CN-Series
High Availability Support for CN-Series Firewall as a Kubernetes CNF
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover if a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and helps you ensure business continuity.

You can now deploy the CN-Series as a Kubernetes CNF in HA. This deployment mode supports only active/passive HA with session and configuration synchronization.

When you deploy the CN-Series as a Kubernetes CNF in HA, there are two copies of each of the PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW YAML files: one for the active node and one for the passive node.
To successfully deploy the CN-Series firewall as a Kubernetes CNF in HA with layer 3 support:
- In HA, each Kubernetes node should have at least three interfaces: Management (default), HA2 interface, and data interface.
- For the CN-Series firewall in L3 mode, there should be at least two interfaces: Management (default) and data interface.
- Modify the new Network Attachment Definition YAML files with the following changes:
  - Ensure that the PAN_HA_SUPPORT parameter value is true in the following YAML files:
    - pan-cn-mgmt-configmap-0.yaml
    - pan-cn-mgmt-configmap-1.yaml
  - Retrieve the pciBusID value from the hypervisor interface by running the following command: `ethtool -i <interface name>`
  - Add the retrieved pciBusID value to the following Network Attachment Definition files:
    - net-attach-def-1.yaml
    - net-attach-def-2.yaml
    - net-attach-def-3.yaml
    - net-attach-def-ha2-0.yaml
    - net-attach-def-ha2-1.yaml
  - Retrieve the static IP address of the HA2 interface from the corresponding node instance on the AWS console and add it to the address parameter of the net-attach-def-ha2-0.yaml and net-attach-def-ha2-1.yaml files.
  - If you are using Advanced Routing, consider that CN-Series firewalls deployed in CNF mode are supported only in EKS and on-prem environments. If you are using Advanced Routing with the Kubernetes 3.0.0 plugin, you must configure it manually on the template stack: in the file pan-cn-mgmt-console.yaml, set the flag PAN_ADVANCED_ROUTING: "true".
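The pciBusID and HA2 address steps above, as an added shell example that is not part of the CN-Series documentation or its YAML files: it reads the bus id from `ethtool -i` output, validates it, and renders a NetworkAttachmentDefinition. It assumes the net-attach-def files use the host-device CNI plugin with a static IPAM block (the documentation names only the pciBusID and address keys), and the interface, NAD name and IP values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the CN-Series documentation.
# Assumptions: the net-attach-def files use the host-device CNI plugin with a
# static IPAM block (the doc only names the pciBusID and address keys); the
# interface, NAD name and IP values below are constructed placeholders.

# Pull the PCI bus id out of `ethtool -i <iface>` output read from stdin.
# ethtool reports it on the "bus-info:" line, e.g. "bus-info: 0000:00:06.0".
pci_bus_id_from_ethtool() {
  sed -n 's/^bus-info:[[:space:]]*//p' | head -n 1
}

# Check the domain:bus:device.function form before writing it into YAML,
# so a blank or truncated value cannot silently produce an unusable NAD.
is_valid_pci_bus_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]$'
}

# Render a NetworkAttachmentDefinition.
#   $1 = NAD name, $2 = pciBusID, $3 = static address in CIDR form
# ($3 is optional: the HA2 attachments need one, data attachments may not).
render_net_attach_def() {
  nad_name=$1; pci=$2; addr=$3
  is_valid_pci_bus_id "$pci" || { echo "invalid pciBusID: '$pci'" >&2; return 1; }
  if [ -n "$addr" ]; then
    ipam=", \"ipam\": {\"type\": \"static\", \"addresses\": [{\"address\": \"$addr\"}]}"
  else
    ipam=""
  fi
  cat <<EOF
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: $nad_name
spec:
  config: '{"cniVersion": "0.3.0", "type": "host-device", "pciBusID": "$pci"$ipam}'
EOF
}

# Constructed sample of `ethtool -i eth1` output (in real use, pipe ethtool
# itself: ethtool -i eth1 | pci_bus_id_from_ethtool).
SAMPLE_ETHTOOL='driver: ena
version: 2.8.3
bus-info: 0000:00:06.0
supports-statistics: yes'

# Demo run on the constructed sample: prints the HA2 NAD for node 0.
DEMO_PCI=$(printf '%s\n' "$SAMPLE_ETHTOOL" | pci_bus_id_from_ethtool)
render_net_attach_def ha2-0 "$DEMO_PCI" 10.0.1.10/24
```

Render the data attachments the same way without the third argument, and the ha2-1 attachment with the address taken from the second node instance.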