Wednesday 24 May 2017

Palo Alto - How to Check the NAT Buffer Pool

Details


To display the NAT IP pool cache, run the show running ippool command:

> show running ippool

VSYS 1 has 3 NAT rules, DIP and DIPP rules:
Rule                             Type            Used       Available  Mem Size Ratio
-------------------------------- --------------- ---------- ---------- -------- -----
Trusted-to-Untrusted             Dynamic IP/Port 273        128751        20336    2

In the above example from PAN-OS 7.1, the NAT rule Trusted-to-Untrusted is currently using 273 buffers, with 128751 still available for NAT operation.
The RATIO is also known as the over-subscription rate. It varies by platform; this example is from a PA-200. It specifies the number of sessions from one source IP and port combination to different destination IPs that can share the same translated source port.

There are a total of 65536 TCP ports. The first 1024 are reserved, leaving the firewall with 64512 to choose from in a DIPP (dynamic IP-and-port) NAT rule. Multiply 64512 by the ratio and the product is the total number of ports available, 129024, which is the sum of 273 and 128751 in the output above.
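As an added example that is not part of the original post, the following Python parses the show running ippool table above and applies the same arithmetic: for a DIPP rule, Used plus Available should equal 64512 times the ratio, and a pool that is close to full is worth flagging before new translations start failing. The Type column values and the 80% warning threshold are assumptions.

```python
from typing import NamedTuple

# Constructed sample: the PAN-OS 7.1 table shown above (PA-200, ratio 2).
SAMPLE_OUTPUT = """\
VSYS 1 has 3 NAT rules, DIP and DIPP rules:
Rule                             Type            Used       Available  Mem Size Ratio
-------------------------------- --------------- ---------- ---------- -------- -----
Trusted-to-Untrusted             Dynamic IP/Port 273        128751        20336    2
"""
USABLE_PORTS = 65536 - 1024                      # 64512 translation ports; 0-1023 are reserved
KNOWN_TYPES = ("Dynamic IP/Port", "Dynamic IP")  # assumed Type column values for DIPP and DIP


class PoolRow(NamedTuple):
    rule: str
    nat_type: str
    used: int
    available: int
    mem_size: int
    ratio: int


def parse_ippool(output: str) -> list[PoolRow]:
    """Parse the rule rows of 'show running ippool'; banner/header lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.rsplit(None, 4)             # the last four columns are numeric
        if len(parts) != 5 or not all(p.isdigit() for p in parts[1:]):
            continue
        head, used, avail, mem, ratio = parts
        nat_type = next((t for t in KNOWN_TYPES if head.endswith(t)), None)
        if nat_type is None:
            continue
        rule = head[: -len(nat_type)].strip()    # rule names may contain spaces
        rows.append(PoolRow(rule, nat_type, int(used), int(avail), int(mem), int(ratio)))
    return rows


def check_pool(row: PoolRow, warn_at: float = 0.8) -> list[str]:
    """Findings for one rule: DIPP pool size not equal to 64512*ratio, or heavy usage."""
    total = row.used + row.available
    expected = USABLE_PORTS * row.ratio          # the page's arithmetic: 64512 * 2 = 129024
    findings = []
    if row.nat_type == "Dynamic IP/Port" and total != expected:
        findings.append(f"{row.rule}: used+available={total}, expected {expected}")
    if total and row.used / total >= warn_at:
        findings.append(f"{row.rule}: {row.used / total:.0%} of pool in use")
    return findings
```

Running check_pool over every row returned by parse_ippool gives a quick capacity check that can be scheduled against the CLI output.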

To reclaim the NAT buffers, which only clears the stale buffers and not the current NAT which is in use in an existing session, run the following command:
> debug dataplane nat sync-ippool rule <rulename>

To clear the value and all sessions, run the following command:
> clear session all

To check a specific NAT rule IP pool usage, use the show running nat-rule-ippool show-freelist yes rule <NAT-rule-name> command:

> show running nat-rule-ippool show-freelist yes rule Trusted-to-Untrusted
VSYS 1 Rule yes:
Rule: Trusted-to-Untrusted, Pool index: 1, memory usage: 20336
-----------------------------------------
Oversubscription Ratio:                2
Number of Allocates:               34285
Last Allocated Index:               1339

Oversubscription Ratio:
  • Indicates the number of sessions from one source IP and port combination to different destination IPs that can use the same source port in the translation.
