You are on page 1of 34

FortiGate Maximum Values

FortiOS 4.0 MR3

FortiGate Maximum Values 15 March 2012 01-436-92619-20120315 Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products: Fortinet Knowledge Base - http://kb.fortinet.com Technical Documentation - http://docs.fortinet.com Training Services - http://campus.training.fortinet.com Technical Support - http://support.fortinet.com You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

F o r t i G a t e M a x i m u m Va l u e s

Contents
About this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 About per VDOM limits and per unit limits . . . . . . . . . . . . . . . . . . . . . . 5 About interface maximum values . . . . . . . . . . . . . . . . . . . . . . . . . . 5 FortiGate desktop models (20C to 100A) . . . . . . . . . . . . . . . . . . . . . . . . 7 FortiWiFi models (20C to 80) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FortiGate 1U models (110C to 800F) . . . . . . . . . . . . . . . . . . . . . . . . . . FortiGate 2U, 3U, and blade models (1000A to 5000 series) . . . . . . . . . . . . . Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Revision history. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 15 23 29 31

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

Contents

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

About this document

About this document


This FortiGate maximum values document lists the maximum number of configuration objects per FortiGate and FortiWiFi model that can be added to the configuration database for many FortiGate configuration settings. The maximum values in this document are the maximum configurable values and are not a promise of performance.

About per VDOM limits and per unit limits


This document lists unit limits and per virtual domain (VDOM) limits. The unit limit is the maximum number allowed when the unit is operating without VDOMs. When VDOMs are enabled, the unit limit is the limit for all VDOMs combined, and the VDOM limit is the maximum number allowed per VDOM. If a unit limit exists, it is not divided evenly among the VDOMs present on the FortiGate unit. Each VDOM can take advantage of its own limit until the combined number in all of the VDOMs reaches the unit limit. If the unit limit is met, no more instances can be created in any VDOM. For example, the FortiGate-80C address groups have a unit limit of 5000 and a VDOM limit of 4000. If VDOMs are disabled, you can create 5000 address groups. The VDOM limit doesnt affect the FortiGate unit when VDOMs are disabled. If VDOMs are enabled, you can 4000 address groups per VDOM, but the unit maximum prevents you from creating more than 5000 in total, across all the VDOMs. If you configure three VDOMs and create 3000 address groups in one VDOM, 2000 address groups in another VDOM, you will not be able to create any address groups in the remaining VDOM. The number of address groups in this example have not approached the maximum allowed per VDOM, but creating one more address group in any of the three VDOMs will exceed the unit maximum, and is therefore not permitted. Table 1: Address groups in example VDOMs Root VDOM VDOM 1 VDOM 2 3000 address groups 2000 address groups 0 address groups 5000 address groups in total For information about global and per-VDOM features, see the Virtual Domains chapter in the FortiOS Handbook.

About interface maximum values


For all FortiGate models, a virtual domain in transparent mode can have a maximum of 255 interfaces. This includes VLANs, other virtual interfaces, and physical interfaces. Virtual domains in NAT/Route mode can have from 255 to 8192 interfaces depending on the FortiGate model. This total number of interfaces also includes VLANs, other virtual interfaces, and physical interfaces.

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

About this document

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

FortiGate desktop models (20C to 100A)

FortiGate desktop models (20C to 100A)


All 50 models All 80 models All 40 and 60 models FortiGate Model All 20C and 30B models

Feature System
Interface NAT mode: Interfaces (VLAN + physical) per VDOM Transparent mode: Interfaces (VLAN + physical) per VDOM Secondary IP addresses per interface IPv6 prefix lists per interface IPv6 tunnels SIT tunnels per VDOM Zones Zone interfaces DHCP DHCP servers per VDOM DHCP exclude ranges DHCP reserved addresses SNMP v1&v2c Admin Communities Community hosts Accounts Access profiles Session-helper Session-TTL ports Mac Address table size VDOM link GRE tunnel ARP table sizeF ARP table size per VDOMF

3A 3A 32 32 4 4 20

256 255

See maximum values for system interfaces. 16 4 200 3 8 300 8 32 512 200 VDOM links are interfaces. See maximum values for system interfaces. GRE tunnels are interfaces. See maximum values for system interfaces. 2000 200 200 16 200 7 15

ARP proxy TOS-based priority Replacement messages Replacement message groups Replacement message images

Router (NAT mode)


Static Static6 Policy Static routes Static routes for IPv6 Policy routes 100 8 16

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

100A

FortiGate desktop models (20C to 100A)

