Appendix B: Maximum configuration values
These tables provide the maximum number of configuration objects for FortiWeb products. They are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.
Maximum number of ADOMs, policies, & server pools per appliance
FortiWeb model | Maximum ADOMs | Maximum server policies | Maximum server pools | Maximum number of domains in ML policies |
---|---|---|---|---|
FortiWeb 100D | 0 | 32 | 256 | 4 |
FortiWeb 400C | 32 | 64 | 256 | 6 |
FortiWeb 400D | 32 | 64 | 256 | 6 |
FortiWeb 600D | 32 | 96 | 384 | 16 |
FortiWeb 1000D | 64 | 256 | 512 | 32 |
FortiWeb 1000E | 64 | 256 | 512 | 32 |
FortiWeb 2000E | 64 | 256 | 512 | 64 |
FortiWeb 3000C | 32 | 256 | 256 | 16 |
FortiWeb 3000CFsx | 32 | 256 | 256 | 16 |
FortiWeb 3000D | 64 | 512 | 512 | 32 |
FortiWeb 3000DFsx | 64 | 512 | 512 | 32 |
FortiWeb 3000E | 64 | 512 | 512 | 64 |
FortiWeb 3010E | 64 | 512 | 512 | 64 |
FortiWeb 4000C | 32 | 512 | 256 | 32 |
FortiWeb 4000D | 64 | 1024 | 1024 | 64 |
FortiWeb 4000E | 64 | 1024 | 1024 | 128 |
FortiWeb-VM | | For details, see Maximum values on FortiWeb-VM. | 256 | Varies with memory size: |
Due to resource constraints, the maximums for certain objects apply to each appliance globally and you cannot increase them by adding ADOMs. The maximums for other objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs. For example, for a FortiWeb 1000D, you can configure up to 1024 URL Access policies for each of the 32 possible ADOMs because the limit applies to each ADOM, not the appliance. However, because the limit for server policies is a global one that applies to the appliance, you can configure only 256 server policies, regardless of how many ADOMs you use.
Depending on the RAM available, adding the maximum number of objects to multiple ADOMs can have an impact on your FortiWeb's performance. Fortinet recommends that you do not add the maximum number of objects in all ADOMs.
Per appliance configuration maximums
Web UI item | Main table | Sub-table | |
---|---|---|---|
System | |||
Network | Policy Route | 200 | N/A |
Static Route | 256 | N/A | |
Certificates | Local | 512 | N/A |
Multi-certificate | 256 | N/A | |
Remote | 256 | N/A | |
SNI | 1024 | 512 | |
CA | 256 | N/A | |
TSL CA | 256 | N/A | |
CA Group | 256 | 256 | |
Sign CA | 256 | N/A | |
Intermediate CA | 256 | N/A | |
Intermediate CA Group | 256 | 256 | |
CRL | 256 | N/A | |
CRL Group | 256 | 256 | |
Certificate Verify | 256 | N/A | |
Server Certificate Verify | 256 | N/A | |
URL Certificate | 256 | 256 | |
Public Key Pinning | 256 | N/A | |
Server Certificate | 256 | 256 | |
Client Certificate | 256 | 256 | |
Client Certificate Group | 256 | 256 | |
Server Objects | |||
Server | Health Check | 256 (excluding predefined rules) | N/A |
Persistence | 256 | N/A |
Per ADOM configuration maximums
Web UI item | Main table | Sub-table | |
---|---|---|---|
System | |||
Network | Interface | 512 (total VLAN interfaces) | N/A |
Web Protection Profile | Inline Protection Profile | 256 | N/A |
Offline Protection Profile | 256 | N/A | |
Server Objects | |||
Virtual Server | 256 | N/A | |
Server Pool | For details, see Maximum number of ADOMs, policies, & server pools per appliance. | ||
Health Check | For details, see Per appliance configuration maximums. | ||
Persistence | |||
HTTP Content Routing | 512 | 256 | |
Protected Hostnames | 256 | 256 | |
Service | Predefined | 5 | N/A |
Custom | 256 | N/A | |
Traffic Mirror | 256 | 256 | |
Global | Known Search Engines | N/A (Predefined list. Can't be edited) | N/A |
Predefined Global White List | N/A (Predefined list. Can't be edited) | N/A | |
Custom Global White List | 256 | N/A | |
Data Type | No limit | N/A | |
Custom Data Type | 256 | N/A | |
X-Forwarded-For | 256 | 256 | |
Application Delivery | |||
URL Rewriting Policy | URL Rewriting Policy | 256 | 256 |
URL Rewriting Rule | 256 | 10 | |
Authentication Policy | Authentication Policy | 256 | 256 |
Authentication Rule | 256 | 256 | |
Site Publish | Site Publish Policy | 256 | 256 |
Site Publish Rule | 256 | N/A | |
Keytab File | 256 | N/A | |
