Secure 5G With the CN-Series Firewall
Use the 5G-Native Security capabilities on the CN-Series firewall for visibility and control of 5G traffic.
For visibility and control of 5G traffic for private enterprises and 5G Mobile Packet Core deployments in a Mobile Operator Networks on Kubernetes, review the following sections for supported environments and how to modify the YAML files to unlock GTP Securityand 5G-Native Security on the CN-Series firewall. In addition to enabling these capabilities when you deploy the CN-Series firewall, you must also enable Panorama for GTP Security and/or SCTP Security.
1.17 through 1.23
Cloud provider managed Kubernetes
Customer managed Kubernetes
On the public cloud or on-premise data center.
Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are as listed in this table.
VMware TKG+ version 1.1.2
Kubernetes Host VM
Linux Kernel Version:
Linux Kernel Netfilter: Iptables
CNI Spec 0.3 and later:
PAN-OS 10.0.3 or later
1.0.1 or later
10.0.0 or later
The following are list of all the editable Parameters in the YAML file that you use to deploy the CN-Series firewall: For details, see CN-Series Core Building Blocks and Editable Parameters in CN-Series Deployment YAML Files.
On the pan-cn-mgmt-configmap.yaml set—
PAN_GTP_ENABLED : "True", before you deploy the CN-MGMT StatefulSet.
Enable Jumbo Frame Mode
On the pan-cn-mgmt-configmap.yaml set:
PAN_JUMBO_FRAME_ENABLED: "True", before you deploy the CN-MGMT StatefulSet.
The CN-MGMT pod during bootup uses the "eth0" MTU to auto-detect whether to enable jumbo-frame mode. So, if your secondary CNI uses jumbo frames, while the primary CNI does not, you must define
PAN_JUMBO_FRAME_ENABLED: "True"to enable jumbo frame mode on the CN-Series firewall.
CN-Series currently doesn't support DPDK and it doesn't allow the app pod to use DPDK. You might need to modify the app pod if the app does not automatically adjust to non DPDK mode.
Enable System Resource Flexibility
If you need higher throughput and want to configure more memory to address your deployment needs on the pan-cn-mgmt-configmap.yaml set: PAN_NGFW_MEMORY="48Gi"
For templating (Helm), it can take the same variable as allocated for CN-NGFW pod. When enable a larger memory footprint, the CN-MGMT StatefulSet only supports one CN-NGFW pod.
Configure vCPU, Memory for 5G
The recommended configuration for CN-MGMT pods (in pan-cn-mgmt.yaml) and NGFW pods (in pan-cn-ngfw.yaml) is to have identical values in "request" and "limit" for cpus and memory to achieve guaranteed QoS.
For CN-MGMT pods, recommended values are cpu=4, memory=16Gi. To control placement of CN-MGMT pods, for example on the same or different nodes than where the CN-NGFW pods are deployed, use the node-selector capability in k8s.
For CN-NGFW pods, recommended values are cpu=12, memory=48Gi. To control placement of CN-NGFW pods for example on the same or different nodes than where the CN-NGFW pods are deployed, use the node-selector capability in k8s.
Select the CNI yaml file
The Multus CNI acts as a meta-plugin, that calls other CNI plugins. On OpenShift environments, Multus is enabled by default, so you can use the
pan-cni.yaml. On other environments where Multus is supported but is optional, such as with self-managed (native) environments, use the
pan-cni-multus.yamlinstead of the
Recommended For You
Recommended videos not found.