>
    Strata Copilot
    Manage, Monitor, and Troubleshoot the AWS Transit Gateway Integration CloudBlade
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. AWS Transit Gateway CloudBlade Integration
    4. Manage, Monitor, and Troubleshoot the AWS Transit Gateway Integration CloudBlade
    Download PDF
    Prisma SD-WAN

    Manage, Monitor, and Troubleshoot the AWS Transit Gateway Integration CloudBlade

    Table of Contents

    Manage, Monitor, and Troubleshoot the AWS Transit Gateway Integration CloudBlade

    Manage, Monitor, and Troubleshoot the AWS Transit Gateway Integration CloudBlade.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Prisma SD-WAN license
    • AWS Transit Gateway CloudBlade

    Enable, Pause, Disable, and Uninstall the Integration

    After the Integration has been set up, operations can be done in the CloudBlade panel. These operations have various effects on the tunnels and configurations in Prisma SD-WAN and AWS.
    Set the CloudBlade to Enabled
    This is the standard, expected mode of operation for the Extension. The CloudBlade will run every 60 seconds.If there are configuration changes, the CloudBlade will automatically reconfigure the integration on AWS and Prisma SD-WAN. In addition, during this integration run if any settings were previously modified manually on either Prisma SD-WAN or AWS (e.g. VPC resource was accidentally removed in the AWS portal) these will be reverted to the known good state automatically.
    Prisma SD-WAN resources such as GRE tunnel on port 2, Port 1 circuit, Static route, and BGP routing, if deleted or modified can be recreated by the AWS Transit Gateway CloudBlade.
    AWS resources such as VPC attachment, Connect attachment, Connect peers in connect attachment, if deleted can be recreated by the AWS Transit Gateway CloudBlade.
    Set the CloudBlade to Paused
    Pausing the CloudBlade stops all future integration runs but leaves any created objects intact. This stops any future objects from getting created, but does NOT prevent removal of any unconfigured / untagged objects on either Prisma SD-WAN or AWS.
    Set the CloudBlade to Disabled
    Disabling the CloudBlade removes / deletes all resources created in the AWS environment and the Prisma SD-WAN environment. This can cause communication interruptions if policy is not set to use other paths.
    If we need to remove all the configurations from AWS and Prisma SD-WAN, you must disable the CloudBlade. For a clean disable, ensure all Service and DC groups configurations for the traffic is unconfigured and no extra VMs are created in connect vpc in AWS.
    Uninstall the CloudBlade
    Uninstalling the CloudBlade removes the configuration for the CloudBlade, and immediately stops any changes by the CloudBlade. Uninstalling the CloudBlade does not automatically remove configuration from all sites and objects. CloudBlades may be uninstalled and reinstalled to facilitate upgrades or downgrades to different versions without traffic interruption. To completely remove all items, set the CloudBlade to Disabled for 5-6 Integration Run periods (360 seconds) before uninstalling.

    Troubleshoot the AWS Tansit Gateway Integration

    vION does not show up under unclaimed devices
    1. Check on AWS if the CloudFormation stack creation was successful.
    2. Confirm if at least 2 x v7108 licenses are available for the vION HA pair creation, for each region where you wish to deploy.
    3. Check if there are at least 2 Elastic IPs available, for each region where you wish to deploy.
    BGP peering is down
    1. Check if the GRE tunnel is created.
    2. Check if the connect attachment and connect peers are configured. Ensure the connect BGP peers is in Available state.
    3. Check on AWS if the Prisma SD-WAN Connect VPC’s route table has a route to the TGW CIDR.
    4. Check if EBGP Multihop is configured for the BGP peer on the Prisma SD-WAN portal for each ION.
    End to end traffic does not go through
    1. Check if Prisma SD-WAN VPNs are up between branch site and AWS DC site.
    2. Check if the BGP peering between Datacenter IONs and the Transit Gateway is up and the routes are learned and advertised from the active ION.
    3. Check the flow browser for the branch ION from where the traffic is being sent to the AWS VPC.
    4. Check if the service and DC group includes the AWS Datacenter.
    5. Check the Path policy.
    6. Check if there is a security policy rule that is blocking traffic.
    7. Check Application VPC’s route table and security group.

    Monitor the AWS Transit Gateway CloudBlade

    On the AWS Transit Gateway CloudBlade page, select Monitor to view the AWS status and AWS site connectivity. The Monitor tab shows if a deployment fails, or if any exceptions occur during deployment and points to the cause of the disruption.
    The AWS Status tab provides the site name, AWS Connect VPC name, AWS region, deployment status, time of the last event occurred, and the summary of the deployment.
    The AWS Site Connectivity tab provides the site name, name of the device, AWS region, AWS Connect VPC names, AWS transit gateway ID, GRE tunnel status, BGP status, GRE tunnel uptime, and the BGP uptime.

    © 2025 Palo Alto Networks, Inc. All rights reserved.