Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity of 400"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity of 400"

L1 Bithead

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-rule-capacities

describes the NAT Rule capacities as follows:

-----

The number of NAT rules allowed is based on the firewall model. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule.

-----

 

The last sentence is unclear? I believe the limit is based on the number of NAT rules in Policies->NAT .

Or does oversubscription also affect this NAT rule capacity somehow?

Or does it mean if my oversubscription is 2x, and I have 5 of these rules, then I have 10 NAT rules used out of 400??

 

Is there a CLI that shows how many NAT rules (eg. out of the 400) are currently in use?

 

Regards ... Leslie

1 accepted solution

Accepted Solutions

L7 Applicator

 

Bi-directional NAT rules create 2 different NAT policies, even though one rule is in place. That may be tripping you up.

 

You can see all the rules in place (not including disabled rules) with the CLI command:

> show running nat-policy

 

If you want to only see the rule numbers themselves, add a match criteria such as:

> show running nat-policy | match index

 

That will spit out only the index numbers of the rules. 

 

View solution in original post

1 REPLY 1

L7 Applicator

 

Bi-directional NAT rules create 2 different NAT policies, even though one rule is in place. That may be tripping you up.

 

You can see all the rules in place (not including disabled rules) with the CLI command:

> show running nat-policy

 

If you want to only see the rule numbers themselves, add a match criteria such as:

> show running nat-policy | match index

 

That will spit out only the index numbers of the rules. 

 

  • 1 accepted solution
  • 6908 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!