Fortinet white logo
Fortinet white logo

Administration Guide

Appendix B: Maximum configuration values

Appendix B: Maximum configuration values

These tables provide the maximum number of configuration objects for FortiWeb products. They are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.

Due to resource constraints, the maximums for certain objects apply to each appliance globally and you cannot increase them by adding ADOMs. For example, the limit for server policies is a global one that applies to the appliance, you can configure only 256 server policies, regardless of how many ADOMs you use.

While the maximums for other objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs. For example, for a FortiWeb 1000D, you can configure up to 1024 URL Access polices for each of the 32 possible ADOMs because the limit applies to each ADOM, not the appliance.

Depending on the RAM available, adding the maximum number of objects to multiple ADOMs can have an impact on your FortiWeb's performance. Fortinet recommends that you do not add the maximum number of objects in all ADOMs.

Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies

The configuration maximums for the following items apply at the appliance level, and the maximums vary on each model, as shown in the following table.

FortiWeb
model

ADOMs

Server policies

Virtual IPs

Server Objects

Domains in all ML policies
Server pools

Pool members

Virtual servers

FortiWeb 100D 0 32

1024

256

1024

1024

4
FortiWeb 400C 32 64

1024

256

1024

1024

6
FortiWeb 400D 32 64

1024

256

1024

1024

6

FortiWeb 400E

32 64

1024

256

1024

1024

6
FortiWeb 600D 32 96

1024

384

1024

1024

16

FortiWeb 600E

32 96

1024

384

1024

1024

16
FortiWeb 1000D 64 256

1024

512

1024

1024

32
FortiWeb 1000E 64 256

6000

6000

12000

6000

32
FortiWeb 2000E 64 256

6000

6000

12000

6000

64
FortiWeb 3000C 32 256

1024

256

1024

1024

16
FortiWeb 3000CFsx 32 256

1024

256

1024

1024

16
FortiWeb 3000D 64 512

1024

512

1024

1024

32
FortiWeb 3000DFsx 64 512

1024

512

1024

1024

32
FortiWeb 3000E 64 512

6000

6000

12000

6000

64
FortiWeb 3010E 64 512

6000

6000

12000

6000

64
FortiWeb 4000C 32 512

1024

256

1024

1024

32
FortiWeb 4000D 64 1024

1024

1024

1024

1024

64
FortiWeb 4000E 64 1024

6000

6000

12000

6000

128
FortiWeb-VM

Varies with memory size:

  • 4 (memory < 4G);
  • 12 (memory < 8G);
  • 32 (memory < 16G);
  • 64 (memory >= 16G)


For details, see Maximum values on FortiWeb-VM.

1024

256

1024

1024

Varies with memory size:

  • 4 (memory < =4G);
  • 8 (memory < =8G);
  • 16 (memory < =16G);
  • 32 (memory >16G)

Per appliance configuration maximums - Network and Certificates

The configuration maximums for Network and Certificates apply also at the appliance level.

For the certificates marked with ^ in the following table, their configuration maximums are increased to 5000 on FortiWeb appliances 1000E, 2000E, 3000E, 3010E, and 4000E. For other models, their configuration maximums are as shown in the table.

Web UI item Main table Sub-table
System

Network

Interface 1024 (total VLAN interfaces) N/A
Policy Route 250 N/A
Static Route 256 N/A
Certificates

Local^

512 N/A

Multi-certificate^

256 N/A
OCSP Stapling 256 N/A

Inline SNI^

1024

512

Offline SNI

1024 512

CA^

256

N/A

TSL CA 256 N/A
CA Group 256 256
Sign CA 256 N/A

Intermediate CA^

256

N/A

Intermediate CA Group 256 256

CRL^

256 N/A
CRL Group 256 256

Certificate Verify^

256

N/A

Server Certificate Verify 256 N/A
URL Certificate 256 256
Public Key Pinning 256 N/A

Server Certificate

256

256

Client Certificate

256

N/A

Client Certificate Group

256

256

Per ADOM configuration maximums

The maximums for the following objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs.

