Getting Started with CN-Series
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
About the Documentation
• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2021-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
August 25, 2023
Getting Started with CN-Series
2
©2024 Palo Alto Networks, Inc.
Table of Contents
CN-Series Firewall for Kubernetes................................................................ 5
Secure Kubernetes Workloads with CN-Series Firewall....................................................6
CN-Series Key Concepts............................................................................................................8
CN-Series Core Building Blocks............................................................................................ 10
Components Required to Secure Kubernetes Clusters with CN-Series Firewall....... 16
Additional CN-Series Resources............................................................................................20
CN-Series System Requirements................................................................. 21
CN-Series System Requirements for the Kubernetes Cluster........................................22
CN-Series System Requirements for On-Premises Kubernetes Deployments...........25
CN-Series Performance and Scaling.....................................................................................26
Scale Supported on the CN-Series Components................................................... 26
Scale Supported on the Kubernetes Plugin on Panorama................................... 37
CN-Series Key Performance Metrics........................................................................37
CN-Series Deployment—Supported Environments...........................................................41
CN-Series Deployment Prerequisites......................................................... 51
License the CN-Series Firewall.............................................................................................. 52
Activate Credits..............................................................................................................53
Create a CN-Series Deployment Profile.................................................................. 54
Manage Deployment Profiles..................................................................................... 57
Install a Device Certificate on the CN-Series Firewall..................................................... 60
Create Service Accounts for Cluster Authentication....................................................... 63
Install the Kubernetes Plugin and Set up Panorama for CN-Series.............................. 65
Get the Images and Files for the CN-Series Deployment............................................... 75
Cortex Data Lake (CDL) Logging with CN-Series Firewall.....................81
IOT Security Support for CN-Series Firewall............................................87
Getting Started with CN-Series
3
©2024 Palo Alto Networks, Inc.
Table of Contents
Getting Started with CN-Series
4
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
The Palo Alto Networks Container Native Firewalls (CN-Series) are natively integrated into
kubernetes (k8s) to provide complete L7 visibility, application level segmentation, DNS Security,
and protection from advanced threats for traffic going across trusted zones in public cloud or
data center environments. It enables you to isolate and protect workloads, application stacks,
and services, even as individual containers scale up, down, or across hosts and consistently apply
security policies that are based on kubernetes labels.
Application deployment in a kubernetes environment is dynamic and the following teams are
often involved in the container life cycle:
• Platform (PAAS) Admin—Manages the Kubernetes clusters and other infrastructure
components in public cloud and data centers.
• App Teams—Deploy their individual containerized and other applications in kubernetes
namespaces/projects provided by PAAS admin.
• Security Admin—Provisions security for the entire deployment including kubernetes clusters
and individual containerized applications.
In this dynamic scenario and interplay with multiple teams, security management and monitoring
pose a challenge. The CN-Series enables your security administrator to provision security for
the containerized applications across a wide range of environments including Cloud Provider
Managed k8s such as GKE, EKS, AKS, AliCloud ACK, and Customer Managed k8s such as
Openshift, and Native k8s on the public cloud or on premises data centers. The CN-Series
uses Kubernetes constructs and metadata driven policy so that the teams can automate the
deployment and efficiently enforce security policy to consistently protect from known and
unknown threats.
5
CN-Series Firewall for Kubernetes
Secure Kubernetes Workloads with CN-Series Firewall
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
CN-Series firewalls deploy as two sets of pods: one for the management plane (CN-MGMT)
and another for the firewall dataplane (CN-NGFW). The firewall dataplane runs as a daemon
set, allowing a single command from within Kubernetes to deploy firewalls on all nodes in a
Kubernetes cluster at once. The management plane runs as a Kubernetes service.
CN-Series firewalls are managed through the Panorama console. A Kubernetes plugin within
Panorama provides contextual information about containers in an environment, and this
seamlessly enables context-based network security policies.
For example, Kubernetes namespaces can be used to define a traffic source in a firewall policy.
You can deploy CN-Series firewalls in Kubernetes environments hosted on-premises or in public
clouds.
CN-Series firewalls can also be deployed into cloud-managed Kubernetes offerings, including
Google Kubernetes Engine (GKE®), Azure Kubernetes Service (AKS), Alibaba Cloud (ACK), and
Amazon Elastic Kubernetes Service (EKS). You can also deploy via Kubernetes package managers,
such as Helm.
CN-Series offers threat protection for inbound, outbound, and east-west traffic between
container trust zones and other workload types, without slowing the speed of development.
Deploy the CN-Series for Layer 7 visibility into container traffic and enforce security policies with
threat prevention profiles to protect allowed traffic across Kubernetes namespace boundaries,
and share that context with the hardware and VM-Series firewalls to ensure a consistent policy
enforcement model across your entire hybrid cloud environment.
Prevent Data Exfiltration from Kubernetes Environments:
CN-Series firewalls offer a multitude of security capabilities to prevent exfiltration of sensitive
data from Kubernetes environments. Traffic content inspection—including inspection of TLS-/
SSL-encrypted traffic—ensures that packets containing malicious payloads are identified and
remediated. URL Filtering bars outbound connections to potentially nefarious websites, including
malicious code repositories.
Prevent Lateral Spread of Threats Across Kubernetes Namespace Boundaries:
Trust boundaries between applications are logical locations to enforce segmentation policies
that prevent the lateral movement of threats. In many Kubernetes environments, the Kubernetes
namespace is the trust boundary. CN-Series firewalls can enforce Threat Prevention policies
between Kubernetes namespaces as well as between a Kubernetes namespace and other
Getting Started with CN-Series
6
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
workload types (For example, VMs and bare metal servers), to deter threats from moving between
your cloud native applications and your legacy infrastructure.
Getting Started with CN-Series
7
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
CN-Series Key Concepts
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
The CN-Series firewall is designed to provide the tools you need to secure the applications in your
containerized environment. To understand how the CN-Series fits into a containerized network, it
is important to understand some key concepts.
• Cluster—the foundation of your containerized environment; all your containerized applications
run on top of a cluster.
• Node—depending on the cluster, a node might be a virtual or physical machine that contains
the necessary services required to pods.
• Pod—the smallest deployable computing unit that you can deploy and manage in Kubernetes.
The CN-Series firewall is deployed in a distributed PAN-OS architecture as two pods: CNMGMT and CN-NGFW. See CN-Series Core Building Blocks for more information.
• Namespace—a namespace is a virtual cluster that is backed by a physical cluster. In an
environment with many users spread across multiple teams and functions, a namespace can be
used to separate them on a single cluster.
• Container Network Interface (CNI)—a plugin that configures network interfaces for containers.
Additionally, the CNI removes the allocated resources used for networking when a container is
deleted.
• DaemonSet—in a Kubernetes deployment, a DaemonSet ensures that some or all nodes run
a copy of a particular pod. And as nodes are added to a Kubernetes cluster, a copy of the
pod defined by the DaemonSet is added to each new node. When you deploy the CN-Series
firewall as a DaemonSet, a copy of the CN-NGFW pod is deployed on each (up to 30 per CNMGMT pair) node in your cluster.
• Kubernetes Service—an abstraction that exposes an application running on a set of pods as
network service. When you deploy the CN-Series as a service, the number of CN-NGFW pods
deployed is defined by you when setting up your yaml files.
• Kuberenetes CNF- Deploying the CN-series-as-a-kubernetes-CNF resolves challenges related
to traffic that uses Service Function Chaining (SFC) through external entities such as cloud
provider's native routing, vRouters, and Top of Rack (TOR) switches. The CN-series-as-akubernetes-CNF mode of eployment does not impact the application pods.
Getting Started with CN-Series
8
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
• Horizontal Pod Autoscaler (HPA)—Automatically scales the number of pods in a deployment,
replica set, or stateful set based on various metrics such as CPU utilization or session
utilization.
HPA is supported on the CN-Series as a Kubernetes service only.
• HSF—Palo Alto Networks CN-Series Hyperscale Security Fabric (HSF) 1.0 is a cluster of
containerized next-gen firewalls that deliver a highly scalable and resilient next-gen firewall
solution for Mobile Service Providers deploying 5G networks.
Getting Started with CN-Series
9
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
CN-Series Core Building Blocks
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment using helm
The CN-Series firewall is the containerized next-generation firewall that provides visibility and
security for your containerized application workloads on Kubernetes clusters. The CN-Series
firewall uses native Kubernetes (K8s) constructs and Palo Alto Networks components to make this
possible.
The core building blocks to Deploy the cn-series firewall are:
• CN-Series Deployment Files—to deploy the CN-Series in your containerized environment, you
must download and deploy the various CN-Series deployment files.
• PAN-CN-MGMT—The init container generates certificates which are used for securing
communication between instances of CN-MGMT Pods and between CN-MGMT pods and
CN-NGFW pods.
• PAN-CN-MGMT-CONFIGMAP
• PAN-CN-MGMT-SECRET—Allows Panorama to authenticate the firewalls so that it can
add each firewall as a managed device. The VM auth key is required for the lifetime of the
deployment. Without a valid key in the connection request, the CN-Series firewall will be
unable to register with Panorama.
• PAN-CN-NGFW
• PAN-CN-NGFW-CONFIGMAP
• PAN-CNI
• PAN-CNI-CONFIGMAP
• PAN-CNI-MULTUS
• Distributed PAN-OS architecture with CN-MGMT and CN-NGFW pods—The management
plane (CN-MGMT) and data plane (CN-NGFW) of the containerized firewall are separate to
enable better runtime protection for applications and to support a smaller footprint. The CNMGMT and CN-NGFW are deployed using container images and YAML manifest files with
ConfigMap objects.
• CN-MGMT runs as a StatefulSet to ensure that it has persistent volume and is exposed as a
K8s service that can be discovered using DNS in the Kubernetes environment. The CN-MGMT
provides fault tolerance and a single CN-MGMT pod can manage the existing CN-NGFW pods
in the event of a restart or a failure of a CN-MGMT pod.
Getting Started with CN-Series
10
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
• CN-NGFW can be deployed as a DaemonSet or as a Kubernetes Service. DaemonSet
deployments suited for Kubernetes environments with larger nodes, pods that require low
latency, and/or requires high firewall capacity. The CN-Series as a Kubernetes Service is suited
for Kubernetes environments with smaller nodes and/or requires more dynamic firewalling.
• When deployed as a DaemonSet, each instance of the CN-NGFW pod can secure 30
application pods running on the same node. This architecture enables you to place the CNNGFW DaemonSet pod on each node that you want to protect workloads in a cluster, and
Getting Started with CN-Series
11
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
a pair of CN-MGMT pods can connect to and manage up to 30 CN-NGFW pods within a
cluster. For more information on limits, see CN-Series Performance and Scaling.
• When deployed as a Kubernetes Service, instances of the CN-NGFW can be deployed on
security nodes and application pod traffic is redirected to an available CN-NGFW instance
for inspection and enforcement.
Getting Started with CN-Series
12
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
• PAN-CNI plugin for network insertion—The PAN-CNI plugin is responsible for the allocation of
network interfaces on every pod, which enables network connectivity to the CN-NGFW pod.
The YAML files that enable you to deploy the CN-Series include the PAN-CNI DaemonSet,
which inserts the PAN-CNI plugin into the CNI plugin chain on each node within the cluster.
