Administration Guide

Appendix B: Maximum configuration values

These tables provide the maximum number of configuration objects for FortiWeb products. They are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.

Maximum number of ADOMs, policies, & server pools per appliance

Columns (in order): FortiWeb model; Maximum ADOMs; Maximum server policies; Maximum server pools; Maximum number of domains in ML policies
FortiWeb 100D 0 32 256 4
FortiWeb 400C 32 64 256 6
FortiWeb 400D 32 64 256 6
FortiWeb 600D 32 96 384 16
FortiWeb 1000D 64 256 512 32
FortiWeb 1000E 64 256 512 32
FortiWeb 2000E 64 256 512 64
FortiWeb 3000C 32 256 256 16
FortiWeb 3000CFsx 32 256 256 16
FortiWeb 3000D 64 512 512 32
FortiWeb 3000DFsx 64 512 512 32
FortiWeb 3000E 64 512 512 64
FortiWeb 3010E 64 512 512 64
FortiWeb 4000C 32 512 256 32
FortiWeb 4000D 64 1024 1024 64
FortiWeb 4000E 64 1024 1024 128
FortiWeb-VM:

  • Maximum ADOMs: varies with memory size: 4 (memory < 4G); 12 (memory < 8G); 32 (memory < 16G); 64 (memory >= 16G)
  • Maximum server policies: for details, see Maximum values on FortiWeb-VM.
  • Maximum server pools: 256
  • Maximum number of domains in ML policies: varies with memory size: 4 (memory <= 4G); 8 (memory <= 8G); 16 (memory <= 16G); 32 (memory > 16G)

Due to resource constraints, the maximums for certain objects apply to each appliance globally and you cannot increase them by adding ADOMs. The maximums for other objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs. For example, for a FortiWeb 1000D, you can configure up to 1024 URL Access policies for each of the 32 possible ADOMs because the limit applies to each ADOM, not the appliance. However, because the limit for server policies is a global one that applies to the appliance, you can configure only 256 server policies, regardless of how many ADOMs you use.

Depending on the RAM available, adding the maximum number of objects to multiple ADOMs can have an impact on your FortiWeb's performance. Fortinet recommends that you do not add the maximum number of objects in all ADOMs.

Per appliance configuration maximums

Web UI item Main table Sub-table
System

Network

Interface 512 (total VLAN interfaces) N/A

Virtual IP 1024 N/A

Policy Route 200 N/A
Static Route 256 N/A
Certificates

Local 512 N/A
Multi-certificate 256 N/A
OCSP Stapling 256 N/A
SNI 1024 512
CA 256 N/A
TSL CA 256 N/A
CA Group 256 256
Sign CA 256 N/A
Intermediate CA 256 N/A
Intermediate CA Group 256 256
CRL 256 N/A
CRL Group 256 256
Certificate Verify 256 N/A
Server Certificate Verify 256 N/A
URL Certificate 256 256
Public Key Pinning 256 N/A

Server Certificate 256 256
Client Certificate 256 256
Client Certificate Group 256 256

Per ADOM configuration maximums

Web UI item Main table Sub-table
Web Protection Profile Inline Protection Profile 256 N/A
Offline Protection Profile 256 N/A
Server Objects
Virtual Server 256 N/A
Server Pool: For details, see Maximum number of ADOMs, policies, & server pools per appliance.
Health Check: For details, see Per appliance configuration maximums.

Persistence
HTTP Content Routing 512 256
Protected Hostnames 256 256
Service Predefined 5 N/A
Custom 256 N/A
Traffic Mirror 256 256
Global

Known Search Engines N/A (Predefined list. Can't be edited) N/A
Predefined Global White List N/A (Predefined list. Can't be edited) N/A
Custom Global White List 256 N/A
Data Type No limit N/A
Custom Data Type 256 N/A
X-Forwarded-For 256 256
Application Delivery
URL Rewriting Policy URL Rewriting Policy 256 256
URL Rewriting Rule 256 10
Authentication Policy Authentication Policy 256 256
Authentication Rule 256 256
Site Publish