Web UI item Main table Sub-table
Web Protection Profile Inline Protection Profile 256 N/A
Offline Protection Profile 256 N/A

Server Objects

Health Check

256

16

Persistence

256

N/A

HTTP Content Routing 512 256
Protected Hostnames 256 255
Service Predefined 5 N/A
Custom 256 N/A
Traffic Mirror 256 256

Predefined Global White List N/A (Predefined list. Can't be edited) N/A

Custom Global White List 256 N/A

Data Type No limit N/A

Custom Data Type 256 N/A
X- Forwarded-For 256 256
Application Delivery
URL Rewriting Policy URL Rewriting Policy 256 256
URL Rewriting Rule 256 10
Authentication Policy Authentication Policy 256 256
Authentication Rule 256 256
Site Publish

Site Publish Policy 256 256
Site Publish Rule 256 N/A
Keytab File 256 N/A
Authentication Server Pool 256 256
Service Principal Name Pool 256 256
Compression File Compress Policy 256 10
Exclusion Rule 256 256
Caching Web Cache Policy 256 256
Bypass URL 256 N/A
Cookie List 256 N/A

Acceleration

Acceleration Policy

256

N/A

Acceleration Exception

256

256

Web Protection
Known attacks Signatures/Exceptions 64 Enabled main classes: 64
Disabled sub-classes: 256
Disabled signature table: 2048
Filter table: 10240
Note: It's allowed to create at most 128 filters for the same signature-id.
Score disable table : 256
Score grade table : 256
Alert-only table: 1024
Disabled False Positive Mitigation table: 256
Global Disable Signature 1024 N/A
Custom Signature Group 256 64
Custom Signature 256 256
Advanced Protection

Custom Policy 1024 1024
Custom Rule 1024 Source IPv4/IPv6: 256
GEO IP: 256
User: 256
Time period: 1
URL: 256
HTTP Header: 256
Access Rate Limit: 1
Signature main class: 256
Signature sub-class: 256
Signature: 10240
Custom signature: 1
Transaction Timeout: 1
Response Code: 256
Content Type: 1
Packet Interval Timeout: 1
Parameter: 256
Occurrence: 1
Padding Oracle Protection 256 256
CSRF Protection Rule 256 256
HTTP Header Security Policy 256 256
Man in the Browser Protection Rule 256 256
Man in the Browser Protection Policy 256 256

URL Encryption Policy

256 256

URL Encryption Rule

256 256
SQL/XSS Syntax Based Detection 256 256

Cookie Security

Cookie Security 256 256
Input Validation Parameter Validation Policy 256 1024
Parameter Validation Rule 1024 192
Hidden Fields Policy 256 256
Hidden Fields Rule 256

32 (Hidden Fields Table)

10 (Post URL Table)

File Security Policy 256 256
File Security Rule 256 256
Protocol

HTTP Protocol Constraints 256 N/A
HTTP Constraints Exception 256 32
WebSocket Security Policy 256 256
WebSocket Security Rule 256 256
Access URL Access Policy 1024 1024
URL Access Rule 1024 32
Allow Method Policy 256 N/A
Allow Method Exceptions 256 32
IP List 256 256
Geo IP 256 256
Geo IP Exceptions 256 256
Allowed Origin 256 256
CORS Protection Rule 256 256
CORS Protection Policy 256 256
FTP Security
FTP Command Restriction 256 256
FTP File Security 256 N/A
DoS Protection
Application HTTP Access Limit 256 N/A
Malicious IPs 256 N/A
HTTP Flood Prevention 256 N/A
Network TCP Flood Prevention 256 N/A
Dos Protection Policy 256 N/A
IP Reputation
Exceptions 256 N/A
Tracking
User Tracking User Tracking Rule 256 10
User Tracking Policy 256 256
Machine Learning
Anomaly Detection Policy 256 256
Bot Detection Policy 256 256
Machine Learning Templates URL Replacer Policy 256 256
URL Replacer Rule 256 256
Predefined Pattern Data Type Group 256 512
Data Type None N/A
URL Pattern None N/A
Suspicious URL 256 512
Custom Pattern Data Type 256 N/A
Suspicious URL Policy 256 64
Suspicious URL Rule 256 N/A
Application Templates Application Policy 256 256
URL Replacer 256 N/A
Web Vulnerability Scan
Web Vulnerability Scan Policy 256 N/A
Scan Profile Scan Profile 256 N/A
Scan Template 256 N/A
Web Vulnerability Scan Schedule 256 N/A
Scanner Integration N/A N/A
API Protection
JSON Protection

