Known Issues in Panorama Plugin for AWS 2.0.x
The following list describes known issues in the Panorama plugin for AWS 2.0.x.
If the plugin is not installed and committed on both Panorama appliances in an HA pair, when failover occurs the plugin cannot make API calls to the newly active Panorama and plugin functionality is lost.
Workaround—When installing the AWS plugin on Panorama peers that are configured as an HA pair, install the plugin on a peer and commit your changes immediately. Install the same plugin version on the other peer and commit your changes immediately.
Spaces and special characters in user-defined tags are now treated differently. In previous releases both spaces and special characters caused a tag to be ignored. In the current release, user-defined tags containing empty spaces can be retrieved, provided they do not include special characters.
- An empty space in a user-defined tag is replaced with “/”, allowing the tag to be retrieved. For example, if your tag is finance and accounts, the tag can be retrieved.
- User-defined tags with special characters are ignored and not retrieved. For example, if your tag is finance&accounts, your tag is ignored and the log shows the following message:
  admin@Panorama> less plugins-log plugin_aws_ret.log
  2019-12-06 02:27:07.040 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
Workaround—Modify the tag to remove special characters.
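To find which tags the plugin has dropped, you can scan a saved copy of plugin_aws_ret.log for the message shown above. The following is an added example, not part of the plugin or of the original documentation; it assumes every ignored-tag line follows the format of the one log line quoted on this page, and the function name and the sample lines other than the first are constructed for illustration.

```python
import re

# Pattern derived from the single log line quoted on this page (assumption:
# all "unsupported chars" messages share this layout). Other lines are skipped.
IGNORED_TAG = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"[A-Z]+: : (?P<vpc>vpc-[0-9a-f]+): "
    r"Tag (?P<tag>.+?) has unsupported chars\."
)


def ignored_tags(lines):
    """Return {vpc_id: {tag_name: first_seen_timestamp}} for ignored tags."""
    found = {}
    for line in lines:
        m = IGNORED_TAG.match(line.strip())
        if m:
            # The plugin logs the same tag on every poll; keep the first sighting.
            found.setdefault(m.group("vpc"), {}).setdefault(
                m.group("tag"), m.group("ts")
            )
    return found


# Constructed sample: line 1 is the message from this page, the rest are made up.
SAMPLE_LOG = """\
2019-12-06 02:27:07.040 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
2019-12-06 02:27:07.051 +0000 INFO: : vpc-0321945805d495d89: (constructed unrelated message)
2019-12-06 02:28:07.040 +0000 INFO: : vpc-0321945805d495d89: Tag aws.ec2.tag.Tag-spcl-char.<finance>&<accounts> has unsupported chars.. Ignoring...
2019-12-06 02:28:09.113 +0000 INFO: : vpc-0aaaabbbbccccdddd0: Tag aws.ec2.tag.Owner.dev@ops has unsupported chars.. Ignoring...
""".splitlines()

if __name__ == "__main__":
    for vpc, tags in ignored_tags(SAMPLE_LOG).items():
        for tag, first_seen in tags.items():
            print(f"{vpc}: {tag} ignored since {first_seen}")
```

Each tag it reports is one to rename per the workaround above.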
Upgrade from Panorama plugin for AWS version 1.0.0 to version 2.0.0 is not supported. If you attempt to upgrade the AWS plugin from version 1.0.0 to version 2.0.0 your version 1.0.0 plugin configuration does not migrate to version 2.0.0.
This issue is fixed in PAN-OS 9.0.6, enabling you to upgrade Panorama plugin for AWS version 1.0.0 to version 2.0.0. You must upgrade Panorama to PAN-OS 9.0.6 before you attempt to upgrade the Panorama plugin for AWS.
When an AWS instance running the Panorama plugin for AWS version 2.0.0 does not have some of the pre-defined tags, the plugin stops processing the tags for all instances.
This issue is addressed in Panorama plugin for AWS, version 2.0.1.
When upgrading the Panorama plugin for AWS on peers configured as an HA pair, if you upgrade the plugin on the secondary peer first and the peer becomes active, the primary (now passive) cannot function as an HA peer.
Workaround—When upgrading the Panorama plugin for AWS on peers that are configured as an HA pair, you must install the plugin on the primary peer first and commit your changes immediately, and then install the same plugin version on the secondary peer and commit your changes immediately.
This issue is fixed in Panorama plugin for AWS, version 2.0.1.
The firewall template supports a minimum of two and a maximum of three availability zones (AZs). If you supply fewer than two or more than three AZs, you see an error message similar to the following:
An error occurred (ValidationError) when calling the CreateStack operation: Template format error: Unresolved resource dependencies
VM Monitoring on AWS GovCloud does not work when you use an IAM role with assume role, or an instance Profile with Role ARN for cross account VPC monitoring.
Workaround—Use the IAM role with long-term credentials on AWS, or an instance profile if your Panorama is deployed as an EC2 instance on AWS GovCloud.
On rare occasions, when you delete the firewall stack from the AWS console, you see an error message regarding failed deletion within the ENI interface. This error is not related to the Panorama plugin for AWS version 2.0.0.
Delete node stack fails due to dependency on network interfaces. You must delete services on the node stack, then delete the stack elements manually.
When viewing Panorama plugin for AWS logs, you cannot use the
To view the AWS plugin logs from the CLI, use the following command:
less plugins-log <plugin-logfile>
When you modify the tags that Panorama retrieves from your AWS deployment from Select All 32 Tags to Custom Tags, the list of newly filtered tags is not pushed to the firewalls assigned to the device groups within the Notify Group.
If you configure the VPC ID or the Endpoint URI incorrectly in a Monitoring Definition on Panorama, the Status details on the web interface do not include the timestamp for when Panorama reported this issue.
If the memory allocation on a Panorama virtual appliance is lower than the minimum recommendation, you cannot access and configure the plugin. Make sure to size your Panorama appliance properly so that you can install the plugin.