CN-Series Firewall Deployment Modes
  • CN-Series Firewall Deployment Modes
  • CN-Series Documentation
  • All Documentation
>
High Availability Support for CN-Series Firewall as a Kubernetes CNF
Focus
Download PDF
Focus
  1. Home
  2. CN-Series
  3. CN-Series Firewall Deployment Modes
  4. High Availability and DPDK Support for CN-Series Firewall
  5. High Availability Support for CN-Series Firewall as a Kubernetes CNF
Download PDF
CN-Series

High Availability Support for CN-Series Firewall as a Kubernetes CNF

Table of Contents

High Availability Support for CN-Series Firewall as a Kubernetes CNF

Where Can I Use This?What Do I Need?
  • CN-Series deployment
  • CN-Series 10.2.x or above Container Images
  • Panorama running PAN-OS 10.2.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure business continuity.
You can now deploy the CN-series-as-a-kubernetes-CNF in HA. This mode of deployment supports only active/passive HA with session and configuration synchronization.
When you deploy the CN-Series-as-a-Kubernetes CNF in HA, there will be two PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW YAML files each for active and passive nodes.
To successfully deploy the CN-Series firewall as a Kubernetes CNF in HA with layer 3 support:
  • In HA, each Kubernetes node should have at least three interfaces: Management (default), HA2 interface, and data interface.
  • For CN-Series firewall in L3 mode, there should be at least two interfaces: Management (default) and data interface.
  • Modify the new Network Attachment definition YAML files with the following changes:
    • Ensure that the PAN_HA_SUPPORT parameter value is true in the following YAML files:
      pan-cn-mgmt-configmap-0.yaml
      pan-cn-mgmt-configmap-1.yaml
    • Retrieve the pciBusID value from the hypervisor interface running the following command:
      ethtool -i interface name
      Add the above retrieved pciBusID value to the following Network definition files:
      net-attach-def-1.yaml
      net-attach-def-2.yaml
      net-attach-def-3.yaml
      net-attach-def-ha2-0.yaml
      net-attach-def-ha2-1.yaml
    • Retrieve the static IP address of the HA2 interface from the corresponding node instance on the AWS console and add it to the address parameter of net-attach-def-ha2-0.yaml and net-attach-def-ha2-1.yaml file.
    If you are using Advanced Routing consider that CN-Series firewalls deployed in CNF mode are only supported in EKS and on-prem environments. If you are using Advanced Routing with the Kubernetes 3.0.0 plugin, you must configure it manually on the template stack; in the file pan-cn-mgmt-console.yaml, set the flag PAN_ADVANCED_ROUTING:”true”.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.