The number of NAT rules allowed is based on the firewall
platform. Individual rule limits are set for static, Dynamic IP
(DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number
of rules used for these NAT types cannot exceed the total NAT rule
capacity. For DIPP, the rule limit is based on the oversubscription
setting (8, 4, 2, or 1) of the firewall and the assumption of one
translated IP address per rule. To see platform-specific NAT rule
limits and translated IP address limits, use the Compare Firewalls tool.
Consider the following when working with NAT rules:
- If you run out of pool resources, you cannot create more
  NAT rules, even if the platform’s maximum rule count has not been
- If you consolidate NAT rules, the logging and reporting will
  also be consolidated. Statistics are provided per rule,
  not for each address within the rule. If you need granular
  logging and reporting, do not combine the rules.