Authentication Server Pool | 256 | 256 | |
Service Principal Name Pool | 256 | 256 | |
Compression | File Compress Policy | 256 | 10 |
Exclusion Rule | 256 | 256 | |
Caching | Web Cache Policy | 256 | 256 |
Web Cache Exception | 256 | 256 | |
Web Protection | |||
Known attacks | Signatures/Exceptions | 64 | Enabled main classes: 64; Disabled sub-classes: 256; Disabled signature table: 2048; Filter table: 128; Alert-only table: 1024; Disabled False Positive Mitigation table: 256 |
Global Disable Signature | 1024 | N/A | |
Custom Signature Group | 256 | 64 | |
Custom Signature | 256 | 256 | |
Advanced Protection | Custom Policy | 1024 | 1024 |
Custom Rule | 1024 | Source IPv4/IPv6: 256; URL: 256; HTTP Header: 256; Access Rate Limit: 1; Signature main class: 256; Signature sub-class: 256; Signature: 10240; Custom signature: 1; Transaction Timeout: 1; Response Code: 256; Content Type: 1; Packet Interval Timeout: 1; Parameter: 256; Occurrence: 1 | |
Padding Oracle Protection | 256 | 256 | |
CSRF Protection Rule | 256 | 256 | |
HTTP Header Security Policy | 256 | 256 | |
Man in the Browser Protection Rule | 256 | 256 | |
Man in the Browser Protection Policy | 256 | 256 | |
Input Validation | Parameter Validation Policy | 256 | 1024 |
Parameter Validation Rule | 1024 | 192 | |
Hidden Fields Policy | 256 | 256 | |
Hidden Fields Rule | 256 | 32 (Hidden Fields Table); 10 (Post URL Table) | |
File Security Policy | 256 | 256 | |
File Security Rule | 256 | 256 | |
Protocol | HTTP Protocol Constraints | 256 | N/A |
HTTP Constraints Exception | 256 | 32 | |
WebSocket Security Policy | 256 | 256 | |
WebSocket Security Rule | 256 | 256 | |
Access | Brute Force | 256 | 256 |
URL Access Policy | 1024 | 1024 | |
URL Access Rule | 1024 | 32 | |
Page Access | 256 | 16 | |
Start Pages | 256 | 32 | |
Allow Method Policy | 256 | 256 | |
Allow Method Exceptions | 256 | 32 | |
IP List | 256 | 256 | |
Geo IP | 256 | 240 | |
Geo IP Exceptions | 256 | 256 | |
Allowed Origin | 256 | 256 | |
CORS Protection Rule | 256 | 256 | |
CORS Protection Policy | 256 | 256 | |
Web Anti-Defacement | Anti Defacement | 256 | N/A |
Anti-Defacement File Filter | 256 | 256 | |
DoS Protection | |||
Application | HTTP Access Limit | 256 | N/A |
Malicious IPs | 256 | N/A | |
HTTP Flood Prevention | 256 | N/A | |
Network | TCP Flood Prevention | 256 | N/A |
DoS Protection Policy | 256 | N/A | |
IP Reputation | |||
Exceptions | 256 | N/A | |
Tracking | |||
User Tracking | User Tracking Rule | 256 | 10 |
User Tracking Policy | 256 | 256 | |
Device Reputation | Device Reputation Exceptions | 256 | 22 |
Device Reputation Security Policy | 256 | N/A | |
Machine Learning | |||
Anomaly Detection Policy | 256 | 256 | |
Bot Detection Policy | 256 | 256 | |
Machine Learning Templates | URL Replacer Rule | 256 | 256 |
URL Replacer Rule | 256 | 256 | |
Web Vulnerability Scan | |||
Web Vulnerability Scan Policy | 256 | N/A | |
Scan Profile | Scan Profile | 256 | N/A |
Scan Template | 256 | N/A | |
Web Vulnerability Scan Schedule | 256 | N/A | |
Scanner Integration | 256 | N/A | |
API Protection | |||
JSON Protection | JSON Protection Policy | 256 | 256 |
JSON Protection Rule | 256 | N/A | |
JSON Schema | 256 | N/A | |
XML Protection | XML Protection Policy | 256 | 256 |
XML Protection Rule | 256 | N/A | |
XML Schema | 256 | N/A | |
WSDL | 256 | N/A | |
Exempted URLs | 256 | 256 | |
WS-Security Rule | 256 | 256 | |
Maximum values on FortiWeb-VM
FortiWeb-VM has 4 virtual network interfaces (vNICs, or virtual ports).
The maximum number of server policies initially varies by the maximum amount of virtual memory (vRAM) available to FortiWeb-VM in VMware, up to a hard limit. FortiWeb-VM allows up to 20 policies for the first 1 GB of vRAM, then an additional 15 policies per additional 1 GB of vRAM, up to a maximum of 150 server policies.
In other words, at first, the server policy limit increases linearly with vRAM. But after 10 GB of vRAM, further increasing the vRAM no longer has an effect. 11 GB or more vRAM allows up to 150 server policies. Keep in mind that increasing the vRAM may still benefit performance.