Deploy CN-Series Firewalls With and Without the Helm Repository

Deploy CN-Series firewalls with Helm charts and templates.
The Helm repository contains charts and templates for deploying the Palo Alto Networks CN-Series containerized firewall using the Helm package manager for Kubernetes.

Prepare to Use the Helm Charts and Templates

Install the required software. These instructions list the minimum versions, but you can install a later version in the same family unless an upper limit is specified.
  1. Deploy CN-Series firewall 10.1.x or 10.2.x container images.
  2. Install a Kubernetes version from 1.16 through 1.24 and create a Kubernetes cluster.
  3. Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
    1. Ensure that the Panorama PAN-OS version is 10.x.x or later.
    2. Install the Kubernetes plugin for Panorama version 1.0.x or 2.0.x.

Deploy the CN-Series Firewall Using the Repository

Use this procedure to clone the repository and deploy from your local environment.
  1. Clone the repository from GitHub.
    $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
  2. Change into a local directory for the cloned repository. For example:
    $ cd cn-series-helm
  3. Change to the subdirectory for your deployment.
    • Use the directory helm_cnv1_10_1 to deploy cnv1 10.1.x as a daemon set.
    • Use the directory helm_cnv2_10_2 to deploy cnv2 as a service.
  4. Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv2_10_1_2 subdirectory.
    # Default values for cn-series.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.
    # Supports from PanOS version - 10.1.2

    # The K8s environment
    # Valid deployTo tags are: [gke|eks|aks||native]
    # Openshift will be supported from 10.1.3
    cluster:
      deployTo: eks

    # Firewall tags
    firewall:
      failoverMode: failopen
      operationMode: "k8s-service"

    # Panorama tags
    panorama:
      ip: "<Panorama-IP>"
      ip2:
      authKey: "<Panorama-auth-key>"
      deviceGroup: "<Panorama-device-group>"
      template: "<panorama-template-stack>"
      cgName: "<panorama-collector-group>"

    # Customer Support Portal PIN information
    csp:
      pinId: ""
      pinValue: ""
      alternateUrl: ""

    # MP container tags
    mp:
      initImage: 018147215560.dkr.ecr.us-east-1.amazonaws.com/pan_cn_mgmt_init
      initVersion: 2.0.0-pkg
      image: 018147215560.dkr.ecr.us-east-1.amazonaws.com/panos_cn_mgmt
      version: 10.1.2-c38
      cpuLimit: 4

    # DP container tags
    dp:
      image: 018147215560.dkr.ecr.us-east-1.amazonaws.com/panos_cn_ngfw
      version: 10.1.2-c38
      cpuLimit: 2

    # CNI container tags
    cni:
      image: 018147215560.dkr.ecr.us-east-1.amazonaws.com/skrish-pan-cni
      version: latest

    ############
    # Non essential configs
    ############
    imagePullSecrets: []
    nameOverride: ""
    fullnameOverride: ""

    serviceAccount:
      # Specifies whether a service account should be created
      create: true
      # Annotations to add to the service account
      annotations: {}
      # The name of the service account to use.
      # If not set and create is true, a name is generated using the fullname template
      name:

    podSecurityContext: {}
      # fsGroup: 2000

    securityContext: {}
      # capabilities:
      #   drop:
      #   - ALL
      # readOnlyRootFilesystem: true
      # runAsNonRoot: true
      # runAsUser: 1000

    # service:
    #   type: ClusterIP
    #   port: 80

    # ingress:
    #   enabled: false
    #   annotations: {}
    #     # kubernetes.io/ingress.class: nginx
    #     # kubernetes.io/tls-acme: "true"
    #   hosts:
    #     - host: chart-example.local
    #       paths: []
    #   tls: []
    #   #  - secretName: chart-example-tls
    #   #    hosts:
    #   #      - chart-example.local

    resources: {}
      # We usually recommend not to specify default resources and to leave this as a
      # conscious choice for the user. This also increases chances charts run on
      # environments with little resources, such as Minikube.
      # If you do want to specify resources, uncomment the following lines,
      # adjust them as necessary, and remove the curly braces after 'resources:'.
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
      # requests:
      #   cpu: 100m
      #   memory: 128Mi

    nodeSelector: {}

    tolerations: []

    affinity: {}
  5. View the rendered YAML files.
    helm install --debug --generate-name helm_cnv2_10_1_2/ --dry-run
  6. Deploy the HELM charts.
    helm install <deployment-name> <chart-directory>
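Before rendering with --dry-run, it is worth confirming that the edited values.yaml no longer carries the chart's "<...>" placeholders, that panorama.authKey has been set, and that no image is pinned to the floating tag latest. The following pre-flight check is an added example, not code from the cn-series-helm repository; it assumes the key names shown in the values.yaml above and runs against two constructed sample files.

```shell
# Pre-flight check for an edited CN-Series values.yaml, run before
# `helm install --dry-run`. Added example; not part of the cn-series-helm
# repository. Exit status 0 = looks deployable, 1 = blocking problem found.
check_cn_values() {
  f="$1"
  rc=0
  # Any "<...>" placeholder left in the file means the template was not edited.
  if grep -n '<[A-Za-z][A-Za-z0-9_-]*>' "$f"; then
    echo "ERROR: placeholder values still present in $f"
    rc=1
  fi
  # Without a real Panorama auth key the firewall cannot register with Panorama.
  if ! grep -Eq '^[[:space:]]*authKey:[[:space:]]*"[^"<]+"' "$f"; then
    echo "ERROR: panorama.authKey is empty or still a placeholder"
    rc=1
  fi
  # A floating image tag is neither reproducible nor auditable; pin a version.
  if grep -En '^[[:space:]]*version:[[:space:]]*"?latest"?[[:space:]]*$' "$f"; then
    echo "WARN: an image uses the floating tag 'latest'; pin a versioned tag"
  fi
  return $rc
}
# Two constructed sample files (not from the repository) to exercise the check:
# $1 receives an unedited template, $2 a filled-in copy with a dummy auth key.
write_samples() {
  cat > "$1" <<'EOF'
panorama:
  ip: "<Panorama-IP>"
  authKey: "<Panorama-auth-key>"
cni:
  version: latest
EOF
  cat > "$2" <<'EOF'
panorama:
  ip: "198.51.100.10"
  authKey: "dummy-auth-key-for-illustration"
cni:
  version: 10.1.2-c38
EOF
}
main() {
  t=$(mktemp -d)
  write_samples "$t/unedited.yaml" "$t/edited.yaml"
  check_cn_values "$t/unedited.yaml" || echo "unedited.yaml: NOT deployable"
  check_cn_values "$t/edited.yaml" && echo "edited.yaml: OK"
  rm -rf "$t"
}
main
```

Because the auth key and CSP PIN are secrets, a common alternative is to leave them empty in the committed values.yaml and supply them at install time with --set-string, as the repository-based procedure below does.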

Deploy the CN-Series Firewall Without the Repository

To deploy without cloning the repository, add the repository to your Helm client.
  1. Add the CN-Series repository to your local Helm client.
    Enter this command on a single line:
    $ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
    "cn-series" has been added to your repositories
  2. Confirm the repository has been added to your Helm client.
    $ helm search repo cn-series
  3. Select the Kubernetes cluster.
    $ kubectl config set-cluster NAME
  4. Deploy using the Helm chart repository. Edit the following command to include your configuration information.
    $ helm install cn-series/cn-series --name="deployment name" \
      --set cluster.deployTo="gke|eks|aks|openshift" \
      --set panorama.ip="panorama hostname or ip" \
      --set panorama.ip2="panorama2 hostname or ip" \
      --set-string panorama.authKey="vm auth key" \
      --set panorama.deviceGroup="device group" \
      --set panorama.template="template stack" \
      --set panorama.cgName="collector group" \
      --set cni.image="container repo" \
      --set cni.version="container version" \
      --set mp.initImage="container repo" \
      --set mp.initVersion="container version" \
      --set mp.image="container repo" \
      --set mp.version="container version" \
      --set mp.cpuLimit="cpu max" \
      --set dp.image="container repo" \
      --set dp.version="container version" \
      --set dp.cpuLimit="cpu max"
