Known Issues in Panorama Plugin for AWS 3.0.2

The following list describes known issues in the Panorama Plugin for AWS 3.0.2.


The AWS access key and secret key containing a plus (+) character are not parsed correctly when configured on the Panorama plugin for AWS using an XML API call.
: Configure the access key and secret key manually through the Panorama plugin for AWS user interface or the CLI.


If you are using multiple role ARNs for multiple monitoring definitions, after upgrade to 3.0.x plugin, you must navigate to
and then change the name for every role ARN entry that the plugin has learned before you commit your new configuration after upgrade.


Using the CLI command
debug plugins aws debug-aws-orchestration name <>
before or during a deployment return error messages similar to the following:
Before deployment
<response status="success"><result>Traceback (most recent call last): File "/installed/aws/scripts/op/", line 532, in <module> get_deployment_info(deploy_name, config_xml, db) File "/installed/aws/scripts/op/", line 64, in get_deployment_info if len(deploy_entry)!=0: TypeError: object of type 'NoneType' has no len()
During deployment
{{<response status="success"><result>Traceback (most recent call last): File "/installed/aws/scripts/op/", line 543, in <module> out_dict = describe_stacks(stack_name, access_key, secret_key, region, role_arn)[0] File "/installed/aws/scripts/op/", line 166, in describe_stacks cloudwatch_client, elbv2_client, tgw_id, cross_ec2_client, role_arn) File "/installed/aws/scripts/op/", line 459, in list_stack_resources tgw_rtbID=tgw_attach_response['TransitGatewayAttachments'][0]['Association']['TransitGatewayRouteTableId'] KeyError: 'Association' }}
Use this command after a successful deployment.


When configuring Security VPC, if you select only one Availability Zone (AZ), the deployment fails and returns an error message—
An error occurred (ValidationError) when calling the CreateStack operation: Parameter 'NumberOfAZs' must be a number not less than 2
  1. Undeploy the deployment.
  2. Add two or more AZs in the Security VPC configuration.
  3. Commit the configuration to Panorama.
  4. Redeploy the deployment.


Shared device groups on Panorama do not learn IP address information received from AWS by the Panorama plugin for AWS.
: When configuring a dynamic address group, specify an individual device group instead of selecting

Recommended For You