The CN-Series firewall is designed to provide the tools you need to secure the
applications in your containerized environment. To understand how the CN-Series fits
into a containerized network, it is important to understand some key concepts.
Cluster—the foundation of your containerized environment;
all your containerized applications run on top of a cluster.
Node—depending on the cluster, a node might be a virtual
or physical machine that contains the necessary services required
Pod—the smallest deployable computing unit that you
can deploy and manage in Kubernetes. The CN-Series firewall is deployed
in a distributed PAN-OS architecture as two pods: CN-MGMT (management plane) and CN-NGFW (data plane).
See CN-Series Core Building Blocks for more information.
Namespace—a namespace is a virtual cluster that is
backed by a physical cluster. In an environment with many users
spread across multiple teams and functions, namespaces can be used
to separate them on a single cluster. A namespace scopes names, RBAC and
network policies; on its own it is not an isolation boundary, so the separation
only holds when those policies are applied per namespace.
Container Network Interface (CNI)—a plugin that configures
network interfaces for containers. Additionally, the CNI removes
the allocated resources used for networking when a container is
DaemonSet—in a Kubernetes deployment, a DaemonSet ensures that some or all nodes run a
copy of a particular pod. As nodes are added to a Kubernetes cluster, a copy
of the pod defined by the DaemonSet is scheduled on each new node. When you deploy
the CN-Series firewall as a DaemonSet, a copy of the CN-NGFW pod is deployed on
each node in your cluster (up to 30 nodes per CN-MGMT pair).
Service—an abstraction that exposes an
application running on a set of pods as a network service. When you
deploy the CN-Series as a Service, you define the number of CN-NGFW pods
to deploy in your YAML files.
Deploying the CN-Series as a Kubernetes CNF resolves
challenges related to traffic that uses Service Function Chaining (SFC) through
external entities such as a cloud provider's native routing, vRouters, and Top of
Rack (TOR) switches. The CN-Series as a Kubernetes CNF mode of deployment does
not impact the application pods.
Horizontal Pod Autoscaler (HPA)—automatically scales the number of pods in a Deployment,
ReplicaSet, or StatefulSet based on various metrics such as CPU utilization or
is supported on the CN-Series as a Kubernetes service only.
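The three deployment models above differ mainly in who decides how many data-plane pods exist. The manifests below are an added illustration and are not Palo Alto Networks' CN-Series YAML files: every name, namespace, label, image and port is a placeholder assumption, and the real CN-Series manifests carry additional objects (ConfigMaps, Secrets, service accounts, CNI settings) that are omitted here. Generic Kubernetes objects are used so the contrast is visible: a DaemonSet gets one pod per matching node and has no replica count to set; a Deployment has an explicit `replicas` value that an HPA can adjust.

```yaml
# Added example, not a Palo Alto Networks manifest. All names, labels,
# images and ports are hypothetical placeholders.
---
# DaemonSet model: one data-plane pod per node. Kubernetes, not the operator,
# sets the pod count (it equals the number of matching nodes), and every node
# added later gets a copy automatically. There is no "replicas" field.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-ngfw-ds          # hypothetical name
  namespace: example-security    # hypothetical namespace
spec:
  selector:
    matchLabels:
      app: example-ngfw-ds
  template:
    metadata:
      labels:
        app: example-ngfw-ds
    spec:
      nodeSelector:
        example.com/inspect: "true"   # assumption: label only the nodes you want covered
      containers:
        - name: ngfw
          image: registry.example.com/ngfw:1.0   # hypothetical image
---
# Service model: a Deployment whose replica count you choose explicitly,
# exposed through a Service object. The number of data-plane pods is
# independent of the number of nodes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-ngfw-svc
  namespace: example-security
spec:
  replicas: 3                    # operator-chosen; this is the value an HPA adjusts
  selector:
    matchLabels:
      app: example-ngfw-svc
  template:
    metadata:
      labels:
        app: example-ngfw-svc
    spec:
      containers:
        - name: ngfw
          image: registry.example.com/ngfw:1.0   # hypothetical image
          resources:
            requests:
              cpu: "2"           # HPA CPU utilization is computed against this request
---
apiVersion: v1
kind: Service
metadata:
  name: example-ngfw-svc
  namespace: example-security
spec:
  selector:
    app: example-ngfw-svc
  ports:
    - name: data
      port: 8443                 # hypothetical port
      targetPort: 8443
---
# HPA: only meaningful for the Service model. It targets the Deployment via
# the scale subresource; a DaemonSet has no scale subresource, so it cannot
# be an HPA target. Requires metrics-server (or another metrics API) in the cluster.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: example-ngfw-svc
  namespace: example-security
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: example-ngfw-svc
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```

Apply with `kubectl apply -f` and compare `kubectl get ds,deploy,hpa -n example-security`: the DaemonSet reports DESIRED equal to the number of labelled nodes, the Deployment reports the replica count you set, and the HPA shows its current and target utilization once metrics are available. If the HPA column stays at `<unknown>`, the metrics API is missing and no scaling will occur.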
Hyperscale Security Fabric (HSF)—Palo Alto Networks CN-Series Hyperscale Security Fabric (HSF) 1.0 is a
cluster of containerized next-generation firewalls that delivers a highly scalable and
resilient next-generation firewall solution for Mobile Service Providers deploying 5G