CLI Reference

Configuring ADOMs

To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign existing FortiManager administrators to ADOMs.

Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the FortiManager unit configuration before enabling ADOMs.

ADOMs must be enabled before adding FortiMail, FortiWeb, and FortiCarrier devices to the FortiManager system. FortiMail and FortiWeb devices are added to their respective pre-configured ADOMs.

In FortiManager 5.0.3 and later, FortiGate and FortiCarrier devices can no longer be grouped into the same ADOM. FortiCarrier devices should be grouped into a dedicated FortiCarrier ADOM.

Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use the GUI.

To enable or disable ADOMs:

Enter the following CLI command:

config system global
    set adom-status {enable | disable}
end

An administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can assign different VDOMs from the same FortiGate to multiple administrative domains.

Enabling the advanced mode option will result in more complicated management scenarios. It is recommended only for advanced users.

To change ADOM device modes:

Enter the following CLI command:

config system global
    set adom-mode {advanced | normal}
end

To assign an administrator to an ADOM:

Enter the following CLI command:

config system admin user
    edit <name>
        set adom <adom_name>
    next
end

where <name> is the administrator user name and <adom_name> is the ADOM name.

Concurrent ADOM Access

System administrators can enable/disable concurrent access to the same ADOM if multiple administrators are responsible for managing a single ADOM. When enabled, multiple administrators can log in to the same ADOM concurrently. When disabled, only a single administrator has read/write access to the ADOM, while all other administrators have read-only access.

Concurrent ADOM access can be enabled or disabled using the CLI or the GUI. The settings apply to all ADOMs, unless you set workspace-mode to per-ADOM. When per-ADOM is enabled, you can apply different settings to each ADOM by using the GUI.

Concurrent ADOM access is enabled by default. This can cause conflicts if two administrators attempt to make configuration changes to the same ADOM concurrently.

To enable ADOM locking and disable concurrent ADOM access for all ADOMs:

config system global
    set workspace-mode normal
end

To disable ADOM locking and enable concurrent ADOM access for all ADOMs:

config system global
    set workspace-mode disabled
Warning: disabling workspaces may cause some logged in users to lose their unsaved data. Do you want to continue? (y/n) y
end

To enable workspace workflow mode for all ADOMs:

config system global
    set workspace-mode workflow
end

When workflow mode is enabled, the admin has an extra option on the admin page, under profile, that allows the admin to approve or reject workflow requests.

To enable per-ADOM workspace mode settings:

config system global
    set workspace-mode per-adom
end

When per-adom is enabled, the admin can set the workspace mode for each ADOM by using the GUI.
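The settings on this page (adom-status, adom-mode, workspace-mode, and the per-administrator adom assignment) all appear in the text form that the FortiManager CLI uses for configuration, so a reviewer can check them from a saved configuration dump rather than by clicking through the GUI. The following script is an added example, not Fortinet code: it parses config/set/edit/next/end blocks of that form into a dictionary, then reports the conditions this page calls out (workspace-mode disabled, meaning concurrent read/write access and possible conflicting changes; advanced adom-mode; administrators with no explicit adom value). The sample configuration text is constructed for the example, the administrator and ADOM names in it are invented, and treating an absent workspace-mode as "disabled" follows the page's statement that concurrent access is the default.

```python
"""Audit ADOM-related settings from FortiManager-style config text.

Added example, not Fortinet's code. SAMPLE_CONFIG is constructed to look like
the 'config ... set ... end' blocks shown on this page; names are invented.
"""
import shlex

# Constructed sample: one global block and one admin-user table.
SAMPLE_CONFIG = """\
config system global
    set adom-status enable
    set adom-mode normal
    set workspace-mode disabled
end
config system admin user
    edit "admin"
        set adom "root"
    next
    edit "ops-alice"
        set adom "FortiGate-Prod"
    next
    edit "ops-bob"
    next
end
"""


def parse_config(text):
    """Return {config path: settings}. For table paths (edit/next), the
    settings dict maps each entry name to its own settings dict."""
    result = {}
    path_stack = []   # nested 'config' paths
    entry = None      # current 'edit' entry inside a table, if any
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # strips the quotes around names
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            path = " ".join(tokens[1:])
            path_stack.append(path)
            result.setdefault(path, {})
        elif kw == "edit":
            entry = tokens[1]
            result[path_stack[-1]].setdefault(entry, {})
        elif kw == "set":
            target = result[path_stack[-1]]
            if entry is not None:
                target = target[entry]
            target[tokens[1]] = " ".join(tokens[2:])
        elif kw == "next":
            entry = None
        elif kw == "end":
            path_stack.pop()
            entry = None
    return result


def audit(config):
    """Return a list of human-readable findings based on this page's guidance."""
    findings = []
    glob = config.get("system global", {})
    if glob.get("adom-status") != "enable":
        findings.append("adom-status is not enabled: administrators and devices "
                        "are not separated into administrative domains")
    # The page states concurrent access is the default, so a missing value
    # is treated as 'disabled' (assumption documented in the lead-in).
    workspace = glob.get("workspace-mode", "disabled")
    if workspace == "disabled":
        findings.append("workspace-mode disabled: concurrent read/write access, "
                        "conflicting changes to one ADOM are possible")
    elif workspace == "per-adom":
        findings.append("workspace-mode per-adom: locking is set per ADOM in the "
                        "GUI, review each ADOM separately")
    if glob.get("adom-mode") == "advanced":
        findings.append("adom-mode advanced: VDOMs of one FortiGate may be split "
                        "across ADOMs, review the assignment")
    for name, settings in config.get("system admin user", {}).items():
        if "adom" not in settings:
            findings.append(f"admin '{name}' has no explicit adom assignment")
    return findings


def remediation(findings):
    """Return the CLI block from this page that enables ADOM locking, if needed."""
    if any(f.startswith("workspace-mode disabled") for f in findings):
        return "config system global\n    set workspace-mode normal\nend"
    return ""


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
    print(remediation(audit(parse_config(SAMPLE_CONFIG))))
```

Feed the script the output of the show commands for the two paths instead of SAMPLE_CONFIG to review a real unit; because the parser only keys on the config/edit/set/next/end keywords, nested tables in the dump that it does not audit are parsed and ignored.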