The Palo Alto Networks CN-series container firewall is the industry’s first next-generation firewall (NGFW) delivered in a container form factor and natively integrated into Kubernetes®. Container firewalls prevent network-based threats from spreading across Kubernetes namespace boundaries.
Conventional NGFWs can only be deployed at the edge of a Kubernetes environment and therefore cannot determine the specific pod where traffic originates. To overcome this challenge, CN-series container firewalls move security inside the Kubernetes environment, giving them precise visibility into and control over container traffic.
The CN-series delivers Layer 7 visibility and control while enabling the enforcement of advanced security services, such as intrusion prevention. This protection can be enforced on allowed traffic traversing namespace boundaries within or between Kubernetes clusters, including between containerised applications and legacy workloads, such as virtual machines (VMs) and bare metal servers.
CN-series firewalls are easy to deploy using Kubernetes orchestration, allowing operators to deploy network security using the same processes and technology they use to manage the rest of their environments. Ongoing management of CN-series firewalls is centralised in the Panorama™ network security management solution—the same management console as all Palo Alto Networks firewalls—giving network security teams a single pane of glass to manage the overall network security posture of their organisations.
Why choose CN-series?
Outbound traffic protection
- Block suspicious activity and prevent exfiltration with full outbound traffic content inspection, including encrypted SSL traffic and traffic originating from containerized applications.
East-west traffic protection
- Gain Layer 7 visibility and control, and protect east-west traffic between pods in different trust zones (such as two namespaces) or between pods and other workload types.
Inbound traffic protection
- Protect against malware delivery, including variants not yet seen in the wild, through custom-built signatures based on content instead of hashes.
Application visibility and control
- Get immediate visibility into application traffic within your Kubernetes environment. Define application-based policies to control application traffic and enforce zero trust best practices.
Threat prevention and sandboxing
- Threat prevention and WildFire services can be enabled on CN-series firewalls to block exploits, prevent malware, and stop both known and unknown advanced threats.
Automated scalability
- CN-series firewalls can leverage the autoscaling capabilities of Kubernetes to ensure protection in even the most dynamic environments.
DevOps-friendly configuration
- All configuration of CN-series firewalls is specified in a YAML file and can be easily integrated into infrastructure deployment files for fast, repeatable deployments.
Flexible deployment options
- Customers can choose to deploy CN-series firewalls in distributed or clustered modes, depending on their use case, budget and environmental configuration.
Consistent CNI integration
- The CN-series supports multiple container network interface (CNI) plugins for use in different types of Kubernetes deployments.
Public cloud
- CN-series firewalls can be deployed in hosted container environments such as GKE, AKS, Amazon EKS, and Red Hat OpenShift®.
- CN-series firewalls can also be deployed into Kubernetes environments hosted on-premises.
Centralised security management
- Manage the CN-series from Panorama. It centralises logging to simplify auditing and compliance.