PAT Translations per NAT Source IP on a PA-5000 Series Firewall
Created On 09/25/18 19:43 PM - Last Modified 06/06/23 08:05 AM
Resolution
Overview
The maximum number of Port Address Translation (PAT) translations per NAT source IP is 65536.
However, running the following show session command may show a number greater than 65536:
> show session all filter nat-rule <rule name> count yes
Number of sessions that match filter: 83298.
Details
The PA-5000 Series Firewall can reuse each available source port (up to 8 times on the PA-5050 and PA-5060, up to 4 times on the PA-5020). This is called DIPP oversubscription. The firewall can use 63k source ports, since the available port range is roughly 1k-64k. Each allocated port can support up to 8 sessions (4 on the PA-5020), provided the sessions are destined to unique hosts.
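The following Python sketch is an added example, not Palo Alto Networks code: a simplified model of DIPP oversubscription that shows why one NAT source IP can carry more sessions than it has ports. The port range 1024-65535, the absence of session teardown, and the names `DippPool` and `fill` are assumptions made for illustration.

```python
# Simplified model of DIPP oversubscription (illustration only, not PAN-OS logic).
# Assumptions: ports 1024-65535 (the "63k" in the text), sessions never close,
# and a port may be shared only by sessions going to different destination hosts.

class DippPool:
    def __init__(self, oversub, port_lo=1024, port_hi=65535):
        self.oversub = oversub          # 8 on PA-5050/PA-5060, 4 on PA-5020
        self.port_lo = port_lo
        self.size = port_hi - port_lo + 1
        self.users = [set() for _ in range(self.size)]  # destinations per port
        self.first_open = 0             # lowest port index that is not yet full
        self.cursor = {}                # per destination: next port index to try

    def allocate(self, dst):
        """Return a translated source port for a new session to dst, or None."""
        i = max(self.cursor.get(dst, 0), self.first_open)
        while i < self.size:
            users = self.users[i]
            if len(users) < self.oversub and dst not in users:
                users.add(dst)
                self.cursor[dst] = i + 1
                while (self.first_open < self.size
                       and len(self.users[self.first_open]) >= self.oversub):
                    self.first_open += 1
                return self.port_lo + i
            i += 1
        self.cursor[dst] = self.size    # nothing left for this destination
        return None


def fill(pool, destinations, limit=None):
    """Open sessions round-robin across destinations; return how many fit."""
    count, live = 0, list(destinations)
    while live and (limit is None or count < limit):
        dst = live.pop(0)
        if pool.allocate(dst) is not None:
            count += 1
            live.append(dst)            # destination can still take more sessions
    return count


if __name__ == "__main__":
    # One destination host: capped at the number of ports, no reuse possible.
    print(fill(DippPool(8), ["198.51.100.1"], limit=83298))
    # Two destination hosts (constructed addresses): ports are shared, so the
    # session count from the article's output fits on a single NAT source IP.
    print(fill(DippPool(8), ["198.51.100.1", "198.51.100.2"], limit=83298))
```
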
owner: shasnain