Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart
Deploy CN-Series firewalls with Helm charts and templates.
Where Can I Use This?
What Do I Need?
  • CN-Series Firewall deployment
  • CN-Series 10.1.x or above container images
  • Panorama running PAN-OS 10.1.x or above
  • Helm 3.6 or above client, for CN-Series deployment with Helm
The Helm repository contains charts and templates for deploying the Palo Alto Networks CN-Series containerized firewall using the Helm package manager for Kubernetes.
You can download the CN-Series Helm charts from GitHub.

Prepare to Use the Helm Charts and Templates

Install the required software. These instructions list the minimum versions, but you can install a later version in the same family unless an upper limit is specified.
  1. Deploy CN-Series firewall 10.1.x, 10.2.x, 11.0.x, or 11.1.x container images.
  2. Install a Kubernetes version between 1.16 and 1.25 and create a Kubernetes cluster. For more information on the supported Kubernetes versions for your environment, see CN-Series Deployment Supported Environments.
  3. Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
    1. Ensure that the Panorama PAN-OS version is 10.x.x or later.
    2. Install the Kubernetes plugin for Panorama version 1.0.x or 2.0.x.

Deploy the CN-Series Firewall Using HELM Chart (Recommended)

Use this procedure to clone the repository and deploy from your local environment.
  1. Clone the repository from GitHub.
    $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
  2. Change into a local directory for the cloned repository. For example:
    $ cd cn-series-helm
  3. Change to the subdirectory for your deployment.
    • Use the directory helm_cnv1 to deploy the CN-Series as a DaemonSet.
    • Use the directory helm_cnv2 to deploy the CN-Series as a service.
    • Use the directory helm_cnv3 to deploy the CN-Series as a CNF.
  4. Download the plugin-serviceaccount.yaml service account YAML and apply it. The service account grants the permissions that Panorama requires to authenticate to the cluster and retrieve Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
    kubectl apply -f plugin-serviceaccount.yaml
    To view the secrets associated with this service account:
    kubectl -n kube-system get secrets | grep pan-plugin-user
    Create the credential file, named cred.json in this example, that includes the secret, and save this file:
    kubectl -n kube-system get secrets <secrets-from-above-command> -o json >> cred.json
    You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters; see Install the Kubernetes plugin for CN-Series firewall.
    On OpenShift, you must manually deploy the pan-cni-net-attach-def.yaml file for each OpenShift namespace before deploying the Helm charts.
  5. Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv1 subdirectory.
    # The K8s environment
    # Valid deployTo tags are: [gke|eks|aks||native]
    # Valid multus tags are : [enable|disable]
    # Keep the multus as enable for openshift and native deployments.
    cluster:
      deployTo: eks
      multus: disable

    # Panorama tags
    panorama:
      ip: "<Panorama-IP>"
      ip2:
      authKey: "<Panorama-auth-key>"
      deviceGroup: "<Panorama-device-group>"
      template: "<panorama-template-stack>"
      cgName: "<panorama-collector-group>"

    # MP container tags
    mp:
      initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
      initVersion: latest
      image: gcr.io/pan-cn-series/panos_cn_mgmt
      version: 10.2.3
      cpuLimit: 4

    # DP container tags
    dp:
      image: gcr.io/pan-cn-series/panos_cn_ngfw
      version: 10.2.3
      cpuLimit: 2

    # CNI container tags
    cni:
      image: gcr.io/pan-cn-series/pan_cni
      version: latest
  6. View the rendered YAML files.
    helm install --debug --generate-name helm_cnv1/ --dry-run
  7. Perform a lint check on the helm charts.
    helm lint helm_cnv1/
  8. Deploy the HELM charts.
    helm install <deployment-name> helm_cnv1
    Persistent volume claims are not deleted when a Helm chart is uninstalled. You must clear these claims beforehand for the Helm install to work.
    For more information on Helm, see HELM Classic: A Kubernetes Package Manager.
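Before running helm install, it is worth checking that values.yaml no longer carries the placeholder strings shown above and that the cluster settings follow the rules in the chart comments (a valid deployTo target, multus enabled on OpenShift and native clusters). The following is an added example, not code from the chart or from Palo Alto Networks; the parser is a hypothetical helper for the two-level layout of this file, and the sample values are a constructed excerpt of the helm_cnv1 values.yaml.

```python
import re
# Constructed excerpt of the helm_cnv1 values.yaml shown above (placeholders intact).
PAGE_VALUES = """\
cluster:
  deployTo: eks
  multus: disable
panorama:
  ip: "<Panorama-IP>"
  authKey: "<Panorama-auth-key>"
  deviceGroup: "<Panorama-device-group>"
  cgName: "<panorama-collector-group>"
mp:
  image: gcr.io/pan-cn-series/panos_cn_mgmt
  version: 10.2.3
"""
REQUIRED = {"panorama": ("ip", "authKey", "deviceGroup", "cgName"),
            "mp": ("image", "version")}

def parse_values(text):
    # Minimal "section:" / "  key: value" parser (hypothetical helper, not PyYAML); '#' starts a comment.
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, val = line.strip().partition(":")
        if not raw.startswith(" "):
            section = key
            values[section] = {}
        elif section is not None:
            values[section][key] = val.strip().strip('"')
    return values

def check_values(text):
    # Problems that would make helm install fail or enroll the firewall against the wrong Panorama.
    v, problems = parse_values(text), []
    target, multus = v.get("cluster", {}).get("deployTo"), v.get("cluster", {}).get("multus")
    if target not in {"gke", "eks", "aks", "openshift", "native"}:
        problems.append(f"cluster.deployTo={target!r} is not a valid target")
    if target in ("openshift", "native") and multus != "enable":  # rule from the chart comment
        problems.append("cluster.multus must be 'enable' for openshift/native")
    for section, keys in REQUIRED.items():
        for k in keys:
            val = v.get(section, {}).get(k, "")
            if not val or re.fullmatch(r"<[^>]*>", val):
                problems.append(f"{section}.{k} is empty or still a <placeholder>")
    return problems

# Filled-in variant: every <placeholder> replaced with a constructed value.
FILLED_VALUES = re.sub(r"<[^>]*>", "constructed-value", PAGE_VALUES)
```

Run check_values on your edited values.yaml and do not install until it returns an empty list.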

Deploy the CN-Series Firewall through the YAML Files

To deploy without cloning the repository, add the repository to your Helm client.
  1. Download the plugin-serviceaccount.yaml service account YAML and apply it. The service account grants the permissions that Panorama requires to authenticate to the cluster and retrieve Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
    kubectl apply -f plugin-serviceaccount.yaml
    To view the secrets associated with this service account:
    kubectl -n kube-system get secrets | grep pan-plugin-user
    Create the credential file, named cred.json in this example, that includes the secret, and save this file:
    kubectl -n kube-system get secrets <secrets-from-above-command> -o json >> cred.json
    You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters; see Install the Kubernetes plugin for CN-Series firewall.
    On OpenShift, you must manually deploy the pan-cni-net-attach-def.yaml file for each OpenShift namespace before deploying the Helm charts.
  2. Add the CN-Series repository to your local Helm client.
    Enter this command on a single line:
    $ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
    "cn-series" has been added to your repositories
  3. Confirm the repository has been added to your Helm client.
    $ helm search repo cn-series
  4. Select the Kubernetes cluster (the kubectl context that Helm will deploy into).
    $ kubectl config use-context <context-name>
  5. Deploy using the Helm chart repository. Edit the following command to include your configuration information (Helm 3 takes the release name as the first argument).
    $ helm install <deployment-name> cn-series/cn-series \
    --set cluster.deployTo="gke|eks|aks|openshift" \
    --set panorama.ip="panorama hostname or ip" \
    --set panorama.ip2="panorama2 hostname or ip" \
    --set-string panorama.authKey="vm auth key" \
    --set panorama.deviceGroup="device group" \
    --set panorama.template="template stack" \
    --set panorama.cgName="collector group" \
    --set cni.image="container repo" \
    --set cni.version="container version" \
    --set mp.initImage="container repo" \
    --set mp.initVersion="container version" \
    --set mp.image="container repo" \
    --set mp.version="container version" \
    --set mp.cpuLimit="cpu max" \
    --set dp.image="container repo" \
    --set dp.version="container version" \
    --set dp.cpuLimit="cpu max"
    Persistent volume claims are not deleted when a Helm chart is uninstalled. You must clear these claims beforehand for the Helm install to work.
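The cred.json file produced in the service account step of both procedures (step 4 above and step 1 here) is a cluster credential that Panorama will hold, so it pays to confirm it is exactly one service-account-token Secret for pan-plugin-user before uploading it. This added example (not code from Palo Alto Networks or the chart) checks that; the sample Secret is constructed, and it also catches the case where the documented ">>" redirection was run twice and left two objects concatenated in the file.

```python
import base64
import json

def load_json_objects(text):
    # Decode every JSON object in the file; '>>' appends, so a re-run of the
    # documented command leaves two Secret objects back to back.
    decoder, objs, pos = json.JSONDecoder(), [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        objs.append(obj)
    return objs

def check_cred_json(text, account="pan-plugin-user"):
    # Problems that would make Panorama reject or misuse the uploaded file.
    try:
        objs = load_json_objects(text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err.msg}"]
    if len(objs) != 1:  # 0 objects: the grep found no token secret for the account
        return [f"expected exactly one Secret object, found {len(objs)}"]
    sec, problems = objs[0], []
    if sec.get("kind") != "Secret" or sec.get("type") != "kubernetes.io/service-account-token":
        problems.append("object is not a kubernetes.io/service-account-token Secret")
    annotations = sec.get("metadata", {}).get("annotations", {})
    if annotations.get("kubernetes.io/service-account.name") != account:
        problems.append(f"secret does not belong to service account {account}")
    for field in ("token", "ca.crt"):
        try:
            base64.b64decode(sec.get("data", {})[field], validate=True)
        except (KeyError, ValueError):
            problems.append(f"data.{field} is missing or not base64")
    return problems

# Constructed sample of what kubectl -o json emits for the token secret.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "pan-plugin-user-token-xxxxx", "namespace": "kube-system",
                 "annotations": {"kubernetes.io/service-account.name": "pan-plugin-user"}},
    "data": {"token": base64.b64encode(b"constructed-jwt").decode(),
             "ca.crt": base64.b64encode(b"constructed-ca-cert").decode()}}, indent=2)
```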
