article CN-Series Part 1: What is CN-Series? in CN-Series Articles

article CN-Series Part 1: What is CN-Series? in CN-Series Articles https://live.paloaltonetworks.com/t5/cn-series-articles/cn-series-part-1-what-is-cn-series/ta-p/422659 <P data-unlink="true"><SPAN style="font-weight: 400;">In my </SPAN><SPAN style="font-weight: 400;">previous article,</SPAN><SPAN style="font-weight: 400;"> "<A href="https://live.paloaltonetworks.com/t5/cn-series-articles/why-did-we-build-the-cn-series/ta-p/415268" target="_self">Why Did We Build the CN-Series?</A>," we discussed the <EM>why </EM>behind the development of the CN-Series in a world where cloud-native adoption and containerized applications are on the rise. </SPAN></P> <P data-unlink="true"> </P> <P data-unlink="true"><SPAN style="font-weight: 400;">Now, we're going to go over what a CN-Series firewall actually does, its functions, and how it can help NetSec teams secure Kubernetes workloads. </SPAN></P> <P data-unlink="true"> </P> <P><SPAN style="font-weight: 400;"><A href="https://www.paloaltonetworks.com/network-security/cn-series" target="_self">CN-Series Container Firewalls for Kubernetes</A> deliver all of our PA-Series (hardware NGFW) and VM-Series (software) firewalls’ capabilities in a container form factor. You can deploy our cloud-delivered security services on top of the CN-Series firewalls, just like our other firewall form factors. This solution gives you the ability to deploy Layer 7 network security and threat protection in your Kubernetes clusters for advanced protection and compliance.</SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">CN-Series has been deeply integrated with Kubernetes for complete visibility and context and ensures that the firewall is automatable and scalable to accommodate DevOps workflows.</SPAN></P> <P> </P> <H2><STRONG>So what exactly do you get with CN-Series?</STRONG></H2> <P> </P> <P><SPAN style="font-weight: 400;">Specifically, CN-Series provides customers with visibility and control over their Kubernetes traffic. You will gain a contextual understanding of Kubernetes constructs, like namespaces and tags, to define security policies.</SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">CN-Series also provides deeper traffic visibility than any other firewall form factor. For instance, it can overcome the challenge to </SPAN><SPAN style="font-weight: 400;">identify the specific pod that traffic originates from, as we discussed in my <A href="https://live.paloaltonetworks.com/t5/cn-series-articles/why-did-we-build-the-cn-series/ta-p/415268" target="_self">previous article on the CN-Series</A>. It means that you can write security policies more granularly—at the application-level rather than at the cluster-level. </SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">CN-Series firewalls are managed in Panorama, using the new Kubernetes plugin. A consistent management solution to incorporate Kubernetes context into integrated policies, which provide broader network security posture.</SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">As I mentioned before, the deep integration we’ve built between CN-Series and Kubernetes ensures that the firewalls can be deployed and configured seamlessly as part of your DevOps team’s workflow. For those of you using Helm to manage your Kubernetes deployments, we’ve built a </SPAN><A href="https://github.com/paloaltonetworks/cn-series-helm" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">Helm chart</SPAN></A><SPAN style="font-weight: 400;"> for CN-Series.</SPAN></P> <P> </P> <P data-unlink="true"><SPAN style="font-weight: 400;">Here is a </SPAN><A href="https://www.youtube.com/watch?v=IqUUfRfAiSw" target="_self"><SPAN style="font-weight: 400;">quick demonstration</SPAN></A><SPAN style="font-weight: 400;"><A href="https://www.youtube.com/watch?v=IqUUfRfAiSw" target="_self"> of how to deploy CN-Series via Helm Charts</A>.</SPAN></P> <P data-unlink="true"> </P> <P data-unlink="true"><SPAN style="font-weight: 400;"><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FIqUUfRfAiSw%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DIqUUfRfAiSw&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FIqUUfRfAiSw%2Fhqdefault.jpg&type=text%2Fhtml&schema=youtube" width="600" height="338" scrolling="no" title="Deploying CN-Series Container Firewall Using HELM Charts" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></SPAN></P> <P><SPAN style="font-weight: 400;"> </SPAN></P> <H2> </H2> <H2><STRONG>CN-Series — Distributed deployment mode in PANOS 10.0</STRONG></H2> <P> </P> <P><SPAN style="font-weight: 400;">In our PANOS 10.0 release, you have a CN-Series firewall deployed on each node as a Daemon set within your K8S environment to provide maximum visibility and control.