Palo Alto Networks Knowledgebase: How to Check the NAT Buffer Pool

How to Check the NAT Buffer Pool

22828
Created On 08/05/19 19:21 PM - Last Updated 08/05/19 19:48 PM
Resolution

Details

To display the NAT IP pool cache, run the show running ippool command:

> show running ippool

VSYS 1 has 3 NAT rules, DIP and DIPP rules:
Rule                             Type            Used       Available  Mem Size Ratio
-------------------------------- --------------- ---------- ---------- -------- -----
Trusted-to-Untrusted             Dynamic IP/Port 273        128751        20336    2

In the above example from PAN-OS 7.1, the NAT rule Trusted-to-Untrusted is currently using 273 buffers for NAT operation, with 128751 still available.

The Ratio column is also known as the oversubscription rate. The ratio varies by platform; the device in this example is a PA-200. It specifies how many sessions from one source IP and port combination, going to different destination IPs, can share the same source port in the translation.

There are 65536 TCP ports in total. The first 1024 are reserved, which leaves the firewall 64512 to choose from in a DIPP (dynamic IP and port) NAT rule. Multiplying 64512 by the ratio gives the total number of ports available, 129024, which is the sum of 273 and 128751 in the output above.
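As an added example (not part of the article or of PAN-OS), a small Python parser for the table above that recomputes the article's arithmetic for each rule: it checks that Used + Available equals 64512 × Ratio for a DIPP rule and flags a pool whose utilization crosses a threshold, which is what you would wire into a monitoring check. The sample output is constructed from the PA-200 row shown above; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

USABLE_PORTS = 65536 - 1024  # 64512: all TCP ports minus the 1024 reserved ones

# Constructed sample in the shape of "show running ippool" (the article's
# PA-200 row); not captured from a live firewall.
SAMPLE_OUTPUT = """Rule                             Type            Used       Available  Mem Size Ratio
-------------------------------- --------------- ---------- ---------- -------- -----
Trusted-to-Untrusted             Dynamic IP/Port 273        128751        20336    2
"""

# One table row: rule name, a type that may contain spaces, then four integers.
ROW_RE = re.compile(r"^(?P<rule>\S+)\s+(?P<type>.+?)\s+(?P<used>\d+)\s+"
                    r"(?P<avail>\d+)\s+\d+\s+(?P<ratio>\d+)\s*$")

@dataclass
class PoolRow:
    rule: str
    nat_type: str
    used: int
    available: int
    ratio: int

    @property
    def capacity(self) -> int:  # total translation slots for the rule
        return self.used + self.available

    def capacity_matches_ratio(self) -> bool:
        # The article's arithmetic for a DIPP rule: Used + Available == 64512 * Ratio.
        if self.nat_type != "Dynamic IP/Port":
            return True  # only DIPP pools are sized from the source-port range
        return self.capacity == USABLE_PORTS * self.ratio

def parse_ippool(text: str) -> list[PoolRow]:
    rows = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        rows.append(PoolRow(m["rule"], m["type"], int(m["used"]),
                            int(m["avail"]), int(m["ratio"])))
    return rows

def check_pools(text: str, warn_at: float = 0.8) -> list[tuple[str, str]]:
    # Flag rows whose counters do not add up or whose pool is nearly exhausted.
    findings = []
    for row in parse_ippool(text):
        if not row.capacity_matches_ratio():
            findings.append((row.rule, "Used+Available != 64512*Ratio"))
        if row.used / row.capacity >= warn_at:
            findings.append((row.rule, f"pool {row.used / row.capacity:.0%} used"))
    return findings
```

Feed it the output of `show running ippool` captured from the CLI; an empty result from `check_pools` means every DIPP pool adds up and none is near the threshold.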

To reclaim stale NAT buffers (this clears only the stale buffers, not translations in use by an existing session), run the following command:

> debug dataplane nat sync-ippool rule <rulename>

To reset the counters and clear all sessions, run the following command:

> clear session all

To check a specific NAT rule IP pool usage, use the show running nat-rule-ippool show-freelist yes rule <NAT-rule-name> command:

> show running nat-rule-ippool show-freelist yes rule Trusted-to-Untrusted

VSYS 1 Rule yes:
Rule: Trusted-to-Untrusted, Pool index: 1, memory usage: 20336
-----------------------------------------
Oversubscription Ratio:                2
Number of Allocates:               34285
Last Allocated Index:               1339

Oversubscription Ratio:

  • Indicates the number of sessions from one source IP and port combination to different destination IPs that can use the same source port in the translation.
