| Solution | FortiManager uses Administrative Domains (ADOMs) to segment and manage Fortinet devices efficiently. This article explains the differences between:

- ADOM Operation Modes: Normal vs Backup.
- ADOM Device Modes: Normal vs Advanced.

ADOM Modes: Normal vs Backup.

When creating an ADOM in FortiManager, one of two operation modes can be selected:

Normal ADOM Mode.

- The default mode when creating an ADOM.
- Used for full configuration management of Fortinet devices (for example, FortiGate, FortiProxy).
- Devices send real-time configuration changes to FortiManager (when auto update and auto retrieve are enabled, as they are by default).

Backup ADOM Mode.

- Used primarily for configuration backup and monitoring.
- Read-only from FortiManager; changes must be made directly on the device or via scripts.
- Suitable for archiving or environments with no direct config push from FortiManager.

Tip: The root ADOM cannot work in backup mode.

Comparison Table: ADOM Modes.

| Feature | Normal ADOM Mode | Backup ADOM Mode |
| --- | --- | --- |
| Access Type. | Read/Write. | Read-Only. |
| Configuration Management. | FortiManager pushes changes. | Directly via CLI/GUI or scripts. |
| Sync Behavior. | Real-time diff sync every 5 seconds via FGFM. | Sync occurs on logout, reboot, session timeout, or manual backup. |
| Config Change Method. | GUI, CLI, or scripts via FortiManager. | CLI/GUI on FortiGate or FortiManager scripts. |
| Policy Package Management. | Full editing and push support. | View only. |
| Object Handling. | Stored in the central database. | Stored only in the Device Manager database. |
| Use Cases. | Centralized config management, automation. | Backup, auditing, and archive-focused environments. |

Summary.

- Use Normal ADOM Mode when FortiManager is your central configuration system.
- Use Backup ADOM Mode when you only need device backups and monitoring without central control.

ADOM Device Modes: Normal vs Advanced.

In addition to ADOM operation modes, FortiManager supports two device-level ADOM modes, found under: System Settings → Advanced → Misc Settings → ADOM Mode.
These define how FortiGate VDOMs are assigned to ADOMs.

Normal Device Mode.

- All VDOMs from a single FortiGate are placed in the same ADOM.
- Simplifies device management.
- Ideal for single-tenant environments.

Advanced Device Mode.

- Each VDOM from the same FortiGate can be assigned to separate ADOMs.
- Allows granular, multi-tenant management.
- Useful for MSSPs or large enterprises with segmented administration.

Comparison Table: ADOM Device Modes.

| Feature | Normal Device Mode | Advanced Device Mode |
| --- | --- | --- |
| VDOM Assignment. | All VDOMs in one ADOM. | VDOMs are assigned to different ADOMs. |
| Use Case. | Centralized management. | Multi-tenant or departmental control. |
| Admin Model. | One team per device. | Different teams per VDOM. |
| Complexity. | Low. | Higher — requires careful VDOM mapping. |
| Flexibility. | Less — all VDOMs grouped. | More — individual VDOM management. |
| Misconfiguration Risk. | Low. | Higher if VDOM/ADOM mapping is unclear. |
| Typical Users. | SMBs, single-tenant enterprises. | MSSPs, universities, large enterprises. |

Summary.

- Normal Device Mode: Easier to manage, all VDOMs from a FortiGate live in one ADOM.
- Advanced Device Mode: Greater control, VDOMs can be independently managed across multiple ADOMs.
|
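
The VDOM/ADOM mapping risk noted for Advanced Device Mode can be reviewed offline from an inventory list. The Python sketch below is an added example, not Fortinet code: the (device, VDOM, ADOM) tuples are constructed sample data and `audit_vdom_mapping` is a hypothetical helper. It reports which FortiGates have VDOMs spread across several ADOMs (possible only in Advanced Device Mode), which ADOMs share hardware as a result, and which VDOMs have no ADOM recorded.

```python
from collections import defaultdict

# Constructed sample inventory, not taken from a real FortiManager:
# (FortiGate name, VDOM name, ADOM the VDOM is assigned to, or None)
ASSIGNMENTS = [
    ("fgt-hq", "root", "Corp"),
    ("fgt-hq", "guest", "Corp"),
    ("fgt-mssp", "root", "MSSP-Infra"),
    ("fgt-mssp", "tenantA", "TenantA"),
    ("fgt-mssp", "tenantB", "TenantB"),
    ("fgt-lab", "root", "Lab"),
    ("fgt-lab", "test", None),
]


def audit_vdom_mapping(assignments):
    """Summarise how VDOMs are spread across ADOMs (hypothetical helper)."""
    adoms_by_device = defaultdict(set)
    devices_by_adom = defaultdict(set)
    unmapped = []
    for device, vdom, adom in assignments:
        if adom is None:
            unmapped.append((device, vdom))
            continue
        adoms_by_device[device].add(adom)
        devices_by_adom[adom].add(device)
    # A FortiGate whose VDOMs sit in more than one ADOM only works in
    # Advanced Device Mode; in Normal Device Mode all VDOMs share one ADOM.
    split = {d: sorted(a) for d, a in adoms_by_device.items() if len(a) > 1}
    # ADOMs that share physical hardware with another ADOM: the admin
    # boundary here is the VDOM, so these mappings deserve a review.
    shared = sorted(a for a, devs in devices_by_adom.items()
                    if any(d in split for d in devs))
    return {
        "required_device_mode": "advanced" if split else "normal",
        "split_devices": split,
        "adoms_sharing_hardware": shared,
        "unmapped_vdoms": sorted(unmapped),
    }


if __name__ == "__main__":
    for key, value in audit_vdom_mapping(ASSIGNMENTS).items():
        print(f"{key}: {value}")
```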