JSON Protection Policy 256 256

JSON Protection Rule

256

N/A

JSON Schema

256

N/A

XML Protection

XML Protection Policy 256 256

XML Protection Rule

256

N/A

XML Schema

256

N/A

WSDL

256

N/A

Exempted URLs

256

256

WS-Security Rule

256

256

OpenAPI Validation Policy

OpenAPI Validation Policy

256

256

OpenAPI File

256

N/A

API Gateway

API User

256

32

API User Group

256

256

API Gateway Rule

256

N/A

API Gateway Policy

256

256

Bot Mitigation

Biometrics Based Detection

256

256

Threshold Based Detection

256

N/A

Bot Deception

256

256

Bot Mitigation Policy

256

N/A

Mobile API Protection Policy

256

256

Mobile API Protection Rule

256

256

Known Bots

256

256

Maximum values on FortiWeb-VM

FortiWeb-VM has 10 virtual network interfaces (vNICs, or virtual ports).

The maximum number of server policies initially varies by the maximum amount of virtual memory (vRAM) available to FortiWeb-VM, up to a hard limit. FortiWeb-VM allows up to 20 policies for the first 1 GB of vRAM, then an additional 15 policies per additional 1 GB of vRAM, up to a maximum of 150 server policies.

In other words, at first, the server policy limit increases linearly with vRAM. But after 10 GB of vRAM, further increasing the vRAM no longer has an affect. 11 GB or more vRAM allows up to 150 server policies. Keep in mind that increasing the vRAM may still benefit performance.

Appendix B: Maximum configuration values

Appendix B: Maximum configuration values

These tables provide the maximum number of configuration objects for FortiWeb products. They are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.

Due to resource constraints, the maximums for certain objects apply to each appliance globally and you cannot increase them by adding ADOMs. For example, the limit for server policies is a global one that applies to the appliance, you can configure only 256 server policies, regardless of how many ADOMs you use.

While the maximums for other objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs. For example, for a FortiWeb 1000D, you can configure up to 1024 URL Access polices for each of the 32 possible ADOMs because the limit applies to each ADOM, not the appliance.

Depending on the RAM available, adding the maximum number of objects to multiple ADOMs can have an impact on your FortiWeb's performance. Fortinet recommends that you do not add the maximum number of objects in all ADOMs.

Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies

The configuration maximums for the following items apply at the appliance level, and the maximums vary on each model, as shown in the following table.

FortiWeb
model

ADOMs

Server policies

Virtual IPs

Server Objects

Domains in all ML policies
Server pools

Pool members

Virtual servers

FortiWeb 100D 0 32

1024

256

1024

1024

4
FortiWeb 400C 32 64

1024

256

1024

1024

6
FortiWeb 400D 32 64

1024

256

1024

1024

6

FortiWeb 400E

32 64

1024

256

1024

1024

6
FortiWeb 600D 32 96

1024

384

1024

1024

16

FortiWeb 600E

32 96

1024

384

1024

1024

16
FortiWeb 1000D 64 256

1024

512

1024

1024

32
FortiWeb 1000E 64 256

6000

6000

12000

6000

32
FortiWeb 2000E 64 256

6000

6000

12000

6000

64
FortiWeb 3000C 32 256

1024

256

1024

1024

16
FortiWeb 3000CFsx 32 256

1024

256

1024

1024

16
FortiWeb 3000D 64 512

1024

512

1024

1024

32
FortiWeb 3000DFsx 64 512

1024

512

1024

1024

32
FortiWeb 3000E 64 512

6000

6000

12000

6000

64
FortiWeb 3010E 64 512

6000

6000

12000

6000

64
FortiWeb 4000C 32 512

1024

256

1024

1024

32
FortiWeb 4000D 64 1024

1024

1024

1024

1024

64
FortiWeb 4000E 64 1024

6000

6000

12000

6000

128
FortiWeb-VM

Varies with memory size:

  • 4 (memory < 4G);
  • 12 (memory < 8G);
  • 32 (memory < 16G);
  • 64 (memory >= 16G)


For details, see Maximum values on FortiWeb-VM.

