cloud ngfw and resources stuck in "DELETING" stage - post onboarding the tenant account to AWS FMS


L1 Bithead

My attempt to delete a Cloud NGFW instance is stuck. This was a standalone tenant account that I upgraded to an AWS administrator account and introduced AWS FMS to the mix. The issue is this.

1. When you upgrade a standalone tenant account to an admin account for AWS FMS onboarding, deleting the existing/newly created (?) NGFW resource goes for a whack.

2. After waiting for an hour, I ended up deleting the StackSet and the endpoint from my account, thinking I needed to clean up my account before the NGFW firewall resource would be cleaned up.

3. I even revoked the admin access for my AWS account to make sure everything was clean from my side and then upgraded my account to an administrator account again to try to set things right. But no luck!

4. The one thing that I noticed is that if I get to the "Firewall Settings" page, I get an error "Account XXXX does not exist as a member".

5. I cannot add another AWS account now since the account is already onboarded (and I get a popup mentioning the same).

Somewhere, a disconnect/access permission issue makes it harder for the ngfw resources to get stuck in deleting state. 


L1 Bithead

MWhittaker_0-1655128911922.png

 

Could this be the issue? In the AWS FMS page, the disassociation is stuck forever...

L0 Member

There is an IAM role called CustomerPANWCloudNGFWRole created under your account for PAN to assume; this role allows PAN to validate the VPC information for the firewall. Can you verify that role still exists?
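A check a tenant admin can run for the role named above, added here as an example that is not from the thread or from Palo Alto Networks: it audits the trust policy of CustomerPANWCloudNGFWRole from saved `aws iam get-role` output, confirming that only the expected vendor principal may assume it and that the grant is pinned with an sts:ExternalId condition. The vendor account id and ExternalId are placeholders; the real values come from the Cloud NGFW account page.

```python
"""Audit the trust policy of the cross-account role that Cloud NGFW assumes.

Added example, not code from the thread or from Palo Alto Networks. It runs
offline on a constructed copy of `aws iam get-role` output; the vendor account
id and ExternalId below are PLACEHOLDERS taken from nowhere on the page.
"""
import json

ROLE_NAME = "CustomerPANWCloudNGFWRole"                # role named in the thread
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"  # PLACEHOLDER vendor account

def _sample_get_role(principal: str, condition: dict) -> str:
    """Constructed `aws iam get-role` output (the CLI returns the policy decoded)."""
    return json.dumps({"Role": {"RoleName": ROLE_NAME, "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": principal},
                       "Action": "sts:AssumeRole", "Condition": condition}]}}})

# Trust policy as the CFT is expected to create it, and a weakened variant.
SAMPLE_GOOD = _sample_get_role(
    EXPECTED_PRINCIPAL, {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}})
SAMPLE_OPEN = _sample_get_role("*", {})   # any account may assume, no ExternalId

def audit_trust_policy(get_role_output: str, expected_principal: str) -> list[str]:
    """Return findings for the role's trust policy; an empty list means it looks right.

    Checks: the role is the expected one, only the expected principal may call
    sts:AssumeRole, and every such grant carries an sts:ExternalId condition
    (the usual confused-deputy safeguard for vendor-assumed roles).
    """
    role = json.loads(get_role_output)["Role"]
    findings = []
    if role["RoleName"] != ROLE_NAME:
        findings.append(f"unexpected role name {role['RoleName']}")
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if p != expected_principal:
                findings.append(f"AssumeRole granted to unexpected principal {p}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("AssumeRole statement has no sts:ExternalId condition")
    return findings
```

Feed it the real `aws iam get-role --role-name CustomerPANWCloudNGFWRole` output in place of the constructed sample; a missing role shows up as the CLI's NoSuchEntity error before this check even runs.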

 

L1 Bithead

I see this list right now. But then, PAN support has already cleaned up the Cloud NGFW resources from your side. And I have deleted the IAM account from the portal.

MWhittaker_0-1655182515821.png

 

Maybe I will try to recreate the scenario and let you know if the cross-launch IAM roles are properly set.

Sounds good. That AwsServiceLinkRole was controlled by AWS FMS, so you may not want to manually delete it. Regarding your Palo Alto FW service, your account was reset back to the init state; since you already cleaned up the role stack, you need to do the following to be able to deploy firewalls again.
1. Go to the Account page, download the CFT and run it.
2. From the Palo Alto SaaS UI User page, add the LocalFirewall Admin and LocalRuleStack Admin roles back to the Tenant Admin user.

Then you should be OK.

L1 Bithead

Thanks. I will note it down to make sure I keep the link role intact for PAN to operate in my account.

I am running a test to delete my tenant account from the portal and also unsubscribe from the Cloud NGFW (a clean exit to start again).

And I see this in the portal, and that's good.

MWhittaker_0-1655183933619.png

But I still see that the subscription is active.

MWhittaker_1-1655183968174.png

How do I unsubscribe from the Cloud NGFW service and delete the current tenant account in the portal? I don't see a way to do this myself.

Hi @MWhittaker

Greetings from Palo Alto Networks!

To unsubscribe please navigate to AWS Marketplace > Manage Subscriptions > Palo Alto Networks Cloud NGFW.

Regards,

Edison K Benny

Product specialist

Palo Alto Networks

https://live.paloaltonetworks.com/t5/cloud-ngfw-help-center/ct-p/Cloud_NGFW

*Don’t forget to accept the solution provided!*

This did not help, as I still cannot see Manage NGFWs or Create Firewall in the Cloud Tenant. The old firewall is still in Deleting status for almost 6 hours now.
