Other errors
This section addresses other known errors when deploying or using this solution.
Problem: The FMS admin account ID isn't displayed in the Firewall Manager console
The Firewall Manager settings don't reflect the admin account ID that was provided as a parameter to the CloudFormation stack.
Resolution
It can take up to five minutes for the change to appear in the console. Wait, then refresh the Firewall Manager settings page before investigating further.
Problem: The CloudFormation StackSets instance displays as Outdated
The CloudFormation StackSets instance displays an Outdated status.
Screenshot showing OUTDATED status for AWS Regions.

Resolution
The Outdated status is temporary. Allow more time for the StackSets instances to reach a final state after the StackSets operation completes. Creating StackSets instances across many accounts and Regions is time-intensive: for example, for 6 accounts in approximately 18 Regions, the StackSets operation takes about 90 minutes to complete.
Problem: InternalErrorException when creating a policy in Firewall Manager
Firewall Manager fails to create policies with an InternalErrorException.
Example error showing "code": "InternalErrorException".

Resolution
This error is transient; invoking the Lambda function again resolves it. The policyManager function runs whenever the /FMS/Regions parameter is updated, so re-saving that parameter with its existing value re-invokes it. Use the following steps:
- Sign in to the AWS Systems Manager console.
- On the navigation menu, under Application Management, choose Parameter Store.
- Select the /FMS/Regions parameter and choose Edit.
- Keep the current value and choose Save changes.
This invokes the policyManager Lambda function again with the same value, and the Firewall Manager policy should now be created successfully.
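The same re-trigger can be scripted for accounts where the console is not convenient. The following is an added example, not code from the solution: it reads /FMS/Regions and writes the identical value back with Overwrite=True, which records a new parameter version and so re-invokes policyManager exactly as the console's Save changes does. It is written against boto3's get_parameter/put_parameter call shapes; the FakeSsm class and the sample Region list and parameter type in demo() are constructed so the script runs offline. Pass a real boto3.client("ssm") instead of the fake to run it against an account.

```python
"""Re-invoke the policyManager Lambda by re-saving /FMS/Regions with its current value.

Added example, not the solution's own code. Works against boto3's SSM client or the
constructed FakeSsm below (the parameter value and type in demo() are made up).
"""


def retrigger_parameter(ssm, name="/FMS/Regions"):
    """Read `name` and write the identical value back with Overwrite=True.

    Parameter Store records a new version even when the value is unchanged; the
    solution reacts to that parameter change by running policyManager again, which
    is what "Keep the current value and choose Save changes" does in the console.
    `ssm` needs boto3-shaped get_parameter/put_parameter methods. Returns the new
    version number so the caller can confirm the write happened.
    """
    current = ssm.get_parameter(Name=name)["Parameter"]
    # Type is passed through unchanged so the overwrite can't silently convert a
    # StringList into a String (or vice versa).
    response = ssm.put_parameter(
        Name=name, Value=current["Value"], Type=current["Type"], Overwrite=True
    )
    return response["Version"]


class FakeSsm:
    """Constructed in-memory stand-in for boto3.client('ssm'), covering only the two
    calls retrigger_parameter makes. Records every write so a test can inspect it."""

    def __init__(self, params):
        # params: {name: (value, type)}
        self.params = {
            n: {"Name": n, "Value": v, "Type": t, "Version": 1}
            for n, (v, t) in params.items()
        }
        self.puts = []

    def get_parameter(self, Name, WithDecryption=False):
        if Name not in self.params:
            raise LookupError(f"ParameterNotFound: {Name}")
        return {"Parameter": dict(self.params[Name])}

    def put_parameter(self, Name, Value, Type, Overwrite=False):
        if Name in self.params and not Overwrite:
            raise ValueError(f"ParameterAlreadyExists: {Name}")
        entry = self.params.setdefault(Name, {"Name": Name, "Version": 0})
        entry.update(Value=Value, Type=Type, Version=entry["Version"] + 1)
        self.puts.append((Name, Value, Type))
        return {"Version": entry["Version"], "Tier": "Standard"}


def demo():
    """Run the re-trigger against the fake and return (new_version, recorded_writes)."""
    # Constructed sample value; the real parameter holds whatever Regions you configured.
    ssm = FakeSsm({"/FMS/Regions": ("us-east-1,us-west-2", "StringList")})
    new_version = retrigger_parameter(ssm)
    return new_version, ssm.puts


if __name__ == "__main__":
    # Against a real account: import boto3; retrigger_parameter(boto3.client("ssm"))
    print(demo())
```

The version number returned is the quickest check that the write went through; if it did not increase, no change event was emitted and policyManager was not re-invoked.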
Problem: Throttling exception with AWS APIs
AWS API throttling can occur when the solution manages a large number of Firewall Manager policies and AWS accounts. The following error is logged in CloudWatch Logs:
Example CloudWatch Logs entry showing the throttling error.

Resolution
The Lambda functions include a MAX_ATTEMPTS environment variable that you can raise to address this issue. MAX_ATTEMPTS controls how many times the solution retries an API request before giving up. Raising it lets the functions ride out throttling, but it also lengthens their worst-case run time, so confirm that the Lambda function timeout still accommodates the additional retries.
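To make the effect of MAX_ATTEMPTS concrete, here is an added example (not the solution's code, whose retry implementation this page does not show) of a retry budget read from that environment variable and applied with full-jitter exponential backoff. Only throttling error codes are retried; any other error is raised immediately. The ApiError class is a constructed stand-in for botocore's ClientError that carries the same response["Error"]["Code"] shape, and simulate() is a constructed fake API that is throttled a chosen number of times, so everything runs offline and without sleeping.

```python
"""Retry throttled AWS API calls up to MAX_ATTEMPTS with exponential backoff.

Added example, not the solution's own code: it shows the behaviour a MAX_ATTEMPTS
retry budget gives you. Errors are modelled with a constructed ApiError that carries
botocore's response['Error']['Code'] shape, so nothing here needs network access.
"""
import os
import random
import time

# Codes AWS services use to signal request-rate throttling (a commonly seen set,
# not an exhaustive list).
THROTTLING_CODES = {
    "ThrottlingException",
    "Throttling",
    "TooManyRequestsException",
    "RequestLimitExceeded",
    "RequestThrottled",
}


class ApiError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def max_attempts_from_env(default=3, env=None):
    """Read MAX_ATTEMPTS as a Lambda would; fall back to `default` if unset or invalid."""
    raw = (os.environ if env is None else env).get("MAX_ATTEMPTS", "")
    try:
        value = int(raw)
    except ValueError:
        return default
    return value if value >= 1 else default


def is_throttling(err):
    """True if `err` carries one of the throttling codes above."""
    code = getattr(err, "response", {}).get("Error", {}).get("Code")
    return code in THROTTLING_CODES


def call_with_retry(fn, max_attempts, base_delay=0.5, max_delay=20.0, sleep=time.sleep):
    """Call fn(); on a throttling error back off (full jitter) and retry.

    Non-throttling errors are raised at once, since retrying an AccessDenied only
    burns quota. Once `max_attempts` calls have been throttled the last error
    propagates, which is the ThrottlingException that ends up in CloudWatch Logs.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    for attempt in range(1, max_attempts + 1):
        try:
            return fn()
        except Exception as err:
            if not is_throttling(err) or attempt == max_attempts:
                raise
            # Full jitter: wait a random time in [0, min(cap, base * 2^(attempt-1))].
            sleep(random.uniform(0, min(max_delay, base_delay * 2 ** (attempt - 1))))


def simulate(throttled_calls, max_attempts, code="ThrottlingException"):
    """Constructed fake API: fails `throttled_calls` times with `code`, then returns "ok".

    Returns (outcome, calls_made) so the effect of a given MAX_ATTEMPTS is visible;
    the backoff sleep is replaced with a no-op so the run is instant.
    """
    calls = {"n": 0}

    def fake_api():
        calls["n"] += 1
        if calls["n"] <= throttled_calls:
            raise ApiError(code)
        return "ok"

    try:
        outcome = call_with_retry(fake_api, max_attempts, sleep=lambda _s: None)
    except ApiError as err:
        outcome = "failed:" + err.response["Error"]["Code"]
    return outcome, calls["n"]


if __name__ == "__main__":
    attempts = max_attempts_from_env()
    print(f"MAX_ATTEMPTS={attempts}", simulate(throttled_calls=2, max_attempts=attempts))
```

With the default of 3 attempts, two throttled responses still succeed on the third call, while three throttled responses surface the error; raising MAX_ATTEMPTS to 5 turns that same failure into a success on the fourth call, at the cost of the extra backoff time the function spends waiting.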