Administrative Domains – FortiManager 5.2

Managing ADOMs

When the ADOMs feature is enabled and you log in as the admin user, all the available ADOMs are listed in the tree menus on the different available tabs. In the Policy & Objects tab, a menu bar is available that allows you to select either Global or a specific ADOM from the drop-down list. Selecting Global or a specific ADOM then displays the policy packages and objects appropriate for your selection.

To configure and manage ADOMs, go to the Device Manager tab, or to System Settings > All ADOMs. See All ADOMs for more information.

Extend workspace to entire ADOM

When concurrent ADOM access is disabled, administrators are able to lock the ADOM. A right-click menu option has been added to allow you to lock/unlock ADOM access; see Locking an ADOM. The ADOM lock status is displayed by a lock icon to the left side of the ADOM name. FortiManager 5.0.6 adds the ability to lock and edit the policy package independent from the ADOM lock.

The lock status is as follows:

  • Grey lock icon: The ADOM/Policy Package is currently unlocked, and is read/write.
  • Green lock icon: The ADOM/Policy Package is locked by you when logged in as an administrator.
  • Red lock icon: The ADOM/Policy Package is locked by another administrator.

An additional CLI command has been added to enable or disable ADOM/Policy Package lock override:

config system global
    set lock-preempt [enable | disable]
end

When the ADOM/Policy Package lock override is enabled, if two administrators are concurrently accessing an ADOM/Policy Package and one attempts to lock it, the other administrator can kick that administrator off the ADOM/Policy Package, preventing the ADOM/Policy Package from being locked.

Workspace is disabled by default, and is enabled in the CLI console. When workspace is enabled, the Device Manager and Policy & Objects tabs are read-only. You must lock the ADOM to enable read/write permission to make changes to the ADOM.

Concurrent ADOM access

System administrators can enable or disable concurrent access to the same ADOM if multiple administrators are responsible for managing a single ADOM. When enabled, multiple administrators can log in to the same ADOM concurrently. When disabled, only a single administrator has read/write access to the ADOM, while all other administrators have read-only permission. Concurrent ADOM access can be enabled or disabled using the CLI.

Concurrent ADOM access is enabled by default. To prevent concurrent administrators from making changes to the FortiManager database at the same time, and thereby causing conflicts, you must enable the workspace function.

To enable ADOM locking and disable concurrent ADOM access, type the following CLI commands:

config system global
    set workspace-mode normal
end

To disable ADOM locking and enable concurrent ADOM access, type the following CLI commands:

config system global
    set workspace-mode disabled
Warning: disabling workspaces may cause some logged in users to lose their unsaved data. Do you want to continue? (y/n) y
end
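The two settings above (workspace-mode and lock-preempt) decide whether concurrent administrators can overwrite each other's ADOM changes. The following added example, which is not part of the guide or of any Fortinet tool, parses a FortiManager CLI configuration dump in the standard config/set/end block format and reports those two settings; the sample dump is constructed, and the "disabled" default for workspace-mode is taken from the guide.

```python
from typing import Dict, List

# Constructed sample of a FortiManager CLI configuration dump (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "FMG-LAB"
    set workspace-mode disabled
    set lock-preempt enable
end
config system admin setting
    set idle_timeout 15
end
"""

def parse_config_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Collect top-level 'config <path>' blocks and their 'set key value' lines.

    Nesting is tracked with a depth stack: 'config' and 'edit' push, 'next' and
    'end' pop. Only settings at depth 1 are collected, which is all this audit needs.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config ") or line.startswith("edit "):
            stack.append(line.split(" ", 1)[1])
            if len(stack) == 1:
                blocks.setdefault(stack[0], {})
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif line.startswith("set ") and len(stack) == 1:
            key, _, value = line[len("set "):].partition(" ")
            blocks[stack[0]][key] = value.strip().strip('"')
    return blocks

def audit_workspace(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings about ADOM locking, using the semantics described in the guide."""
    sysglobal = blocks.get("system global", {})
    findings = []
    # The guide states workspace is disabled by default, so a missing key means disabled.
    if sysglobal.get("workspace-mode", "disabled") == "disabled":
        findings.append("workspace-mode disabled: concurrent ADOM access allowed, "
                        "so simultaneous edits can conflict in the FortiManager database")
    if sysglobal.get("lock-preempt") == "enable":
        findings.append("lock-preempt enabled: one administrator can kick another off "
                        "an ADOM/Policy Package and prevent it from being locked")
    return findings

if __name__ == "__main__":
    for finding in audit_workspace(parse_config_blocks(SAMPLE_CONFIG)):
        print(finding)
```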

Adding an ADOM

To add an ADOM, you must be logged in as the admin administrator. You must also first enable administrative domains in the Web-based Manager; see To enable the ADOM feature.

To create an ADOM

  1. Do one of the following:
     • Go to the Device Manager tab and select Manage ADOMs from the ADOM drop-down list. Select Create New in the Manage ADOMs toolbar.
     • Go to System Settings > All ADOMs and either select Create New, or right-click in the content pane and select New from the pop-up menu.

     The Create ADOM dialog box opens, allowing you to configure the new ADOM.

Create ADOM dialog box

Configure the following settings:

  Name: Type a name that will allow you to distinguish this ADOM from your other ADOMs. ADOM names must be unique.
  Device Type: Select either FortiGate or FortiCarrier from the drop-down menu. Other device types are added to their respective default ADOM upon registering with FortiManager.
  Version: Select the version of the FortiGate devices in the ADOM. FortiManager v5.2 supports FortiOS v5.2, v5.0, and v4.3. For information on supported device firmware versions, see the FortiManager Release Notes.
  Mode: Select Normal mode if you want to manage and configure the connected FortiGate devices from the FortiManager Web-based Manager. Select Backup mode if you want to back up the FortiGate configurations to the FortiManager, but configure each FortiGate locally.
  VPN Management: Select Central VPN Console or Policy & Device VPNs. When Central VPN Console is selected, the VPN Console menu item is visible under the Policy & Objects tab, where you can configure VPN topologies and managed/external gateway objects.
  Device: Select members from the Available member list and transfer them to the Selected member list to assign the devices to the ADOM.
  Default Device Selection for Install: Select either Select All Devices/Groups or Specify Devices/Groups.

  2. Select OK to create the ADOM.

The number of ADOMs that can be created depends on the FortiManager model and its supported value. For more information on ADOM support values, see the FortiManager data sheet at http://www.fortinet.com/products/fortimanager/index.html.

Deleting an ADOM

To delete an ADOM, you must be logged in as the admin administrator.

To delete an ADOM

  1. In the Device Manager tab, right-click on an ADOM name in the tree menu and, under the ADOM heading in the pop-up menu, select Delete.

Upgrading an ADOM

To upgrade an ADOM, you must be logged in as the admin administrator.

To upgrade an ADOM

  1. Go to the System Settings tab and select All ADOMs.
  2. Right-click the ADOM you would like to upgrade in the ADOM list in the content pane and select Upgrade from the pop-up menu.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “Administrative Domains – FortiManager 5.2”

  1. santosh

    can you please tell me how to enable backup mode or normal mode?

    as per your article there are 2 modes.
    1. normal
    2. backup.

    but how to enable them is not shown

    1. Mike Post author

      When creating the ADOM it gives you the option. (System Settings > All ADOMS > Edit the ADOM > Change Type > Normal / Backup)

      on the gate you can also configure central management for the backup settings as well:
      config system central-management
      set mode backup
      set fortimanager-fds-override enable
      set fmg "xxx.xxx.xxx.xxx" <<=========
      end

  2. NIcolas

    Good morning, I have a query. I have a fortigate 200e connected against a fortimanager; communication works, and from the fortimanager I see the fortigate, but I can't get the logs to arrive. In Fortimanager the option FortiAnalyzer Features is enabled, but when trying to configure the fortigate it indicates the following:
    No response, or FortiAnalyzer functionality must be enabled on FortiManager.

    Could it be that I need to inhabit a route / port / policy?

    Thank you.
