* [Blog](https://www2.paloaltonetworks.com/blog)
* [Network Security](https://www2.paloaltonetworks.com/blog/network-security/)
* [Hybrid Cloud Data Center](https://www2.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/)
* From Log4j and Beyond: 3 ...

# From Log4j and Beyond: 3 Ways CN-Series Protects Containers

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fnetwork-security%2Flog4j-cn-series-container-firewalls%2F)  
[](https://twitter.com/share?text=From+Log4j+and+Beyond%3A+3+Ways+CN-Series+Protects+Containers&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fnetwork-security%2Flog4j-cn-series-container-firewalls%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fnetwork-security%2Flog4j-cn-series-container-firewalls%2F&title=From+Log4j+and+Beyond%3A+3+Ways+CN-Series+Protects+Containers&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/network-security/log4j-cn-series-container-firewalls/&ts=markdown)  
\[\](mailto:?subject=From Log4j and Beyond: 3 Ways CN-Series Protects Containers)  
Link copied  
By [Chintan Udeshi](https://www.paloaltonetworks.com/blog/author/chintan-udeshi/?ts=markdown "Posts by Chintan Udeshi") and [Raj Patil](https://www.paloaltonetworks.com/blog/author/raj-patil/?ts=markdown "Posts by Raj Patil")  
Mar 03, 2022  
4 minutes  
[Hybrid Cloud Data Center](https://www.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/?ts=markdown)  
[Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown)  
[Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown)  
[Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)  
[CN-Series](https://www.paloaltonetworks.com/blog/tag/cn-series/?ts=markdown)  
[IT Compliance](https://www.paloaltonetworks.com/blog/tag/it-compliance/?ts=markdown)  
[network architects](https://www.paloaltonetworks.com/blog/tag/network-architects/?ts=markdown)  
[SecOps](https://www.paloaltonetworks.com/blog/tag/secops/?ts=markdown)  
[Zero Trust](https://www.paloaltonetworks.com/blog/tag/zero-trust/?ts=markdown)

This post is also available in: [日本語 (Japanese)](https://www2.paloaltonetworks.com/blog/network-security/log4j-cn-series-container-firewalls/?lang=ja "Switch to Japanese(日本語)")

Since the [Log4j vulnerability](https://www.paloaltonetworks.com/blog/network-security/apache-log4j-vulnerability-ngfw/) was detected in December 2021, security teams have rushed to identify and patch their vulnerable applications. Because Java is used everywhere and many applications rely on open source libraries dependent on Log4j, even applications that don't use Log4j directly may be vulnerable. Due to this vulnerability, attackers can contact any LDAP or JNDI server and execute any Java command on the victim device to steal data, install malware or take full control of the victim's system. Estimates state that up to 3 billion devices, on both corporate and home networks, are affected. Even though many companies started patching the vulnerability immediately, it could take weeks to even months to patch all vulnerable applications since large companies have hundreds of vulnerable applications in both the cloud and on-premises.

Log4j is far from the first unknown critical vulnerability to be unearthed and will certainly not be the last. Vulnerabilities are prevalent and dangerous, however, there are ways to stop both known and unknown attacks. Here are the three ways [CN-Series Container Firewalls](https://www.paloaltonetworks.com/network-security/cn-series) provide Layer-7 runtime protection for your containers for both known and unknown vulnerabilities.

#### **1. CN-Series prevents data exfiltration from Kubernetes environments:**

![Log4j is not the first unknown critical vulnerability. Learn three ways CN-Series Container Firewalls provide Layer-7 runtime protection for your containers for both known and unknown vulnerabilities.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-5.png)
CN-series prevents data exfiltration with Outbound Protection.

For vulnerabilities like Log4j, an important part of an attack is to communicate externally to malicious domains to exfiltrate data and establish a command-and-control (C2) relationship. CN-Series, when used in conjunction with [URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering) and [DNS security](https://www.paloaltonetworks.com/network-security/dns-security) subscriptions, provides visibility and enforcement at an application level. Additionally, DNS security subscription constantly monitors and blocks connections with known and unidentified malicious domains (websites) and ensures customers' sensitive data stays within the organization. Thus, CN-series customers are protected against Log4j as well as other known and unknown vulnerabilities without any manual intervention.

#### **2. Protection against unknown threats/CVEs without manual intervention:**

Although security teams have been working around the clock to patch the Log4j vulnerability, the [CVE-2021-44832](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832) patch will only protect them from attacks targeting this specific and known vulnerability. There are numerous vulnerabilities that have not been discovered yet, meaning that even "up-to-date" organizations can still be attacked through vulnerability exploits.

