deleteVIP() does not check 1:1 NAT and Outbound NAT rules
It is possible to delete the Virtual IP that is used in 1:1 NAT rules (destination) and Outbound NAT rules (Translation Address)
additional input checks needed
see also #12356
Updated by Viktor Gurov about 1 month ago
Updated by Jim Pingle about 1 month ago
This should not be enforced strictly. Not all NAT rules need a VIP. It's possible someone may be removing an unnecessary VIP if upstream changed to routing an address to the firewall, for example. Or it may be an 'other' type VIP which isn't needed at all.
We don't have a good way to determine if it's necessary since it depends on the end user environment and how their upstream delivers the traffic to the firewall.
Unlike with IPsec, NAT rules don't use an address as an interface binding, so the two scenarios are not equivalent.