Manage Auto-Execute Deployed Firewalls

Table of Contents

Deploy Prisma AIRS Runtime and VM-Series Firewalls with Auto-Execute

Deploy a VM-Series Firewall from Strata Cloud Manager

Manage Auto-Execute Deployed Firewalls

Learn how to decommission AI Runtime Firewalls and associated cloud resources that you deployed with the Auto-Execute process.

Where Can I Use This?	What Do I Need?
Strata Cloud Manager Prisma AIRS AI Runtime Firewall	Onboard Cloud Account in AWS Onboard Cloud Account in Azure

You might need to decommission some deployed firewalls and cloud resources as your network changes. To decommission a auto-executed firewall, delete a Terraform template of an auto-execute deployment, the associated firewalls, and any cloud resources deployed in your cloud environment. Additionally, this process releases the Software NGFW credits used to license the deployed firewalls. This process does not modify or delete your cloud account, so you can deploy more firewalls in that cloud account as needed.

If you have mesh-enabled firewalls deployed in AWS or you have an AWS account onboarded for orchestration, but not yet deployed any mesh-enabled firewalls,ensure that you've added the permission "ec2:RevokeSecurityGroupIngress" to your IAM roles. Then reapply the Terraform template to sync your IAM Role with the latest permissions required by Prisma AIRS orchestration.

Log in to Strata Cloud Manager.
Disable and reenable the cloud account.
Navigate to AI SecurityAI RuntimeAI Runtime Firewall.
Click the shield

icon.
Click the Terraform Templates tab.
Select the delete

icon to decommission the Terraform template and cloud resources deployed by Prisma AIRS.

Monitor the Decomissioning Process

You can monitor the progress of the removal on the Cloud Task log tab. If any errors occur, the removal fails and the log states the reason for the failure.

Navigate to AI SecurityAI RuntimeAI Runtime Firewall.
Click the shield

icon.
Select the Cloud Task log tab.
Locate the Terraform template by entering its name in the search bar.

The decommission might succeed but some errors might be logged. In the following example, the decommission succeeded but the Cloud Task log displayed errors in the Purge MSF Managed Folders from SCM.

The Purge MSF Managed Folders from SCM activity within the Decommission task may currently log an error if other active firewall clusters exist in the same folder, but this error has no functional impact on the system.