CN-Series Next-Generation Firewall Deployment
This repository contains the YAMLs used to deploy the CN-Series Next-Generation Firewall from Palo Alto Networks.
All the YAMLs required to deploy CN-Series on a given cloud platform are present under that platform's directory. Users can apply these YAMLs as is to deploy CN-Series quickly after filling in just the following fields from their setup:
In pan-cni.yaml, pan-cn-mgmt.yaml and pan-cn-ngfw.yaml:

    image: <your-private-registry-image-path>

In pan-cn-mgmt-secret.yaml:

    PAN_PANORAMA_AUTH_KEY: <panorama-auth-key>
    # Thermite Certificate retrieval
    CN-SERIES-AUTO-REGISTRATION-PIN-ID: "<PIN Id>"
    CN-SERIES-AUTO-REGISTRATION-PIN-VALUE: "<PIN-Value>"

In pan-cn-mgmt-configmap.yaml:

    # Panorama settings
    PAN_PANORAMA_IP: <panorama-IP>
    PAN_DEVICE_GROUP: <panorama-device-group>
    PAN_TEMPLATE_STACK: <panorama-template-stack>
    PAN_CGNAME: <panorama-collector-group>
    # Intended License Bundle type - "CN-X-BASIC", "CN-X-BND1", "CN-X-BND2"
    # based on the authcode applied on the Panorama K8S plugin
    PAN_BUNDLE_TYPE: <license-bundle-type>
For a production deployment, users are expected to customize the YAMLs as follows:
- The resource fields (cpu, memory) in pan-cn-mgmt.yaml and pan-cn-ngfw.yaml are pre-populated but should be tuned to suit the deployment scenario.
- The configmaps accept some optional fields that users can add, e.g. PAN_PANORAMA_IP2 for Panorama in HA, or CLUSTER_NAME for easier identification when managing multiple Kubernetes clusters under the same Panorama.

Note: For complex setups and advanced topics that require modifying the YAMLs, refer to the deployment documentation for details. Changing a field might require modifications in multiple places and in multiple YAMLs.
Once the YAMLs have been modified as desired, apply them in the following order:

    kubectl apply -f plugin-serviceaccount.yaml
    kubectl apply -f pan-cni-serviceaccount.yaml
    kubectl apply -f pan-mgmt-serviceaccount.yaml
    kubectl apply -f pan-cni-configmap.yaml
    kubectl apply -f pan-cni.yaml
    kubectl apply -f pan-cn-mgmt-secret.yaml
    kubectl apply -f pan-cn-mgmt-configmap.yaml
    kubectl apply -f pan-cn-mgmt.yaml
    kubectl apply -f pan-cn-ngfw-configmap.yaml
    kubectl apply -f pan-cn-ngfw.yaml
To enable CN-Series security for specific application pods, add the following annotation to their YAMLs; or, to enable it for all pods in a given namespace, apply the annotation to the namespace:

    paloaltonetworks.com/firewall: pan-fw

e.g. for the "default" namespace:

    kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw
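A pre-flight wrapper for the fill-in, apply and annotate steps above, added here as an example and not part of this repository: it refuses to apply while any listed manifest still contains an unfilled `<placeholder>` field (so a secret carrying a literal `<PIN-Value>` never reaches the cluster), applies the manifests in the order shown, and annotates a namespace. The manifest names and the annotation come from this README; the script name and the assumption that one platform's manifests sit together in a single directory are mine.

```shell
#!/bin/sh
# Added example (not part of the CN-Series repository): pre-flight check and
# ordered apply for the manifests this README lists. Assumes the manifests for
# one cloud platform sit together in the directory passed to apply_cn_series.

# Apply order as given in the README: service accounts, CNI, mgmt, then ngfw.
CN_MANIFESTS="plugin-serviceaccount.yaml pan-cni-serviceaccount.yaml \
pan-mgmt-serviceaccount.yaml pan-cni-configmap.yaml pan-cni.yaml \
pan-cn-mgmt-secret.yaml pan-cn-mgmt-configmap.yaml pan-cn-mgmt.yaml \
pan-cn-ngfw-configmap.yaml pan-cn-ngfw.yaml"

# Return 0 if every manifest exists and no non-comment line still carries an
# unfilled "<placeholder>" (e.g. <panorama-IP>, <PIN-Value>); otherwise print
# each offending line as file:line:text and return 1.
check_placeholders() {
    dir="$1"
    status=0
    for f in $CN_MANIFESTS; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing manifest: $dir/$f" >&2
            status=1
            continue
        fi
        # First grep tags file:line; second drops lines that are YAML comments.
        if grep -HnE '<[A-Za-z][^<>]*>' "$dir/$f" \
           | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'; then
            status=1
        fi
    done
    return $status
}

# Apply the manifests in README order, but only once the check passes.
apply_cn_series() {
    dir="$1"
    check_placeholders "$dir" || { echo "unfilled placeholders; aborting" >&2; return 1; }
    for f in $CN_MANIFESTS; do
        kubectl apply -f "$dir/$f" || return 1
    done
}

# Enable CN-Series security for every pod in a namespace (README's annotation).
enable_firewall_for_namespace() {
    kubectl annotate namespace "$1" paloaltonetworks.com/firewall=pan-fw
}

# Usage: sh cn-preflight.sh apply ./<platform-dir> [namespace]
if [ "${1:-}" = "apply" ]; then
    apply_cn_series "$2" && [ -n "${3:-}" ] && enable_firewall_for_namespace "$3"
fi
```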
Multus and OpenShift
Multus CNI acts as a "meta-plugin" that calls other CNI plugins. OpenShift ships with Multus enabled, so its pan-cni.yaml already accounts for that. For platforms where Multus is optional and supported, e.g. self-managed (native) Kubernetes, a separate pan-cni-multus.yaml is provided and should be used instead of pan-cni.yaml.
To make the PAN-CNI plugin work with Multus, these 2 extra steps are needed for the application pods:
- A NetworkAttachmentDefinition "pan-cni" needs to be deployed in every app pod's namespace:

    kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>

- The annotation k8s.v1.cni.cncf.io/networks: pan-cni must be added to the app pod YAML.

Refer to the deployment documentation for more details.