>
    Deploy the CN-Series on OpenShift Operator Hub
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. Deploy the CN-Series on OpenShift Operator Hub
    Download PDF
    CN-Series

    Deploy the CN-Series on OpenShift Operator Hub

    Table of Contents

    Deploy the CN-Series on OpenShift Operator Hub

    On your OpenShift environment, deploy the CN-Series firewalls.
    Where Can I Use This?
    What Do I Need?
    • CN-Series
       deployment
    • CN-Series 10.1.x or above Container Images
    • Panorama
       running PAN-OS 10.2.x version and above
    The CN-Series Container firewall is now available on RedHat Openshift platform Operator Hub. You can deploy, configure, and operate CN-Series container firewalls directly from RedHat Operator Hub.
    Prerequisites for CN-Series on Openshift Operator Hub:
    The following are the prerequisites for deploying the CN-Series firewall on the Openshift operator hub:
    Deploy the CN-Series on an OpenShift Operator hub:
    The pan-cni secures traffic on the default
    eth0
     interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
    The pan-cni does not create a network and hence, does not need IP addresses like other CNI plugins.
    You require PAN-OS 10.2 or later to deploy the CN-Series on OpenShift Operator hub.
    Following are the steps to deploy the CN-Series firewall on your Redhat OpenShift operator hub:
    1. Log in to the Redhat OpenShift container console.
    2. Go to
      Operators
      , and then click
      OperatorHub
      .
    3. Enter
      Palo Alto
       in the Operator search box.
    4. Click
      pan-cn-series-operator
      .
      The install window opens when you click the
      pan-cn-series-operator
       tile.
    5. Click
      Install
       to install the pan-cn-series operator on your OpenShift cluster.
      Complete he pre-installation steps before the next deployment steps given here.
      If your service credential file is over 10KB, you must gzip the file and then do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
    6. On the navigation menu, go to
      Installed Operators
      , and then click
      pan-cn-series-operator
       that you have installed.
    7. Click
      Create Instance
      .
    8. Enter a unique operand
      Name
      .
    9. Enter the
      Minimum Replicas for DP
      ,
      Memory Unit
      , and
      vCPU Limit
       for DP and MP pods. For information on vCPU limits, see CN-Series Key Performance Metrics.
    10. Enter the
      Panorama IP Address
      .
    11. Optional
       Enter the
      Secondary Panorama IP Address
       for your HA deployment.
    12. Enter the CN-Series Panorama
      Auth Key
      .
    13. Enter the
      Panorama Device Group
      .
    14. Enter the
      Panorama Template Stack
      .
    15. Enter the
      Panorama Log Collector Group Name
      .
    16. Optional
       Enter the Customer Support Portal (CSP)
      Pin ID
      ,
      Pin value
      , and
      Alternate URL
      .
    17. Based on your PAN-OS version, link to the appropriate images for DP, MP, and CNI in the CN-Series Container registry console.
    18. Click
      Create
      .
    19. On the Navigation menu, go to
      pods
      .
    20. Select project
      OpenShift-operators
       and then go to
      kube-system
       to view the name and status of the CNI, management, and data plane pods that you deployed as part of the operand.
      You can check the firewall deployment status on Panorama. The
      Device State
       will change to Connected in less than 5 minutes after deployment.
    21. Configure the PALO ALTO NETWORKS-CNI plugin to work with the Multus CNI plugin.
      The Multus CNI on OpenShift functions as a
      meta-plugin
       that calls other CNI plugins. For each application you must:
      1. Run the following command to deploy the pan-cni-net-attach-def.yaml in every pod namespace:
        kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
      2. Modify the Application YAML.
        After you deploy the pan-cni-net-attach-def.yaml, in the app pod yaml add the following annotation:
        paloaltonetworks.com/firewall: pan-fw
        k8s.v1.cni.cncf.io/networks: pan-cni
        If you have other networks in the above annotation, add
        pan-cni
         after the networks that need inspection. The networks that follow
        pan-cni
         are not redirected and inspected.
        If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under the
        interfaces
         section in the
        pan-cni-configmap.yaml
         file.
        For example:
        
								template:
								    metadata:
								      annotations:
								         paloaltonetworks.com/firewall: pan-fw
								         k8s.v1.cni.cncf.io/networks: pan-cni

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.