Secure 5G With the CN-Series Firewall
Use the 5G-Native Security capabilities on the CN-Series
firewall for visibility and control of 5G traffic.
For visibility and control of 5G traffic for private enterprises and 5G Mobile
Packet Core deployments in Mobile Operator Networks on Kubernetes, review the
following sections for supported environments and how to modify the YAML files to unlock
GTP Security and 5G-Native Security on the CN-Series firewall.
In addition to enabling these capabilities when you deploy the CN-Series firewall, you
must also enable Panorama for GTP Security and/or SCTP Security.

Where Can I Use This?

Environment | Supported |
---|---|
Container runtime | Docker, CRI-O, Containerd |
Kubernetes version | 1.17 through 1.27 |
Cloud provider managed Kubernetes | |
Customer managed Kubernetes | On the public cloud or on-premise data center. Make sure that the Kubernetes version, CNI types, and Host VM OS versions are as listed in this table. |
VMware TKG+ | version 1.1.2 |
Kubernetes Host VM: Operating System | |
Kubernetes Host VM: Linux Kernel Version | |
Kubernetes Host VM: Linux Kernel Netfilter | Iptables |
CNI Plugins | CNI Spec 0.3 and later: |
OpenShift | |

What Do I Need?

Component | Version |
---|---|
CN-Series firewall | PAN-OS 10.0.3 or later |
Kubernetes plugin | 1.0.1 or later |
Panorama | 10.0.0 or later |
The following is a list of all the editable parameters in the YAML files that you use to deploy the CN-Series firewall. For details, see Editable Parameters in CN-Series Deployment yaml files and CN-Series Core building blocks.
Parameter | Description |
---|---|
Enable GTP | On the pan-cn-mgmt-configmap.yaml set PAN_GTP_ENABLED: "True" before you deploy the CN-MGMT StatefulSet. |
Enable Jumbo Frame Mode | On the pan-cn-mgmt-configmap.yaml set PAN_JUMBO_FRAME_ENABLED: "True" before you deploy the CN-MGMT StatefulSet. During bootup, the CN-MGMT pod uses the "eth0" MTU to auto-detect whether to enable jumbo-frame mode. So, if your secondary CNI uses jumbo frames while the primary CNI does not, you must define PAN_JUMBO_FRAME_ENABLED: "True" to enable jumbo frame mode on the CN-Series firewall. CN-Series currently doesn't support DPDK and doesn't allow the app pod to use DPDK; you might need to modify the app pod if the app does not automatically adjust to non-DPDK mode. |
Enable System Resource Flexibility | If you need higher throughput and want to configure more memory to address your deployment needs, on the pan-cn-mgmt-configmap.yaml set PAN_NGFW_MEMORY="48Gi". For templating (Helm), it can take the same variable as allocated for the CN-NGFW pod. When you enable a larger memory footprint, the CN-MGMT StatefulSet only supports one CN-NGFW pod. |
Configure vCPU, Memory for 5G | The recommended configuration for CN-MGMT pods (in pan-cn-mgmt.yaml) and NGFW pods (in pan-cn-ngfw.yaml) is to have identical values in "request" and "limit" for cpus and memory to achieve guaranteed QoS. For CN-MGMT pods, recommended values are cpu=4, memory=16Gi. To control placement of CN-MGMT pods, for example on the same or different nodes than where the CN-NGFW pods are deployed, use the node-selector capability in k8s. For CN-NGFW pods, recommended values are cpu=12, memory=48Gi. To control placement of CN-NGFW pods, for example on the same or different nodes than where the CN-MGMT pods are deployed, use the node-selector capability in k8s. |
Select the CNI yaml file | The Multus CNI acts as a meta-plugin that calls other CNI plugins. On OpenShift environments, Multus is enabled by default, so you can use the pan-cni.yaml. On other environments where Multus is supported but optional, such as self-managed (native) environments, use the pan-cni-multus.yaml instead of the pan-cni.yaml. |
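The settings from the table above combined into manifest excerpts, as an added example and not a file shipped with the CN-Series: a ConfigMap that enables GTP, jumbo-frame mode and the larger memory footprint, and a CN-NGFW container spec whose requests equal its limits (so Kubernetes assigns it the Guaranteed QoS class), pinned with a node selector. The object names, namespace, controller kind, container name, image and node label are assumptions, not values from this page.

```yaml
# Excerpt of pan-cn-mgmt-configmap.yaml (metadata name and namespace are assumptions).
# Flags are strings, so keep the quotes: an unquoted True is parsed as a YAML boolean.
apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config        # assumed name
  namespace: kube-system        # assumed namespace
data:
  PAN_GTP_ENABLED: "True"           # enable GTP Security; set before deploying the CN-MGMT StatefulSet
  PAN_JUMBO_FRAME_ENABLED: "True"   # force jumbo-frame mode when only the secondary CNI uses jumbo frames
  PAN_NGFW_MEMORY: "48Gi"           # larger footprint; CN-MGMT then supports one CN-NGFW pod
---
# Excerpt of the CN-NGFW pod template in pan-cn-ngfw.yaml (controller kind is an assumption).
# requests == limits for cpu and memory in every container gives the pod Guaranteed QoS;
# a request lower than its limit would instead yield Burstable QoS.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: pan-ngfw          # assumed name
  namespace: kube-system  # assumed namespace
spec:
  selector:
    matchLabels:
      app: pan-ngfw
  template:
    metadata:
      labels:
        app: pan-ngfw
    spec:
      nodeSelector:
        ngfw-node: "true"   # assumed label: schedule CN-NGFW pods only on nodes carrying it
      containers:
      - name: pan-ngfw-container   # assumed name
        image: <cn-ngfw-image>      # placeholder, not a real image reference
        resources:
          requests:
            cpu: "12"
            memory: "48Gi"
          limits:
            cpu: "12"       # identical to the request
            memory: "48Gi"  # identical to the request
```

After the pod is running, `kubectl get pod <pod-name> -n kube-system -o jsonpath='{.status.qosClass}'` should print Guaranteed; Burstable means a request and limit differ somewhere in the pod.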
Also review the System Requirements for CN-Series firewall
before you continue to deploy the CN-Series firewall.