Administrative Domains

When ADOMs are enabled, you must select the ADOM from the drop-down list in the toolbar.

The Device Manager, FortiView, Event Management, and Reports tab are displayed per ADOM. The devices within each ADOM are shown in the default All FortiGate group. When ADOMs are disabled, the tree menu simply displays All FortiGates and Unregistered Devices, if there are any. Non-FortiGate devices are grouped into their own specific ADOMs.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. The maximum number of ADOMs you can add depends on the specific FortiAnalyzer system model. Please refer to the FortiAnalyzer data sheet for information on the maximum number of devices and ADOMs that your model supports.

The number of devices within each group is shown in parentheses next to the group name.

To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the System Information widget, select Enable next to Administrative Domain.
  4. Select OK in the confirmation dialog box to enable ADOMs.

To disable the ADOM feature:

  1. Remove all log devices from all non-root ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.
  3. Go to System Settings > Dashboard.
  4. In the System Information widget, select Disable next to Administrative Domain.
  5. Select OK in the confirmation dialog box to disable ADOMs.

Adding an ADOM

You can create both FortiGate and FortiCarrier ADOMs for versions 5.2, 5.0, and 4.3. FortiAnalyzer has default ADOMs for all non-FortiGate devices. When one of these devices is promoted to the DVM table, the device is added to its respective default ADOM and becomes visible in the tree menu.

To add an ADOM:

  1. Go to System Settings > All ADOMs and select Create New in the toolbar.

     Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, select Create New.

     The Create ADOM dialog box opens.

     Figure 7: Create an ADOM

  2. Enter the following information:

     Name         Enter a unique name that will allow you to distinguish this ADOM from your other ADOMs.
     Device Type  Select the device type from the drop-down list.
     Version      Select the firmware version of the devices that will be in the ADOM. Select one of the following: 5.2, 5.0, or 4.3.
     Search       Enter a search term to find a specific device (optional).
     Devices /    Transfer devices, VDOMs, and groups from the available member list on the left to the
     Groups       selected member list on the right to assign those devices to the ADOM.

  3. Select OK to create the ADOM.

To edit an ADOM:

  1. Go to System Settings > All ADOMs, right-click on the ADOM you need to edit, and select Edit in the right-click menu.

     Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to edit, and select Edit in the right-click menu.

     The Edit ADOM dialog box opens.

     Figure 8: Edit an ADOM

  2. Edit the following information as required:

     Name         Edit the ADOM name.
     Device Type  This field cannot be edited.
     Version      This field cannot be edited.
     Search       Enter a search term to find a specific device (optional).
     Devices /    Transfer devices, VDOMs, and groups from the available member list on the left to the
     Groups       selected member list on the right to assign those devices to the ADOM.
     Status       Enable or disable the ADOM.

  3. Select OK to finish editing the ADOM.

To delete an ADOM:

  1. Go to System Settings > All ADOMs, right-click on the ADOM you need to delete, and select Delete in the right-click menu.

     Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to delete, and select Delete in the right-click menu.

  2. Select OK in the confirmation dialog box to delete the ADOM.

Assigning devices to an ADOM

The admin administrator selects the devices to be included in an ADOM. You cannot assign the same device to two different ADOMs.

To assign devices to an ADOM:

  1. Open the Edit ADOM dialog box (see “To edit an ADOM:” above).
  2. From the Available member list, select the devices you want to associate with the ADOM and select the right arrow to move them to the Selected member list.

     If the administrative device mode is Advanced, you can add individual FortiGate VDOMs to the ADOM as well as whole FortiGate units.

  3. When done, select OK. The selected devices appear in the device list for that ADOM.

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account, constraining them to configurations and data that apply only to devices in their ADOM.

By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root domain, which contains all devices in the device list. For more information about creating other ADOMs, see “Adding an ADOM” above.

To assign an administrator to an ADOM:

  1. Log in as admin.

     Other administrators cannot configure administrator accounts when ADOMs are enabled.

  2. Go to System Settings > Admin > Administrator.
  3. Configure the administrator account, and select the Admin Domains that the administrator account will be able to use to access the FortiAnalyzer system.

See “Administrator” for more information.

ADOM device modes

An ADOM has two device modes: normal and advanced. In normal mode, you cannot assign different VDOMs of one FortiGate unit to different ADOMs; the FortiGate unit can only be added to a single ADOM.

In advanced mode, you can assign different VDOMs from the same FortiGate unit to multiple ADOMs.

Advanced ADOM mode allows users to assign VDOMs from a single device to different ADOMs, but it results in a reduced operation mode and more complicated management scenarios. It is recommended for advanced users only.

To change the ADOM mode, go to System Settings > Advanced > Advanced Settings and change the selection in the ADOM Mode field.

Alternatively, use the following command in the CLI:

    config system global
        set adom-mode {normal | advanced}
    end

Normal mode is the default setting. To change from advanced back to normal, you must ensure no FortiGate VDOMs are assigned to an ADOM.
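The rules spread across the sections above are easy to break when a layout is planned on paper: a device may sit in only one ADOM, VDOM-level members are only permitted in advanced mode, every VDOM assignment must be removed before returning to normal mode, and every non-root ADOM must be emptied and deleted before ADOMs can be disabled. The following Python script is an added example written for this page; it is not Fortinet code and it does not talk to a FortiAnalyzer. It checks a planned layout offline against those rules. The Member and Adom classes, the FIRMWARE inventory and the PLAN are constructed for the demonstration, and the version check simply compares each device's firmware with its ADOM's version, since the Create ADOM dialog asks for the firmware version of the devices that will be in it.

```python
"""Offline consistency check for a planned FortiAnalyzer ADOM layout.

Added example for this page, not Fortinet code: it encodes the rules the text
states so a layout can be checked before anyone touches the appliance.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Firmware versions offered by the Create ADOM dialog described on this page.
ADOM_VERSIONS = ("5.2", "5.0", "4.3")


@dataclass(frozen=True)
class Member:
    """One entry in an ADOM's selected member list: a whole FortiGate unit
    (vdom=None) or a single VDOM, which is only allowed in advanced mode."""
    device: str
    vdom: Optional[str] = None

    def label(self) -> str:
        return self.device if self.vdom is None else f"{self.device}/{self.vdom}"


@dataclass
class Adom:
    name: str
    version: str
    members: List[Member] = field(default_factory=list)


def validate_plan(mode: str, adoms: List[Adom], firmware: Dict[str, str]) -> List[str]:
    """Return every rule violation in the plan; an empty list means it is consistent.

    mode is 'normal' or 'advanced' (the value of `set adom-mode`); firmware maps
    device name -> firmware version and is compared with each ADOM's version.
    """
    if mode not in ("normal", "advanced"):
        return [f"unknown adom-mode {mode!r}"]
    problems: List[str] = []
    memberships: Dict[str, List] = {}  # device -> [(adom name, Member), ...]

    for a in adoms:
        if a.version not in ADOM_VERSIONS:
            problems.append(f"{a.name}: version {a.version!r} is not one of {', '.join(ADOM_VERSIONS)}")
        for m in a.members:
            memberships.setdefault(m.device, []).append((a.name, m))
            if m.vdom is not None and mode == "normal":
                problems.append(f"{a.name}: {m.label()} is a VDOM, but adom-mode is normal")
            fw = firmware.get(m.device)
            if fw is not None and fw != a.version:
                problems.append(f"{a.name}: {m.label()} runs {fw} but the ADOM version is {a.version}")

    for device, entries in sorted(memberships.items()):
        adom_names = sorted({adom for adom, _ in entries})
        if len(adom_names) > 1 and any(m.vdom is None for _, m in entries):
            # The whole unit sits in one ADOM, yet the device also appears elsewhere.
            problems.append(f"{device}: assigned to more than one ADOM ({', '.join(adom_names)})")
            continue
        owner: Dict[Optional[str], str] = {}  # VDOM name -> ADOM that holds it
        for adom, m in entries:
            if m.vdom in owner and owner[m.vdom] != adom:
                problems.append(f"{m.label()}: assigned to both {owner[m.vdom]} and {adom}")
            owner.setdefault(m.vdom, adom)
    return problems


def vdom_assignments(adoms: List[Adom]) -> List[str]:
    """VDOM-level members still assigned; must be empty before `set adom-mode normal`."""
    return [f"{a.name}: {m.label()}" for a in adoms for m in a.members if m.vdom is not None]


def disable_blockers(adoms: List[Adom]) -> List[str]:
    """Non-root ADOMs that must be emptied and deleted before ADOMs can be disabled."""
    out = []
    for a in adoms:
        if a.name == "root":
            continue
        if a.members:
            out.append(f"{a.name}: remove {len(a.members)} member(s), then delete the ADOM")
        else:
            out.append(f"{a.name}: empty, but must still be deleted")
    return out


# Constructed inventory and plan for the demonstration (not real devices).
FIRMWARE = {"fgt-hq": "5.2", "fgt-branch": "5.0", "fgt-msp": "5.2"}
PLAN = [
    Adom("root", "5.2", [Member("fgt-hq")]),
    Adom("branches", "5.0", [Member("fgt-branch")]),
    # Two VDOMs of one unit split across customer ADOMs: legal only in advanced mode.
    Adom("customer-a", "5.2", [Member("fgt-msp", "vd-a")]),
    # fgt-branch is already in 'branches' and runs 5.0: two deliberate violations.
    Adom("customer-b", "5.2", [Member("fgt-msp", "vd-b"), Member("fgt-branch")]),
]

if __name__ == "__main__":
    for mode in ("advanced", "normal"):
        print(f"adom-mode {mode}:", *validate_plan(mode, PLAN, FIRMWARE), sep="\n  ")
    print("unassign before `set adom-mode normal`:", vdom_assignments(PLAN))
    print("before disabling ADOMs:", disable_blockers(PLAN))
```

Run as a script, the plan above produces two violations in advanced mode (fgt-branch in two ADOMs, and a 5.0 device placed in a 5.2 ADOM) and two more in normal mode (the two VDOM-level members), which is exactly the set of things an operator would otherwise discover one dialog at a time.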



3 thoughts on “Administrative Domains”

  1. Hi Mike,

    I came across your site as googling about this topics. I’m trying to look for the answer for my question but not able to find it anywhere.

    I’m grouping Fortigates into an ADOM but the Fortigates have different versions (all three: 4.3, 5.0, 5.2), so I’m wondering what kind of effect the version setting of the ADOM has. Can you group all the Fortigates with different versions into one ADOM (say version 5.2), or do you have to create a different ADOM for each version of Fortigate? What would happen in the case of one ADOM?

    Do you have any experiences on this?

    Cuong Pham

    • Thanks for the reply, Mike.

      And that’s right, your answer was straight to the point.
      The big picture is that I have several users (restricted_user admins) that I’d like to create 1 ADOM for each user (just to simplify the process), hence the need for grouping different versions of FGT into one ADOM.

      I understand the right version for the ADOM would be preferred. If I had only one FGT I wouldn’t think of choosing a different version for the ADOM. What I was trying to figure out is what kind of issues would come up, in order to convince other users to deal with multiple ADOMs.

      • Pham,

        You can organize these devices by:
        • Firmware version: group all devices with the same firmware version into an ADOM.
        • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
        • Administrative users: group devices into separate ADOMs based on the specific administrators responsible for each group of devices.
        • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

        I went ahead and deleted my other comments as I misunderstood what your initial goal is. My apologies!
