CN-Series Firewall as a k8s Service

Enhanced Auto Scale Deployment for CN-Series Firewalls
You can now deploy the Palo Alto Networks Container Native Firewalls (CN-Series) as a service in your Kubernetes environment. By deploying the CN-Series firewall as a service, you are no longer required to deploy a CN-NGFW instance on each node in your environment. Instead, you can deploy the CN-Series anywhere in your cluster and any traffic in your environment is redirected to the CN-NGFW pods.
This is a new deployment mode for the CN-Series firewall that augments the previously released CN-Series-as-a-DaemonSet deployment mode.
The CN-Series firewall as a service requires Kubernetes 1.18 or later and kernel version 4.18 or later.
The CN-Series firewall as a service also supported the horizontal pod autoscaler. The HPA is a Kubernetes resource available in all cloud environments that automatically scales the number of CN-MGMT and CN-NGFW pods in a deployment based on monitored metrics. HPA uses two standard metrics across all cloud environments—CPU and memory utilization—as well as custom metrics specific to each cloud environment. As such, each cloud requires specific yaml files to enable HPA in AKS, EKS, and GKE.
HPA uses a cloud-specific metric adapter to retrieve metrics data from a monitoring adapter in the cloud environment, such as CloudWatch in EKS, to determine when to scale up or down based on the thresholds you define. You must modify the necessary yaml files to set the minimum and maximum number of replicas, the thresholds for each metric, and which metric are used in autoscaling your firewalls.
Cloud Environment
CN-MGMT metrics
  • pan-logging-rate
  • pan-dataplane-slots
CN-NFGW metrics
  • dataplane-cpu-utilization-pct
  • dataplane-packet-buffer-utilization
  • pan-session-active
  • pan-session-utilization
  • pan-session-ssl-proxy-utilization
  • pan-throughput
  • pan-packet-rate
  • pan-connections-per-second

Recommended For You