All 50 models

All 80 models
32 128 32 64 16 20 32 32 10 10 10 20

All 40 and 60 models

FortiGate Model All 20C and 30B models

Feature
Access-list Entries Rules per entry Prefix-list Entries Rules per entry Key-chain Entries Rules per entry BGP Confederation- peers Aggregate-addresses Neighbors Networks Redistribution tables per VDOM Authentication paths RIP Networks Distribute lists Neighbors Offset lists Distances Passive interfaces Interfaces Redistribution tables per VDOM OSPF Areas Range of areas Virtual links Filter lists Interfaces Networks Neighbors Passive interfaces Summary addresses Distribute lists Redistribution tables per VDOM Route Map Map rules

n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a 20
G

No set limit No set limit 1000 No set limit 100 No set limit

n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a

100 100 100

100 256

100 No set limit No set limit No set limit No set limit See maximum values for system interfaces. No set limit

No set limit

100 100

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

100A

FortiGate desktop models (20C to 100A)

All 50 models

All 80 models
4000 5000 4000 5000 1B 3H

All 40 and 60 models

FortiGate Model All 20C and 30B models

Feature Firewall
Policies VDOM Unit User groups per identity-based policy Policy pool names IPv6 policies VDOM Unit Multicast policies DNS translations Load balancing monitor Addresses VDOM Unit VDOM Unit IPv6 addresses Address group VDOM Unit Groups/VDOM Groups/Unit Addresses per group IPv6 address group Service Groups/VDOM Groups/Unit Predefined services Custom services Service group Schedules Groups Services per group One-time Recurring Virtual IP Virtual IPs VIP groups Addresses per VIP group Load Balance Virtual servers Real servers per Virtual server Protocol options Profile groups per VDOM IP pools per VDOM

200 No set limit 100

500

1000 No limit 500

64 200 No set limit 32 32 n/a n/a 256 No set limit 500 No set limit 500 No set limit 500 2500 300 500 2500 500 1024 500 300 256 256 500 500 500 n/a n/a 500 1000 No limit

32 32 512

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

100A

FortiGate desktop models (20C to 100A)

All 50 models

All 80 models
32 50

All 40 and 60 models

FortiGate Model All 20C and 30B models

Feature
Static IP/Mac bindings Traffic Shapers Per-IP traffic shaper

256 n/a 32

UTM
AntiVirus Antivirus profiles File patterns for auto-submission to Fortinet File pattern lists File pattern list entries per VDOM Intrusion Protection IPS sensors DoS sensors Custom IPS signatures Web Filter Web Filter profiles Web content lists Web content list entries per VDOM URL filter lists URL filter list entries per VDOM Regex URL filter entries per VDOM FortiGuard local categories per VDOM FortiGuard local ratings per VDOM FortiGuard admin overrides per VDOM 1000 10 100 52 2000 12000 200 20000 1000 20000 10 32000 4000 20000 32 32 256 32 10 32000 32 20 10 32000

10

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

100A

FortiGate desktop models (20C to 100A)

All 50 models

All 80 models
1000 1000 1000 1000 1000

All 40 and 60 models

FortiGate Model All 20C and 30B models

Feature
AntiSpam Email Filter profiles Banned word lists Banned word list entries per VDOM DNSBL lists DNSBL list entries per VDOM Email black/white lists Email black/white list entries per VDOM IP address black/white lists IP address black/white list entries per VDOM Trusted IP address lists Trusted IP address list entries per VDOM MIME header lists MIME header list entries per VDOM Data Leak Prevention Rules per VDOM Rules per unit Compound rules per VDOM Compound rules per unit Filters per sensor Sensors per VDOM Sensors per unit Sensitivity ratings per VDOM Application Control Application Control Lists

32 10 20000 10 20000 10 20000 10 20000 10 20000 10 20000 512 512 512 512 512 8 256 128 32 32000 16384 32768 16384 32768 16384 32000 32000 32000 32000 32000

VPN
Certificate Local CA CRL 200 200 200

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

100A

11

FortiGate desktop models (20C to 100A)

All 50 models

All 80 models
200 200 200 200 50 50

All 40 and 60 models

FortiGate Model All 20C and 30B models

Feature
IPSec Phase1 per VDOM Phase1 per unit

5 5

20 20

50 50

Phase1 interface See maximum values for system interfaces. Phase2 per VDOM Phase2 per unit 5 5 20 20 50 50 80 80

Phase2 interface See maximum values for system interfaces. Manual-keys per VDOM Manual-keys per unit 5 5 20 20 80 80

Manual-keys interface See maximum values for system interfaces. Concentrators Tunnels per concentrator 10 40 500 100 160

User
Local Radius LDAP TACACS+ FSSO FortiToken Windows AD User Group Local users Servers Servers Servers Servers Users Active Directory groups per domain User groups Members per user group Directory Service groups FortiGuard override profiles IM Users AIM users ICQ users MSN users Yahoo users 20 20 20 20 100 350 5 32 500 500 500 500 1000 1000 1000 1000 20 256 500 20 100 10 10 10 5 500 1000 500 1000

WAN Optimization
Note: WAN optimization is supported only on FortiGate models with internal storage.

