Three Ways Network Security Fool-Proofs Your Containerized Apps




Cloud-native adoption is on the rise. According to Gartner, by the end of 2023, more than 75% of global organizations will be running containerized applications in production, up from less than 30% today.


Why do you need a container firewall?


Hardware and virtual firewalls can only be deployed outside the container environment. When pod traffic leaves the Kubernetes cluster, it is, in most CNI configurations, source-NATed to the node IP address. As a result, a firewall sitting outside the cluster sees the node rather than the pod or namespace as the source and cannot attribute traffic to the workload that generated it. Customers that want Layer-7 visibility inside the Kubernetes cluster and policy enforced at the Kubernetes namespace level are now adopting CN-Series.




The Palo Alto Networks CN-Series firewall is the industry's first next-gen firewall (NGFW) for Kubernetes, purpose-built to secure the Kubernetes environment from network-based attacks. With the CN-Series firewall, you can:


  1. Gain Layer-7 visibility and enforcement using native K8S context to protect against known and unknown threats.
  2. Protect containerized apps deployed anywhere with best-in-class network security.
  3. Deploy and scale network security without compromising DevOps speed and agility.


Here are the top three business drivers for customers to adopt network security to secure containers: 


  • Extending Zero Trust to Modern Apps: Customers adopting the Zero Trust model for traditional applications can now extend the same Zero Trust architecture to all parts of the infrastructure, including modern microservices-based containerized apps. 
  • Regulatory Compliance: Customers moving critical applications to containers can ensure their microservices-based applications remain compliant with industry standards such as PCI DSS and HIPAA, minimizing business risk. 
  • Optimize Total Cost of Ownership (TCO): To improve operational efficiency and optimize cost, customers are looking at Kubernetes-native constructs to dynamically scale network security, since scaling traditional hardware and virtualized firewalls can be operationally challenging. 


How customers deploy CN-Series in their environment:


Prevent Lateral Spread of Threats Across Kubernetes Namespace Boundaries (E-W Traffic Protection):





To stop lateral movement of threats between different applications running on the same Kubernetes cluster, and to comply with regulatory standards such as HIPAA and PCI DSS, large healthcare providers and online retailers have inserted CN-Series between the internet-facing web-server application and the database application holding the sensitive data. This ensures threats cannot move laterally between applications and helps the customer meet those regulatory requirements. 


Microsegmentation products provide granular protection at Layers 3 and 4, blocking traffic between workloads that should not be able to communicate at all. CN-Series inspects and controls the traffic that is allowed at Layer 7, stopping threats that attempt to move laterally inside permitted flows. 
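To make the Layer 3/4 versus Layer 7 distinction concrete, the following is an added example of the Layer 3/4 baseline that microsegmentation provides, written as standard Kubernetes NetworkPolicy objects. It is not code from the original post and not a CN-Series configuration; the namespace names (`web`, `db`), the pod labels (`app=web`, `app=postgres`) and the database port are assumed for illustration.

```yaml
# Added example: Layer 3/4 microsegmentation between a web tier and a
# database tier using Kubernetes NetworkPolicy. Namespaces, labels and
# the PostgreSQL port are assumptions for this illustration.
# Requires a CNI plugin that enforces NetworkPolicy.
---
# 1. Default-deny all ingress to every pod in the "db" namespace, so that
#    only explicitly allowed flows can reach the database pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: db
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Allow only pods labelled app=web in the "web" namespace to reach the
#    PostgreSQL pods, and only on TCP/5432. Any other source, port or
#    protocol is dropped by the default-deny policy above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-postgres
  namespace: db
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Label that Kubernetes applies to every namespace automatically
              kubernetes.io/metadata.name: web
          podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 5432
```

Apply both objects with `kubectl apply -f`. Note what this policy decides: only whether a connection from a given pod to a given pod and port may exist. A SQL injection payload, an exploit against the database listener, or a data pull issued from an already compromised `app=web` pod all travel over the permitted TCP/5432 flow and pass this policy unchanged. That is the gap the Layer 7 inspection described above is meant to fill.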


Prevent Data Exfiltration from Kubernetes Environments (OutBound Protection):


To gain application-level visibility inside the Kubernetes cluster, enforce granular policy, and prevent data exfiltration, customers deploy CN-Series together with the URL Filtering and DNS Security subscriptions.

With CN-Series, customers have ensured that a specific app (Jenkins, for example) can communicate only with a specific URL, whether that URL is internal to the organization or on the internet, while other apps running on the same Kubernetes cluster (App1 and App2) remain free to reach any destination on the internet. Additionally, whenever the DNS Security subscription identifies a potentially malicious website or domain, all apps are blocked from communicating with that domain, keeping the customer's sensitive data within the organization. 


Prevent Both Known and Unknown inbound attacks (InBound Protection):






To protect against inbound threats and apply granular policy at the application or namespace level, large online retailers and banks use CN-Series together with the Threat Prevention (TP) and WildFire (WF) subscriptions. With CN-Series, the customer can apply stricter policies to specific applications only and protect against file-based threats, including exploits, malware, spyware, and previously unknown threats, that attempt to sneak through open ports. 


Additionally, by taking advantage of Kubernetes auto-scaling to handle peak traffic, many customers have moved from hardware firewalls to CN-Series, achieving greater cost savings and improved operational efficiency. 


To learn more about how CN-Series can help you protect your containerized workloads, please visit:


