Panorama integration with Cloud NGFW for AWS fails at license with Unauthorized client error.

Created On 08/15/23 07:07 AM - Last Modified 04/10/24 20:28 PM


Symptom


  • Cloud NGFW for AWS is set up and a user is trying to integrate Panorama for policy management.
  • After integration, the Panorama cloud connector plugin does not list any resources.
  • The cloud connector plugin displays the following error:
    admin@Panorama> show plugins cloudconnector status
    
    fail
    CloudConnector plugin is enabled. Cloud NGFW functionality is enabled.
    License check has failed for region https://prod.us.secure-policy.cloudmgmt.paloaltonetworks.com. Server returned 401 {"statusCode":401,"error":"Unauthorized","message":"Unauthorized client. x-trace-id: xxxxx-xxxx-xxxx-xxxx-xxxxxxxx"}

 


Environment


  • Cloud NGFW for AWS
  • Panorama version 10.2.3 or higher.
  • Cloud connector plugin 2.0.1 or later.
  • AWS plugin 5.1.1 or later.


Cause


  • Check the region in which the Cloud NGFW is deployed.
  • The cloud connector plugin points to the US region by default and inherits its region information from the device telemetry configuration.
  • In this scenario, the Panorama device telemetry was pointing to the US region, but the Cloud NGFW is deployed in the Australia region.
  • The cloud connector plugin is pointing to the US region URL:
    admin@Panorama> show plugins cloudconnector status
    
    fail
    CloudConnector plugin is enabled. Cloud NGFW functionality is enabled.
    License check has failed for region https://prod.us.secure-policy.cloudmgmt.paloaltonetworks.com. Server returned 401 {"statusCode":401,"error":"Unauthorized","message":"Unauthorized client. x-trace-id: xxxxx-xxxx-xxxx-xxxx-xxxxxxxx"}
  • Device telemetry is set to Americas.
    admin@Panorama> show device-telemetry region-list
    
    Device Telemetry Region List:
        Americas
    
    admin@Panorama> show device-telemetry settings
    
    Device Telemetry Settings:
        device-health-performance: yes
        product-usage: yes
        threat-prevention: yes
        region: Americas
        status: Device Certificate is valid


Resolution


  1. The device telemetry region on Panorama should be the same as the region where the Cloud NGFW is deployed.
  2. Change the Panorama device telemetry region to Australia (or to the region where your Cloud NGFW is deployed, if other than Americas).
  3. Once the region is changed, wait up to 10 minutes; the cloud connector will then also point to the Australia region.
    admin@Panorama> show device-telemetry region-list
    Device Telemetry Region List:
        Australia
    
    admin@Panorama> show plugins cloudconnector status
    pass
    CloudConnector plugin is enabled. Cloud NGFW functionality is enabled.
    Connectivity to region https://prod.au.secure-policy.cloudmgmt.paloaltonetworks.com and license check is a success.
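
The comparison this article performs by hand, as an added Python example (not Palo Alto Networks code): it parses captured output of `show plugins cloudconnector status` and `show device-telemetry settings` and reports a region mismatch. The region-name-to-URL-code map holds only the two pairs visible in this article, and the function names are this example's own.

```python
import json
import re

# Telemetry region name -> region code in the connector URL. Only the two pairs
# shown in this article; confirm any other region's code on your own Panorama.
REGION_CODES = {"Americas": "us", "Australia": "au"}

URL_RE = re.compile(r"https://prod\.([a-z0-9-]+)\.secure-policy\.cloudmgmt\.paloaltonetworks\.com")
ERR_RE = re.compile(r"Server returned (\d{3}) (\{.*\})")
REGION_RE = re.compile(r"^\s*region:\s*(\S.*?)\s*$", re.M)

# Sample outputs copied from the article above (trace id is already masked there).
STATUS_FAIL = """fail
CloudConnector plugin is enabled. Cloud NGFW functionality is enabled.
License check has failed for region https://prod.us.secure-policy.cloudmgmt.paloaltonetworks.com. Server returned 401 {"statusCode":401,"error":"Unauthorized","message":"Unauthorized client. x-trace-id: xxxxx-xxxx-xxxx-xxxx-xxxxxxxx"}
"""
TELEMETRY_US = """Device Telemetry Settings:
    device-health-performance: yes
    region: Americas
    status: Device Certificate is valid
"""


def parse_status(text):
    """Extract pass/fail, URL region code and HTTP error from the status output."""
    state = re.search(r"^\s*(pass|fail)\s*$", text, re.M)
    url = URL_RE.search(text)
    err = ERR_RE.search(text)
    body = json.loads(err.group(2)) if err else {}
    return {"state": state.group(1) if state else None,
            "region_code": url.group(1) if url else None,
            "http_status": int(err.group(1)) if err else None,
            "error": body.get("error")}


def diagnose(status_text, telemetry_text, deployed_region):
    """Return findings; an empty list means connector and deployment agree."""
    status = parse_status(status_text)
    match = REGION_RE.search(telemetry_text)
    telemetry = match.group(1) if match else None
    expected = REGION_CODES.get(deployed_region)
    findings = []
    if telemetry != deployed_region:
        findings.append(f"telemetry region {telemetry} != Cloud NGFW region {deployed_region}")
    if expected and status["region_code"] != expected:
        findings.append(f"connector URL region {status['region_code']} != expected {expected}")
    if status["state"] == "fail" and not findings:
        findings.append(f"license check failed (HTTP {status['http_status']}) with matching regions")
    return findings
```

Calling `diagnose(STATUS_FAIL, TELEMETRY_US, "Australia")` returns two findings for the scenario in this article; an empty list corresponds to the post-fix state.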


 