Rule

Rules SSL servers

n/a n/a n/a n/a n/a

32 32 16 32 256

Peer

Authentication groups Peers

n/a n/a n/a

Web Cache

Web cache exempt lists

12

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

100A
80 80 n/a n/a

FortiGate desktop models (20C to 100A)

All 50 models

All 80 models
16 16 32 8 16 8 16 2 2

All 40 and 60 models

FortiGate Model All 20C and 30B models

Feature Wireless Controller


SSID Managed Wireless Access Points Max Number of FortiAP Access Points Supported Assigned Virtual AP list for each Physical AP

16 0 0 5 5 5 16 16

Logging
Traffic filter rules Custom log fields per firewall policy Datasets Fields per dataset Charts Chart mapping Summary Style Theme Layout Body items per layout Headers per page, per report layout Footers per page, per report layout n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a 50 5 256

256

128

256

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

100A

13

FortiWiFi models (20C to 80)

FortiWiFi models (20C to 80)


All FortiWiFi maximum values are the same as the corresponding FortiGate model maximum values with the exception of the Wireless Controller values shown in the following table. See FortiGate desktop models (20C to 100A) on page 7 for other FortiWiFi maximum values. All 50 models All 80 models
16 16

Feature Wireless Controller


SSID Managed Wireless Access Points Max Number of FortiAP Access Points Supported Assigned Virtual AP list for each Physical AP

16 1 0 5 5 16

14

All 40 and 60 models

FortiWiFi Models All 20C and 30B models

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

FortiGate 1U models (110C to 800F)

FortiGate 1U models (110C to 800F)


FortiGate Model 110C, 111C, 100D 600C, 620B
8192 200 64 256 512 200 VDOM links are interfaces. See maximum values for system interfaces. GRE tunnels are interfaces. See maximum values for system interfaces. 2000 200 200 16 200 15 30 15 10240 1024 2000 200 10240 1024 2000 200 10000 500 100 250 100 250

300C, 310B, 311B

224B

200B

200A

300A

400A

500A

Feature System
Interface NAT mode: Interfaces (VLAN + physical) per VDOM Transparent mode: Interfaces (VLAN + physical) per VDOM Secondary IP addresses per interface IPv6 prefix lists per interface IPv6 tunnels SIT tunnels per VDOM Zones Zone interfaces DHCP DHCP servers per VDOM DHCP exclude ranges DHCP reserved addresses SNMP v1&v2c Admin Communities Community hosts Accounts Access profiles Session-helper Session-TTL ports Mac Address table size VDOM link GRE tunnel ARP table sizeF ARP table size per VDOMF

4096 255 32 32 4 4 50

8192

4096

100 See maximum values for system interfaces. 40 16 200 3 8 300 16

32

ARP proxy TOS-based priority Replacement messages Replacement message groups Replacement message images

Router (NAT mode)


Static Static6 Policy Static routes Static routes for IPv6 Policy routes 500 500

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

800 800F
100 16

15

FortiGate 1U models (110C to 800F)

FortiGate Model 110C, 111C, 100D 600C, 620B


512 100 64 16 20 No set limit No set limit 1000 No set limit 100 No set limit 100 100 100 32 100 300 32 100 No set limit No set limit No set limit No set limit See maximum values for system interfaces. No set limit 10 No set limit 10 10 100 100 20 5000 1000 100 16

300C, 310B, 311B

224B

200B

200A

300A

400A

500A

Feature
Access-list Entries Rules per entry Prefix-list Entries Rules per entry Key-chain Entries Rules per entry BGP Confederation- peers Aggregate-addresses Neighbors Networks Redistribution tables per VDOM Authentication paths RIP Networks Distribute lists Neighbors Offset lists Distances Passive interfaces Interfaces Redistribution tables per VDOM OSPF Areas Range of areas Virtual links Filter lists Interfaces Networks Neighbors Passive interfaces Summary addresses Distribute lists Redistribution tables per VDOM Route Map Map rule

100 256 256

16

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

800 800F

FortiGate 1U models (110C to 800F)

