PAT Translations per NAT Source IP on a PA-5000 Series Firewall

Created On 09/25/18 19:43 PM - Last Modified 06/06/23 08:05 AM


Resolution


Overview

The maximum number of Port Address Translation (PAT) translations per NAT source IP is 65536.

However, running the following show session command may show a number greater than 65536:

> show session all filter nat-rule <rule name> count yes

Number of sessions that match filter: 83298.

 

Details

The PA-5000 Series Firewall can reuse each available source port (up to 8 times on the PA-5050 and PA-5060, up to 4 times on the PA-5020). This is called Dynamic IP and Port (DIPP) oversubscription. The firewall can use about 63k source ports per NAT source IP, since the available port range is roughly 1k-64k. Each allocated port can carry up to 8 sessions (4 on the PA-5020), provided each of those sessions is destined to a unique host. This is why the session count reported by the command above can exceed 65536.
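A simplified model of the port-sharing rule described above, added here as an illustration; it is not Palo Alto Networks code and does not represent how PAN-OS allocates ports internally. The `DippPool` class, its method names, the 100-port pool and the `host-N` labels are constructed for the example.

```python
from collections import defaultdict


class DippPool:
    """Toy model of one NAT source IP with DIPP oversubscription."""

    def __init__(self, ports, oversub):
        self.ports = list(ports)        # usable translated source ports
        self.oversub = oversub          # sessions allowed per port: 8 or 4 in the article
        self.users = defaultdict(set)   # port -> destination hosts sharing that port

    def allocate(self, dest_host):
        """Return a source port for a new session to dest_host, or None if exhausted."""
        for port in self.ports:
            hosts = self.users[port]
            # Reuse is allowed only below the oversubscription limit and only
            # when no other session on this port goes to the same host.
            if len(hosts) < self.oversub and dest_host not in hosts:
                hosts.add(dest_host)
                return port
        return None

    def session_count(self):
        """Total sessions currently translated through this source IP."""
        return sum(len(hosts) for hosts in self.users.values())


def fill(pool, dest_hosts):
    """Open one session per destination; return how many got a translation."""
    return sum(1 for host in dest_hosts if pool.allocate(host) is not None)


def demo():
    # Constructed sample: a 100-port pool stands in for the ~63k ports on the firewall.
    unique = DippPool(range(1024, 1124), oversub=8)
    ok_unique = fill(unique, (f"host-{i}" for i in range(900)))  # 900 distinct hosts
    same = DippPool(range(1024, 1124), oversub=8)
    ok_same = fill(same, ["host-0"] * 900)                       # 900 sessions, one host
    return ok_unique, ok_same


if __name__ == "__main__":
    ok_unique, ok_same = demo()
    print(f"unique destinations: {ok_unique} sessions on 100 ports")
    print(f"single destination:  {ok_same} sessions on 100 ports")
```

With unique destinations the pool carries eight sessions per port, while traffic to a single host is still limited to one session per port, so oversubscription does not help when many clients behind the NAT reach the same destination.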

 

owner: shasnain


