06-13-2022 06:49 AM
My attempt to delete a Cloud NGFW instance is stuck. This was a standalone tenant account that I upgraded to an AWS administrator account and introduced AWS FMS to the mix. The issue is this.
1. When you upgrade a standalone tenant account to an admin account for AWS FMS onboarding, deleting the existing/newly created (?) NGFW resource goes for a whack.
2. After waiting for an hour, I ended up deleting the stackset and the endpoint from my account, thinking I needed to clean up my account before the NGFW firewall resource would be cleaned up.
3. I even revoked the admin access for my AWS account to make sure everything is clean from my side and then upgraded my account to administrator account again to try to set things right. But no luck!
4. The one thing that I noticed is that if I get to the "Firewall Settings" page, I get an error "Account XXXX does not exist as a member".
5. I cannot add another AWS account now since the account is already onboarded (and I get a prompt popup mentioning the same).
Somewhere, a disconnect/access permission issue makes it harder for the NGFW resources to get stuck in deleting state.
06-13-2022 07:02 AM
Could this be the issue? In the AWS FMS page, the disassociation is stuck forever...
06-13-2022 09:47 AM
There is an IAM role called CustomerPANWCloudNGFWRole created under your account for PAN to assume. This role allows PAN to validate the VPC information for the firewall. Can you verify that the role still exists?
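Added example, not part of the original thread or of Palo Alto Networks' tooling: `aws iam get-role --role-name CustomerPANWCloudNGFWRole` fails with `NoSuchEntity` when the role is gone, and when it exists the same output shows who may assume it. This goes one step beyond the existence check asked for above; the sample response, account IDs and external ID are constructed placeholders, and `audit_trust_policy` is a hypothetical helper.

```python
import json

# Constructed sample shaped like the JSON printed by
# `aws iam get-role --role-name CustomerPANWCloudNGFWRole`.
# Account IDs, ARNs and the external ID are placeholders, not real values.
SAMPLE_GET_ROLE = json.loads("""
{"Role": {"RoleName": "CustomerPANWCloudNGFWRole",
  "Arn": "arn:aws:iam::111111111111:role/CustomerPANWCloudNGFWRole",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]}}
  ]}}}
""")

def _as_list(value):
    # IAM allows a single value or a list for Statement and Principal entries.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(get_role_output, own_account_id):
    """Return one finding per cross-account principal allowed to assume the role."""
    doc = get_role_output["Role"]["AssumeRolePolicyDocument"]
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # An ExternalId requirement may sit under any string condition operator.
        has_external_id = any(
            key.lower() == "sts:externalid"
            for operands in stmt.get("Condition", {}).values()
            for key in operands
        )
        for arn in arns:
            parts = arn.split(":")
            account = parts[4] if len(parts) > 4 else arn  # bare account ID or "*"
            if account != own_account_id:
                findings.append({"principal": arn, "account": account,
                                 "external_id_required": has_external_id})
    return findings

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_GET_ROLE, "111111111111"):
        print(finding)
```

A cross-account principal reported with `external_id_required` set to `False` is the entry to review first, since nothing ties that trust to your tenant.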
06-13-2022 09:56 PM
I see this list right now. But then, PAN support has already cleaned up the Cloud NGFW resources from your side. And I have deleted the IAM account from the portal.
Maybe I will try to recreate the scenario and let you know if the cross-launch IAM roles are properly set.
06-13-2022 10:14 PM
Sounds good. That AwsServiceLinkRole was controlled by AWS FMS, so you may not want to manually delete it. Regarding your PaloAlto FW service, your account was reset back to its initial state. Since you already cleaned up the role stack, you need to do the following to be able to deploy the firewall again.
1. Go to the Account page, download the CFT and run it.
2. From the PaloAlto SaaS UI User page, add the LocalFirewall Admin and LocalRuleStack Admin roles back to the Tenant Admin user.
Then you should be ok.
06-13-2022 10:20 PM
Thanks. I will note it down to make sure I keep the link-role intact for PAN to operate in my account.
I am running a test to delete my tenant account from the portal and also unsubscribe from Cloud NGFW (a clean exit to start again).
And I see this in the portal and that's good.
But I still see that the subscription is active.
How do I unsubscribe from the Cloud NGFW service and delete the current tenant account in the portal? I don't see a way to do this myself.
06-15-2022 11:29 AM
Hi @MWhittaker
Greetings from Palo Alto Networks!
To unsubscribe please navigate to AWS Marketplace > Manage Subscriptions > Palo Alto Networks Cloud NGFW.
Regards,
Edison K Benny
Product specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/cloud-ngfw-help-center/ct-p/Cloud_NGFW
*Don’t forget to accept the solution provided!*
06-20-2022 02:15 PM
This did not help, as I still cannot see Manage NGFWs or create a Firewall in the Cloud Tenant. The old Firewall has been in Deleting status for almost 6 hours now.