High Availability Support for CN-Series Firewall as a Kubernetes CNF
| Where Can I Use This? | What Do I Need? |
| --- | --- |
|  | CN-Series 10.2.x or above container images; Panorama running PAN-OS 10.2.x or above; Helm 3.6 or above client for CN-Series deployment with Helm |
High availability (HA) is a configuration
in which two firewalls are placed in a group and their configuration
is synchronized to prevent a single point of failure on your network.
A heartbeat connection between the firewall peers ensures seamless failover
in the event that a peer goes down. Setting up the firewalls in
a two-device cluster provides redundancy and allows you to ensure
business continuity.
You can now deploy the CN-Series firewall as a Kubernetes CNF in HA. This
mode of deployment supports only active/passive HA with session
and configuration synchronization.
When you deploy the CN-Series firewall as a Kubernetes CNF in HA, there
are two of each of the PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW
YAML files: one for the active node and one for the passive node.
To successfully deploy the CN-Series firewall as a Kubernetes
CNF in HA with layer 3 support:
- In HA, each Kubernetes node should have at least three
interfaces: Management (default), HA2 interface, and data interface.
- For the CN-Series firewall in L3 mode, there should be at least two
interfaces: Management (default) and data interface.
Modify the new Network Attachment definition YAML files with
the following changes: