80211WiGuy
Explorer III
November 23, 2022
Solved

Maximum Values Table - Where are the object descriptions?

  • November 23, 2022
  • 1 reply
  • 6151 views

https://docs.fortinet.com/max-value-table

This can be a really useful tool for figuring out how certain features will scale and what to be conscious of when standardizing on certain models combined with your enterprise's chosen features. I'm getting lost at determining what each object is, apart from its name. There's no link to a full description of what the object is and what contributes to its usage/capacity. Some are obvious by their name, but others not so much. How do network designers and implementers figure out scaling and capacity factors for objects that aren't so obvious by name?

For example:

user.fortitoken

-Ok, that looks pretty straightforward - probably the maximum number of FortiTokens that can be assigned to users on the firewall?

user.fsso-polling

-hmmm, I'm guessing this is the number of users that can be FSSO polled - but only 20 for a FG-200F, that doesn't sound right so maybe it means something else?

Where do we go to understand these table objects in more detail?

 

#print tablesize

This command is cool but it doesn't give you any idea of how much of these tables are currently in use, and if you're nearing a certain hard limit. I was hoping this could with some deductive work of making a change and seeing what usage values might change but haven't quite figured out how to check these or if it's possible.

Best answer by gfleming

So the Max Values table AFAIK is for maximum number of configured entries. FSSO using external server does not require individual configuration of entities therefore it's not really applicable to the max values table.

 

FSSO basically keeps a log of mappings of username, workstation, IP Address. Fairly low overhead when you consider what's involved in tracking a single TCP session.

If you are literally only doing ZTNA and FSSO with no advanced security profiles or inspection, then yes, possibly a lower-end FortiGate will suffice.

You also need to consider your throughput and future needs. Might you ever want to turn on security profiles? Might you have more users? Might you require more bandwidth? I always suggest picking the box that seems to do what you want it to today and upsizing at least once to the next one up.

If you need more help I'd suggest talking to your Fortinet SE and getting an eval setup to ensure the box you are choosing works for you.

1 reply

gfleming
Staff
November 23, 2022

Majority of the entries correlate to CLI commands.

i.e. user.fsso-polling would equate to "config user fsso-polling"

 

Which you can see on CLI is for configuring AD Servers:

 

#config user fsso ?
fsso Configure Fortinet Single Sign On (FSSO) agents.
fsso-polling Configure FSSO active directory servers for polling mode.

I would also argue most people go the other direction. They have a requirement or use-case and they need to know which FW model will satisfy it. So it's less about decoding all of the max values in the table and more about finding the one you need based on what you are doing.

80211WiGuy
Explorer III
November 24, 2022

Thanks for the reply Graham!

I started to piece this together a little bit and noticed some objects that look to be associated directly to config lines like you provided.

 

For me this is about considering a feature and seeing how it scales between the hardware we already have deployed. I found another forum posting that was specific to the issue I was trying to determine the limits on (LDAP group membership max for an FSSO user). Unfortunately it's not the first time I've gotten stuck trying to find feature limits per model in the max val table.

For instance, how do I find out how many simultaneous FSSO users each FG model will support? 

gfleming
Staff
November 24, 2022

Depends where your FSSO users are being authenticated. If they are local users on the FortiGate, well, you have to consider how you add a user to the FortiGate.

config user local

Looking at the max values table I can see that there's a value for user.local.

 

That said, most FSSO deployments rely on an external authentication source which would remove effective limits of users.