—A hardware-based or virtual
appliance that can connect to the Kubernetes clusters where the
applications and CN-Series firewalls are deployed. Panorama is required
for license management and configuration management of the CN-Series
firewalls. For more information, see CN-Series Core Building Blocks.
Kubernetes Plugin on Panorama
—Because of the rate of change with containerized applications, this plugin
is required for visibility into container activity within a cluster
and for managing the license token allocation for the firewall deployed
on each node within a cluster.
The Kubernetes plugin connects
to Kubernetes clusters using service account credentials. From there
it retrieves resource attributes and labels and creates tags and
service objects. The tags can be used to create Dynamic address groups
and reference them in Security policy for IP traffic enforcement.
You can also use the service objects in Security policy to allow
or deny traffic based on ports as well as IP addresses. The tags
and service objects give you visibility and granular control for
traffic enforcement within your Kubernetes cluster.
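The following Python is an added illustration, not code from the Palo Alto Networks documentation or the Kubernetes plugin itself: it models how pod namespaces and labels become tags, and how a dynamic address group match expression resolves those tags to the pod IP addresses that a Security policy rule would then act on. The sample pods and the `k8s.ns.<ns>` / `k8s.label.<key>.<value>` tag naming are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of the resource attributes and labels the plugin
# retrieves from a cluster. Names, namespaces and IPs are made up.
PODS = [
    {"name": "web-1", "namespace": "prod", "ip": "10.244.1.10",
     "labels": {"app": "web", "tier": "frontend"}},
    {"name": "web-2", "namespace": "dev", "ip": "10.244.2.20",
     "labels": {"app": "web", "tier": "frontend"}},
    {"name": "db-1", "namespace": "prod", "ip": "10.244.1.30",
     "labels": {"app": "postgres", "tier": "backend"}},
]


def pod_tags(pod: Dict) -> Set[str]:
    """Derive tags from a pod's namespace and labels.
    The 'k8s.ns.<ns>' and 'k8s.label.<key>.<value>' scheme is an
    assumption for this example, not the plugin's real tag format."""
    tags = {f"k8s.ns.{pod['namespace']}"}
    for key, value in pod["labels"].items():
        tags.add(f"k8s.label.{key}.{value}")
    return tags


def _to_python(match: str) -> str:
    """Translate a match expression such as
    "'k8s.ns.prod' and ('k8s.label.app.web' or 'k8s.label.app.api')"
    into a Python expression over a set called `tags`. Outside the
    quoted tag names only and/or/not, parentheses and whitespace are
    allowed, so a filter cannot smuggle in arbitrary code."""
    stripped = re.sub(r"'[^']*'", "", match)
    if not re.fullmatch(r"[\s()]*((and|or|not)[\s()]*)*", stripped):
        raise ValueError(f"unsupported token in filter: {match!r}")
    return re.sub(r"'([^']*)'", r"('\1' in tags)", match)


def resolve_dag(match: str, pods: List[Dict]) -> List[str]:
    """Return the sorted IPs of pods whose tags satisfy the dynamic
    address group match expression (the group's current members)."""
    code = _to_python(match)
    return sorted(p["ip"] for p in pods
                  if eval(code, {"__builtins__": {}}, {"tags": pod_tags(p)}))


if __name__ == "__main__":
    print(resolve_dag("'k8s.ns.prod' and 'k8s.label.app.web'", PODS))
    print(resolve_dag("'k8s.ns.prod' and not 'k8s.label.app.web'", PODS))
```

Because the group is recomputed from tags rather than from static IPs, a pod that is rescheduled with a new address stays in the correct group as long as its namespace and labels do not change.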
—To support the distributed architecture, the CN-Series
firewall has four Docker images that are available on the Palo Alto Networks portal. These
images are published as three compressed tar archives (tar.gz format); you
must download and extract the archives and then push the images to your image registry. Make
sure that the image versions and the YAML file versions are compatible. The compressed
archive includes the firewall management plane (CN-MGMT) and firewall
dataplane (CN-NGFW) images.
The unzipped image names are,
—This archive includes the init container (CN-INIT) that contains the utilities
required to deploy the management plane on the firewall. The init
container enables secure IPSec communication between the CN-MGMT
and CN-NGFW Pods. The unzipped image name is for example:
—This archive includes
the CNI plugin that enables connectivity between the CN-MGMT and
CN-NGFW pods and reconfigures the network interfaces on the application
pods to redirect traffic to the CN-NGFW pod on each node. The unzipped
image name is for example:
The image names listed above are examples and will change to reflect the latest release. You can
find the latest images on the Palo Alto Networks portal.
—The YAML files that
include the required fields and object specifications for deploying
the resources in your Kubernetes clusters, and are published on GitHub.
All the YAML files
you need, for a supported environment such as native Kubernetes
or GKE, are combined and zipped in one folder for your convenience.
The YAML files can also be deployed automatically through Helm
charts, which is the recommended method of deploying the CN-Series firewall.
CN-MGMT has three YAML files—
CN-NGFW as a DaemonSet has two YAML files—
. The CN-NGFW
as a Kubernetes Service has
addition to the previously mentioned files.
CNI plugin has three YAML files—
you are deploying the CN-Series on environments with the Multus
CNI that acts as a
, and calls other CNI plugins
you have to choose either
When deploying the CN-Series on OpenShift, where Multus is enabled by default,
pan-cni.yaml is adequate. If instead you are deploying the CN-Series
on an environment where the Multus CNI is supported but optional,
such as self-managed (native) environments, use pan-cni-multus.yaml
instead of pan-cni.yaml.
There is also a
is referenced in the service account creation section below.
For OpenShift deployments there is an additional
Service Account Creation
for the CN-MGMT and CN-NGFW pods to authenticate to the cluster.
for the Kubernetes plugin on Panorama to authenticate to the cluster.
Persistent volume YAML for Native Kubernetes deployments
—This YAML is only provided for proof-of-concept (PoC) deployments with single-node clusters. Palo Alto Networks
strongly recommends the use of dynamically provisioned persistent
volumes for storing the configuration and logs of the CN-MGMT pods
that are referenced in the
Make sure to set up a persistent volume within the cluster for both
CN-MGMT pods.
License auth code
—The auth code
enables you to license each instance of the CN-NGFW pod deployed
on each node within a cluster.
The license auth code is tied
to the CN-Series deployment profile you created on the Palo Alto
Networks CSP. Additionally, it enables any security subscriptions
you selected when creating your deployment profile.