Focus

Cloud NGFW for AWS

Cloud NGFW for AWS Known Issues

Table of Contents

Cloud NGFW for AWS Known Issues

The following known issues have been identified in the Cloud NGFW for AWS.

ID	Description
FWAAS-8622	Cloud NGFW for AWS rulestack might become stuck in precommit state when the Validate button is used before the first commit. Workaround : Do not validate your rulestack configuration changes; instead, Commit without validation.
FWAAS-5842	You cannot display individual cloud device group logs sent to CDL using the Monitor tab in Panorama. Logs for all cloud device groups are displayed.
FWAAS-6542	Template stack fails to update when applying it to a different device group.
FWAAS-6540	An existing device group erroneously allows you to apply a different template stack after creating it. You cannot associate a different template stack for the same device group across tenants.
FWAAS-6536	Cloud NGFW fails to display all cloud device groups when you select All on the Tenants page. If you select an individual tenant, all cloud device groups appear in the list.
FWAAS-3009	Cloud NGFW allows you to use an S3 bucket as a logging destination for the NGFW resources. In AWS regions outside the US, Cloud NGFW expects you to use the S3 buckets created in the same AWS region, where you deploy the NGFW resources.
FWAAS-2589	When you onboard an AWS account to your Cloud NGFW tenant, you choose one of these two endpoint creation modes - customer-managed vs. service-managed. Cloud NGFW will not allow you to switch modes after completing the account onboarding process.
FWAAS-1501	Cloud NGFW uses the native AWS Route 53 Resolver for resolving FQDNs you configure in your rules. When used, the AWS Route 53 Resolver may resolve an FQDN to an IP address, different than what you may see when you use the Route 53 Resolver in your VPCs.
FWAAS-6503	Modifying a cloud device group, then committing the change may generate an error message but completes the commit action. However, pushing the change to the cloud device group fails.
FWAAS-6380	An error message may appear when pushing an uncommitted change to a cloud device group. Commit your changes before pushing.
FWAAS-5823	When creating a new cloud device group, you cannot select which certificates are used for forward trust or forward untrust .
FWAAS-5817	The Panorama UI does not display any error message when cloud manager or cloud NGFW service push fails. You will only know about push failure when the firewall commit fails.
FWAAS-6961	On the Panorama AWS Plugin for Cloud NGFW service, the first time tenant linked to Panorama will not be able to see any VPCs under the Discovered VPC tab. Workaround: The first time tenant must click Refresh Vpc button under Discover VPC tab to get a list of VPCs.
FWAAS-7721	In a scaled environment, the AWS plugin user interface crashes when displaying IP address-to-tags payload in the Monitoring Definition dashboard. Workaround : Use the Panorama CLI to run command: show plugins aws details-dashboard .
FWAAS-7766	The Discovered VPC page on Cloud NGFW UI does not show the failure reason if the Monitoring Status is Failed for a discovered VPC.

Cloud NGFW for AWS Addressed Issues