Using elements with administrative Domains

Each element automatically belongs to either the Domain in which it was created or to the Shared Domain. Before you create elements, log on to the Domain to which the elements should belong.

You can freely decide to which Domain most elements belong, except for the following elements:

  • Domains, Management Servers, Log Pruning Filters, and Administrator accounts with unrestricted permissions are elements that automatically belong to the Shared Domain. You can only create these elements in the Shared Domain, and you cannot move them to any other Domain.
  • Licenses and update packages always belong to the Shared Domain.
  • The Management Server’s internal LDAP user database (the LDAP Domain element called InternalDomain). Configure external LDAP servers in the Domains to create Domain-specific accounts for end-user authentication.
  • If you have Master NGFW Engine and Virtual NGFW Engine elements, the Master NGFW Engine must either belong to the Shared Domain or to the same Domain as the Virtual NGFW Engines.

In addition, there are limitations for selecting the Domain for some elements that are closely associated with other elements:

  • A Log Server that is selected as the Log Server for a Management Server must belong to the Shared Domain.
  • If a Log Server has a backup Log Server, both Log Servers must belong to the same Domain.
  • A Log Server and the NGFW Engines that send their event data to the Log Server must be in the same Domain.
  • A Task and the target of the Task (for example, an Export Log Task and the target Log Servers) must be in the same Domain. Otherwise, the Task cannot be run.
  • By default, all elements used in a VPN must belong to the same Domain. You can also use some elements that belong to the Shared Domain when you configure a VPN in another Domain. These elements include the VPN Client gateway, Certificate Authorities, Gateway Certificates, Gateway Profiles, Gateway Settings, and VPN Profiles.

Note: The elements in the Shared Domain are displayed to all administrators when they are logged on to any Domain in the Management Client.
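
The placement rules listed above can be checked against a planned element layout before anything is created. The following is an added example, not the product's own code or API: the inventory format, field names and element names are hypothetical, and the VPN exception set holds only the types this page names.

```python
SHARED = "Shared Domain"
# Element types the page places in the Shared Domain only.
SHARED_ONLY = {"Domain", "Management Server", "Log Pruning Filter",
               "License", "Update Package"}
# Shared-Domain types the page names as usable in another Domain's VPN.
VPN_SHARED_OK = {"VPN Client gateway", "Certificate Authority",
                 "Gateway Certificate", "Gateway Profile",
                 "Gateway Settings", "VPN Profile"}

def audit(elements):
    """Return (element, problem) pairs for a planned Domain layout."""
    by_name = {e["name"]: e for e in elements}
    findings = []
    for e in elements:
        kind, dom = e["type"], e["domain"]
        if (kind in SHARED_ONLY or e.get("unrestricted")) and dom != SHARED:
            findings.append((e["name"], "must belong to the Shared Domain"))
        for role, names in e.get("refs", {}).items():
            for ref in (by_name[n] for n in names):
                rd = ref["domain"]
                if kind == "Management Server" and role == "log_server":
                    ok = rd == SHARED
                elif kind == "Virtual NGFW Engine" and role == "master":
                    ok = rd in (SHARED, dom)
                elif kind == "VPN":
                    ok = rd == dom or (rd == SHARED and ref["type"] in VPN_SHARED_OK)
                else:  # backup Log Server, engine's Log Server, Task target
                    ok = rd == dom
                if not ok:
                    findings.append((e["name"], f"{role} {ref['name']} is in {rd}"))
    return findings

# Constructed inventory; the field names and element names are hypothetical.
SAMPLE = [
    {"name": "mgmt-1", "type": "Management Server", "domain": SHARED, "refs": {"log_server": ["log-shared"]}},
    {"name": "log-shared", "type": "Log Server", "domain": SHARED},
    {"name": "log-a", "type": "Log Server", "domain": "Customer A", "refs": {"backup": ["log-b"]}},
    {"name": "log-b", "type": "Log Server", "domain": "Customer B"},
    {"name": "fw-a", "type": "NGFW Engine", "domain": "Customer A", "refs": {"log_server": ["log-a"]}},
    {"name": "fw-b", "type": "NGFW Engine", "domain": "Customer B", "refs": {"log_server": ["log-b"]}},
    {"name": "export-a", "type": "Task", "domain": "Customer A", "refs": {"target": ["log-b"]}},
    {"name": "prof-shared", "type": "VPN Profile", "domain": SHARED},
    {"name": "vpn-a", "type": "VPN", "domain": "Customer A", "refs": {"member": ["fw-a", "prof-shared", "fw-b"]}},
    {"name": "root-a", "type": "Administrator", "domain": "Customer A", "unrestricted": True},
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```
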