CN-Series – Full Bundle – Bundle 2 + Platinum Support



Firewall throughput (App-ID Enabled) 500 Mbps
Threat Prevention throughput 250 Mbps
Max sessions 20,000




The CN-Series Container next-generation firewall


Conventional NGFWs can only be deployed at the edge of a Kubernetes environment and therefore cannot determine the specific pod where traffic originates. To overcome this challenge, CN-Series container firewalls are deployed on each node of a Kubernetes cluster, giving them precise visibility into container traffic. The CN-Series delivers Layer 7 visibility and control while enabling the enforcement of advanced security services. This protection can be enforced on allowed traffic traversing namespace boundaries—whether outbound, inbound, or east-west—between pods, and even between containerized applications and legacy workloads, such as virtual machines (VMs) and bare metal servers.

CN-Series firewalls are easy to deploy through Kubernetes orchestration, which simplifies integrating network security into continuous integration/continuous development (CI/CD) processes. Ongoing management of CN-Series firewalls is centralized in Panorama™ network security management (the same management console used for all Palo Alto Networks firewalls), giving network security teams a single pane of glass to manage the overall network security posture of their organizations.


CN-Series firewalls deploy as two sets of pods: one for the management plane (CN-MGMT) and another for the firewall dataplane (CN-NGFW). The firewall dataplane runs as a daemon set, allowing a single command from within Kubernetes to deploy firewalls on all nodes in a Kubernetes cluster at once. The management plane simply runs as a Kubernetes service.

CN-Series firewalls are managed through the Panorama console. A Kubernetes plugin within Panorama provides contextual information about the containers in an environment, which enables context-based network security policies. For example, Kubernetes namespaces can be used to define a traffic source in a firewall policy.

Customers can deploy CN-Series firewalls in Kubernetes environments hosted on-premises or in public clouds. CN-Series firewalls can also be deployed into cloud-managed Kubernetes offerings, including Google Kubernetes Engine (GKE®), Azure Kubernetes Service (AKS), and Amazon Elastic Kubernetes Service (EKS).

Deployment via Kubernetes package managers, such as Helm, is also available and community-supported.


  • CN-Series Firewall
  • Threat Prevention Subscription
  • DNS Security Subscription
  • PAN-DB URL Filtering
  • WildFire Subscription
  • Platinum Support
  • 1 Year for Firewall, Subscriptions & Support