How to reduce the number of NAT policies configured on the Firewall
Created On 02/03/23 07:59 AM - Last Modified 11/29/23 17:47 PM
Objective
- To check the maximum number of NAT policies the Firewall supports.
- To check the number of NAT policies currently configured on the Firewall.
- To determine which NAT policies can be deleted.
- To reduce the number of NAT policies on a locally managed Firewall.
- To reduce the number of NAT policies on a Panorama-managed Firewall.
Environment
- Palo Alto Firewall (FW)
- Supported PAN-OS
- NAT Policies
Procedure
Attention Strata Cloud Manager users: if you have been redirected to this knowledge article, skip ahead and start with Step 2.
- Check the maximum NAT policy capacity of your Firewall.
- Use Firewall CLI:
show system state filter cfg.general.max* | match nat
Note: If the value is listed in hexadecimal (prefixed with 0x), convert it to decimal before comparing it with your rule count. Most recent platforms and PAN-OS versions list the value in decimal.
- On the Product Selection web page, click Show More under your platform name to find the maximum number of NAT rules.
- For a VM-Flex Firewall running a version lower than 10.2.x, refer to Maximum Limits Based on Tier and Memory. For versions 10.2.x and higher, refer to Maximum Limits Based on Tier and Memory. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
> show system info
- Check the current number of NAT policies under Policies > NAT.
Note: If the Firewall is configured for multi-vsys, add the number of rules listed under each vsys to get the total number of NAT policies configured on the FW. The capacity limit applies to that total, not to each vsys separately.
- To determine which NAT Policies can be deleted, use Tips & Tricks: How to Identify Unused Policies on a Palo Alto Networks Device. Although the article focuses on Security Policy, the same principle can be applied to NAT Policies.
- For Locally managed Firewall:
- Delete the unused NAT Policies configured under Policies > NAT
- For Panorama managed Firewall:
- Revisit your device-group hierarchy: consider placing the FW(s) with a lower capacity limit in a different device group from the FW(s) with a higher capacity limit, so that a large shared rule set is not pushed to a platform that cannot hold it.
- Reduce the number of NAT Policies configured under Device Groups > Policies > NAT.
- If the number of NAT policies cannot be reduced below the capacity limit after following the recommendations above:
- For a hardware FW, consider upgrading to a higher-capacity platform.
- For a VM-Flex FW running a version lower than 10.2.0, consider upgrading to 10.2.0 or later to take advantage of the increased configuration capacity offered by the Memory Scaling of the VM-Series Firewall feature. Also consider increasing the FW memory/RAM, since the memory profile (vm-cap-tier) determines the capacity of a VM-Flex FW.
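The steps above are done by hand in the CLI and GUI. The following is an added worked example, not part of this article or of any Palo Alto Networks tool: a small script run on an operator's workstation that parses the pasted output of the capacity command (converting a hexadecimal value where one appears), sums per-vsys rule counts, reports the headroom, and, for a Panorama deployment, lists the firewalls in a device group whose capacity is below the number of NAT rules the group would push. The state key name `cfg.general.max-nat-rule` and all sample values are assumptions; the script matches any key containing "max" and "nat" so other spellings are picked up too.

```python
"""NAT policy capacity check for PAN-OS, offline on pasted CLI/GUI output.

Added example; it does not contact the firewall. All sample output below is
constructed, and the state key name is an assumption.
"""
import re

# Constructed output of: show system state filter cfg.general.max* | match nat
# Older platforms print the value in hex, newer ones in decimal.
STATE_HEX = "cfg.general.max-nat-rule: 0xfa0\n"
STATE_DEC = "cfg.general.max-nat-rule: 4000\n"

# Constructed per-vsys counts as read from Policies > NAT on a multi-vsys FW.
PER_VSYS_NAT_RULES = {"vsys1": 2600, "vsys2": 1500}

# key: value, where key contains "max" and "nat" and value is 0x... or decimal.
_STATE_LINE = re.compile(
    r"^\s*(?P<key>[^\s:]*max[^\s:]*nat[^\s:]*)\s*:\s*(?P<val>0x[0-9a-fA-F]+|\d+)\s*$",
    re.MULTILINE,
)


def _to_int(value: str) -> int:
    """Convert a PAN-OS state value, hexadecimal (0x...) or decimal, to int."""
    if value.lower().startswith("0x"):
        return int(value, 16)
    return int(value)


def parse_max_nat_rules(state_output: str) -> dict:
    """Return {state key: capacity} for every max-NAT key in the filtered output."""
    return {m["key"]: _to_int(m["val"]) for m in _STATE_LINE.finditer(state_output)}


def total_nat_rules(per_vsys: dict) -> int:
    """Total configured NAT rules: the sum over all vsys (one entry on a single-vsys FW)."""
    return sum(per_vsys.values())


def nat_headroom(state_output: str, per_vsys: dict) -> dict:
    """Compare configured NAT rules against the platform limit.

    If several keys match, the smallest limit is used (conservative)."""
    limits = parse_max_nat_rules(state_output)
    if not limits:
        raise ValueError("no max NAT rule key found in state output")
    capacity = min(limits.values())
    current = total_nat_rules(per_vsys)
    return {
        "capacity": capacity,
        "current": current,
        "remaining": capacity - current,
        "over_limit": current > capacity,
    }


def oversubscribed_firewalls(device_group_rules: int, capacities: dict) -> list:
    """Firewalls whose NAT capacity is below the rule count the device group pushes.

    These are the candidates for a separate device group or a platform/memory
    upgrade. `capacities` maps firewall name to its max-NAT value."""
    return sorted(name for name, cap in capacities.items() if device_group_rules > cap)


if __name__ == "__main__":
    for label, out in (("hex", STATE_HEX), ("decimal", STATE_DEC)):
        print(label, parse_max_nat_rules(out))
    report = nat_headroom(STATE_HEX, PER_VSYS_NAT_RULES)
    print("headroom:", report)
    # Constructed Panorama device group: 3000 rules pushed to two platforms.
    print("oversubscribed:", oversubscribed_firewalls(3000, {"fw-small": 2000, "fw-large": 8000}))
```

Paste the real `show system state` line(s) into `STATE_HEX`/`STATE_DEC` and the per-vsys counts from Policies > NAT into `PER_VSYS_NAT_RULES`; a negative `remaining` means the commit or push will be rejected for exceeding capacity until rules are removed.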