Support Forum
MohamedA
New Contributor

FORTIMANAGER/ADOM

Hello,

Some questions, please:

1) I need to know the use cases (limitations, advantages/inconveniences) of:

   - using the GLOBAL ADOM (push to many devices or VDOMs)
   - having many devices in one ADOM and pushing the same policy package

What is your opinion?

2) Maximum number of managed devices for each ADOM (does it depend on hardware, license, or is it unlimited?)

3) What do you think about using FortiGate with NAT and transparent mode in HA (problems / complexity / limitations)?

Thank you in advance.

 

1 Solution
Debbie_FTNT
Staff

To elaborate on Adam's reply:

1. You need different ADOMs if you have FGTs with different firmware versions as well; the Global database is to allow you to create objects you can then push to any ADOM, no matter what firmware it is. You can't really share objects/config between ADOMs; each is its own, isolated container usually.

-> it depends very much on your FortiManager use case

-> if you're unsure, you can reach out to Fortinet Sales/Professional Services for assistance in assessing what you need and what FortiManager configuration is suitable

2. An ADOM can contain up to the maximum number of devices the FortiManager itself supports. How many devices the FortiManager supports depends on the HW model or VM licence. Note that FortiGate VDOMs count as individual devices.

3. FortiGates should have an identical configuration in an active-passive (or active-active) cluster, so they will either be in transparent OR in NAT mode (or have VDOMs with both); if you try to form a cluster with different modes, the secondary unit will be overwritten.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++


6 REPLIES
adambomb1219
Contributor III

  1. Do you manage multiple divisions, companies, or groups of firewalls? If not, use root. No sense in complicating things.
  2. Not sure, AFAIK limited to the total number of licensed firewalls and the size of the FortiManager deployed.
  3. What is your use case? This isn't a "NAT is better than transparent" discussion. They are two totally separate and unique features.
MohamedA

Hello,

It is the same company but in different buildings (we use ADOM advanced mode). The root is alone. But I would like to know, if we use the same ADOM, what all the benefits of both are.

The ADOM depends on license or hardware, but for 1 ADOM, how many VDOMs/devices is it possible?

No NAT, we use only layer 4.

adambomb1219

Why? Why not use the same ADOM for all devices then? I see no point here in using ADOMs.
Unlimited up until the maximum supported by the FortiManager.

Routed mode / NAT mode means Layer 4. Transparent is Layer 2. So you should not deploy your firewalls in transparent mode.

sw2090
Honored Contributor

To be able to share objects (that are not device config) between ADOMs, the global ADOM exists.

Objects and policies in there can be assigned to any available ADOM.

I mainly use this, e.g., to maintain my Security Profile Groups and filters, so I only need to maintain these in one place but can use them in any of my ADOMs.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

MohamedA
New Contributor

Hello,

Thanks to everyone.

I have my response: I will use one ADOM and put all devices in it; easy for security and for upgrading firmware as a group.

I mean we use layer 4; we do not do NAT.

I close this subject.

Again, thanks.