Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

system resource-limits

Use this command to configure resource limits that will apply to all VDOMs. When you set a global resource limit, you cannot exceed that resource limit in any VDOM. For example, enter the following command to limit all VDOMs to 100 VPN IPSec Phase 1 tunnels:

config global

config system resource-limits

set ipsec-phase1 100

end

end

With this global limit set, you can add only a maximum of 100 VPN IPSec Phase 1 Tunnels to any VDOM.

You can also edit the resource limits for individual VDOMs to further limit the number of resources that you can add to individual VDOMs. See the system vdom-property command.

A resource limit of 0 means no limit, which means the resource is not being limited by the resource limit configuration. Instead, the resource is limited by other factors. The FortiGate unit limits dynamic resources by the capacity of the FortiGate unit and can vary depending on how busy the system is. Limits for static resources are set by limitations in the FortiGate configuration, as documented in the FortiGate Maximum Values Table.

The default maximum value for each resource depends on the FortiGate model. Dynamic resources (Sessions, Dial-up Tunnels, and SSL VPN) do not have default maximums so the default maximum for dynamic resources is always 0 (meaning unlimited). Static resources may have a limit set or many may be set to 0, which means they are limited by the resource limit configuration.

If you set the maximum resource usage for a VDOM, you cannot reduce the default maximum global limit for all VDOMs below this maximum.

This command is available only when VDOMs are enabled.

config system resource-limits
    set session {integer}   Maximum number of sessions. range[0-4294967295]
    set ipsec-phase1 {integer}   Maximum number of VPN IPsec phase1 tunnels. range[0-4294967295]
    set ipsec-phase2 {integer}   Maximum number of VPN IPsec phase2 tunnels. range[0-4294967295]
    set ipsec-phase1-interface {integer}   Maximum number of VPN IPsec phase1 interface tunnels. range[0-4294967295]
    set ipsec-phase2-interface {integer}   Maximum number of VPN IPsec phase2 interface tunnels. range[0-4294967295]
    set dialup-tunnel {integer}   Maximum number of dial-up tunnels. range[0-4294967295]
    set firewall-policy {integer}   Maximum number of firewall policies (IPv4, IPv6, policy46, policy64, DoS-policy4, DoS-policy6, multicast). range[0-4294967295]
    set firewall-address {integer}   Maximum number of firewall addresses (IPv4, IPv6, multicast). range[0-4294967295]
    set firewall-addrgrp {integer}   Maximum number of firewall address groups (IPv4, IPv6). range[0-4294967295]
    set custom-service {integer}   Maximum number of firewall custom services. range[0-4294967295]
    set service-group {integer}   Maximum number of firewall service groups. range[0-4294967295]
    set onetime-schedule {integer}   Maximum number of firewall one-time schedules. range[0-4294967295]
    set recurring-schedule {integer}   Maximum number of firewall recurring schedules. range[0-4294967295]
    set user {integer}   Maximum number of local users. range[0-4294967295]
    set user-group {integer}   Maximum number of user groups. range[0-4294967295]
    set sslvpn {integer}   Maximum number of SSL-VPN. range[0-4294967295]
    set proxy {integer}   Maximum number of concurrent proxy users. range[0-4294967295]
    set log-disk-quota {integer}   Log disk quota in MB. range[0-4294967295]
end

Additional information

The following section is for those options that require additional explanation.

custom-service <maximum_number>

Enter the maximum number of firewall custom services.

Possible values: 0 to 4294967295.

dialup-tunnel <maximum_number>

Enter the maximum number of dial-up tunnels.

Possible values: 0 to 4294967295.

firewall-address <maximum_number>

Enter the maximum number of firewall addresses.

Possible values: 0 to 4294967295.

firewall-addrgrp <maximum_number>

Enter the maximum number of firewall address groups.

Possible values: 0 to 4294967295.

firewall-policy <maximum_number>

Enter the maximum number of firewall policies.

Possible values: 0 to 4294967295.

ipsec-phase1 <maximum_number>

Enter the maximum number of IPSec phase1 tunnels.

Possible values: 0 to 4294967295.

ipsec-phase2 <maximum_number>

Enter the maximum number of IPSec phase2 tunnels.

Possible values: 0 to 4294967295.

 

log-disk-quota <maximum_MB>

Enter the maximum amount of log disk space available, in MB, for global log messages.

The range of values depends on the amount of hard disk space available.

onetime-schedule <maximum_number>

Enter the maximum number of onetime schedules.

Possible values: 0 to 4294967295.

proxy <maximum_number>

Enter the maximum number of users that can use the explicit proxy at one time.

How the number of concurrent explicit proxy users is determined depends on their authentication method:

  • For session-based authenticated users, each authenticated user is counted as a single user. Since multiple users can have the same user name, the proxy attempts to identify users according to their authentication membership (based on whether they were authenticated using RADIUS, LADAP, FSSO, local database, etc.). If a user of one session has the same name and membership as a user of another session, the explicit proxy assumes this is one user.
  • For IP-based authentication, no authentication, or if no explicit proxy security policy has been added, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.

Possible values: 0 to 4294967295.

recurring-schedule <maximum_number>

Enter the maximum number of recurring schedules.

Possible values: 0 to 4294967295.

service-group <maximum_number>

Enter the maximum number of firewall service groups.

Possible values: 0 to 4294967295.

session <maximum_number>

Enter the maximum number of sessions.

Possible values: 0 to 4294967295.

sslvpn <maximum_number>

Enter the maximum number of SSL VPNs.

Possible values: 0 to 4294967295.

user <maximum_number>

Enter the maximum number of users.

Possible values: 0 to 4294967295.

user-group <maximum_number>

Enter the maximum number of user groups.

