CN-Series Firewalls
Focus
Focus
Compatibility Matrix

CN-Series Firewalls

Table of Contents

CN-Series Firewalls

Learn about supported environments and required and compatible files for CN-Series firewalls.
The CN-Series firewall is supported only in certain environments and is compatible with or requires a specific set of files to do so.

CN-Series Supported Environments

You can deploy the CN-Series firewall in the following environments.
ProductPAN-OS 10.1PAN-OS 10.2PAN-OS 11.0PAN-OS 11.1PAN-OS 11.2
Container runtime
Docker
CRI-O
Containers
Docker
CRI-O
Containers
Docker
CRI-O
Containers
Docker
CRI-O
Containers
Docker
CRI-O
Containers
Kubernetes version
1.17 through 1.27
1.17 through 1.31
1.17 through 1.31
1.17 through 1.31
1.17 through 1.31
Cloud provider managed Kubernetes
  • AWS EKS (1.17 through 1.27 for CN-Series as a daemonset and CN-Series as a Service mode of deployment. )
  • EKS on AWS Outpost (1.17 through 1.22)
    CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
  • Azure AKS (1.17 through 1.27)
    In Azure AKS, the PAN-OS 10.1.10h1 is the minimum required version to support Kubernetes 1.25 and above.
  • AliCloud ACK (1.26)
  • GCP GKE (1.17 through 1.27)
  • AWS EKS (1.17 through 1.31 for CN-Series as a daemonset and CN-Series as a Service mode of deployment. )
  • AWS EKS (1.17 through 1.31 for CN-Series as a CNF mode of deployment.)
  • EKS on AWS Outpost (1.17 through 1.31)
    CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
  • Azure AKS (1.17 through 1.31)
    In Azure AKS, the PAN-OS 10.2.4h3 is the minimum required version to support Kubernetes 1.25 and above.
  • GCP GKE (1.17 through 1.31)
    In GCP GKE, the PAN-OS 10.2.4h3 is the minimum required version to support Kubernetes 1.25 and above.
  • Google Anthos 1.12.3
  • OCI OKE (1.23)
  • AWS EKS (1.17 through 1.31 for CN-Series as a daemonset and CN-Series as a Service mode of deployment. )
  • AWS EKS (1.17 through 1.31 for CN-Series as a CNF mode of deployment.)
  • EKS on AWS Outpost (1.17 through 1.31)
    CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
  • Azure AKS (1.17 through 1.31)
    In Azure AKS, the PAN-OS 11.0.2 is the minimum required version to support Kubernetes 1.25 and above.
  • GCP GKE (1.17 through 1.31)
  • OCI OKE (1.23)
  • AWS EKS (1.17 through 1.31 for CN-Series as a daemonset and CN-Series as a Service mode of deployment. )
  • AWS EKS (1.17 through 1.31 for CN-Series as a CNF mode of deployment.)
  • EKS on AWS Outpost (1.17 through 1.31)
    CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
  • Azure AKS (1.17 through 1.31)
    In Azure AKS, the PAN-OS 11.0.2 is the minimum required version to support Kubernetes 1.25 and above.
  • GCP GKE (1.17 through 1.31)
  • OCI OKE (1.23)
  • AWS EKS (1.17 through 1.31 for CN-Series as a daemonset and CN-Series as a Service mode of deployment. )
  • AWS EKS (1.17 through 1.31 for CN-Series as a CNF mode of deployment.)
  • EKS on AWS Outpost (1.17 through 1.31)
    CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
  • Azure AKS (1.17 through 1.31)
    In Azure AKS, the PAN-OS 11.0.2 is the minimum required version to support Kubernetes 1.25 and above.
  • GCP GKE (1.17 through 1.31)
  • OCI OKE (1.23)
Customer managed Kubernetes
On the public cloud or on-premises data center.
Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table.
VMware TKG+ version 1.1.2
  • Infrastructure Platform—vSphere 7.0
  • Kubernetes Host VM OS—Photon OS
On the public cloud or on-premises data center.
Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table.
VMware TKG+ version 1.1.2
  • Infrastructure Platform—vSphere 7.0
  • Kubernetes Host VM OS—Photon OS
On the public cloud or on-premises data center.
Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table.
VMware TKG+ version 1.1.2
  • Infrastructure Platform—vSphere 7.0
  • Kubernetes Host VM OS—Photon OS
On the public cloud or on-premises data center.
Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table.
VMware TKG+ version 1.1.2
  • Infrastructure Platform—vSphere 7.0
  • Kubernetes Host VM OS—Photon OS
On the public cloud or on-premises data center.
Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table.