FortiGate Model 110C, 111C, 100D 600C, 620B


50000 10000 0 50000 10000 0 128 1024 256 No set limit 2000 No set limit 1000 No set limit 500 2500 300 500 2500 500 1024 500 300 256 256 500 500 500 3 8 500 16 8 2048 500 8196 500 4096 10000 500 2500 3000 6000 3000 6000 6000 12000 6000 12000 3000 6000 3000 6000 6000 12000 6000 12000 10000 20000 10000 20000 4096 10000 6000 12000 6000 12000 500 2500 512 500 500 2048 1024

300C, 310B, 311B

224B

200B

200A

300A

400A

500A

Feature Firewall
Policies VDOM Unit User groups per identity-based policy Policy pool names IPv6 policies VDOM Unit Multicast policies DNS translations Load balancing monitor Addresses VDOM Unit VDOM Unit IPv6 addresses Address group VDOM Unit Groups/VDOM Groups/Unit Addresses per group IPv6 address group Service Groups/VDOM Groups/Unit Predefined services Custom services Service group Schedules Groups Services per group One-time Recurring Virtual IP Virtual IPs VIP groups Addresses per VIP group Load Balance Virtual servers Real servers per Virtual server Protocol options Profile groups per VDOM IP pools per VDOM

5000 10000

2000 4000

8000 16000

5000 10000

20000 40000

5000 10000

20000 40000

500 64 5000 10000 2000 4000 64 32 512 8000 16000 5000 10000 20000 40000 128 5000 10000 64 20000 40000 20000 40000

32 32 512 1024 512

500 500 1024

32 32

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

800 800F
20000 40000

17

FortiGate 1U models (110C to 800F)

FortiGate Model 110C, 111C, 100D 600C, 620B


500 500 500 500 10 32000 10 32000 4000 1000 50000 1000 50000 10000 400

300C, 310B, 311B

224B

200B

200A

300A

400A

500A

Feature
Static IP/Mac bindings Traffic Shapers Per-IP traffic shaper

1000 32 32 500 500 32 32

UTM
AntiVirus Antivirus profiles File patterns for auto-submission to Fortinet File pattern lists File pattern list entries per VDOM Intrusion Protection IPS sensors DoS sensors Custom IPS signatures Web Filter Web Filter profiles Web content lists Web content list entries per VDOM URL filter lists URL filter list entries per VDOM Regex URL filter entries per VDOM FortiGuard local categories per VDOM FortiGuard local ratings per VDOM FortiGuard admin overrides per VDOM 200 32000 32 10 32000 10 20000 4000 52 12000 400 200 32000 10 32000 32 32 256 500 1000 50000 1000 50000 10000 32 32 20 1000 50000 10 32000 1000 50000 500 32

18

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

800 800F

FortiGate 1U models (110C to 800F)

FortiGate Model 110C, 111C, 100D 600C, 620B


500 10 32000 10 32000 10 32000 10 32000 10 32000 10 32000 1000 50000 1000 50000 1000 50000 1000 50000 1000 50000 1000 50000

300C, 310B, 311B

224B

200B

200A

300A

400A

500A

Feature
AntiSpam Email Filter profiles Banned word lists Banned word list entries per VDOM DNSBL lists DNSBL list entries per VDOM Email black/white lists Email black/white list entries per VDOM IP address black/white lists IP address black/white list entries per VDOM Trusted IP address lists Trusted IP address list entries per VDOM MIME header lists MIME header list entries per VDOM Data Leak Prevention Rules per VDOM Rules per unit Compound rules per VDOM Compound rules per unit Filters per sensor Sensors per VDOM Sensors per unit Sensitivity ratings per VDOM Application Control Application Control Lists

32 10 32000 10 32000 10 32000 10 32000 10 32000 10 32000

500 1000 50000 1000 50000 1000 50000 1000 50000 1000 50000 1000 50000 16384 32768 16384 32768 16384

32

8 256

25000 50000 128 32

8 256

25000 50000

VPN
Certificate Local CA CRL 200 200 200 500

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

800 800F
19

FortiGate 1U models (110C to 800F)

FortiGate Model 110C, 111C, 100D 600C, 620B


5000 10000 5000 10000 5000 10000 128 128 64 128 256

300C, 310B, 311B

224B

200B

200A

300A

400A

500A

Feature
IPSec Phase1 per VDOM Phase1 per unit Phase1 interface Phase2 per VDOM Phase2 per unit Phase2 interface Manual-keys per VDOM Manual-keys per unit Manual-keys interface Concentrators Tunnels per concentrator

