Secure 5G With the CN-Series Firewall
Use the 5G-Native Security capabilities on the CN-Series
firewall for visibility and control of 5G traffic.
For visibility and control of 5G traffic for private enterprises and for 5G Mobile Packet Core deployments in Mobile Operator Networks on Kubernetes, review the following sections for the supported environments and for how to modify the YAML files to unlock GTP Security and 5G-Native Security on the CN-Series firewall. In addition to enabling these capabilities when you deploy the CN-Series firewall, you must also enable Panorama for GTP Security and/or SCTP Security.
Product | Version
---|---
Container runtime | Docker, CRI-O, Containerd
Kubernetes version | 1.17 through 1.23
Cloud provider managed Kubernetes |
Customer managed Kubernetes | On the public cloud or in an on-premise data center. Make sure that the Kubernetes version, CNI types, and host VM OS versions are as listed in this table. VMware TKG+ version 1.1.2
Kubernetes Host VM | Operating System: ; Linux Kernel Version: ; Linux Kernel Netfilter: iptables
CNI Plugins | CNI Spec 0.3 and later:
OpenShift |

Product | Version
---|---
CN-Series firewall | PAN-OS 10.0.3 or later
Kubernetes plugin | 1.0.1 or later
Panorama | 10.0.0 or later
The following is a list of all the editable parameters in the YAML files that you use to deploy the CN-Series firewall. For details, see CN-Series Core Building Blocks and Editable Parameters in CN-Series Deployment YAML Files.

Parameter | Description
---|---
Enable GTP | In pan-cn-mgmt-configmap.yaml set PAN_GTP_ENABLED: "True" before you deploy the CN-MGMT StatefulSet.
Enable Jumbo Frame Mode | In pan-cn-mgmt-configmap.yaml set PAN_JUMBO_FRAME_ENABLED: "True" before you deploy the CN-MGMT StatefulSet. During bootup the CN-MGMT pod uses the "eth0" MTU to auto-detect whether to enable jumbo-frame mode. So, if your secondary CNI uses jumbo frames while the primary CNI does not, you must define PAN_JUMBO_FRAME_ENABLED: "True" to enable jumbo frame mode on the CN-Series firewall. CN-Series currently doesn't support DPDK and doesn't allow the app pod to use DPDK. You might need to modify the app pod if the app does not automatically adjust to non-DPDK mode.
Enable System Resource Flexibility | If you need higher throughput and want to configure more memory to address your deployment needs, in pan-cn-mgmt-configmap.yaml set PAN_NGFW_MEMORY="48Gi". For templating (Helm), it can take the same variable as allocated for the CN-NGFW pod. When you enable a larger memory footprint, the CN-MGMT StatefulSet supports only one CN-NGFW pod.
Configure vCPU, Memory for 5G | The recommended configuration for CN-MGMT pods (in pan-cn-mgmt.yaml) and CN-NGFW pods (in pan-cn-ngfw.yaml) is to have identical values in "request" and "limit" for cpu and memory, to achieve guaranteed QoS. For CN-MGMT pods, the recommended values are cpu=4, memory=16Gi. To control placement of CN-MGMT pods, for example on the same or different nodes than where the CN-NGFW pods are deployed, use the node-selector capability in k8s. For CN-NGFW pods, the recommended values are cpu=12, memory=48Gi. To control placement of CN-NGFW pods, for example on the same or different nodes than where the CN-MGMT pods are deployed, use the node-selector capability in k8s.
Select the CNI yaml file | The Multus CNI acts as a meta-plugin that calls other CNI plugins. On OpenShift environments, Multus is enabled by default, so you can use pan-cni.yaml. On other environments where Multus is supported but optional, such as self-managed (native) environments, use pan-cni-multus.yaml instead of pan-cni.yaml.
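The following is an added example, not taken from the Palo Alto Networks deployment files, that puts the parameters in the table above together into the three manifests they belong to: the ConfigMap keys (PAN_GTP_ENABLED, PAN_JUMBO_FRAME_ENABLED, PAN_NGFW_MEMORY), the CN-MGMT StatefulSet with identical requests and limits, and the CN-NGFW pods with their recommended sizing and a node selector. The object names, the kube-system namespace, the DaemonSet kind for CN-NGFW, the node labels (pan-role) and the container image references are assumptions; copy the values into the real pan-cn-mgmt-configmap.yaml, pan-cn-mgmt.yaml and pan-cn-ngfw.yaml rather than applying this file as-is.

```yaml
# Added example (assumed object names and labels); only the data keys and
# the resources/nodeSelector stanzas carry the settings from the table above.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config          # assumed name; use the name in pan-cn-mgmt-configmap.yaml
  namespace: kube-system         # assumed namespace
data:
  PAN_GTP_ENABLED: "True"           # GTP Security; must be set before the CN-MGMT StatefulSet is deployed
  PAN_JUMBO_FRAME_ENABLED: "True"   # needed when only the secondary CNI uses jumbo frames (eth0 MTU would not reveal it)
  PAN_NGFW_MEMORY: "48Gi"           # larger CN-NGFW footprint; CN-MGMT then supports a single CN-NGFW pod
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: pan-mgmt                   # assumed name
  namespace: kube-system
spec:
  serviceName: pan-mgmt-svc        # assumed headless service name
  replicas: 2
  selector:
    matchLabels:
      app: pan-mgmt
  template:
    metadata:
      labels:
        app: pan-mgmt
    spec:
      nodeSelector:
        pan-role: mgmt             # assumed node label; keeps CN-MGMT off the CN-NGFW nodes
      containers:
      - name: pan-mgmt
        image: REPLACE_WITH_CN_MGMT_IMAGE   # placeholder
        resources:
          requests:                # requests == limits for both cpu and memory
            cpu: "4"               # gives the pod the Guaranteed QoS class
            memory: "16Gi"
          limits:
            cpu: "4"
            memory: "16Gi"
---
apiVersion: apps/v1
kind: DaemonSet                    # assumed kind for the CN-NGFW pods
metadata:
  name: pan-ngfw                   # assumed name
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: pan-ngfw
  template:
    metadata:
      labels:
        app: pan-ngfw
    spec:
      nodeSelector:
        pan-role: ngfw             # assumed node label; pins CN-NGFW to the 5G data-plane nodes
      containers:
      - name: pan-ngfw
        image: REPLACE_WITH_CN_NGFW_IMAGE   # placeholder
        resources:
          requests:
            cpu: "12"
            memory: "48Gi"         # matches PAN_NGFW_MEMORY in the ConfigMap
          limits:
            cpu: "12"
            memory: "48Gi"
```

After the pods are running, confirm that the sizing actually produced the guaranteed class (Kubernetes downgrades a pod to Burstable if any container's request differs from its limit for either resource) with `kubectl get pod -n kube-system -o custom-columns=NAME:.metadata.name,QOS:.status.qosClass`; every CN-MGMT and CN-NGFW pod should report Guaranteed. Label the nodes before deploying (`kubectl label node <node> pan-role=ngfw`), otherwise the pods stay Pending because no node matches the selector.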
Also review the System Requirements for the Kubernetes Cluster before
you continue to Deploy the CN-Series Firewalls.