Site Publish Policy 256 256
Site Publish Rule 256 N/A
Keytab File 256 N/A
Authentication Server Pool 256 256
Service Principal Name Pool 256 256
Compression File Compress Policy 256 10
Exclusion Rule 256 256
Caching Web Cache Policy 256 256
Web Cache Exception 256 256
Web Protection
Known attacks Signatures/Exceptions 64 Enabled main classes: 64
Disabled sub-classes: 256
Disabled signature table: 2048
Filter table: 128
Alert-only table: 1024
Disabled False Positive Mitigation table: 256
Global Disable Signature 1024 N/A
Custom Signature Group 256 64
Custom Signature 256 256
Advanced Protection Custom Policy 1024 1024
Custom Rule 1024 Source IPv4/IPv6: 256
URL: 256
HTTP Header: 256
Access Rate Limit: 1
Signature main class: 256
Signature sub-class: 256
Signature: 10240
Custom signature: 1
Transaction Timeout: 1
Response Code: 256
Content Type: 1
Packet Interval Timeout: 1
Parameter: 256
Occurrence: 1
Padding Oracle Protection 256 256
CSRF Protection Rule 256 256
HTTP Header Security Policy 256 256
Man in the Browser Protection Rule 256 256
Man in the Browser Protection Policy 256 256
Input Validation Parameter Validation Policy 256 1024
Parameter Validation Rule 1024 192
Hidden Fields Policy 256 256
Hidden Fields Rule 256 32 (Hidden Fields Table)
10 (Post URL Table)

File Security Policy 256 256
File Security Rule 256 256
Protocol

HTTP Protocol Constraints 256 N/A
HTTP Constraints Exception 256 32
WebSocket Security Policy 256 256
WebSocket Security Rule 256 256
Access Brute Force 256 256
URL Access Policy 1024 1024
URL Access Rule 1024 32
Page Access 256 16
Start Pages 256 32
Allow Method Policy 256 256
Allow Method Exceptions 256 32
IP List 256 256
Geo IP 256 240
Geo IP Exceptions 256 256
Allowed Origin 256 256
CORS Protection Rule 256 256
CORS Protection Policy 256 256
DoS Protection
Application HTTP Access Limit 256 N/A
Malicious IPs 256 N/A
HTTP Flood Prevention 256 N/A
Network TCP Flood Prevention 256 N/A
DoS Protection Policy 256 N/A
IP Reputation
Exceptions 256 N/A
Tracking
User Tracking User Tracking Rule 256 10
User Tracking Policy 256 256
Device Reputation Device Reputation Exceptions 256 22
Device Reputation Security Policy 256 N/A
Machine Learning
Anomaly Detection Policy 256 256
Bot Detection Policy 256 256
Machine Learning Templates URL Replacer Rule 256 256
URL Replacer Rule 256 256
Predefined Pattern Data Type Group 256 512
Data Type None N/A
URL Pattern None N/A
Suspicious URL 256 512
Custom Pattern Data Type 256 N/A
Suspicious URL Policy 256 64
Suspicious URL Rule 256 N/A
Application Templates Application Policy 256 256
URL Replacer 256 N/A
Web Vulnerability Scan
Web Vulnerability Scan Policy 256 N/A
Scan Profile Scan Profile 256 N/A
Scan Template 256 N/A
Web Vulnerability Scan Schedule 256 N/A
Scanner Integration 256 N/A
API Protection
JSON Protection
JSON Protection Policy 256 256
JSON Protection Rule 256 N/A
JSON Schema 256 N/A
XML Protection
XML Protection Policy 256 256
XML Protection Rule 256 N/A
XML Schema 256 N/A
WSDL 256 N/A
Exempted URLs 256 256
WS-Security Rule 256 256
OpenAPI Validation Policy
OpenAPI Validation Policy 256 256
OpenAPI File 256 N/A
API Gateway
API User 256 N/A
API User Group 256 256
API Gateway Rule 256 N/A
API Gateway Policy 256 256
Bot Mitigation
Biometrics Based Detection 256 256
Threshold Based Detection 256 N/A
Bot Deception 256 256
Bot Mitigation Policy 256 N/A
Mobile API Protection Policy 256 256
Mobile API Protection Rule 256 256

Maximum values on FortiWeb-VM

FortiWeb-VM has 4 virtual network interfaces (vNICs, or virtual ports).

The maximum number of server policies initially varies by the maximum amount of virtual memory (vRAM) available to FortiWeb-VM in VMware, up to a hard limit. FortiWeb-VM allows up to 20 policies for the first 1 GB of vRAM, then an additional 15 policies per additional 1 GB of vRAM, up to a maximum of 150 server policies.

In other words, at first, the server policy limit increases linearly with vRAM. But after 10 GB of vRAM, further increasing the vRAM no longer has an effect. 11 GB or more vRAM allows up to 150 server policies. Keep in mind that increasing the vRAM may still benefit performance.
