Known Issues in the Panorama Plugin for Azure 3.0.1

The following list describes known issues in the Panorama plugin for Azure 3.0.1.

PLUG-7780

When the monitoring definition service principal for VM monitoring in Azure is configured correctly on the Panorama plugin for Azure 3.0.x with PAN-OS 10.0.x, the service principal validation check displays as failed under Panorama > Azure > Setup > Service Principal.

PLUG-6674

If an authcode, device certificate PIN ID, device certificate PIN value, or jumbo frame configuration is changed and a deployment update is done, an automatic rolling update is not triggered. These new changes will only apply to newly deployed firewalls.
Workaround: Because rolling updates do not support authcodes, device certificate information, or jumbo frame configuration, you must manually delete the firewalls in the VMSS one by one. The changes will be applied to the new firewalls that come up.

PLUG-6543

When deploying or updating multiple deployments, the Panorama plugin for Azure might fail to commit your changes when too many commits have been issued by the plugin. This occurs because Panorama allows a maximum of 10 administrator-initiated commits. See Panorama Commit, Validation, and Preview Operations for more information.
Workaround: To resolve this issue, perform a manual commit.

PLUG-6343

Dynamic address groups that include the resource group tag retrieve the IP addresses for application gateways and load balancers but not the IP addresses of VM instances in the resource group. This occurs because the Azure API sometimes returns the resource group tag string in all capital letters and sometimes in all lower case letters.
Workaround: When creating a dynamic address group with a resource group tag, add the all-capital tag and all-lower case tag separated by the OR operator.

PLUG-5793

The VM-Series firewall on Azure can only handle traffic that originated in the same region where the firewall is deployed. Traffic originating from a different region is not seen by the firewall.

PLUG-5389

When a deployment is first added on Panorama, the status displays Commit Changes, directing you to perform a commit. However, when you make a change to the deployment configuration, the status does not change, although a commit is required before your Azure stack is updated.
Workaround: Perform a commit on Panorama.

PLUG-4572

In an Azure deployment orchestrated from Panorama, outbound ICMP traffic cannot be handled by the VM-Series firewall due to a limitation in the Azure load balancer.