Secure Kubernetes Workloads with CN-Series Firewall


Secure Kubernetes Workloads with CN-Series Firewall

Table of Contents

Secure Kubernetes Workloads with CN-Series Firewall

Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
  • CN-Series 10.1.x or above Container Images
  • Panorama
    running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client
    for CN-Series deployment with Helm
CN-Series firewalls deploy as two sets of pods: one for the management plane (CN-MGMT) and another for the firewall dataplane (CN-NGFW). The firewall dataplane runs as a daemon set, allowing a single command from within Kubernetes to deploy firewalls on all nodes in a Kubernetes cluster at once. The management plane runs as a Kubernetes service.
CN-Series firewalls are managed through the Panorama console. A Kubernetes plugin within Panorama provides contextual information about containers in an environment, and this seamlessly enables context-based network security policies.
For example, Kubernetes namespaces can be used to define a traffic source in a firewall policy. You can deploy CN-Series firewalls in Kubernetes environments hosted on-premises or in public clouds.
CN-Series firewalls can also be deployed into cloud-managed Kubernetes offerings, including Google Kubernetes Engine (GKE®), Azure Kubernetes Service (AKS), Alibaba Cloud (ACK), and Amazon Elastic Kubernetes Service (EKS). You can also deploy via Kubernetes package managers, such as Helm.
CN-Series offers threat protection for inbound, outbound, and east-west traffic between container trust zones and other workload types, without slowing the speed of development.
Deploy the CN-Series for Layer 7 visibility into container traffic and enforce security policies with threat prevention profiles to protect allowed traffic across Kubernetes namespace boundaries, and share that context with the hardware and VM-Series firewalls to ensure a consistent policy enforcement model across your entire hybrid cloud environment.
Prevent Data Exfiltration from Kubernetes Environments
CN-Series firewalls offer a multitude of security capabilities to prevent exfiltration of sensitive data from Kubernetes environments. Traffic content inspection—including inspection of TLS-/SSL-encrypted traffic—ensures that packets containing malicious payloads are identified and remediated. URL Filtering bars outbound connections to potentially nefarious websites, including malicious code repositories.
Prevent Lateral Spread of Threats Across Kubernetes Namespace Boundaries
Trust boundaries between applications are logical locations to enforce segmentation policies that prevent the lateral movement of threats. In many Kubernetes environments, the Kubernetes namespace is the trust boundary. CN-Series firewalls can enforce Threat Prevention policies between Kubernetes namespaces as well as between a Kubernetes namespace and other workload types (For example, VMs and bare metal servers), to deter threats from moving between your cloud native applications and your legacy infrastructure.

Recommended For You