Known Issues Affecting ACE
Note: In our technical documentation, we use the term "Azure Native Firewall" to refer to Azure Firewall (Policy-based) devices, distinguishing it from Azure Firewall (Classic).
Cloud Network Security (CNS)
General
| Area | Issue | Notes |
|---|---|---|
| Shared VPCs | ACE does not display shared VPCs for the participant account when the owner account is not onboarded. |
Onboarding
| Area | Issue | Workaround / Notes |
|---|---|---|
| Duplicate account names | Only accounts with unique names can be onboarded. If an account name already exists for a specific vendor the account with the duplicate name will not be onboarded. | Rename one of the accounts on the vendor side. Applies to AWS, Azure, and Google Cloud. |
| AWS organization-level stack | Names are inherited from the organization account. | Manual renames in ACE are overwritten by vendor-side names. |
Policy and Connectivity
| Area | Issue / Limitation | Details / Notes |
|---|---|---|
| Azure NSGs (scale sets) | ACE PowerShell script for enabling resource logs does not apply to NSGs in a scale set. | Configure manually. |
| Azure Native Firewall (Policy-based) | Supported capabilities | Policy visibility, Risks, Rule usage, Traffic Simulation Query. For Azure Firewall (Classic), only Policy visibility is supported. |
| ASMS Connectivity Check | Supported only for Azure NSG policies. | Not supported for AWS SGs, Azure Native Firewall, Azure Firewall (Classic), Google Cloud Projects, service tags with no IPs (e.g., AzureLoadBalancer, GatewayManager), NSG rules with disconnected ASGs, or VNETs with no IPs. |
| Kafka host | All AlgoSec SaaS products connect to the same Kafka host. | Multi-zone not supported. To change the Kafka host, see the AlgoPedia article. |
| AWS NACLs | Policy visibility, risks, and changes are not supported. | When calculating internet access, NACLs are considered in Traffic Simulation Queries (via ASMS). |
| Azure Native Firewall support | Requires ASMS build A32.60.260-94 or higher. | For Azure NSG TSQ and FireFlow on ASMS A32.60, upgrade to build A32.60.260-94+; no upgrade needed for A32.50 or below. |
| For Azure NSG TSQ and FireFlow Support | If using ASMS A32.60 upgrade to build version A32.60.260-94 or higher | |
| Shared VPC routing | Participant routing table may be incomplete. | Traffic Simulation Query results may be inaccurate when paths traverse the shared VPC. |
Risks
| Area | Issue / Limitation | Notes |
|---|---|---|
| Azure Native Firewall | Affected assets are not calculated; tag filtering on the Risks page is not supported. | |
| Azure NSG Service Tags | Standard Risk Profile considers only VirtualNetwork, AzureLoadBalancer, Internet. | Custom profiles consider all tags, but VirtualNetwork and Internet are only partially supported and may cause false positives. |
| Azure Firewall (Classic) | Risk analysis is not supported. | |
| Risk severity refresh | After activating or suppressing a risk, the browser must be refreshed to reflect updated severity. | |
| CSV risk report exports |
Azure: Virtual Network ID column is always empty. Google Cloud: Regions column is empty due to excessive entries. |
Search and Policy Management
| Area | Issue / Limitation | Notes |
|---|---|---|
| Search results | IPs in Public Addresses or Private Subnets are not included in search results for the Accounts or VPCs/VNets tabs. | |
| AWS shared VPC flow logs | Collected only for the owner account. | Participant accounts display “Flow logs disabled” in the Last Used column. |
| Azure Native Firewall flow logs | When two policies exist, the “Last Used” column reflects only child policy rule usage. | Parent policy data is not shown. |
| Azure Native Firewall IP group names | Duplicate IP group names in different resource groups can associate rules with the wrong object. | Ensure unique IP group names within the same subscription. |
| Google Cloud policies | Risk information is not calculated for Network Firewall policies. | “N/A” in the Network Policies page; “0” in the exported CSV policy report. The flag network-firewall-policy-enforcement-order supports only AFTER_CLASSIC_FIREWALL. |
| Network Policy page operations | Policy merge and Policy edit are not supported. |
Cloud App Analyzer (CAA)
| Area | Issue / Condition | Impact / Notes |
|---|---|---|
| AWS VPC limits | CAA creates temporary VPCs to scan AWS EC2 instances. | If the AWS VPC limit is reached in a region, scans fail and the status changes to “Failed.” |
Fixed Issues
08-Apr-25: Some risks may be missing when using customized risk profiles that contain conditions, if those profiles were uploaded to Cloud Network Security before April 8, 2025. If you are using a customized risk profile that contains conditions, we recommend re-uploading the risk profile Excel file to Cloud Network Security.
03-Dec-24: Network Policy Search field fixed to filter results based only on policy names.
05-Feb-24: Risk Severity of Outbound “To Any allow ANY Service” rules to Public IP’s (Risk ID: O01-I-SG) in CF was changed from High to Critical.
Clear your browser's cache