Basic Concept: CN-Series is deployed natively into Kubernetes clusters and managed by Panorama to enforce consistent policy across container environments.

Why C is Correct: Using Kubernetes tools such as Helm to deploy CN-Series in each cluster and managing all instances through Panorama satisfies east-west inspection, scaling, and policy consistency.

Why A is Wrong: Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why B is Wrong: Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why D is Wrong: Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.