Using elements with administrative Domains

Each element automatically belongs either to the Domain in which it was created or to the Shared Domain. When you create elements, log on to the correct Domain first and then create the elements, so that they belong to the right Domain.

You can freely decide to which Domain most elements belong, except for the following elements:

  • Domains, Management Servers, Log Pruning Filters, and Administrator accounts with unrestricted permissions (superusers) are elements that automatically belong to the Shared Domain. You can only create these elements in the Shared Domain, and you cannot move them to any other Domain.
  • Licenses and update packages always belong to the Shared Domain.
  • The Management Server’s internal LDAP user database (the LDAP Domain element called InternalDomain) always belongs to the Shared Domain. Configure external LDAP servers in the Domains to create Domain-specific accounts for end-user authentication.
  • If you have Master NGFW Engine and Virtual NGFW Engine elements, the Master NGFW Engine must either belong to the Shared Domain or to the same Domain as the Virtual NGFW Engines.

In addition, there are limitations for selecting the Domain for some elements that are closely associated with other elements:

  • A Log Server that is selected as the Log Server for a Management Server must belong to the Shared Domain.
  • If a Log Server has a backup Log Server, both Log Servers must belong to the same Domain.
  • A Log Server and the NGFW Engines that send their event data to the Log Server must be in the same Domain.
  • A Task and the target of the Task (for example, an Export Log Task and the target Log Servers) must be in the same Domain. Otherwise, the Task cannot be run.
  • By default, all elements used in a VPN must belong to the same Domain. You can also use some elements that belong to the Shared Domain when you configure a VPN in another Domain. These elements include the VPN Client gateway, Certificate Authorities, Gateway Certificates, Gateway Profiles, Gateway Settings, and VPN Profiles.
Note: The elements in the Shared Domain are displayed to all administrators when they are logged on to any Domain in the Management Client.
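As an added example that is not part of the SMC documentation, the following Python script audits a constructed inventory of elements against the Domain placement rules listed above. The dictionary layout, element type names and element names are assumptions for illustration, not the SMC API or an SMC export format.

```python
# Added example: checks a constructed element inventory against the SMC Domain rules.
# The dict layout (type, domain, reference fields) is an assumption, not the SMC API.
SHARED = "Shared Domain"
SHARED_ONLY = {"Domain", "Management Server", "Log Pruning Filter", "Superuser"}
# VPN element types that may stay in the Shared Domain when the VPN is in another Domain
VPN_SHARED_OK = {"VPN Client gateway", "Certificate Authority", "Gateway Certificate",
                 "Gateway Profile", "Gateway Settings", "VPN Profile"}

def check_domains(elements):
    """Return a list of rule violations for elements of the form {'type', 'domain', refs...}."""
    dom = lambda name: elements[name]["domain"]
    problems = []
    for name, e in elements.items():
        t, d = e["type"], e["domain"]
        if t in SHARED_ONLY and d != SHARED:
            problems.append(f"{name}: {t} must belong to the Shared Domain")
        if t == "Management Server" and dom(e["log_server"]) != SHARED:
            problems.append(f"{name}: its Log Server must belong to the Shared Domain")
        if t == "Log Server" and "backup" in e and dom(e["backup"]) != d:
            problems.append(f"{name}: backup Log Server {e['backup']} must be in the same Domain")
        if t == "NGFW Engine" and dom(e["log_server"]) != d:
            problems.append(f"{name}: Log Server must be in the same Domain as the engine")
        if t == "Virtual NGFW Engine" and dom(e["master"]) not in (SHARED, d):
            problems.append(f"{name}: Master NGFW Engine must be Shared or in the same Domain")
        if t == "Task" and any(dom(x) != d for x in e["targets"]):
            problems.append(f"{name}: Task and its targets must be in the same Domain")
        if t == "VPN":
            for m in e["members"]:
                shared_ok = dom(m) == SHARED and elements[m]["type"] in VPN_SHARED_OK
                if dom(m) != d and not shared_ok:
                    problems.append(f"{name}: VPN element {m} is in another Domain")
    return problems

# Constructed sample inventory containing two deliberate violations
SAMPLE = {
    "mgmt": {"type": "Management Server", "domain": SHARED, "log_server": "log-shared"},
    "log-shared": {"type": "Log Server", "domain": SHARED},
    "log-a": {"type": "Log Server", "domain": "Domain A", "backup": "log-b"},
    "log-b": {"type": "Log Server", "domain": "Domain B"},  # backup lives in another Domain
    "fw-a": {"type": "NGFW Engine", "domain": "Domain A", "log_server": "log-a"},
    "export": {"type": "Task", "domain": "Domain A", "targets": ["log-a"]},
    "ca": {"type": "Certificate Authority", "domain": SHARED},  # Shared CA is allowed in a VPN
    "gw-b": {"type": "Gateway", "domain": "Domain B"},  # gateway from another Domain is not
    "vpn-a": {"type": "VPN", "domain": "Domain A", "members": ["ca", "gw-b"]},
}

if __name__ == "__main__":
    for line in check_domains(SAMPLE):
        print(line)
```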

When an administrator modifies a simple element, the Management Server checks whether the administrator has permissions for all the granted elements that the edited element refers to. This prevents one administrator from modifying an element that is used in several sub-domains without the administrators of the other sub-domains being notified of the change.

The Management Server reference check is enabled in all SMC versions. To allow administrators to make changes to elements that are shared by several sub-domains, disable the reference check as follows:

  • On the Management Server host, open the <smc_installation_folder>/data/SGConfiguration.txt file for editing.
  • Add the CHECK_REFERENCES_DURING_EDITION=false definition.
  • Save the file.
  • Restart the Management Server service.
Note: Administrators of the other sub-domains can see the change in Pending Changes.