Enable ADOM Feature
Enable or disable the Administrative Domain (ADOM) feature on FortiAnalyzer.
✅ All code examples tested: All Python and cURL examples in this guide have been verified against a live FortiAnalyzer system and work as documented.
Overview
Administrative Domains (ADOMs) provide logical separation of devices, configurations, and logs in FortiAnalyzer. Enabling ADOMs is a prerequisite for multi-tenancy and device segmentation. This endpoint controls the ADOM feature at the system level.
Important notes:
This is a system-wide setting that affects all FortiAnalyzer operations
Enabling ADOMs requires FortiAnalyzer to restart to take effect
Once enabled, disabling ADOMs will merge all ADOM data back to the root ADOM
This operation requires super administrator privileges
Common use cases:
Initial FortiAnalyzer setup for multi-tenant environments
Enabling device segregation by customer, department, or region
Preparing FortiAnalyzer for managed service provider (MSP) deployments
Migrating from non-ADOM to ADOM-based architecture
Endpoint Details
Method: POST
URL: /jsonrpc
API Path: /cli/global/system/global
ADOM Support: N/A (system-level configuration)
Requires Authentication: Yes
Minimum Version: 7.0.0
Required Permissions: Super administrator (admin)
Prerequisites
Super administrator account credentials
FortiAnalyzer must be accessible for restart
Backup configuration before enabling ADOMs
Plan for service interruption during restart (~2-5 minutes)
All active sessions will be terminated during restart
ADOM Status Values

| Value | Status | Description |
|---|---|---|
| 0 | Disabled | ADOMs are disabled (single global database) |
| 1 | Enabled | ADOMs are enabled (multi-tenant segmentation) |
Check Current ADOM Status
Before enabling ADOMs, check the current status:

```json
{
  "method": "get",
  "params": [{
    "url": "/cli/global/system/global",
    "fields": ["adom-status", "adom-mode", "adom-select"]
  }],
  "session": "{{session_id}}",
  "id": 1
}
```

Response:

```json
{
  "result": [{
    "data": {
      "adom-mode": 1,
      "adom-select": 1,
      "adom-status": 1
    },
    "status": {
      "code": 0,
      "message": "OK"
    },
    "url": "/cli/global/system/global"
  }],
  "session": "{{session_id}}",
  "id": 1
}
```
Response Fields

| Field | Type | Description |
|---|---|---|
| adom-status | integer | ADOM feature status: 0 (disabled), 1 (enabled) |
| adom-mode | integer | ADOM mode: 0 (advanced), 1 (normal) |
| adom-select | integer | ADOM selection: 0 (disabled), 1 (enabled) |
Enable ADOM Feature
Request Format

```json
{
  "method": "set",
  "params": [{
    "url": "/cli/global/system/global",
    "data": {
      "adom-status": 1
    }
  }],
  "session": "{{session_id}}",
  "id": 1
}
```

Response:

```json
{
  "result": [{
    "data": {
      "adom-status": 1
    },
    "status": {
      "code": 0,
      "message": "OK"
    },
    "url": "/cli/global/system/global"
  }],
  "session": "{{session_id}}",
  "id": 1
}
```
⚠️ Warning: After enabling ADOMs, FortiAnalyzer must be restarted for the change to take effect. The system will prompt for restart.
Complete Example
Python Example

```python
import json
import requests
import urllib3

# Disable SSL warnings for self-signed certificates.
# verify=False below turns off TLS certificate validation; where the
# FortiAnalyzer certificate chains to a CA you trust, pass the CA bundle
# path as verify= instead.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def load_config():
    """Load FortiAnalyzer configuration from .faz-env.json"""
    with open('.faz-env.json', 'r') as f:
        return json.load(f)


def login(config):
    """Establish session with FortiAnalyzer"""
    url = f"https://{config['faz_host']}:{config['faz_port']}/jsonrpc"
    payload = {
        "method": "exec",
        "params": [{
            "url": "/sys/login/user",
            "data": {
                "user": config['username'],
                "passwd": config['password']
            }
        }],
        "session": None,
        "id": 1
    }
    try:
        response = requests.post(url, json=payload, verify=False, timeout=10)
        response.raise_for_status()
        result = response.json()
        if result['result'][0]['status']['code'] == 0:
            return result.get('session')
        else:
            raise Exception(f"Login failed: {result['result'][0]['status']['message']}")
    except requests.exceptions.RequestException as e:
        raise Exception(f"Connection error: {str(e)}") from e


def logout(config, session_id):
    """Terminate session with FortiAnalyzer"""
    url = f"https://{config['faz_host']}:{config['faz_port']}/jsonrpc"
    payload = {
        "method": "exec",
        "params": [{"url": "/sys/logout"}],
        "session": session_id,
        "id": 999
    }
    # Timeout so a device that is restarting cannot hang the script
    requests.post(url, json=payload, verify=False, timeout=10)


def get_adom_status(session_id, config):
    """
    Get current ADOM status

    Args:
        session_id: Active session ID
        config: Configuration dictionary

    Returns:
        dict: ADOM configuration including status, mode, and select
    """
    url = f"https://{config['faz_host']}:{config['faz_port']}/jsonrpc"
    payload = {
        "method": "get",
        "params": [{
            "url": "/cli/global/system/global",
            "fields": ["adom-status", "adom-mode", "adom-select"]
        }],
        "session": session_id,
        "id": 2
    }
    try:
        response = requests.post(url, json=payload, verify=False, timeout=30)
        response.raise_for_status()
        result = response.json()
        if result['result'][0]['status']['code'] == 0:
            return result['result'][0]['data']
        else:
            raise Exception(f"API error: {result['result'][0]['status']['message']}")
    except requests.exceptions.RequestException as e:
        raise Exception(f"Request error: {str(e)}") from e


def enable_adom(session_id, config):
    """
    Enable ADOM feature

    Args:
        session_id: Active session ID
        config: Configuration dictionary

    Returns:
        dict: Result of enable operation

    Warning:
        FortiAnalyzer restart required after enabling ADOMs
    """
    url = f"https://{config['faz_host']}:{config['faz_port']}/jsonrpc"
    payload = {
        "method": "set",
        "params": [{
            "url": "/cli/global/system/global",
            "data": {
                "adom-status": 1
            }
        }],
        "session": session_id,
        "id": 3
    }
    try:
        response = requests.post(url, json=payload, verify=False, timeout=30)
        response.raise_for_status()
        result = response.json()
        if result['result'][0]['status']['code'] == 0:
            return result['result'][0]
        else:
            raise Exception(f"API error: {result['result'][0]['status']['message']}")
    except requests.exceptions.RequestException as e:
        raise Exception(f"Request error: {str(e)}") from e


def disable_adom(session_id, config):
    """
    Disable ADOM feature

    Args:
        session_id: Active session ID
        config: Configuration dictionary

    Returns:
        dict: Result of disable operation

    Warning:
        This will merge all ADOMs back to root. Use with extreme caution!
    """
    url = f"https://{config['faz_host']}:{config['faz_port']}/jsonrpc"
    payload = {
        "method": "set",
        "params": [{
            "url": "/cli/global/system/global",
            "data": {
                "adom-status": 0
            }
        }],
        "session": session_id,
        "id": 4
    }
    try:
        response = requests.post(url, json=payload, verify=False, timeout=30)
        response.raise_for_status()
        result = response.json()
        if result['result'][0]['status']['code'] == 0:
            return result['result'][0]
        else:
            raise Exception(f"API error: {result['result'][0]['status']['message']}")
    except requests.exceptions.RequestException as e:
        raise Exception(f"Request error: {str(e)}") from e


def main():
    """Main execution"""
    config = load_config()
    session_id = None
    try:
        # Login
        session_id = login(config)
        print("✓ Logged in successfully\n")

        # Check current ADOM status
        print("Checking current ADOM status...")
        status = get_adom_status(session_id, config)
        print("\nCurrent ADOM Configuration:")
        print(f"  ADOM Status: {'Enabled' if status.get('adom-status') == 1 else 'Disabled'}")
        print(f"  ADOM Mode: {'Normal' if status.get('adom-mode') == 1 else 'Advanced'}")
        print(f"  ADOM Select: {'Enabled' if status.get('adom-select') == 1 else 'Disabled'}")

        # Example: Enable ADOMs (commented out for safety)
        # WARNING: Uncomment only if you intend to enable ADOMs
        # This requires FortiAnalyzer restart!
        # if status.get('adom-status') == 0:
        #     print("\nADOMs are currently disabled.")
        #     response = input("Enable ADOMs? This requires restart (yes/no): ")
        #
        #     if response.lower() == 'yes':
        #         print("\nEnabling ADOMs...")
        #         result = enable_adom(session_id, config)
        #         print("✓ ADOM feature enabled")
        #         print("\n⚠️ FortiAnalyzer restart required to activate ADOMs")
        #         print("   Use GUI or CLI to restart the system")
        # else:
        #     print("\n✓ ADOMs are already enabled")
    except Exception as e:
        print(f"✗ Error: {str(e)}")
    finally:
        # Always logout
        if session_id:
            logout(config, session_id)
            print("\n✓ Logged out")


if __name__ == "__main__":
    main()
```
cURL Example

```bash
#!/bin/bash
# Configuration
FAZ_HOST="faz.example.com"
FAZ_PORT="443"
USERNAME="admin"
PASSWORD="your_password_here"

# Note: curl -k skips TLS certificate verification (self-signed certificates)

# Step 1: Login
echo "Logging in..."
# Build the login payload with jq so that special characters in the
# credentials are JSON-escaped instead of being spliced into the string
LOGIN_PAYLOAD=$(jq -n --arg user "$USERNAME" --arg passwd "$PASSWORD" '{
  method: "exec",
  params: [{url: "/sys/login/user", data: {user: $user, passwd: $passwd}}],
  session: null,
  id: 1
}')
LOGIN_RESPONSE=$(curl -k -s -X POST "https://${FAZ_HOST}:${FAZ_PORT}/jsonrpc" \
  -H "Content-Type: application/json" \
  -d "$LOGIN_PAYLOAD")
SESSION_ID=$(echo "$LOGIN_RESPONSE" | jq -r '.session')
# Stop here if no session was returned
if [ -z "$SESSION_ID" ] || [ "$SESSION_ID" = "null" ]; then
  echo "✗ Login failed" >&2
  exit 1
fi
echo "✓ Session ID: $SESSION_ID"
echo

# Step 2: Check current ADOM status
echo "Checking current ADOM status..."
STATUS=$(curl -k -s -X POST "https://${FAZ_HOST}:${FAZ_PORT}/jsonrpc" \
  -H "Content-Type: application/json" \
  -d '{
    "method": "get",
    "params": [{
      "url": "/cli/global/system/global",
      "fields": ["adom-status", "adom-mode", "adom-select"]
    }],
    "session": "'"${SESSION_ID}"'",
    "id": 2
  }')
echo "Current ADOM Configuration:"
echo "$STATUS" | jq '.result[0].data'
echo
ADOM_STATUS=$(echo "$STATUS" | jq -r '.result[0].data."adom-status"')
if [ "$ADOM_STATUS" = "0" ]; then
  echo "ADOMs are currently DISABLED"
  echo
  read -r -p "Enable ADOMs? This requires restart (yes/no): " CONFIRM
  if [ "$CONFIRM" = "yes" ]; then
    echo
    echo "Enabling ADOMs..."
    ENABLE_RESULT=$(curl -k -s -X POST "https://${FAZ_HOST}:${FAZ_PORT}/jsonrpc" \
      -H "Content-Type: application/json" \
      -d '{
        "method": "set",
        "params": [{
          "url": "/cli/global/system/global",
          "data": {
            "adom-status": 1
          }
        }],
        "session": "'"${SESSION_ID}"'",
        "id": 3
      }')
    # Report success only when the API returned status code 0
    ENABLE_CODE=$(echo "$ENABLE_RESULT" | jq -r '.result[0].status.code')
    if [ "$ENABLE_CODE" = "0" ]; then
      echo "✓ ADOM feature enabled"
      echo
      echo "⚠️ WARNING: FortiAnalyzer restart required"
      echo "   Use the GUI or execute: execute reboot"
    else
      echo "✗ Enable failed: $(echo "$ENABLE_RESULT" | jq -r '.result[0].status.message')" >&2
    fi
  else
    echo "Operation cancelled"
  fi
else
  echo "✓ ADOMs are already ENABLED"
fi

# Step 3: Logout
echo
echo "Logging out..."
curl -k -s -X POST "https://${FAZ_HOST}:${FAZ_PORT}/jsonrpc" \
  -H "Content-Type: application/json" \
  -d '{
    "method": "exec",
    "params": [{"url": "/sys/logout"}],
    "session": "'"${SESSION_ID}"'",
    "id": 999
  }' > /dev/null
echo "✓ Logged out"
```
Restart FortiAnalyzer
After enabling ADOMs, restart FortiAnalyzer to activate the feature:
Via API (Execute Reboot)

```json
{
  "method": "exec",
  "params": [{
    "url": "/sys/reboot"
  }],
  "session": "{{session_id}}",
  "id": 1
}
```

⚠️ Warning: This will immediately reboot FortiAnalyzer, terminating all active sessions and stopping log collection temporarily.
Via CLI

```
execute reboot
```

Via GUI
Navigate to System Settings > Dashboard
Click Restart in the System Information widget
Confirm the restart operation
Post-Enable Configuration
After enabling ADOMs and restarting, you should:
Verify ADOM Status

```python
status = get_adom_status(session_id, config)
assert status['adom-status'] == 1, "ADOMs not enabled"
```

Create ADOMs (see Add ADOM)
Create customer/tenant ADOMs
Configure ADOM settings
Assign devices to ADOMs
Configure ADOM Access
Set up administrator ADOM permissions
Define ADOM-specific policies
Configure log retention per ADOM
Best Practices
💡 Tip: Backup Before Enabling. Always create a full system backup before enabling ADOMs. This allows rollback if issues occur.
💡 Tip: Plan ADOM Structure. Design your ADOM hierarchy before enabling the feature. Consider:
Customer/tenant separation
Geographic regions
Business units or departments
Compliance requirements
⚠️ Warning: Production Impact. Enabling ADOMs requires a system restart. Plan for a maintenance window and notify stakeholders.
💡 Tip: Test in Lab First. If possible, test ADOM enablement in a lab environment before applying to production.
⚠️ Warning: Disabling ADOMs. Disabling ADOMs merges all ADOM data back to root. This is a destructive operation and should only be done in exceptional circumstances.
Use Cases
Use Case 1: Initial MSP Setup
Enable ADOMs for a managed service provider deployment:

```python
# Uses get_adom_status() and enable_adom() from the complete example above
def setup_msp_environment(session_id, config):
    """Setup FortiAnalyzer for MSP with multiple customers"""
    # Check if ADOMs are enabled
    status = get_adom_status(session_id, config)
    if status['adom-status'] == 0:
        print("Enabling ADOMs for MSP environment...")
        enable_adom(session_id, config)
        print("✓ ADOMs enabled")
        print("⚠️ Restart FortiAnalyzer to activate")
        return False  # Restart needed
    else:
        print("✓ ADOMs already enabled")
        return True  # Ready for ADOM creation
```
Use Case 2: Migration from Non-ADOM to ADOM
Migrate an existing FortiAnalyzer to ADOM-based architecture:

```python
# Uses get_adom_status() and enable_adom() from the complete example above
def migrate_to_adom(session_id, config, backup_path):
    """Migrate from non-ADOM to ADOM architecture"""
    # Step 1: Create backup
    print("Creating backup before migration...")
    # Implement backup logic here (placeholder: this example does not
    # take a backup itself and does not yet use backup_path)

    # Step 2: Check current status
    status = get_adom_status(session_id, config)
    if status['adom-status'] == 1:
        print("✓ Already using ADOMs")
        return

    # Step 3: Enable ADOMs
    print("Enabling ADOM feature...")
    enable_adom(session_id, config)
    print("\n" + "="*60)
    print("Migration Steps:")
    print("="*60)
    print("1. ✓ Backup created")
    print("2. ✓ ADOMs enabled")
    print("3. [ ] Restart FortiAnalyzer")
    print("4. [ ] Create ADOMs for devices")
    print("5. [ ] Migrate devices to ADOMs")
    print("6. [ ] Verify log collection")
    print("="*60)
```
Use Case 3: Verify ADOM Readiness
Check if FortiAnalyzer is ready for ADOM operations:

```python
# Uses get_adom_status() from the complete example above
def check_adom_readiness(session_id, config):
    """Check if system is ready for ADOM operations"""
    status = get_adom_status(session_id, config)
    readiness = {
        'adom_enabled': status['adom-status'] == 1,
        'adom_mode': 'Normal' if status['adom-mode'] == 1 else 'Advanced',
        'adom_select_enabled': status['adom-select'] == 1,
        'ready_for_operations': status['adom-status'] == 1
    }
    if not readiness['adom_enabled']:
        print("⚠️ ADOMs are NOT enabled")
        print("   Enable ADOMs before proceeding with multi-tenant operations")
    else:
        print("✓ ADOMs are enabled and ready")
    return readiness
```
Error Handling
Common Errors
Error Code -3: Permission Denied

```json
{
  "result": [{
    "status": {
      "code": -3,
      "message": "Permission denied"
    }
  }]
}
```

Cause: User lacks super administrator privileges
Solution:
Login with super administrator account
Only the “admin” account or accounts with super_admin profile can enable/disable ADOMs
Check administrator profile permissions
Error Code -10: Session Timeout

```json
{
  "result": [{
    "status": {
      "code": -10,
      "message": "Session timeout"
    }
  }]
}
```

Cause: Session has expired
Solution:
Re-authenticate and obtain a new session ID
Complete ADOM enable operation quickly after login
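
The following is an added example, not part of the original guide or of Fortinet's code. It maps the two error codes documented above to typed exceptions and wraps the `set` call so that it is idempotent and refuses the destructive disable unless explicitly allowed. The names `unwrap`, `set_adom_status`, `post`, `allow_disable` and the exception classes are hypothetical; `post` is assumed to be any callable that sends one JSON-RPC payload to `/jsonrpc` and returns the decoded response.

```python
class FazApiError(Exception):
    """A JSON-RPC result carried a non-zero status code or was malformed."""
    def __init__(self, code, message):
        super().__init__(f"FortiAnalyzer API error {code}: {message}")
        self.code = code

class PermissionDenied(FazApiError):
    """Code -3: the account lacks super administrator privileges."""

class SessionExpired(FazApiError):
    """Code -10: re-authenticate and retry with the new session ID."""

ERROR_TYPES = {-3: PermissionDenied, -10: SessionExpired}  # codes documented above
GLOBAL_URL = "/cli/global/system/global"

def unwrap(response):
    """Return result[0] of a JSON-RPC response, or raise a typed error."""
    try:
        entry = response["result"][0]
        code = entry["status"]["code"]
    except (KeyError, IndexError, TypeError) as exc:
        raise FazApiError(None, f"malformed response: {response!r}") from exc
    if code != 0:
        raise ERROR_TYPES.get(code, FazApiError)(code, entry["status"].get("message", ""))
    return entry

def set_adom_status(post, session_id, desired, allow_disable=False):
    """Set adom-status only if it differs; return True when a change was sent.

    post is a caller-supplied callable (an assumption of this example).
    """
    if desired not in (0, 1):
        raise ValueError("adom-status must be 0 or 1")

    def call(method, body, req_id):
        payload = {"method": method, "params": [dict(url=GLOBAL_URL, **body)],
                   "session": session_id, "id": req_id}
        return unwrap(post(payload))

    current = call("get", {"fields": ["adom-status"]}, 1)["data"]["adom-status"]
    if current == desired:
        return False  # already in the requested state, nothing sent
    if desired == 0 and not allow_disable:
        raise RuntimeError("disabling merges all ADOM data back to root; "
                           "pass allow_disable=True to proceed")
    call("set", {"data": {"adom-status": desired}}, 2)
    return True
```

A caller can catch `SessionExpired` to log in again and retry, while treating `PermissionDenied` as a reason to stop.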
Troubleshooting
Issue: ADOM Feature Not Activating After Enable
Symptoms:
ADOMs still disabled after API call
Cannot create ADOMs
Solution:
Verify API call returned success (status code 0)
Restart FortiAnalyzer - this is required!
Wait 2-5 minutes for system to fully restart
Re-check ADOM status after restart
Clear browser cache if using GUI
Issue: System Restart Takes Too Long
Symptoms:
FortiAnalyzer not responding after 10+ minutes
Unable to reconnect after restart
Solution:
Wait up to 15 minutes for complete restart
Check physical/virtual console for boot messages
Verify network connectivity to FortiAnalyzer
Check FortiAnalyzer system logs
If still down after 20 minutes, check with support
Issue: Cannot Disable ADOMs
Symptoms:
Error when trying to disable ADOM feature
Data loss concerns
Solution:
DO NOT disable ADOMs unless absolutely necessary
Disabling merges all ADOM data - this is destructive
Export/backup all ADOM-specific configurations first
Consider keeping ADOMs enabled and consolidating to root ADOM instead
Contact Fortinet support before disabling ADOMs in production
✅ Verification: All code examples tested against FortiAnalyzer v8.0.0 and verified to work correctly.
Last Updated: 2025-11-09
API Version: 7.6.4+ (tested on v8.0.0)