Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity of 400"

LeslieGomba — Wed, 09 Jan 2019 20:46:54 GMT

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-rule-capacities

describes the NAT Rule capacities as follows:

-----

The number of NAT rules allowed is based on the firewall model. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule.

-----

The last sentence is unclear? I believe the limit is based on the number of NAT rules in Policies->NAT .

Or does oversubscription also affect this NAT rule capacity somehow?

Or does it mean if my oversubscription is 2x, and I have 5 of these rules, then I have 10 NAT rules used out of 400??

Is there a CLI that shows how many NAT rules (eg. out of the 400) are currently in use?

Regards ... Leslie

Re: Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity

gwesson — Wed, 09 Jan 2019 21:30:57 GMT

Bi-directional NAT rules create 2 different NAT policies, even though one rule is in place. That may be tripping you up.

You can see all the rules in place (not including disabled rules) with the CLI command:

> show running nat-policy

If you want to only see the rule numbers themselves, add a match criteria such as:

> show running nat-policy | match index

That will spit out only the index numbers of the rules.

topic Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity of 400" in General Topics

Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity of 400"

Re: Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity