Professional Documents
Culture Documents
Container Firewall
Prevent threats in Kubernetes
CN-Series container environments with the industry’s
firewalls deliver:
leading Next-Generation Firewall
• Threat prevention and advanced
network security services to protect The Palo Alto Networks CN-Series is the industry’s first
Kubernetes namespace boundaries
next-generation firewall delivered in a container form factor
• Automated deployment and
configuration via Kubernetes for and natively integrated with Kubernetes®. The container
frictionless network security firewall prevents network-based threats from spreading
• Visibility into native Kubernetes across Kubernetes namespace boundaries.
metadata (e.g., namespace) for
context-based security policies
• Centralized management with
Panorama
How the CN-Series Works By enabling our integrated cloud-delivered subscriptions ser-
vices, you can enhance your security capabilities without com-
CN-Series firewalls deploy as two sets of pods: one for the man- promising productivity. Turning on our Threat Prevention and
agement plane (CN-MGMT) and another for the firewall data- WildFire® malware prevention services on the CN-Series fire-
plane (CN-NGFW). The firewall dataplane runs as a daemon set, wall protects your Kubernetes environment against any file-
allowing a single command from within Kubernetes to deploy based threats, including exploits, malware, spyware, and pre-
firewalls on all nodes in a Kubernetes cluster at once. The man- viously unknown threats, attempting to sneak through open
agement plane simply runs as a Kubernetes service. ports. In addition, deploying our URL Filtering and DNS Security
Management of CN-Series firewalls is done through the services protects your environment from web-based threats,
Panorama™ network security management console. A including phishing, command and control, and data theft.
Kubernetes plugin within Panorama provides contextual in-
formation about containers in an environment, and this seam-
lessly enables context-based network security policies. For ex-
CN-Series Key Capabilities
ample, Kubernetes namespaces can be used to define a traffic Whatever the security needs of your container environment,
source in a firewall policy. the CN-Series is built to deliver.
Customers can deploy CN-Series firewalls in Kubernetes
Inline Network Security Visibility and Control
environments hosted on-premises or in public clouds.
CN-Series firewalls can also be deployed into cloud-managed • Threat prevention and sandboxing: Threat Prevention and
Kubernetes offerings, including Google Kubernetes Engine WildFire services can be enabled on CN-Series firewalls to
(GKE), Azure Kubernetes Service (AKS), and Amazon Elastic block exploits, prevent malware, and stop both known and
Kubernetes Service (EKS). unknown advanced threats.
Deployment via Kubernetes package managers such as Helm is • Exfiltration prevention and URL filtering: The CN-Series
also available and community-supported. enables content inspection and SSL Decryption, prevent-
ing sensitive information from leaving your network. URL
CN-Series Use Cases Filtering uses machine learning to categorize URLs and block
access to malicious sites that deliver malware or steal creden-
Prevent Data Exfiltration from Kubernetes tials. Automation ensures protections are always up to date.
Environments • Flexible tag-based policy model: CN-Series firewall pol-
CN-Series firewalls offer a multitude of security capabilities icies can be defined by application, user, content, native
to prevent exfiltration of sensitive data from Kubernetes en- Kubernetes labels, and other metadata to deliver flexible
vironments. Traffic content inspection—including inspection policies aligned with business needs.
Table 1: CN-Series Support Matrix Table 3: CN-Series CPU and Memory Requirements
3000 Tannery Way © 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 cn-series-container-firewall-ds-062320
Support: +1.866.898.9087
www.paloaltonetworks.com