Global policy packages
Global policies and objects function in a similar fashion to local policies and objects, but are applied universally to all ADOMs and VDOMs inside your FortiManager installation. This allows users in a carrier, service provider, or large enterprise to support complex installations that may require their customers to pass traffic through their own network.
For example, a carrier or host may allow customers to transit traffic through their network, but do not want their customer to have the ability to access the carrier’s internal network or resources. Creating global policy header and footer packages to effectively surround a customer’s policy packages can help maintain security.
Global policy packages must be explicitly assigned to specific ADOMs to be used. When configuring global policies, a block of space in the policy table is reserved for Local Domain Policies. All of the policies in an ADOM’s policy table is inserted into this block when the global policy is assigned to an ADOM.
Display options for policies and objects can be configured in System Settings > Admin > Admin Settings.
Policy workflow
An administrator will typically carry out two main functions with their devices through FortiManager: provisioning new devices or VDOMs on the network and managing the day-to-day operations of managed devices and VDOMs.
Display options
Provisioning new devices
There are multiple steps to provision a new device or VDOM to be managed by the FortiManager unit:
- In the Device Manager tab, create a new VDOM or add a new device.
- Assign a system template to the provisioned device (optional).
- In the Policy & Objects tab, configure any dynamic objects you wish to assign to the new VDOM or device.
- Determine how a policy will be defined for the new device: does the new device or VDOM have a new policy package unique to itself, or will use a package that is implemented elsewhere?
- Run the Install Wizard to install any objects and policies for the new device, or create a new policy package.
- If the new device uses an existing policy package, modify the installation targets of that package to include the new device and click the Installation
Day-to-day management of devices
An administrator will often have to modify various objects for the devices they are responsible for managing. A typical set of tasks to manage an already provisioned device will include:
- Adding, deleting, or editing various objects, such as firewall information, security profiles, user access rights, antivirus signatures, etc.
- Adding, deleting, or editing all of the policy packages or individual policies within a policy package. This can include changing the order of operation, adding new policies, or modifying information or access permissions in the policy package.
- Installing updates to devices.
Question about ADOMs. In previous versions of FortiOS 4.3 maybe earlier. When you had multiple devices under an ADOM the policies and objects were clearly separated per device being managed. With the newer FortiOS it seems as though there is overlapping and my policies and objects seem to be cross contaminated between devices. What is your perspective on this and/or work around? Thank you in advance – Richard
I always keep my devices separated by Firmware version. ADOM 4.3 ADOM 5.2 ADOM 5.4 etc to keep things nice and neat.
I have an issue for deleting the V4.2 ADOMs from FMG V5.2 getting the below error.
Some ADOM(s) were not deleted successfully because they are not empty
But those ADOMs are not used anywhere. How to find out where it is used?
No admin accounts having access to the ADOM, No policy package for the ADOM.
Usually, it experiences this issue because something somewhere is still referencing it. Whether that item be a policy package as you mentioned before or a group etc.
Is there any possibilities to find out the references for that ADOM on the FMG.
Hi Mike,
We use fortimanager v5.4.1-build1082 160629 (GA) FMG-VM64 but we cant drag and drop within the rule base. (drag en drop from the object side plain does work) I have seen a instruction video were they lock the adom but also that future is non exsistent in our GUI.
You have any idea what this could be ? I did not see any issues on this subject on the fortinet site. We have upgraded from a older version FM.
kind regards and thanks for this great support site, i look here first!
Did you follow the supported upgrade path when you moved your FortiManager up through the code?
Not sure ( I was not involved and there is no change history) but i did found this in the “alert message console”
Upgrade image from v5.2.7-build0757-160408(GA) to v5.4.1-build1082-160629
Hello,
HELP !! we have multiple firewalls we would like to upload on our Fortimanager in the same ADOM.
The problem is that some objects have the same names but different IPs adresses. i read that the only solution is mapping the objects. if we do so we will have to it manually on every object (more than ~200) which is not an option for me. Can you please help me with this problem ?