How to Check the Oversubscription on a NAT Rule
Resolution
Overview
With Port Address Translation configured, the number of translations a Palo Alto Networks firewall can perform from a single translated IP address on a NAT rule is limited by the available source ports: 65,536 ports minus the lowest 1,024 (ports 0 to 1023), which are never used because they are the well-known server ports. That leaves roughly 64,500 translations per translated address before the rule runs out of ports.
To accommodate a larger number of translations on a given NAT rule, the PA-3000, PA-4000, PA-5000 and PA-7000 Series devices support oversubscription, which allows the same translated IP address and port pair to be reused for sessions to different destinations. This is a preconfigured setting; no change is needed on the device to enable it.
Steps
To check the oversubscription ratio on a NAT rule, use the following operational command (here for a NAT rule named nat1):
> show running nat-rule-ippool rule nat1
VSYS 1 Rule nat1:
Rule: nat1, Pool index: 1, memory usage: 20336
-----------------------------------------
Oversubscription Ratio: 2
Number of Allocates: 9327
Last Allocated Index: 54528
The output above shows that the NAT rule is oversubscribed by a factor of 2 (Oversubscription Ratio: 2), which is the value on the PA-3050. Number of Allocates reports the allocations made from this rule's pool, so it can be compared against the usable ports multiplied by the ratio to see how much headroom the rule has.
Other platforms have a different oversubscription ratio; for example, the PA-5050 and PA-5060 have a factor of 8.
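The following is an added example, not part of this article and not Palo Alto Networks code. It parses the `show running nat-rule-ippool` output shown above (embedded as a constructed sample) and computes the pool's translation capacity as usable ports per address (65,536 minus the reserved 1,024) multiplied by the number of translated addresses and the oversubscription ratio. Two assumptions are made: the number of translated addresses in the pool (`pool_ips`) is passed in by the caller because the CLI output does not show it, and Number of Allocates is treated as the current allocation count; the 80% warning threshold is the example's own choice.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the 'show running nat-rule-ippool' output
# reproduced in the article above, for a rule named nat1.
SAMPLE_OUTPUT = """\
VSYS 1 Rule nat1:
Rule: nat1, Pool index: 1, memory usage: 20336
-----------------------------------------
Oversubscription Ratio: 2
Number of Allocates: 9327
Last Allocated Index: 54528
"""

# Ports 0-1023 (the well-known server ports) are never handed out for PAT,
# so each translated IP address offers at most 65536 - 1024 source ports.
RESERVED_PORTS = 1024
USABLE_PORTS_PER_IP = 65536 - RESERVED_PORTS  # 64512


@dataclass
class NatPoolStatus:
    rule: str
    pool_index: int
    memory_usage: int
    ratio: int
    allocates: int
    last_index: int


def _field(pattern: str, text: str) -> str:
    """Return the first capture group of a line-anchored regex, or fail loudly."""
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError(f"field not found in output: {pattern}")
    return m.group(1)


def parse_nat_pool(text: str) -> NatPoolStatus:
    """Parse one rule's block of 'show running nat-rule-ippool' output."""
    header = re.search(
        r"^Rule:\s*(\S+),\s*Pool index:\s*(\d+),\s*memory usage:\s*(\d+)",
        text, re.MULTILINE)
    if header is None:
        raise ValueError("rule header line not found")
    return NatPoolStatus(
        rule=header.group(1),
        pool_index=int(header.group(2)),
        memory_usage=int(header.group(3)),
        ratio=int(_field(r"^Oversubscription Ratio:\s*(\d+)", text)),
        allocates=int(_field(r"^Number of Allocates:\s*(\d+)", text)),
        last_index=int(_field(r"^Last Allocated Index:\s*(\d+)", text)),
    )


def pool_capacity(pool_ips: int, ratio: int) -> int:
    """Maximum translations a pool can hold: usable ports per address,
    times addresses in the pool, times the platform's oversubscription ratio."""
    if pool_ips < 1 or ratio < 1:
        raise ValueError("pool_ips and ratio must be positive")
    return pool_ips * USABLE_PORTS_PER_IP * ratio


def utilization(status: NatPoolStatus, pool_ips: int) -> float:
    """Fraction of pool capacity consumed by the reported allocations."""
    return status.allocates / pool_capacity(pool_ips, status.ratio)


def headroom_report(status: NatPoolStatus, pool_ips: int, warn_at: float = 0.8) -> dict:
    """Summarise capacity and flag the rule when utilization reaches warn_at."""
    cap = pool_capacity(pool_ips, status.ratio)
    used = status.allocates / cap
    return {
        "rule": status.rule,
        "ratio": status.ratio,
        "capacity": cap,
        "allocates": status.allocates,
        "utilization": round(used, 4),
        "warning": used >= warn_at,
    }


if __name__ == "__main__":
    st = parse_nat_pool(SAMPLE_OUTPUT)
    # pool_ips=1 is an assumption: the CLI output does not show how many
    # translated addresses the rule's pool contains.
    print(headroom_report(st, pool_ips=1))
```

Run the script against the output of the same command pasted from your own device; with a ratio of 8 (PA-5050/5060) the capacity per translated address is 516,096 instead of 129,024, so the same Number of Allocates represents a much lower utilization.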
owner: ialeksov