The plugin reads the annotation on each application pod as it comes up to determine whether
to enable security and redirect traffic to the CN-NGFW pod for inspection as it ingresses and
egresses the pod.
Getting Started with CN-Series
13
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
• Panorama for centralized management—Panorama functions as the hub for managing
the configuration and licensing of the containerized firewalls. It also hosts the Kubernetes
plugin, which enables monitoring of the Kubernetes clusters, and centralized Security policy
management. You can use a physical or virtual Panorama appliance, and deploy it on-premises
or in a public cloud environment. Panorama must have network connectivity to the firewall
management plane pods (CN-MGMT) to ensure that it can license the (CN-NGFW) firewalls
and push configuration and policies using Panorama templates and device groups. Palo Alto
Networks recommends deploying Panorama in an HA configuration.
You need standard Kubernetes tools such as kubectl or Helm to deploy and manage
your Kubernetes clusters, apps, and firewall services. Panorama is not designed to be
an orchestrator for Kubernetes cluster deployment and management. Templates for
cluster management are provided by Managed Kubernetes providers. You can also use the
community-supported templates for deploying CN-Series with Helm and Terraform.
• Kubernetes Plugin on Panorama—The Kubernetes plugin manages the licenses for the CNSeries firewall. Licensing is based on the number of cores you choose to allocate to CNNGFW pods. Each CN-NGFW pod uses a license token, and the tokens are managed locally on
Panorama after you activate the auth code and retrieve the specified number of tokens from
the Palo Alto Networks license server. As each CN-NGFW comes up on the Kubernetes nodes,
Panorama distributes the license tokens locally.
The Kubernetes plugin on Panorama also enables you to monitor your clusters and leverage
Kubernetes labels that you use to organize Kubernetes objects such as pods, services,
deployments and the associated identifying attributes, so that you can create context-aware
Security policy rules. The Kubernetes plugin communicates with the API server and retrieves
metadata in near realtime, to enable visibility into the applications running within the cluster.
The Kubernetes plugin collects namespaces, services, and labels from your Kubernetes clusters
to create tags for the IP-address-to-tag mapping for the associated objects within the cluster
which can then be used in Security policies. For details, see IP-Address-to-Tag Mapping of
Kubernetes Attributes.
It also collects information on the ports specified in your application YAML and creates Service
Objects.
While these tags and service objects are automatically shared with the CN-NGFW pods in each
cluster, you can also enable sharing of the tags and service objects with hardware-based or
VM-Series firewalls. The tags become available as match criteria in Dynamic Address Groups,
which you can then use to secure traffic between pods or namespaces, to an internet-exposed
service, or outbound connections.
Palo Alto Networks recommends deploying Panorama in an HA configuration so that the
Panorama peer continues to receive IP address updates in the event of a failure. If you deploy
a single instance of Panorama, in the event of a failure the traffic from any existing applications
pods are not impacted, and the current policies are enforced on the CN-NGFW pods. When a
new pod comes up, all the rules with the source "ANY" will match to this new pod, and traffic
from this new pod will be allowed or blocked depending on your policy rules. For example, if
there is an Anti-Spyware policy rule to block outbound access from any source to the outside
Getting Started with CN-Series
14
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
world, then this rule will apply to the new pod, and the profile can secure traffic. If there is a
default Deny rule, then traffic from this new pod will be denied.
You can use the Kubernetes plugin to distribute IP-address-to-tag mapping for pods,
nodes, namespaces, and services deployed within the Kubernetes cluster to physical or
VM-Series firewalls, even if you have not deployed CN-Series firewalls in that cluster.
Getting Started with CN-Series
15
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
Components Required to Secure Kubernetes Clusters
with CN-Series Firewall
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment using helm
The following is a list of what you need to deploy the cn-series firewall and secure the
applications deployed within Kubernetes clusters.
• Panorama—A hardware-based or virtual appliance that can connect to the Kubernetes clusters
where the applications and CN-Series firewalls are deployed. Panorama is required for license
management and configuration management of the CN-Series firewalls. For more information,
see CN-Series Core Building Blocks.
Getting Started with CN-Series
16
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
• Kubernetes Plugin on Panorama—Because of the rate of change with containerized
applications, this plugin is required for visibility into container activity within a cluster and for
managing the license token allocation for the firewall deployed on each node within a cluster.
The Kubernetes plugin connects to Kubernetes clusters using service account credentials.
From there it retrieves resource attributes and labels and creates tags and service objects. The
tags can be used to create Dynamic address groups and reference them in Security policy for
IP traffic enforcement. You can also use the service objects in Security policy to allow or deny
traffic based on ports as well as IP addresses. The tags and service objects give you visibility
and granular control for traffic enforcement within your Kubernetes cluster.
• Docker Images—To support the distributed architecture, the CN-Series firewall has four docker
images that are available on the Palo Alto Networks portal. These images are published as
three compressed tar archives (tar.gz format), and you must get these images unzip and do a
Docker push to your image registry.
Note: Make sure that the images and YAML files versions are compatible. The compressed files
are:
• PanOS_cn-10.1.0.tgz—This archive includes the firewall management plane (CN-MGMT)
and firewall dataplane (CN-NGFW) images.
The unzipped image names are, for example: panos_cn_ngfw:10.1.0-b7 and
panos_cn_mgmt:10.1.0-b7
• Pan_cn_mgmt_init-2.0.0.tgz—This archive includes the init container (CN-INIT) that
contains the utilities required to deploy the management plane on the firewall. The init
container enables secure IPSec communication between the CN-MGMT and CN-NFGW
Pods. The unzipped image name is for example: pan_cn_mgmt_init:1.0.0-b1-c1.
• Pan_cni-2.0.0.tgz—This archive includes the CNI plugin that enables connectivity
between the CN-MGMT and CN-NFGW and reconfigures the network interfaces on the
application pods to redirect traffic to the CN-NGFW pod on each node. The unzipped
image name is for example: pan_cni:2.0.0.
The images names listed above are examples and will change to reflect the latest release.
You can find the latest images on the Palo Alto Networks portal.
Getting Started with CN-Series
17
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
• YAML Files—The YAML files that include the required fields and object specifications for
deploying the resources in your Kubernetes clusters, and are published on GitHub.
All the YAML files you need, for a supported environment such as native Kubernetes or GKE,
are combined and zipped in one folder for your convenience.
The YAML files are automatically deployed through HELM charts, which is the
recommended method of deploying CN-Series Firewall.
• CN-MGMT has three YAML files—pan-cn-mgmt.yaml, pan-cn-mgmtconfigmap.yaml, pan-cn-mgmt-secret.yaml, pan-cn-mgmt-slot-cr.yaml, and
pan-cn-mgmt-slot-crd.yaml.
• CN-NGFW as a DaemonSet has two YAML files—pan-cn-ngfw.yaml, and pan-cnngfw-configmap.yaml. The CN-NGFW as a Kubernetes Service has pan-cn-ngfwsvc.yaml in addition to the previously mentioned files.
• CNI plugin has three YAML files—pan-cni-configmap.yaml and pan-cni.yaml or
pan-cni-multus.yaml.
If you are deploying the CN-Series on environments with the Multus CNI that acts as a
meta-plugin, and calls other CNI plugins you have to choose either pan-cni.yaml or pancni-multus.yaml.
When deploying the CN-Series on OpenShift, Multus is enabled by default, the pan-cni.yaml
is adequate. Whereas, if you are deploying the CN-Series on an environment where the
Multus CNI is supported but is optional such as with self-managed (native) environments,
use the pan-cni-multus.yaml instead of the pan-cni.yaml.
• There is also a pan-cni-serviceaccount.yaml that is referenced in the
service account creation section below.
• For OpenShift deployments there is an additional pan-cni-net-attachdef.yaml.
• Service Account Creation—Three YAML files, pan-mgmt-serviceaccount.yaml, pancni-serviceaccount.yaml, and plugin-serviceaccount.yaml.
pan-mgmt-serviceaccount.yaml and pan-cni-serviceaccount.yaml are for the
CN-MGMT and CN-NGFW pods to authenticate to the cluster.
The plugin-serviceaccount.yaml is for the Kubernetes plugin on Panorama to
authenticate to the cluster.
• Persistent volume YAML for Native Kubernetes deployments—pan-cn-pvmanual.yaml and pan-cn-pv-local.yaml.
The pan-cn-pv-manual.yaml is only provided for PoC with single node clusters. Palo
Alto Networks strongly recommends the use of dynamically provisioned persistent volumes
for storing the configuration and logs for the CN-MGMT pods that are referenced in the
pan-cn-mgmt.yaml. Make sure to set up a persistent volume within the cluster for both
the CN-MGMT pods.
Getting Started with CN-Series
18
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
• License auth code—The auth code enables you to license each instance of the CN-NGFW pod
deployed on each node within a cluster.
The license auth code is tied to the CN-Series deployment profile you created on the Palo Alto
Network CSP. Additionally, it enables any security subscriptions you selected when creating
your deployment profile.
Getting Started with CN-Series
19
©2024 Palo Alto Networks, Inc.
CN-Series Firewall for Kubernetes
Additional CN-Series Resources
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
You can use the following resources to learn more about the CN-Series firewall and how it can
help you secure your containerized network.
• CN-Series Firewall—watch these videos to learn about the CN-Series firewall.
• The Why, What, and How of the CN-Series—a three-part blog series (with embedded videos)
on the Palo Alto Networks Live Community that describes the why, what, and how of the CNSeries firewall.
• Palo Alto Network Qwiklabs—use the Palo Alto Networks Qwiklab to take a lab exercise and
try the CN-Series firewall in AWS or GCP.
• Panorama Plugin for Kubernetes Release Notes—read the release notes to learn about the
features and enhancements introduced in the latest version of the Panorama plugin for
Kubernetes.
• PAN-OS Release Notes—view the PAN-OS release notes to learn more about CN-Series
features and enhancements introduced in the latest version of PAN-OS.
• Panorama Administrator’s Guide—Panorama is the interface used to connect with your
Kubernetes environment, manage deployed CN-Series firewalls, and define security policy.
Getting Started with CN-Series
20
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
This section covers the recommended system requirements for deploying the CN-Series firewall
in Kubernetes cluster and On-Premises environment.
This section covers the following:
• CN-Series System Requirements for the Kubernetes Cluster
• CN-Series System Requirements for On-Premises Kubernetes Deployments
• CN-Series Performance and Scaling
• CN-Series Deployment—Supported Environments
21
CN-Series System Requirements
CN-Series System Requirements for the Kubernetes
Cluster
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
Here are recommended system requirements for deploying the CN-Series firewall across its
multiple supported modes.
• PAN-OS 10.1
• PAN-OS 10.2 and later
PAN-OS 10.1
The following table shows the system requirements for the cluster on which the CN-Series is
deployed. These values are general guidelines for CPU, memory, and disk storage; the amount of
resources you deploy might vary depending on your needs.
The CN-Series Medium is not available for the CN-Series as a Daemonset.
Resource
CN-MGMT- CN-NGFW- CN-MGMT- CN-NGFW- CN-MGMT- CN-NGFWSmall
Small
Medium
Medium
Large
Large
Memory
(Minimum)
3GB
• 2GB
3GB
(Daemonset)
6GB
4GB
48GB
• 2.5GB
(K8s
Service)
CPU Min
2
2
2
4
4
12
(Recommended)
(Recommended)
(Recommended)
(Recommended)
(Recommended)
(Recommended)
CPU Max
N/A
31
N/A
31
N/A
31
Disk
50GB
N/A
50GB
N/A
50GB
N/A
Getting Started with CN-Series
22
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
PAN-OS 10.2 and later
5G-Native Security is exclusively supported on Daemonset and Kubernetes CNF Mode.
