Administration Guide

Appendix B: Maximum configuration values

These tables provide the maximum number of configuration objects for FortiWeb products. They are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.

Due to resource constraints, the maximums for certain objects apply to each appliance globally and you cannot increase them by adding ADOMs. For example, the limit for server policies is a global one that applies to the appliance: you can configure only 256 server policies, regardless of how many ADOMs you use.

The maximums for other objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs. For example, for a FortiWeb 1000D, you can configure up to 1024 URL Access policies for each of the 32 possible ADOMs because the limit applies to each ADOM, not the appliance.

Depending on the RAM available, adding the maximum number of objects to multiple ADOMs can have an impact on your FortiWeb's performance. Fortinet recommends that you do not add the maximum number of objects in all ADOMs.

You can check the current usage and maximum configuration values in System > Global Resources.

Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies

The configuration maximums for the following items apply at the appliance level and vary by model, as shown in the following table.

| FortiWeb model | ADOMs | Server policies | Virtual IPs | Server Objects: Server pools | Server Objects: Pool members | Server Objects: Virtual servers | Domains in all ML policies |
|---|---|---|---|---|---|---|---|
| FortiWeb 100D | 0 | 32 | 1024 | 256 | 1024 | 1024 | 4 |
| FortiWeb 100E | 0 | 32 | 1024 | 256 | 1024 | 1024 | 4 |
| FortiWeb 400C | 32 | 64 | 1024 | 256 | 1024 | 1024 | 6 |
| FortiWeb 400D | 32 | 64 | 1024 | 256 | 1024 | 1024 | 6 |
| FortiWeb 400E | 32 | 64 | 1024 | 256 | 1024 | 1024 | 6 |
| FortiWeb 600D | 32 | 96 | 1024 | 384 | 1024 | 1024 | 16 |
| FortiWeb 600E | 32 | 96 | 1024 | 384 | 1024 | 1024 | 16 |
| FortiWeb 1000D | 64 | 256 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 1000E | 64 | 256 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 1000F | 64 | 256 | 1024 | 512 | 1024 | 1024 | 96 |
| FortiWeb 2000E | 64 | 256 | 1024 | 512 | 1024 | 1024 | 64 |
| FortiWeb 3000C | 32 | 256 | 1024 | 256 | 1024 | 1024 | 16 |
| FortiWeb 3000CFsx | 32 | 256 | 1024 | 256 | 1024 | 1024 | 16 |
| FortiWeb 3000D | 64 | 512 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 3000DFsx | 64 | 512 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 3000E | 64 | 512 | 1024 | 512 | 1024 | 1024 | 64 |
| FortiWeb 3010E | 64 | 512 | 1024 | 512 | 1024 | 1024 | 64 |
| FortiWeb 4000C | 32 | 512 | 1024 | 256 | 1024 | 1024 | 32 |
| FortiWeb 4000D | 64 | 1024 | 1024 | 1024 | 1024 | 1024 | 64 |
| FortiWeb 4000E | 64 | 1024 | 1024 | 1024 | 1024 | 1024 | 128 |
| FortiWeb 1000F | 64 | 256 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 2000F | 64 | 256 | 1024 | 512 | 1024 | 1024 | 96 |
| FortiWeb 3000F | 64 | 512 | 1024 | 512 | 1024 | 1024 | 96 |
| FortiWeb 4000F | 64 | 1024 | 1024 | 1024 | 1024 | 1024 | 192 |
| FortiWeb-VM | Varies with memory size: 4 (memory < 4G); 12 (memory < 8G); 32 (memory < 16G); 64 (memory >= 16G) | For details, see Maximum values on FortiWeb-VM. | 1024 | Varies with memory size: 256 (memory < 64G); 1024 (memory >= 64G) | 1024 | 1024 | Varies with memory size: 4 (memory <= 4G); 8 (memory <= 8G); 16 (memory <= 16G); 32 (memory > 16G) |


Per appliance configuration maximums - Network and Certificates

The configuration maximums for Network and Certificates also apply at the appliance level.

