Dynamic IP and Port (DIPP) NAT allows you to use each
translated IP address and port pair multiple times (8, 4, or 2 times)
in concurrent sessions. This reusability of an IP address and port
(known as oversubscription) provides scalability for customers who
have too few public IP addresses. The design is based on the assumption
that hosts are connecting to different destinations, therefore sessions
can be uniquely identified and collisions are unlikely. The oversubscription
rate in effect multiplies the original size of the address/port
pool to 8, 4, or 2 times the size. For example, the default limit
of 64K concurrent sessions allowed, when multiplied by an oversubscription
rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the
model. The oversubscription rate is global; it applies to the firewall.
This oversubscription rate is set by default and consumes memory,
even if you have enough public IP addresses available to make oversubscription
unnecessary. You can reduce the rate from the default setting to
a lower setting or even 1 (which means no oversubscription). By
configuring a reduced rate, you decrease the number of source device
translations possible, but increase the DIP and DIPP NAT rule capacities.
To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select
, your explicit
configuration of oversubscription is turned off and the default
oversubscription rate for the model applies, as shown in the table
for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription
rate for each model.
The firewall supports a maximum of 256 translated IP addresses
per NAT rule, and each model supports a maximum number of translated
IP addresses (for all NAT rules combined). If oversubscription causes
the maximum translated addresses per rule (256) to be exceeded,
the firewall will automatically reduce the oversubscription ratio
in an effort to have the commit succeed. However, if your NAT rules
result in translations that exceed the maximum translated addresses
for the model, the commit will fail.