Known Issues in Panorama Plugin for AWS 1.0.x

The following list describes known issues in the Panorama plugin for AWS 1.0.0.

PLUG-3806

When upgrading the Panorama plugin for AWS on peers configured as an HA pair, if you upgrade the plugin on the secondary peer first and the peer becomes active, the primary (now passive) cannot function as an HA peer.
Workaround—When upgrading the Panorama plugin for AWS on peers that are configured as an HA pair, you must install the plugin on the primary peer first and commit your changes immediately, and then install the same plugin version on the secondary peer and commit your changes immediately.
This issue is fixed in Panorama plugin for AWS, version 1.0.1.

PLUG-2000

Spaces and special characters in user-defined tags are now treated differently. In previous releases both spaces and special characters caused a tag to be ignored. In the current release, user-defined tags containing empty spaces can be retrieved, provided they do not include special characters.
  • An empty space in a user-defined tag is replaced with “/”, allowing the tag to be retrieved.
    For example, if your tag is finance and accounts, the tag can be retrieved.
  • User-defined tags with special characters are ignored and not retrieved.
    For example, if your tag is finance&accounts, your tag is ignored and the log shows the following message:
    admin@Panorama> less plugins-log plugin_aws_ret.log
    2019-12-06 02:27:07.040 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
Workaround—Modify the tag to remove special characters.
This issue is fixed in the Panorama plugin for AWS, version 1.0.1.
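To list every tag that needs the workaround, the "unsupported chars" message above can be parsed from an exported copy of plugin_aws_ret.log. The Python script below is an added example, not Palo Alto Networks code; the function name `ignored_tags_by_vpc` and all sample lines other than the first are constructed, and it assumes every such message follows the format of the line shown above.

```python
import re
from collections import Counter, defaultdict

# Line format taken from the plugin_aws_ret.log message shown above:
# <timestamp> <level>: : <vpc-id>: Tag <tag> has unsupported chars.. Ignoring...
IGNORED_TAG = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+): : (?P<vpc>vpc-[0-9a-f]+): "
    r"Tag (?P<tag>.+?) has unsupported chars"
)

def ignored_tags_by_vpc(lines):
    """Return {vpc_id: {tag: times_ignored}} for every ignored-tag message."""
    found = defaultdict(Counter)
    for line in lines:
        match = IGNORED_TAG.match(line.strip())
        if match:
            found[match.group("vpc")][match.group("tag")] += 1
    return {vpc: dict(tags) for vpc, tags in found.items()}

# Line 1 is the message from this page; lines 2-4 are constructed samples.
SAMPLE_LOG = """\
2019-12-06 02:27:07.040 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
2019-12-06 02:28:07.112 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
2019-12-06 02:28:07.240 +0000 INFO: : vpc-0aaaaaaaaaaaaaaaa: Tag aws.ec2.tag.Owner.dev#team has unsupported chars.. Ignoring...
2019-12-06 02:28:07.300 +0000 INFO: : vpc-0aaaaaaaaaaaaaaaa: constructed unrelated message
"""

if __name__ == "__main__":
    for vpc, tags in sorted(ignored_tags_by_vpc(SAMPLE_LOG.splitlines()).items()):
        for tag, count in sorted(tags.items()):
            print(f"{vpc}\t{tag}\tignored {count}x")
```

Each tag in the output is one the plugin did not retrieve for that VPC, so it is a candidate for renaming as described in the workaround.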

PLUG-1029

If you have more than one plugin installed on Panorama, uninstalling the AWS plugin requires a Panorama reboot or a restart of the configd process. Perform the uninstallation during a maintenance window. For Panorama management servers in an HA configuration, you must reboot both Panorama HA peers.
To restart the configd process:
  1. Log in to the Panorama CLI.
  2. Enter the following command:
    admin@ > debug software restart process configd
  3. Verify that the configd process has restarted.
    admin@ > show system software status | match configd
    Process configd running  (pid: 3061)

PLUG-996

For firewalls running PAN-OS 8.1, if the total number of tags exceeds 7000 for a device group that contains a firewall or a group of firewalls, an XML parsing error displays. This parsing error causes tag registration to the firewalls to fail. For firewalls running PAN-OS 8.0.x, the XML parsing error limit is reached at 2500 tags.

PLUG-718

For a Dynamic address group that is not referenced in a Security policy rule, the list of registered IP addresses displayed on Objects > Address Groups is not accurate. This is a display issue only, and security policy is properly enforced on all your running VMs in the VPC.
Workaround: Use the Dynamic address group in a Security policy to see the most current list of registered IP addresses on the firewall, or use the CLI command show object dynamic-address-group all for an up-to-date list of IP addresses.

PLUG-676

If the memory allocation on a Panorama virtual appliance is lower than the minimum recommendation, you cannot access and configure the plugin. Make sure to size your Panorama appliance properly so that you can install the plugin.

PLUG-554

Before you can uninstall the plugin on Panorama > Plugins, you need to Remove Config for the plugin and Commit your changes. Then, on Panorama > Administrators you must delete the _aws administrative user account before you can Uninstall the plugin.
For HA peers, you must complete this process on the active peer and repeat on the passive Panorama HA peer.