Web UI item Main table Sub-table
System

Network

Interface 1024 (total VLAN interfaces) N/A
Policy Route 250 N/A
Static Route 256 N/A
Certificates

OCSP Stapling 256 N/A

Offline SNI 1024 512
TSL CA 256 N/A
CA Group 256 256
Sign CA 256 N/A
Intermediate CA Group 256 256
CRL Group 256 256
Server Certificate Verify 256 N/A
URL Certificate 256 256
Public Key Pinning 256 N/A

Server Certificate 256 N/A
Client Certificate 256 N/A
Let's Encrypt 512 N/A
Client Certificate Group 256 256

The configuration maximums for the following certificates also apply at the appliance level, but their maximums vary by appliance model.

| Web UI item | Main table: 100D/100E/400C | Main table: 1000E/2000E/3000E/3010E/4000E/1000F/2000F/3000F/4000F/VM16 | Main table: all other models | Sub-table |
|---|---|---|---|---|
| Certificates | | | | |
| Local | 512 | 5000 | 1024 | N/A |
| Multi-certificate | 256 | 5000 | 1024 | N/A |
| Inline SNI | 1024 | 5000 | 1024 | 2048 (for 4000E, 4000F, and VM16 platforms); 512 (for all other platforms) |
| CA | 256 | 5000 | 1024 | N/A |
| Intermediate CA | 256 | 5000 | 1024 | N/A |
| CRL | 256 | 5000 | 1024 | N/A |
| Certificate Verify | 256 | 5000 | 1024 | N/A |

Per ADOM configuration maximums

The maximums for the following objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs.

Web UI item Main table Sub-table
Web Protection Profile Inline Protection Profile 256 N/A
Offline Protection Profile 256 N/A

Server Objects

Health Check 256 16
Persistence 256 N/A

HTTP Content Routing 512 256
Protected Hostnames 256 255
Service Predefined 5 N/A
Custom 256 N/A
Traffic Mirror 256 256

Predefined Global allow list N/A (Predefined list. Can't be edited) N/A

Custom Global allow list 256 N/A

Data Type No limit N/A

Custom Data Type 256 N/A
X-Forwarded-For 256 256
Application Delivery
URL Rewriting Policy URL Rewriting Policy 256 256
URL Rewriting Rule 512 10
Authentication Policy Authentication Policy 256 256
Authentication Rule 256 256
Site Publish

Site Publish Policy 256 256
Site Publish Rule 512 N/A
Keytab File 256 N/A
Authentication Server Pool 256 256
Service Principal Name Pool 256 256
Compression File Compress Policy 256 10
Exclusion Rule 256 256
Caching Web Cache Policy 256 256
Bypass URL 256 N/A
Cookie List 256 N/A

Acceleration

Acceleration Policy 256 N/A
Acceleration Exception 256 256

Web Protection
Known attacks Signatures (User Defined)/Exceptions
Main table:
  • 100E/400E: 64
  • 600E: 128
  • 1000E/2000E/3000E/3010E/4000E/2000F/3000F/4000F: 256
Sub-table:
  • Enabled main classes: 64
  • Disabled sub-classes: 256
  • Disabled signature table: 2048
  • Filter table: 10240 (Note: You can create at most 128 filters for the same signature-id.)
  • Score disable table: 256
  • Score grade table: 256
  • Alert-only table: 1024
  • Disabled False Positive Mitigation table: 256
Global Disable Signature 1024 N/A
Custom Signature Group 256 64
Custom Signature 256 256
Advanced Protection

Custom Policy 1024 1024
Custom Rule
Main table:
  • 1024 (On-premise FortiWeb devices)
  • 6000 (FortiWeb-VM)
Sub-table:
  • Source IPv4/IPv6: 256
  • GEO IP: 256
  • User: 256
  • Time period: 1
  • URL: 256
  • HTTP Header: 256
  • Access Rate Limit: 1
  • Signature main class: 256
  • Signature sub-class: 256
  • Signature: 10240
  • Custom signature: 1
  • Transaction Timeout: 1
  • Response Code: 256
  • Content Type: 1
  • Packet Interval Timeout: 1
  • Parameter: 256
  • Occurrence: 1
Padding Oracle Protection 256 256
CSRF Protection Rule 256 256
HTTP Header Security Policy 256 256
Man in the Browser Protection Rule 256 256
Man in the Browser Protection Policy 256 256

