How to Check the Oversubscription on a NAT Rule

Created On 09/26/18 13:50 PM - Last Modified 02/07/19 23:44 PM



When a NAT rule uses Port Address Translation, the maximum number of translations the Palo Alto Networks firewall can perform before it uses up the available ports on that rule is around 64,000 less the 1,000 reserved low ports. The lower 1024 ports are never used, because they are reserved as well-known server ports.

To accommodate a larger number of translations on a given NAT rule, the Palo Alto Networks PA-3000, PA-4000, PA-5000, and PA-7000 platforms offer oversubscription. It is a preconfigured setting; no change is needed on the device to enable it.


To check the oversubscription on a NAT rule, use the following command:

> show running nat-rule-ippool rule nat1

VSYS 1 Rule nat1:
Rule: nat1, Pool index: 1, memory usage: 20336

Oversubscription Ratio:                2
Number of Allocates:                9327
Last Allocated Index:              54528

The above output shows an Oversubscription Ratio of 2, meaning the NAT rule is oversubscribed twice; 2 is the value on the PA-3050.

Other platforms have a different oversubscription ratio. For example, the PA-5050/5060 have a factor of 8.
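As an added example (not from this article or from Palo Alto Networks), the following Python parses the output of show running nat-rule-ippool quoted above and estimates how much of the oversubscribed pool a rule is using, so exhaustion can be spotted before sessions start failing. The 64512 usable ports per translated IP and the 80% warning threshold are assumptions, not values from the article.

```python
import re

# Constructed sample: the CLI output quoted in this article.
SAMPLE_OUTPUT = """\
VSYS 1 Rule nat1:
Rule: nat1, Pool index: 1, memory usage: 20336

Oversubscription Ratio:                2
Number of Allocates:                9327
Last Allocated Index:              54528
"""

# Assumption: usable source ports per translated IP are 1024-65535 (64512),
# since the article says the lower 1024 ports are never used.
USABLE_PORTS_PER_IP = 65536 - 1024

FIELDS = {
    "rule": r"^Rule:\s*(\S+),",
    "ratio": r"^Oversubscription Ratio:\s*(\d+)",
    "allocates": r"^Number of Allocates:\s*(\d+)",
    "last_index": r"^Last Allocated Index:\s*(\d+)",
}


def parse_nat_pool(text: str) -> dict:
    """Pull the fields this article discusses out of the CLI output."""
    fields = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"field '{key}' not found in output")
        fields[key] = m.group(1) if key == "rule" else int(m.group(1))
    return fields


def pool_capacity(ratio: int, translated_ips: int = 1) -> int:
    """Translations the rule can hold: usable ports x translated IPs x ratio."""
    return USABLE_PORTS_PER_IP * translated_ips * ratio


def assess(text: str, translated_ips: int = 1, warn_at: float = 0.8) -> dict:
    """Parse the output and flag a pool nearing exhaustion (warn_at is a chosen threshold)."""
    f = parse_nat_pool(text)
    capacity = pool_capacity(f["ratio"], translated_ips)
    util = f["allocates"] / capacity
    return {**f, "capacity": capacity, "utilization": round(util, 4),
            "warning": util >= warn_at}


print(assess(SAMPLE_OUTPUT))
```

Pass the number of translated IP addresses in the rule's pool as translated_ips if the rule maps to more than one address.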

owner: ialeksov