Cloud NGFW for AWS Known Issues
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for AWS Pricing
- Cloud NGFW Credit Distribution and Management
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Configure Automated Account Onboarding
- Usage Explorer
- Create a Support Case
- Cloud NGFW for AWS Certifications
- Cloud NGFW for AWS Privacy and Data Protection
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Strata Logging Service
- Tag Based Policies
- Configure Zone-based Policy Rules
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
- Strata Cloud Manager Policy Management
Cloud NGFW for AWS Known Issues
Cloud NGFW for AWS known issues.
The following known issues have been
identified in the Cloud NGFW for AWS.
| ID | Description |
|---|---|
|
FWAAS-12750
|
Multiple Cloud NGFW tenants can be linked to a Panorama. Unlinking a
single tenant causes all linked tenants to be removed. To resolve
this issue, re-link the tenant using the
Integrations tab in the Cloud NGFW
console. This effectively re-links all tenants back to Panorama.
Use show plugins
aws cngfw-tenants to display the list of linked
tenants. |
|
DIT-40616
|
In some cases, validating a rulestack change and then committing it
could cause your Cloud NGFW resource to apply an incorrect
configuration. This issue can also cause an auto-scaled firewall to
apply an incorrect configuration file at boot up. To resolve this
issue, Palo Alto Networks recommends that you do not click
Validate when making a change to your
rulestack. Instead, commit the change without validation.
|
|
FWAAS-1501
|
Cloud NGFW uses the native AWS Route 53 Resolver for resolving FQDNs
you configure in your rules. When used, the AWS Route 53 Resolver
may resolve an FQDN to an IP address, different than what you may
see when you use the Route 53 Resolver in your VPCs.
|
|
FWAAS-2589
|
When you onboard an AWS account to your Cloud NGFW tenant, you choose
one of these two endpoint creation modes - customer-managed vs.
service-managed. Cloud NGFW will not allow you to switch modes after
completing the account onboarding process.
|
| FWAAS-3009 | Cloud NGFW allows you to use an S3 bucket as a logging destination for the NGFW resources. In AWS regions outside the US, Cloud NGFW expects you to use the S3 buckets created in the same AWS region, where you deploy the NGFW resources. |
| FWAAS-5817 | The Panorama UI does not display any error message when cloud manager or cloud NGFW service push fails. You will only know about push failure when the firewall commit fails. |
| FWAAS-5823 | When creating a new cloud device group, you cannot select which certificates are used for forward trust or forward untrust. |
| FWAAS-6380 | An error message may appear when pushing an uncommitted change to a cloud device group. Commit your changes before pushing. |
| FWAAS-6540 | An existing device group erroneously allows you to apply a different template stack after creating it. You cannot associate a different template stack for the same device group across tenants. |
|
FWAAS-6542
|
Template stack fails to update when applying it to a different device
group.
|
| FWAAS-6961 | On the Panorama AWS Plugin for Cloud NGFW service, the
first time tenant linked to Panorama will not be able to see any VPCs
under the Discovered VPC tab. Workaround: The first time tenant must
click Refresh Vpc button under Discover VPC tab to get
a list of VPCs. |
| FWAAS-7721 | In a scaled environment, the AWS plugin user interface
crashes when displaying IP address-to-tags payload in the Monitoring
Definition dashboard. Workaround: Use the Panorama CLI
to run command: show plugins aws
details-dashboard. |
| FWAAS-7766 | The Discovered VPC page on Cloud NGFW UI does not show the failure reason if the Monitoring Status is Failed for a discovered VPC. |
| FWAAS-10971 | Issuing the reset command with invalid firewall resource IDs does not reset the rule usage counters. This behavior is expected. |