Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart
Deploy CN-Series firewalls with Helm charts and templates.
Where Can I Use This?
  • CN-Series deployment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
The Helm repository contains charts and templates for deploying the Palo Alto Networks CN-Series containerized firewall using the Helm package manager for Kubernetes.
You can download the CN-Series Helm charts from GitHub.

Prepare to Use the Helm Charts and Templates

Install the required software. These instructions list the minimum versions, but you can install a later version in the same family unless an upper limit is specified.
  1. Deploy CN-Series firewall 10.1.x, 10.2.x, 11.0.x, or 11.1.x container images.
  2. Install a Kubernetes version between 1.16 and 1.25 and create a Kubernetes cluster. For more information on the supported Kubernetes versions for your environment, see CN-Series Deployment Supported Environments.
  3. Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
    1. Ensure that the Panorama PAN-OS version is 10.x.x or later.
    2. Install the Kubernetes plugin for Panorama version 1.0.x or 2.0.x.

Deploy the CN-Series Firewall Using the Helm Chart (Recommended)

Use this procedure to clone the repository and deploy from your local environment.
  1. Clone the repository from GitHub.
    $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
  2. Change into a local directory for the cloned repository. For example:
    $ cd cn-series-helm
  3. Change to the subdirectory for your deployment.
    • Use the directory helm_cnv1 to deploy the CN-Series as a daemon set
    • Use the directory helm_cnv2 to deploy CN-Series as a service.
    • Use the directory helm_cnv3 to deploy CN-Series as a cnf.
  4. Download the service account manifest plugin-serviceaccount.yaml and apply it. The service account grants the permissions that Panorama requires to authenticate to the cluster and retrieve Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
    kubectl apply -f plugin-serviceaccount.yaml
    To view the secrets associated with this service account:
    kubectl -n kube-system get secrets | grep pan-plugin-user
    Write the secret to a credential file, named cred.json in this example (use a single > so that an existing file is overwritten rather than appended to, which would leave invalid JSON):
    kubectl -n kube-system get secrets <secrets-from-above-command> -o json > cred.json
    Save this file. It contains the service account token, so keep it readable only by you. You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters in Install the Kubernetes plugin for CN-Series firewall.
    On OpenShift, you must manually deploy the pan-cni-net-attach-def.yaml file for each OpenShift namespace before deploying the Helm charts.
  5. Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv1 subdirectory.
    # The K8s environment 
    # Valid deployTo tags are: [gke|eks|aks||native]
    # Valid multus tags are : [enable|disable] Keep the multus as enable for openshift and native deployments.
    cluster:
      deployTo: eks
      multus: disable 
    # Panorama tags
    panorama:
      ip: "<Panorama-IP>" 
      ip2: 
      authKey: "<Panorama-auth-key>"
      deviceGroup: "<Panorama-device-group>"
      template: "<panorama-template-stack>" 
      cgName: "<panorama-collector-group>"
    # MP container tags
    mp:
      initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
      initVersion: latest
      image: gcr.io/pan-cn-series/panos_cn_mgmt
      version: 10.2.3
      cpuLimit: 4
    
    # DP container tags
    dp:
      image: gcr.io/pan-cn-series/panos_cn_ngfw
      version: 10.2.3
      cpuLimit: 2
    
    # CNI container tags
    cni:
      image: gcr.io/pan-cn-series/pan_cni
      version: latest
    
  6. View the rendered YAML files.
    helm install --debug --generate-name helm_cnv1/ --dry-run
  7. Perform a lint check on the helm charts.
    helm lint helm_cnv1/
  8. Deploy the Helm chart.
    helm install <deployment-name> helm_cnv1
    Persistent volume claims are not deleted when a Helm chart is uninstalled. You must clear these claims beforehand for the Helm install to work.
    For more information about Helm, see HELM Classic: A Kubernetes Package Manager.
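helm lint checks the chart, not your values: it will not notice that panorama.ip still reads <Panorama-IP> or that deployTo is misspelled. The following pre-flight check is an added example, not code from the cn-series-helm project. It parses only the flat two-level layout of the values.yaml shown above (no PyYAML needed), runs on a constructed sample, and takes the 10.1 minimum image version from the prerequisites and the multus rule from the comment in the values file.

```python
import re
VALID_DEPLOY_TO = {"gke", "eks", "aks", "openshift", "native"}

# Constructed sample in the helm_cnv1/values.yaml layout, Panorama values still unfilled.
SAMPLE = """\
cluster:
  deployTo: eks
  multus: disable
panorama:
  ip: "<Panorama-IP>"
  ip2:
  authKey: "<Panorama-auth-key>"
mp:
  version: 10.2.3
dp:
  version: 10.2.3
"""

def parse_values(text):
    """Parse 'section:' headers and indented 'key: value' lines into nested dicts."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing spaces
        if not line.strip():
            continue
        key, _, val = line.partition(":")
        if not line.startswith(" "):
            section = key.strip()
            values[section] = {}
        else:
            values[section][key.strip()] = val.strip().strip('"')
    return values

def check_values(values):
    """Return the problems found; an empty list means the file is ready for helm install."""
    problems = []
    for section, entries in values.items():
        for key, val in entries.items():
            if val.startswith("<") and val.endswith(">"):
                problems.append(f"{section}.{key} still holds placeholder {val}")
    cluster = values.get("cluster", {})
    if cluster.get("deployTo") not in VALID_DEPLOY_TO:
        problems.append(f"cluster.deployTo must be one of {sorted(VALID_DEPLOY_TO)}")
    # Rule taken from the values.yaml comment: multus stays enabled on openshift/native.
    if cluster.get("deployTo") in {"openshift", "native"} and cluster.get("multus") != "enable":
        problems.append("cluster.multus must be 'enable' for openshift and native deployments")
    for sec in ("mp", "dp"):   # MP and DP images must be x.y.z and meet the 10.1 minimum
        m = re.fullmatch(r"(\d+)\.(\d+)\.\d+", values.get(sec, {}).get("version", ""))
        if not m or (int(m[1]), int(m[2])) < (10, 1):
            problems.append(f"{sec}.version must be x.y.z and at least 10.1")
    return problems
```

Run check_values(parse_values(open("values.yaml").read())) before step 7 and fix every reported line first.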

Deploy the CN-Series Firewall through the YAML Files

To deploy without cloning the repository, add the repository to your Helm client.
  1. Download the service account manifest plugin-serviceaccount.yaml and apply it. The service account grants the permissions that Panorama requires to authenticate to the cluster and retrieve Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
    kubectl apply -f plugin-serviceaccount.yaml
    To view the secrets associated with this service account:
    kubectl -n kube-system get secrets | grep pan-plugin-user
    Write the secret to a credential file, named cred.json in this example (use a single > so that an existing file is overwritten rather than appended to, which would leave invalid JSON):
    kubectl -n kube-system get secrets <secrets-from-above-command> -o json > cred.json
    Save this file. It contains the service account token, so keep it readable only by you. You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters in Install the Kubernetes plugin for CN-Series firewall.
    On OpenShift, you must manually deploy the pan-cni-net-attach-def.yaml file for each OpenShift namespace before deploying the Helm charts.
  2. Add the CN-Series repository to your local Helm client under the name cn-series, which the later commands refer to.
    Enter this command on a single line:
    $ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
    "cn-series" has been added to your repositories
  3. Confirm the repository has been added to your Helm client.
    $ helm search repo cn-series
  4. Select the Kubernetes cluster.
    $ kubectl config set-cluster NAME
  5. Deploy using the Helm chart repository. Edit the following command to include your configuration information. The trailing backslashes continue the single command across lines, and panorama.authKey is passed with --set-string so that a key made up only of digits is kept as a string instead of being converted to a number.
    $ helm install <deployment-name> cn-series/cn-series \
    --set cluster.deployTo="gke|eks|aks|openshift" \
    --set panorama.ip="panorama hostname or ip" \
    --set panorama.ip2="panorama2 hostname or ip" \
    --set-string panorama.authKey="vm auth key" \
    --set panorama.deviceGroup="device group" \
    --set panorama.template="template stack" \
    --set panorama.cgName="collector group" \
    --set cni.image="container repo" \
    --set cni.version="container version" \
    --set mp.initImage="container repo" \
    --set mp.initVersion="container version" \
    --set mp.image="container repo" \
    --set mp.version="container version" \
    --set mp.cpuLimit="cpu max" \
    --set dp.image="container repo" \
    --set dp.version="container version" \
    --set dp.cpuLimit="cpu max"
    Persistent volume claims are not deleted when a Helm chart is uninstalled. You must clear these claims beforehand for the Helm install to work.
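Two details of the --set form above are easy to get wrong by hand: --set infers types, so a value that looks like a number or boolean (a digits-only VM auth key, for instance) must go through --set-string to stay a string, and --set treats an unescaped comma as the start of another key=value pair. The following helper is an added example, not part of the cn-series-helm project: it builds the Helm 3 command line from a constructed settings dict (all values made up), picks --set-string where needed, escapes commas, and shell-quotes the result.

```python
import shlex

# Keys whose values must stay strings even when they look numeric; the page passes
# panorama.authKey with --set-string for exactly this reason.
FORCE_STRING = {"panorama.authKey"}

# Constructed settings mirroring the --set parameters above (every value is made up).
SETTINGS = {
    "cluster": {"deployTo": "gke"},
    "panorama": {"ip": "203.0.113.10", "ip2": "", "authKey": "123456789012345",
                 "deviceGroup": "dg-cluster1", "template": "ts-cluster1", "cgName": "cg-cluster1"},
    "mp": {"image": "gcr.io/pan-cn-series/panos_cn_mgmt", "version": "10.2.3", "cpuLimit": 4},
    "dp": {"image": "gcr.io/pan-cn-series/panos_cn_ngfw", "version": "10.2.3", "cpuLimit": 2},
}

def flatten(values, prefix=""):
    """Turn nested dicts into dotted Helm keys; empty strings (an unused ip2) are skipped."""
    out = {}
    for key, val in values.items():
        name = prefix + key
        if isinstance(val, dict):
            out.update(flatten(val, name + "."))
        elif val != "":
            out[name] = val
    return out

def helm_would_retype(text):
    """True when --set would turn this string into a bool, null or integer."""
    return text.lower() in {"true", "false", "null"} or text.isdigit()

def set_flags(values):
    """Build --set/--set-string pairs; commas are escaped because --set splits on them."""
    flags = []
    for key, val in flatten(values).items():
        if isinstance(val, str) and (key in FORCE_STRING or helm_would_retype(val)):
            flag = "--set-string"            # keep the string exactly as given
        else:
            flag = "--set"                   # ints/bools keep their type in values
        text = str(val).replace(",", "\\,")  # an unescaped comma would start a new pair
        flags += [flag, f"{key}={text}"]
    return flags

def helm_install_command(release, chart, values):
    """Shell-safe `helm install` line in Helm 3 form: release name before the chart."""
    argv = ["helm", "install", release, chart, *set_flags(values)]
    return " ".join(shlex.quote(arg) for arg in argv)

if __name__ == "__main__":
    print(helm_install_command("cn-series", "cn-series/cn-series", SETTINGS))
```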