PA-5020 NAT Limitations ?

Reply
L3 Networker

PA-5020 NAT Limitations ?

All,

We're in the process of doing a Checkpoing to PA conversion and we think we've found a possible show stopping issue. On our Checkpoints we have a large number of NATs that we need to port over. Our vendor runs through the conversion tool and generates a config for us, when we Commit it to the 5020's we get the following error:

Error: Number of nat rules (1087) exceeds vsys capacity (1000)

Seems crazy that the high end PA's would have such a limitation, where as a 6 year old SPLAT box doesn't..

So, are we sunk?

Thanks!

-Steve

Tags (2)
L6 Presenter

Re: PA-5020 NAT Limitations

Hi...Yes, the PA5020 only supports 1,000 NAT rules. The higher 5000 models can go up to 8,000 NAT rules.

Do you have contiguous IP addresses that can be grouped together to reduce the NAT rules. For example, if you have 4 NAT rules:

10.10.10.10.1 ==> 190.10.10.1

10.10.10.10.2 ==> 190.10.10.2

10.10.10.10.3 ==> 190.10.10.3

10.10.10.10.4 ==> 190.10.10.4

We can group them into one rule:

10.10.10.10.1-4 ==> 190.10.10.1-4

Thanks.

L3 Networker

Re: PA-5020 NAT Limitations

Ohhh.. That's not good.. We might be able to rework some of the NATs, but in the long run having that low limit is quite an issue..

Thanks!

-Steve

L6 Presenter

Re: PA-5020 NAT Limitations

Did you escalate this as a supportcase through your sales engineer?

Also go through and verify so not the convert script did any bad converts.

You can also setup nat based on zones if im not mistaken.

L4 Transporter

Re: PA-5020 NAT Limitations

I know it's a bit offtopic, but personally I think it's not a good idea to convert a CP Policy one to one to a PA Policy. CP for example does not have a zone concept which PA has. Also by just converting the policy you actually degrade the PA FW to a port based Firewall.

In my opinion the conversion might serve for a starting point in order to go from there and build a new PA Security Policy. Usually this way the amount of Rules can be reduced significantly.

rgds Roland

L3 Networker

Re: PA-5020 NAT Limitations

We're working with our vendor and PA for resolution, right now we're in a holding pattern...

We realize that using the conversion tool isn't the ideal way to go, but due to time contraints and other things we're going to initially use the tool, then once we have everything in place and working we're going to rework the policy rule by rule to get everything updated into Palo-Alto speak! :smileyhappy:

Our replacement is in 3 phases, so the hope is to have everything reworked by the end of phase 3..

Now, if we could just get going on phase 1 we'd be in much better shape!

-Steve

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!