The memory and core combinations for CN-MGMT and CN-NGFW applies to Small,
Medium, and Large respectively. The combination of Small, Medium, and Large pertaining
to CN-MGMT maps directly with respective CN-NGFW.
Table 1: Recommended CN-Series system and capacity matrix
CN Mode
Resource
Small
Medium
Medium
Medium
Large
Large
Daemonset Min CNMGMT
Memory
3G
3G
4G
4G
16G
16G
Min CNNGFW
Memory
2G
6.5G
16G
32G
48G
56G
Recommended
2
CNMGMT
Cores
2
2
4
8
12
Max CNNGFW
Cores
2
4
8
16
31
47
Disk
52Gi
52Gi
52Gi
52Gi
52Gi
52Gi
DPDK
Hugepage
Size
N/A
N/A
N/A
N/A
N/A
N/A
Kubernetes Min CNService
MGMT
Memory
3G
3G
4G
4G
16G
16G
Min CNNGFW
Memory
4G
6.5G
16G
32G
48G
56G
2
2
4
8
12
Recommended
2
CNMGMT
Cores
Getting Started with CN-Series
23
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
CN Mode
Resource
Small
Medium
Medium
Medium
Large
Large
Max CNNGFW
Cores
2
4
8
16
31
47
Disk
52Gi
52Gi
52Gi
52Gi
52Gi
52Gi
DPDK
Hugepage
Size
N/A
N/A
N/A
N/A
N/A
N/A
Kubernetes Min CNCNF
MGMT
Memory
3G
3G
4G
4G
16G
16G
Min CNNGFW
Memory
2G
6.5G
16G
32G
48G
56G
Recommended
2
CNMGMT
Cores
2
2
4
8
12
Max CNNGFW
Cores
2
4
8
16
31
47
Disk
52Gi
52Gi
52Gi
52Gi
52Gi
52Gi
DPDK
Hugepage
Size
1G
1G
2G
2G
4G
4G
Getting Started with CN-Series
24
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
CN-Series System Requirements for On-Premises
Kubernetes Deployments
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
Review the following prerequisites for your on-premises deployments:
• Ensure that the container images are accessible to all nodes in the Kubernetes cluster.
• Set up a persistent volume within the cluster for both the CN-MGMT pods. Since CN-MGMT
pods that actively manage CN-NGFW pods, are deployed as a StatefulSet, both instances must
have access to the persistent volume.
To get the SSH access for your Rancher cluster, you must ensure that the content of the
kubeconfig file is copied under the location /.kube/config, and then only, you can run
kubectl commands for your cluster.
Also, you should ensure that the Kubernetes command-line tool, kubectl is installed on
your system. For more information, see Install Tools.
For CN-Series with Rancher support, install Docker on Master node Ubuntu 18.0.4 LTS
VM with 8 vCPUs and 32G Memory with minimum 200G disk. For more information, see
Install Docker On Ubuntu 18.04.
For Ubuntu 18.0.4, Kernel on the machines should be updated to the latest Kernel using
the following command:
sudo apt install linux-generic-hwe-18.04 -y
Getting Started with CN-Series
25
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
CN-Series Performance and Scaling
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
The scale numbers that the different components required to Secure Kubernetes Workloads with
CN-Series Firewall are listed in the following sections:
• Scale Supported on the CN-Series Components
• Scale Supported on the Kubernetes Plugin on Panorama
• CN-Series Key Performance Metrics
Scale Supported on the CN-Series Components
For information on CN-Series CPU, memory, and disk storage definitions, see CN-Series System
Requirements for the Kubernetes Cluster.
The following table separates some data by CN-Series sizes—small, medium, and large. These CNSeries sizes have the following memory values:
• CN-Series Small—Minimum 2.5G CN-NGFW and 3G CN-MGMT
• CN-Series Medium—Minimum 6G of CN-NGFW and 3G CN-MGMT
• CN-Series Large—Minimum 42G of CN-NGFW and 4G of CN-MGMT
Attribute
CN-Series Scale
(DaemonSet)
CN-Series Scale (K8s
Service)
CN-Series Scale (K8sCNF)
Maximum CNMGMT pairs per K8s
cluster
4 CN-MGMT pairs in
Active/Passive HA
mode
4 CN-MGMT pairs in
Active/Passive HA
mode
4 CN-MGMT pairs in
Active/Passive HA
mode
Maximum CNNGFW pods per
CN-MGMT pair
30
30
30
Kubernetes pods
secured by CN-
30 (PAN-OS 10.1.8
or earlier version)
N/A
N/A
Getting Started with CN-Series
26
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Attribute
NGFW (per K8s
node)
Maximum Number
of TCP/IP Sessions
per CN-NGFW
Maximum Dynamic
Address Groups IP
addresses* per CNMGMT pair
CN-Series Scale
(DaemonSet)
125 (PAN-OS 10.1.9
and above version
with k8s 2.0.2
installed)
CN-Series Scale (K8s
Service)
This
deployment
mode is
agnostic
of the
number
of
application
pods on
a K8s
node.
CN-Series Scale (K8sCNF)
This
deployment
mode is
agnostic
of the
number
of
application
pods on
a K8s
node.
CN-Series Small:
20,000
CN-Series Small:
250,000
CN-Series Small:
250,000
CN-Series Medium:
819,200
CN-Series Medium:
819,200
CN-Series Medium:
819,200
CN-Series Large:
10,000,000
CN-Series Large:
10,000,000
CN-Series Large:
10,000,000
CN-Series Small:
2500 (PAN-OS
10.0.6 and below)
CN-Series Small:
2500 (PAN-OS
10.0.6 and below)
CN-Series Small: 2500
(PAN-OS 10.0.6 and
below)
10,000 (PAN-OS
10.0.7 and above)
10,000 (PAN-OS
10.0.7 and above)
10,000 (PAN-OS
10.0.7 and above)
CN-Series Medium:
200,000
CN-Series Medium:
200,000
CN-Series Large:
300,000
CN-Series Large:
300,000
Tags per IP address*
per CN-MGMT pair
32
32
32
Maximum Security
Zones
CN-Series Small: 2
CN-Series Small: 2
CN-Series Small: 2
CN-Series Medium:
40
CN-Series Medium:
40
CN-Series Medium: 40
CN-Series Large: 200
CN-Series Large: 200
CN-Series Small: 38
CN-Series Small: 375
CN-Series Small: 375
CN-Series Medium:
375
CN-Series Medium:
375
CN-Series Medium:
375
CN-Series Large: 750
CN-Series Large: 750
CN-Series Large: 750
Security Profiles
Getting Started with CN-Series
27
CN-Series Large: 200
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Attribute
CN-Series Scale
(DaemonSet)
CN-Series Scale (K8s
Service)
CN-Series Scale (K8sCNF)
Max Interfaces
For PAN-OS 10.1.8
or earlier version:
CN-Series Small: 2
CN-Series Small: 60
CN-Series Medium: 2
CN-Series Medium: 60
CN-Series Large: 2
CN-Series Large: 60
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Security Rules
1500
10,000
20,000
Security Rule
Schedules
256
256
256
NAT Rules
N/A
N/A
N/A
Decryption Rules
1000
1000
2000
App Override Rules
1000
1000
2000
CN-Series Small: 30
CN-Series Medium:
30
CN-Series Large: 30
For PAN-OS 10.1.9
and above version
with k8s 2.0.2
installed:
CN-Series Small: 250
CN-Series Medium:
250
CN-Series Large: 250
*See the Firewall comparison tool.
Policies
NAT
rules is
supported
on CNF
mode.
Getting Started with CN-Series
28
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Policies
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Tunnel Content
Inspection Rules
100
500
2000
SD-WAN Rules
N/A
N/A
N/A
Policy-based
Forwarding Rules
N/A
N/A
N/A
Captive Portal Rules
N/A
N/A
N/A
DoS Protection Rules
• 100 (DaemonSet)
1000
1000
Objects (Addresses and CN-Series Small
Services)
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
CN-Series Medium
CN-Series Large
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Address Objects
10,000
10,000
40,000
Address Groups
1000
1000
4000
Members per Address
Group
2500
2500
2500
Service Objects
2000
2000
5000
Service Groups
500
500
500
Policybased
Forwarding
Rules
are
supported
on CNF
mode.
• 1000 (K8s
Service)
Getting Started with CN-Series
29
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Objects (Addresses and CN-Series Small
Services)
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
CN-Series Medium
CN-Series Large
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Members per Service
Groups
500
500
500
FQDN Address
Objects
2000
2000
2000
Max Dynamic Address
Group IP Addresses
2500
200,000
300,000
Tags per IP Address
32
32
32
App-ID
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Custom App-ID
Signatures
6000
6000
6000
Shared Custom AppIDs
512
512
512
Custom App-IDs
(virtual system
specific)
6416
6416
6416
SSL Decryption
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Max SSL Inbound
Certificates
1000
1000
1000
SSL Certificate Cache
(Forward Proxy)
128
2000
8000
Max Concurrent
Decryption Sessions
• 1024
(DaemonSet)
15,000
100,000
Getting Started with CN-Series
30
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
SSL Decryption
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
• 6400 (K8s
Service)
SSL Port Mirror
No
No
No
SSL Decryption
Broker
No
No
No
HSM Supported
No
No
No
URL Filtering
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Total Entries for Allow
List, Block List, and
Custom Categories
25,000
25,000
100,000
Max Custom
Categories
• 500 (DaemonSet)
2849
2849
Dataplane Cache Size
for URL Filtering
• 5000
(DaemonSet)
90,000
250,000
• 2849 (K8s
Service)
• 90,000 (K8s
Service)
Management Plane
Dynamic Cache Size
100,000
100,000
600,000
EDL
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
30
30
30
Max Number of
Custom Lists
Getting Started with CN-Series
31
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
EDL
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Max Number of IPs
per System
50,000
50,000
50,000
Max Number of DNS
Domains per System
50,000
500,000
2,000,000
Max Number of URLs
per System
50,000
100,000
100,000
Shortest Check
Interval (minutes)
5
5
5
Address Assignments
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
DHCP Servers
3
10
125
DHCP Relays
No
No
No
Max Number of
Assigned Addresses
64,000
64,000
64,000
Interfaces
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
• 60 (DaemonSet)
• 60 (DaemonSet)
• 60 (DaemonSet)
• 2 (K8s Service)
• 2 (K8s Service)
• 2 (K8s Service)
• 2 (K8s-CNF)
• 2 (K8s-CNF)
• 2 (K8s-CNF)
Management - Outof-Bound
N/A
N/A
N/A
Management 10/100/1000 High
Availability
N/A
N/A
N/A
Max Interfaces
(Logical and Physical)
Getting Started with CN-Series
32
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Interfaces
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Management - 40G
High Availability
N/A
N/A
N/A
Management - 10G
High Availability
N/A
N/A
N/A
Traffic - 10/100/1000
N/A
N/A
N/A
Traffic 100/1000/10000
N/A
N/A
N/A
Traffic - 1G SFP
N/A
N/A
N/A
Traffic - 10G SFP+
N/A
N/A
N/A
Traffic - 40/100G
QSFP+/QSFP28
N/A
N/A
N/A
802.1q Tags per
Device
N/A
N/A
N/A
802.1q Tags per
Physical Interface
N/A
N/A
N/A
Max Aggregate
Interfaces
N/A
N/A
N/A
Max SD-WAN Virtual
Interfaces
N/A
N/A
N/A
NAT
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Total NAT Rules
Capacity
N/A
N/A
N/A
Max NAT Rules
(Static)
N/A
N/A
N/A
Getting Started with CN-Series
33
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
NAT
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Max NAT Rules (DIP)
N/A
N/A
N/A
Max NAT Rules (DIPP)
N/A
N/A
N/A
Max Translated IPs
(DIP)
N/A
N/A
N/A
Max Translated IPs
(DIPP)
N/A
N/A
N/A
Default DIPP Pool
Oversubscription
N/A
N/A
N/A
User-ID
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
IP-User Mappings
(Management Plane)
N/A
N/A
N/A
IP-User Mappings
(Dataplane)
N/A
N/A
N/A
Active and Unique
Groups Used in Policy
N/A
N/A
N/A
Number of User-ID
Agents
N/A
N/A
N/A
Monitored Servers for
User-ID
N/A
N/A
N/A
Terminal Server
Agents
N/A
N/A
N/A
Tags per User
N/A
N/A
N/A
Getting Started with CN-Series
34
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Routing
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
IPv4 Forwarding Table
Size
N/A
N/A
N/A
IPv6 Forwarding Table
Size
N/A
N/A
N/A
System Total
Forwarding Table Size
N/A
N/A
N/A
Max Routing Peers
(Protocol Dependent)
N/A
N/A
N/A
Static Entries - DNS
Proxy
N/A
N/A
N/A
Bidirection
Forwarding Detection
(BFD) Sessions
N/A
N/A
N/A
L2 Forwarding
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
ARP Table Size per
Device
N/A
N/A
N/A
IPv6 Neighbor Table
Size
N/A
N/A
N/A
MAC Table Size per
Device
N/A
N/A
N/A
Max ARP Entries per
Broadcast Domain
N/A
N/A
N/A
Max MAC Entries per
Broadcast Domain
N/A
N/A
N/A
Getting Started with CN-Series
35
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
QoS
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Number of QoS
Policies
N/A
N/A
N/A
Physical Interfaces
Supporting QoS
N/A
N/A
N/A
Clear Text Nodes per
Physical Interface
N/A
N/A
N/A
DSCP Marking by
Policy
N/A
N/A
N/A
Subinterfaces
Supported
N/A
N/A
N/A
IPSec VPN
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Max IKE Peers
N/A
N/A
N/A
Site-to-Site (with
Proxy ID)
N/A
N/A
N/A
SD-WAN IPSec
Tunnels
N/A
N/A
N/A
GlobalProtect
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
N/A
N/A
N/A
GlobalProtect Client
VPN
Max Tunnels (SSL,
IPSec, IKE with
XAUTH)
Getting Started with CN-Series
36
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
GlobalProtect
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
N/A
N/A
N/A
CN-Series Small
CN-Series Medium
CN-Series Large
(Min 2.5G CN-NGFW
and Min 3G CNMGMT)
(Min 6G CN-NGFW
and Min 2G CNMGMT)
(Min 42G CN-NGFW
and Min 4G CNMGMT)
Replication (Egress
Interfaces)
N/A
N/A
N/A
Routes
N/A
N/A
N/A
GlobalProtect
Clientless VPN
Max SSL Tunnels
Multicast
Scale Supported on the Kubernetes Plugin on Panorama
Attribute
Kubernetes Plugin Scale
Maximum Clusters on a K8s Panorama Plugin
32 (across all supported environments such
as native K8s, AKS, EKS, GKE)
CN-Series Key Performance Metrics
CN-Series on AWS EKS
CPU
Cores
CN-Series as
a DaemonSet
(MMAP)
CN-Series as
a Kubernetes
Service (MMAP)
CN-Series as a
Kubernetes CNF
(MMAP)
App-ID
1
750 Mbps
580 Mbps
580 Mbps
Content and Threat
Detection
1
310 Mbps
275 Mbps
275 Mbps
App-ID
2
1.45 Gbps
890 Mbps
890 Mbps
Content and Threat
Detection
2
610 Mbps
530 Mbps
530 Mbps
Getting Started with CN-Series
37
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
CN-Series on AWS EKS
CPU
Cores
CN-Series as
a DaemonSet
(MMAP)
CN-Series as
a Kubernetes
Service (MMAP)
CN-Series as a
Kubernetes CNF
(MMAP)
App-ID
4
2.8 Gbps
1.45 Gbps
1.45 Gbps
Content and Threat
Detection
4
1.19 Gbps
1.04 Gbps
1.04 Gbps
CN-Series on Google Cloud GKE (XDP Enabled)
CPU
Cores
CN-Series as a DaemonSet CN-Series as a Kubernetes
Service
App-ID
1
950 Mbps
750 Mbps
Content and Threat
Detection
1
320 Mbps
310 Mbps
App-ID
2
1.7 Gbps
900 Mbps
Getting Started with CN-Series
38
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
CN-Series on Google Cloud GKE (XDP Enabled)
Content and Threat
Detection
CPU
Cores
CN-Series as a DaemonSet CN-Series as a Kubernetes
Service
2
640 Mbps
575 Mbps
The testing for the information in the following table was conducted on Google
Kubernetes Engine (GKE) with traffic directed between nodes and between pods on the
same node in the same cluster
Feature/Attribute
CN-Series Small
CN-Series Medium
CN-Series Large
Firewall Throughput (AppID Enabled) per vCPU of
CN-NGFW
500 Mbps
500 Mbps
500 Mbps
Threat Prevention
Throughput per vCPU of
CN-NGFW
250 Mbps
250 Mbps
250 Mbps
Max Sessions
• 20,000
(DaemonSet)
819,200
10,000,000
• 250,000 (K8s
Service)
• 250,000 (K8sCNF)
Getting Started with CN-Series
39
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Feature/Attribute
CN-Series Small
CN-Series Medium
CN-Series Large
IPSec VPN Throughput per
vCPU of CN-NGFW
N/A
N/A
N/A
Connections per Second
N/A
N/A
N/A
Getting Started with CN-Series
40
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
CN-Series Deployment—Supported Environments
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
This chapter provides information on compatibility and version requirements for the CN-Series
firewall.
• PAN-OS 10.1
• PAN-OS 10.2
• PAN-OS 11.0
• PAN-OS 11.1
PAN-OS 10.1
You can deploy the CN-Series firewall in the following environments:
Product
Version
Container runtime
Docker
CRI-O
Containerd
Kubernetes version
1.17 through 1.27
Cloud provider managed Kubernetes
• AWS EKS (1.17 through 1.27 for CN-Series as
a daemonset and CN-Series as a Service mode
of deployment. )
• EKS on AWS Outpost (1.17 through 1.25)
CN-Series for EKS on AWS
Outpost does not support SR-IOV
or Multus.
Getting Started with CN-Series
41
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Product
Version
• Azure AKS (1.17 through 1.27)
In Azure AKS, the PAN-OS
10.1.10h1 is the minimum
required version to support
kubernetes 1.25 and above.
• AliCloud ACK (1.26)
• GCP GKE (1.17 through 1.27)
Includes GKE Dataplane V2.
Customer managed Kubernetes
On the public cloud or on-premise data center.
Make sure that the Kubernetes version, CNI
Types, and Host VM OS versions are as listed in
this table.
VMware TKG+ version 1.1.2
• Infrastructure Platform—vSphere 7.0
• Kubernetes Host VM OS—Photon OS
Kubernetes Host VM
Operating System:
• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 22.04
• RHEL/Centos 7.3 and later
• CoreOS 21XX, 22XX
• Container-Optimized OS
Linux Kernel Version:
• 4.18 or later (K8s Service Mode only)
• 5.4 or later required to enable AF_XDP
mode. See Editable Parameters in CNSeries Deployment YAML Files for more
information.
Linux Kernel Netfilter: Iptables
CNI Plugins
CNI Spec 0.3 and later:
• AWS-VPC
• Azure
• Calico
Getting Started with CN-Series
42
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Product
Version
• Flannel
• Weave
• For AliCloud, Terway
• For Openshift, OpenshiftSDN
• The following are supported on the CN-Series
firewall as a DaemonSet.
• Multus
• Bridge
• SR-IOV
• Macvlan
OpenShift
CN-Series as a DaemonSet:
4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12,
and 4.13
CN-Series as a K8s Service:
(PAN-OS 10.1.2 and later)
4.7, 4.8, 4.9, 4.10, 4.11, 4.12, and 4.13
The PAN-OS 10.1.10h1 is the
minimum required version to support
4.12 and above.
Also review the CN-Series System Requirements for the Kubernetes Cluster, before you Deploy
the cn-series firewall.
PAN-OS 10.2
You can deploy the CN-Series firewall in the following environments:
Product
Version
Container runtime
Docker
CRI-O
Containerd
Kubernetes version
1.17 through 1.27
Cloud provider managed Kubernetes
• AWS EKS (1.17 through 1.27 for CN-Series as
a daemonset and CN-Series as a Service mode
of deployment. )
Getting Started with CN-Series
43
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Product
Version
• AWS EKS (1.17 through 1.22 for CN-Series as
a CNF mode of deployment.)
• EKS on AWS Outpost (1.17 through 1.22)
CN-Series for EKS on AWS
Outpost does not support SR-IOV
or Multus.
• Azure AKS (1.17 through 1.27)
In Azure AKS, the PAN-OS
10.2.4h3 is the minimum required
version to support kubernetes
1.25 and above.
• GCP GKE (1.17 through 1.27)
In GCP GKE, the PAN-OS
10.2.4h3 is the minimum required
version to support kubernetes
1.25 and above.
Includes GKE Dataplane V2.
• Google Anthos 1.12.3
• OCI OKE (1.23)
Customer managed Kubernetes
On the public cloud or on-premise data center.
Make sure that the Kubernetes version, CNI
Types, and Host VM OS versions are as listed in
this table.
VMware TKG+ version 1.1.2
• Infrastructure Platform—vSphere 7.0
• Kubernetes Host VM OS—Photon OS
Kubernetes Host VM
Operating System:
• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 22.04
• RHEL/Centos 7.3 and later
• CoreOS 21XX, 22XX
• Container-Optimized OS
Linux Kernel Version:
Getting Started with CN-Series
44
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Product
Version
• 4.18 or later (K8s Service Mode only)
• 5.4 or later required to enable AF_XDP
mode. See Editable Parameters in CNSeries Deployment YAML Files for more
information.
Linux Kernel Netfilter: Iptables
CNI Plugins
CNI Spec 0.3 and later:
• AWS-VPC
• Azure
• Calico
• Flannel
• Weave
• For Openshift, OpenshiftSDN, OVN
Kubernetes
• The following are supported on the CN-Series
firewall as a DaemonSet.
• Multus
• Bridge
• SR-IOV
• Macvlan
OpenShift
• Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10,
4.11, 4.12, and 4.13
OpenShift 4.7 is qualified on the
CN-Series as a DaemonSet only.