1024

256

1024

1024

Varies with memory size:

  • 4 (memory < =4G);
  • 8 (memory < =8G);
  • 16 (memory < =16G);
  • 32 (memory >16G)

Per appliance configuration maximums - Network and Certificates

The configuration maximums for Network and Certificates apply also at the appliance level.

For the certificates marked with ^ in the following table, their configuration maximums are increased to 5000 on FortiWeb appliances 1000E, 2000E, 3000E, 3010E, and 4000E. For other models, their configuration maximums are as shown in the table.

Web UI item Main table Sub-table
System

Network

Interface 1024 (total VLAN interfaces) N/A
Policy Route 250 N/A
Static Route 256 N/A
Certificates

Local^

512 N/A

Multi-certificate^

256 N/A
OCSP Stapling 256 N/A

Inline SNI^

1024

512

Offline SNI

1024 512

CA^

256

N/A

TSL CA 256 N/A
CA Group 256 256
Sign CA 256 N/A

Intermediate CA^

256

N/A

Intermediate CA Group 256 256

CRL^

256 N/A
CRL Group 256 256

Certificate Verify^

256

N/A

Server Certificate Verify 256 N/A
URL Certificate 256 256
Public Key Pinning 256 N/A

Server Certificate

256

256

Client Certificate

256

N/A

Client Certificate Group

256

256

Per ADOM configuration maximums

The maximums for the following objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs.

Web UI item Main table Sub-table
Web Protection Profile Inline Protection Profile 256 N/A
Offline Protection Profile 256 N/A

Server Objects

Health Check

256

16

Persistence

256

N/A

HTTP Content Routing 512 256
Protected Hostnames 256 255
Service Predefined 5 N/A
Custom 256 N/A
Traffic Mirror 256 256

Predefined Global White List N/A (Predefined list. Can't be edited) N/A

Custom Global White List 256 N/A

Data Type No limit N/A

Custom Data Type 256 N/A
X- Forwarded-For 256 256
Application Delivery
URL Rewriting Policy URL Rewriting Policy 256 256
URL Rewriting Rule 256 10
Authentication Policy Authentication Policy 256 256
Authentication Rule 256 256
Site Publish

Site Publish Policy 256 256
Site Publish Rule 256 N/A
Keytab File 256 N/A
Authentication Server Pool 256 256
Service Principal Name Pool 256 256
Compression File Compress Policy 256 10
Exclusion Rule 256 256
Caching Web Cache Policy 256 256
Bypass URL 256 N/A
Cookie List 256 N/A

Acceleration

Acceleration Policy

256

N/A

Acceleration Exception

256

256

Web Protection
Known attacks Signatures/Exceptions 64 Enabled main classes: 64
Disabled sub-classes: 256
Disabled signature table: 2048
Filter table: 10240
Note: It's allowed to create at most 128 filters for the same signature-id.
Score disable table : 256
Score grade table : 256
Alert-only table: 1024
Disabled False Positive Mitigation table: 256
Global Disable Signature 1024 N/A
Custom Signature Group 256 64
Custom Signature 256 256
Advanced Protection

Custom Policy 1024 1024
Custom Rule 1024 Source IPv4/IPv6: 256
GEO IP: 256
User: 256
Time period: 1
URL: 256
HTTP Header: 256
Access Rate Limit: 1
Signature main class: 256
Signature sub-class: 256
Signature: 10240
Custom signature: 1
Transaction Timeout: 1
Response Code: 256
Content Type: 1
Packet Interval Timeout: 1
Parameter: 256
Occurrence: 1
Padding Oracle Protection 256 256
CSRF Protection Rule 256 256
HTTP Header Security Policy 256 256
Man in the Browser Protection Rule 256 256
Man in the Browser Protection Policy 256 256