To detect and protect against zero-day attacks, organizations need global security that is always on. Deploy-time (shift-left) security products help to identify and secure instances, devices, and hosts that are vulnerability-free and configured properly. In contrast, Layer-7 ML-Powered Next-Generation Firewalls prevent the core parts of a network attack by identifying and blocking malware, suspicious protocols, and connections to malicious and/or unknown domains. That's not to say that shift-left security isn't important. Reducing the attack surface is a best-practice step in cybersecurity. However, for end-to-end container security, a ML-Powered Next-Generation Firewall is necessary to block the inevitable holes.

#### **3. Granular level control and policies for East-West and Inbound traffic protection:**

It is unrealistic for security teams to always patch every single application since it takes time to identify the vulnerability, develop a patch and then roll out the patch. However, to ultimately compromise an organization, attackers need to push malware onto victims, exfiltrate data or beacon out for further instructions.
![Log4j is not the first unknown critical vulnerability. Learn three ways CN-Series Container Firewalls provide Layer-7 runtime protection for your containers for both known and unknown vulnerabilities.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-6.png)
CN-series prevents lateral movement of threats, stops data exfiltration, and guards against known and unknown inbound attacks.

CN-Series keeps organizations safe by inspecting and controlling traffic between the two applications running on the same Kubernetes cluster (East-West traffic protection), as well as the incoming traffic to the specific application from the internet (Inbound traffic protection). For both East-West and inbound traffic protection, CN-Series uses both the [Threat Prevention (TP)](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention) and [WildFire (WF)](https://www.paloaltonetworks.com/products/secure-the-network/wildfire) subscriptions to block malware, spyware, vulnerability exploits, and file-based threats that exploiters may attempt to sneak into your network, affording security teams the time to focus on their security posture instead of the never ending patch-work.

Log4j will not be the last unknown critical vulnerability. With these types of vulnerabilities prevalent throughout the industry, it's important to learn ways to protect your containers against both known and unknown attacks. To learn more about how CN-Series Container Firewalls can help you protect your containerized workloads, download our eBook, [*Protect Kubernetes Environments with CN-Series Firewalls*](https://www.paloaltonetworks.com/resources/ebooks/cn-series-container-firewalls-for-kubernetes), or explore [CN-Series on Qwiklabs](https://qwiklabs-dot-paloaltonetworks-public.appspot.com/qwiklabs/de27e26a-4572-4784-abe4-d2904939e158).

***About the Log4j Vulnerability***

*To stay on top of the latest Log4j analysis and mitigation, as well as the latest vulnerability updates, please continue checking the* [*Unit 42 blog*](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/)*or view the on-demand replay of the* [*Unit 42 Briefing: Apache Log4j Threat Update*](https://start.paloaltonetworks.com/apache-log4j-threat-update.html)*.*

*** ** * ** ***

## Related Blogs

### [Hybrid Cloud Data Center](https://www.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/?ts=markdown), [Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### Calculate Your Organization's Big Virtual Firewall ROI Potential](https://www2.paloaltonetworks.com/blog/network-security/calculate-virtual-firewalls-roi-potential/)

### [Hybrid Cloud Data Center](https://www.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/?ts=markdown), [Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### CN-Series Container NGFWs Now on Red Hat OpenShift Platform OperatorHub](https://www2.paloaltonetworks.com/blog/network-security/cn-series-red-hat-openshift-security/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Hybrid Cloud Data Center](https://www.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/?ts=markdown), [Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### The Need for Zero Trust for Enterprise Public Cloud](https://www2.paloaltonetworks.com/blog/2022/09/zero-trust-for-enterprise-public-cloud/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Hybrid Cloud Data Center](https://www.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/?ts=markdown), [Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### Virtual Firewall ROI --- US Signal and Guest from Forrester Explain](https://www2.paloaltonetworks.com/blog/2022/07/virtual-firewall-roi/)

### [Hybrid Cloud Data Center](https://www.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/?ts=markdown), [Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### CN-Series Container Firewalls on AWS Marketplace for Containers Anywhere](https://www2.paloaltonetworks.com/blog/network-security/cn-series-aws-marketplace-for-containers-anywhere/)

### [Hybrid Cloud Data Center](https://www.paloaltonetworks.com/blog/network-security/category/hybrid-cloud-data-center/?ts=markdown), [Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown)

[#### Secure Amazon EKS on Outposts with CN-Series](https://www2.paloaltonetworks.com/blog/network-security/amazon-eks-with-cn-series-container-firewalls/)

### Subscribe to Network Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language