Palo Alto Networks Knowledgebase: How to view Lambda Function logs in AWS

How to view Lambda Function logs in AWS

Created On 02/07/19 23:57 PM - Last Updated 02/07/19 23:57 PM

This article assumes you are familiar with the Lambda Console. If you are not familiar, please see the following AWS resource:


What Is AWS Lambda?


To deploy our VM-Series firewall, we use the Lambda console as the script host. This is where the code is executed, and it must be able to communicate with the management interface of the firewall to function properly. Sometimes there will be issues with Lambda, such as ENI IP address changes, and you will need to look at the logs to gain more insight into the problem. The problem may not be with the VM-Series firewall itself, but without understanding how to view the Lambda logs, you will not have the confidence to direct someone to AWS for further assistance.



1. The Lambda Function logs will be named similar to the template stack you deployed using the CloudFormation Template console in AWS. Make note of the stack that was used to launch the firewall template or the complete VPC template including the firewall.




2. Navigate to the Lambda console and you will see individual function names for each Lambda function. The logs you need are located here.



Lambda Logs 

ASG_xxxxx - Auto Scale Group Logs. These logs will match the FW name within the respective ASG

Lambda-sched-event - Will provide a log for all events run within Lambda
AddEniLambda - You may see errors here related to EIP resource issues, as this log is primarily related to adding ENIs
InitLambda - This log is usually only generated from the initial template spinup. 


3. Click into one of the Lambda functions and select the Monitoring tab.



4. On the right, select "View logs in CloudWatch".



5. From here, you will see different log groups with different timestamps.



6. Just like the physical firewall, you will need the timestamp of the issue in order to look at the logs for each function. You will not know what you are looking for until you find it. Take note of any suspicious logs around the time of the issue.
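
The timestamp-driven review in steps 3 to 6 can also be scripted. The following is an added example, not part of the original article and not Palo Alto Networks code: it turns the time of the issue into a CloudWatch Logs query for one function's log group and keeps only the events that deserve a closer look. The marker list, the 15-minute padding, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Lambda writes each function's output to the log group /aws/lambda/<function name>.
LOG_GROUP_PREFIX = "/aws/lambda/"
# Assumed starter list of markers worth a second look; extend it for your stack.
MARKERS = ("[ERROR]", "Traceback", "Task timed out")

def window_ms(incident, minutes=15):
    """(start, end) in epoch milliseconds around an ISO 8601 time; naive means UTC."""
    t = datetime.fromisoformat(incident)
    if t.tzinfo is None:
        t = t.replace(tzinfo=timezone.utc)
    pad = timedelta(minutes=minutes)
    return int((t - pad).timestamp() * 1000), int((t + pad).timestamp() * 1000)

def build_query(function_name, incident, minutes=15):
    """Keyword arguments for the CloudWatch Logs FilterLogEvents call."""
    start, end = window_ms(incident, minutes)
    return {"logGroupName": LOG_GROUP_PREFIX + function_name,
            "startTime": start, "endTime": end}

def fetch(function_name, incident, minutes=15):
    """Pull every event in the window (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the helpers above also run offline
    pages = boto3.client("logs").get_paginator("filter_log_events").paginate(
        **build_query(function_name, incident, minutes))
    return [event for page in pages for event in page["events"]]

def triage(events, incident, minutes=15):
    """Events inside the window whose message carries one of MARKERS, oldest first."""
    start, end = window_ms(incident, minutes)
    hits = [e for e in events if start <= e["timestamp"] <= end
            and any(m in e["message"] for m in MARKERS)]
    return sorted(hits, key=lambda e: e["timestamp"])

# Constructed sample in the shape FilterLogEvents returns; not real firewall logs.
SAMPLE_EVENTS = [
    {"timestamp": 1549582871000, "message": "START RequestId: 0000-example Version: $LATEST\n"},
    {"timestamp": 1549582872000, "message": "[ERROR]\t2019-02-07T23:41:12.000Z\t0000-example\tconstructed error text\n"},
    {"timestamp": 1549582875000, "message": "2019-02-07T23:41:15.000Z 0000-example Task timed out after 3.00 seconds\n"},
    {"timestamp": 1549411200000, "message": "[ERROR]\told constructed error outside the window\n"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS, "2019-02-07T23:40:00"):
        print(e["timestamp"], e["message"].strip())
```

With credentials configured, `triage(fetch(name, when), when)` runs the same review against a live function, where `name` is the full function name shown in the Lambda console for your stack.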





If you have an existing support case open, we may request that you export and upload the Lambda function logs to the support case for further review.


Export Log Data to Amazon S3 Using the Console