1500 1500

200 200

2000 2000

1500 3000

3000 6000

See maximum values for system interfaces. 1500 1500 200 200 2000 2000 1500 3000 3000 6000 3000 6000

See maximum values for system interfaces. 200 200 2000 2000 1500 3000 3000 6000 1500 3000 3000 6000 3000 6000

See maximum values for system interfaces. 500 300

User
Local Radius LDAP TACACS+ FSSO FortiToken Windows AD User Group Local users Servers Servers Servers Servers Users Active Directory groups per domain User groups Members per user group Directory Service groups FortiGuard override profiles IM Users AIM users ICQ users MSN users Yahoo users 256 500 350 5 32 1000 1000 1000 1000 1000 10 10 10 5 1000 1024

WAN Optimization
Note: WAN optimization is supported only on FortiGate models with internal storage.

Rule

Rules SSL servers

64 64 32 64 256

n/a n/a n/a n/a n/a

64 64 32 64 256

n/a n/a n/a n/a n/a

128 128 64 128 256

n/a n/a n/a n/a n/a

Peer

Authentication groups Peers

Web Cache

Web cache exempt lists

20

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

800 800F
3000 6000 n/a n/a n/a n/a n/a

FortiGate 1U models (110C to 800F)

FortiGate Model 110C, 111C, 100D 600C, 620B


512 512 320 32 256 8 16 128 8 16 256 2 2 32 256 16 32 16 128 8 16 320 256

300C, 310B, 311B

224B

200B

200A

300A

400A

500A

Feature Wireless Controller


SSID Managed Wireless Access Points Max Number of FortiAP Access Points Supported Assigned Virtual AP list for each Physical AP

16 32 32 16 256 256 64 64 256 256

Logging
Traffic filter rules Custom log fields per firewall policy Datasets Fields per dataset Charts Chart mapping Summary Style Theme Layout Body items per layout Headers per page, per report layout Footers per page, per report layout 256 50 5 256

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

800 800F
21

FortiGate 1U models (110C to 800F)

22

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

FortiGate 2U, 3U, and blade models (1000A to 5000 series)

FortiGate 2U, 3U, and blade models (1000A to 5000 series)


1000C, 1240B 3040B, 3140B 3950B, 3951B 3600,3600A 3016B, 3810A FortiGate Model 1000A 1000FA2 5000 Series
550 64 256 512 200 VDOM links are interfaces. See maximum values for system interfaces. GRE tunnels are interfaces. See maximum values for system interfaces. 2000 200 200 16 200 30 81920 8192

Feature System
Interface NAT mode: Interfaces (VLAN + physical) per VDOM Transparent mode: Interfaces (VLAN + physical) per VDOM Secondary IP addresses per interface IPv6 prefix lists per interface IPv6 tunnels SIT tunnels per VDOM Zones Zone interfaces DHCP DHCP servers per VDOM DHCP exclude ranges DHCP reserved addresses SNMP v1&v2c Admin Communities Community hosts Accounts Access profiles Session-helper Session-TTL ports Mac Address table size VDOM link GRE tunnel ARP table sizeF ARP table size per VDOMF

8192 255 32 32 4 4 200 500 See maximum values for system interfaces. 40 16 200 3 8 300

ARP proxy TOS-based priority Replacement messages Replacement message groups Replacement message images

Router (NAT mode)


Static Static6 Policy Static routes Static routes for IPv6 Policy routes 10000 500 250

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

VM, VM64

23

FortiGate 2U, 3U, and blade models (1000A to 5000 series)

1000C, 1240B

3040B, 3140B

3950B, 3951B

3600,3600A 3016B, 3810A

FortiGate Model 1000A 1000FA2

Feature
Access-list Entries Rules per entry Prefix-list Entries Rules per entry Key-chain Entries Rules per entry BGP Confederation- peers Aggregate-addresses Neighbors Networks Redistribution tables per VDOM Authentication paths RIP Networks Distribute lists Neighbors Offset lists Distances Passive interfaces Interfaces Redistribution tables per VDOM OSPF Areas Range of areas Virtual links Filter lists Interfaces Networks Neighbors Passive interfaces Summary addresses Distribute lists Redistribution tables per VDOM Route Map Map rule

100 256 100 64 100 20 No set limit No set limit 5000 No set limit 100 No set limit 100 100 100 32 100 300 32 100 No set limit No set limit No set limit No set limit See maximum values for system interfaces. No set limit 10 No set limit 10 10 100 100 20 512