• OpenShift on AWS
The PAN-OS 10.2.4h3 is the
minimum required version to
support 4.12 and above.
Also review the CN-Series System Requirements for the Kubernetes Cluster, before you Deploy
the cn-series firewall.
PAN-OS 11.0
You can deploy the CN-Series firewall in the following environments:
Getting Started with CN-Series
45
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Product
Version
Container runtime
Docker
CRI-O
Containerd
Kubernetes version
1.17 through 1.27
Cloud provider managed Kubernetes
• AWS EKS (1.17 through 1.27 for CN-Series as
a daemonset and CN-Series as a Service mode
of deployment. )
• AWS EKS (1.17 through 1.22 for CN-Series as
a CNF mode of deployment.)
• EKS on AWS Outpost (1.17 through 1.25)
CN-Series for EKS on AWS
Outpost does not support SR-IOV
or Multus.
• Azure AKS (1.17 through 1.27)
In Azure AKS, the PAN-OS 11.0.2
is the minimum required version
to support kubernetes 1.25 and
above.
• GCP GKE (1.17 through 1.27)
Includes GKE Dataplane V2.
• OCI OKE (1.23)
Customer managed Kubernetes
On the public cloud or on-premise data center.
Make sure that the Kubernetes version, CNI
Types, and Host VM OS versions are as listed in
this table.
VMware TKG+ version 1.1.2
• Infrastructure Platform—vSphere 7.0
• Kubernetes Host VM OS—Photon OS
Kubernetes Host VM
Operating System:
• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 22.04
• RHEL/Centos 7.3 and later
Getting Started with CN-Series
46
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Product
Version
• CoreOS 21XX, 22XX
• Container-Optimized OS
Linux Kernel Version:
• 4.18 or later (K8s Service Mode only)
• 5.4 or later required to enable AF_XDP
mode. See Editable Parameters in CNSeries Deployment YAML Files for more
information.
Linux Kernel Netfilter: Iptables
CNI Plugins
CNI Spec 0.3 and later:
• AWS-VPC
• Azure
• Calico
• Flannel
• Weave
• For Openshift, OpenshiftSDN, OVN
Kubernetes
• The following are supported on the CN-Series
firewall as a DaemonSet.
• Multus
• Bridge
• SR-IOV
• Macvlan
OpenShift
• Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10,
4.11, 4.12, and 4.13.
OpenShift 4.7 is qualified on the
CN-Series as a DaemonSet only.
The PAN-OS 11.0.2 is the
minimum required version to
support 4.12 and above.
• OpenShift on AWS
Also review the CN-Series System Requirements for the Kubernetes Cluster, before you Deploy
the cn-series firewall.
Getting Started with CN-Series
47
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
PAN-OS 11.1
You can deploy the CN-Series firewall in the following environments:
Product
Version
Container runtime
Docker
CRI-O
Containerd
Kubernetes version
1.17 through 1.27
Cloud provider managed Kubernetes
• AWS EKS (1.17 through 1.27 for CN-Series as
a daemonset and CN-Series as a Service mode
of deployment. )
• AWS EKS (1.17 through 1.22 for CN-Series as
a CNF mode of deployment.)
• EKS on AWS Outpost (1.17 through 1.25)
CN-Series for EKS on AWS
Outpost does not support SR-IOV
or Multus.
• Azure AKS (1.17 through 1.27)
In Azure AKS, the PAN-OS 11.0.2
is the minimum required version
to support kubernetes 1.25 and
above.
• GCP GKE (1.17 through 1.27)
Includes GKE Dataplane V2.
• OCI OKE (1.23)
Customer managed Kubernetes
On the public cloud or on-premise data center.
Make sure that the Kubernetes version, CNI
Types, and Host VM OS versions are as listed in
this table.
VMware TKG+ version 1.1.2
• Infrastructure Platform—vSphere 7.0
• Kubernetes Host VM OS—Photon OS
Kubernetes Host VM
Operating System:
• Ubuntu 16.04
Getting Started with CN-Series
48
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Product
Version
• Ubuntu 18.04
• Ubuntu 22.04
• RHEL/Centos 7.3 and later
• CoreOS 21XX, 22XX
• Container-Optimized OS
Linux Kernel Version:
• 4.18 or later (K8s Service Mode only)
• 5.4 or later required to enable AF_XDP
mode. See Editable Parameters in CNSeries Deployment YAML Files for more
information.
Linux Kernel Netfilter: Iptables
CNI Plugins
CNI Spec 0.3 and later:
• AWS-VPC
• Azure
• Calico
• Flannel
• Weave
• For Openshift, OpenshiftSDN, OVN
Kubernetes
• The following are supported on the CN-Series
firewall as a DaemonSet.
• Multus
• Bridge
• SR-IOV
• Macvlan
OpenShift
• Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10,
4.11, 4.12, and 4.13.
OpenShift 4.7 is qualified on the
CN-Series as a DaemonSet only.
The PAN-OS 11.0.2 is the
minimum required version to
support 4.12 and above.
• OpenShift on AWS
Getting Started with CN-Series
49
©2024 Palo Alto Networks, Inc.
CN-Series System Requirements
Also review the CN-Series System Requirements for the Kubernetes Cluster, before you Deploy
the cn-series firewall.
Getting Started with CN-Series
50
©2024 Palo Alto Networks, Inc.
CN-Series Deployment
Prerequisites
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
To deploy the CN-Series firewall, you must ensure that following prerequisites are met:
• License the CN-Series Firewall
• Install a Device Certificate on the CN-Series Firewall
• Create Service Accounts for Cluster Authentication
• Install the Kubernetes Plugin and Set up Panorama for CN-Series
• Get the Images and Files for the CN-Series Deployment
51
CN-Series Deployment Prerequisites
License the CN-Series Firewall
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
CN-Series firewall licensing is managed by the Kubernetes plugin on Panorama. The CN-Series
firewalls are licensed based on the total number of vCPUs (cores) used by the CN-NGFW pods
deployed in your Kubernetes environment. One token is consumed for each vCPU used the CNNGFW.
• Activate Credits—begin by activating your credits. Once activated, you can apply credits from
your credit pool to a CN-Series deployment profile.
• Create a CN-Series Deployment Profile—in the deployment profile, you will specify the number
of vCPUs that allocate to the generate authcode. You will then use the authcode associated
with your CN-Series deployment profile to license the CN-Series firewalls in your Kubernetes
cluster. The deployment profile can be used license the CN-NGFW pods based on the number
of vCPUs allocated. A single authcode from a deployment profile can be used to license
the CN-Series across different Kubernetes environments, different clusters, or on different
Panorama instances.
In a CN-Series-as-a-Kubernetes-Service deployment, if the number of CN-NGFW pods
deployed in your environment exceeds the number of allocated vCPUs, you have a 30-day
grace period to add more vCPUs to your deployment profile or delete enough CN-NGFW
pods. If you do not allocate additional vCPUs or delete unlicensed pods within the 30-day
grace period, all CN-Series firewalls in your the cluster will be delicensed.
When a the CN-Series is deployed a DaemonSet, if the number of CN-NGFW pods deployed
exceed the number of allocated vCPUs, you have a four-hour grace period to add more vCPUs
to your deployment profile or delete enough CN-NGFW pods. If you do not allocate additional
vCPUs or delete unlicensed pods within the four-hour grace period, the unlicensed pods will
stop processing traffic. The already licensed pods remain licensed.
You also have the option to provision a virtual Panorama appliance when creating your CNSeries deployment profile.
• Manage Deployment Profiles—you can edit, clone, or delete CN-Series deployment profiles
based on the requirements of your CN-Series deployment. Additionally, you can add or remove
subscriptions from the deployment profile after it has been created.
Licenses are applied to the CN-Series at the cluster level. Individual CN-NGFW might
appear as unlicensed, however, all pods in the cluster are licensed until the entire cluster is
delicensed.
Getting Started with CN-Series
52
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Activate Credits
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
Within your organization you can create many accounts, each with a different purpose. During
activation you can choose only one account per default credit pool. Once the credit pool is active,
users granted the credit administrator role can allocate the credits for deployments, and even
transfer credits to other pools.
If you have an existing CSP account and are a superuser or an admin, the system automatically
adds the credit admin role to your profile. If you do not have an existing account, the CSP
automatically creates an account for you and adds the credit admin role to your profile.
You (the purchaser) receive an email detailing the subscription, the credit pool ID, the subscription
start and end date, the amount of credits purchased, and the description of the default credit pool
(the credit pool created when you activate your credits).
Secure this email for future reference.
STEP 1 | In the email, click Start Activation to view your available credit pools.
STEP 2 | Select the credit pool you want to activate. You can use the search field to filter your
account list by number or name.
If you have purchased multiple credit pools, both of them are automatically selected. The
check marks represent activation links for onboarding credits.
You are prompted to authenticate or sign in.
If you deselect a credit pool, you see a reminder that if you want to activate those
credits, you must return to the email and click the Start Activation link.
STEP 3 | Select Start Activation.
STEP 4 | Select the support account (you can search by account number or name).
STEP 5 | Select the default credit pool.
STEP 6 | Select Deposit Credits.
You see a message that the deposit was successful.
Getting Started with CN-Series
53
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 7 | ( optional) If this is your first credit activation, you see the Create Deployment Profile dialog.
Continue to Create a CN-Series Deployment Profile.
Create a CN-Series Deployment Profile
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
Use the following procedure to create a CN-Series Deployment Profile.
STEP 1 | If you already have credit pool, log into the account, and from the dashboard, select Assets >
Software NGFW Credits > Prisma NGFW Credits > Create New Profile.
If you have just activated a credit pool you see the Create Deployment Profile form.
1. Select the CN-Series firewall type.
2. Select the PAN-OS 10.2 and above.
3. Click Next.
STEP 2 | CN-Series profile.
1. Profile Name.
Name the profile.
2. Total vCPUs.
Enter the total number of vCPUs across all CN-NGFW.
3. Select a Security Use Case from the drop-down. Each Security Use Case in the dropdown automatically selects a number of descriptions that are recommended for the
chosen use case. If you select Custom, you can specify the subscriptions that you would
like to use in your deployment.
4. (optional) Use Credits to Enable VM Panorama— For Management or Dedicated Log
Collector.
STEP 3 | (optional) Hover over the question mark following Protect more, save more to see how your
credit allocation affects savings.
Getting Started with CN-Series
54
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 4 | Click Calculate Estimated Cost to view the credit total, and the number of credits available
before the deployment.
(optional) Hover over the question mark following the estimate to view the credit breakdown
for each component.
STEP 5 | (optional) Provision Panorama. If you used credits to Enable a VM Panorama, complete the
following steps to provision Panorama and generate a serial number. Panorama is required
Getting Started with CN-Series
55
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
to manage CN-Series deployments. Once you have applied the serial number to Panorama,
Panorama will contact the licensing update server and retrieve the license.
1. Select Assets > Software NGFW Credits > Prisma NGFW Credits and locate your
deployment profile.
2. On the far right, select the vertical ellipsis and select Provision Panorama.
3. Click Provision Panorama to generate a serial number.
4. Record or copy the serial number to apply to your Panorama instance.
Getting Started with CN-Series
56
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
5. Register Panorama.
Manage Deployment Profiles
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with Helm
You can use the following procedures manage your existing deployment profiles.
