New Features

External resource entry limit enhancements 7.4.4

The external resource entry limit is now global, and file size restrictions change according to the device model. This allows for a more flexible and optimized use of resources, tailored to the specific capabilities and requirements of the different device models.

If VDOMs are enabled, global entries are counted first, then VDOM entries in alphabetical order based on the VDOMs' names.

If more than the maximum number of entries are added, the most recently added entries are truncated, unless the order is manually changed. The entry order can be changed using the move CLI command. For example:

config system external-resource
    move "entry2" before "entry1"
end

The following table lists the maximum number of each type of entry and the file size limit for each model range:

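|                      | High-End (Data Center) | Mid-Range (Campus) | Entry-Level (Branch) |
|----------------------|------------------------|--------------------|----------------------|
| Category             | 2 000 000              | 300 000            | 150 000              |
| IP address           | 300 000                | 300 000            | 300 000              |
| Domain               | 5 000 000              | 3 000 000          | 1 000 000            |
| MAC                  | 1 000 000              | 1 000 000          | 1 000 000            |
| File size limit (MB) | 128                    | 64                 | 32                   |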

For example, a FortiGate 601E, a mid-range device, is configured as follows:

  • global VDOM: One threat feed, g-category-push, with one entry.

  • root VDOM: One threat feed, r-category-push, with one entry.

  • vd1 VDOM: Two threat feeds, v‑category‑300000 with 300000 entries first, and v‑category‑push with one entry second.

  • vd2 VDOM: One threat feed, z-category-push, with one entry.

There are more than 300000 entries, so some of the entries will be truncated.

  • The global VDOM is counted first, so its entry is kept:

    FGT (global)# diagnose sys external-resource stats
    name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
  • The root VDOM is alphabetically before the vd1 and vd2 VDOMs, so its entry is kept:

    FGT (root)# diagnose sys external-resource stats
    name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
    name: r-category-push; uuid_idx: 746; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
  • The vd1 VDOM is next alphabetically. The maximum number of entries is 300000, so 299998 entries from the v‑category‑300000 threat feed are kept, and no entries from the v‑category‑push feed:

    FGT (vd1)# diagnose sys external-resource stats
    name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
    name: v-category-300000; uuid_idx: 863; type: category; update_method: feed; truncated total lines: 300000; valid lines: 299999; error lines: 1; used: no; buildable: 299998; total in count file: 300000;
    name: v-category-push; uuid_idx: 868; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: yes; buildable: 0; total in count file: 1;
  • The vd2 VDOM is last alphabetically and the maximum number of entries has already been reached, so all of its entries are truncated:

    FGT (vd2)# diagnose sys external-resource stats
    name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
    name: z-category-push; uuid_idx: 989; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 0; total in count file: 1;
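
The following Python parser is an added example, not part of the Fortinet documentation. It reads the `diagnose sys external-resource stats` output shown above and lists the feeds that lost entries to the global limit, so that a silently truncated threat feed can be caught in monitoring. Reading `buildable` as the number of entries kept is inferred from this page's example, and the function names are hypothetical.

```python
import re

MID_RANGE_CATEGORY_LIMIT = 300_000  # category limit for mid-range models, from the page's table
# Sample input: the four per-VDOM outputs from the page's FortiGate 601E example.
SAMPLE = """\
FGT (global)# diagnose sys external-resource stats
name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
FGT (root)# diagnose sys external-resource stats
name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
name: r-category-push; uuid_idx: 746; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
FGT (vd1)# diagnose sys external-resource stats
name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
name: v-category-300000; uuid_idx: 863; type: category; update_method: feed; truncated total lines: 300000; valid lines: 299999; error lines: 1; used: no; buildable: 299998; total in count file: 300000;
name: v-category-push; uuid_idx: 868; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: yes; buildable: 0; total in count file: 1;
FGT (vd2)# diagnose sys external-resource stats
name: g-category-push; uuid_idx: 606; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 1; total in count file: 1;
name: z-category-push; uuid_idx: 989; type: category; update_method: push; total lines: 1; valid lines: 1; error lines: 0; used: no; buildable: 0; total in count file: 1;
"""

def parse_stats(text):
    """One dict per feed line, tagged with the VDOM from the preceding prompt."""
    feeds, vdom = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.search(r"\(([^)]+)\)#", line)  # CLI prompt, e.g. "FGT (vd1)#"
        if m:
            vdom = m.group(1)
        elif line.startswith("name:"):
            rec = {"vdom": vdom}
            for field in filter(None, map(str.strip, line.split(";"))):
                key, _, val = field.partition(":")
                key, val = key.replace("truncated ", "").strip(), val.strip()
                rec[key] = int(val) if val.isdigit() else val
            feeds.append(rec)
    return feeds

def unique_feeds(feeds):
    """Drop repeats: the global feed is listed again in every VDOM's output."""
    uniq = {}
    for f in feeds:
        uniq.setdefault(f["uuid_idx"], f)  # keep the first sighting
    return list(uniq.values())

def truncated_feeds(feeds):
    """(vdom, name, dropped) where fewer entries were built than were valid."""
    return [(f["vdom"], f["name"], f["valid lines"] - f["buildable"])
            for f in unique_feeds(feeds) if f["buildable"] < f["valid lines"]]

def total_buildable(feeds, rtype="category"):
    """Entries actually built for one resource type, to compare with the limit."""
    return sum(f["buildable"] for f in unique_feeds(feeds) if f["type"] == rtype)
```

On the sample, `truncated_feeds(parse_stats(SAMPLE))` reports both vd1 feeds and the vd2 feed, and `total_buildable` equals the mid-range category limit of 300000.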
