CN-Series Helm Chart ⛵⎈

This repository contains charts and templates for deploying the Palo Alto Networks CN-series containerized firewall using the Helm Package Manager for Kubernetes

Minimum requirements

  • CN-Series
    • CN-Series 10.0.0 container images
  • Panorama
    • Panorama 10.0.0
    • Kubernetes plugin for Panorama version 1.0.0
    • Panorama must be accessible from the Kubernetes cluster
  • Kubernetes
    • Kubernetes 1.13 - 1.18 cluster
    • A current kubeconfig file
  • Helm

A full list of supported Kubernetes environments may be found here:


Method 1 - With Repo

  1. Generate the VM authorization key on Panorama

  2. Clone the repository from GitHub

$ git clone
  1. Change into the repo directory
$ cd cn-series-helm
  1. Edit the values.yaml file and plug in your specific configs
# The K8s environment 
# Valid deployTo tags are: [gke|eks|aks|openshift]
  deployTo: gke

# Firewall tags
# Valid licenceBundle tags are: [basic|bundle1|bundle2]
 operationMode: daemonset
 failoverMode: failopen
 licenseBundle: bundle2

# Panorama tags
  authKey: "000000000000000"
  deviceGroup: my-devicegroup
  template: my-stack
  cgName: my-collector

# MP container tags
 initVersion: latest
 version: latest
 cpuLimit: 4

# DP container tags
 version: latest
 cpuLimit: 2

# CNI container tags
 version: latest
  1. Install the Helm chart
$ helm install my-deployment .

Method 2 - Without Repo

  1. Generate the VM authorization key on Panorama

  2. Add the cn-series repo to your local Helm client

$ helm repo add paloaltonetworks
"cn-series" has been added to your repositories
  1. Confirm the repo has been added to your Helm client
$ helm search repo cn-series
paloaltonetworks/cn-series   0.1.5           10.0.0           Palo Alto Networks CN-Series firewall Helm char...
  1. Select the Kubernetes cluster
$ kubectl config set-cluster NAME
  1. Deploy using the Helm chart repo
$ helm install my-deployment paloaltonetworks/cn-series \
--set cluster.deployTo="gke|eks|aks|openshift"
--set panorama.ip="panorama hostname or ip" \
--set panorama.ip2="panorama2 hostname or ip" \
--set-string panorama.authKey="vm auth key" \
--set panorama.deviceGroup="device group" \
--set panorama.template="template stack" \
--set panorama.cgName="collector group" \
--set cni.image="container repo" \
--set cni.version="container version" \
--set mp.initImage="container repo" \
--set mp.initVersion="container version" \
--set mp.image="container repo" \
--set mp.version="container version" \
--set mp.cpuLimit="cpu max" \
--set dp.image="container repo" \
--set dp.version="container version" \
--set dp.cpuLimit="cpu max"


This template/solution is released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.

Unless explicitly tagged, all projects or work posted in our GitHub repository (at or sites other than our official Downloads page on are provided under the best effort policy.

Developer Sites


Copyright © 2023 Palo Alto Networks, Inc. All rights reserved.