How to Check the Oversubscription on a NAT Rule
Created On 09/26/18 13:50 PM - Last Modified 07/10/25 20:46 PM
Objective
To check the oversubscription factor on a NAT rule.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Dynamic NAT
Procedure
- To accommodate a larger number of translations on a given NAT rule, there is an option for oversubscription. This is a preconfigured setting, and no change is needed on the device to enable it.
- To check for oversubscription on a NAT rule, use the command "show running nat-rule-ippool rule <rule name>". Example:
> show running nat-rule-ippool rule nat1
VSYS 1 Rule nat1:
Rule: nat1, Pool index: 1, memory usage: 20336
-----------------------------------------
Oversubscription Ratio: 2
Number of Allocates: 9327
Last Allocated Index: 54528
- The above output indicates that the NAT rule is oversubscribed by a factor of two (Oversubscription Ratio: 2). Different platforms have different oversubscription ratios.
- For details, refer to: NAT Rule Capacities and Dynamic IP and Port Oversubscription.
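
The output format shown above can be parsed from a saved CLI capture to audit several NAT rules at once. This is an added example, not Palo Alto Networks code; the function names, the second rule (nat2) and the expected ratio passed by the caller are assumptions made for illustration.

```python
import re

# Constructed sample: the article's output for nat1 plus a made-up second
# rule (nat2) to show how a capture with several rules is handled.
SAMPLE = """\
> show running nat-rule-ippool rule nat1
VSYS 1 Rule nat1:
Rule: nat1, Pool index: 1, memory usage: 20336
-----------------------------------------
Oversubscription Ratio: 2
Number of Allocates: 9327
Last Allocated Index: 54528
> show running nat-rule-ippool rule nat2
VSYS 1 Rule nat2:
Rule: nat2, Pool index: 2, memory usage: 20336
-----------------------------------------
Oversubscription Ratio: 1
Number of Allocates: 12
Last Allocated Index: 2048
"""

HEADER = re.compile(r"^VSYS\s+(\d+)\s+Rule\s+(.+?):\s*$")
POOL = re.compile(r"^Rule:\s*(.+?),\s*Pool index:\s*(\d+),\s*memory usage:\s*(\d+)\s*$")
FIELD = re.compile(
    r"^(Oversubscription Ratio|Number of Allocates|Last Allocated Index):\s*(\d+)\s*$")

def parse_ippool(text):
    """Return one dict per 'VSYS n Rule name:' block found in the capture."""
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            cur = {"vsys": int(m[1]), "rule": m[2]}
            rules.append(cur)
        elif cur is None:
            continue  # prompt or banner text before the first rule block
        elif m := POOL.match(line):
            cur["pool_index"], cur["memory_usage"] = int(m[2]), int(m[3])
        elif m := FIELD.match(line):
            cur[m[1].lower().replace(" ", "_")] = int(m[2])
    return rules

def ratio_mismatches(rules, expected_ratio):
    """Names of rules whose ratio is missing or differs from expected_ratio
    (the value the operator expects for this platform; an assumption here)."""
    return [r["rule"] for r in rules
            if r.get("oversubscription_ratio") != expected_ratio]
```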