>
    Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. Deploy the CN-Series Firewalls
    4. Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart
    Download PDF
    CN-Series

    Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart

    Table of Contents

    Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart

    Deploy CN-Series firewalls with Helm charts and templates.
    Where Can I Use This?What Do I Need?
    • CN-Series deployment
    • CN-Series 10.1.x or above Container Images
    • Panorama running PAN-OS 10.1.x or above version
    • Helm 3.6 or above version client for CN-Series deployment with Helm
    The Helm repository contains charts and templates for deploying the Palo Alto Networks CN-series containerized firewall using the Helm Packet Manager for Kubernetes.
    You can download CN-Series Helm Charts from GitHub.

    Prepare to Use the Helm Charts and Templates

    Install the required software. These instructions list the minimum versions, but you can install a later version in the same family unless an upper limit is specified.
    1. Deploy CN-Series firewall 10.1.x, 10.2.x, 11.0.x, or 11.1.x container images.
    2. Install a Kubernetes version between 1.16 - 1.25 and create a Kubernetes cluster. For more information on supported kubernetes version for your environments, see CN-Series Deployment Supported Environments.
    3. Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
      1. Ensure that the Panorama PAN-OS version is 10.x.x or later.
      2. Install the Kubernetes plugin for Panorama version 1.0.x or 2.0.x.
    4. Install the Helm client version 3.6.0 or later.
      Continue to Deploy the CN-Series Firewall Using HELM Chart (Recommended)
      or Deploy the CN-Series Firewall through the YAML Files.

    Deploy the CN-Series Firewall Using HELM Chart (Recommended)

    Use this procedure to clone the repository and deploy from your local environment.
    1. Generate the VM auth key on Panorama.
    2. Clone the repository from GitHub.
      $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
    3. Change into a local directory for the cloned repository. For example:
      $ cd cn-series-helm
    4. Change to the subdirectory for your deployment.
      • Use the directory helm_cnv1 to deploy the CN-Series as a daemon set
      • Use the directory helm_cnv2 to deploy CN-Series as a service.
      • Use the directory helm_cnv3 to deploy CN-Series as a cnf.
    5. Download the service account YAML for the plugin-serviceaccount.yaml and apply the yaml. The service account enables the permissions that Panorama requires to authenticate to the cluster for retrieving Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
      kubectl apply -f plugin-serviceaccount.yaml
      kubectl -n kube-system get secrets | grep pan-plugin-user
      To view the secrets associated with this service account.
      kubectl -n kube-system get secrets <secrets-from-above-command> -o json >> cred.json
      Create the credential file, named cred.json in this example, that includes the secrets and save this file. You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters in Install the Kubernetes plugin for CN-Series firewall.
      On Openshift, you must manually deploy the pan-cni-net-attach-def.yaml for each Openshift namespace file before deploying the Helm charts.
    6. Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv1 subdirectory.
      # The K8s environment 
# Valid deployTo tags are: [gke|eks|aks||native]
# Valid multus tags are : [enable|disable] Keep the multus as enable for openshift and native deployments.
cluster:
  deployTo: eks
  multus: disable 
      # Panorama tags
panorama:
  ip: "<Panorama-IP>" 
  ip2: 
  authKey: "<Panorama-auth-key>"
  deviceGroup: "<Panorama-device-group>"
  template: "<panorama-template-stack>" 
  cgName: "<panorama-collector-group>"
      # MP container tags
mp:
  initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
  initVersion: latest
  image: gcr.io/pan-cn-series/panos_cn_mgmt
  version: 10.2.3
  cpuLimit: 4

# DP container tags
dp:
  image: gcr.io/pan-cn-series/panos_cn_ngfw
  version: 10.2.3
  cpuLimit: 2

# CNI container tags
cni:
  image: gcr.io/pan-cn-series/pan_cni
  version: latest
    7. View the rendered YAML files.
      helm install --debug --generate-name helm_cnv1/ --dry-run
    8. Perform a lint check on the helm charts.
      helm lint helm_cnv1/
    9. Deploy the HELM charts.
      helm install <deployment-name> helm_cnv1
      Persisten volume claims are not deleted when a HELM Chart is uninstalled. You must ensure that you clear these claims beforehand for the HELM install to work.
      For more information HELM, see HELM Classic: A Kubernetes Package Manager.

    Deploy the CN-Series Firewall through the YAML Files

    To deploy without cloning the repository, add the repository to your Helm client.
    1. Generate the VM auth key on Panorama.
    2. Download the service account YAML for the plugin-serviceaccount.yaml and apply the yaml. The service account enables the permissions that Panorama requires to authenticate to the cluster for retrieving Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
      kubectl apply -f plugin-serviceaccount.yaml
      kubectl -n kube-system get secrets | grep pan-plugin-user
      To view the secrets associated with this service account.
      kubectl -n kube-system get secrets <secrets-from-above-command> -o json >> cred.json
      Create the credential file, named cred.json in this example, that includes the secrets and save this file. You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters in Install the Kubernetes plugin for CN-Series firewall.
      On Openshift, you must manually deploy the pan-cni-net-attach-def.yaml for each Openshift namespace file before deploying the Helm charts.
    3. Add the CN-Series repository to your local Helm client.
      Enter this command on a single line:
      $ helm repo add my-project https://paloaltonetworks.github.io/cn-series-helm
      "cn-series" has been added to your repositories
    4. Confirm the repository has been added to your Helm client.
      $ helm search repo cn-series
    5. Select the Kubernetes cluster.
      $ kubectl config set-cluster NAME
    6. Deploy using the Helm chart repository. Edit the following command to include your configuration information.
      $ helm install cn-series/cn-series --name="deployment name"
      --set cluster.deployTo="gke|eks|aks|openshift"
      --set panorama.ip="panorama hostname or ip"
      --set panorama.ip2="panorama2 hostname or ip"
      --set-string panorama.authKey="vm auth key"
      --set panorama.deviceGroup="device group"
      --set panorama.template="template stack"
      --set panorama.cgName="collector group"
      --set cni.image="container repo"
      --set cni.version="container version"
      --set mp.initImage="container repo"
      --set mp.initVersion="container version"
      --set mp.image="container repo"
      --set mp.version="container version"
      --set mp.cpuLimit="cpu max"
      --set dp.image="container repo"
      --set dp.version="container version"
      --set dp.cpuLimit="cpu max"
      Persistent volume claims are not deleted when a HELM Chart is uninstalled. You must ensure that you clear these claims beforehand for the HELM install to work.

    © 2024 Palo Alto Networks, Inc. All rights reserved.