# CN-Series Firewalls: Comprehensive Network Security for Kubernetes

By [Sudeep Padiyar](https://www.paloaltonetworks.com/blog/author/sudeep-padiyar/?ts=markdown "Posts by Sudeep Padiyar"), Jul 28, 2020, 6 minutes

Categories: [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown). Tags: [CN-Series](https://www.paloaltonetworks.com/blog/tag/cn-series/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/tag/firewall/?ts=markdown), [Kubernetes](https://www.paloaltonetworks.com/blog/tag/kubernetes/?ts=markdown), [NGFW](https://www.paloaltonetworks.com/blog/tag/ngfw/?ts=markdown)

This post is also
available in: [日本語 (Japanese)](https://www.paloaltonetworks.com.au/blog/2020/08/network-cn-series-firewalls/?lang=ja "Switch to Japanese(日本語)")

How can you and your organization deploy effective network security for containers? This question has become top of mind for network security teams as they sort through the complexities of traditional applications becoming increasingly containerized -- and as they see cloud native applications rely on containers, serverless and platform as a service (PaaS) technologies. Last week's general availability of the Palo Alto Networks [CN-Series container firewall](https://www.paloaltonetworks.com/network-security/cn-series) answers these concerns, based on a [deep understanding](https://www.paloaltonetworks.com/resources/ebooks/cn-series-container-firewalls-for-kubernetes) of customer challenges with Kubernetes.

## Consistent Security Remains a Big Kubernetes Security Concern

More and more organizations are discovering how Kubernetes and containers can be attractive options for application development. Containers can simplify development as they enable DevOps teams to move fast, deploy software efficiently and save compute resources. Kubernetes plays a critical role in these environments by orchestrating application deployment in an automated way using containers.

But network traffic across hosts and between container pods can also present opportunities for attackers. What's more, containers frequently need to connect to mission-critical applications, which always need comprehensive network security.

The [2019 Cloud Native Computing Foundation (CNCF) survey](https://www.cncf.io/wp-content/uploads/2020/03/CNCF_Survey_Report.pdf) indicates 78% of respondents are using Kubernetes in production -- and security continues to be one of their key concerns. That overall concern was something I heard over and over from more than 50 customers I spoke with over the course of last year.
They talked about their challenges in coming up with a consistent strategy for [securing containers in public and private clouds](https://www.paloaltonetworks.com/blog/2020/05/network-cloud-native-applications/). In particular, customers were loud and clear about three primary container security challenges:

1. DevOps teams deploying containers in infrastructure that network security teams are responsible for protecting -- while having limited visibility into containers. This concern topped the list.
2. Containers are increasingly being used with other workload types (such as virtual machines), and they need consistent network security to protect their workloads.
3. Orchestrating security and firewalls with the rest of their containerized application stacks.

## Network Security in Kubernetes Has Unique Requirements

Ensuring comprehensive security for Kubernetes starts with understanding how networking in Kubernetes works. [Container Network Interface](https://github.com/containernetworking/cni) (CNI) is a CNCF project that defines a specification for allowing communication between containers. Kubernetes supports CNI plugins for the communication between pods. Firewalls need to be placed optimally in the network path so they can see the relevant traffic for inbound, outbound and east-west flows to and from the application pods, as seen below.

![The diagram shows how CN-Series firewalls are placed optimally in the network path so they can see the relevant traffic for inbound, outbound and east-west flows to and from the application pods.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/07/Runtime.png)

Container Network Interface (CNI) and container firewall placement. Source: Modified from CNCF CNI Documentation.

This is where Palo Alto Networks CN-Series firewalls come in and leverage the CNI chaining capabilities.
It's the industry's first containerized NGFW, and has been built so it can protect containerized applications in most Kubernetes-based environments like AWS EKS, Azure AKS, Google GKE and OpenShift. CN-Series firewalls leverage deep container context to protect inbound, outbound and east-west traffic between container trust zones along with other components of enterprise IT environments. To keep pace with DevOps speed and agility, the CN-Series makes the most of native Kubernetes orchestration and is directly inserted into continuous integration/continuous development (CI/CD) processes.

Here's how it works: PAN-OS in CN-Series firewalls is split into two containers -- one operates as the management plane, while the other operates as the data plane. The CNI chaining explained above ensures that traffic for application pods that need comprehensive security goes through the data plane. This gives developer environments the speed and simplicity they need, because a single command within Kubernetes is all that's needed to deploy CN-Series simultaneously on every node in a Kubernetes cluster. Understanding the identity of each application is key here: CN-Series has been tailored to fit into the Kubernetes network architecture in ways that enable App-ID, threat inspection, DNS security, WildFire, URL filtering and other critical security services. Please refer to the [CN-Series data sheet](https://www.paloaltonetworks.com/resources/datasheets/cn-series-container-firewall) for a complete list of supported environments.

## Security Should Follow Kubernetes Native Security Automation

One of the primary benefits of containers is their automation capabilities. Because CN-Series firewalls are [themselves containerized](https://www.paloaltonetworks.com/blog/2020/06/network-cn-series/), extending security to containers becomes very easy, and network security teams can better work with their DevOps counterparts to plan for firewall provisioning in Kubernetes environments.
For example, most Kubernetes experts use the command-line tool [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) directly. DevOps teams have also started using the [Helm](https://helm.sh/) package manager extensively, as it helps them define, install and upgrade complex Kubernetes applications. Customers already familiar with Terraform software can also use it in conjunction with Helm if they use Terraform for the rest of their infrastructure as code (IaC) templates. To ease lifecycle management of firewalls for our customers, Palo Alto Networks has published community-supported [Helm Charts](https://github.com/PaloAltoNetworks/cn-series-helm) and [Terraform templates](https://github.com/PaloAltoNetworks/cn-series-deploy).

![The diagram shows how CN-Series firewalls fit into the landscape of Kubernetes tools, including Helm, Terraform, GKE/AKS/EKS and OpenShift.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/07/Terraform.png)

CN-Series and Kubernetes tools

In the cloud and containerized application space, selective traffic steering, which can be automated easily, is critical for ongoing operation and security. With CN-Series, application teams can indicate which apps need security with a single annotation in an app's YAML files. Checks can be added in the CI/CD pipeline to make sure apps handling PCI data, or that have other stringent network security requirements, have NGFW security enabled. This allows for better coordination between DevOps and network security teams.

## It's All About Consistent Security Policies and Threat Prevention

Most large enterprises have applications running in different workload form factors (VMs, bare metal, containers and so on) on the network -- and want the ability to apply consistent policies for applications, regardless of hosting workload type.
Our customers have built security policies for their existing firewalls and are excited about CN-Series allowing them to extend these policies to containerized workloads by leveraging labels from Kubernetes. Policies can be built using labels attached to namespaces, services, replicasets and pods. This means that policies don't need to be updated when apps scale.

It's important to understand that most containerized apps have known and unknown vulnerabilities, both of which can be exploited on the network. The rich set of threat prevention capabilities in CN-Series helps reduce needed resources, complexity and latency by automatically blocking known malware, vulnerability exploits and command-and-control (C2) traffic. We continue to add threat coverage for components of containerized infrastructure such as Kubernetes, Docker and OpenShift, as well as for most containerized apps including Redis, MongoDB, WordPress and Nginx. Automation of policies can be accomplished using the integration of Palo Alto Networks Cortex XSOAR and PAN-OS, as seen below.

![This diagram illustrates how policies can be automated and integrated with Cortex XSOAR, flowing from detection sources, through ingestion and to incident response tools.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/07/Detection-sources.png)

CN-Series policy automation and integration with Cortex XSOAR

Palo Alto Networks strongly believes container adoption demands comprehensive protection all the way from scanning container registries in the CI/CD pipeline to network security in production deployments. We have built the most comprehensive suite of products in [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/compute-security/container-security) and in [CN-Series firewalls](https://www.paloaltonetworks.com/resources/datasheets/cn-series-container-firewall) to ensure security concerns do not remain a hindrance as you embark on the container adoption journey.
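The two automation hooks described above, the per-app annotation that steers traffic through the firewall and policies selected by Kubernetes labels, can be enforced before deployment. The following CI/CD gate is an added example, not code from the post or from the CN-Series project: it treats a constructed label selector as the definition of "PCI-scoped" workloads, checks that their pod templates carry the steering annotation, and uses a placeholder annotation key because the page does not give the real one.

```python
"""Pre-deploy gate (added example, not CN-Series code): every workload whose
labels put it in PCI scope must carry the annotation that steers its pods
through the container firewall.  Key names and manifests are constructed."""
from typing import Dict, Iterable, List

# Placeholder key/value: substitute the annotation documented for CN-Series.
FIREWALL_ANNOTATION = ("example.com/cn-series-firewall", "enabled")
# Constructed label selector defining "apps with stringent requirements".
PCI_SCOPE_SELECTOR = {"data-classification": "pci"}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job", "Pod"}


def pod_template(doc: Dict) -> Dict:
    """Pod template of a workload controller, or the Pod object itself."""
    return doc if doc.get("kind") == "Pod" else doc.get("spec", {}).get("template", {})


def in_pci_scope(doc: Dict) -> bool:
    """Scope is decided purely by labels (object plus pod template), the same
    way a label-based firewall policy selects pods, so scaling replicas or
    rolling new pods never changes the answer."""
    obj = doc.get("metadata", {}).get("labels") or {}
    tpl = pod_template(doc).get("metadata", {}).get("labels") or {}
    merged = {**obj, **tpl}
    return all(merged.get(k) == v for k, v in PCI_SCOPE_SELECTOR.items())


def check_manifests(docs: Iterable[Dict]) -> List[str]:
    """One finding per in-scope workload whose pods lack the steering annotation."""
    key, want = FIREWALL_ANNOTATION
    findings = []
    for doc in docs:
        if not doc or doc.get("kind") not in WORKLOAD_KINDS or not in_pci_scope(doc):
            continue
        ann = pod_template(doc).get("metadata", {}).get("annotations") or {}
        if ann.get(key) != want:
            meta = doc.get("metadata", {})
            findings.append(f"{doc['kind']} {meta.get('namespace', 'default')}/"
                            f"{meta.get('name', '?')}: in PCI scope but missing {key}={want}")
    return findings


def load_manifests(path: str) -> List[Dict]:
    """Parse a multi-document YAML file; needs the third-party PyYAML package."""
    import yaml
    with open(path) as fh:
        return [d for d in yaml.safe_load_all(fh) if d]


# Constructed sample: compliant, non-compliant, and out-of-scope workloads.
SAMPLE_DOCS = [
    {"kind": "Deployment",
     "metadata": {"name": "payments", "namespace": "pci", "labels": {"data-classification": "pci"}},
     "spec": {"replicas": 3, "template": {"metadata": {
         "labels": {"app": "payments"},
         "annotations": {"example.com/cn-series-firewall": "enabled"}}}}},
    {"kind": "StatefulSet", "metadata": {"name": "cardvault", "namespace": "pci"},
     "spec": {"replicas": 2, "template": {"metadata": {
         "labels": {"app": "cardvault", "data-classification": "pci"}}}}},
    {"kind": "Deployment",
     "metadata": {"name": "blog", "namespace": "web", "labels": {"data-classification": "public"}},
     "spec": {"replicas": 5, "template": {"metadata": {"labels": {"app": "blog"}}}}},
]

if __name__ == "__main__":
    import sys
    docs = load_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DOCS
    problems = check_manifests(docs)
    print("\n".join(problems) or "all in-scope workloads are steered through the firewall")
    sys.exit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

Run it with a manifest path as a pipeline step; with no argument it checks the embedded sample and reports the `cardvault` StatefulSet, which is PCI-scoped by its pod labels but has no steering annotation.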
So how can you and your organization deploy effective network security for containers? To discover in-depth technical details about how CN-Series has been designed to resolve burning container security questions, visit [CN-Series TechDocs](https://docs.paloaltonetworks.com/cn-series).