</SPAN></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="CN-Series deployment" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35288iC544751D8A82711E/image-size/large?v=v2&px=999" role="button" title="rapatil_0-1627478401043.png" alt="CN-Series deployment" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">CN-Series deployment</span></span></P> <P> </P> <P> </P> <P><SPAN style="font-weight: 400;">Technically, the firewalls deploy two sets of pods: one for the management plane (CN-MGMT) and another for the firewall data plane (CN-NGFW). The firewall data plane runs as a daemon set, and the management plane simply runs as a Kubernetes service.</SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">Of course, we also have Panorama represented here since that’s where CN-Series is managed from. The plugin is continually pulling information from Kubernetes and feeding it into Panorama.</SPAN></P> <P> </P> <H2><STRONG> What’s new in PANOS 10.1 for CN-Series?</STRONG></H2> <P> </P> <P><SPAN style="font-weight: 400;">Starting with the PANOS 10.1 release, Palo Alto Networks adds a new fw-as-a-k8s-service deployment mode to augment the fw-as-a-daemon-set mode.</SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">With CN-Series NGFW running as a k8s service, customers will no longer need to deploy the CN-NGFW on every application node. Instead, you can have dedicated nodes (let’s call them Security nodes ) on which all CN-NGFW firewalls will be deployed.</SPAN></P> <P><SPAN style="font-weight: 400;">Traffic redirection between Application Pods and CN-NGFW happens via secure VXLAN encapsulation.</SPAN></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CN-Series cluster mode" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35289i109B775933827763/image-size/large?v=v2&px=999" role="button" title="rapatil_1-1627478401045.png" alt="CN-Series cluster mode" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">CN-Series cluster mode</span></span></P> <P> </P> <P> </P> <H3><STRONG>When to go for Daemon set vs. K8s Service deployment?</STRONG></H3> <P> </P> <P><SPAN style="font-weight: 400;">Daemon set deployment mode needs at least one CPU core and 2G memory per CN-NGFW firewall per node. So, customers with a large footprint and/or high firewall-capacity demands will go for Daemon set deployment for compliance and risk mitigation use cases. </SPAN><SPAN style="font-weight: 400;">However, the second set of customers with smaller nodes and/or small firewall capacity needs and looking for securing a subset (e.g. database traffic) through CN-Series firewalls will most likely adopt the CN-Series as a k8s service mode (PANOS 10.1) or Cluster mode deployment.</SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">These customers would like to start small (limited firewall capacity with minimum resource needs) and dynamically increase/decrease the firewall capacity as the need changes while minimizing the disruption to the traffic. These customers will benefit from having the ability to run firewall as a shared k8s service, just like any other k8s application, where they could start with 1 or 2 pods and automatically scale the number of firewall pods up/down when the traffic is going through the firewall service increases/decreases. </SPAN></P> <P> </P> <H3><STRONG>CN-Series Autoscaling with Horizontal Pod Autoscaler (</STRONG><A href="https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/" target="_blank" rel="noopener"><STRONG>HPA</STRONG></A><STRONG>) feature</STRONG></H3> <P> </P> <P><SPAN style="font-weight: 400;">Starting with the 10.1 release, CN-Series in cluster mode will also support the auto-scaling functionality based on standard or custom metrics. </SPAN><SPAN style="font-weight: 400;">For the standard metrics, customers can scale their Management Pods and the Dataplane Pods based on average CPU or memory utilization across all Pods.</SPAN></P> <P> </P> <P><SPAN style="font-weight: 400;">I hope I was able to provide enough information on CN-Series to get you started. In my third and final article, I’ll go over some of the primary use-cases of CN-Series.</SPAN></P> <P> </P> <P><STRONG>Find more information, visit Palo Alto Networks' page on <SPAN style="font-weight: 400;"><STRONG><A href="https://www.paloaltonetworks.com/network-security/cn-series" target="_self">CN-Series Container Firewalls for Kubernetes</A>. </STRONG></SPAN></STRONG></P> <P> </P> Thu, 05 Aug 2021 15:20:54 GMT rapatil 2021-08-05T15:20:54Z CN-Series Part 1: What is CN-Series? https://live.paloaltonetworks.com/t5/cn-series-articles/cn-series-part-1-what-is-cn-series/ta-p/422659 <P>Learn how Palo Alto Networks' CN-Series firewall helps Network Security teams secure Kubernetes workloads. </P> Thu, 05 Aug 2021 15:20:54 GMT https://live.paloaltonetworks.com/t5/cn-series-articles/cn-series-part-1-what-is-cn-series/ta-p/422659 rapatil 2021-08-05T15:20:54Z Re: CN-Series Part 1: What is CN-Series? https://live.paloaltonetworks.com/t5/cn-series-articles/cn-series-part-1-what-is-cn-series/tac-p/452090#M7 <P>Loved it. Much need firewall at container  level.</P> Wed, 08 Dec 2021 13:38:24 GMT https://live.paloaltonetworks.com/t5/cn-series-articles/cn-series-part-1-what-is-cn-series/tac-p/452090#M7 SachinIvanti 2021-12-08T13:38:24Z