CN-Series Firewalls — GKE

Jasbir Singh
Google Cloud - Community
4 min read · Jun 15, 2023

The Palo Alto Networks Container Native Firewalls (CN-Series) are natively integrated into Kubernetes (k8s) to provide complete L7 visibility, application level segmentation, DNS Security, and protection from advanced threats for traffic going across trusted zones in public cloud or data center environments. It enables you to isolate and protect workloads, application stacks, and services, even as individual containers scale up, down, or across hosts and consistently apply security policies that are based on Kubernetes labels.

The CN-Series firewall enables your security administrator to provision security for the containerised applications across a wide range of environments including Cloud Provider Managed k8s such as GKE, EKS, AKS, and Customer Managed k8s such as Openshift, and Native k8s on the public cloud or on premises data centers.

The CN-Series firewall uses Kubernetes constructs and metadata driven policy so that the teams can automate the deployment and efficiently enforce security policy to consistently protect from known and unknown threats.

CN-Series Core Building Blocks

The core building blocks to deploy the CN-Series Firewalls are:

1. Distributed PAN-OS architecture with CN-MGMT and CN-NGFW pods

The management plane (CN-MGMT) and data plane (CN-NGFW) of the containerised firewall are separate to enable better runtime protection for applications and to support a smaller footprint. The CN-MGMT and CN-NGFW are deployed using container images and YAML manifest files with ConfigMap objects.

2. CN-MGMT

CN-MGMT runs as a StatefulSet to ensure that it has a persistent volume, and it is exposed as a Kubernetes Service that can be discovered using DNS within the cluster. CN-MGMT provides fault tolerance: in the event of a restart or failure of one CN-MGMT pod, a single remaining CN-MGMT pod can continue to manage the existing CN-NGFW pods.

3. CN-NGFW

CN-NGFW can be deployed as a DaemonSet or as a Kubernetes Service. DaemonSet deployments are suited to Kubernetes environments with larger nodes, pods that require low latency, and/or a need for high firewall capacity. The CN-Series as a Kubernetes Service is suited to Kubernetes environments with smaller nodes and/or a need for more dynamic firewalling.

When deployed as a DaemonSet, each instance of the CN-NGFW pod can secure 30 application pods running on the same node. This architecture lets you place a CN-NGFW DaemonSet pod on each node in the cluster whose workloads you want to protect, and a pair of CN-MGMT pods can connect to and manage up to 30 CN-NGFW pods within a cluster.

When deployed as a Kubernetes Service, instances of the CN-NGFW can be deployed on security nodes and application pod traffic is redirected to an available CN-NGFW instance for inspection and enforcement.

4. PAN-CNI plugin for network insertion

The PAN-CNI plugin is responsible for allocating network interfaces on every pod, which enables network connectivity to the CN-NGFW pod. The YAML files that you use to deploy the CN-Series include the PAN-CNI DaemonSet, which inserts the PAN-CNI plugin into the CNI plugin chain on each node in the cluster. As each application pod comes up, the plugin reads the pod's annotation to determine whether to enable security for it and, if so, redirects the pod's traffic to the CN-NGFW pod for inspection on both ingress and egress.
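As an added example (not part of the original article, and not Palo Alto Networks' own tooling), the following Python script audits a pod inventory against the two points above: the per-pod annotation the PAN-CNI plugin checks, and the stated limits of 30 application pods per CN-NGFW pod and 30 CN-NGFW pods per CN-MGMT pair in the DaemonSet model. The annotation key `paloaltonetworks.com/firewall: pan-fw` is assumed from the CN-Series documentation rather than taken from this article, and the pod inventory is constructed inline so the script runs offline.

```python
import math
from collections import defaultdict

# Annotation the PAN-CNI plugin is expected to look for on application pods.
# Assumed from CN-Series documentation, not stated in the article; adjust
# to match your deployment.
FW_ANNOTATION = "paloaltonetworks.com/firewall"
FW_VALUE = "pan-fw"

# Capacity figures stated in the article for the DaemonSet deployment model.
APP_PODS_PER_CN_NGFW = 30      # one CN-NGFW pod secures up to 30 app pods on its node
CN_NGFW_PER_CN_MGMT_PAIR = 30  # one CN-MGMT pair manages up to 30 CN-NGFW pods


def audit(pods, secured_namespaces):
    """Report coverage gaps and capacity limits for a list of pod records.

    Each pod is a dict with name, namespace, node and annotations. Returns
    pods in namespaces that should be secured but lack the annotation,
    nodes where the count of secured pods exceeds one CN-NGFW's limit, and
    the number of CN-MGMT pairs implied by the node count.
    """
    secured_per_node = defaultdict(int)
    unprotected = []
    for pod in pods:
        if pod.get("annotations", {}).get(FW_ANNOTATION) == FW_VALUE:
            secured_per_node[pod["node"]] += 1
        elif pod["namespace"] in secured_namespaces:
            unprotected.append(f'{pod["namespace"]}/{pod["name"]}')
    nodes = {pod["node"] for pod in pods}
    over = {n: c for n, c in secured_per_node.items() if c > APP_PODS_PER_CN_NGFW}
    return {
        "unprotected": sorted(unprotected),
        "over_capacity_nodes": over,
        "cn_mgmt_pairs_needed": math.ceil(len(nodes) / CN_NGFW_PER_CN_MGMT_PAIR),
    }


# Constructed sample inventory (not from a real cluster): node-a carries 31
# annotated pods (one over the limit), and shop/worker-0 was never annotated.
SAMPLE_PODS = (
    [{"name": f"web-{i}", "namespace": "shop", "node": "node-a",
      "annotations": {FW_ANNOTATION: FW_VALUE}} for i in range(31)]
    + [{"name": "api-0", "namespace": "shop", "node": "node-b",
        "annotations": {FW_ANNOTATION: FW_VALUE}},
       {"name": "worker-0", "namespace": "shop", "node": "node-b", "annotations": {}},
       {"name": "metrics-0", "namespace": "monitoring", "node": "node-c", "annotations": {}}]
)

if __name__ == "__main__":
    print(audit(SAMPLE_PODS, {"shop"}))
```

In a live cluster the same records can be fed from `kubectl get pods -A -o json` (metadata.name, metadata.namespace, spec.nodeName, metadata.annotations).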

5. Panorama for centralized management

Panorama functions as the hub for managing the configuration and licensing of the containerised firewalls. It also hosts the Kubernetes plugin, which enables monitoring of the Kubernetes clusters, and centralized Security policy management. You can use a physical or virtual Panorama appliance, and deploy it on-premises or in a public cloud environment. Panorama must have network connectivity to the firewall management plane pods (CN-MGMT) to ensure that it can license the (CN-NGFW) firewalls and push configuration and policies using Panorama templates and device groups. Palo Alto Networks recommends deploying Panorama in an HA configuration.

6. Kubernetes Plugin on Panorama

The Kubernetes plugin manages the licenses for the CN-Series firewall. Licensing is based on the number of cores you choose to allocate to CN-NGFW pods. Each CN-NGFW pod uses a license token, and the tokens are managed locally on Panorama after you activate the auth code and retrieve the specified number of tokens from the Palo Alto Networks license server. As each CN-NGFW comes up on the Kubernetes nodes, Panorama distributes the license tokens locally.

Deploy the CN-Series Firewall as a Kubernetes Service on GKE

Refer to this article for more details on setting up the CN-Series Firewall as a Kubernetes Service on GKE.

Refer to this article for more details on setting up the CN-Series Firewall as a DaemonSet on GKE.

I hope this blog was useful for getting context on Container Native Firewalls and on leveraging them to provide complete L7 visibility, application-level segmentation, DNS Security, and protection from advanced threats for traffic going across trusted zones in public cloud or data center environments.

Jasbir Singh
Consulting Cloud Architect, Public Cloud@Rackspace Technology