02-06-2012 01:42 PM
All,
We're in the process of doing a Checkpoint to PA conversion and we think we've found a possible show-stopping issue. On our Checkpoints we have a large number of NATs that we need to port over. Our vendor runs through the conversion tool and generates a config for us; when we commit it to the 5020s we get the following error:
Error: Number of nat rules (1087) exceeds vsys capacity (1000)
Seems crazy that the high-end PAs would have such a limitation, whereas a 6-year-old SPLAT box doesn't..
So, are we sunk?
Thanks!
-Steve
02-06-2012 01:53 PM
Hi...Yes, the PA5020 only supports 1,000 NAT rules. The higher 5000 models can go up to 8,000 NAT rules.
Do you have contiguous IP addresses that can be grouped together to reduce the NAT rules. For example, if you have 4 NAT rules:
10.10.10.10.1 ==> 190.10.10.1
10.10.10.10.2 ==> 190.10.10.2
10.10.10.10.3 ==> 190.10.10.3
10.10.10.10.4 ==> 190.10.10.4
We can group them into one rule:
10.10.10.10.1-4 ==> 190.10.10.1-4
Thanks.
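An added example (not from this thread or from Palo Alto Networks) of the grouping suggested above: it parses constructed "orig ==> translated" lines, merges runs where the original and translated addresses both advance by one into equal-size range rules, and checks the result against the 1,000-rule capacity quoted in the commit error. The sample addresses and the "==>" line format are assumptions.

```python
import ipaddress

# Per-vsys NAT rule capacity from the commit error quoted in this thread (PA-5020).
VSYS_NAT_CAPACITY = 1000

# Constructed sample: four contiguous 1:1 rules, a gap, and one rule whose
# translated address does not follow the sequence.
SAMPLE_NATS = """
10.10.10.1 ==> 190.10.10.1
10.10.10.2 ==> 190.10.10.2
10.10.10.3 ==> 190.10.10.3
10.10.10.4 ==> 190.10.10.4
10.10.10.6 ==> 190.10.10.6
10.10.10.7 ==> 190.10.10.20
"""

def parse_static_nats(text):
    """Parse 'orig ==> translated' lines into (orig, xlat) IPv4 address pairs."""
    pairs = []
    for line in text.strip().splitlines():
        orig, xlat = (part.strip() for part in line.split("==>"))
        pairs.append((ipaddress.IPv4Address(orig), ipaddress.IPv4Address(xlat)))
    return pairs

def merge_contiguous(pairs):
    """Collapse 1:1 rules into ranges only where both sides step by exactly one,
    so every host keeps the same translation it had as a single rule."""
    ranges = []  # entries are (orig_first, orig_last, xlat_first, xlat_last)
    for orig, xlat in sorted(pairs, key=lambda p: int(p[0])):
        if ranges:
            o_first, o_last, x_first, x_last = ranges[-1]
            if orig == o_last + 1 and xlat == x_last + 1:
                ranges[-1] = (o_first, orig, x_first, xlat)
                continue
        ranges.append((orig, orig, xlat, xlat))
    return ranges

def format_rule(rule):
    """Render a merged entry as a single address or an equal-size address range."""
    o_first, o_last, x_first, x_last = rule
    if o_first == o_last:
        return f"{o_first} ==> {x_first}"
    return f"{o_first}-{o_last} ==> {x_first}-{x_last}"

def fits_vsys(rules, capacity=VSYS_NAT_CAPACITY):
    """True when the rule count would pass the vsys capacity check at commit."""
    return len(rules) <= capacity

if __name__ == "__main__":
    merged = merge_contiguous(parse_static_nats(SAMPLE_NATS))
    for rule in merged:
        print(format_rule(rule))
    print(f"{len(merged)} rules, fits vsys: {fits_vsys(merged)}")
```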
02-06-2012 02:25 PM
Ohhh.. That's not good.. We might be able to rework some of the NATs, but in the long run having that low limit is quite an issue..
Thanks!
-Steve
02-07-2012 12:34 AM
Did you escalate this as a support case through your sales engineer?
Also go through and verify that the convert script did not do any bad converts.
You can also set up NAT based on zones, if I'm not mistaken.
02-07-2012 01:10 AM
I know it's a bit off-topic, but personally I think it's not a good idea to convert a CP policy one-to-one to a PA policy. CP, for example, does not have a zone concept, which PA has. Also, by just converting the policy you actually degrade the PA FW to a port-based firewall.
In my opinion the conversion might serve for a starting point in order to go from there and build a new PA Security Policy. Usually this way the amount of Rules can be reduced significantly.
rgds Roland
02-07-2012 08:05 AM
We're working with our vendor and PA for resolution, right now we're in a holding pattern...
We realize that using the conversion tool isn't the ideal way to go, but due to time constraints and other things we're going to initially use the tool, then once we have everything in place and working we're going to rework the policy rule by rule to get everything updated into Palo-Alto speak!
Our replacement is in 3 phases, so the hope is to have everything reworked by the end of phase 3..
Now, if we could just get going on phase 1 we'd be in much better shape!
-Steve