Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.6.0 CLI Reference
    7.6.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    ADOMs

    Administrative domains (ADOMs)

    Administrative domains (ADOMs) enable the admin administrator to constrain other FortiWeb administrators’ access privileges to a subset of policies and protected host names. This can be useful for large enterprises and multi-tenant deployments such as web hosting.

    ADOMs are not enabled by default. Enabling and configuring administrative domains can only be performed by the admin administrator.

    Enabling ADOMs alters the structure of and the available functions in the GUI and CLI according to whether you're logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile.

    Differences between administrator accounts when ADOMs are enabled

    admin administrator account Other administrators

    Access to config global

    Yes

    No

    Can create administrator accounts

    Yes

    No

    Can create & enter all ADOMs

    Yes

    No

    If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted access and ADOM configuration.

    config global contains settings used by the FortiWeb itself and settings shared by ADOMs, such as RAID and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.

    If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appear, allowing access only to only logs, reports, policies, servers, and LDAP queries specific to your ADOM. You cannot access global configuration settings or enter other ADOMs.

    By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all policies and servers. By creating ADOMs that contain a subset of policies and servers, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiWeb’s total protected servers.

    The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or global settings.

    To enable ADOMs

    Log in with the admin account.

    Other administrators do not have permissions to configure ADOMs.

    Back up your configuration. Enabling ADOMs changes the structure of your configuration, and moves non-global settings to the root ADOM. For details about how to back up the configuration, see backup full-config.

    Enter the following commands:

    config system global

    set adom-admin enable

    end


    FortiWeb terminates your administrative session.

    Log in again.

    When ADOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are config global and config vdom.

    • config global contains settings that only admin or other accounts with the prof_admin access profile can change.
    • config vdom contains each ADOM and its respective settings.

    This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus continue to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA, and other global settings do not appear.

    Continue by defining ADOMs. For details, see Defining ADOMs.

    To disable ADOMs

    Delete all ADOM administrator accounts.

    Back up your configuration. Disabling ADOMs changes the structure of your configuration, and deletes most ADOM-related settings. It keeps settings from the root ADOM only. For details about how to back up the configuration, see backup full-config.

    Enter the following commands:

    config system global

    set adom-admin disable

    end

    FortiWeb terminates your administrative session.

    Continue by reconfiguring the appliance. For details, see the FortiWeb Administration Guide:

    http://docs.fortinet.com/fortiweb/admin-guides

    See also

    Defining ADOMs

    Some settings can only be configured by the admin account—they are global. Global settings apply to the appliance overall regardless of ADOM, such as:

    • Operation mode
    • Network interfaces
    • System time
    • Backups
    • Administrator accounts
    • Access profiles
    • FortiGuard connectivity settings
    • HA and configuration sync
    • SNMP
    • RAID
    • X.509 certificates
    • TCP SYN flood anti-DoS setting
    • Vulnerability scans
    • ping and other global operations that exist only in the CLI

    Only the admin account can configure global settings.

    In the current release, some settings, such as user accounts for HTTP authentication, anti-defacement, and logging destinations are read-only for ADOM administrators. Future releases will allow ADOM administrators to configure these settings separately for their ADOM.

    Other settings can be configured separately for each ADOM. They essentially define each ADOM. For example, the policies of adom-A are separate from adom-B.

    Initially, only the root ADOM exists, and it contains settings such as policies that were global before ADOMs were enabled. Typically, you will create additional ADOMs, and few if any administrators will be assigned to the root ADOM.

    After ADOMs are created, the admin account usually assigns other administrator accounts to configure their ADOM-specific settings. However, as the root account, the admin administrator does have permission to configure all settings, including those within ADOMs.

    To create an ADOM

    Log in with the admin account.

    Enter the following commands:

    config vdom

    edit <adom_name>


    where <adom_name> is the name of your new ADOM. Alternatively, to configure the default root ADOM, type root.

    The maximum number of ADOMs you can add varies by your FortiWeb model. The number of ADOMs is limited by available physical memory (RAM), and therefore also limits the maximum number of policies and sessions per ADOM. For details, see the FortiWeb Administration Guide:

    http://docs.fortinet.com/fortiweb/admin-guides

    The new ADOM exists, but its settings are not yet configured.

    Either:

    config log...

    config server-policy...

    config system...

    config waf...

    See also

    Assigning administrators to an ADOM

    The admin administrator can create other administrators and assign their account to an ADOM, constraining them to that ADOM’s configurations and data.

    To assign an administrator to an ADOM

    If you have not yet created any administrator access profiles, create at least one. For details, see system accprofile.

    In the administrator account’s accprofile "<access-profile_name>" setting, select the new access profile.

    (Administrators assigned to the prof_admin access profile will have global access. They cannot be restricted to an ADOM.)

    In the administrator account’s domains "<adom_name>" setting, select the account’s assigned ADOM. Currently, in this version of FortiWeb, administrators cannot be assigned to more than one ADOM.

