Strata Cloud Manager Alert "NAT Resource Pool - NAT Pool Usage"
Symptom
- Alert from Strata Cloud Manager regarding a high usage of NAT resource pool.
- Recommendation from Strata Cloud Manager to increase the NAT resource pool.
Environment
- PAN-OS
- Strata Cloud Manager
Cause
Depending on the percentage of the pool usage, Strata Cloud Manager will trigger an alert based on the severity of resources left in the pool.
Resolution
This alert indicates a high NAT pool usage which warns of a NAT Pool depletion follow the steps below to address this problem.
- Identify the source NAT rule which is having a high NAT IP pool usage base on the metric nat_resources_dipp_dp-slot_rule_name (where rule name is replaced by the name of the NAT rule) emitted by the Strata Cloud Manager.
- You can check the same from firewall CLI using the command below and compare the Used versus Available of this command for each of the NAT rules displayed.
> show running ippool
- Review the configuration of that source NAT rule under firewall UI Policies> NAT and it validity base on the different NAT used cases in NAT Configuration Examples and in KB article Source NAT translation Types and typical use cases.
- Address the high NAT pool usage using below option(s):
- Edit that source NAT rule under Policies > NAT by increasing its translated address Pool:
- Click the NAT policy that Strata Cloud Manager flagged for NAT pool depletion.
- Click the Translated Packet tab.
- Under Source Address Translation.
- Click Add.
- Key in the new IP address/es.
- Click OK.
- Click Commit on the upper right corner.
- Apply the same to all the source NAT DIP or DIPP rules which are having high NAT pool usage problem.
- If unable to add more public IPs to the translated address pool and if the problem of high pool usage affects DIPP NAT rule (s) then consider option B.
- Edit that source NAT rule under Policies > NAT by increasing its translated address Pool:
- Increase the Oversubscription Rate for DIPP NAT:
- Click DEVICE> Setup tab.
- Click Session.
- Click Session Settings Gear.
- Under NAT Oversubscription Rate, choose a ratio value that is greater than the current configuration.
- To determine the current value of the NAT oversubscription rate use the command:
> show running ippool
- Click OK.
- Click Commit.
Note:
- The NAT oversubscription rate is a firewall global setting and will affect all the NAT DIPP rules.
- The NAT oversubscription rate is referring to the reusability of the translated IP and port. Increasing the oversubscription rate will increase the number of source device translations per NAT rule, but will provide lower the number of overall DIP and DIPP NAT rules allowed per firewall.
- Step 5 will only affect DIPP NAT pool usage and will not help in case of DIP high NAT pool usage.
Additional Information
General Dynamic IP deployment recommendations to consider:
1) Try to allocate at least a one-to-one ratio of source IPs to translated addresses.
2) For multi-DP systems (like the PA-5250 and PA-7000 series) it is recommended to use 1.5x number of translated
IPs per 1x source IPs, to create a buffer to avoid retries and conflicts when the firewall is looking for an IP, which
can result in dropped packets.
3) Configure Dynamic IP and Port fallback for Dynamic IP NAT rules to serve as a backup in case the Dynamic IP address pool runs out of IPs.
4) Configure hash-source as the session distribution policy on platforms with an FPP to improve performance in heavily NATed environments.
In the CLI - set session distribution policy hash source
Additional references used in this knowledge Article:
HOW TO CHANGE THE NAT OVERSUBSCRIPTION RATE
PACKET DROP DUE TO SOURCE NAT IP/PORT ALLOCATION FAILED
Dynamic IP and Port NAT Oversubscription