24

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

5000 Series

VM, VM64

FortiGate 2U, 3U, and blade models (1000A to 5000 series)

1000C, 1240B

3040B, 3140B

3950B, 3951B

3600,3600A 3016B, 3810A

FortiGate Model 1000A 1000FA2

Feature Firewall
Policies VDOM Unit User groups per identity-based policy Policy pool names IPv6 policies VDOM Unit Multicast policies DNS translations Load balancing monitor Addresses VDOM Unit VDOM Unit IPv6 addresses Address group VDOM Unit Groups/VDOM Groups/Unit Addresses per group IPv6 address group Service Groups/VDOM Groups/Unit Predefined services Custom services Service group Schedules Groups Services per group One-time Recurring Virtual IP Virtual IPs VIP groups Addresses per VIP group Load Balance Virtual servers Real servers per Virtual server Protocol options Profile groups per VDOM IP pools per VDOM

50000 100000 800 64 50000 100000 128 512 256 256 1024 512 No set limit 10000J 20000J 40000 40000 10000 20000 4096 10000 300L 4096 10000 500 1024 500N 300 256 256 8196C 10000Q 500 500 8196C 10000 16 1024 No limit 10000
E

10000K 20000K

No limit

300M

4096 1000 500P

No limit

10000
D

500 500 1024 4096R 2048 4096

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

5000 Series
32

VM, VM64

25

FortiGate 2U, 3U, and blade models (1000A to 5000 series)

1000C, 1240B

3040B, 3140B

3950B, 3951B

3600,3600A 3016B, 3810A

FortiGate Model 1000A 1000FA2

Feature
Static IP/Mac bindings Traffic Shapers Per-IP traffic shaper

1000 500 500

UTM
AntiVirus Antivirus profiles File patterns for auto-submission to Fortinet File pattern lists File pattern list entries per VDOM Intrusion Protection IPS sensors DoS sensors Custom IPS signatures Web Filter Web Filter profiles Web content lists Web content list entries per VDOM URL filter lists URL filter list entries per VDOM Regex URL filter entries per VDOM FortiGuard local categories per VDOM FortiGuard local ratings per VDOM FortiGuard admin overrides per VDOM 1000 50000 1000 50000 10000 52 12000 400 500 1000 50000 500 20 2000 250000 32 32 256 500 2000 250000 2000 250000 20000

26

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

5000 Series

VM, VM64

FortiGate 2U, 3U, and blade models (1000A to 5000 series)

1000C, 1240B

3040B, 3140B

3950B, 3951B

3600,3600A 3016B, 3810A

FortiGate Model 1000A 1000FA2

Feature
AntiSpam Email Filter profiles Banned word lists Banned word list entries per VDOM DNSBL lists DNSBL list entries per VDOM Email black/white lists Email black/white list entries per VDOM IP address black/white lists IP address black/white list entries per VDOM Trusted IP address lists Trusted IP address list entries per VDOM MIME header lists MIME header list entries per VDOM Data Leak Prevention Rules per VDOM Rules per unit Compound rules per VDOM Compound rules per unit Filters per sensor Sensors per VDOM Sensors per unit Sensitivity ratings per VDOM Application Control Application Control Lists

500 1000 50000 1000 50000 1000 50000 1000 50000 1000 50000 1000 50000 2000 250000 2000 250000 2000 250000 2000 250000 2000 250000 2000 250000 16384 32768 16384 32768 16384 25000 50000 32000 64000 128 32

VPN
Certificate Local CA CRL 500 200 200 1000

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

5000 Series
27

VM, VM64

FortiGate 2U, 3U, and blade models (1000A to 5000 series)

1000C, 1240B

3040B, 3140B

3950B, 3951B

3600,3600A 3016B, 3810A

FortiGate Model 1000A 1000FA2

Feature
IPSec Phase1 per VDOM Phase1 per unit Phase1 interface Phase2 per VDOM Phase2 per unit Phase2 interface Manual-keys per VDOM Manual-keys per unit Manual-keys interface Concentrators Tunnels per concentrator

5000 10000 See maximum values for system interfaces. 5000 10000 See maximum values for system interfaces. 5000 10000 See maximum values for system interfaces. 500 300

User
Local Radius LDAP TACACS+ FSSO FortiToken Windows AD User Group Local users Servers Servers Servers Servers Users Active Directory groups per domain User groups Members per user group Directory Service groups FortiGuard override profiles IM Users AIM users ICQ users MSN users Yahoo users 1000 1000 10 10 10 5 5000 1024 800 350 5 32 1000 1000 1000 1000 5000

WAN Optimization
Note: WAN optimization is supported only on FortiGate models with internal storage.

