CN-Series
Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart
Deploy CN-Series firewalls with Helm charts and templates.
The Helm repository contains charts and templates for deploying the Palo Alto Networks
CN-Series containerized firewall using the Helm package manager for Kubernetes.
You can download CN-Series Helm Charts from GitHub.
- Prepare to Use the Helm Charts and Templates
- Deploy the CN-Series Firewall Using HELM Chart (Recommended)
- Deploy the CN-Series Firewall through the YAML Files
Prepare to Use the Helm Charts and Templates
Install the required software. These instructions
list the minimum versions, but you can install a later version in
the same family unless an upper limit is specified.
- Deploy CN-Series firewall 10.1.x, 10.2.x, 11.0.x, or 11.1.x container images.
- Install a Kubernetes version between 1.16 and 1.25 and create a Kubernetes cluster. For the supported Kubernetes versions for your environment, see CN-Series Deployment Supported Environments.
- Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
- Ensure that the Panorama PAN-OS version is 10.x.x or later.
- Install the Kubernetes plugin for Panorama version 1.0.x or 2.0.x.
- Install the Helm client version 3.6.0 or later.
Continue to Deploy the CN-Series Firewall Using HELM Chart (Recommended) or Deploy the CN-Series Firewall through the YAML Files.
Deploy the CN-Series Firewall Using HELM Chart (Recommended)
Use this procedure to clone the repository
and deploy from your local environment.
- Clone the repository from GitHub:
  $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
- Change into the local directory for the cloned repository. For example:
  $ cd cn-series-helm
- Change to the subdirectory for your deployment:
  - Use the directory helm_cnv1 to deploy the CN-Series as a DaemonSet.
  - Use the directory helm_cnv2 to deploy the CN-Series as a Service.
  - Use the directory helm_cnv3 to deploy the CN-Series as a CNF.
- Download the service account YAML (plugin-serviceaccount.yaml) and apply it. The service account grants the permissions that Panorama requires to authenticate to the cluster and retrieve Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
  kubectl apply -f plugin-serviceaccount.yaml
  To view the secrets associated with this service account:
  kubectl -n kube-system get secrets | grep pan-plugin-user
  Create the credential file, named cred.json in this example, that contains that secret, and save it (use > rather than >> so that re-running the command overwrites the file instead of appending a second JSON document to it):
  kubectl -n kube-system get secrets <secret-from-above-command> -o json > cred.json
  You upload this file to Panorama when you set up the Kubernetes plugin for monitoring the clusters, in Install the Kubernetes plugin for CN-Series firewall. The file holds the service account's bearer token and the cluster CA certificate, so store and transfer it as you would any cluster credential. On Kubernetes 1.24 and later, token Secrets are no longer created automatically for service accounts; if the grep returns nothing, the applied YAML must define a Secret of type kubernetes.io/service-account-token annotated with the service account name.
  On OpenShift, you must manually deploy the pan-cni-net-attach-def.yaml file in each OpenShift namespace before deploying the Helm charts.
- Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv1 subdirectory:
  # The K8s environment
  # Valid deployTo tags are: [gke|eks|aks||native]
  # Valid multus tags are : [enable|disable]
  # Keep the multus as enable for openshift and native deployments.
  cluster:
    deployTo: eks
    multus: disable

  # Panorama tags
  panorama:
    ip: "<Panorama-IP>"
    ip2:
    authKey: "<Panorama-auth-key>"
    deviceGroup: "<Panorama-device-group>"
    template: "<panorama-template-stack>"
    cgName: "<panorama-collector-group>"

  # MP container tags
  mp:
    initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
    initVersion: latest
    image: gcr.io/pan-cn-series/panos_cn_mgmt
    version: 10.2.3
    cpuLimit: 4

  # DP container tags
  dp:
    image: gcr.io/pan-cn-series/panos_cn_ngfw
    version: 10.2.3
    cpuLimit: 2

  # CNI container tags
  cni:
    image: gcr.io/pan-cn-series/pan_cni
    version: latest
  The version fields select the image tag the cluster pulls. latest is a mutable tag, so for a reproducible deployment pin each version to the specific tag you validated.
- View the rendered YAML files:
  helm install --debug --generate-name helm_cnv1/ --dry-run
- Perform a lint check on the Helm charts:
  helm lint helm_cnv1/
- Deploy the Helm charts:
  helm install <deployment-name> helm_cnv1
  Persistent volume claims are not deleted when a Helm chart is uninstalled. You must clear these claims beforehand for the Helm install to work.
  For more information on Helm, see HELM Classic: A Kubernetes Package Manager.
Deploy the CN-Series Firewall through the YAML Files
- Download the service account YAML (plugin-serviceaccount.yaml) and apply it. The service account grants the permissions that Panorama requires to authenticate to the cluster and retrieve Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
  kubectl apply -f plugin-serviceaccount.yaml
  To view the secrets associated with this service account:
  kubectl -n kube-system get secrets | grep pan-plugin-user
  Create the credential file, named cred.json in this example, that contains that secret, and save it (use > rather than >> so that re-running the command overwrites the file instead of appending a second JSON document to it):
  kubectl -n kube-system get secrets <secret-from-above-command> -o json > cred.json
  You upload this file to Panorama when you set up the Kubernetes plugin for monitoring the clusters, in Install the Kubernetes plugin for CN-Series firewall. The file holds the service account's bearer token and the cluster CA certificate, so store and transfer it as you would any cluster credential. On Kubernetes 1.24 and later, token Secrets are no longer created automatically for service accounts; if the grep returns nothing, the applied YAML must define a Secret of type kubernetes.io/service-account-token annotated with the service account name.
  On OpenShift, you must manually deploy the pan-cni-net-attach-def.yaml file in each OpenShift namespace before deploying the Helm charts.
- Add the CN-Series repository to your local Helm client. Name the repository cn-series so that the chart reference used in the install command (cn-series/cn-series) resolves:
  $ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
  "cn-series" has been added to your repositories
- Confirm the repository has been added to your Helm client:
  $ helm search repo cn-series
- Select the kubeconfig context for the target Kubernetes cluster (kubectl config set-cluster only edits a cluster entry; it does not switch to it):
  $ kubectl config use-context <context-name>
- Deploy using the Helm chart repository. With Helm 3 the release name is the first positional argument (the Helm 2 --name flag is not accepted). Edit the following command to include your configuration information:
  $ helm install <deployment-name> cn-series/cn-series \
      --set cluster.deployTo="gke|eks|aks|openshift" \
      --set panorama.ip="panorama hostname or ip" \
      --set panorama.ip2="panorama2 hostname or ip" \
      --set-string panorama.authKey="vm auth key" \
      --set panorama.deviceGroup="device group" \
      --set panorama.template="template stack" \
      --set panorama.cgName="collector group" \
      --set cni.image="container repo" \
      --set cni.version="container version" \
      --set mp.initImage="container repo" \
      --set mp.initVersion="container version" \
      --set mp.image="container repo" \
      --set mp.version="container version" \
      --set mp.cpuLimit="cpu max" \
      --set dp.image="container repo" \
      --set dp.version="container version" \
      --set dp.cpuLimit="cpu max"
  The auth key passed with --set-string is recorded in your shell history and in the release's stored values (shown by helm get values <deployment-name>); treat it as a password and restrict who can read the release storage and your history file.
  Persistent volume claims are not deleted when a Helm chart is uninstalled. You must clear these claims beforehand for the Helm install to work.
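The credential-file step in both procedures above (Helm chart and YAML files) hands Panorama the service account's bearer token, and a malformed or wrong-account cred.json only fails later, inside the plugin. The following Python script is an added example, not Palo Alto Networks code and not part of the cn-series-helm repository. It checks a cred.json before upload: that the file is a single Secret of type kubernetes.io/service-account-token, that it belongs to pan-plugin-user in kube-system, that it carries a PEM CA certificate, and that the token's subject claim names that same service account. The script name check_cred.py and the sample Secret it builds are constructed for the example; the sample's JWT signature and certificate body are placeholders, and the script does not verify the token signature (that needs the cluster's service-account signing key).

```python
"""Sanity-check a CN-Series plugin credential file (cred.json) before uploading it to Panorama."""
import base64
import json
import sys

# Defaults match the service account that plugin-serviceaccount.yaml creates.
EXPECTED_SA = "pan-plugin-user"
EXPECTED_NS = "kube-system"
SECRET_TYPE = "kubernetes.io/service-account-token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_cred(cred_json: str, sa: str = EXPECTED_SA, ns: str = EXPECTED_NS) -> dict:
    """Return a summary of the credential, or raise ValueError describing the first problem found.

    Only the structure and the token's claims are checked; the JWT signature is not
    verified here because that needs the cluster's service-account signing key.
    """
    # A file written with '>>' twice holds two JSON documents; json.loads rejects that ("Extra data").
    secret = json.loads(cred_json)
    if secret.get("kind") != "Secret":
        raise ValueError("file is not a single Kubernetes Secret object")
    if secret.get("type") != SECRET_TYPE:
        raise ValueError(f"secret type is {secret.get('type')!r}, expected {SECRET_TYPE!r}")
    meta = secret.get("metadata", {})
    if meta.get("namespace") != ns:
        raise ValueError(f"secret is in namespace {meta.get('namespace')!r}, expected {ns!r}")
    owner = meta.get("annotations", {}).get("kubernetes.io/service-account.name")
    if owner != sa:
        raise ValueError(f"secret belongs to service account {owner!r}, expected {sa!r}")
    data = secret.get("data", {})
    missing = [k for k in ("token", "ca.crt") if k not in data]
    if missing:
        raise ValueError(f"secret data is missing {missing}")
    ca_crt = base64.b64decode(data["ca.crt"])
    if not ca_crt.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt is not a PEM certificate")
    token = base64.b64decode(data["token"]).decode("ascii")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    expected_sub = f"system:serviceaccount:{ns}:{sa}"
    if claims.get("sub") != expected_sub:
        raise ValueError(f"token subject is {claims.get('sub')!r}, expected {expected_sub!r}")
    return {"secret_name": meta.get("name"), "subject": claims["sub"], "ca_bytes": len(ca_crt)}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_sample_secret(sa: str = EXPECTED_SA, ns: str = EXPECTED_NS) -> str:
    """Constructed stand-in for cred.json: the JWT signature and the CA body are placeholders, not real values."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode())
    claims = _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": ns,
        "kubernetes.io/serviceaccount/service-account.name": sa,
        "sub": f"system:serviceaccount:{ns}:{sa}",
    }).encode())
    token = f"{header}.{claims}.{_b64url(b'constructed-placeholder-signature')}"
    ca_pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": SECRET_TYPE,
        "metadata": {
            "name": f"{sa}-token-x7k2q",
            "namespace": ns,
            "annotations": {"kubernetes.io/service-account.name": sa},
        },
        "data": {
            "ca.crt": base64.b64encode(ca_pem).decode("ascii"),
            "namespace": base64.b64encode(ns.encode()).decode("ascii"),
            "token": base64.b64encode(token.encode()).decode("ascii"),
        },
    }
    return json.dumps(secret, indent=2)


if __name__ == "__main__":
    # Usage: python check_cred.py cred.json   (with no argument the constructed sample is checked)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_secret()
    print(validate_cred(text))
```

Run it against the real file with python check_cred.py cred.json before uploading to Panorama. Because json.loads refuses a file that holds two concatenated documents, the check also catches the case where the kubectl command was run with >> more than once.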