• Edit a Deployment Profile
• Clone a Deployment Profile
• Delete a Deployment Profile
• Transfer Credits to Pool in the Same Account
• Transfer Credits to a Different CSP Account
Getting Started with CN-Series
57
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Edit a Deployment Profile
You can modify an existing deployment profile to add more credits or assign additional vCPUs to
your deployment. The auth code associated with the deployment profile to be modified must not
be in use on Panorama.
STEP 1 | Select Assets > Software NGFW Credits and choose a profile (select a row).
STEP 2 | On the far right, select the vertical ellipsis (More Options) and select Edit Profile.
STEP 3 | Make your changes and select Update Deployment Profile.
Clone a Deployment Profile
Complete the following procedure to clone an existing deployment profile.
STEP 1 | Go to Assets > Software NGFW Credits and select a profile (select a row).
STEP 2 | On the far right, select the vertical ellipsis (More Options) and select Clone Profile.
STEP 3 | Change the profile name, make any other changes, and select Create Deployment Profile.
Delete a Deployment Profile
Before deleting a deployment profile, you must delete any firewalls that use the profile. The auth
code associated with the deployment profile to be deleted must not be in use on Panorama.
STEP 1 | In the CSP, select Assets > Software NGFW Credits and select a profile (select a row).
STEP 2 | On the far right, select the vertical ellipsis (More Options) and select Delete.
Transfer Credits to Pool in the Same Account
You can transfer credits to a credit pool in a different account that you can access.
STEP 1 | Log in to your CSP account.
STEP 2 | Select Assets > Software NGFW Credits.
• Identify the source credit pool and make note of the Credit Pool ID.
• Identify the destination credit pool and make note of the Credit Pool ID.
STEP 3 | Go to the source credit pool and select Transfer Credits on the bottom left.
STEP 4 | Select Different CSP account.
1. New credit type—Choose a credit type. At this time, the source and destination type
must be the same.
2. Credit Pool ID#—Choose a Credit pool ID number. If the destination account does not
have any credit pools of the chosen type, the CSP prompts you to create a credit pool.
3. Amount to transfer—Enter the amount to transfer.
STEP 5 | Select Update Credits.
Getting Started with CN-Series
58
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Transfer Credits to a Different CSP Account
You can transfer credits to a credit pool in the same account.
STEP 1 | Log into your CSP account.
STEP 2 | Select Assets > Software NGFW Credits.
• Identify the source credit pool and make note of the Credit Pool ID.
• Identify the destination credit pool and make note of the Credit Pool ID.
If the destination is in a different account, select it from the Current Account dropdown on
the upper left, and Select Assets > Software NGFW Credits. Find the destination and note
the credit type and the Credit Pool ID.
STEP 3 | Go to the source credit pool and click Transfer Credits on the bottom left.
STEP 4 | Choose Different CSP account.
1. Transfer to—Choose an account name.
2. As credit type—Choose a credit type. At this time, the source and destination type must
be the same.
3. Credit Pool ID#—Choose a Credit pool ID number. If the destination account does not
have any credit pools of the chosen type, the CSP prompts you to create a credit pool.
4. Amount to transfer—Enter the amount to transfer.
STEP 5 | Select Update Credits.
Getting Started with CN-Series
59
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Install a Device Certificate on the CN-Series Firewall
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment using helm
The firewall requires a device certificate that authorizes secure access to the Palo Alto clouddelivered security services (CDSS) such as WildFire, AutoFocus, and Cortex Data Lake. You
must apply an auto-registration PIN to apply a CDSS license to your CN-Series firewall
deployment. Each PIN is generated on the Customer Support Portal (CSP) and unique to your
Palo Alto Networks support account. To successfully install the device certificate, the CNSeries management plane pod (CN-MGMT) must have an outbound internet connection and the
following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network.
FQDN
Ports
• http://ocsp.paloaltonetworks.com
TCP 80
• http://crl.paloaltonetworks.com
• http://ocsp.godaddy.com
• https://api.paloaltonetworks.com
TCP 443
• http://apitrusted.paloaltonetworks.com
• https://
certificatetrusted.paloaltonetworks.com
• https://certificate.paloaltonetworks.com
• *.gpcloudservice.com
TCP 444 and TCP 443
To add a device certificate to an existing deployment without an existing device
certificate, you must redeploy the CN-Series firewall after adding the valid PIN ID and
value to pan-cn-mgmt-secret.yaml. For public cloud CN-Series deployment,
you must delete the persistent volume claim before redeployment. For static/native
Kubernetes deployments, you must delete the persistent volume claim and persistent
volume before redeployment.
STEP 1 | Log in to the Palo Alto Networks Customer Support Portal with your account credentials.
If you need a new account, see How to Create a New Customer Support Portal User Account.
Getting Started with CN-Series
60
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 2 | Select Assets > Device Certificates > Generate Registration PIN.
STEP 3 | Enter a Description and select a PIN Expiration from the drop-down.
Getting Started with CN-Series
61
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 4 | Save the PIN ID and value.
Save the PIN ID and value. This PIN ID and value are inputs in the pan-cn-mgmtsecret.yaml file used to deploy the cn-series firewall. Make sure to launch the firewall
before the PIN expires.
# Thermite Certificate retrieval
CN-SERIES-AUTO-REGISTRATION-PIN-ID: "<your-pin-id>"
CN-SERIES-AUTO-REGISTRATION-PIN-VALUE: "<your-pin-value>"
Getting Started with CN-Series
62
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Create Service Accounts for Cluster Authentication
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment with helm chart
The CN-Series firewall requires three Service accounts with the minimum permissions that
authorize it to communicate with your Kubernetes cluster resources.
For service account creation, you require pan-mgmt-serviceaccount.yaml, pan-cniserviceaccount.yaml, and plugin-serviceaccount.yaml files.
The service account (pan-plugin-user) created with the plugin-serviceaccount.yaml
enables the Kubernetes plugin on Panorama to authenticate with the Kubernetes cluster for
retrieving metadata on the pods. The other two yaml files, pan-mgmt-serviceaccount.yaml
and pan-cni-serviceaccount.yaml, create the pan-mgmt-sa and the pan-cni-sa service
accounts to enable the authentication between the fault tolerant CN-Mgmt pods, and between
the CN-MGMT pod and the CN-NGFW pods. For more information, see Components Required to
Secure Kubernetes Clusters with CN-Series Firewall.
By default, the YAML files create the service account and the secret in the kube-system
namespace; the Kubernetes plugin will only look for the secret in the kube-system
namespace.
To create the service accounts, your Kubernetes cluster should be ready.
Getting Started with CN-Series
63
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 1 | Run the service account YAML for the plugin-serviceaccount.yaml.
This service account enables the permissions that Panorama requires to authenticate to the
GKE cluster for retrieving Kubernetes labels and resource information. This service account is
named pan-plugin-user by default.
1. kubectl apply -f plugin-serviceaccount.yaml
2. kubectl -n kube-system get secrets | grep pan-plugin-user
To view the secrets associated with this service account.
If you are using kubernetes version 1.24 or above, run the following command to
view the secrets associated with this service account:
kubectl -n kube-system get secrets | grep pan-pluginuser-secret
3. kubectl -n kube-system get secrets <secrets-from-above-command>
-o json >> cred.json
Create the credential file, named cred.json in this example, that includes the secrets and
save this file. You need to upload this file to Panorama to set up the Kubernetes plugin
for monitoring the clusters in Install the Kubernetes Plugin and Set up Panorama for CNSeries.
STEP 2 | Run the pan-mgmt-serviceaccount.yaml and pan-cni-serviceaccount.yaml.
The pan-mgmt-serviceaccount.yaml creates a service account named pan-sa, and is
required to enable the CN-MGMT and CN-NGFW Pods to communicate with each other, the
PAN-CNI, and the Kubernetes API server. If you modify this service account name, you must
also update the YAML files that you use to deploy the CN-MGMT and CN-NFGW Pods.The
pan-cni-serviceaccount.yaml creates a service account named pan-cni-sa.
kubectl apply -f pan-mgmt-serviceaccount.yaml
kubectl apply -f pan-cni-serviceaccount.yaml
STEP 3 | Verify the service accounts.
kubectl get serviceaccounts -n kube-system
If you are using HELM chart, the steps 2,3 are automated by the HELM chart and
doesn't need to be manually carried out.
Getting Started with CN-Series
64
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Install the Kubernetes Plugin and Set up Panorama for
CN-Series
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment using helm
You can deploy the Panorama appliance on-premises or in the cloud, as long as the Panorama
appliance can connect with the Kubernetes clusters where you want to deploy the CN-Series
firewalls. This workflow takes you through the process of installing the Kubernetes plugin,
activating the auth code and setting up the Kubernetes plugin to monitor your clusters.
You must carefully plan the number of credits you want to allocate to Panorama.
After changing the number of credits, you need not redeploy the CN-Series firewall on
Panorama OS 11.0.
For more information, see License the CN-Series Firewall and Software NGFW Credit
Estimator.
STEP 1 | Deploy a Panorama with software version 11.0 and install the minimum content version.
1. Go to Panorama > Dynamic Updates for the minimum content release version on PANOS 11.0.
See PAN-OS Release Notes.
2. Go to Panorama > Software for the software version.
Locate and download the model-specific file for the release version to which you are
upgrading. For example, to upgrade an M-Series appliance to Panorama 11.0, download
the Panorama_m-11.0.0 image; to upgrade a Panorama virtual appliance to Panorama
11.0.0, download the Panorama_pc-11.0.0 image.
After a successful download, the Action column changes from Download to Install for
the downloaded image.
STEP 2 | Verify that your Panorama is in Panorama mode, if you want Panorama to collect the firewall
logs.
Getting Started with CN-Series
65
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 3 | Install the Kubernetes plugin on Panorama. If your Panorama appliances are deployed as an
HA pair, you must install the Kubernetes plugin on the primary (active) peer first.
1. Log in to the Panorama Web Interface, select Panorama > Plugins and click Check Now
to get the list of available plugins.
2. Select Download and Install the Kubernetes plugin
After you successfully install, Panorama refreshes and the Kubernetes plugin displays on
the Panorama tab.
If Panorama is deployed in an HA pair, install the Kubernetes plugin on the secondary (passive)
Panorama following the above steps described in Step 3.
You can also verify the General Information widget on the Panorama Dashboard.
Getting Started with CN-Series
66
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Getting Started with CN-Series
67
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 4 | Commit your changes on Panorama.
Click Commit to Panorama. The commit creates four templates—K8S-Network-Setup, K8SNetwork-Setup-V2, K8S-Network-Setup-V3, and K8S-Network-Setup-V3-HA. It can take up
to one minute for the interfaces to display on Panorama.
• K8S-Network-Setup is for use with the CN-Series as a DaemonSet and has 30 virtual wires;
a pair of interfaces that are part of a virtual wire to secure an application. Therefore, the
CN-NGFW as a DaemonSet can secure a maximum of 30 application pods on a node.
• K8S-Network-Setup-V2 is for use with the CN-Series as a Kubernetes Service and has one
virtual wire; a pair of interfaces that are part of the virtual wire to secure pod applications.
• K8S-Network-Setup-V3 template has a sample config that you can clone and you can
modify it to match your desired configurations. The Kubernetes CNF mode of deployment
protects both container and non-container workloads. You can deploy as a standalone layer
3 deployment.
