| Solution |
FortiManager uses Administrative Domains (ADOMs) to segment and manage Fortinet devices efficiently. This article explains the differences between:
- ADOM Operation Modes: Normal vs Backup.
- ADOM Device Modes: Normal vs Advanced.
- ADOM Modes: Normal vs Backup.
When creating an ADOM in FortiManager, one of two operation modes can be selected:
Normal ADOM Mode.
- The default mode when creating an ADOM.
- Used for full configuration management of Fortinet devices (for example, FortiGate, FortiProxy).
- Devices send real-time configuration changes to FortiManager (in case auto update and auto retrieve are enabled, as per the default settings).
Backup ADOM Mode.
- Used primarily for configuration backup and monitoring.
- Read-only from FortiManager; changes must be made directly on the device or via scripts.
- Suitable for archiving or environments with no direct config push from FortiManager.
Tip: The root ADOM cannot work in backup mode.
Comparison Table: ADOM Modes.
|
Feature
|
Normal ADOM Mode
|
Backup ADOM Mode
|
|
Access Type.
|
Read/Write.
|
Read-Only.
|
|
Configuration Management.
|
FortiManager pushes changes.
|
Directly via CLI/GUI or scripts.
|
|
Sync Behavior.
|
Real-time diff sync every 5 seconds via FGFM.
|
Sync occurs on logout, reboot, session timeout, or manual backup.
|
|
Config Change Method.
|
GUI, CLI, or scripts via FortiManager.
|
CLI/GUI on FortiGate or FortiManager scripts.
|
|
Policy Package Management.
|
Full editing and push support.
|
View only.
|
|
Object Handling.
|
Stored in the central database.
|
Stored only in the Device Manager database.
|
|
Use Cases.
|
Centralized config management, automation.
|
Backup, auditing, and archive-focused environments.
|
Summary.
- Use Normal ADOM Mode when FortiManager is your central configuration system.
- Use Backup ADOM Mode when you only need device backups and monitoring without central control.
-
ADOM Device Modes: Normal vs Advanced.
In addition to ADOM operation modes, FortiManager supports two device-level ADOM modes, found under:
System Settings → Advanced → Misc Settings → ADOM Mode.
These define how FortiGate VDOMs are assigned to ADOMs.
Normal Device Mode.
- All VDOMs from a single FortiGate are placed in the same ADOM.
- Simplifies device management.
- Ideal for single-tenant environments.
Advanced Device Mode.
- Each VDOM from the same FortiGate can be assigned to separate ADOMs.
- Allows granular, multi-tenant management.
- Useful for MSSPs or large enterprises with segmented administration.
Comparison Table: ADOM Device Modes.
|
Feature
|
Normal Device Mode
|
Advanced Device Mode
|
|
VDOM Assignment.
|
All VDOMs in one ADOM.
|
VDOMs are assigned to different ADOMs.
|
|
Use Case.
|
Centralized management.
|
Multi-tenant or departmental control.
|
|
Admin Model.
|
One team per device.
|
Different teams per VDOM.
|
|
Complexity.
|
Low.
|
Higher — requires careful VDOM mapping.
|
|
Flexibility.
|
Less — all VDOMs grouped.
|
More — individual VDOM management.
|
|
Misconfiguration Risk.
|
Low.
|
Higher if VDOM/ADOM mapping is unclear.
|
|
Typical Users.
|
SMBs, single-tenant enterprises.
|
MSSPs, universities, large enterprises.
|
Summary.
- Normal Device Mode: Easier to manage, all VDOMs from a FortiGate live in one ADOM.
- Advanced Device Mode: Greater control, VDOMs can be independently managed across multiple ADOMs.
|
