Professional Documents
Culture Documents
CN Series Firewall
CN Series Firewall
Container Firewall
Prevent threats in Kubernetes
CN-Series container environments with the industry’s
firewalls deliver:
leading Next-Generation Firewall
• Threat prevention and advanced
network security services to protect The Palo Alto Networks CN-Series container firewall is the
Kubernetes namespace boundaries
industry’s first next-generation firewall (NGFW) delivered
• Automated deployment and
configuration via Kubernetes for in a container form factor and natively integrated into
frictionless network security Kubernetes®. Container firewalls prevent network-based
• Visibility into native Kubernetes threats from spreading across Kubernetes namespace
metadata (e.g., namespace) for
boundaries.
context-based security policies
• Centralized management with
Panorama
Flexible and Consistent CNI Integration Table 2: CN-Series Key Performance Metrics
• Simple insertion: The CN-Series supports multiple con-
Feature/Attribute CN-NGFW (1 Core)
tainer network interface (CNI) plugins for use in different
types of Kubernetes deployments.
Firewall Throughput 500 Mbps
(App-ID Enabled)
Kubernetes On-Premises and Cloud Support
• Public cloud: CN-Series firewalls can be deployed in hosted Threat Prevention Throughput 250 Mbps
container environments such as GKE, AKS, Amazon EKS,
and Red Hat OpenShift®. For detailed platform support in- Max Sessions 20,000
formation, see table 1.
• On-premises: CN-Series firewalls can also be deployed
CPU (min.) 2 1
Panorama Kubernetes 1.0.0
Plugin
CPU (max.) 2 4
Container Runtime Docker, CRI-O
Disk 50 GB N/A
Native Kubernetes 1.14 – 1.18
Cloud Provider-Managed
Kubernetes*
OpenShift 4.2, 4.4, 4.5 Scalability of Components
AWS EKS (1.14 – 1.17)
Azure AKS (1.14 – 1.18) Table 4 lists scalability numbers of the different CN-Series
GCP GKE (1.14 – 1.17) components, and table 5 lists those of the Panorama
Kubernetes plugin.
Customer-Managed Kubernetes†
Table 4: Scalability of CN-Series Components
Kubernetes Host VM OS Ubuntu 16.04, 18.04, RHEL/
CentOS 7.3+ Capacity/Attribute CN-Series Scale
CNI CNI Spec 0.3.0 and higher, Max. CN-MGMT Pairs per K8s Cluster 4
which support
CNI chaining (e.g., Calico, Max. CN-NGFW Pods per CN-MGMT
30
Pair
Flannel, Weave)
* Recommended versions for Kubernetes, Calico, etc. Kubernetes Pods Secured by
† In customer-managed deployments, Kubernetes can be deployed using any CN-NGFW (per Kubernetes Node) 30
orchestrator (e.g., Rancher, Kubespray) and deployed in a public or private cloud
so far as Kubernetes, CNI, and host OS versions are from table 1.
3000 Tannery Way © 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 cn-series-container-firewall-ds-111220
Support: +1.866.898.9087
www.paloaltonetworks.com