
CLI Reference

About ADOMs

Enabling ADOMs changes the structure and available functionality of the GUI and CLI. What you see depends on whether you log in as the admin administrator and, if you do not, on the access profile assigned to your administrator account.

The admin administrator can further restrict other administrators’ access to specific configuration areas within their ADOM by using access profiles.

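Characteristics of the CLI and GUI when ADOMs are enabled

|                                   | Admin administrator account | Other administrators |
|-----------------------------------|-----------------------------|----------------------|
| Access to config system global    | Yes                         | No                   |
| Can create administrator accounts | Yes                         | No                   |
| Can enter all ADOMs               | Yes                         | No                   |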

  • If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appears, allowing unrestricted access and ADOM configuration.
  • config system global contains settings used by the FortiAnalyzer unit itself and settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.

  • If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appears, allowing access only to logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration or enter other ADOMs.
  • By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer unit’s total devices or VDOMs.

The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or Global Configuration.

The maximum number of ADOMs varies by FortiAnalyzer model.

| FortiAnalyzer Model     | Maximum ADOMs |
|-------------------------|---------------|
| FAZ-100C                | 100           |
| FAZ-200D                | 150           |
| FAZ-300D                | 175           |
| FAZ-400C                | 300           |
| FAZ-1000C and FAZ-1000D | 2 000         |
| FAZ-3000D and FAZ-3000E | 2 000         |
| FAZ-3500E and FAZ-3900E | 4 000         |
| FAZ-4000B               | 2 000         |
| FAZ-VM32 and FAZ-VM64   | 10 000        |
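
The scoping rules above, modeled as an added Python example (not Fortinet code): it computes which devices each administrator account can reach and flags accounts still on the default root ADOM, undefined ADOM assignments, and an ADOM count above the model maximum. The inventory, account names, and dict layout are constructed assumptions, not a FortiAnalyzer export format.

```python
# Added example: models the ADOM scoping rules described on this page.
# Inventory, account names and dict layout are constructed (hypothetical),
# not a FortiAnalyzer export format.
DEVICES = {"fgt-hq", "fgt-branch1", "fgt-branch2", "fgt-lab"}
ADOMS = {
    "root": set(DEVICES),  # root ADOM includes all devices in the device list
    "branches": {"fgt-branch1", "fgt-branch2"},
    "lab": {"fgt-lab"},
}
ADMINS = {
    "admin": None,        # the admin account cannot be restricted to an ADOM
    "alice": "branches",
    "bob": "lab",
    "carol": "root",      # never moved off the default assignment
}
# Subset of the page's "Maximum ADOMs" table.
MAX_ADOMS = {"FAZ-100C": 100, "FAZ-200D": 150, "FAZ-300D": 175, "FAZ-400C": 300}


def visible_devices(name, admins=ADMINS, adoms=ADOMS):
    """Return the devices whose ADOM-specific data the account can reach."""
    if name == "admin":
        return set().union(*adoms.values())  # admin can enter all ADOMs
    return set(adoms.get(admins[name], set()))


def audit(model, admins=ADMINS, adoms=ADOMS, devices=DEVICES):
    """List (subject, finding) pairs that weaken ADOM separation."""
    findings = []
    for name in sorted(admins):
        if name == "admin":
            continue
        adom = admins[name]
        if adom not in adoms:
            findings.append((name, "assigned to an undefined ADOM"))
        elif adom == "root" or adoms[adom] >= devices:
            findings.append((name, "can reach every device"))
    if len(adoms) > MAX_ADOMS[model]:
        findings.append((model, "ADOM count exceeds the model maximum"))
    return findings


if __name__ == "__main__":
    for name in sorted(ADMINS):
        print(name, sorted(visible_devices(name)))
    for subject, finding in audit("FAZ-200D"):
        print("FINDING:", subject, "-", finding)
```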