Rule

Rules SSL servers

n/a n/a n/a n/a n/a

256 256 128 256 256

Peer

Authentication groups Peers

Web Cache

Web cache exempt lists

28

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

5000 Series

VM, VM64

Notes

1000C, 1240B

3040B, 3140B

3950B, 3951B

3600,3600A 3016B, 3810A

FortiGate Model 1000A 1000FA2

Feature Wireless Controller


SSID Managed Wireless Access Points Max Number of FortiAP Access Points Supported Assigned Virtual AP list for each Physical AP

16 256 256 512 512 16 1024 1024

Logging
Traffic filter rules Custom log fields per firewall policy Datasets Fields per dataset Charts Chart mapping Summary Style Theme Layout Body items per layout Headers per page, per report layout Footers per page, per report layout 16 128 8 16 256 2 2 256 8 32 256 16 32 256 32 320 50 5 320

Notes
A The

30-series do not have VLAN or VDOM support. Only the physical interfaces are available.
B FortiGate-82C

value = 3 value = 500 and 5001FA2 value = 4096

C FortiGate-1000A D FortiGate-5001 E F

FortiGate-5001FA2 value = 4096

The listed ARP limits apply only to static MAC addresses that you manually assign. The number of MAC addresses the FortiGate unit will learn on its own it limited only by system memory.
G FortiGate-51B H FortiGate-82C J

value = 128 value = 8 and 5001B value = 40000 and 5001B value = 1000

FortiGate-3810A value = 40000 FortiGate-3810A value = 1000

K FortiGate-5001A L M FortiGate-5001A

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

5000 Series
29

VM, VM64

Notes

N P

FortiGate-3810A value = 1000 FortiGate-5001A and 5001B value = 1000 value = 4096 FortiGate-3600 and 3600A value = 2048

Q FortiGate-3600 R

30

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

Revision history

Revision history
Version 49 Description of changes Corrected the values for the Max Number of FortiAP Access Points Supported for FortiWiFi models for FortiOS 4.0 MR3 patch 6. Added values for the FortiGate-100D. Renamed the field Managed Physical AP to Managed Wireless Access Points. Added a new field Max Number of FortiAP Access Points Supported. For all FortiGate models these two values are the same; however, they are different for some FortiWiFi models. Changed the section names of this document, added a new FortiWiFi section, added a Contents section. Reversed the sort order and altered the columns of this Revision History table. 47 46 Added values for the FortiGate-20C series and the FortiGate-40C series. Added values for the FortiGate-300C, 600C, and 1000C. Updated the BGP neighbors values to 4.0 MR3 Patch 3. Updated the IP pools label to indicate the value is the maximum number of IP pools per VDOM. Updated to include 4.0 MR3, Patch 1 information. Added values for the FortiGate VM model. Added values for replacement message groups and replacement message images. Made a number of corrections to the values in the 2U, 3U, blade models table. 42 Updated to include 4.0 MR3 information. Divided the table into three parts for easier viewing. Virtual AP is now called SSID. Fortinet Server Authentication Extension (FSAE) is now called Fortinet Single Sign-On (FSSO). Added DLP filters per sensor, DLP fingerprinting sensitivity ratings per VDOM, FortiToken, FSSO, profile groups per VDOM. 41 Expanded the introduction with transparent mode information and additional details about VDOMs. Moved revision history to the end of the document. Added information for FortiGate-3040B, FortiGate3950B and 3951B. 4 February 2011 17 March 2011 20 December 2011 16 November 2011 Date 15 March 2012

48

7 February 2012

45 44 43

4 October 2011 6 July 2011 4 May 2011

40

16 December 2010

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

31

Revision history

Version 39 38

Description of changes Corrected the ARP table size information. Corrected the IPsec VPN Phase 1 and Phase 2 maximum values, as well as the Manual Key value. Updated the introductory paragraph and where to go for additional virtual domain information. Corrected the Managed Physical AP numbers for 30B and 50 series. Corrected the firewall policies number for FortiGate200B. Updated information for wireless controller section and added directory service user groups.

