Known Issues in Panorama Plugin for AWS 2.0.x

The following list describes known issues in the Panorama plugin for AWS 2.0.x.

PAN-132652

If the plugin is not installed and committed on both Panorama appliances in an HA pair, when failover occurs the plugin cannot make API calls to the newly active Panorama and plugin functionality is lost.
Workaround
—When installing the AWS plugin on Panorama peers that are configured as an HA pair, install the plugin on a peer and commit your changes immediately. Install the same plugin version on the other peer and commit your changes immediately.

PAN-119033

Spaces and special characters in user-defined tags are now treated differently. In previous releases both spaces and special characters caused a tag to be ignored. In the current release, user-defined tags containing empty spaces can be retrieved, provided they do not include special characters.
  • An empty space in a user-defined tag is replaced with “/”, allowing the tag to be retrieved.
    For example, if your tag is
    finance and accounts
    , the tag can be retrieved.
  • User-defined tags with special characters are ignored and not retrieved.
    For example, if your tag is
    finance&accounts
    , your tag is ignored and the log shows the following message:
    admin@Panorama>
    less plugins-log plugin_aws_ret.log
    2019-12-06 02:27:07.040 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
Workaround
—Modify the tag to remove special characters.

PAN-116383

Upgrade from Panorama plugin for AWS version 1.0.0 to version 2.0.0 is not supported. If you attempt to upgrade the AWS plugin from version 1.0.0 to version 2.0.0 your version 1.0.0 plugin configuration does not migrate to version 2.0.0.
This issue is fixed in PAN-OS 9.0.6, enabling you to upgrade Panorama plugin for AWS version 1.0.0 to version 2.0.0. You
must
upgrade Panorama to PAN-OS 9.0.6 before you attempt to upgrade the Panorama plugin for AWS.

PLUG-3923

PLUG-3923
When an AWS instance running the Panorama plugin for AWS version 2.0.0 does not have some of the pre-defined tags, the plugin stops processing the tags for all instances.
(
This issue is addressed in Panorama plugin for AWS, version 2.0.1.
)

PLUG-3806

When upgrading the Panorama plugin for AWS on peers configured as an HA pair, if you upgrade the plugin on the secondary peer first and the peer becomes active, the primary (now passive) cannot function as an HA peer.
Workaround
—When upgrading the Panorama plugin for AWS on peers that are configured as an HA pair, you must install the plugin on the primary peer
first
and commit your changes
immediately
, and then install the same plugin version on the secondary peer and commit your changes immediately.
This issue is fixed in Panorama plugin for AWS, version 2.0.1.

PLUG-3437

PLUG-3437
The firewall template supports a minimum of two and a maximum of three availability zones (AZs). If you supply less than two or more than three AZs you see an error message similar to the following:
An error occurred (ValidationError) when calling the CreateStack operation: Template format error: Unresolved resource dependencies

PLUG-3295

VM Monitoring on AWS GovCloud does not work when you use an IAM role with assume role, or an instance Profile with Role ARN for cross account VPC monitoring.
Workaround
—Use the IAM role with long-term credentials on AWS, or an instance profile if your Panorama is deployed as an EC2 instance on AWS GovCloud.

PLUG-3275

On rare occasions, when you delete the firewall stack from the AWS console, you see an error message regarding failed deletion within the ENI interface. This error is not related to the Panorama plugin for AWS version 2.0.0.

PLUG-2253

Delete node stack fails due to dependency on network interfaces. You must delete services on the node stack, then delete the stack elements manually.

PLUG-2246

When viewing Panorama plugin for AWS logs, you cannot use the
tail
command.
To view the AWS plugin logs from the CLI, use the following command:
less plugins-log <plugin-logfile>

PLUG-1978

When you modify the tags that Panorama retrieves from your AWS deployment from
Select All 32 Tags
to
Custom Tags
, the list of newly filtered tags is not pushed to the firewalls assigned to the device groups within the Notify Group.

PLUG-1975

If you configure the
VPC ID
or the
Endpoint URI
incorrectly in a Monitoring Definition on Panorama, the
Status
details on the web interface do not include the timestamp for when Panorama reported this issue.

PLUG-676

If the memory allocation on a Panorama virtual appliance is lower than the minimum recommendation, you cannot access and configure the plugin. Make sure to size your Panorama appliance properly so that you can install the plugin.

Recommended For You