Deploy the CN‐Series Firewall - PaloAltoNetworks/cn-series-deploy GitHub Wiki
The /cn-series folder contains Terraform plan files used to deploy the CN-Series Firewall application to an existing Kubernetes cluster. The plan leverage the Terraform Helm provider to deploy the cn-series Helm chart which may be found here.
There are specific requirements regarding cluster node sizing and supported CNIs when deploying the CN-Series Firewall. There are Terraform plans in this repository for deploying GKE, EKS, and AKS clusters that meet these requirements.
Usage
-
Deploy the CN-Series Firewall using Terraform.
-
Create a
terraform.tfvarsfile and add the following variables and their associated values.k8s_environment = "" # Kubernetes environment (gke|eks|aks|openshift|native) panorama_ip = "" # Panorama IP address panorama_auth_key = "" # Panorama auth key for VM-series registration panorama_device_group = "" # Panorama device group panorama_template_stack = "" # Panorama template stack panorama_collector_group = "" # Panorama log collector group k8s_dp_cpu = "" # DP container CPU limit -
Initialize the Terraform providers.
$ terraform init -
Validate the Terraform plan.
$ terraform plan -
Apply the Terraform plan.
$ terraform apply -
Verify the pods have been deployed and are in are Ready and Running.
$ kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE ... kube-system pan-cni-6kkxw 1/1 Running 0 26m kube-system pan-cni-tvx2b 1/1 Running 0 26m kube-system pan-mgmt-sts-0 1/1 Running 0 26m kube-system pan-mgmt-sts-1 1/1 Running 0 26m kube-system pan-ngfw-ds-nrtrn 1/1 Running 0 26m kube-system pan-ngfw-ds-rcmmj 1/1 Running 0 26m
-
-
You are now ready to configure the Kubernetes plugin on Panorama.