When creating an ADOM, the mode can be set to Normal or Backup.
When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make changes to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a diff revision on the change to the FortiManager using the FGFM protocol.
When creating an ADOM in Backup Mode, the ADOM is considered Read Only, where you cannot make changes to the ADOM and managed devices from FortiManager. Changes are made via scripts, which are run on the managed device, or through the device’s GUI or CLI directly. Revisions are sent to the FortiManager when specific conditions are met:
- Configuration change and session timeout
- Configuration change and log out
- Configuration change and reboot
- Manual configuration backup from the managed device.
When you add a device to an ADOM in backup mode, you can import firewall address and service objects to FortiManager, and FortiManager stores the objects in the Device Manager database. You can view the objects on the Policy & Objects pane. Although you can view the objects on the Policy & Objects pane, the objects are not stored in the central database. This lets you maintain a repository of objects used by all devices in the backup ADOM that is separate from the central database.
All devices that are added to the ADOM will only have their configuration backed up. Configuration changes cannot be made to the devices in a backup ADOM. You can push any existing revisions to managed devices. You can still monitor and review the revision history for these devices, and scripting is still allowed for pushing scripts directly to FortiGate units.