High Availability Support for CN-Series Firewall as a Kubernetes CNF
Where Can I Use This?
  • CN-Series deployment
What Do I Need?
  • CN-Series 10.2.x or above Container Images
  • Panorama running PAN-OS 10.2.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure business continuity.
You can now deploy the CN-Series as a Kubernetes CNF in HA. This mode of deployment supports only active/passive HA with session and configuration synchronization.
When you deploy the CN-Series as a Kubernetes CNF in HA, there are two copies of each of the PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW YAML files: one for the active node and one for the passive node.
To successfully deploy the CN-Series firewall as a Kubernetes CNF in HA with layer 3 support:
  • In HA, each Kubernetes node should have at least three interfaces: Management (default), HA2 interface, and data interface.
  • For CN-Series firewall in L3 mode, there should be at least two interfaces: Management (default) and data interface.
  • Modify the new Network Attachment Definition YAML files with the following changes:
    • Ensure that the PAN_HA_SUPPORT parameter value is true in the following YAML files: pan-cn-mgmt-configmap-0.yaml and pan-cn-mgmt-configmap-1.yaml.
    • Retrieve the pciBusID value from the hypervisor interface by running the following command: ethtool -i <interface name>. Add the retrieved pciBusID value to the following Network Attachment Definition files: net-attach-def-1.yaml, net-attach-def-2.yaml, net-attach-def-3.yaml, net-attach-def-ha2-0.yaml, and net-attach-def-ha2-1.yaml.
    • Retrieve the static IP address of the HA2 interface from the corresponding node instance on the AWS console and add it to the address parameter of the net-attach-def-ha2-0.yaml and net-attach-def-ha2-1.yaml files.
  If you are using Advanced Routing, consider that CN-Series firewalls deployed in CNF mode are only supported in EKS and on-prem environments. If you are using Advanced Routing with the Kubernetes 3.0.0 plugin, you must configure it manually on the template stack; in the file pan-cn-mgmt-console.yaml, set the flag PAN_ADVANCED_ROUTING: "true".
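The steps above ask you to collect a PCI bus ID from ethtool, set PAN_HA_SUPPORT in two configmap files, and put a static HA2 address into two network attachment files. The following POSIX shell script is an added example, not part of this page or of Palo Alto Networks tooling: it parses the bus-info line that `ethtool -i` prints into the pciBusID value and sanity-checks the three inputs before you run the deployment. The sample ethtool output and configmap contents it uses are constructed; the file names and the `PAN_HA_SUPPORT: "true"` line shape follow the text above, and the assumption that the address parameter holds a plain IPv4 address (strip any /prefix before checking) is mine.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code): pre-deployment checks for the
# HA inputs described on this page. Uses only sh, awk and grep.

# Read `ethtool -i <iface>` output on stdin and print the PCI bus ID.
# ethtool prints it on a line such as "bus-info: 0000:00:06.0"; the value
# itself contains colons, so strip the prefix rather than splitting on ':'.
pci_bus_id_from_ethtool() {
    awk '/^bus-info:/ { sub(/^bus-info:[ \t]*/, ""); print; exit }'
}

# Live wrapper for a real interface (requires ethtool; not used by the demo).
pci_bus_id_of_iface() {
    ethtool -i "$1" | pci_bus_id_from_ethtool
}

# Return 0 if the string has the PCI address form domain:bus:slot.function.
is_pci_bus_id() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]$'
}

# Return 0 if the given configmap file sets PAN_HA_SUPPORT to true
# (quoted "true" as in the page, or bare true).
ha_support_enabled() {
    grep -Eq '^[[:space:]]*PAN_HA_SUPPORT:[[:space:]]*"?true"?[[:space:]]*$' "$1"
}

# Return 0 if the string is a dotted-quad IPv4 address with octets 0-255
# (assumption: the address parameter carries the bare static IP).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Check both HA configmap files in a directory; print one line per file and
# return 0 only if both enable HA.
check_ha_configmaps() {
    dir=$1; rc=0
    for f in pan-cn-mgmt-configmap-0.yaml pan-cn-mgmt-configmap-1.yaml; do
        if [ -f "$dir/$f" ] && ha_support_enabled "$dir/$f"; then
            echo "ok      $f: PAN_HA_SUPPORT is true"
        else
            echo "MISSING $f: PAN_HA_SUPPORT is not true (HA peers will not form)"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed data (not a real capture or real deployment files).
demo() {
    sample_ethtool='driver: ena
version: 2.8.3
firmware-version:
bus-info: 0000:00:06.0
supports-statistics: yes'
    bus_id=$(printf '%s\n' "$sample_ethtool" | pci_bus_id_from_ethtool)
    if is_pci_bus_id "$bus_id"; then
        echo "pciBusID for net-attach-def files: $bus_id"
    else
        echo "could not parse a PCI bus ID from ethtool output"
    fi

    tmp=$(mktemp -d)
    printf 'data:\n  PAN_HA_SUPPORT: "true"\n' > "$tmp/pan-cn-mgmt-configmap-0.yaml"
    printf 'data:\n  PAN_HA_SUPPORT: "false"\n' > "$tmp/pan-cn-mgmt-configmap-1.yaml"
    check_ha_configmaps "$tmp" || echo "fix the configmap(s) above before deploying"
    rm -rf "$tmp"

    for addr in 10.0.1.25 10.0.1.256; do
        if is_ipv4 "$addr"; then echo "HA2 address $addr: ok"; else echo "HA2 address $addr: invalid"; fi
    done
}

demo
```

Run it once as-is to see the constructed demo, then point `check_ha_configmaps` at your Helm or YAML directory and feed `ethtool -i <interface name>` on the node into `pci_bus_id_from_ethtool`; a passive peer whose configmap still says "false" is the most common reason the HA pair never synchronizes, and this catches it before the pods start.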