Possible values: 0 to 4294967295.

system resource-limits

Use this command to configure resource limits that will apply to all VDOMs. When you set a global resource limit, you cannot exceed that resource limit in any VDOM. For example, enter the following command to limit all VDOMs to 100 VPN IPSec Phase 1 tunnels:

config global

config system resource-limits

set ipsec-phase1 100

end

end

With this global limit set, you can add only a maximum of 100 VPN IPSec Phase 1 Tunnels to any VDOM.

You can also edit the resource limits for individual VDOMs to further limit the number of resources that you can add to individual VDOMs. See the system vdom-property command.

A resource limit of 0 means no limit, which means the resource is not being limited by the resource limit configuration. Instead, the resource is limited by other factors. The FortiGate unit limits dynamic resources by the capacity of the FortiGate unit and can vary depending on how busy the system is. Limits for static resources are set by limitations in the FortiGate configuration, as documented in the FortiGate Maximum Values Table.

The default maximum value for each resource depends on the FortiGate model. Dynamic resources (Sessions, Dial-up Tunnels, and SSL VPN) do not have default maximums so the default maximum for dynamic resources is always 0 (meaning unlimited). Static resources may have a limit set or many may be set to 0, which means they are limited by the resource limit configuration.

If you set the maximum resource usage for a VDOM, you cannot reduce the default maximum global limit for all VDOMs below this maximum.

This command is available only when VDOMs are enabled.

config system resource-limits
    set session {integer}   Maximum number of sessions. range[0-4294967295]
    set ipsec-phase1 {integer}   Maximum number of VPN IPsec phase1 tunnels. range[0-4294967295]
    set ipsec-phase2 {integer}   Maximum number of VPN IPsec phase2 tunnels. range[0-4294967295]
    set ipsec-phase1-interface {integer}   Maximum number of VPN IPsec phase1 interface tunnels. range[0-4294967295]
    set ipsec-phase2-interface {integer}   Maximum number of VPN IPsec phase2 interface tunnels. range[0-4294967295]
    set dialup-tunnel {integer}   Maximum number of dial-up tunnels. range[0-4294967295]
    set firewall-policy {integer}   Maximum number of firewall policies (IPv4, IPv6, policy46, policy64, DoS-policy4, DoS-policy6, multicast). range[0-4294967295]
    set firewall-address {integer}   Maximum number of firewall addresses (IPv4, IPv6, multicast). range[0-4294967295]
    set firewall-addrgrp {integer}   Maximum number of firewall address groups (IPv4, IPv6). range[0-4294967295]
    set custom-service {integer}   Maximum number of firewall custom services. range[0-4294967295]
    set service-group {integer}   Maximum number of firewall service groups. range[0-4294967295]
    set onetime-schedule {integer}   Maximum number of firewall one-time schedules. range[0-4294967295]
    set recurring-schedule {integer}   Maximum number of firewall recurring schedules. range[0-4294967295]
    set user {integer}   Maximum number of local users. range[0-4294967295]
    set user-group {integer}   Maximum number of user groups. range[0-4294967295]
    set sslvpn {integer}   Maximum number of SSL-VPN. range[0-4294967295]
    set proxy {integer}   Maximum number of concurrent proxy users. range[0-4294967295]
    set log-disk-quota {integer}   Log disk quota in MB. range[0-4294967295]
end

Additional information

The following section is for those options that require additional explanation.

custom-service <maximum_number>

Enter the maximum number of firewall custom services.

Possible values: 0 to 4294967295.

dialup-tunnel <maximum_number>

Enter the maximum number of dial-up tunnels.

Possible values: 0 to 4294967295.

firewall-address <maximum_number>

Enter the maximum number of firewall addresses.

Possible values: 0 to 4294967295.

firewall-addrgrp <maximum_number>

Enter the maximum number of firewall address groups.

Possible values: 0 to 4294967295.

firewall-policy <maximum_number>

Enter the maximum number of firewall policies.

Possible values: 0 to 4294967295.

ipsec-phase1 <maximum_number>

Enter the maximum number of IPSec phase1 tunnels.

Possible values: 0 to 4294967295.

ipsec-phase2 <maximum_number>

Enter the maximum number of IPSec phase2 tunnels.

Possible values: 0 to 4294967295.

 

log-disk-quota <maximum_MB>

Enter the maximum amount of log disk space available, in MB, for global log messages.

The range of values depends on the amount of hard disk space available.

onetime-schedule <maximum_number>

Enter the maximum number of onetime schedules.

Possible values: 0 to 4294967295.

proxy <maximum_number>

Enter the maximum number of users that can use the explicit proxy at one time.

How the number of concurrent explicit proxy users is determined depends on their authentication method:

  • For session-based authenticated users, each authenticated user is counted as a single user. Since multiple users can have the same user name, the proxy attempts to identify users according to their authentication membership (based on whether they were authenticated using RADIUS, LADAP, FSSO, local database, etc.). If a user of one session has the same name and membership as a user of another session, the explicit proxy assumes this is one user.
  • For IP-based authentication, no authentication, or if no explicit proxy security policy has been added, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.

Possible values: 0 to 4294967295.

recurring-schedule <maximum_number>

Enter the maximum number of recurring schedules.

Possible values: 0 to 4294967295.

service-group <maximum_number>

Enter the maximum number of firewall service groups.

Possible values: 0 to 4294967295.

session <maximum_number>

Enter the maximum number of sessions.

Possible values: 0 to 4294967295.

sslvpn <maximum_number>

Enter the maximum number of SSL VPNs.

Possible values: 0 to 4294967295.

user <maximum_number>

Enter the maximum number of users.

Possible values: 0 to 4294967295.

user-group <maximum_number>

Enter the maximum number of user groups.

Possible values: 0 to 4294967295.