Administrative Domains – FortiManager 5.2

Administrative Domains

FortiManager appliances scale to manage thousands of Fortinet devices. Administrative domains (ADOMs) enable administrators to manage only those devices that are specific to their geographic location or business division. FortiGate devices with multiple VDOMs can be divided among multiple ADOMs.

If ADOMs are enabled, each administrator account is tied to an ADOM. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Administrator accounts that have special permissions, such as the admin account, can see and maintain all ADOMs and the devices within those domains.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. For more information, see Enabling and disabling the ADOM feature.

The maximum number of ADOMs you can add depends on the FortiManager system model. Please refer to the FortiManager data sheet for information on the maximum number of devices that your model supports.

This section includes the following topics:

  • Enabling and disabling the ADOM feature
  • ADOM modes
  • ADOM versions
  • Managing ADOMs

What is the best way to organize my devices using ADOMs?

You can organize devices into ADOMs to allow you to better manage these devices. You can organize these devices by:

  • Firmware version: group all devices with the same firmware version into an ADOM.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
  • Administrative users: group devices into separate ADOMs based for specific administrators responsible for the group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

Enabling and disabling the ADOM feature

To enable or disable the ADOM feature, you must be logged in as the admin administrator. Only this user has the ability to enable or disable this feature.

Enabling and disabling the ADOM feature

To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the system information widget, select Enable next to Administrative Domain Enabling ADOMs

To disable the ADOM feature:

  1. Remove all the managed devices from all ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.

After removing the ADOMs, you can now disable the ADOM feature.

  1. Go to System Settings > Dashboard.
  2. In the system information widget, select Disable next to Administrative Domain.

ADOM modes

ADOM modes

When the ADOMs feature is enabled and you log in as the admin user, all the available ADOMs will be listed in the tree menus on different tabs.

In the Policy & Objects tab, a menu bar is available that allows to select either Global, or a specific ADOM from the drop-down list. Selecting Global or a specific ADOM will then display the policy packages and objects appropriate for your selection.

Switching between ADOMs

As an admin administrator, you are able to move between all the ADOMs created on the FortiManager system. This enables you to view, configure and manage the various domains.

Other administrators are only able to move between the ADOMs to which they have been given permission. They are able to view and administer the domains based on their account‘s permission settings.

To access a specific ADOM, simply select that ADOM in the tree menu. The FortiManager system presents you with the available options for that domain, depending on what tab you are currently using.

Normal mode ADOMs

When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make changes to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a diff revision on the change to the FortiManager using the FGFM protocol.

Backup mode ADOMs

When creating an ADOM in Backup Mode, the ADOM is consider Read Only, where you are not able to make changes to the ADOM and managed devices from the FortiManager. Changes are made via scripts which are run on the managed device, or through the device’s Web-based Manager or CLI directly. Revisions are sent to the FortiManager when specific conditions are met:

l Configuration change and session timeout l Configuration change and logout l Configuration change and reboot l Manual configuration backup from the managed device.

Backup mode enables you to configure an ADOM where all the devices that are added to the ADOM will only have their configuration backed up. Configuration changes cannot be made to the devices in backup ADOM. You can push any existing revisions to managed devices. You can still monitor and review the revision history for these devices, and scripting is still allowed for pushing scripts directly to FortiGate units.

ADOM versions

ADOM versions

ADOMs can concurrently manage FortiGate units running both FortiOS v4.3 and v5.0, or v5.0 and v5.2, allowing devices running these versions to share a common database. This allows you to continue to manage an ADOM as normal while upgrading the devices within that ADOM.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that are in that ADOM. This version is selected when creating a new ADOM (see Adding an ADOM), and can be updated after the all of the devices within the ADOM have been updated to the latest FortiOS firmware version.

The general steps for upgrading an ADOM that contains multiple devices running FortiOS v4.3 from v4.3 to v5.0 are as follows:

  1. Make sure that the FortiManager unit is upgraded to a version that supports this feature.
  2. In the ADOM, upgrade one of the FortiGate units to FortiOS v5.0, and then resynchronize the device.
  3. All the ADOM objects, including Policy Packages, remain as v4.3.
  4. Upgrade the rest of the FortiGate units in the ADOM to version 5.0 firmware.
  5. Upgrade the ADOM to v5.0. See “Administrative Domains” on page 40 for more information.

All of the database objects will be converted the v5.0 format, and the Web-based Manager content for the ADOM will change to reflect the v5.0 features and behavior.

This entry was posted in Administration Guides, FortiManager and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “Administrative Domains – FortiManager 5.2

  1. santosh

    can you please tell me how to enable backup mode or normal mode ?

    as per your article there are 2 modes.
    1. normal
    2. backup.

    but how to enable them is not shown

    1. Mike Post author

      When creating the ADOM it gives you the option. (System Settings > All ADOMS > Edit the ADOM > Change Type > Normal / Backup

      on the gate you can also configure central management for the backup settings as well:
      config system central-management
      set mode backup
      set fortimanager-fds-override enable
      set fmg “” <<=========

  2. NIcolas

    Good morning, I have a query, I have a fortigate 200e connected against a fortimanager, communication works, from the fortimanager I see the fotigate, but I can’t get the logs to arrive. In Fortimanager the option of FortiAnalyzer Features is enabled, but when trying to configure the fortigate it indicates the following:
    No response, or FortiAnalyzer functionality must be enabled on FortiManager.

    Could it be that I need to inhabit a route / port / policy?

    Thank you.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.