Appendix B: Maximum configuration values
These tables provide the maximum number of configuration objects for FortiWeb products. They are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.
Due to resource constraints, the maximums for certain objects apply to each appliance globally and you cannot increase them by adding ADOMs. For example, the limit for server policies is a global one that applies to the appliance, you can configure only 256 server policies, regardless of how many ADOMs you use.
While the maximums for other objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs. For example, for a FortiWeb 1000D, you can configure up to 1024 URL Access polices for each of the 32 possible ADOMs because the limit applies to each ADOM, not the appliance.
Depending on the RAM available, adding the maximum number of objects to multiple ADOMs can have an impact on your FortiWeb's performance. Fortinet recommends that you do not add the maximum number of objects in all ADOMs.
Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies
The configuration maximums for the following items apply at the appliance level, and the maximums vary on each model, as shown in the following table.
|
FortiWeb model |
ADOMs |
Server policies |
Virtual IPs |
Server Objects |
Domains in all ML policies |
||
|---|---|---|---|---|---|---|---|
| Server pools |
Pool members |
Virtual servers |
|||||
| FortiWeb 100D | 0 | 32 |
1024 |
256 |
1024 |
1024 |
4 |
| FortiWeb 100E | 0 | 32 |
1024 |
256 |
1024 |
1024 |
4 |
| FortiWeb 400C | 32 | 64 |
1024 |
256 |
1024 |
1024 |
6 |
| FortiWeb 400D | 32 | 64 |
1024 |
256 |
1024 |
1024 |
6 |
|
FortiWeb 400E |
32 | 64 |
1024 |
256 |
1024 |
1024 |
6 |
| FortiWeb 600D | 32 | 96 |
1024 |
384 |
1024 |
1024 |
16 |
|
FortiWeb 600E |
32 | 96 |
1024 |
384 |
1024 |
1024 |
16 |
| FortiWeb 1000D | 64 | 256 |
1024 |
512 |
1024 |
1024 |
32 |
| FortiWeb 1000E | 64 | 256 |
1024 |
512 |
1024 |
1024 |
32 |
| FortiWeb 2000E | 64 | 256 |
1024 |
512 |
1024 |
1024 |
64 |
| FortiWeb 3000C | 32 | 256 |
1024 |
256 |
1024 |
1024 |
16 |
| FortiWeb 3000CFsx | 32 | 256 |
1024 |
256 |
1024 |
1024 |
16 |
| FortiWeb 3000D | 64 | 512 |
1024 |
512 |
1024 |
1024 |
32 |
| FortiWeb 3000DFsx | 64 | 512 |
1024 |
512 |
1024 |
1024 |
32 |
| FortiWeb 3000E | 64 | 512 |
1024 |
512 |
1024 |
1024 |
64 |
| FortiWeb 3010E | 64 | 512 |
1024 |
512 |
1024 |
1024 |
64 |
| FortiWeb 4000C | 32 | 512 |
1024 |
256 |
1024 |
1024 |
32 |
| FortiWeb 4000D | 64 | 1024 |
1024 |
1024 |
1024 |
1024 |
64 |
| FortiWeb 4000E | 64 | 1024 |
1024 |
1024 |
1024 |
1024 |
128 |
| FortiWeb-VM |
Varies with memory size:
|
For details, see Maximum values on FortiWeb-VM. |
1024 |
256 |
1024 |
1024 |
Varies with memory size:
|
Per appliance configuration maximums - Network and Certificates
The configuration maximums for Network and Certificates apply also at the appliance level.
For the certificates marked with ^ in the following table, their configuration maximums are increased to 5000 on FortiWeb appliances 1000E, 2000E, 3000E, 3010E, and 4000E. For other models, their configuration maximums are as shown in the table.
| Web UI item | Main table | Sub-table | |
|---|---|---|---|
| System | |||
|
Network
|
Interface | 1024 (total VLAN interfaces) | N/A |
| Policy Route | 250 | N/A | |
| Static Route | 256 | N/A | |
| Certificates
|
Local^ |
512 | N/A |
|
Multi-certificate^ |
256 | N/A | |
| OCSP Stapling | 256 | N/A | |
|
Inline SNI^ |
1024 |
512 |
|
|
Offline SNI |
1024 | 512 | |
|
CA^ |
256 |
N/A |
|
| TSL CA | 256 | N/A | |
| CA Group | 256 | 256 | |
| Sign CA | 256 | N/A | |
|
Intermediate CA^ |
256 |
N/A |
|
| Intermediate CA Group | 256 | 256 | |
|
CRL^ |
256 | N/A | |
| CRL Group | 256 | 256 | |
|
Certificate Verify^ |
256 |
N/A |
|
| Server Certificate Verify | 256 | N/A | |
| URL Certificate | 256 | 256 | |
| Public Key Pinning | 256 | N/A | |
|
Server Certificate |
256 |
256 |
|
|
Client Certificate |
256 |
N/A |
|
|
Client Certificate Group |
256 |
256 |
|
Per ADOM configuration maximums
The maximums for the following objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs.