Getting Started with CN-Series
68
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 5 | Get the CN-Series license credits on Panorama.
1. Select Panorama > Plugins > Kubernetes > Setup > Licenses.
2. Select Activate/update using authorization code, and enter the auth code and the total
number of dataplane vCPUs needed. You must Create a CN-Series Deployment Profile
to obtain your CN-Series authcode.
If you deploy the CN-Series firewall without activating the license, you have a 4hour grace period after which the firewalls stop processing traffic. After the grace
period, the CN-NGFW instances will either failopen (default) or failclosed based on
the (FAILOVER_MODE) defined in the pan-cn-ngfw-configmap.yaml.In fail-open
mode the firewall will receive the packets and send it out without applying any security
policies. Transitioning to fail-open will require a restart and cause a brief disruption of
traffic during that (expected around 10-30 seconds). In fail-closed mode, the firewall
will drop all the packets it receives. A fail-close will bring down the CN-NGFW Pod and
release the credits to the available credits pool for licensing new CN-NGFW Pods.
3. Verify that the number of available license credits is updated.
STEP 6 | Generate a VM Auth Key.
1. Ensure the following prerequisites are met:
• You have a computer with network access to Panorama.
• You know the Panorama IP address.
• The Management interface supports SSH, which is the default setting. If an
administrator disabled SSH and you want to re-enable it: select Panorama > Setup
Getting Started with CN-Series
69
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
> Interfaces, click Management, select SSH, click OK, select Commit > Commit to
Panorama, and Commit your changes to the Panorama configuration.
2. To access the CLI using SSH:
1. Enter the Panorama IP address in the SSH client and use port 22.
2. Enter your administrative access credentials when prompted. After you log in, the
message of the day displays, followed by the CLI prompt in Operational mode. For
example:
admin@ABC_Sydney>
3. Use the following operational command:
request bootstrap vm-auth-key generate lifetime <1-8760>
For example to generate a key that is valid for 24 hrs, enter the following:
request bootstrap vm-auth-key generate lifetime 24
VM auth key 755036225328715 generated.
Expires at: 2020/01/29 12:03:52
4. You should ensure that you save the VM auth key somewhere as it is required for the
later step.
STEP 7 | Create a parent Device Group and Template Stack.
You must create a template stack and a device group, and you will later reference this template
stack and device group when you edit the YAML file to deploy the CN-MGMT Pods. The
Kubernetes plugin on Panorama creates a template called K8S-Network-Setup, and this
template will be part of the template stack you define here.
1. Create a template stack and add the K8S-Network-Setup template the template stack.
1. Select Panorama > Templates and Add Stack.
2. Enter a unique Name to identify the stack.
3. Add and select the K8S-Network-Setup template for daemonset, K8S-NetworkSetup-V2 for kubernetes as a service deployment, K8S-Network-Setup-V3
Getting Started with CN-Series
70
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
for standalone CNF deployment, or K8S-Network-Setup-V3-HA for CNF HA
deployment.
4. Click OK.
2. Create a device group.
1. Go to Panorama > Device Groups and click Add.
2. Enter a unique Name and a Description to identify the device group.
3. Select the Parent Device Group (default is Shared) that will be just above the device
group you are creating in the device group hierarchy.
4. Click OK.
3. If you are using a Panorama virtual appliance, you can create a Log Collector and add it
to a Log Collector Group.
1. Go to Panorama > Collector Groups and Add a Collector Group.
2. Enter a Name for the Collector Group.
3. Enter the Minimum Retention Period in days (1 to 2,000) for which the Collector
Group will retain firewall logs.
By default, the field is blank, which means the Collector Group retains logs
indefinitely.
4. Add Log Collectors (1 to 16) to the Collector Group Members list.
5. Select Commit > Commit and Push and then Commit and Push your changes to
Panorama and the Collector Group you configured.
4. If you are using Advanced Routing, enable it.
1. Go to Panorama > Templates > Device.
Getting Started with CN-Series
71
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
2. In the Management tab, select Advanced Routing (This is applicable to the
kubernetes CNF mode of deployment only).
STEP 8 | Set up the Kubernetes plugin for monitoring the clusters.
The next step in the process is to add Kubernetes cluster information to Panorama to ensure
that the two can communicate with each other.
Panorama supports up to 32 Kubernetes clusters.
To ensure that the plugin and the Kubernetes clusters are in sync, the plugin polls the
Kubernetes API server at a configured interval and listens for notifications from the
Kubernetes Watch API at a predefined interval.
After you add the cluster information, Panorama always retrieves the service, node, replica set,
and then creates tags for them to enable you to gain visibility and to control traffic to and from
these clusters. Optionally, you can specify whether you want Panorama to retrieve information
on the Kubernetes labels and create tags for these also. See IP-Address-to-Tag Mapping of
Kubernetes Attributes for a list of supported attributes.
1. Check the monitoring interval.
The default interval at which Panorama polls the Kubernetes API server endpoint is 30
seconds.
1. Select Panorama > Plugins > Kubernetes > Setup > General.
2. Verify that Enable Monitoring is selected.
3. Click the gear icon to edit the Monitoring Interval and change to a range of 30-300
seconds.
2. Select Panorama > Plugins > Kubernetes > Setup > Cluster, and Add Cluster.
Make sure that you do not add the same Kubernetes cluster to more than one Panorama
(single instance or HA pair) appliance because you may see inconsistencies in how the
IP-address-to mappings are registered to the device groups.
3. Enter a Name and the API Server Address.
This is the Endpoint IP address for the cluster that you must get from your Kubernetes
deployment. Enter a name, up to 20 characters, to uniquely identify the name of the
Getting Started with CN-Series
72
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
cluster. You cannot modify this name because Panorama uses the cluster name when it
creates tags for the pods, nodes, services it discovers within the cluster.
The format of the API server address can be a hostname or an IP address:port number,
and you do not need to specify the port if you are using port 443, which is the default
port.
4. Select the Type of environment on which your cluster is deployed.
The available options are AKS, EKS, GKE, Native Kubernetes, OpenShift, and Other.
5. Upload the service account Credential that Panorama requires to communicate with
the cluster. As described in the Create Service Accounts for Cluster Authentication
workflow, the filename for this service account is plugin-svc-acct.json.
If you are uploading the service credentials via CLI/API then you must gzip the
file and then do a base64 encoding of the compressed file before you upload or
paste the contents of the file into the Panorama CLI or API. These steps are not
required if you are uploading the service credential file on the GUI.
6. Click OK.
You can leave the Label Filter and Label Selector configuration for later. This is an
optional task that enables you to retrieve any custom or user-defined labels for which
you want Panorama to create tags.
STEP 9 | (Optional) If your Kubernetes cluster API-server certificate is signed by a certificate chain,
the authentication from the Kubernetes plugin for Panorama requires every certificate in the
Getting Started with CN-Series
73
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
chain. If your API server uses a certificate chain, you must combine all the certificates in the
chain into a single .crt file and add to the plugin.
The Kubernetes plugin supports up to four certificates.
1. Select Panorama > Kubernetes > Setup > Cluster > Add > Custom Certificate > Add to
import a credentials file.
2. Enter a descriptive Name.
3. (Optional) Enter a Description.
4. Click the import icon and navigate to the certificate file.
5. Click OK.
STEP 10 | (Optional) Configure a proxy for each cluster.
Unlike the other plugins, the Kubernetes plugin does not use the proxy configured under
Panorama > Setup > Services. Instead if you want to enable or bypass a proxy, you must enter
the proxy for each cluster. When configured, the Kubernetes plugin uses this proxy server IP
address to make all API calls to the API server for this cluster.
1. Log in to the CLI on Panorama.
2. Enter the following CLI commands to configure the proxy server for this Kubernetes
cluster.
> configure> set plugins kubernetes setup cluster-credentials
<cluster-name> cluster-proxy enable-proxy <yes/no> proxy-port
<port>
proxy-server <IP> proxy-user <username> secure-proxypassword <password>
*** username and password are optional ***
STEP 11 | Next steps:
1. Get the Images and Files for the CN-Series Deployment
2. Deploy the cn-series firewall
3. Configure Panorama to Secure a Kubernetes Deployment
Getting Started with CN-Series
74
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Get the Images and Files for the CN-Series Deployment
Where Can I Use This?
What Do I Need?
• CN-Series deployment
• CN-Series 10.1.x or above Container
Images
• Panorama running PAN-OS 10.1.x or
above version
• Helm 3.6 or above version client for CNSeries deployment using helm
Refer to the following table before beginning your deployment to ensure that you have
downloaded the compatible files.
PAN-OS Version
YAML Version
CNI Version
MGMT-INIT Version
PAN-OS 11.1.x
3.0.x
3.0.x
3.0.x
PAN-OS 11.0.x
3.0.x
3.0.x
3.0.x
PAN-OS 10.2.x
3.0.x
3.0.x
3.0.x
PAN-OS 10.1.x
3.0.x
3.0.x
3.0.x
PAN-OS 10.0.x
1.0.x
1.0.x
3.0.x
Use the following steps to pull the docker images from the public container registry on Google
Cloud Platform and then continue to deploy the CN-Series firewall:
Docker images from the public container registry:
Getting Started with CN-Series
75
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
1. Based on your PAN-OS version, pull the required docker images from the public cloud
repository.
2. Select the required PAN-OS version.
Getting Started with CN-Series
76
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
3. Copy the link for each image path to the appropriate location in your deployment YAML files.
Do the following to get the YAML files from GitHub:
1. Open the folder for the deployment method—DaemonSet, Kubernetes Service, or Kubernetes
CNF that you plan to use.
2. Download the yaml files from the folder that corresponds to your environment.
Get the files from the Native-k8s folder for use with native Kubernetes on premises or cloud
deployments.
Get the files from the respective Managed Kubernetes folder for GKE.
Docker images from the Palo Alto Networks CSP:
Use the following steps to get the YAML files from GitHub and to download the docker images
from the Palo Alto Networks CSP and push them to your private registry before you continue to
deploy the CN-Series firewall.
Getting Started with CN-Series
77
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 1 | Download the docker images and YAML files.
1. Get the compressed tar archives from the Palo Alto Networks Customer Support Portal
(CSP).
1. Log in to the CSP using your support account.
2. Select Updates > Software Updates.
3. Select PAN-OS Container Images from the Please Select drop-down.
4. Download the following files for the PAN-OS version you want to deploy.
PanOS_cn-X.X.X.tgz - for CN-MGMT and CN-NGFW Pods.
Pan_cn_mgmt_init-X.X.X.tgz - for the init container that runs as a part of the CNMGMT Pod.
Pan_cni-2.0.0.tgz - for the PAN-CNI Pod.
2. Get the YAML files from GitHub.
1. Open the folder for the deployment method—DaemonSet, Kubernetes Service, or
Kubernetes CNF—you plan to use.
2. Download the yaml files from the folder that corresponds to your environment.
Get the files from the Native-k8s folder for use with native Kubernetes on-premises
or cloud deployments.
Get the files from the respective Managed Kubernetes folder for AKS, EKS, or GKE.
Getting Started with CN-Series
78
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
STEP 2 | Retrieve the docker images and push it to your container registry.
For example, on a GKE deployment, you will upload the images to a Container Registry on GKE
and get the image path for referencing in the YAML files.Use the following commands on a
client system running the docker engine.
