Deploy CN-Series Firewalls With and Without the Helm Repository
Deploy CN-Series firewalls with Helm charts and templates.
The Helm repository contains charts and templates for
deploying the Palo Alto Networks CN-Series containerized firewall
using the Helm Package Manager for Kubernetes.
You can download CN-Series Helm Charts from GitHub.
Prepare to Use the Helm Charts and Templates
Install the required software. These instructions
list the minimum versions, but you can install a later version in
the same family unless an upper limit is specified.
- Deploy CN-Series firewall 10.1.x or 10.2.x container images.
- Install a Kubernetes version between 1.16 and 1.24 and create a Kubernetes cluster.
- Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
- Ensure that the Panorama version supports the PAN-OS version of your deployment.
- Install the Panorama plugin for Kubernetes supported by your version of Panorama.
- Install the Helm client version 3.6.0 or later.
Deploy the CN-Series Firewall Using the Repository
Use this procedure to clone the repository
and deploy from your local environment.
- Clone the repository from GitHub.
    $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
- Change into a local directory for the cloned repository. For example:
    $ cd cn-series-helm
- Change to the subdirectory for your deployment.
  - Use the directory helm_cnv1 to deploy the CN-Series as a daemon set.
  - Use the directory helm_cnv2 to deploy CN-Series as a service.
  - Use the directory helm_cnv3 to deploy CN-Series as a CNF.
- Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv1 subdirectory.
    # The K8s environment
    # Valid deployTo tags are: [gke|eks|aks||native]
    # Valid multus tags are : [enable|disable] Keep the multus as enable for openshift and native deployments.
    cluster:
      deployTo: eks
      multus: disable

    # Panorama tags
    panorama:
      ip: "<Panorama-IP>"
      ip2:
      authKey: "<Panorama-auth-key>"
      deviceGroup: "<Panorama-device-group>"
      template: "<panorama-template-stack>"
      cgName: "<panorama-collector-group>"

    # MP container tags
    mp:
      initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
      initVersion: latest
      image: gcr.io/pan-cn-series/panos_cn_mgmt
      version: 10.2.3
      cpuLimit: 4

    # DP container tags
    dp:
      image: gcr.io/pan-cn-series/panos_cn_ngfw
      version: 10.2.3
      cpuLimit: 2

    # CNI container tags
    cni:
      image: gcr.io/pan-cn-series/pan_cni
      version: latest
- View the rendered YAML files.
    helm install --debug --generate-name helm_cnv1/ --dry-run
- Perform a lint check on the Helm charts.
    helm lint helm_cnv1/
- Deploy the Helm charts.
    helm install <deployment-name> helm_cnv1
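A pre-deployment check for the values.yaml edited in the procedure above, added here as an example (it is not part of the cn-series-helm repository): it flags image versions left at the mutable tag latest, unreplaced <...> placeholders, and an empty panorama.authKey. The function names check_values and sample_values and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the cn-series-helm repository.
# check_values [FILE]: reads a two-level values.yaml (FILE or stdin), prints
# one finding per line, and returns 1 if anything needs fixing before install.
check_values() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    /^[^ \t][^:]*:/ {                             # top-level key such as "mp:"
      section = $0; sub(/:.*/, "", section); next
    }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                 # drop a trailing comment
      sub(/[ \t]+$/, "", line)                    # drop trailing whitespace
      key = line; sub(/^[ \t]+/, "", key); sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
      path = section "." key
      if (key ~ /[Vv]ersion$/ && val == "latest") { print "UNPINNED " path; bad = 1 }
      if (val ~ /^<.*>$/)                         { print "PLACEHOLDER " path; bad = 1 }
      if (path == "panorama.authKey" && val == "") { print "EMPTY " path; bad = 1 }
    }
    END { exit bad + 0 }
  ' "${1:--}"
}

# Constructed sample, modeled on the helm_cnv1 values shown above.
sample_values() {
  cat <<'EOF'
# The K8s environment
cluster:
  deployTo: eks
  multus: disable
panorama:
  ip: "<Panorama-IP>"
  authKey: ""
mp:
  initVersion: latest
  version: 10.2.3
cni:
  version: latest
EOF
}

sample_values | check_values || echo "fix the findings above before running helm install"
```

Run it as check_values helm_cnv1/values.yaml before the lint and install steps.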
Deploy the CN-Series Firewall Without the Repository
To deploy without cloning the repository, add
the repository to your Helm client.
- Add the CN-Series repository to your local Helm client. Enter this command on a single line:
    $ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
    "cn-series" has been added to your repositories
- Confirm the repository has been added to your Helm client.
    $ helm search repo cn-series
- Select the Kubernetes cluster.
    $ kubectl config set-cluster NAME
- Deploy using the Helm chart repository. Edit the following command to include your configuration information. Helm 3 takes the deployment name as the first argument to helm install rather than as a --name flag.
    $ helm install <deployment-name> cn-series/cn-series \
        --set cluster.deployTo="gke|eks|aks|openshift" \
        --set panorama.ip="panorama hostname or ip" \
        --set panorama.ip2="panorama2 hostname or ip" \
        --set-string panorama.authKey="vm auth key" \
        --set panorama.deviceGroup="device group" \
        --set panorama.template="template stack" \
        --set panorama.cgName="collector group" \
        --set cni.image="container repo" \
        --set cni.version="container version" \
        --set mp.initImage="container repo" \
        --set mp.initVersion="container version" \
        --set mp.image="container repo" \
        --set mp.version="container version" \
        --set mp.cpuLimit="cpu max" \
        --set dp.image="container repo" \
        --set dp.version="container version" \
        --set dp.cpuLimit="cpu max"