| Web UI item | Main table | Sub-table | |
|---|---|---|---|
| Web Protection Profile | Inline Protection Profile | 256 | N/A |
| Offline Protection Profile | 256 | N/A | |
|
Server Objects
|
|||
|
Health Check |
256 |
16 |
|
|
Persistence |
256 |
N/A |
|
| HTTP Content Routing | 512 | 256 | |
| Protected Hostnames | 256 | 255 | |
| Service | Predefined | 5 | N/A |
| Custom | 256 | N/A | |
| Traffic Mirror | 256 | 256 | |
|
|
Predefined Global White List | N/A (Predefined list. Can't be edited) | N/A |
|
|
Custom Global White List | 256 | N/A |
|
|
Data Type | No limit | N/A |
|
|
Custom Data Type | 256 | N/A |
| X- Forwarded-For | 256 | 256 | |
| Application Delivery | |||
| URL Rewriting Policy | URL Rewriting Policy | 256 | 256 |
| URL Rewriting Rule | 512 | 10 | |
| Authentication Policy | Authentication Policy | 256 | 256 |
| Authentication Rule | 256 | 256 | |
| Site Publish
|
Site Publish Policy | 256 | 256 |
| Site Publish Rule | 256 | N/A | |
| Keytab File | 256 | N/A | |
| Authentication Server Pool | 256 | 256 | |
| Service Principal Name Pool | 256 | 256 | |
| Compression | File Compress Policy | 256 | 10 |
| Exclusion Rule | 256 | 256 | |
| Caching | Web Cache Policy | 256 | 256 |
| Bypass URL | 256 | N/A | |
| Cookie List | 256 | N/A | |
|
Acceleration
|
Acceleration Policy |
256 |
N/A |
|
Acceleration Exception |
256 |
256 |
|
| Web Protection | |||
| Known attacks | Signatures/Exceptions |
100E/400E: 64 600E:128 1000E/2000E/3000E/3010E/4000E: 256 |
Enabled main classes: 64 |
| Disabled sub-classes: 256 | |||
| Disabled signature table: 2048 | |||
| Filter table: 10240 Note: It's allowed to create at most 128 filters for the same signature-id. |
|||
| Score disable table : 256 | |||
| Score grade table : 256 | |||
| Alert-only table: 1024 | |||
| Disabled False Positive Mitigation table: 256 | |||
| Global Disable Signature | 1024 | N/A | |
| Custom Signature Group | 256 | 64 | |
| Custom Signature | 256 | 256 | |
| Advanced Protection
|
Custom Policy | 1024 | 1024 |
| Custom Rule | 1024 | Source IPv4/IPv6: 256 | |
| GEO IP: 256 | |||
| User: 256 | |||
| Time period: 1 | |||
| URL: 256 | |||
| HTTP Header: 256 | |||
| Access Rate Limit: 1 | |||
| Signature main class: 256 | |||
| Signature sub-class: 256 | |||
| Signature: 10240 | |||
| Custom signature: 1 | |||
| Transaction Timeout: 1 | |||
| Response Code: 256 | |||
| Content Type: 1 | |||
| Packet Interval Timeout: 1 | |||
| Parameter: 256 | |||
| Occurrence: 1 | |||
| Padding Oracle Protection | 256 | 256 | |
| CSRF Protection Rule | 256 | 256 | |
| HTTP Header Security Policy | 256 | 256 | |
| Man in the Browser Protection Rule | 256 | 256 | |
| Man in the Browser Protection Policy | 256 | 256 | |
|
URL Encryption Policy |
256 | 256 | |
|
URL Encryption Rule |
256 | 256 | |
| SQL/XSS Syntax Based Detection | 256 | 256 | |
|
Cookie Security |
Cookie Security | 256 | 256 |
| Input Validation | Parameter Validation Policy | 256 | 1024 |
| Parameter Validation Rule | 1024 | 192 | |
| Hidden Fields Policy | 256 | 256 | |
| Hidden Fields Rule | 256 |
32 (Hidden Fields Table) 10 (Post URL Table) |
|
| File Security Policy | 256 | 256 | |
| File Security Rule | 256 | 256 | |
| Protocol
|
HTTP Protocol Constraints | 256 | N/A |
| HTTP Constraints Exception | 256 | 32 | |
