<p>1. Components Required to Deploy CN-Series</p>
<p>This lesson describes the components that are needed to deploy CN-Series firewalls.</p>
<p>CN-Series Deployment Components</p>
<p>Several components are required to deploy the CN-Series in a Kubernetes environment.</p>
<p>Panorama with Kubernetes Plugin</p>
<p>Panorama hosts the Kubernetes plugin, which enables monitoring of the Kubernetes clusters and centralizes Security policy management.</p>
<p>· Panorama - Panorama functions as the hub for managing the configuration and licensing of containerized firewalls, and Panorama is required to configure and manage CN-Series firewalls. You can use a physical or virtual Panorama appliance and deploy it on-premises or in a public cloud environment.</p>
<p>Panorama must have network connectivity to the firewall management plane pods (CN-MGMT) so that it can license the firewalls (CN-NGFWs) and push configuration and policies via Panorama templates and device groups. Palo Alto Networks recommends deploying Panorama in an HA configuration.</p>
<p>· Kubernetes Plugin - The Kubernetes plugin manages the licenses for the CN-Series firewall and provides cluster monitoring. The plugin:</p>
<p>· Allows Panorama to leverage the Kubernetes labels that are used to organize Kubernetes objects such as pods, services, and deployments. These labels can be used to create context-aware Security policy rules.</p>
<p>· Communicates with the API server and retrieves metadata to allow visibility into the applications that are running in the cluster.</p>
<p>· Collects namespaces, services, and labels from your Kubernetes clusters to create tags for the IP-address-to-tag mapping of the associated objects in the cluster. These tags can then be used in Security policies.</p>
<p>· Collects information on the ports that are specified in the application YAML and creates service objects.</p>
<p>Container Files</p>
<p>To support the distributed architecture, the CN-Series firewall has four Docker images that are available on the Palo Alto Networks Customer Support Portal (CSP).</p>
<p>Image Archives</p>
<p>· Pan_cni-1.0.X.tgz - This archive includes the CNI plugin that allows connectivity between the CN-MGMT and CN-NGFW. The CNI plugin also reconfigures the network interfaces on the application pods to redirect traffic to the CN-NGFW pod on each node.</p>
<p>· PanOS_cn-10.0.X.tgz - This archive includes two images: the firewall management plane (CN-MGMT) and the firewall dataplane (CN-NGFW).</p>
<p>· Pan_cn_mgmt_init-1.0.0.tgz - This archive includes the init container (CN-INIT) that contains the utilities required to deploy the management plane on the firewall. The init container allows secure IPSec communication between the CN-MGMT and CN-NGFW pods.</p>
<p>Docker Images</p>
<p>Images are available from the Palo Alto Networks Support site by clicking Updates > Software Updates > PAN-OS Container Images. The images are published as three compressed tar archives (tar.gz format); you must extract the archives and push the images to your own image registry.</p>
<p>Licenses and Authorization Codes</p>
<p>To manage and configure CN-Series, you will need a support license for Panorama. Licensing of the CN-Series firewalls is managed by the Kubernetes plugin on Panorama. To deploy CN-Series firewalls, you will need an auth code per cluster for a specific number of vCPUs.</p>
<p>Auth Code</p>
<p>· You can add CN-Series auth codes under Assets > CN-Series Licensing on the Palo Alto Networks Support site.</p>
<p>· Codes are handled by the Kubernetes plugin.</p>
<p>· Codes are needed for each CN-Series firewall deployed on each cluster.</p>
<p>Panorama Support License</p>
<p>You will also need licenses for each security subscription service that you will implement on each CN-Series firewall, such as Threat Prevention, URL Filtering, WildFire, and DNS Security.</p>
<p>Subscription Security Services</p>
<p>CN-Series enables content inspection and SSL decryption, preventing sensitive information from leaving your network. Deploying the Threat Prevention, URL Filtering, DNS Security, and WildFire subscription services protects your environment from web-based threats, including phishing, command and control, and data theft.</p>
<p>· Threat Prevention - The Threat Prevention service protects your network by providing multiple layers of prevention that confront threats at each phase of an attack. Threat Prevention benefits from the other cloud-delivered security subscriptions through daily updates that stop exploits, malware, malicious URLs, command and control (C2), and spyware.</p>
<p>· URL Filtering - The URL Filtering service with PAN-DB enables safe web access, protecting users from dangerous websites, malware sites, credential-phishing pages, and attacks that attempt to leverage web browsing to deliver threats.</p>
<p>· WildFire - The basic WildFire service is included in the Palo Alto Networks next-generation firewall and does not require a WildFire subscription.</p>
<p>· With the basic WildFire service, the firewall can forward portable executable (PE) files for WildFire analysis and can retrieve WildFire signatures only with antivirus and/or Threat Prevention updates, which are made available every 24-48 hours.</p>
<p>· A WildFire subscription supports real-time signature updates for newly discovered malware and advanced file type support. Advanced file type support includes APKs, Flash files, PDFs, Microsoft Office files, Java applets, Java files (.jar and .class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages.</p>
<p>· DNS Security - DNS Security provides enhanced DNS sinkholing capabilities by querying DNS Security, an extensible cloud-based service that can generate DNS signatures via advanced predictive analytics and machine learning. Policies can be set to block, alert, or sinkhole based on categories that include malware, DNS tunneling, command and control, dynamic DNS, and newly registered domains.</p>
<p>Container Management System</p>
<p>You must have standard Kubernetes tools, such as kubectl or Helm, to deploy and manage your Kubernetes clusters, apps, and firewall services. Panorama is not designed to be an orchestrator for Kubernetes cluster deployment and management. Templates for cluster management are provided by managed Kubernetes providers.</p>
<p>Note the following details about CN-Series and container management systems.</p>
<p>· Kubernetes - Standard Kubernetes tools are required to deploy and manage Kubernetes clusters.</p>
<p>· Panorama - Panorama is not a cluster orchestration tool.</p>
<p>· Kubernetes - Cluster management templates are available from managed Kubernetes providers.</p>
<p>· Templates - There are community-supported templates for CN-Series deployment, including Helm and Terraform.</p>
<p>2. The Role of YAML Files</p>
<p>This lesson describes the importance of YAML files and the YAML file configurations for Kubernetes components.</p>
<p>Kubernetes Components and YAML Files</p>
<p>For each component that Kubernetes configures, a YAML file provides the object definition, creation, and configuration. Depending on the object, different fields contain different values. For example, for each new type of object created, the field "kind" is set to specify the type of object, along with any other field details that type requires.</p>
<p>The following image shows the YAML file configurations for Kubernetes components.</p>
<p>3. CN-Series Docker Images</p>
<p>This lesson describes how to obtain CN-Series Docker images from the Palo Alto Networks Customer Support Portal.</p>
<p>How to Obtain CN-Series Docker Images</p>
<p>PAN-OS container images can be downloaded from the Palo Alto Networks Customer Support Portal.</p>
<p>To download the appropriate PAN-OS container image, log into the Customer Support Portal and navigate to Updates > Software Updates. Under the Please Select drop-down, browse to PAN-OS Container Images and select the appropriate image.</p>
<p>4. Licensing for CN-Series</p>
<p>This lesson describes the licensing options for CN-Series and the flexible-consumption model.</p>
<p>CN-Series is Licensed in Line with VM-Series</p>
<p>Our virtual firewall, via the next-generation firewall credits model, provides you with greater flexibility so that you can scale your firewall deployments alongside your applications.</p>
<p>The credit model also enables you to both add and subtract our cloud-delivered security services over time. Finally, credits purchased through the NGFW credits model can be used interchangeably on VM-Series and CN-Series deployments.</p>
<p>We support bring your own license (BYOL) across all environments and have monthly or yearly licenses available in AWS as part of the AWS Marketplace for Containers Anywhere.</p>
<p>How Is Licensing Determined?</p>
<p>Here are a few factors to help determine licensing.</p>
<p>· CN-Series is licensed per CN-NGFW dataplane vCPU.</p>
<p>· Licensing is managed from the Kubernetes plugin in Panorama, giving the admin a single pane of glass to enforce policies on bare-metal, virtual, and containerized firewalls.</p>
<p>· The licensing model is consistent for any deployment, whether via a Kubernetes DaemonSet service or a container network function (CNF).</p>
<p>· Supported on PAN-OS 10.1 and later.</p>
<p>Software NGFW Credits: Simplified Licensing</p>
<p>The flexible-consumption model is designed so you can consume software NGFWs and security services with the same freedom and agility as the rest of your cloud infrastructure.</p>
<p>Credit-Based Licensing Enables Flexible Consumption</p>
<p>With credit-based licensing, organizations can take a more granular, agile approach to firewall procurement that allows them to pay for what they use and consume their network security tools as needed.</p>
<p>You purchase Software NGFW Credits, which you can then allocate to VM-Series virtual and CN-Series container NGFWs, cloud-delivered security services, and VM Panorama management services.</p>
<p>As needs change over time, you can reallocate Software NGFW Credits to new resources without going through additional procurement cycles.</p>
<p>Streamline Procurement and Deployment Cycles</p>
<p>Software firewall consumption can now be aligned with the consumption models of other resources, simplifying and speeding up the time to deployment from days or weeks to minutes.</p>
<p>The flexible-consumption model moves time-consuming processes such as purchase orders, approval, and procurement upstream. When a need arises, the focus is on deploying security, not navigating the bureaucracy.</p>
<p>Scale Security Easily to Accommodate Changing Requirements</p>
<p>The flexible-consumption model eliminates the inflexibility of discrete software firewall models based on size. You, not the vendor, determine how many cores (vCPU) and how much memory are allocated to your software firewalls to meet specific scale demands and requirements.</p>
<p>When needs change, you simply allocate or remove cores to scale the software firewall up or down, rather than procuring a new firewall model that fits the new size requirements.</p>
<p>Software NGFW Credits are automatically deducted from or refunded to your credit bank accordingly. For example, if you have deployed a VM-Series firewall with 10Gbps throughput, you can easily scale it to 11Gbps today and 13Gbps tomorrow with just a few clicks.</p>
<p>Protect Network Security Investments and Maximize ROI</p>
<p>With the flexible-consumption model, you can consume any of the Palo Alto Networks cloud-delivered security services on demand without having to commit to a rigid bundle.</p>
<p>· NGFW - Use Software NGFW Credits to procure the latest security services as soon as they become generally available, without additional procurement processes.</p>
<p>· VM-Series Virtual Firewalls - Leverage VM-Series virtual firewalls to protect today's applications and grow into using CN-Series container firewalls as you transition to cloud-native architectures tomorrow.</p>
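<p>The label, port, and "kind" handling described in lessons 1 and 2 above, as an added example that is not part of the original course material or of the Palo Alto Networks plugin: the script reads constructed Kubernetes manifests, derives the namespace and label tags and the per-port service objects that the Kubernetes plugin would build from them, and flags workloads that carry no labels and so can only be matched by namespace. The tag and service-object naming is assumed for illustration rather than being the plugin's real format, and the manifests are written in JSON (which the Kubernetes API accepts interchangeably with YAML) to avoid a third-party YAML parser.</p>

```python
import json

# Constructed sample manifests (JSON form, which Kubernetes accepts interchangeably
# with YAML; chosen here to avoid a third-party YAML parser).
SAMPLE = json.loads("""[
 {"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web", "namespace": "shop", "labels": {"app": "web", "tier": "frontend"}},
  "spec": {"template": {"spec": {"containers": [
     {"name": "web", "ports": [{"containerPort": 8080, "protocol": "TCP"}]}]}}}},
 {"apiVersion": "v1", "kind": "Service",
  "metadata": {"name": "web-svc", "namespace": "shop", "labels": {"app": "web"}},
  "spec": {"ports": [{"port": 80, "targetPort": 8080, "protocol": "TCP"}]}},
 {"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "batch", "namespace": "jobs"},
  "spec": {"template": {"spec": {"containers": [{"name": "batch"}]}}}}
]""")


def tags_for(obj):
    """Tags from namespace and labels. The 'k8s.<key>=<value>' form is an
    assumption for illustration, not the plugin's real tag format."""
    meta = obj["metadata"]
    tags = {"k8s.namespace=" + meta.get("namespace", "default")}
    tags |= {"k8s.label.%s=%s" % kv for kv in meta.get("labels", {}).items()}
    return tags


def service_objects(obj):
    """(name, protocol, port) per declared port, dispatching on 'kind' the way
    the plugin must, since the port fields differ per object type."""
    kind, spec = obj["kind"], obj["spec"]
    if kind == "Service":
        ports, key = spec.get("ports", []), "port"
    elif kind == "Deployment":
        ports = [p for c in spec["template"]["spec"]["containers"]
                 for p in c.get("ports", [])]
        key = "containerPort"
    else:
        return []                      # kinds without port information yield nothing
    return [("%s-%s-%d" % (obj["metadata"]["name"], p.get("protocol", "TCP").lower(), p[key]),
             p.get("protocol", "TCP"), p[key]) for p in ports]


def unlabeled(objs):
    """Workloads without labels can only be matched by their namespace tag, so a
    label-based Security policy silently misses them: report them for review."""
    return [o["metadata"]["name"] for o in objs if not o["metadata"].get("labels")]
```

Run it against your own exported manifests (for example the output of a kubectl get in JSON form) to see which workloads would get only a namespace tag before writing label-based rules.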