Appendix B: Maximum configuration values
These tables provide the maximum number of configuration objects for FortiWeb products. They are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.
Due to resource constraints, the maximums for certain objects apply to each appliance globally and you cannot increase them by adding ADOMs. For example, the limit for server policies is a global one that applies to the appliance, regardless of how many ADOMs you use.
The maximums for other objects apply at the ADOM level only, so you can add objects beyond the maximum by adding ADOMs. For example, for a FortiWeb 1000D, you can configure up to 1024 URL Access policies for each of the 32 possible ADOMs because the limit applies to each ADOM, not the appliance.
Depending on the RAM available, adding the maximum number of objects to multiple ADOMs can have an impact on your FortiWeb's performance. Fortinet recommends that you do not add the maximum number of objects in all ADOMs.
You can check the current usage and maximum configuration values in System > Global Resources.
Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies
The configuration maximums for the following items apply at the appliance level and vary by model, as shown in the following table.
| FortiWeb model | ADOMs | Server policies | Virtual IPs | Server Objects: Server pools | Server Objects: Pool members | Server Objects: Virtual servers | Domains in all ML Anomaly Detection policies |
|---|---|---|---|---|---|---|---|
| FortiWeb 100D | 0 | 32 | 1024 | 256 | 1024 | 1024 | 4 |
| FortiWeb 100E | 0 | 32 | 1024 | 256 | 1024 | 1024 | 4 |
| FortiWeb 400C | 32 | 64 | 1024 | 256 | 1024 | 1024 | 6 |
| FortiWeb 400D | 32 | 64 | 1024 | 256 | 1024 | 1024 | 6 |
| FortiWeb 400E | 32 | 64 | 1024 | 256 | 1024 | 1024 | 6 |
| FortiWeb 400F | 32 | 64 | 1024 | 256 | 1024 | 1024 | 6 |
| FortiWeb 600D | 32 | 96 | 1024 | 384 | 1024 | 1024 | 16 |
| FortiWeb 600E | 32 | 96 | 1024 | 384 | 1024 | 1024 | 16 |
| FortiWeb 1000D | 64 | 256 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 1000E | 64 | 256 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 1000F | 64 | 256 | 1024 | 512 | 1024 | 1024 | 96 |
| FortiWeb 2000E | 64 | 256 | 1024 | 512 | 1024 | 1024 | 64 |
| FortiWeb 3000C | 32 | 256 | 1024 | 256 | 1024 | 1024 | 16 |
| FortiWeb 3000CFsx | 32 | 256 | 1024 | 256 | 1024 | 1024 | 16 |
| FortiWeb 3000D | 64 | 512 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 3000DFsx | 64 | 512 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 3000E | 64 | 512 | 1024 | 512 | 1024 | 1024 | 64 |
| FortiWeb 3010E | 64 | 512 | 1024 | 512 | 1024 | 1024 | 64 |
| FortiWeb 4000C | 32 | 512 | 1024 | 256 | 1024 | 1024 | 32 |
| FortiWeb 4000D | 64 | 1024 | 1024 | 1024 | 1024 | 1024 | 64 |
| FortiWeb 4000E | 64 | 1024 | 1024 | 1024 | 1024 | 1024 | 128 |
| FortiWeb 1000F | 64 | 256 | 1024 | 512 | 1024 | 1024 | 32 |
| FortiWeb 2000F | 64 | 256 | 1024 | 512 | 1024 | 1024 | 96 |
| FortiWeb 3000F | 64 | 512 | 1024 | 512 | 1024 | 1024 | 96 |
| FortiWeb 4000F | 64 | 1024 | 1024 | 1024 | 1024 | 1024 | 192 |
| FortiWeb-VM | Varies with memory size: | For details, see Maximum values on FortiWeb-VM. | 1024 | Varies with memory size: | 1024 | 1024 | Varies with memory size: |
Per appliance configuration maximums - Network and Certificates
The configuration maximums for Network and Certificates also apply at the appliance level.
| Web UI menu | Web UI item | Main table | Sub-table |
|---|---|---|---|
| System | | | |
| Network | Interface | 1024 (total VLAN interfaces) | N/A |
| | Policy Route | 250 | N/A |
| | Static Route | 256 | N/A |
| Certificates | OCSP Stapling | 256 | N/A |
| | Offline SNI | 1024 | 512 |
| | TSL CA | 256 | N/A |
| | CA Group | 256 | 256 |
| | Sign CA | 256 | N/A |
| | Intermediate CA Group | 256 | 256 |
| | CRL Group | 256 | 256 |
| | Server Certificate Verify | 256 | N/A |
| | URL Certificate | 256 | 256 |
| | Public Key Pinning | 256 | N/A |
| | Server Certificate | 256 | N/A |
| | Client Certificate | 256 | N/A |
| | Let's Encrypt | 512; Let's Encrypt SAN (Subject Alternative Name): 10 domains maximum per certificate | N/A |
| | Client Certificate Group | 256 | 256 |
The configuration maximums for the following certificates also apply at the appliance level, but their maximums vary with appliance models.
| Web UI menu | Web UI item | Main table: 100D/100E/400C | Main table: 1000E/2000E/3000E/3010E/4000E/1000F/2000F/3000F/4000F/VM16 | Main table: all other models | Sub-table |
|---|---|---|---|---|---|
| Certificates | Local | 512 | 5000 | 1024 | N/A |
| | Multi-certificate | 256 | 5000 | 1024 | N/A |
| | Inline SNI | 1024 | 5000 | 1024 | 2048 (for 4000E, 4000F, and VM16 platforms); 512 (for all other platforms) |
| | CA | 256 | 5000 | 1024 | N/A |
| | Intermediate CA | 256 | 5000 | 1024 | N/A |
| | CRL | 256 | 5000 | 1024 | N/A |
| | Certificate Verify | 256 | 5000 | 1024 | N/A |
Advanced Bot Protection policy configuration maximums
The maximum number of Advanced Bot Protection policies is subject to a per-appliance limit of 1024. Additionally, there is a limitation at the ADOM level, as illustrated below.
| Appliance model | Maximum Advanced Bot Protection policies per ADOM |
|---|---|
| 100E/400E/400F | 256 |
| 600E | 384 |
| 1000F/2000F/3000F | 512 |
| 4000F | 1024 |
Per ADOM configuration maximums
The maximums for the rest of the objects apply at the ADOM level only, allowing you to surpass the limit by adding additional ADOMs.
The maximum per-ADOM value is also displayed in System > Global Resources. If there is a discrepancy between the value shown in System > Global Resources and the value presented in this table, please consider the value indicated in System > Global Resources as accurate.
| Web UI menu | Web UI item | Main table | Sub-table |
|---|---|---|---|
| Web Protection Profile | Inline Protection Profile | 256 | N/A |
| | Offline Protection Profile | 256 | N/A |
| Server Objects | | | |
| | Health Check | 256 | 16 |
| | Persistence | 256 | N/A |
| | HTTP Content Routing | 512 | 256 |
| | Protected Hostnames | 256 | 255 |
| Service | Predefined | 5 | N/A |
| | Custom | 256 | N/A |
| | Traffic Mirror | 256 | 256 |
| | Predefined Global allow list | N/A (Predefined list. Can't be edited) | N/A |
| | Custom Global allow list | 256 | N/A |
| | Data Type | No limit | N/A |
| | Custom Data Type | 256 | N/A |
| | X-Forwarded-For | 256 | 256 |
| Application Delivery | | | |
| URL Rewriting Policy | URL Rewriting Policy | 256 | 256 |
| | URL Rewriting Rule | 512 | 10 |
| Authentication Policy | Authentication Policy | 256 | 256 |
| | Authentication Rule | 256 | 256 |
| Site Publish | Site Publish Policy | 256 | 256 |
| | Site Publish Rule | 512 | N/A |
| | Keytab File | 256 | N/A |
| | Authentication Server Pool | 256 | 256 |
| | Service Principal Name Pool | 256 | 256 |
| Compression | File Compress Policy | 256 | 10 |
| | Exclusion Rule | 256 | 256 |
| Caching | Web Cache Policy | 256 | 256 |
| | Bypass URL | 256 | N/A |
| | Cookie List | 256 | N/A |
| Acceleration | Acceleration Policy | 256 | N/A |
| | Acceleration Exception | 256 | 256 |
| Web Protection | | | |
| Known attacks | Signatures (User Defined)/Exceptions | 100E/400E/400F: 64; 600E: 128; 1000E/2000E/3000E/3010E/4000E/2000F/3000F/4000F: 256 | Enabled main classes: 64 |
| | | | Disabled sub-classes: 256 |
| | | | Disabled signature table: 2048 |
| | | | Filter table: 10240. Note: It's allowed to create at most 128 filters for the same signature-id. |
| | | | Score disable table: 256 |
| | | | Score grade table: 256 |
| | | | Alert-only table: 1024 |
| | | | Disabled False Positive Mitigation table: 256 |
| | Global Disable Signature | 1024 | N/A |
| | Custom Signature Group | 256 | 64 |
| | Custom Signature | 256 | 256 |
| Advanced Protection | Custom Policy | 1024 | 1024 |
| | Custom Rule | 1024 (On-premise FortiWeb devices); 6000 (FortiWeb-VM) | Source IPv4/IPv6: 256 |
| | | | GEO IP: 256 |
| | | | User: 256 |
| | | | Time period: 1 |
| | | | URL: 256 |
| | | | HTTP Header: 256 |
| | | | Access Rate Limit: 1 |
| | | | Signature main class: 256 |
| | | | Signature sub-class: 256 |
| | | | Signature: 10240 |
| | | | Custom signature: 1 |
| | | | Transaction Timeout: 1 |
| | | | Response Code: 256 |
| | | | Content Type: 1 |
| | | | Packet Interval Timeout: 1 |
| | | | Parameter: 256 |
| | | | Occurrence: 1 |
| | Padding Oracle Protection | 256 | 256 |
| | CSRF Protection Rule | 256 | 256 |
| | HTTP Header Security Policy | 256 | 256 |
| | Man in the Browser Protection Rule | 256 | 256 |
| | Man in the Browser Protection Policy | 256 | 256 |
| | URL Encryption Policy | 256 | 256 |
| | URL Encryption Rule | 256 | 256 |
| | SQL/XSS Syntax Based Detection | 256 | 128 |
| Cookie Security | Cookie Security | 256 | 256 |
| Data Loss Prevention | DLP Dictionary | 256 | 256 |
| | DLP Sensor | 256 | 256 |
| | DLP Rule | 256 | N/A |
| | DLP Policy | 256 | 256 |
| Input Validation | Parameter Validation Policy | 256 | 1024 |
| | Parameter Validation Rule | 1024 | 192 |
| | Hidden Fields Policy | 256 | 256 |
| | Hidden Fields Rule | 256 | 32 (Hidden Fields Table); 10 (Post URL Table) |
| | File Security Policy | 256 | 256 |
| | File Security Rule | 256 | 256 |
| Protocol | HTTP Protocol Constraints | 256 | N/A |
| | HTTP Constraints Exception | 256 | 32 |
| | WebSocket Security Policy | 256 | 256 |
| | WebSocket Security Rule | 256 | 256 |
| Access | URL Access Policy | 1024 | 1024 |
| | URL Access Rule | 1024 | 32 |
| | Allow Method Policy | 256 | N/A |
| | Allow Method Exceptions | 256 | 32 |
| | IP List | 256 | 256 |
| | Geo IP | 256 | 256 |
| | Geo IP Exceptions | 256 | 256 |
| | Allowed Origin | 256 | 256 |
| | CORS Protection Rule | 256 | 256 |
| | CORS Protection Policy | 256 | 256 |
| FTP Security | | | |
| | FTP Command Restriction | 256 | 256 |
| | FTP File Security | 256 | N/A |
| DoS Protection | | | |
| Application | HTTP Access Limit | 256 | N/A |
| | Malicious IPs | 256 | N/A |
| | HTTP Flood Prevention | 256 | N/A |
| Network | TCP Flood Prevention | 256 | N/A |
| | DoS Protection Policy | 256 | N/A |
| IP Reputation | | | |
| | Exceptions | 256 | N/A |
| Tracking | | | |
| User Tracking | User Tracking Rule | 256 | 10 |
| | User Tracking Policy | 256 | 256 |
| Machine Learning | | | |
| | Anomaly Detection Policy | 256 | 256 |
| | Anomaly Detection - Parameters per domain | 1000 | N/A |
| | Bot Detection Policy | 256 | 256 |
| Machine Learning Templates | URL Replacer Policy | 256 | 256 |
| | URL Replacer Rule | 256 | 256 |
| Predefined Pattern | Data Type Group | 256 | 512 |
| | Data Type | None | N/A |
| | URL Pattern | None | N/A |
| | Suspicious URL | 256 | 512 |
| Custom Pattern | Data Type | 256 | N/A |
| | Suspicious URL Policy | 256 | 64 |
| | Suspicious URL Rule | 256 | N/A |
| Application Templates | Application Policy | 256 | 256 |
| | URL Replacer | 256 | N/A |
| Web Vulnerability Scan | | | |
| | Web Vulnerability Scan Policy | 256 | N/A |
| Scan Profile | Scan Profile | 256 | N/A |
| | Scan Template | 256 | N/A |
| | Web Vulnerability Scan Schedule | 256 | N/A |
| | Scanner Integration | N/A | N/A |
| API Protection | | | |
| JSON Protection | JSON Protection Policy | 256 | 256 |
| | JSON Protection Rule | 256 | N/A |
| | JSON Schema | 256 | N/A |
| XML Protection | XML Protection Policy | 256 | 256 |
| | XML Protection Rule | 256 | N/A |
| | XML Schema | 256 | N/A |
| | WSDL | 256 | N/A |
| | Exempted URLs | 256 | 256 |
| | WS-Security Rule | 256 | 256 |
| OpenAPI Validation Policy | OpenAPI Validation Policy | 256 | 256 |
| | OpenAPI File | 256 | N/A |
| API Gateway | API User | 256 | 256 |
| | API User Group | 256 | 256 |
| | API Gateway Rule | 256 | N/A |
| | API Gateway Policy | 256 | 256 |
| Bot Mitigation | Biometrics Based Detection | 256 | 256 |
| | Threshold Based Detection | 256 | N/A |
| | Bot Deception | 256 | 256 |
| | Bot Mitigation Policy | 256 | N/A |
| | Mobile API Protection Policy | 256 | 256 |
| | Mobile API Protection Rule | 256 | 256 |
| | Known Bots | 256 | 256 |
| ZTNA | ZTNA Profile | 256 | N/A |
| | ZTNA Rule | 256 | N/A |
Maximum values on FortiWeb-VM
FortiWeb-VM has 10 virtual network interfaces (vNICs, or virtual ports).
The maximum number of server policies initially varies by the maximum amount of virtual memory (vRAM) available to FortiWeb-VM, up to a hard limit.
If vRAM is less than 64 GB, FortiWeb-VM allows up to 20 policies for the first 1 GB of vRAM, then an additional 15 policies per additional 1 GB of vRAM, up to a maximum of 256 server policies.
If vRAM is 64 GB or more, FortiWeb-VM allows up to 1024 server policies.
The vRAM refers to the vRAM value obtained from the MemTotal attribute of the diagnose hardware mem list command. The KB value displayed in MemTotal should be rounded down to an integer in GB. For instance, if MemTotal shows 15971428 KB, it is rounded down to 15 GB. The maximum number of server policies is then 20+(15-1)*15=230.
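The server policy rule above can be checked before sizing a FortiWeb-VM deployment. The following is an added example, not Fortinet code: the function names are hypothetical, the sample output is constructed in /proc/meminfo style (the real layout of the command output is assumed), and 1 GB is assumed to be 1024 * 1024 KB.

```python
import re

# Assumption: 1 GB = 1024 * 1024 KB. The page only says MemTotal is
# "rounded down to an integer in GB".
KB_PER_GB = 1024 * 1024

# Constructed sample in /proc/meminfo style; the exact layout of the
# `diagnose hardware mem list` output is assumed, not taken from the page.
SAMPLE_OUTPUT = """\
MemTotal:       15971428 kB
MemFree:         9120344 kB
"""

def vram_gb_from_output(text):
    """Return the MemTotal value rounded down to whole GB."""
    match = re.search(r"MemTotal:?\s*(\d+)\s*kB", text, re.IGNORECASE)
    if match is None:
        raise ValueError("no MemTotal line found")
    return int(match.group(1)) // KB_PER_GB

def max_server_policies(vram_gb):
    """Server policy limit for FortiWeb-VM as described on this page."""
    if vram_gb < 1:
        # The page does not define a limit below 1 GB of vRAM.
        raise ValueError("vRAM below 1 GB is not covered")
    if vram_gb >= 64:
        return 1024
    # 20 for the first GB, 15 for each additional GB, capped at 256.
    return min(20 + (vram_gb - 1) * 15, 256)

def check_plan(output, planned_policies):
    """Compare a planned server policy count with the computed limit."""
    gb = vram_gb_from_output(output)
    limit = max_server_policies(gb)
    return {"vram_gb": gb, "limit": limit,
            "fits": planned_policies <= limit,
            "headroom": limit - planned_policies}

if __name__ == "__main__":
    print(check_plan(SAMPLE_OUTPUT, 200))
    for gb in (1, 16, 17, 63, 64):
        print(gb, "GB ->", max_server_policies(gb))
```

The 256 cap is reached from 17 GB upward, and because MemTotal is rounded down, a reading one KB short of 64 GB still falls under the 256 limit rather than 1024.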