Secure Kubernetes Workloads with CN-Series Firewall
Where Can I Use This?
What Do I Need?
CN-Series 10.1.x or above Container Images
running PAN-OS 10.1.x or above version
Helm 3.6 or above version client
for CN-Series deployment with Helm
CN-Series firewalls deploy as two sets of pods: one for the management plane (CN-MGMT)
and another for the firewall dataplane (CN-NGFW). The firewall dataplane runs as a
daemon set, allowing a single command from within Kubernetes to deploy firewalls on all
nodes in a Kubernetes cluster at once. The management plane runs as a Kubernetes
CN-Series firewalls are managed through the Panorama console. A Kubernetes plugin within
Panorama provides contextual information about containers in an environment, and this
seamlessly enables context-based network security policies.
For example, Kubernetes namespaces can be used to define a traffic source in a firewall
policy. You can deploy CN-Series firewalls in Kubernetes environments hosted on-premises
or in public clouds.
CN-Series firewalls can also be deployed into cloud-managed Kubernetes offerings,
including Google Kubernetes Engine (GKE®), Azure Kubernetes Service (AKS), Alibaba Cloud
(ACK), and Amazon Elastic Kubernetes Service (EKS). You can also deploy via Kubernetes
package managers, such as Helm.
CN-Series offers threat protection for inbound, outbound, and east-west
traffic between container trust zones and other workload types, without slowing the
speed of development.
Deploy the CN-Series for Layer 7 visibility into container traffic and
enforce security policies with threat prevention profiles to protect allowed traffic
across Kubernetes namespace boundaries, and share that context with the hardware and
VM-Series firewalls to ensure a consistent policy enforcement model across your entire
hybrid cloud environment.
Prevent Data Exfiltration from Kubernetes Environments
CN-Series firewalls offer a multitude of security capabilities to prevent exfiltration of
sensitive data from Kubernetes environments. Traffic content inspection—including
inspection of TLS-/SSL-encrypted traffic—ensures that packets containing malicious
payloads are identified and remediated. URL Filtering bars outbound connections to
potentially nefarious websites, including malicious code repositories.
Prevent Lateral Spread of Threats Across Kubernetes Namespace Boundaries
Trust boundaries between applications are logical locations to enforce segmentation
policies that prevent the lateral movement of threats. In many Kubernetes environments,
the Kubernetes namespace is the trust boundary. CN-Series firewalls can enforce Threat
Prevention policies between Kubernetes namespaces as well as between a Kubernetes
namespace and other workload types (For example, VMs and bare metal servers), to deter
threats from moving between your cloud native applications and your legacy