topic Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS in Cloud NGFW for AWS Discussions

cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS

MWhittaker — Mon, 13 Jun 2022 13:49:14 GMT

My attempt to delete a cloud NGFW instance is stuck. This was a standalone tenant account that i upgraded to an AWS administrator account and introduced AWS FMS to the mix. The issue is this.

1. When you upgrade a standalone tenant account to an admin account for AWS FMS onboarding, deleting the existing/newly created (?) NGFW resource goes for a whack.

2. After waiting for an hour, i ended up deleting the stackset and the endpoint from my account thinking i need to clean up my account before the ngfw firewall resource will be cleaned up.

3. I even revoked the admin access for my AWS account to make sure everything is clean from my side and then upgraded my account to administrator account again to try set things right. But no luck!

4. The one thing that i noticed is that if i get to the "Firewall Settings" page, i get an error "Account XXXX does not exist as a member".

5. I cannot add another AWS account now since the account is already onboarded (and i get a prompt popup mentioning the same)

Somewhere, a disconnect/access permission issue makes it harder for the ngfw resources to get stuck in deleting state.

Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS

MWhittaker — Mon, 13 Jun 2022 14:02:30 GMT

Could this be the issue? In AWS FMS page, the disassociation is stuck for ever...

Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS

XSun — Mon, 13 Jun 2022 16:47:27 GMT

There is a iam role called CustomerPANWCloudNGFWRole created under your account for PAN to assume, this role allow PAN to validate the VPC information for the firewall, can you verify that role still exist?

Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS

MWhittaker — Tue, 14 Jun 2022 04:56:00 GMT

I see this list right now. But then, PAN support has already cleaned up the cloud NGFW resources from your side. And i have deleted the IAM account from the portal.

May be i will try to recreate the scenario and let you know if the cross-launch IAM roles are properly set

Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS

XSun — Tue, 14 Jun 2022 05:14:23 GMT

Sounds good. That AwsServiceLinkRole was controlled by AWS FMS, so you may not want to manually deleting it. Regarding your PaloAlto FW service, your account was reset back to init state, since you already cleaned up the role stack, you need do following to start able to deploy firewall again.
1. Go to Account Page, download the CFT and run it.
2. From PaloAlto SAAS UI User page, add LocalFirewall Admin and LocalRuleStack Admin role back to the Tenant Admin user.

Then you should be ok.

Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS

MWhittaker — Tue, 14 Jun 2022 05:20:39 GMT

Thanks. i will note it down to make sure i keep the link-role intact for PAN to operate into my account.

I am running a test to delete my tenant account from the portal and also unsubscribe the cloud ngfw (a clean exit to start again).

And i see this in the portal and thats good.

But i still see that the subscription is active.

How do i unsubscribe from the cloud ngfw service and delete the current tenant account in the portal? I dont see a way to do this myself.

Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AW...

ebenny — Wed, 15 Jun 2022 18:29:35 GMT

Hi @MWhittaker

Greetings from Palo Alto Networks!

To unsubscribe please navigate to AWS Marketplace > Manage Subscriptions > Palo Alto Networks Cloud NGFW.

Regards,

Edison K Benny

Product specialist

Palo Alto Networks

https://live.paloaltonetworks.com/t5/cloud-ngfw-help-center/ct-p/Cloud_NGFW

*Don’t forget to accept the solution provided!*

Re: cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS

SGopal11 — Mon, 20 Jun 2022 21:15:20 GMT

this did not help - as I still cannot see Manage NGFWs or create Firewall in Cloud Tenant. Old Firewall is still in Deleting status for almost 6 hours now