Conventional NGFWs can only be deployed at the edge of a Kubernetes environment and therefore cannot determine the specific pod where traffic originates. To overcome this challenge, CN-Series container firewalls are deployed on each node of a Kubernetes cluster, giving them precise visibility into container traffic. The CN-Series delivers Layer 7 visibility and control while enabling the enforcement of advanced security services. This protection can be enforced on allowed traffic traversing namespace boundaries—whether outbound, inbound, or east-west—between pods, and even between containerized applications and legacy workloads, such as virtual machines (VMs) and bare metal servers.
CN-Series firewalls are easy to deploy using Kubernetes orchestration to simplify integration of network security into continuous integration/continuous delivery (CI/CD) processes. Ongoing management of CN-Series firewalls is centralized in Panorama™ network security management—the same management console as all Palo Alto Networks firewalls—giving network security teams a single pane of glass to manage the overall network security posture of their organizations.
CN-Series firewalls deploy as two sets of pods: one for the management plane (CN-MGMT) and another for the firewall dataplane (CN-NGFW). The firewall dataplane runs as a daemon set, allowing a single command from within Kubernetes to deploy firewalls on all nodes in a Kubernetes cluster at once. The management plane simply runs as a Kubernetes service.
CN-Series firewalls are managed through the Panorama console. A Kubernetes plugin within Panorama provides contextual information about containers in an environment, and this seamlessly enables context-based network security policies. For example, Kubernetes namespaces can be used to define a traffic source in a firewall policy.
Customers can deploy CN-Series firewalls in Kubernetes environments hosted on-premises or in public clouds. CN-Series firewalls can also be deployed into cloud-managed Kubernetes offerings, including Google Kubernetes Engine (GKE®), Azure Kubernetes Service (AKS), and Amazon Elastic Kubernetes Service (EKS).
Deployment via Kubernetes package managers, such as Helm, is also available and community-supported.
- CN-SERIES Firewall
- Threat Prevention Subscription
- DNS Security Subscription
- PAN-DB URL Filtering
- WildFire Subscription
- Platinum Support
- 1 Year for Firewall, Subscriptions & Support