URL Encryption Policy

256 256

URL Encryption Rule

256 256
SQL/XSS Syntax Based Detection 256 256

Cookie Security

Cookie Security 256 256
Input Validation Parameter Validation Policy 256 1024
Parameter Validation Rule 1024 192
Hidden Fields Policy 256 256
Hidden Fields Rule 256

32 (Hidden Fields Table)

10 (Post URL Table)

File Security Policy 256 256
File Security Rule 256 256
Protocol

HTTP Protocol Constraints 256 N/A
HTTP Constraints Exception 256 32
WebSocket Security Policy 256 256
WebSocket Security Rule 256 256
Access URL Access Policy 1024 1024
URL Access Rule 1024 32
Allow Method Policy 256 N/A
Allow Method Exceptions 256 32
IP List 256 256
Geo IP 256 256
Geo IP Exceptions 256 256
Allowed Origin 256 256
CORS Protection Rule 256 256
CORS Protection Policy 256 256
FTP Security
FTP Command Restriction 256 256
FTP File Security 256 N/A
DoS Protection
Application HTTP Access Limit 256 N/A
Malicious IPs 256 N/A
HTTP Flood Prevention 256 N/A
Network TCP Flood Prevention 256 N/A
Dos Protection Policy 256 N/A
IP Reputation
Exceptions 256 N/A
Tracking
User Tracking User Tracking Rule 256 10
User Tracking Policy 256 256
Machine Learning
Anomaly Detection Policy 256 256
Bot Detection Policy 256 256
Machine Learning Templates URL Replacer Policy 256 256
URL Replacer Rule 256 256
Predefined Pattern Data Type Group 256 512
Data Type None N/A
URL Pattern None N/A
Suspicious URL 256 512
Custom Pattern Data Type 256 N/A
Suspicious URL Policy 256 64
Suspicious URL Rule 256 N/A
Application Templates Application Policy 256 256
URL Replacer 256 N/A
Web Vulnerability Scan
Web Vulnerability Scan Policy 256 N/A
Scan Profile Scan Profile 256 N/A
Scan Template 256 N/A
Web Vulnerability Scan Schedule 256 N/A
Scanner Integration N/A N/A
API Protection
JSON Protection

JSON Protection Policy 256 256

JSON Protection Rule

256

N/A

JSON Schema

256

N/A

XML Protection

XML Protection Policy 256 256

XML Protection Rule

256

N/A

XML Schema

256

N/A

WSDL

256

N/A

Exempted URLs

256

256

WS-Security Rule

256

256

OpenAPI Validation Policy

OpenAPI Validation Policy

256

256

OpenAPI File

256

N/A

API Gateway

API User

256

32

API User Group

256

256

API Gateway Rule

256

N/A

API Gateway Policy

256

256

Bot Mitigation

Biometrics Based Detection

256

256

Threshold Based Detection

256

N/A

Bot Deception

256

256

Bot Mitigation Policy

256

N/A

Mobile API Protection Policy

256

256

Mobile API Protection Rule

256

256

Known Bots

256

256

Maximum values on FortiWeb-VM

FortiWeb-VM has 10 virtual network interfaces (vNICs, or virtual ports).

The maximum number of server policies initially varies by the maximum amount of virtual memory (vRAM) available to FortiWeb-VM, up to a hard limit. FortiWeb-VM allows up to 20 policies for the first 1 GB of vRAM, then an additional 15 policies per additional 1 GB of vRAM, up to a maximum of 150 server policies.

In other words, at first, the server policy limit increases linearly with vRAM. But after 10 GB of vRAM, further increasing the vRAM no longer has an affect. 11 GB or more vRAM allows up to 150 server policies. Keep in mind that increasing the vRAM may still benefit performance.