https://docs.fortinet.com/max-value-table
This can be a really useful tool for figuring out how certain features will scale and what to be conscious of when standardizing on certain models combined with your enterprise's chosen features. I'm getting lost at determining what each object is, apart from its name. There's no link to a full description of what the object is and what contributes to its usage/capacity. Some are obvious by their name, but others not so much. How do network designers and implementers figure out scaling and capacity factors for objects that aren't so obvious by name?
For example:
user.fortitoken
-Ok, that looks pretty straightforward - probably the maximum number of FortiTokens that can be assigned to users on the firewall?
user.fsso-polling
-Hmmm, I'm guessing this is the number of users that can be FSSO polled - but only 20 for a FG-200F? That doesn't sound right, so maybe it means something else?
Where do we go to understand these table objects in more detail?
#print tablesize
This command is cool, but it doesn't give you any idea of how much of these tables are currently in use, or whether you're nearing a certain hard limit. I was hoping this could help with some deductive work of making a change and seeing what usage values might change, but I haven't quite figured out how to check these or if it's possible.
So the Max Values table, AFAIK, is for the maximum number of configured entries. FSSO using an external server does not require individual configuration of entities, therefore it's not really applicable to the max values table.
FSSO basically keeps a log of mappings of username, workstation, and IP address. Fairly low overhead when you consider what's involved in tracking a single TCP session.
If you are literally only doing ZTNA and FSSO with no advanced security profiles or inspection, then yes, possibly a lower-end FortiGate will suffice.
You also need to consider your throughput and future needs. Might you ever want to turn on security profiles? Might you have more users? Might you require more bandwidth? I always suggest picking the box that seems to do what you want it to today and upsizing at least once to the next one up.
If you need more help I'd suggest talking to your Fortinet SE and getting an eval setup to ensure the box you are choosing works for you.
The majority of the entries correlate to CLI commands.
i.e. user.fsso-polling would equate to "config user fsso-polling"
Which you can see on CLI is for configuring AD Servers:
#config user fsso ?
fsso Configure Fortinet Single Sign On (FSSO) agents.
fsso-polling Configure FSSO active directory servers for polling mode.
I would also argue most people go the other direction. They have a requirement or use-case and they need to know which FW model will satisfy it. So it's less about decoding all of the max values in the table and more about finding the one you need based on what you are doing.
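The two points above (a max-values key such as user.fsso-polling maps to the CLI block "config user fsso-polling", and "print tablesize" shows only the limits, not current usage) can be combined into a quick check. The script below is an added example, not code from the forum thread or from Fortinet: it assumes that "print tablesize" prints one "table.name: limit" line per table, and that the number of configured entries for a table is the number of top-level "edit" lines inside the matching "config a b ..." block of a config backup. Both inputs are constructed samples, not real device output, and the treatment of a limit of 0 as "no fixed cap" is an assumption. Dynamic FSSO logons never appear in the configuration, so, as the replies say, this check will not show them; it only covers configured objects.

```python
"""Cross-check a FortiGate config backup against 'print tablesize' limits.

Added example for the forum discussion, not Fortinet code. Assumptions:
 - 'print tablesize' emits one 'table.name: limit' line per table.
 - max-values key 'a.b' corresponds to CLI block 'config a b', and its
   usage is the number of top-level 'edit' entries in that block.
 - a limit of 0 means no fixed cap on that model (assumption).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of 'print tablesize' output (format assumed, see above).
TABLESIZE_OUTPUT = """\
user.local: 500
user.fsso-polling: 20
user.fsso: 20
firewall.policy: 1000
firewall.address: 4000
"""

# Constructed sample of a configuration backup excerpt.
CONFIG_BACKUP = """\
config user local
    edit "alice"
        set type password
    next
    edit "bob"
        set type ldap
        set ldap-server "corp-ldap"
    next
end
config user fsso-polling
    edit 1
        set server "10.0.0.5"
        config adgrp
            edit "CN=Staff,DC=corp,DC=local"
            next
            edit "CN=Admins,DC=corp,DC=local"
            next
        end
    next
end
config firewall policy
    edit 1
        set name "ztna-users"
        set srcintf "port1"
    next
    edit 2
    next
    edit 3
    next
end
"""


def parse_tablesize(text: str) -> dict[str, int]:
    """Return {table: limit} from 'print tablesize' style lines."""
    limits: dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.-]+)\s*:\s*(\d+)\s*$", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def count_config_entries(text: str) -> dict[str, int]:
    """Count top-level 'edit' entries per 'config a b ...' block.

    Nested sub-tables (e.g. 'config adgrp' inside an fsso-polling server)
    are tracked on the stack but not counted against the parent table,
    because the max-values keys refer to the top-level CLI path.
    """
    counts: dict[str, int] = {}
    stack: list[tuple[str, str | None]] = []  # (kind, table key or None)
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            key = ".".join(tok[1:]) if not stack else None  # top-level only
            if key is not None:
                counts.setdefault(key, 0)
            stack.append(("config", key))
        elif tok[0] == "edit":
            if stack and stack[-1][0] == "config" and stack[-1][1] is not None:
                counts[stack[-1][1]] += 1
            stack.append(("edit", None))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        # 'set', 'unset', 'append' and similar carry no table structure
    return counts


@dataclass
class Usage:
    table: str
    used: int
    limit: int

    @property
    def percent(self) -> float | None:
        # Assumption: limit 0 means no fixed cap, so no percentage applies.
        return None if self.limit == 0 else 100.0 * self.used / self.limit


def report(tablesize_text: str, config_text: str) -> list[Usage]:
    """One Usage row per table listed by 'print tablesize'."""
    limits = parse_tablesize(tablesize_text)
    used = count_config_entries(config_text)
    return [Usage(t, used.get(t, 0), lim) for t, lim in sorted(limits.items())]


def near_limit(rows: list[Usage], warn_at: float = 80.0) -> list[Usage]:
    """Tables whose configured entries are at or above warn_at percent."""
    return [r for r in rows if r.percent is not None and r.percent >= warn_at]


if __name__ == "__main__":
    rows = report(TABLESIZE_OUTPUT, CONFIG_BACKUP)
    for r in rows:
        pct = "n/a" if r.percent is None else f"{r.percent:.1f}%"
        print(f"{r.table:<24} {r.used:>5} / {r.limit:<6} {pct}")
    for r in near_limit(rows):
        print(f"WARNING: {r.table} at {r.percent:.0f}% of limit")
```

Feed it the output of "print tablesize" from the model you are sizing and a backup from the box carrying the configuration you intend to standardize on; the percentage column answers the "how close am I" question for configured objects only.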
Thanks for the reply Graham!
I started to piece this together a little bit and noticed some objects that look to be associated directly to config lines like you provided.
For me this is about considering a feature and seeing how it scales between the hardware we already have deployed. I found another forum posting that was specific to the issue I was trying to determine the limits on (ldap group membership max for a FSSO user). Unfortunately it's not the first time I've gotten stuck trying to find feature limits per model in the max val table.
For instance, how do I find out how many simultaneous FSSO users each FG model will support?
Depends where your FSSO users are being authenticated. If they are local users on the FortiGate, then you have to consider how you add a user to the FortiGate.
config user local
Looking at the max values table I can see that there's a value for user.local.
That said most FSSO deployments rely on an external authentication source which would remove effective limits of users.
We're leveraging FAC with FSSO and I'm wondering if even the smallest units can handle 500+ users with lots of groups from LDAP being pushed down.
Created on 11-23-2022 07:52 PM Edited on 11-23-2022 07:53 PM
If you're leveraging FAC then it is doing all the heavy lifting in terms of user databases. All your FGT is doing is polling it for authentication services. There is no limit from the FGT's perspective for this action.
However, each FortiGate should be sized according to the general number of users that it will be servicing, regardless of FSSO. You need to consider the values of the FortiGate's maximum sessions, throughput (with all features enabled), connection rates, etc. These values are easily found on the data sheet.
I will say fairly confidently that even the smallest units will quite likely not handle 500 users, regardless of FSSO.
Created on 11-24-2022 05:38 AM Edited on 11-24-2022 05:45 AM
I completely agree with you on right-sizing but we don't have plans to turn on many of the more resource heavy features like content processing. The current plan is to take advantage of ZTNA+FSSO to apply simple, yet many, access rules dynamically to users - without deep inspection. I get this isn't a typical customer scenario.
As a solution designer, at the end of the day I just want to be able to find clear engineering documentation that helps me make decisions quickly and confidently and doesn't leave me guessing.
Even with FAC doing all the heavy lifting, how do I know how many dynamic "user" entries can fill up in ?x-table? on my firewalls before the smallest one gets exhausted? At what point do I need to be concerned about filtering FSSO sessions towards specific firewalls vs. blasting them out by region, or company wide?
Thanks for the very thorough feedback Graham, much appreciated!