https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37848#M27697 <HTML><HEAD></HEAD><BODY><P>Is there information on Security and NAT "add rule" configuration limitations for the PA-4000 series?</P></BODY></HTML> Thu, 25 Feb 2010 20:58:36 GMT twhite 2010-02-25T20:58:36Z https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37848#M27697 <HTML><HEAD></HEAD><BODY><P>Is there information on Security and NAT "add rule" configuration limitations for the PA-4000 series?</P></BODY></HTML> Thu, 25 Feb 2010 20:58:36 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37848#M27697 twhite 2010-02-25T20:58:36Z https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37849#M27698 <HTML><HEAD></HEAD><BODY><P>4020</P><P>Total NAT rules: 1000 (max of 200 dynamic IP/port rules)</P><P>Security rules: 10000</P><P></P><P>4050/4060</P><P>Total NAT rules: 4000 (max of 200 dynamic IP/port rules and 2000 dynamic IP rules)</P><P>Security rules: 20000</P></BODY></HTML> Thu, 25 Feb 2010 21:45:10 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37849#M27698 mjacobsen 2010-02-25T21:45:10Z https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37850#M27699 <HTML><HEAD></HEAD><BODY><P>do you know the max rules on the rest of the Policy categories i.e. SSL decryption, App Override, QOS, and Captive Portal?</P></BODY></HTML> Fri, 26 Feb 2010 13:52:48 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37850#M27699 twhite 2010-02-26T13:52:48Z https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37851#M27700 <HTML><HEAD></HEAD><BODY><P>Here is a CLI command you can run on a device to print out the system limits:</P><P></P><P>show system state filter cfg.general.max*</P><P></P><P>Some of the output is cryptic but hopefully the common ones are easily identifiable.</P><P></P><P>Mike</P></BODY></HTML> Fri, 26 Feb 2010 16:45:39 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37851#M27700 mjacobsen 2010-02-26T16:45:39Z https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37852#M27701 <HTML><HEAD></HEAD><BODY><P>Hi Mike,</P><P></P><P>I have some questions.</P><P>1/ Is the number of dynamic ip/port rules limited to 200 on 2.1.x too?</P><P>2/ Why is the limit defined?</P><P>3/ Will does the number of dynamic-ip/port rules increase?</P><P></P><DIV class="jive-rendered-content"><P>&gt;4020</P><P>&gt;Total NAT rules: 1000 (max of 200 dynamic IP/port rules)</P><P>&gt;Security rules: 10000</P><P style="padding: 0px; min-height: 8pt; height: 8pt;">&gt;</P><P>&gt;4050/4060</P><P>&gt;Total NAT rules: 4000 (max of 200 dynamic IP/port rules and 2000 dynamic IP rules)</P><P>&gt;Security rules: 20000</P><P></P><P>Regards,</P><P>Tomoyuki Komure</P></DIV></BODY></HTML> Tue, 02 Mar 2010 04:32:31 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37852#M27701 migration 2010-03-02T04:32:31Z https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37853#M27702 <HTML><HEAD></HEAD><BODY><P>1. Not sure. The same command mentioned earlier should allow you to check that.</P><P>2. Each rule consumes resources.</P><P>3. We are considering increasing this limit in future releases.</P></BODY></HTML> Tue, 02 Mar 2010 06:51:39 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37853#M27702 mjacobsen 2010-03-02T06:51:39Z https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37854#M27703 <HTML><HEAD></HEAD><BODY><P>Hi Mike,</P><P></P><P>I have a same scenario with the 5000 platform.</P><P>Can you please give me the details for the limitations:</P><P>Error: Number of dynamic-ip-and-port rules (401) exceeds vsys capacity (400)</P><P></P><P>I see the command above gives us a general perception of max limitations on box.</P><P>For NAT this is what I see,</P><P>cfg.general.max-nat-policy-rule</P><P></P><P>Thanks</P><P>Samshodh</P></BODY></HTML> Mon, 16 Apr 2012 13:03:52 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-4000-security-and-nat-quot-add-rule-quot-configuration-limit/m-p/37854#M27703 Phoenix 2012-04-16T13:03:52Z