Cloud NGFW for AWS Known Issues

The following known issues have been identified in the Cloud NGFW for AWS.
ID  Description

FWAAS-8622  A Cloud NGFW for AWS rulestack might become stuck in the precommit state when the Validate button is used before the first commit. Workaround: Do not validate your rulestack configuration changes; instead, Commit without validation.

FWAAS-5842  You cannot display the logs of an individual cloud device group sent to CDL using the Monitor tab in Panorama. Logs for all cloud device groups are displayed.

FWAAS-6542  A template stack fails to update when you apply it to a different device group.

FWAAS-6540  An existing device group erroneously allows you to apply a different template stack after creating it. You cannot associate a different template stack with the same device group across tenants.

FWAAS-6536  Cloud NGFW fails to display all cloud device groups when you select All on the Tenants page. If you select an individual tenant, all of its cloud device groups appear in the list.

FWAAS-3009  Cloud NGFW allows you to use an S3 bucket as a logging destination for the NGFW resources. In AWS regions outside the US, Cloud NGFW expects you to use S3 buckets created in the same AWS region where you deploy the NGFW resources.

FWAAS-2589  When you onboard an AWS account to your Cloud NGFW tenant, you choose one of two endpoint creation modes: customer-managed or service-managed. Cloud NGFW does not allow you to switch modes after completing the account onboarding process.

FWAAS-1501  Cloud NGFW uses the native AWS Route 53 Resolver to resolve the FQDNs you configure in your rules. The AWS Route 53 Resolver may resolve an FQDN to an IP address different from the one you see when you use the Route 53 Resolver in your own VPCs.

FWAAS-6503  Modifying a cloud device group and then committing the change may generate an error message, but the commit action completes. However, pushing the change to the cloud device group fails.

FWAAS-6380  An error message may appear when you push an uncommitted change to a cloud device group. Commit your changes before pushing.

FWAAS-5823  When creating a new cloud device group, you cannot select which certificates are used for forward trust or forward untrust.

FWAAS-5817  The Panorama UI does not display an error message when a cloud manager or Cloud NGFW service push fails. You will only learn of the push failure when the firewall commit fails.

FWAAS-6961  On the Panorama AWS plugin for the Cloud NGFW service, the first tenant linked to Panorama cannot see any VPCs under the Discovered VPC tab. Workaround: The first tenant must click the Refresh Vpc button under the Discover VPC tab to get a list of VPCs.

FWAAS-7721  In a scaled environment, the AWS plugin user interface crashes when displaying the IP address-to-tags payload in the Monitoring Definition dashboard. Workaround: Use the Panorama CLI to run the command show plugins aws details-dashboard.

FWAAS-7766  The Discovered VPC page in the Cloud NGFW UI does not show the failure reason when the Monitoring Status is Failed for a discovered VPC.