Palo Alto Networks Knowledgebase: How to Check the Oversubscription on a NAT Rule

How to Check the Oversubscription on a NAT Rule

5886
Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:44 PM
Resolution

Overview

The maximum number of translations that the Palo Alto Networks firewall can perform when a Port Address Translation is configured, until it uses up the available ports on a rule, is around 64,000-1,000. The lower 1024 ports are never used because they are considered servers' ports.

To accommodate for a bigger number of translations on a given NAT rule, on Palo Alto Networks devices PA-3000, PA-4000, PA-5000, and PA-7000 there is an option for oversubscription. This is a preconfigured setting and no change is needed on the device to enable it.

Steps

To check for oversubscription on a security rule, use the following command:

> show running nat-rule-ippool rule nat1

VSYS 1 Rule nat1:

Rule: nat1, Pool index: 1, memory usage: 20336

-----------------------------------------

Oversubscription Ratio:                2

Number of Allocates:                9327

Last Allocated Index:              54528

The above output indicates that a security rule is oversubscribed twice, which is the value on the 3050 device.

The other devices have a different ratio of oversubscription. For example, the 5050/5060 have a factor of 8.

owner: ialeksov



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsZCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language