Known Issues in Panorama Plugin for AWS 1.0.x

The following list describes known issues in the Panorama plugin for AWS 1.0.0.


When upgrading the Panorama plugin for AWS on peers configured as an HA pair, if you upgrade the plugin on the secondary peer first and the peer becomes active, the primary (now passive) cannot function as an HA peer.
—When upgrading the Panorama plugin for AWS on peers that are configured as an HA pair, you must install the plugin on the primary peer
and commit your changes
, and then install the same plugin version on the secondary peer and commit your changes immediately.
This issue is fixed in Panorama plugin for AWS, version 1.0.1.


Spaces and special characters in user-defined tags are now treated differently. In previous releases both spaces and special characters caused a tag to be ignored. In the current release, user-defined tags containing empty spaces can be retrieved, provided they do not include special characters.
  • An empty space in a user-defined tag is replaced with “/”, allowing the tag to be retrieved.
    For example, if your tag is
    finance and accounts
    , the tag can be retrieved.
  • User-defined tags with special characters are ignored and not retrieved.
    For example, if your tag is
    , your tag is ignored and the log shows the following message:
    less plugins-log plugin_aws_ret.log
    2019-12-06 02:27:07.040 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
—Modify the tag to remove special characters.
This issue is fixed in the Panorama plugin for AWS, version 1.0.1.


If you have more than one plugin installed on Panorama, uninstalling the AWS plugin requires a Panorama reboot or a restart of the configd process. So, please make sure to perform the uninstallation during a maintenance window. For Panorama management servers in an HA configuration, you must reboot both Panorama HA peers.
To restart the configd process :
  1. Log in to the Panorama CLI.
  2. Enter the following command:
    admin@ >
    debug software restart process configd
  3. Verify if the configd process has restarted.
    admin@ >
    show system software status | match configdProcess configd running (pid: 3061)


For firewalls running PAN-OS 8.1, if the total number of tags exceeds 7000 for a device group that contains a firewall or a group of firewalls, an XML parsing error displays. This parsing error causes the failure to register tags to the firewalls. For firewalls running PAN-OS 8.0.x, this XML parsing error limit is met at 2500 tags.


For a Dynamic address group that is not referenced in a Security policy rule, the list of registered IP addresses displayed on
Address Groups
is not accurate. This is a display issue only, and security policy is properly enforced on all your running VMs in the VPC.
: Use the Dynamic address group in a Security policy to see the most current list of registered IP addresses on the firewall, or use the CLI command
show object dynamic-address-group all
for an up-to-date list of IP addresses.


If the memory allocation on a Panorama virtual appliance is lower than the minimum recommendation, you cannot access and configure the plugin. Make sure to size your Panorama appliance properly so that you can install the plugin.


Before you can uninstall the plugin on
, you need to
Remove Config
for the plugin and
your changes. Then, on
you must delete the
administrative user account before you can
the plugin.
For HA peers, you must complete this process on the active peer and repeat on the passive Panorama HA peer.

Recommended For You