Date 30 November 2010 8 November 2010

37 36

20 September 2010 12 August 2010

35 34 33 32 31 30 29 28 27 26

Corrected the number in IP pool for the FortiGate-3000 13 July 2010 series column. Corrected the number in the All 80 models column for Real servers per Virtual server. Removed 200B from the column, 200A, 200B, 224B. Added the FortiGate-ONE information. Updated to include 4.0 MR2 information. 22 April 2010 19 April 2010 13 April 2010

Added information for FortiGate-1240B and FortiGate- 2 February 2010 200B. Corrected numbers for virtual servers for 80 models and 110C and 111C models. Added FortiGate-200B values. Revised numbers for virtual servers. Updated to include virtual servers and real servers per virtual server. 23 November 2009 17 November 2009 12 November 2009 11 November 2009

Updated to include FortiGate-1240B units running 3 November 2009 special build 3.0 MR7. This is intended for only those FortiGate-1240B units running special build 3.0 MR7 and contains information that is supported for that build. For example, application control and DLP information is left blank because there is no application control or DLP feature in FortiOS 3.0 MR7. Updated the values for 4.0MR1 and added the FortiWiFi-80CM, FortiGate-80CM, 80C, and 82C. Expanded the virtual servers and real servers per virtual server information to cover all models and moved it into the main table under Firewall. Corrected some FortiGate-30B values and added the virtual servers table. 10 September 2009 29 July 2009

25 24

23

22 May 2009

32

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/

Revision history

Version 22

Description of changes Added the FortiGate-3600, 50B, 51B, 110C and 111C models. Added maximum values for DLP, application control, identity-based policies, traffic shapers, endpoint control, transparent mode interface limit, antispam banned words, antispam DNSBL, antispam email black/white lists, antispam IP address black/white lists, antispam trusted IP lists, antispam MIME header lists, SIT tunnel, WAN opt authentication groups, WAN opt peers, WAN opt rules, WAN opt SSL servers, web filter content block, web filter exempt, web filter URL filter, FortiGuard web filtering local ratings, and FortiGuard web filtering overrides. Updated the values for 4.0 and added the FortiGate110B and the FortiGate-620B. Updated the values for 3.0MR7 and added the FortiGate-30B. Added the FortiGate-310B. Added/updated features for FortiOS v3.0 MR6 FCS 15 January 2008. Included increased values for remote authentication servers, increase in local users and static routes, addition of TACACS+ users, SSL VPN bookmarks, load-balancing monitors, router authentication paths, and removal of IPS anomalies. Added/updated features for FortiOS v3.0 MR5 PD 25 June 2007. Corrected system interface values, divided into Transparent and NAT mode. Corrected value in Router (NAT mode), Static, Static routes. Added/updated features for FortiOS v3.0 MR4 PD 29 December 2006. Added/updated features for FortiOS v3.0 MR3 PD 29 September 2006. Added new features for FortiOS v3.0 MR2 PD 19 June 2006. Added new features, updated limits for existing features where required. Added VDOM/global limits to features that can be configured per VDOM and globally. Note: The feature DHCP IP/MAC Bindings is now referred to as DHCP Reserved addresses.

Date 15 April 2009

21 20 19 18

4 March 2009 26 August 2008 15 May 2008 15 January 2008

17 16 15 14 13 12 11

15 June 2007 11 April 2007 08 February 2007 29 December 2006 29 September 2006 19 June 2006 28 April 2006

10 9 8

Changed number of interfaces for 100A to 64. Updated, reformatted for FortiOS v3.0. Corrected DHCP Servers entry. For models 200 and above, the maximum number of DHCP servers is 32 per VDOM, not 8. This is a long-standing error.

26 October 2005 4 October 2005 12 May 2005

FortiGate Maximum Values 01-436-92619-20120315 http://docs.fortinet.com/

33

Revision history

Version 7

Description of changes Removed items that depend on memory availability, including Web Filter and Spam Filter lists. Removed (per virtual domain) indications and added the statement that limits are global for globally configured features, per-VDOM for features configured in each VDOM. Added 50AM, 60M, 100A, 200A, 300A, 400A, 500A models. Added statement the maximum values table shows maximum configurable values and is not a promise of performance.

Date 08 April 2005

25 February 2005

5 4

Corrected max number of protection profiles to 200 for 5 November 2004 models 3000 and up. Updated maximum numbers of Virtual Domains for 17 August 2004 NAT/Route and Transparent mode. Clarified Spam Filter limits. Removed model 2000. FortiOS v2.80 MR4 Complete change for FortiOS v2.80 Updated the DHCP address scopes and DHCP reserved IP/MAC pairs maximum values. Added FortiGate-800, FortiGate-4000, FortiGate-50A, and FortiWiFi-60. Updated Web filter and email filter maximum values. FortiOS v2.50 FortiOS v2.50 5 May 2004 9 March 2004

3 2

First Release

23 October 2003

34

Maximum Values for FortiOS 4.0 MR3 01-436-92619-20120315 http://docs.fortinet.com/