As you adopt Kubernetes and containers for application development and operational agility, you can now automate the deployment of the next-generation firewalls in environments such as OpenShift, native Kubernetes, GKE, AKS, or EKS, using native Kubernetes constructs. The CN-Series firewall is the containerized form factor of the next-generation firewall that provides complete Layer 7 visibility, application-level segmentation, and protection from advanced threats for traffic going between trust zones in public cloud or data center environments. The containerized form factor has a distributed PAN-OS architecture with CN-Mgmt and CN-NGFW pods that integrate into your CI/CD pipeline and help you secure traffic going from containerized applications running in Kubernetes clusters to VMs, bare metal servers, or to other containerized applications.

The CN-Series firewall requires Panorama and the Kubernetes plugin on Panorama to enable centralized management, licensing, and security policy enforcement. Panorama and the CN-Series firewall use the Kubernetes APIs for a tight integration whereby the CN-NGFW pods that you deploy as a DaemonSet, use CNI-chaining for integrating into the container namespace and retrieve Kubernetes labels for enabling metadata-driven policies with dynamic address groups in Security policy.

To support the automatic license activationworkflows for VM-Series use cases such as bootstrapping and autoscaling, the site licenses for AutoFocus and Cortex Data Lake can now be automatically activated for the Pay-as-you-go (PAYG) marketplace firewalls. With the support for enterprise wide (site) licenses on the VM-Series PAYG firewalls, these firewalls can now access the cloud-based threat intelligence service (AutoFocus) and logging infrastructure (Cortex Data Lake) within your enterprise. When you provide the auto-registration pin ID and value as part of the bootstrapping process, the firewall is automatically registered to the Customer Support Account so that it can retrieve the site licenses that have already been registered on the Customer Support Portal. You can also manually retrieve the license directly on the firewall.

Panorama now supports security policies within the same device group for multiple IP-tag sources, such as AWS, VMware NSX, and Cisco TrustSec plugins. If you have Panorama monitoring VMs in multiple cloud environments or receiving IP-tags from other sources, you can now aggregate and push them to the appropriate device groups.

To secure the highly distributed 5G networks, including edge clouds and across multi-vendor and multi-cloud environments, you can enable network slice security, equipment ID security, and subscriber ID security on the CN-Series. Security policy rules and correlation based on 5G network slice, equipment ID, and subscriber ID are supported. You can also enable RAN-based security with SCTP and GTP Security for 5G user-plane tunnel content inspection and threat prevention.

The CN-Series firewall is supported on VMWare's VMware Tanzu Kubernetes Grid (TKG) platform with the Intel x710, macvlan and Multus CNI's available as part of TKG - SR-IOV.