PA-5020 NAT Limitations ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-5020 NAT Limitations ?

L3 Networker

All,

We're in the process of doing a Checkpoing to PA conversion and we think we've found a possible show stopping issue. On our Checkpoints we have a large number of NATs that we need to port over. Our vendor runs through the conversion tool and generates a config for us, when we Commit it to the 5020's we get the following error:

Error: Number of nat rules (1087) exceeds vsys capacity (1000)

Seems crazy that the high end PA's would have such a limitation, where as a 6 year old SPLAT box doesn't..

So, are we sunk?

Thanks!

-Steve

1 accepted solution

Accepted Solutions

L6 Presenter

Hi...Yes, the PA5020 only supports 1,000 NAT rules. The higher 5000 models can go up to 8,000 NAT rules.

Do you have contiguous IP addresses that can be grouped together to reduce the NAT rules. For example, if you have 4 NAT rules:

10.10.10.10.1 ==> 190.10.10.1

10.10.10.10.2 ==> 190.10.10.2

10.10.10.10.3 ==> 190.10.10.3

10.10.10.10.4 ==> 190.10.10.4

We can group them into one rule:

10.10.10.10.1-4 ==> 190.10.10.1-4

Thanks.

View solution in original post

5 REPLIES 5

L6 Presenter

Hi...Yes, the PA5020 only supports 1,000 NAT rules. The higher 5000 models can go up to 8,000 NAT rules.

Do you have contiguous IP addresses that can be grouped together to reduce the NAT rules. For example, if you have 4 NAT rules:

10.10.10.10.1 ==> 190.10.10.1

10.10.10.10.2 ==> 190.10.10.2

10.10.10.10.3 ==> 190.10.10.3

10.10.10.10.4 ==> 190.10.10.4

We can group them into one rule:

10.10.10.10.1-4 ==> 190.10.10.1-4

Thanks.

Ohhh.. That's not good.. We might be able to rework some of the NATs, but in the long run having that low limit is quite an issue..

Thanks!

-Steve

Did you escalate this as a supportcase through your sales engineer?

Also go through and verify so not the convert script did any bad converts.

You can also setup nat based on zones if im not mistaken.

I know it's a bit offtopic, but personally I think it's not a good idea to convert a CP Policy one to one to a PA Policy. CP for example does not have a zone concept which PA has. Also by just converting the policy you actually degrade the PA FW to a port based Firewall.

In my opinion the conversion might serve for a starting point in order to go from there and build a new PA Security Policy. Usually this way the amount of Rules can be reduced significantly.

rgds Roland

We're working with our vendor and PA for resolution, right now we're in a holding pattern...

We realize that using the conversion tool isn't the ideal way to go, but due to time contraints and other things we're going to initially use the tool, then once we have everything in place and working we're going to rework the policy rule by rule to get everything updated into Palo-Alto speak! Smiley Happy

Our replacement is in 3 phases, so the hope is to have everything reworked by the end of phase 3..

Now, if we could just get going on phase 1 we'd be in much better shape!

-Steve

  • 1 accepted solution
  • 2926 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!