    See also
    Previous
    Next

    ADOMs

    Administrative domains (ADOMs)

    Administrative domains (ADOMs) enable the admin administrator to constrain other FortiWeb administrators’ access privileges to a subset of policies and protected host names. This can be useful for large enterprises and multi-tenant deployments such as web hosting.

    ADOMs are not enabled by default. Enabling and configuring administrative domains can only be performed by the admin administrator.

    Enabling ADOMs alters the structure of and the available functions in the GUI and CLI according to whether you're logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile.

    Differences between administrator accounts when ADOMs are enabled

    admin administrator account Other administrators

    Access to config global

    Yes

    No

    Can create administrator accounts

    Yes

    No

    Can create & enter all ADOMs

    Yes

    No

    If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted access and ADOM configuration.

    config global contains settings used by the FortiWeb itself and settings shared by ADOMs, such as RAID and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.

    If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appear, allowing access only to only logs, reports, policies, servers, and LDAP queries specific to your ADOM. You cannot access global configuration settings or enter other ADOMs.

    By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all policies and servers. By creating ADOMs that contain a subset of policies and servers, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiWeb’s total protected servers.

    The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or global settings.

    To enable ADOMs

    Log in with the admin account.

    Other administrators do not have permissions to configure ADOMs.

    Back up your configuration. Enabling ADOMs changes the structure of your configuration, and moves non-global settings to the root ADOM. For details about how to back up the configuration, see backup full-config.

    Enter the following commands:

    config system global

    set adom-admin enable

    end


    FortiWeb terminates your administrative session.

    Log in again.

    When ADOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are config global and config vdom.

    • config global contains settings that only admin or other accounts with the prof_admin access profile can change.
    • config vdom contains each ADOM and its respective settings.

    This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus continue to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA, and other global settings do not appear.

    Continue by defining ADOMs. For details, see Defining ADOMs.

    To disable ADOMs

    Delete all ADOM administrator accounts.

    Back up your configuration. Disabling ADOMs changes the structure of your configuration, and deletes most ADOM-related settings. It keeps settings from the root ADOM only. For details about how to back up the configuration, see backup full-config.

    Enter the following commands:

    config system global

    set adom-admin disable

    end

    FortiWeb terminates your administrative session.

    Continue by reconfiguring the appliance. For details, see the FortiWeb Administration Guide:

    http://docs.fortinet.com/fortiweb/admin-guides

    See also

    Defining ADOMs

    Some settings can only be configured by the admin account—they are global. Global settings apply to the appliance overall regardless of ADOM, such as:

    • Operation mode
    • Network interfaces
    • System time
    • Backups
    • Administrator accounts
    • Access profiles
    • FortiGuard connectivity settings
    • HA and configuration sync
    • SNMP
    • RAID
    • X.509 certificates
    • TCP SYN flood anti-DoS setting
    • Vulnerability scans
    • ping and other global operations that exist only in the CLI

    Only the admin account can configure global settings.

    In the current release, some settings, such as user accounts for HTTP authentication, anti-defacement, and logging destinations are read-only for ADOM administrators. Future releases will allow ADOM administrators to configure these settings separately for their ADOM.

    Other settings can be configured separately for each ADOM. They essentially define each ADOM. For example, the policies of adom-A are separate from adom-B.

    Initially, only the root ADOM exists, and it contains settings such as policies that were global before ADOMs were enabled. Typically, you will create additional ADOMs, and few if any administrators will be assigned to the root ADOM.

    After ADOMs are created, the admin account usually assigns other administrator accounts to configure their ADOM-specific settings. However, as the root account, the admin administrator does have permission to configure all settings, including those within ADOMs.

    To create an ADOM

    Log in with the admin account.

    Enter the following commands:

    config vdom

    edit <adom_name>


    where <adom_name> is the name of your new ADOM. Alternatively, to configure the default root ADOM, type root.

    The maximum number of ADOMs you can add varies by your FortiWeb model. The number of ADOMs is limited by available physical memory (RAM), and therefore also limits the maximum number of policies and sessions per ADOM. For details, see the FortiWeb Administration Guide:

    http://docs.fortinet.com/fortiweb/admin-guides

    The new ADOM exists, but its settings are not yet configured.

    Either:

    config log...

    config server-policy...

    config system...

    config waf...

    See also

    Assigning administrators to an ADOM

    The admin administrator can create other administrators and assign their account to an ADOM, constraining them to that ADOM’s configurations and data.

    To assign an administrator to an ADOM

    If you have not yet created any administrator access profiles, create at least one. For details, see system accprofile.

    In the administrator account’s accprofile "<access-profile_name>" setting, select the new access profile.

    (Administrators assigned to the prof_admin access profile will have global access. They cannot be restricted to an ADOM.)

    In the administrator account’s domains "<adom_name>" setting, select the account’s assigned ADOM. Currently, in this version of FortiWeb, administrators cannot be assigned to more than one ADOM.

    See also
    Previous
    Next