Configuring ADOMs
To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign existing FortiManager administrators to ADOMs.
Enabling ADOMs moves non-global configuration items to the
ADOMs must be enabled before adding FortiMail, FortiWeb, and FortiCarrier devices to the FortiManager system. FortiMail and FortiWeb devices are added to their respective pre-configured ADOMs.
In FortiManager 5.0.3 and later, FortiGate and FortiCarrier devices can no longer be grouped into the same ADOM. FortiCarrier devices should be grouped into a dedicated FortiCarrier ADOM.
Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use the GUI.
To enable/disable ADOMs:
Enter the following CLI command:
config system global
set adom-status {enable | disable}
end
An administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can assign different VDOMs from the same FortiGate to multiple administrative domains.
Enabling the advanced mode option will result in more complicated management scenarios. It is recommended only for advanced users.
To change ADOM device modes:
Enter the following CLI command:
config system global
set adom-mode {advanced | normal}
end
To assign an administrator to an ADOM:
Enter the following CLI command:
config system admin user
edit <name>
set adom <adom_name>
next
end
where <name> is the administrator user name and <adom_name> is the ADOM name.
Concurrent ADOM Access
System administrators can enable/disable concurrent access to the same ADOM if multiple administrators are responsible for managing a single ADOM. When enabled, multiple administrators can log in to the same ADOM concurrently. When disabled, only a single administrator has read/write access to the ADOM, while all other administrators have read-only access.
Concurrent ADOM access can be enabled or disabled using the CLI or the GUI. The settings apply to all ADOMs, unless you set workspace-mode to per-ADOM. When per-ADOM is enabled, you can apply different settings to each ADOM by using the GUI.
Concurrent ADOM access is enabled by default. This can cause conflicts if two administrators attempt to make configuration changes to the same ADOM concurrently.
To enable ADOM locking and disable concurrent ADOM access for all ADOMs:
config system global
set workspace-mode normal
end
To disable ADOM locking and enable concurrent ADOM access for all ADOMs:
config system global
set workspace-mode disabled
Warning: disabling workspaces may cause some logged in users to lose their unsaved data. Do you want to continue? (y/n) y
end
To enable workspace workflow mode for all ADOMs:
config system global
set workspace-mode workflow
end
When workflow mode is enabled, the admin will have an extra option in the admin page under profile to allow the admin to approve or reject workflow requests.
To enable per-ADOM workspace mode settings:
config system global
set workspace-mode per-adom
end
When per-adom is enabled, the admin can set the workspace mode for each ADOM by using the GUI.
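As an added review aid that is not part of this guide or of FortiManager itself: a Python script that parses a configuration dump written in the CLI syntax shown in this section (config system global and config system admin user) and reports the ADOM settings discussed above, including workspace-mode left at its default of concurrent access. The sample configuration, the finding texts and the assumption that an absent workspace-mode means "disabled" are constructed for this example.

```python
# Constructed sample in the CLI syntax used on this page: ADOMs enabled,
# advanced device mode, concurrent access (no locking), one admin without ADOM.
SAMPLE_CONFIG = """\
config system global
    set adom-status enable
    set adom-mode advanced
    set workspace-mode disabled
end
config system admin user
    edit "alice"
        set adom "root"
    next
    edit "bob"
    next
end
"""

def parse_config(text):
    """Parse 'config ... end' blocks into nested dicts. Top-level 'set' lines go
    under the section name; each 'edit <name>' entry gets its own dict."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
            entry = None
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and section is not None:
            key, _, value = line[4:].partition(" ")
            (entry if entry is not None else section)[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections

def audit(text):
    """Return findings for the settings this section of the guide describes."""
    cfg = parse_config(text)
    g = cfg.get("system global", {})
    findings = []
    if g.get("adom-status") != "enable":
        findings.append("adom-status: ADOMs disabled; FortiMail/FortiWeb/FortiCarrier devices cannot be added")
    if g.get("adom-mode") == "advanced":
        findings.append("adom-mode advanced: VDOMs of one FortiGate may span ADOMs; review assignments")
    mode = g.get("workspace-mode", "disabled")  # assumption: absent means the default, concurrent access
    if mode == "disabled":
        findings.append("workspace-mode disabled: concurrent read/write to one ADOM; consider 'set workspace-mode normal'")
    elif mode == "per-adom":
        findings.append("workspace-mode per-adom: locking is decided per ADOM in the GUI; check each ADOM")
    for name, settings in cfg.get("system admin user", {}).items():
        if isinstance(settings, dict) and "adom" not in settings:
            findings.append(f"admin {name}: no ADOM assigned")
    return findings
```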