ZTNA object maximum values
For various zero trust network access (ZTNA) object types, FortiOS may limit the number of each object type that you can create. To verify the maximum number of objects for each object type, run the following command on your FortiGate:
# print tablesize
The following provides example output for ZTNA (access proxy)-related objects from a FortiGate-VM04:
# print tablesize
firewall.access-proxy-virtual-host: 0 256 512 1
firewall.access-proxy-virtual-host:ssl-certificate: 0 0 0 1
firewall.access-proxy-ssh-client-cert: 0 256 512 0
firewall.access-proxy-ssh-client-cert:cert-extension: 0 0 0 0
firewall.access-proxy: 0 256 512 3
firewall.access-proxy:api-gateway: 0 0 0 3
firewall.access-proxy:api-gateway:realservers: 0 0 0 3
firewall.access-proxy:api-gateway:realservers:ssh-host-key: 0 0 0 0
firewall.access-proxy:api-gateway:application: 0 0 0 0
firewall.access-proxy:api-gateway:ssl-cipher-suites: 0 0 0 0
firewall.access-proxy:api-gateway6: 0 0 0 0
firewall.access-proxy:api-gateway6:realservers: 0 0 0 0
firewall.access-proxy:api-gateway6:realservers:ssh-host-key: 0 0 0 0
firewall.access-proxy:api-gateway6:application: 0 0 0 0
firewall.access-proxy:api-gateway6:ssl-cipher-suites: 0 0 0 0
firewall.access-proxy6: 0 256 512 0
firewall.access-proxy6:api-gateway: 0 0 0 0
firewall.access-proxy6:api-gateway:realservers: 0 0 0 0
firewall.access-proxy6:api-gateway:realservers:ssh-host-key: 0 0 0 0
firewall.access-proxy6:api-gateway:application: 0 0 0 0
firewall.access-proxy6:api-gateway:ssl-cipher-suites: 0 0 0 0
firewall.access-proxy6:api-gateway6: 0 0 0 0
firewall.access-proxy6:api-gateway6:realservers: 0 0 0 0
firewall.access-proxy6:api-gateway6:realservers:ssh-host-key: 0 0 0 0
firewall.access-proxy6:api-gateway6:application: 0 0 0 0
firewall.access-proxy6:api-gateway6:ssl-cipher-suites: 0 0 0 0
ztna.web-portal: 0 256 512 0
ztna.web-portal-bookmark: 0 256 512 0
ztna.web-portal-bookmark:users: 0 0 0 0
ztna.web-portal-bookmark:groups: 0 0 0 0
ztna.web-portal-bookmark:bookmarks: 0 0 0 0
These values may vary between FortiGate models.
The four columns of values provide the following information, respectively:
- Maximum number of variables allowed for this object type
- Maximum number of objects of this type allowed per virtual domain (VDOM)
- System global limit for maximum number of objects of this type
- Current total number of objects of this type existing in FortiOS
A value of 0 indicates that there is no maximum value limit.
The following presents the example output in a table format, showing each object type and its associated maximum and current values:
| Object | Maximum variables allowed | Maximum per VDOM | Global maximum | Current total objects in use |
|---|---|---|---|---|
| firewall.access-proxy-virtual-host | 0 | 256 | 512 | 1 |
| firewall.access-proxy-virtual-host:ssl-certificate | 0 | 0 | 0 | 1 |
| firewall.access-proxy-ssh-client-cert | 0 | 256 | 512 | 0 |
| firewall.access-proxy-ssh-client-cert:cert-extension | 0 | 0 | 0 | 0 |
| firewall.access-proxy | 0 | 256 | 512 | 3 |
| firewall.access-proxy:api-gateway | 0 | 0 | 0 | 3 |
| firewall.access-proxy:api-gateway:realservers | 0 | 0 | 0 | 3 |
| firewall.access-proxy:api-gateway:realservers:ssh-host-key | 0 | 0 | 0 | 0 |
| firewall.access-proxy:api-gateway:application | 0 | 0 | 0 | 0 |
| firewall.access-proxy:api-gateway:ssl-cipher-suites | 0 | 0 | 0 | 0 |
| firewall.access-proxy:api-gateway6 | 0 | 0 | 0 | 0 |
| firewall.access-proxy:api-gateway6:realservers | 0 | 0 | 0 | 0 |
| firewall.access-proxy:api-gateway6:realservers:ssh-host-key | 0 | 0 | 0 | 0 |
| firewall.access-proxy:api-gateway6:application | 0 | 0 | 0 | 0 |
| firewall.access-proxy:api-gateway6:ssl-cipher-suites | 0 | 0 | 0 | 0 |
| firewall.access-proxy6 | 0 | 256 | 512 | 0 |
| firewall.access-proxy6:api-gateway | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway:realservers | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway:realservers:ssh-host-key | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway:application | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway:ssl-cipher-suites | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway6 | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway6:realservers | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway6:realservers:ssh-host-key | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway6:application | 0 | 0 | 0 | 0 |
| firewall.access-proxy6:api-gateway6:ssl-cipher-suites | 0 | 0 | 0 | 0 |
| ztna.web-portal | 0 | 256 | 512 | 0 |
| ztna.web-portal-bookmark | 0 | 256 | 512 | 0 |
| ztna.web-portal-bookmark:users | 0 | 0 | 0 | 0 |
| ztna.web-portal-bookmark:groups | 0 | 0 | 0 | 0 |
| ztna.web-portal-bookmark:bookmarks | 0 | 0 | 0 | 0 |
For example, consider the values for firewall.access-proxy-virtual-host:
| Object | Maximum variables allowed | Maximum per VDOM | Global maximum | Current total objects in use |
|---|---|---|---|---|
| firewall.access-proxy-virtual-host | 0 | 256 | 512 | 1 |
You can interpret this as follows for the virtual host object type:
- For each VDOM, FortiOS allows a maximum of 256 virtual hosts used within a ZTNA server definition.
- Globally, FortiOS allows a maximum of 512 virtual hosts used within a ZTNA server definition.
- Currently, FortiOS has one virtual host object defined.
For another example, consider the values for firewall.access-proxy:api-gateway:realservers:
| Object | Maximum variables allowed | Maximum per VDOM | Global maximum | Current total objects in use |
|---|---|---|---|---|
| firewall.access-proxy:api-gateway:realservers | 0 | 0 | 0 | 3 |
You can interpret this as follows for the real server object type:
- There is no per-VDOM or global limit on the number of real servers associated with ZTNA servers.
- Currently, FortiOS has three real servers defined.
For other maximum values, see Maximum Values Table.
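The column interpretation above can be automated when auditing ZTNA capacity. The following Python sketch is an added example, not Fortinet code: it parses saved `print tablesize` output, treats a limit of 0 as "no limit", and lists object types whose current total is close to the global maximum. The function names, the 80% threshold and the sample counts are assumptions made for the illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the format shown above (counts are made up for the demo).
SAMPLE = """\
# print tablesize
firewall.access-proxy-virtual-host: 0 256 512 1
firewall.access-proxy: 0 256 512 430
firewall.access-proxy:api-gateway:realservers: 0 0 0 3
ztna.web-portal: 0 256 512 512
"""

class TableSize(NamedTuple):
    name: str
    max_vars: Optional[int]    # None means no limit (printed as 0)
    per_vdom: Optional[int]
    global_max: Optional[int]
    current: int               # a real count, so 0 stays 0

# Object paths contain ':' themselves, so anchor on the last ':' before the numbers.
_LINE = re.compile(r"^(\S+):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_tablesize(text):
    """Return one TableSize per object line; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            continue  # command echo, prompt or blank line
        limits = [int(v) or None for v in m.group(2, 3, 4)]
        rows.append(TableSize(m.group(1), *limits, int(m.group(5))))
    return rows

def near_limit(rows, threshold=0.8):
    """Rows whose device-wide count is at or above threshold * global maximum."""
    hits = []
    for r in rows:
        if r.global_max is not None and r.current >= threshold * r.global_max:
            hits.append((r.name, r.current, r.global_max))
    return hits

if __name__ == "__main__":
    for name, cur, cap in near_limit(parse_tablesize(SAMPLE)):
        print(f"{name}: {cur}/{cap} ({cur / cap:.0%} of global maximum)")
```

Because the fourth column is a device-wide total, the check compares it with the global maximum only; per-VDOM usage has to be counted separately in each VDOM.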