CN-Series Key Concepts

Where Can I Use This?
  • CN-Series deployment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
The CN-Series firewall is designed to provide the tools you need to secure the applications in your containerized environment. To understand how the CN-Series fits into a containerized network, it is important to understand some key concepts.
  • Cluster—the foundation of your containerized environment; all your containerized applications run on top of a cluster.
  • Node—depending on the cluster, a node might be a virtual or physical machine that contains the necessary services required to run pods.
  • Pod—the smallest deployable computing unit that you can deploy and manage in Kubernetes. The CN-Series firewall is deployed in a distributed PAN-OS architecture as two pods: CN-MGMT and CN-NGFW. See CN-Series Core Building Blocks for more information.
  • Namespace—a namespace is a virtual cluster that is backed by a physical cluster. In an environment with many users spread across multiple teams and functions, a namespace can be used to separate them on a single cluster.
  • Container Network Interface (CNI)—a plugin that configures network interfaces for containers. Additionally, the CNI removes the allocated resources used for networking when a container is deleted.
  • DaemonSet—in a Kubernetes deployment, a DaemonSet ensures that some or all nodes run a copy of a particular pod. As nodes are added to a Kubernetes cluster, a copy of the pod defined by the DaemonSet is added to each new node. When you deploy the CN-Series firewall as a DaemonSet, a copy of the CN-NGFW pod is deployed on each node in your cluster (up to 30 per CN-MGMT pair).
  • Kubernetes Service—an abstraction that exposes an application running on a set of pods as a network service. When you deploy the CN-Series as a service, you define the number of CN-NGFW pods to deploy when setting up your YAML files.
  • Kubernetes CNF—Deploying the CN-series-as-a-kubernetes-CNF resolves challenges related to traffic that uses Service Function Chaining (SFC) through external entities such as a cloud provider's native routing, vRouters, and Top of Rack (TOR) switches. The CN-series-as-a-kubernetes-CNF mode of deployment does not impact the application pods.
  • Horizontal Pod Autoscaler (HPA)—Automatically scales the number of pods in a deployment, replica set, or stateful set based on various metrics such as CPU utilization or session utilization.
    HPA is supported on the CN-Series as a Kubernetes service only.
  • HSF—Palo Alto Networks CN-Series Hyperscale Security Fabric (HSF) 1.0 is a cluster of containerized next-gen firewalls that deliver a highly scalable and resilient next-gen firewall solution for Mobile Service Providers deploying 5G networks.