Replace the x variables in the following steps with the values that match the image
version you are using. For example, Pan_cn_mgmt-init-2.0.0.tgz or pan_cni:2.0.0.
1. Load the images.
docker load -i PanOS_cn-x.x.x.tgz
docker load -i Pan_cn_mgmt-init-x.x.x.tgz
docker load -i Pan_cni-x.x.x.tgz
After these steps, "docker images" will display the image, for example,
"paloaltonetworks/panos_cn_mgmt:x.x.x".
2. Tag these images to include your private registry detail.
docker tag paloaltonetworks/panos_cn_mgmt:x.x.x <your_registry>/
paloaltonetworks/panos_cn_mgmt:x.x.x
docker tag paloaltonetworks/panos_cn_ngfw:x.x.x <your_registry>/
paloaltonetworks/panos_cn_ngfw:x.x.x
docker tag paloaltonetworks/pan_cn_mgmt_init:x.x.x
<your_registry>/paloaltonetworks/pan_cn_mgmt_init:x.x.x
docker tag paloaltonetworks/pan_cni:x.x.x <your_registry>/
paloaltonetworks/pan_cni:x.x.x
3. Push these images to your private registry.
docker push <your_registry>/paloaltonetworks/panos_cn_mgmt:x.x.x
docker push <your_registry>/paloaltonetworks/panos_cn_ngfw:x.x.x
docker push <your_registry>/paloaltonetworks/
pan_cn_mgmt_init:x.x.x
docker push <your_registry>/paloaltonetworks/pan_cni:x.x.x
Getting Started with CN-Series
79
©2024 Palo Alto Networks, Inc.
CN-Series Deployment Prerequisites
Getting Started with CN-Series
80
©2024 Palo Alto Networks, Inc.
Cortex Data Lake (CDL) Logging
with CN-Series Firewall
Where Can I Use This?
What Do I Need?
• Cortex Data Lake (CDL) logging with CNSeries firewall
• Panorama running with minimum PAN-OS
11.1 version
• A logging license and a CDL instance
created in CSP account
Cortex Data Lake enables AI-based innovations for cybersecurity with the industry’s only
approach to normalizing and stitching together your enterprise’s data. For more information, see
About Cortex Data Lake and Cortex Data Lake for Panorama-Managed Firewalls. Cortex Data
Lake (CDL) can now collect log data from CN-Series next-generation firewall. When you purchase
a Cortex Data Lake license, all firewalls registered to your support account receive a Cortex Data
Lake license. You will also receive a magic link that you will need to use to activate your Cortex
Data Lake instance.
To get started with CN-Series firewall CDL logging, you must ensure that you Install the
Kubernetes Plugin and Set up Panorama for your CN-Series Firewall. You must provide the device
certificate to the CN-MGMT pod for CDL connectivity. It is important to register your CN-MGMT
pod with a CSP account to ensure that CN-MGMT pod is reflected in your CDL instance. Add the
valid PIN-ID and PIN-value to pan-cn-mgmt-secret.yaml file to successfully install the device
certificate. The CN-Series firewall requires a device certificate that authorizes secure access to
CDL. For more information see Install a Device Certificate on the CN-Series Firewall.
After you deploy your CN-Series firewall, verify that your CN-MGMT pod is visible on your
CSP account, under Registered Devices. For more information see, Register the Firewall. You
must ensure that you Configure your CN-Series firewall with Panorama and Create a CN-Series
Deployment Profile on your CSP account and use the auth code to push licenses from Panorama
to your CN-Series firewall.
CN-Series Firewall CDL Logging
CDL provides cloud-based, centralized log storage and aggregation for cloud-delivered services
and applications.
You must ensure that you have a logging license and a CDL instance created in your CSP
account. For more information, see Cortex Data Lake License.
Complete the following steps to configure CDL settings on Panorama and push them to the
firewall:
1. Onboard your Panorama to the CDL to enable settings of CDL configurations on the device.
2. Onboard your CN-Series firewall to the CDL instance.
81
Cortex Data Lake (CDL) Logging with CN-Series Firewall
3. In your panorama, go to the Device tab, click Settings in the Cortex Data lake pane.
Getting Started with CN-Series
82
©2024 Palo Alto Networks, Inc.
Cortex Data Lake (CDL) Logging with CN-Series Firewall
Getting Started with CN-Series
83
©2024 Palo Alto Networks, Inc.
Cortex Data Lake (CDL) Logging with CN-Series Firewall
You can now see that the Region is populated.
4. Click Enable Cortex Data Lake. .
5. Click OK.
Getting Started with CN-Series
84
©2024 Palo Alto Networks, Inc.
Cortex Data Lake (CDL) Logging with CN-Series Firewall
6. Go to Commit > Push to Devices
7. Select your CN-MGMT pod.
8. Click OK.
CDL configuration for CN-MGMT pod is pushed now. The CN-MGMT pod will now initiate its
connection to the CDL instance.
Getting Started with CN-Series
85
©2024 Palo Alto Networks, Inc.
Cortex Data Lake (CDL) Logging with CN-Series Firewall
Once your onboarded firewall is in a connected state, you can start sending logs to your CDL
instance. For more information, see Start Sending Logs to Cortex Data Lake (Panorama-Managed).
Getting Started with CN-Series
86
©2024 Palo Alto Networks, Inc.
IOT Security Support for CNSeries Firewall
Where Can I Use This?
What Do I Need?
• IoT Security for CN-Series firewall
• CDL license for IoT subscription that stores
data in CDL
• Panorama running with minimum PAN-OS
11.1 version
For Palo Alto Networks next-generation CN-Series firewall, the IoT Security solution uses
machine learning (ML) to provide visibility of discovered IoT devices based on the meta-data in
the logs it receives from the firewall. IoT Security also identifies vulnerabilities and assess risk in
devices based on their network traffic behaviors and dynamically updated threat feeds.
You can use the policy rule recommendations that IoT Security generates as a reference when
manually adding rules to your CN-Series firewall. IoT Security always generates Security policy
rule recommendations regardless of the PAN-OS version.
When using IoT Security Subscription, which stores data in Cortex Data Lake, you need
one Cortex Data Lake license per account and must ensure that CDL configuration for
your CN-Series firewall is complete.
For more information, see IoT Security Prerequisites.
Configure IOT Support for CN-Series Firewall
You must ensure that your environment meets all prerequisites for deploying IoT Security with
CN-Series firewall. For more information, see IoT Security Prerequisites.
To configure IoT - Requires Data Lake subscription for CN-Series firewall, you must complete the
following steps:
You must ensure that you onboard your Panorama onto the CDL instance. For more
information, see Onboard firewalls with Panorama.
1. Create a Tenant Service Group (TSG). For more information, see Step 3 in Activate IoT Security
Subscriptions Through Common Services.
2. Onboard CDL tenant to the TSG. You must ensure that you purchase the CDL and activate it
using Magic link before using in TSG.
3. Create a CN-Series Deployment Profile with IoT - Requires Data Lake option.
4. Click Finish Setup. Once you associate the deployment profile to the TSG and click Activate,
an IoT tenant will be created if one doesn't already exist.
You can then forward the collected metadata to the cloud-based logging service where IoT
Security uses it to identify various IoT devices on the network.
87
IOT Security Support for CN-Series Firewall
5. Provision Panorama and generate a serial number. For more information, see Register
Panorama and Install Licenses.
6. Configure your CN-Series firewall with Panorama using the auth code to push licenses from
Panorama to CN-Series firewall using the kubernetes plugin. For more information, see
Configure Panorama to Secure a Kubernetes Deployment.
Apply deployment authcode to Kubernetes plugin in Panorama.
You can now see your CN-series firewall onboarded on an IoT tenant.
7. Configure template vwire to allow and enable device id in zone.
You can use the Default template K8S-Network-Setup-V2 and make the following changes in
that template:
• Enable link state passthrough and multicast firewall for default vwire.
• Enable device identification for default zone.
For more information, see Configure Virtual Wires.
8. Configure the Enable Cortex Data Lake and Enable Enhanced Application Logging option
Panorama to CN-Series firewall. For more information, see CDL configuration for your CNSeries firewall.
To configure IoT Security, Doesn't Require Data Lakesubscription for CN-Series firewall, you
must complete the following steps:
Note: You must ensure that you onboard your Panorama onto the CDL instance. When using
IoT Security, Doesn't Require Data Lake Subscription, you must register your Panorama in the
IoT portal after adding the CN-series Firewall. For more information, see Step 2 in Prepare Your
Firewall for IoT Security.
1. Create a Tenant Service Group (TSG). For more information, see Step 3 in Activate IoT Security
Subscriptions Through Common Services.
2. Create a CN-Series Deployment Profile with IoT - Doesn’t Require Data Lake option.
3. Set up your IOT instance and select Finish Setup option to associate your deployment profile
with the tenant service group (TSG) to enable logging service on your CN-Series firewall and
configure it to obtain and log network traffic metadata. For more information, see Prepare
Your Firewall for IoT Security.
You can then forward the collected metadata to the cloud-based logging service where IoT
Security uses it to identify various IoT devices on the network.
4. Provision Panorama and generate a serial number. For more information, see Register
Panorama and Install Licenses.
5. Configure your CN-Series firewall with Panorama using the auth code to push licenses from
Panorama to CN-Series firewall using the kubernetes plugin. For more information, see
Configure Panorama to Secure a Kubernetes Deployment.
Apply deployment authcode to Kubernetes plugin in Panorama. You can now see your CNseries firewall onboarded on an IoT tenant.
Getting Started with CN-Series
88
©2024 Palo Alto Networks, Inc.
IOT Security Support for CN-Series Firewall
6. Configure template vwire to allow and enable device ID in zone. For more information, see
Configure Virtual Wires.
You can use the Default template K8S-Network-Setup-V and make the following changes in
that template:
• Enable link state passthrough and multicast firewall for default vwire.
• Enable device identification for default zone.
Getting Started with CN-Series
89
©2024 Palo Alto Networks, Inc.
IOT Security Support for CN-Series Firewall
For more information, see Configure Virtual Wires.
Vwire configured in k8s-template-v2 allows Link state pass through and Multicast
Firewalling. The zone configuration of the k8s-template-v2 enables device identification
7. Configure the Enable Cortex Data Lake and Enable Enhanced Application Logging option
Panorama to CN-Series firewall. For more information, see CDL configuration for your CNSeries firewall
After you have successfully onboarded your Panorama and CN-Series firewall onto the cloudbased logging service, go to your IoT instance.
After IoT Security has sufficient information to identify devices from their network behavior,
it provides CN-Series firewall with IP address-to-device mappings and Panorama with policy
Getting Started with CN-Series
90
©2024 Palo Alto Networks, Inc.
IOT Security Support for CN-Series Firewall
recommendations that the Panorama administrator can import and then push to CN-Series
Firewall to enforce policy on IoT device traffic.
Click Administration > Sites and Firewalls > Firewalls in the IoT Security portal to see the status
of logs that the logging service is streaming to the IoT Security application. For more information,
see IoT Security Integration Status with Firewalls.
Getting Started with CN-Series
91
©2024 Palo Alto Networks, Inc.
IOT Security Support for CN-Series Firewall
Getting Started with CN-Series
92
©2024 Palo Alto Networks, Inc.