URL Encryption Policy 256 256
URL Encryption Rule 256 256
SQL/XSS Syntax Based Detection 256 256

Cookie Security

Cookie Security 256 256
Input Validation Parameter Validation Policy 256 1024
Parameter Validation Rule 1024 192
Hidden Fields Policy 256 256
Hidden Fields Rule 256 32 (Hidden Fields Table); 10 (Post URL Table)

File Security Policy 256 256
File Security Rule 256 256
Protocol

HTTP Protocol Constraints 256 N/A
HTTP Constraints Exception 256 32
WebSocket Security Policy 256 256
WebSocket Security Rule 256 256
Access URL Access Policy 1024 1024
URL Access Rule 1024 32
Allow Method Policy 256 N/A
Allow Method Exceptions 256 32
IP List 256 256
Geo IP 256 256
Geo IP Exceptions 256 256
Allowed Origin 256 256
CORS Protection Rule 256 256
CORS Protection Policy 256 256
FTP Security
FTP Command Restriction 256 256
FTP File Security 256 N/A
DoS Protection
Application HTTP Access Limit 256 N/A
Malicious IPs 256 N/A
HTTP Flood Prevention 256 N/A
Network TCP Flood Prevention 256 N/A
DoS Protection Policy 256 N/A
IP Reputation
Exceptions 256 N/A
Tracking
User Tracking User Tracking Rule 256 10
User Tracking Policy 256 256
Machine Learning
Anomaly Detection Policy 256 256
Anomaly Detection - Parameters per domain 1000 N/A
Bot Detection Policy 256 256
Machine Learning Templates URL Replacer Policy 256 256
URL Replacer Rule 256 256
Predefined Pattern Data Type Group 256 512
Data Type None N/A
URL Pattern None N/A
Suspicious URL 256 512
Custom Pattern Data Type 256 N/A
Suspicious URL Policy 256 64
Suspicious URL Rule 256 N/A
Application Templates Application Policy 256 256
URL Replacer 256 N/A
Web Vulnerability Scan
Web Vulnerability Scan Policy 256 N/A
Scan Profile Scan Profile 256 N/A
Scan Template 256 N/A
Web Vulnerability Scan Schedule 256 N/A
Scanner Integration N/A N/A
API Protection
JSON Protection
JSON Protection Policy 256 256
JSON Protection Rule 256 N/A
JSON Schema 256 N/A
XML Protection
XML Protection Policy 256 256
XML Protection Rule 256 N/A
XML Schema 256 N/A
WSDL 256 N/A
Exempted URLs 256 256
WS-Security Rule 256 256
OpenAPI Validation Policy
OpenAPI Validation Policy 256 256
OpenAPI File 256 N/A
API Gateway
API User 256 32
API User Group 256 256
API Gateway Rule 256 N/A
API Gateway Policy 256 256
Bot Mitigation
Biometrics Based Detection 256 256
Threshold Based Detection 256 N/A
Bot Deception 256 256
Bot Mitigation Policy 256 N/A
Mobile API Protection Policy 256 256
Mobile API Protection Rule 256 256
Known Bots 256 256
ZTNA
ZTNA Profile 256 N/A
ZTNA Rule 256 N/A

Maximum values on FortiWeb-VM

FortiWeb-VM has 10 virtual network interfaces (vNICs, or virtual ports).

The maximum number of server policies initially varies by the maximum amount of virtual memory (vRAM) available to FortiWeb-VM, up to a hard limit.

If vRAM is less than 64 GB, FortiWeb-VM allows up to 20 policies for the first 1 GB of vRAM, then an additional 15 policies per additional 1 GB of vRAM, up to a maximum of 256 server policies.

If vRAM is 64 GB or more, FortiWeb-VM allows up to 1024 server policies.

Here, vRAM is the value of the MemTotal attribute in the output of the diagnose hardware mem list command. MemTotal is displayed in KB and should be rounded down to an integer number of GB. For instance, if MemTotal shows 15971428 KB, it is rounded down to 15 GB, and the maximum number of server policies is 20+(15-1)*15=230.
