01-09-2019 12:46 PM
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-rule-capacities
describes the NAT Rule capacities as follows:
-----
The number of NAT rules allowed is based on the firewall model. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule.
-----
The last sentence is unclear. I believe the limit is based on the number of NAT rules in Policies -> NAT.
Or does oversubscription also affect this NAT rule capacity somehow?
Or does it mean if my oversubscription is 2x, and I have 5 of these rules, then I have 10 NAT rules used out of 400?
Is there a CLI command that shows how many NAT rules (e.g. out of the 400) are currently in use?
Regards ... Leslie
01-09-2019 01:30 PM
Bi-directional NAT rules create 2 different NAT policies, even though one rule is in place. That may be tripping you up.
You can see all the rules in place (not including disabled rules) with the CLI command:
> show running nat-policy
If you want to see only the rule numbers themselves, add a match criterion such as:
> show running nat-policy | match index
That will spit out only the index numbers of the rules.
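As an added example (not from this thread or from Palo Alto Networks), the following Python script counts installed NAT policy entries per translation type from a running-config XML export, skipping disabled rules and counting a bi-directional static rule twice, as the reply above notes. The element names are assumed from the PAN-OS rulebase schema and the sample configuration is constructed.

```python
# Added example: count installed NAT policy entries from PAN-OS running-config XML.
# Assumed schema: <nat><rules><entry> holding <source-translation> with one of
# static-ip / dynamic-ip / dynamic-ip-and-port, <bi-directional>yes</bi-directional>
# under static-ip, <disabled>yes</disabled> on disabled rules. Sample XML is constructed.
import xml.etree.ElementTree as ET
from collections import Counter
SAMPLE_XML = """<rulebase><nat><rules>
<entry name="web-static"><source-translation><static-ip>
  <translated-address>203.0.113.10</translated-address><bi-directional>yes</bi-directional>
</static-ip></source-translation></entry>
<entry name="lan-outbound"><source-translation><dynamic-ip-and-port>
  <interface-address><interface>ethernet1/1</interface></interface-address>
</dynamic-ip-and-port></source-translation></entry>
<entry name="pool-dip"><source-translation><dynamic-ip>
  <translated-address><member>198.51.100.0/28</member></translated-address>
</dynamic-ip></source-translation></entry>
<entry name="old-rule"><disabled>yes</disabled><source-translation><dynamic-ip-and-port>
  <interface-address><interface>ethernet1/1</interface></interface-address>
</dynamic-ip-and-port></source-translation></entry>
<entry name="dst-only"><destination-translation><translated-address>10.0.0.5</translated-address>
</destination-translation></entry>
</rules></nat></rulebase>"""

SRC_TYPES = ("static-ip", "dynamic-ip", "dynamic-ip-and-port")

def count_nat_entries(xml_text):
    """Counter of installed NAT policy entries keyed by translation type.
    Disabled rules are skipped; a bi-directional static-ip rule counts twice
    because it installs two policies. Destination-only rules key 'destination-only'."""
    counts = Counter()
    for entry in ET.fromstring(xml_text).find("nat/rules").findall("entry"):
        if entry.findtext("disabled") == "yes":
            continue  # disabled rules are not installed and do not consume capacity
        src = entry.find("source-translation")
        kind, weight = "destination-only", 1
        if src is not None:
            for t in SRC_TYPES:
                node = src.find(t)
                if node is not None:
                    kind = t
                    if t == "static-ip" and node.findtext("bi-directional") == "yes":
                        weight = 2  # one configured rule, two NAT policies
                    break
        counts[kind] += weight
    return counts

def capacity_headroom(xml_text, total_capacity):
    """Return (entries_used, entries_remaining) against the model's total NAT rule limit."""
    used = sum(count_nat_entries(xml_text).values())
    return used, total_capacity - used
```

Compare the per-type counts against the per-type limits for your model as well as the total, since the documentation says each type has its own ceiling.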