Administrative Domains – FortiAnalyzer – FortiOS 6.2.3

Administrative Domains

Administrative domains (ADOMs) enable administrators to manage only those devices that they are specifically assigned, based on the ADOMs to which they have access. When the ADOM mode is advanced, FortiGate devices with multiple VDOMs can be divided among multiple ADOMs.

Administrator accounts can be tied to one or more ADOMs, or denied access to specific ADOMs. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Super user administrator accounts, such as the admin account, can see and maintain all ADOMs and the devices within them.

Each ADOM specifies how long to store and how much disk space to use for its logs. You can monitor disk utilization for each ADOM and adjust storage settings for logs as needed.

The maximum number of ADOMs you can add depends on the FortiAnalyzer system model. Please refer to the FortiAnalyzer data sheet for more information.

When the maximum number of ADOMs has been reached, you will be unable to create a new ADOM.

When upgrading to FortiAnalyzer 6.2.1 or later, you will continue to have access to any ADOMs exceeding the limit; however, no additional ADOMs can be created, and an alert will be issued in the Alert Message Console in System Settings > Dashboard.

By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by administrators with the Super_User profile. See Administrators on page 222.

The root ADOM and Security Fabric ADOMs are available for visibility into all Fabric devices. See Creating a Security Fabric ADOM on page 40.

Default ADOMs

FortiAnalyzer includes default ADOMs for specific types of devices. When you add one or more of these devices to the FortiAnalyzer, the devices are automatically added to the appropriate ADOM, and the ADOM becomes selectable. When a default ADOM contains no devices, the ADOM is not selectable.

For example, when you add a FortiClient EMS device to the FortiAnalyzer, the FortiClient EMS device is automatically added to the default FortiClient ADOM. After the FortiClient ADOM contains a FortiClient EMS device, the FortiClient ADOM is selectable when you log into FortiAnalyzer or when you switch between ADOMs.

You can view all of the ADOMs, including default ADOMs without devices, on the System Settings > All ADOMs pane.

Root ADOM

When ADOMs are enabled, the default root ADOM type is Fabric. Fabric ADOMs show combined results from all Security Fabric devices in the Device Manager, Log View, SOC, Incidents & Events and Reports panes. For more information on Fabric ADOMs, see Creating a Security Fabric ADOM on page 40.

In FortiAnalyzer 6.2.0 and earlier, the root ADOM is a FortiGate ADOM. When upgrading to FortiAnalyzer 6.2.1 and later, the root ADOM type will not be changed to Fabric. Resetting the FortiAnalyzer settings through a factory reset will cause the root ADOM to become a Fabric ADOM.

Organizing devices into ADOMs

You can organize devices into ADOMs to allow you to better manage these devices. Devices can be organized by whatever method you deem appropriate, for example:

  • Firmware version: group all devices with the same firmware version into an ADOM.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
  • Administrative users: group devices into separate ADOMs based on the specific administrators responsible for each group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

FortiClient support and ADOMs

FortiClient logs are stored in the device that the FortiClient endpoint is registered to.

For example, when endpoints are registered to a FortiGate device, FortiClient logs are viewed on the FortiGate device. When endpoints are registered to a FortiClient EMS, FortiClient logs are viewed in the FortiClient ADOM that the FortiClient EMS device is added to.

ADOMs must be enabled to support FortiClient EMS devices.

Merge FortiAnalyzer Logging Support for FortiClient EMS for Chromebooks

  1. Add https-logging to the allowaccess list using the following CLI command:

config system interface
    edit "port1"
        set allowaccess https ssh https-logging
    next
end

  2. Add an SSL certificate to enable communication.

An SSL certificate is required to support communication and send logs between the FortiClient Web Filter extension and FortiAnalyzer. If you use a public SSL certificate, you only need to add the public SSL certificate to FortiAnalyzer.

However, if you prefer to use a certificate that is not from a common CA, you must add the SSL certificate to FortiAnalyzer, and you must push the root CA of your certificate to the Google Chromebooks. Otherwise, the HTTPS connection between the FortiClient EMS Chromebook Web Filter extension and FortiAnalyzer will not work. The common name of the certificate must be the FortiAnalyzer IP address.

    1. In FortiAnalyzer, go to System Settings > Certificates > Local Certificates.
    2. Click Import. The Import Local Certificate dialog box appears.
    3. In the Type list, select Certificate. Or, in the Type list, select PKCS#12 Certificate to upload the certificate in PKCS#12 format.
    4. Beside the Certificate File field, click Browse to select the certificate.
    5. Enter the password and certificate name.
    6. Click OK.
  3. Select certificates for HTTPS connections:
    1. In FortiAnalyzer, go to System Settings > Admin > Admin Settings.
    2. In the HTTPS & Web Service Certificate box, select the certificate you want to use for HTTPS connections, and click Apply.
  4. Enable the FortiClient ADOM using the following CLI command:

config system global
    set adom-status enable
end

  5. Add FortiClient EMS for Chromebooks as a device to the FortiClient ADOM:

Go to Device Manager and click the + Add Device button to add FortiClient EMS for Chromebooks as a FortiClient ADOM device.

  6. Enable logging in FortiClient EMS for Chromebooks:

You will need to enable logging in FortiClient EMS for Chromebooks. See the FortiClient EMS for Chromebooks Administration Guide for more information.

Enabling and disabling the ADOM feature

By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by super user administrators.

When ADOMs are enabled, the Device Manager, SOC, Log View, Incidents & Events, and Reports panes are displayed per ADOM. You select the ADOM you need to work in when you log into the FortiAnalyzer unit. See Switching between ADOMs on page 15.

To enable the ADOM feature:

  1. Log in to the FortiAnalyzer as a super user administrator.
  2. Go to System Settings > Dashboard.
  3. In the System Information widget, toggle the Administrative Domain switch to ON.

You will be automatically logged out of the FortiAnalyzer and returned to the login screen.

To disable the ADOM feature:

  1. Remove all the devices from all non-root ADOMs. That is, add all devices to the root ADOM.
  2. Delete all non-root ADOMs. See Deleting ADOMs on page 184.

Only after removing all the non-root ADOMs can ADOMs be disabled.

  3. Go to System Settings > Dashboard.
  4. In the System Information widget, toggle the Administrative Domain switch to OFF.

You will be automatically logged out of the FortiAnalyzer and returned to the login screen.

ADOM device modes

An ADOM has two device modes: Normal (default) and Advanced.

In Normal mode, you cannot assign different FortiGate VDOMs to different ADOMs. The FortiGate unit can only be added to a single ADOM.

In Advanced mode, you can assign a VDOM from a single device to a different ADOM. This allows you to analyze data for individual VDOMs, but will result in more complicated management scenarios. It is recommended only for advanced users.

To change from Advanced mode back to Normal mode, you must ensure no FortiGate VDOMs are assigned to an ADOM.

To change the ADOM device mode:

  1. Go to System Settings > Advanced > Advanced Settings.
  2. In the ADOM Mode field, select either Normal or Advanced.
  3. Select Apply to apply your changes.

Managing ADOMs

The ADOMs feature must be enabled before ADOMs can be created or configured. See Enabling and disabling the ADOM feature on page 179.

To create and manage ADOMs, go to System Settings > All ADOMs.

The toolbar offers the following options:

Create New
  Create a new ADOM. See Creating ADOMs on page 181.
Edit
  Edit the selected ADOM. This option is also available from the right-click menu. See Editing an ADOM on page 184.
Delete
  Delete the selected ADOM or ADOMs. You cannot delete default ADOMs. This option is also available from the right-click menu. See Deleting ADOMs on page 184.
Enter ADOM
  Switch to the selected ADOM. This option is also available from the right-click menu.
More
  Select Expand Devices to expand all of the ADOMs to show the devices in each ADOM. Select Collapse Devices to collapse the device lists. These options are also available from the right-click menu.
Search
  Enter a search term to search the ADOM list.

The ADOM list shows the following columns:

Name
  The name of the ADOM. ADOMs are listed in the following groups: FortiGates and Other Device Types. A group can be collapsed or expanded by clicking the triangle next to its name.
Firmware Version
  The firmware version of the ADOM. Devices in the ADOM should have the same firmware version.
Allocated Storage
  The amount of hard drive storage space allocated to the ADOM.
Devices
  The number of devices and VDOMs that the ADOM contains. The device list can be expanded or collapsed by clicking the triangle.

Creating ADOMs

To create a new ADOM, you must be logged in as a super user administrator.

Consider the following when creating ADOMs:

  • The maximum number of ADOMs that can be created depends on the FortiAnalyzer model. For more information, see the FortiAnalyzer data sheet at https://www.fortinet.com/products/management/fortianalyzer.html. When the maximum number of ADOMs has been exceeded, an alert will be issued in the Alert Message Console in System Settings > Dashboard.
  • You must use an administrator account that is assigned the Super_User administrative profile.
  • You can add a device to only one ADOM. You cannot add a device to multiple ADOMs.
  • You cannot add FortiGate and FortiCarrier devices to the same ADOM. FortiCarrier devices are added to a specific, default FortiCarrier ADOM.
  • You can add one or more VDOMs from a FortiGate device to one ADOM. If you want to add individual VDOMs from a FortiGate device to different ADOMs, you must first enable advanced device mode. See ADOM device modes on page 180.
  • You can configure how an ADOM handles log files from its devices. For example, you can configure how much disk space an ADOM can use for logs, and then monitor how much of the allotted disk space is used. You can also specify how long to keep logs in the SQL database and how long to keep logs stored in compressed format.

To create an ADOM:

  1. Ensure that ADOMs are enabled. See Enabling and disabling the ADOM feature on page 179.
  2. Go to System Settings > All ADOMs.
  3. Click Create New in the toolbar. The Create New ADOM pane is displayed.
  4. Configure the following settings, then click OK to create the ADOM.
Name
  Type a name that allows you to distinguish this ADOM from your other ADOMs. ADOM names must be unique.
Type
  Select the type of device that you are creating an ADOM for. The ADOM type cannot be edited. For Security Fabric ADOMs, select Fabric. Although you can create a different ADOM for each type of device, FortiAnalyzer does not enforce this setting.
Devices
  Add a device or devices with the selected versions to the ADOM. The search field can be used to find specific devices. See Assigning devices to an ADOM on page 183.
Data Policy
  Specify how long to keep logs in the indexed and compressed states.
Keep Logs for Analytics
  Specify how long to keep logs in the indexed state. During the indexed state, logs are indexed in the SQL database for the specified amount of time. Information about the logs can be viewed in the SOC > FortiView, Incidents & Events, and Reports modules. After the specified length of time expires, Analytics logs are automatically purged from the SQL database.
Keep Logs for Archive
  Specify how long to keep logs in the compressed state. During the compressed state, logs are stored in a compressed format on the FortiAnalyzer unit. When logs are in the compressed state, information about the log messages cannot be viewed in the SOC > FortiView, Incidents & Events, or Reports modules. After the specified length of time expires, Archive logs are automatically deleted from the FortiAnalyzer unit.
Disk Utilization
  Specify how much disk space to use for logs.
Maximum Allowed
  Specify the maximum amount of FortiAnalyzer disk space to use for logs, and select the unit of measure. The total available space on the FortiAnalyzer unit is shown. For more information about the maximum available space for each FortiAnalyzer unit, see Disk space allocation on page 54.
Analytics : Archive
  Specify the percentage of the allotted space to use for Analytics and Archive logs. Analytics logs require more space than Archive logs. For example, a setting of 70% and 30% indicates that 70% of the allotted disk space will be used for Analytics logs, and 30% of the allotted space will be used for Archive logs. Select the Modify checkbox to change the setting.
Alert and Delete When Usage Reaches
  Specify at what data usage percentage alert messages will be generated and logs will be automatically deleted. The oldest Archive log files or Analytics database tables are deleted first.
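The retention and disk-utilization settings above interact: age-based purging (the two Keep Logs for values) runs independently of usage-based purging (Maximum Allowed, the Analytics : Archive split and the alert threshold), and the usage-based purge removes the oldest Archive files or Analytics tables first. The following model, added here as an illustration and not FortiAnalyzer's own code, encodes those semantics so the effect of a proposed policy on a known daily log volume can be estimated before it is applied. All sizes, dates and the 60-day / 365-day / 1000 MB policy values are constructed sample inputs; the 70:30 split and 90% threshold are the example values from the table.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LogBatch:
    """Logs received on one day, sized in both states FortiAnalyzer keeps them in:
    indexed SQL tables (Analytics) and compressed files (Archive)."""
    received: datetime
    analytics_mb: float
    archive_mb: float


@dataclass
class AdomDataPolicy:
    """Per-ADOM settings from the Create New ADOM pane (names follow the table above)."""
    analytics_days: int           # Keep Logs for Analytics
    archive_days: int             # Keep Logs for Archive
    max_allowed_mb: float         # Disk Utilization > Maximum Allowed
    analytics_ratio: float = 0.7  # Analytics : Archive, e.g. 70% : 30%
    alert_threshold: float = 0.9  # Alert and Delete When Usage Reaches, e.g. 90%

    def quota_mb(self, state):
        """Share of the allotted space belonging to one state."""
        share = self.analytics_ratio if state == "analytics" else 1 - self.analytics_ratio
        return self.max_allowed_mb * share


@dataclass
class Adom:
    policy: AdomDataPolicy
    analytics: list                      # batches still indexed in the SQL database
    archive: list                        # batches still stored compressed
    alerts: list = field(default_factory=list)

    def usage_mb(self, state):
        size_attr = "analytics_mb" if state == "analytics" else "archive_mb"
        return sum(getattr(b, size_attr) for b in getattr(self, state))

    def apply_retention(self, now):
        """Age-based purge: Analytics logs leave the SQL database after analytics_days,
        Archive logs are deleted after archive_days."""
        for state, days in (("analytics", self.policy.analytics_days),
                            ("archive", self.policy.archive_days)):
            cutoff = now - timedelta(days=days)
            setattr(self, state, [b for b in getattr(self, state) if b.received >= cutoff])

    def enforce_quota(self, state):
        """Usage-based purge: once a state's usage reaches the alert threshold of its
        share of the quota, record an alert and delete the oldest entries first until
        usage is back under the threshold. Returns the number of batches deleted."""
        limit = self.policy.quota_mb(state) * self.policy.alert_threshold
        batches = sorted(getattr(self, state), key=lambda b: b.received)
        setattr(self, state, batches)          # usage_mb() now reads this list
        deleted = 0
        if self.usage_mb(state) >= limit:
            self.alerts.append(
                f"{state}: {self.usage_mb(state):.0f} MB reached "
                f"{self.policy.alert_threshold:.0%} of {self.policy.quota_mb(state):.0f} MB")
        while batches and self.usage_mb(state) >= limit:
            batches.pop(0)                     # oldest Archive file / Analytics table first
            deleted += 1
        return deleted


def simulate(now=datetime(2020, 6, 1), days=100, analytics_mb_per_day=12.0, archive_mb_per_day=2.0):
    """Constructed sample run: one uniformly sized batch per day for `days` days ending at
    `now`, under a 60-day / 365-day policy with 1000 MB allotted and the 70:30 / 90% values."""
    policy = AdomDataPolicy(analytics_days=60, archive_days=365, max_allowed_mb=1000.0)
    batches = [LogBatch(now - timedelta(days=i), analytics_mb_per_day, archive_mb_per_day)
               for i in range(1, days + 1)]
    adom = Adom(policy, list(batches), list(batches))
    adom.apply_retention(now)
    deleted = {state: adom.enforce_quota(state) for state in ("analytics", "archive")}
    return {
        "analytics_batches": len(adom.analytics),
        "analytics_mb": adom.usage_mb("analytics"),
        "archive_batches": len(adom.archive),
        "archive_mb": adom.usage_mb("archive"),
        "deleted_by_quota": deleted,
        "alerts": adom.alerts,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With 12 MB of indexed logs per day, the 60-day Analytics retention alone leaves 720 MB, which exceeds 90% of the 700 MB Analytics share, so the model raises an alert and drops the eight oldest days to get back under 630 MB; the Archive side stays well within its 300 MB share. The practical point is that the Analytics window you actually get is the smaller of the configured days and what the quota can hold, so size Maximum Allowed from the measured daily volume rather than from the retention days alone.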

Assigning devices to an ADOM

To assign devices to an ADOM you must be logged in as a super user administrator. Devices cannot be assigned to multiple ADOMs.

To assign devices to an ADOM:

  1. Go to System Settings > All ADOMs.
  2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then click Edit in the toolbar. The Edit ADOM pane opens.
  3. Click Select Device. The Select Device list opens on the right side of the screen.
  4. Select the devices that you want to add to the ADOM. Only devices with the same version as the ADOM can be added. The selected devices are displayed in the Devices

If the ADOM mode is Advanced you can add separate VDOMs to the ADOM as well as units.

  5. When done selecting devices, click Close to close the Select Device list.
  6. Click OK.

The selected devices are removed from their previous ADOM and added to this one.

Assigning administrators to an ADOM

Super user administrators can create other administrators and either assign ADOMs to their account or exclude them from specific ADOMs, constraining them to configurations and data that apply only to devices in the ADOMs they can access.

By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root domain, which contains all devices in the device list. For more information about creating other ADOMs, see Creating ADOMs on page 181.

To assign an administrator to specific ADOMs:

  1. Log in as a super user administrator. Other types of administrators cannot configure administrator accounts when ADOMs are enabled.
  2. Go to System Settings > Admin > Administrator.
  3. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
  4. Edit the Administrative Domain field as required, either assigning or excluding specific ADOMs.
  5. Select OK to apply your changes.

Editing an ADOM

To edit an ADOM you must be logged in as a super user administrator. The ADOM type and version cannot be edited. For the default ADOMs, the name cannot be edited.

To edit an ADOM:

  1. Go to System Settings > All ADOMs.
  2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then click Edit in the toolbar. The Edit ADOM pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

Deleting ADOMs

To delete an ADOM, you must be logged in as a super user administrator (see Administrator profiles on page 228), such as the admin administrator.

Prior to deleting an ADOM:

  • All devices must be removed from the ADOM. Devices can be moved to another ADOM, or to the root ADOM. See Assigning devices to an ADOM on page 183.

To delete an ADOM:

  1. Go to System Settings > All ADOMs.
  2. Ensure that the ADOM or ADOMs being deleted have no devices in them.
  3. Select the ADOM or ADOMs you need to delete.
  4. Click Delete in the toolbar, or right-click and select Delete.
  5. Click OK in the confirmation box to delete the ADOM or ADOMs.
  6. If there are users or policy packages referring to the ADOM, they are displayed in the ADOM References Detected dialog box. Click Delete Anyway to delete the ADOM or ADOMs. The references to the ADOMs are also deleted.
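The sections on device modes, assigning devices, assigning administrators, and enabling, disabling and deleting ADOMs each state a rule that the unit enforces: a device belongs to exactly one ADOM and moves when reassigned, VDOM-level assignment needs Advanced device mode and blocks the return to Normal mode, an ADOM with devices cannot be deleted, the feature cannot be disabled while non-root ADOMs exist, and a non-super-user administrator sees only the ADOMs assigned to (or not excluded from) the account. The model below, added here as an illustration and not FortiAnalyzer code, encodes those rules so a planned reorganization of ADOMs can be checked for ordering mistakes before it is carried out on the unit. ADOM, device, VDOM and administrator names are constructed sample values; the "fgt3/vd-sales" notation for a VDOM is the model's own convention.

```python
from dataclasses import dataclass, field


@dataclass
class Administrator:
    name: str
    super_user: bool = False
    assigned: set = field(default_factory=set)   # ADOMs granted to the account
    excluded: set = field(default_factory=set)   # "every ADOM except these"


class AdomModel:
    """State of one FortiAnalyzer's ADOM configuration, with the guide's rules enforced."""
    ROOT = "root"

    def __init__(self):
        self.enabled = False
        self.mode = "normal"                  # ADOM device mode: normal | advanced
        self.adoms = {self.ROOT: set()}       # name -> members, "fgt1" or "fgt1/vdom"

    def enable(self):
        self.enabled = True

    def create(self, name):
        if not self.enabled:
            raise RuntimeError("enable the ADOM feature before creating ADOMs")
        if name in self.adoms:
            raise ValueError(f"ADOM names must be unique: {name!r} exists")
        self.adoms[name] = set()

    def set_mode(self, mode):
        vdoms_assigned = any("/" in m for members in self.adoms.values() for m in members)
        if mode == "normal" and vdoms_assigned:
            raise RuntimeError("no VDOM may be assigned to an ADOM when returning to Normal mode")
        self.mode = mode

    def assign(self, member, adom):
        if adom not in self.adoms:
            raise KeyError(adom)
        if "/" in member and self.mode != "advanced":
            raise RuntimeError("assigning individual VDOMs requires Advanced device mode")
        for members in self.adoms.values():
            members.discard(member)           # exactly one ADOM per device: a move, not a copy
        self.adoms[adom].add(member)

    def delete(self, name):
        if name == self.ROOT:
            raise RuntimeError("the root ADOM cannot be deleted")
        if self.adoms[name]:
            raise RuntimeError(f"move all devices out of {name!r} before deleting it")
        del self.adoms[name]

    def disable(self):
        if set(self.adoms) != {self.ROOT}:
            raise RuntimeError("delete all non-root ADOMs before disabling the feature")
        self.enabled = False

    def visible_adoms(self, admin):
        """Super users see everything; others only what their account is assigned."""
        if admin.super_user:
            return set(self.adoms)
        if admin.excluded:
            return set(self.adoms) - admin.excluded
        return admin.assigned & set(self.adoms)

    def visible_members(self, admin):
        return {m for a in self.visible_adoms(admin) for m in self.adoms[a]}


def _blocked(action):
    """True when the model refuses the action, i.e. the rule fired."""
    try:
        action()
    except RuntimeError:
        return True
    return False


def demo():
    """Constructed walk-through: two customer ADOMs, one VDOM split, two non-super admins."""
    fa = AdomModel()
    fa.enable()
    fa.create("customer-a")
    fa.create("customer-b")
    fa.assign("fgt1", "customer-a")
    fa.assign("fgt2", "customer-a")
    fa.assign("fgt2", "customer-b")           # moves fgt2 out of customer-a
    vdom_in_normal_blocked = _blocked(lambda: fa.assign("fgt3/vd-sales", "customer-b"))
    fa.set_mode("advanced")
    fa.assign("fgt3/vd-sales", "customer-b")  # allowed once the mode is Advanced
    ops = Administrator("ops-a", assigned={"customer-a"})
    msp = Administrator("msp", excluded={"customer-b"})
    admin = Administrator("admin", super_user=True)
    return {
        "vdom_in_normal_blocked": vdom_in_normal_blocked,
        "customer_a": sorted(fa.adoms["customer-a"]),
        "customer_b": sorted(fa.adoms["customer-b"]),
        "ops_sees": sorted(fa.visible_members(ops)),
        "msp_adoms": sorted(fa.visible_adoms(msp)),
        "admin_adoms": sorted(fa.visible_adoms(admin)),
        "back_to_normal_blocked": _blocked(lambda: fa.set_mode("normal")),
        "delete_with_devices_blocked": _blocked(lambda: fa.delete("customer-a")),
        "disable_blocked": _blocked(fa.disable),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of operations the model insists on is the one the guide gives for disabling the feature: move devices to the root ADOM, delete the emptied non-root ADOMs, and only then turn the switch off. Running a planned change through the model first also makes the access consequence visible: after fgt2 moves to customer-b, the ops-a account, which is assigned only customer-a, can no longer see it.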
This entry was posted in Administration Guides, FortiAnalyzer, FortiOS, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
