
FCP_FMG_AD-7.4 Global ADOM and Central Management

Global ADOM and Central Management Detailed Explanation

5.1 Administrative Domains (ADOMs)

What Are Administrative Domains (ADOMs)?

ADOMs (Administrative Domains) allow multiple organizations or departments to be managed independently within a single FortiManager instance. Each ADOM contains its own devices, policies, and settings, preventing conflicts between different environments.

Why Use ADOMs?

  • Network Segmentation – Different business units or customers can have separate configurations.
  • Role-Based Access Control (RBAC) – Administrators can be assigned to specific ADOMs without affecting other networks.
  • Multi-Tenancy – Service providers can manage multiple customers in a single FortiManager without mixing configurations.

Types of ADOMs in FortiManager

FortiManager supports two types of ADOMs:

ADOM Type    | Purpose
Global ADOM  | Used for shared policies and objects across multiple ADOMs.
Regular ADOM | Contains specific device groups, firewall rules, and configurations.

Key Difference:

  • The Global ADOM is like a master configuration area that applies standard security policies to all networks.
  • Regular ADOMs are separate environments with their own customized policies and device settings.

Real-World Use Case for ADOMs

Imagine a Managed Security Provider (MSP) that provides firewall management for multiple customers:

Customer           | ADOM Used    | Purpose
Retail Store Chain | Regular ADOM | Each store has unique network policies.
Banking Network    | Regular ADOM | Requires strict security policies different from retail.
Corporate HQ       | Global ADOM  | Enforces standard policies across all branch offices.

Using ADOMs, the MSP can keep customer configurations separate while managing them from one FortiManager.

How to Enable ADOMs in FortiManager

By default, FortiManager does not enable ADOMs. You must turn them on manually.

Step 1: Enable ADOMs
  1. Log in to the FortiManager GUI.
  2. Navigate to System Settings → General Settings.
  3. Find the Administrative Domains (ADOMs) setting.
  4. Click Enable.
  5. Click Apply to save the changes.

Expected Outcome:

  • The ADOMs feature is now activated, allowing administrators to create separate management environments.

How to Create an ADOM

Once ADOMs are enabled, you can create separate ADOMs for different environments.

Step 1: Create a New ADOM
  1. Go to System Settings → ADOMs.
  2. Click Create New ADOM.
  3. Enter a name for the ADOM (e.g., "Retail_Network").
  4. Choose the FortiOS version of the devices to be managed in the ADOM.
  5. Click OK to create the ADOM.

Expected Outcome:

  • A new ADOM is created, and you can assign FortiGate devices to this ADOM.

How to Assign a FortiGate to an ADOM

After creating an ADOM, you need to assign devices to it.

Step 1: Move a FortiGate to an ADOM
  1. Go to Device Manager.
  2. Click Import Device.
  3. Select the FortiGate firewall you want to add.
  4. Choose the ADOM to assign it to.
  5. Click OK.

Expected Outcome:

  • The FortiGate is now managed under the specified ADOM, and its configuration is isolated from other ADOMs.

5.2 Centralized Configuration Features

One of the biggest advantages of FortiManager is its ability to manage multiple firewalls from a central location. Below are key features that make centralized management efficient.

1. Shared Policy Management Across ADOMs

  • The Global ADOM allows security teams to create standard policies and apply them to all ADOMs.
  • Instead of configuring each FortiGate separately, administrators define rules once and push them across the network.

Example:
A company with 50 branch offices needs to apply a standard web filtering policy across all locations.

Solution:

  1. Create a global policy in the Global ADOM.
  2. Assign it to all branch ADOMs.
  3. Install the policy to push it to all firewalls.

Expected Outcome:

  • All 50 locations now follow the same security policy, ensuring consistency.

2. Central Logging and Integration with FortiAnalyzer

  • FortiManager collects logs from all FortiGate devices and integrates with FortiAnalyzer for deep analysis.
  • This allows security teams to monitor threats, failed login attempts, and traffic patterns in one dashboard.

Example:
A company wants to track all denied traffic across all branch offices.

Solution:

  1. Enable logging for denied traffic in firewall policies.
  2. Send logs to FortiAnalyzer via FortiManager.
  3. Use FortiAnalyzer to generate security reports.

Expected Outcome:

  • The security team can now analyze threats across all firewalls from a single interface.
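The denied-traffic tracking described above, as an added Python example (not part of this page or of any Fortinet tool): it parses constructed FortiGate-style key=value traffic log lines and aggregates denied forward traffic per device and per ADOM, the kind of summary a FortiAnalyzer report would present. The log lines and the device-to-ADOM mapping are constructed for the example.

```python
import re
from collections import Counter

# Constructed FortiGate-style traffic log lines (key=value pairs); not real captures.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:12:01 devname="FGT-RETAIL-01" devid="FGVM00AAAAAAAAA1" type="traffic" subtype="forward" action="deny" srcip=10.1.1.25 dstip=203.0.113.9 dstport=445 policyid=0
date=2024-05-01 time=09:12:03 devname="FGT-RETAIL-01" devid="FGVM00AAAAAAAAA1" type="traffic" subtype="forward" action="accept" srcip=10.1.1.25 dstip=203.0.113.10 dstport=443 policyid=12
date=2024-05-01 time=09:12:07 devname="FGT-BANK-01" devid="FGVM00AAAAAAAAA2" type="traffic" subtype="forward" action="deny" srcip=10.2.0.7 dstip=198.51.100.4 dstport=23 policyid=0
date=2024-05-01 time=09:12:09 devname="FGT-BANK-01" devid="FGVM00AAAAAAAAA2" type="traffic" subtype="forward" action="deny" srcip=10.2.0.7 dstip=198.51.100.4 dstport=23 policyid=0
date=2024-05-01 time=09:12:11 devname="FGT-HQ-01" devid="FGVM00AAAAAAAAA3" type="event" subtype="system" action="login" user="admin" status="failed"
"""

# Assumed mapping of managed devices to ADOMs, mirroring the MSP example earlier on the page.
DEVICE_ADOM = {"FGT-RETAIL-01": "Retail_Network", "FGT-BANK-01": "Banking", "FGT-HQ-01": "Corporate_HQ"}

# key=value where the value is either a quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log_line(line):
    """Parse one key=value log line into a dict, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def denied_traffic_by_adom(log_text):
    """Count denied traffic events per ADOM and per device, plus the most frequently denied destination ports."""
    by_adom, by_device, ports = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("type") != "traffic" or rec.get("action") != "deny":
            continue  # skip accepted traffic and non-traffic (event) records
        dev = rec.get("devname", "unknown")
        by_adom[DEVICE_ADOM.get(dev, "unassigned")] += 1
        by_device[dev] += 1
        ports[rec.get("dstport", "?")] += 1
    return {"by_adom": dict(by_adom), "by_device": dict(by_device), "top_ports": ports.most_common(3)}

if __name__ == "__main__":
    print(denied_traffic_by_adom(SAMPLE_LOGS))
```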

3. Automated Configuration Deployment for Consistency

  • Instead of manually configuring each firewall, FortiManager can automatically push settings to all devices.
  • This ensures standardized security policies and prevents configuration drift.

Example:
A company wants to apply the same VPN settings to all branch offices.

Solution:

  1. Create a VPN configuration template.
  2. Assign it to all branch office ADOMs.
  3. Install the configuration to deploy settings to all firewalls.

Expected Outcome:

  • VPN settings are automatically applied to all locations, ensuring consistent security.

5.3 Advanced ADOM Configurations

1. Inheritance and Policy Overrides Between Global and Regular ADOMs

One of the powerful features of FortiManager is the ability to inherit global policies while allowing custom modifications per ADOM.

How Inheritance Works:
  • Global ADOM policies are shared across all Regular ADOMs.
  • Regular ADOM administrators cannot modify global policies, ensuring consistent security settings.
  • Regular ADOMs can still add their own policies and adjust local rules alongside the global ones.

Example:
A company enforces strict security rules across all branch offices but allows specific exceptions per location.

Solution:

  1. Create a standard security policy in the Global ADOM.
  2. Apply the policy to all branch office ADOMs.
  3. Allow local admins to add site-specific rules for their ADOMs.

Expected Outcome:

  • Global security rules remain enforced, but each branch can customize certain aspects without violating security policies.
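The inheritance behaviour above, as an added Python model (not FortiManager code), based on FortiManager's global header and footer policy sections: header policies are evaluated before the ADOM's local policies and footer policies after them, so a local admin can add site-specific rules but cannot undo a deny that the Global ADOM placed in the header. The policy names and subnets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    name: str
    src: str             # source subnet in CIDR notation
    dst: str             # destination subnet in CIDR notation
    port: Optional[int]  # None matches any destination port
    action: str          # "accept" or "deny"
    origin: str          # "global-header", "local" or "global-footer"

def matches(p: Policy, src: str, dst: str, port: int) -> bool:
    return (ip_address(src) in ip_network(p.src) and ip_address(dst) in ip_network(p.dst)
            and (p.port is None or p.port == port))

def effective_policy_set(global_header, local, global_footer) -> List[Policy]:
    """Order installed on the FortiGate: global header, then the ADOM's local policies, then global footer."""
    return list(global_header) + list(local) + list(global_footer)

def evaluate(policies: List[Policy], src: str, dst: str, port: int) -> Optional[Policy]:
    """First-match evaluation; None means nothing matched (implicit deny)."""
    for p in policies:
        if matches(p, src, dst, port):
            return p
    return None

# Constructed Global ADOM rules: block SMB everywhere (header) and deny anything not explicitly allowed (footer).
GLOBAL_HEADER = [Policy("block-smb", "0.0.0.0/0", "0.0.0.0/0", 445, "deny", "global-header")]
GLOBAL_FOOTER = [Policy("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny", "global-footer")]
# Constructed local rules added by the Retail_Network ADOM admin; the second one tries to re-allow SMB.
RETAIL_LOCAL = [
    Policy("allow-pos-to-cloud", "10.1.0.0/16", "203.0.113.0/24", 443, "accept", "local"),
    Policy("allow-smb-to-fileserver", "10.1.0.0/16", "10.1.9.0/24", 445, "accept", "local"),
]

def decide(src: str, dst: str, port: int):
    """Return (action, policy name, origin) for a flow through the Retail_Network ADOM's installed policy set."""
    hit = evaluate(effective_policy_set(GLOBAL_HEADER, RETAIL_LOCAL, GLOBAL_FOOTER), src, dst, port)
    return (hit.action, hit.name, hit.origin) if hit else ("deny", "implicit", "none")

if __name__ == "__main__":
    for flow in [("10.1.1.25", "203.0.113.9", 443), ("10.1.1.25", "10.1.9.5", 445), ("10.1.1.25", "198.51.100.4", 23)]:
        print(flow, "->", decide(*flow))
```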

2. Policy Package Cloning for Multi-ADOM Deployments

Managing multiple ADOMs manually can be time-consuming. FortiManager allows policy package cloning, making it easy to duplicate policies across ADOMs.

Example:
A company has three departments (HR, IT, Sales), and each requires similar but slightly different security policies.

Solution:

  1. Create a master policy package in the Global ADOM.
  2. Clone the policy package into the HR, IT, and Sales ADOMs.
  3. Modify department-specific rules in each ADOM.

Expected Outcome:

  • Time is saved by reusing security policies, while department-level adjustments remain possible.

3. Inter-ADOM Policy Communication (Cross-ADOM Objects)

By default, ADOMs are isolated. However, FortiManager allows certain objects (addresses, services, or policies) to be shared across ADOMs.

Steps to Enable Cross-ADOM Object Sharing:
  1. Go to System Settings → ADOMs.
  2. Select Global ADOM and enable Cross-ADOM Object Sharing.
  3. Choose which objects to share (IP addresses, firewall policies, VPN settings, etc.).

Example:
A company wants all branch offices to use a shared VPN gateway, but each site has unique policies.

Solution:

  • The VPN configuration is defined in Global ADOM.
  • Each branch office inherits the VPN settings but applies local policies.

Expected Outcome:

  • VPN settings remain uniform, while each site maintains its security rules.

5.4 Role-Based Access Control (RBAC) for ADOMs

1. Why Use RBAC?

Role-Based Access Control (RBAC) restricts what administrators can access and modify in FortiManager. This ensures that users only have access to the ADOMs and features they need.

2. RBAC User Roles in FortiManager

Role Type        | Permissions                                        | Use Case
Super_Admin      | Full control over all ADOMs and system settings.   | Used for top-level administrators.
Restricted_Admin | Limited access to specific ADOMs and policies.     | Used for department-specific IT teams.
Read-Only_Admin  | Can view configurations but cannot make changes.   | Used for auditors or compliance officers.
API_User         | Can access the FortiManager API but not the GUI.   | Used for automation and scripting.

Example:
An organization wants to allow branch office IT staff to manage their own FortiGates, but they should not modify global settings.

Solution:

  1. Create Restricted_Admin accounts.
  2. Assign them access only to their ADOMs.
  3. Prevent changes to Global ADOM policies.

Expected Outcome:

  • Branch IT staff can manage their local settings, while global security policies remain protected.

5.5 Troubleshooting Common ADOM Issues

Even with careful configuration, ADOM-related issues can occur. Below are common problems and solutions.

1. ADOMs Are Not Available in FortiManager

Possible Causes:

  • ADOMs are disabled in FortiManager.
  • User account does not have ADOM permissions.

Solution:

  1. Go to System Settings → General Settings.
  2. Ensure ADOMs are enabled.
  3. Assign the correct ADOM permissions to the user.

2. Global ADOM Policies Are Not Being Applied

Possible Causes:

  • The Global ADOM policy package is not assigned to Regular ADOMs.
  • The policy installation failed.

Solution:

  1. Go to Policy & Objects → Policy Packages.
  2. Ensure the policy is assigned to the correct ADOMs.
  3. Click Install Wizard to deploy the policy.
  4. Verify the installation log for any errors.

3. ADOM Sync Status Shows "Out of Sync"

Possible Causes:

  • The FortiGate device has local changes that conflict with FortiManager.
  • The latest configuration was not retrieved.

Solution:

  1. Open Device Manager.
  2. Select the affected FortiGate device.
  3. Click Retrieve Config to update FortiManager with the latest settings.
  4. Click Install Wizard to resynchronize configurations.

Expected Outcome:

  • The ADOM should now show as "In Sync".

4. Users Cannot Modify Their Assigned ADOM

Possible Causes:

  • The user role does not have write permissions for the ADOM.
  • The ADOM is in read-only mode.

Solution:

  1. Go to System Settings → Admin Profiles.
  2. Select the user role and ensure write permissions are enabled.
  3. Check if the ADOM is locked by another admin.

Expected Outcome:

  • Users should now be able to modify policies within their ADOM.
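The RBAC roles from section 5.4 and the "Users Cannot Modify Their Assigned ADOM" checks above, combined in one added Python example (not FortiManager code): a small permission model that answers whether an admin may change an ADOM and, if not, which of the listed causes applies (no assignment, read-only role, Global ADOM protection, read-only ADOM, or a lock held by another admin). The role names come from the page's table; the permission fields and sample ADOMs are assumed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class AdminProfile:
    name: str
    adom_access: Dict[str, str]       # ADOM name -> "read-write" | "read-only"; "*" covers every Regular ADOM
    global_adom_write: bool = False   # only top-level admins may change Global ADOM policies

@dataclass
class AdomState:
    name: str
    read_only: bool = False           # ADOM placed in read-only mode
    locked_by: Optional[str] = None   # admin holding the workspace lock, if any

# Constructed profiles using the role names from the table in 5.4 (the permission model itself is assumed).
PROFILES = {
    "Super_Admin": AdminProfile("Super_Admin", {"*": "read-write"}, global_adom_write=True),
    "Restricted_Admin": AdminProfile("Restricted_Admin", {"Retail_Network": "read-write"}),
    "Read-Only_Admin": AdminProfile("Read-Only_Admin", {"*": "read-only"}),
}

def can_modify(profile: AdminProfile, adom: AdomState, admin_name: str) -> Tuple[bool, str]:
    """Return (allowed, reason); the reasons follow the causes listed under issue 4 in 5.5."""
    if adom.name == "Global ADOM":
        if not profile.global_adom_write:
            return False, f"{profile.name} has no write permission for the Global ADOM"
    else:
        level = profile.adom_access.get(adom.name) or profile.adom_access.get("*")
        if level is None:
            return False, f"{profile.name} is not assigned to ADOM {adom.name}"
        if level != "read-write":
            return False, f"{profile.name} has read-only access to ADOM {adom.name}"
    if adom.read_only:
        return False, f"ADOM {adom.name} is in read-only mode"
    if adom.locked_by and adom.locked_by != admin_name:
        return False, f"ADOM {adom.name} is locked by {adom.locked_by}"
    return True, "ok"

if __name__ == "__main__":
    print(can_modify(PROFILES["Restricted_Admin"], AdomState("Retail_Network"), "bob"))
    print(can_modify(PROFILES["Restricted_Admin"], AdomState("Global ADOM"), "bob"))
    print(can_modify(PROFILES["Super_Admin"], AdomState("Retail_Network", locked_by="alice"), "bob"))
```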

5.6 Best Practices for Global ADOM and Central Management

1. Use Global ADOM for Standard Security Policies

  • Define firewall rules, logging settings, and VPN configurations once.
  • Apply them across all Regular ADOMs for consistency.

2. Limit ADOM Access Using RBAC

  • Assign Super_Admin to manage Global ADOM.
  • Assign Restricted_Admins to manage specific ADOMs.
  • Use Read-Only_Admins for auditors.

3. Enable Cross-ADOM Object Sharing for Reusable Configurations

  • Use shared address objects for common subnets.
  • Define VPN gateways globally, so all ADOMs can use them.

4. Regularly Synchronize ADOMs

  • Run Retrieve Config weekly to keep FortiManager up to date.
  • Check the ADOM sync status to prevent conflicts.

5. Automate Policy Deployment

  • Use Automated Install Schedules to deploy security updates outside business hours.

Frequently Asked Questions

What is the purpose of the Global ADOM in FortiManager?

Answer:

It allows administrators to create global policies and objects that apply across multiple ADOMs.

Explanation:

The Global ADOM acts as a centralized configuration layer above individual ADOMs. Administrators can define objects, policies, and configurations that should be shared across multiple ADOM environments. These global elements can then be applied to local ADOM policy packages. This simplifies large deployments where many ADOMs require consistent security configurations.

Common exam trap:

Global ADOM does not replace local ADOM policies—it supplements them.


Why would an organization use Global Policy Packages?

Answer:

To enforce consistent security policies across multiple ADOMs.

Explanation:

Global policy packages allow administrators to define common security rules that should be applied to multiple environments. This ensures that baseline policies such as blocking malicious traffic or enforcing compliance standards are consistent across the entire network infrastructure. Individual ADOMs can still maintain their own local policies for environment-specific requirements.


How does Global ADOM simplify centralized network management?

Answer:

It allows shared configuration elements to be defined once and reused across multiple ADOMs.

Explanation:

Instead of creating identical objects or policies in every ADOM, administrators can define them once in the Global ADOM. These configurations are then inherited by other ADOMs when policies are installed. This approach reduces duplication, simplifies policy updates, and ensures consistency across multiple network environments.


What happens when a Global Policy Package is updated?

Answer:

The updated policy must be reinstalled on the affected devices to take effect.

Explanation:

FortiManager maintains configurations in its database. When administrators modify a global policy package, the change is stored in the management database but not automatically applied to devices. Administrators must perform a policy installation so the changes are pushed to the managed FortiGate devices.