| WebSocket Security Policy | 256 | 256 | |
| WebSocket Security Rule | 256 | 256 | |
| Access | URL Access Policy | 1024 | 1024 |
| URL Access Rule | 1024 | 32 | |
| Allow Method Policy | 256 | N/A | |
| Allow Method Exceptions | 256 | 32 | |
| IP List | 256 | 256 | |
| Geo IP | 256 | 256 | |
| Geo IP Exceptions | 256 | 256 | |
| Allowed Origin | 256 | 256 | |
| CORS Protection Rule | 256 | 256 | |
| CORS Protection Policy | 256 | 256 | |
| FTP Security | |||
| FTP Command Restriction | 256 | 256 | |
| FTP File Security | 256 | N/A | |
| DoS Protection | |||
| Application | HTTP Access Limit | 256 | N/A |
| Malicious IPs | 256 | N/A | |
| HTTP Flood Prevention | 256 | N/A | |
| Network | TCP Flood Prevention | 256 | N/A |
| Dos Protection Policy | 256 | N/A | |
| IP Reputation | |||
| Exceptions | 256 | N/A | |
| Tracking | |||
| User Tracking | User Tracking Rule | 256 | 10 |
| User Tracking Policy | 256 | 256 | |
| Machine Learning | |||
| Anomaly Detection Policy | 256 | 256 | |
| Bot Detection Policy | 256 | 256 | |
| Machine Learning Templates | URL Replacer Policy | 256 | 256 |
| URL Replacer Rule | 256 | 256 | |
| Predefined Pattern | Data Type Group | 256 | 512 |
| Data Type | None | N/A | |
| URL Pattern | None | N/A | |
| Suspicious URL | 256 | 512 | |
| Custom Pattern | Data Type | 256 | N/A |
| Suspicious URL Policy | 256 | 64 | |
| Suspicious URL Rule | 256 | N/A | |
| Application Templates | Application Policy | 256 | 256 |
| URL Replacer | 256 | N/A | |
| Web Vulnerability Scan | |||
| Web Vulnerability Scan Policy | 256 | N/A | |
| Scan Profile | Scan Profile | 256 | N/A |
| Scan Template | 256 | N/A | |
| Web Vulnerability Scan Schedule | 256 | N/A | |
| Scanner Integration | N/A | N/A | |
| API Protection | |||
|
JSON Protection
|
JSON Protection Policy | 256 | 256 |
|
JSON Protection Rule |
256 |
N/A |
|
|
JSON Schema |
256 |
N/A |
|
|
XML Protection
|
XML Protection Policy | 256 | 256 |
|
XML Protection Rule |
256 |
N/A |
|
|
XML Schema |
256 |
N/A |
|
|
WSDL |
256 |
N/A |
|
|
Exempted URLs |
256 |
256 |
|
|
WS-Security Rule |
256 |
256 |
|
|
OpenAPI Validation Policy
|
OpenAPI Validation Policy |
256 |
256 |
|
OpenAPI File |
256 |
N/A |
|
|
API Gateway
|
API User |
256 |
32 |
|
API User Group |
256 |
256 |
|
|
API Gateway Rule |
256 |
N/A |
|
|
API Gateway Policy |
256 |
256 |
|
|
Bot Mitigation |
Biometrics Based Detection |
256 |
256 |
|
Threshold Based Detection |
256 |
N/A |
|
|
Bot Deception |
256 |
256 |
|
|
Bot Mitigation Policy |
256 |
N/A |
|
|
Mobile API Protection Policy |
256 |
256 |
|
|
Mobile API Protection Rule |
256 |
256 |
|
|
Known Bots |
256 |
256 |
|
Maximum values on FortiWeb-VM
FortiWeb-VM has 10 virtual network interfaces (vNICs, or virtual ports).
The maximum number of server policies initially varies by the maximum amount of virtual memory (vRAM) available to FortiWeb-VM, up to a hard limit. FortiWeb-VM allows up to 20 policies for the first 1 GB of vRAM, then an additional 15 policies per additional 1 GB of vRAM, up to a maximum of 150 server policies.
In other words, at first, the server policy limit increases linearly with vRAM. But after 10 GB of vRAM, further increasing the vRAM no longer has an affect. 11 GB or more vRAM allows up to 150 server policies. Keep in mind that increasing the vRAM may still benefit performance.