02. Administration And Management Flashcards
Enable ADOM
- From the GUI > System Info > Admin Domain
- From the CLI:
config system global
    set adom-status {enable | disable}
end
An admin with which profile can enable ADOMs?
Super_User
In which modes can an ADOM be created?
- Normal - full access to make config changes for ADOM and devices from FMG
- Backup - backup config changes made directly on managed device
How frequently are config changes checked in normal ADOM mode?
Every 5 sec, the config diff is sent to FMG
What protocol is used to send the config diff?
FortiGate-FortiManager communication protocol (FGFM)
Limitation of auto update?
Updates only Device Manager changes, not policy and object changes.
Backup mode ADOM
- Read only
- Not all management panes available. AP Manager, VPN Manager, FortiSwitch Manager are not available
- Can add and delete devices, but the device-level settings are not available for configuration and installation.
- Can import firewall address and service objects into FortiManager, and FortiManager stores the objects in the Device Manager database. You can view the objects on the Policy & Objects pane, but they are not stored in the central database. This lets you maintain a repository of objects used by all devices in the backup ADOM that is separate from the central database.
- Only use the script feature on FortiManager to make configuration changes to managed devices.
What is the difference between normal and advanced ADOM device modes?
- Normal - all VDOMs on the same FGT go to the same ADOM only
- Advanced - can assign different VDOMs from the same FortiGate device to different ADOMs
At what level is ADOM device mode applied?
Globally to all ADOMs
What is the main purpose of a backup ADOM?
A. To maintain backup config of managed devices
B. To install policy package changes offline
A. To maintain backup config of managed devices
Which action can you perform in advanced VDOMs mode?
A. Assign different VDOMs from same FGT to different ADOMs
B. Assign same VDOM to different ADOMs
A. Assign different VDOMs from same FGT to different ADOMs
Super_User
All system permissions
All device permissions
Standard_User
No system permissions
RW all device permissions
Restricted_User
No system permissions
RO device permissions
Package_User
RW access to policy packages and object permissions
RO access to system and other permissions
Types of administrator profiles defined in profile settings
System admin - allows them to view and configure as much, or as little, as required
Restricted admin - can make changes to the web filtering profile, IPS sensor, and application sensor associated with their ADOM
Methods to control and restrict administrator access
- Administrative profiles
- ADOMs
- Trusted hosts
- All or selected policy packages
External user authentication servers
- LDAP
- RADIUS
- TACACS+
- PKI
Track installation changes from the FortiManager user from FortiGate
Log & Report > Events on the managed FortiGate device
How can you restrict admin access to only a few ADOMs on FMG?
A. By disabling concurrent access to ADOMs
B. By assigning ADOMs to admin account
B. By assigning ADOMs to admin account