Administrative Domains – FortiManager 5.2

Upgrade an ADOM


If the ADOM has already been upgraded to the latest version, this option will not be available.

  1. Select OK in the confirmation dialog box to upgrade the device.

If not all of the devices within the ADOM have already been upgraded to 5.0, the upgrade is aborted and a warning dialog box is shown. Select OK in the dialog box, upgrade the remaining devices within the ADOM, and then repeat this procedure to upgrade the ADOM again.

Assigning devices to an ADOM

The admin administrator selects the devices to be included in an ADOM. You cannot assign the same device to two different ADOMs.

To assign devices to an ADOM:

  1. In the Device Manager tab, in the ADOM drop-down menu, select Manage ADOMs. Select the ADOM you want to edit, right-click and select Edit. The Edit ADOM dialog box will open.
  2. From the Available member list, select which devices you want to associate with the ADOM and select the right arrow to move them to the Selected member list.

If the administrative device mode is Advanced, you can add separate FortiGate VDOMs to the ADOM as well as whole FortiGate units. For more information, see ADOM device modes.

  3. When done, select OK. The selected devices appear in the device list for that ADOM.

ADOM device modes

An ADOM has two device modes: normal and advanced. In normal mode, you cannot assign different FortiGate VDOMs to multiple FortiManager ADOMs. The FortiGate unit can only be added to a single ADOM.

In advanced mode, you can assign different VDOMs from the same FortiGate unit to multiple ADOMs.

To change to a different device mode, use the following command in the CLI:

    config system global
        set adom-mode {normal | advanced}
    end

Normal mode is the default. To change from advanced back to normal, you must ensure no FortiGate VDOMs are assigned to an ADOM.
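The assignment rules above (one ADOM per FortiGate unit, per-VDOM placement only in advanced mode, and no return to normal mode while VDOMs are still assigned) can be modelled as a small membership table. This is an added illustration written for this page, not FortiManager code; the class, method and ADOM/device names are constructed.

```python
from typing import Dict, Optional, Tuple, Union

NORMAL, ADVANCED = "normal", "advanced"
Key = Union[str, Tuple[str, str]]  # whole unit: "fgt1"; a single VDOM: ("fgt1", "vd1")

class AdomMembership:
    """Models the assignment rules behind 'set adom-mode {normal | advanced}' (constructed model)."""

    def __init__(self, mode: str = NORMAL):
        self.mode = mode
        self.members: Dict[Key, str] = {}  # device or (device, vdom) -> ADOM name

    def _vdoms_of(self, device: str):
        return [k for k in self.members if isinstance(k, tuple) and k[0] == device]

    def assign(self, adom: str, device: str, vdom: Optional[str] = None) -> None:
        if vdom is None:
            # A unit belongs to one ADOM only, and cannot be added as a whole
            # once some of its VDOMs have been placed individually.
            if self.members.get(device, adom) != adom:
                raise ValueError(f"{device} already belongs to ADOM {self.members[device]}")
            if self._vdoms_of(device):
                raise ValueError(f"VDOMs of {device} are already assigned individually")
            self.members[device] = adom
            return
        # Per-VDOM placement needs advanced mode; a VDOM, like a unit, has one ADOM.
        if self.mode != ADVANCED:
            raise ValueError("assigning a single VDOM requires adom-mode advanced")
        if device in self.members:
            raise ValueError(f"{device} is already assigned as a whole unit")
        key = (device, vdom)
        if self.members.get(key, adom) != adom:
            raise ValueError(f"{device}/{vdom} already belongs to ADOM {self.members[key]}")
        self.members[key] = adom

    def unassign(self, device: str, vdom: Optional[str] = None) -> None:
        self.members.pop(device if vdom is None else (device, vdom), None)

    def set_mode(self, mode: str) -> None:
        # Returning to normal mode is only allowed once no VDOM is assigned to any ADOM.
        if mode == NORMAL and any(isinstance(k, tuple) for k in self.members):
            raise ValueError("unassign all VDOMs before switching back to normal mode")
        self.mode = mode
```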

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account, constraining them to configurations and data that apply only to devices in their ADOM.

By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root domain, which contains all devices in the device list. For more information about creating other ADOMs, see Assigning devices to an ADOM.

To assign an administrator to an ADOM:

  1. Log in as admin. Other administrators cannot configure administrator accounts when ADOMs are enabled.
  2. Go to System Settings > Admin > Administrator.
  3. Configure the administrator account, and select the Admin Domains that the administrator account will be able to use to access the FortiManager system.

Locking an ADOM

If workspace is enabled, you must lock an ADOM prior to performing any management tasks on it. An ADOM can be locked from either the Device Manager tab or the Policy & Objects tab.

To lock an ADOM from the Device Manager tab:

  1. Right-click on the ADOM name in the tree menu and select Lock from the pop-up menu.

The ADOM will now be locked, allowing you to make changes to it, and preventing other administrators from making any changes, unless lock override is enabled.

To lock an ADOM from the Policies and Objects tab:

  1. Select the specific ADOM that you are locking from the drop-down list in the toolbar, or select Global.
  2. Select the lock icon next to the drop-down list to lock the selected ADOM.

The ADOM will now be locked, allowing you to make changes to it, and preventing other administrators from making any changes, unless lock override is enabled.

Figure: Locked Policy & Object page

To unlock the ADOM from the Policies and Objects tab:

  1. Select the specific ADOM that you have locked from the drop-down list in the toolbar.
  2. Select the locked icon next to the drop-down list to unlock the selected ADOM.

The ADOM will now be unlocked, allowing you or another administrator to lock the ADOM and make further changes.

Workflow mode

Workflow mode is a new global mode to define approval or notification workflow when creating and installing policy changes. Workflow mode is enabled via the CLI only and requires workspace to also be enabled. When workflow mode is enabled, the administrator will have a new option in the admin page to approve/reject workflow requests.

This mode introduces three new permissions for Super_Admin administrative users:

  • Self-approval: The user has rights to approve or deny their own changes without further approval. The user cannot approve the changes of others without the Approval right.
  • Approval: The user has rights to approve or deny the changes made by other users. The user cannot approve their own changes without the Self-approval right. When workflow mode is enabled, all administrators with the Approval right will receive notifications by default.
  • Change Notification: The user is notified via email of all changes made on the FortiManager.

Administrators with the appropriate permissions can approve or reject any pending request. When viewing the session list, they can choose any pending session and click the approve/reject buttons, adding a note to the approval/rejection response. The system sends a notification to the administrator that submitted the session. If the session was approved, no further action is required. If the session was rejected, the administrator needs to log on and repair their changes; once they create a new session, the repair is made on top of the last session's changes.

Email notifications will be generated for the following situations:

  • A new change is pending approval. The email will contain a summary of the changes.
  • A change is approved.
  • A change is denied.


When you want to start a workflow, go to the Policy & Objects tab and select the Start Session button. This will lock the ADOM, generate a revision, and allow you to make changes. When you are done making changes, select the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows users to view any pending requests for approval or active sessions. The session list displays details of each session and allows you to browse the changes performed for the selected session.

To enable workflow mode and disable concurrent ADOM access, type the following CLI command lines:

    config system global
        set workspace-mode workflow
    end
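The session and approval behaviour described above (Start Session locks the ADOM and generates a revision, Submit releases the lock and notifies holders of the Approval right, and a reviewer needs Self-approval for their own session but Approval for anyone else's) can be checked in a small model. This is an added example for this page, not FortiManager code; the class names, right names and notification strings are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rights the guide names for workflow mode; the string values are constructed for this model.
SELF_APPROVAL, APPROVAL = "self-approval", "approval"

@dataclass
class Admin:
    name: str
    rights: frozenset

@dataclass
class Session:
    owner: str
    state: str = "pending"  # pending -> approved | rejected
    note: str = ""

@dataclass
class Adom:
    name: str
    locked_by: Optional[str] = None
    revision: int = 0
    notifications: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)

    def start_session(self, admin: Admin) -> Session:
        # Start Session locks the ADOM and generates a revision; the lock blocks
        # every other administrator until Submit releases it.
        if self.locked_by is not None:
            raise PermissionError(f"ADOM {self.name} is locked by {self.locked_by}")
        self.locked_by = admin.name
        self.revision += 1
        return Session(owner=admin.name)

    def submit(self, session: Session, admins: List[Admin]) -> None:
        # Submit releases the lock and notifies every admin holding the Approval right.
        self.locked_by = None
        for a in admins:
            if APPROVAL in a.rights:
                self.notifications.append((a.name, f"pending approval from {session.owner}"))

    def decide(self, session: Session, reviewer: Admin, approve: bool, note: str = "") -> str:
        # Separation of duties: your own session needs Self-approval, someone
        # else's needs Approval. The submitter is notified of the outcome.
        needed = SELF_APPROVAL if reviewer.name == session.owner else APPROVAL
        if needed not in reviewer.rights:
            raise PermissionError(f"{reviewer.name} lacks the {needed} right")
        if session.state != "pending":
            raise ValueError("session already decided")
        session.state = "approved" if approve else "rejected"
        session.note = note
        self.notifications.append((session.owner, f"session {session.state}: {note}"))
        return session.state
```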


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “Administrative Domains – FortiManager 5.2”

  1. santosh

    Can you please tell me how to enable backup mode or normal mode?

    As per your article there are 2 modes:
    1. normal
    2. backup.

    But how to enable them is not shown.

    1. Mike Post author

      When creating the ADOM it gives you the option. (System Settings > All ADOMs > Edit the ADOM > Change Type > Normal / Backup)

      On the gate you can also configure central management for the backup settings as well:
      config system central-management
          set mode backup
          set fortimanager-fds-override enable
          set fmg "xxx.xxx.xxx.xxx"   <<=========
      end

  2. NIcolas

    Good morning, I have a query. I have a FortiGate 200E connected against a FortiManager; communication works, and from the FortiManager I see the FortiGate, but I can’t get the logs to arrive. In FortiManager the option of FortiAnalyzer Features is enabled, but when trying to configure the FortiGate it indicates the following:
    No response, or FortiAnalyzer functionality must be enabled on FortiManager.

    Could it be that I need to inhabit a route / port / policy?

    Thank you.