VMware TKG+ version 1.1.2
  • Infrastructure Platform—vSphere 7.0
  • Kubernetes Host VM OS—Photon OS
Kubernetes Host VM
Operating System:
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu-22.04
  • RHEL/CentOS 7.3 and later
  • CoreOS 21XX, 22XX
  • Container-Optimized OS
Operating System:
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu-22.04
  • RHEL/CentOS 7.3 and later
  • CoreOS 21XX, 22XX
  • Container-Optimized OS
Operating System:
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu-22.04
  • RHEL/CentOS 7.3 and later
  • CoreOS 21XX, 22XX
  • Container-Optimized OS
Operating System:
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu-22.04
  • RHEL/CentOS 7.3 and later
  • CoreOS 21XX, 22XX
  • Container-Optimized OS
Operating System:
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu-22.04
  • RHEL/CentOS 7.3 and later
  • CoreOS 21XX, 22XX
  • Container-Optimized OS
Linux Kernel Netfilter: Iptables
Linux kernel version:
Linux kernel version:
Linux kernel version:
Linux kernel version:
Linux kernel version:
Linux kernel Netfilter: Iptables
Linux kernel Netfilter: Iptables
Linux kernel Netfilter: Iptables
Linux kernel Netfilter: Iptables
CNI Plugins
CNI Spec 0.3 and later:
  • AWS-VPC
  • Azure
  • Calico
  • Flannel
  • Weave
  • For AliCloud, Terway
  • For Openshift, OpenshiftSDN
  • The following are supported on the CN-Series firewall as a DaemonSet.
    • Multus
    • Bridge
    • SR-IOV
    • Macvlan
CNI Spec 0.3 and later:
  • AWS-VPC
  • Azure
  • Calico
  • Flannel
  • Weave
  • For Openshift, OpenshiftSDN, OVN Kubernetes
  • The following are supported on the CN-Series firewall as a DaemonSet.
    • Multus
    • Bridge
    • SR-IOV
    • Macvlan
CNI Spec 0.3 and later:
  • AWS-VPC
  • Azure
  • Calico
  • Flannel
  • Weave
  • For Openshift, OpenshiftSDN, OVN Kubernetes
  • The following are supported on the CN-Series firewall as a DaemonSet.
    • Multus
    • Bridge
    • SR-IOV
    • Macvlan
CNI Spec 0.3 and later:
  • AWS-VPC
  • Azure
  • Calico
  • Flannel
  • Weave
  • For Openshift, OpenshiftSDN, OVN Kubernetes
  • The following are supported on the CN-Series firewall as a DaemonSet.
    • Multus
    • Bridge
    • SR-IOV
    • Macvlan
CNI Spec 0.3 and later:
  • AWS-VPC
  • Azure
  • Calico
  • Flannel
  • Weave
  • For Openshift, OpenshiftSDN, OVN Kubernetes
  • The following are supported on the CN-Series firewall as a DaemonSet.
    • Multus
    • Bridge
    • SR-IOV
    • Macvlan
OpenShift
CN-Series as a DaemonSet:
4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, and 4.13
  • Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13,4.14, and 4.15
    OpenShift 4.7 is qualified on the CN-Series as a DaemonSet only.
  • OpenShift on AWS
The PAN-OS 10.2.4h3 is the minimum required version to support 4.12 and above.
  • Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13, 4.14, and 4.15
    OpenShift 4.7 is qualified on the CN-Series as a DaemonSet only.
    The PAN-OS 11.0.2 is the minimum required version to support 4.12 and above.
  • OpenShift on AWS
  • Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13, 4.14, and 4.15
    OpenShift 4.7 is qualified on the CN-Series as a DaemonSet only.
    The PAN-OS 11.0.2 is the minimum required version to support 4.12 and above.
  • OpenShift on AWS
  • Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13, 4.14, and 4.15
    OpenShift 4.7 is qualified on the CN-Series as a DaemonSet only.
    The PAN-OS 11.0.2 is the minimum required version to support 4.12 and above.
  • OpenShift on AWS
CN-Series as a K8s Service:
(PAN-OS 10.1.2 and later)
4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13, 4.14, and 4.15.
The PAN-OS 10.1.10h1 is the minimum required version to support 4.12 and above.

CN-Series Firewall Image and File Compatibility

Deploying the CN-Series firewall requires a number of different of files. To help ensure a successful deployment, check the following information to make sure you download the correct combination of files for CN-Series firewall deployment.
PAN-OS Version
YAML Version
CNI Version
mgmt-init Version
PAN-OS 11.2.x
PAN-OS 11.1.x
PAN-OS 11.0.x
PAN-OS 10.2.x
PAN-OS 10.1.x
3.0.x
3.0.x
3.0.x