I recently came across a problem when configuring a large multi-tenant FortiMail setup: the domain administrators did not want other domain owners to be able to see their logs (understandable, obviously).
I did a lot of research and it seems a few people have had this same problem. I had seen rumors of an MSSP license for the appliances that would achieve this, but that would not have sat well with the customer, who was already heavily invested in appliance and licensing costs.
If you find yourself in this position, all is not lost. There is a CLI command for the FortiAnalyzer (FAZ) that enables log segregation per domain. Below I’ve screen-grabbed the command, and a simple example of its use.
Once you have done the above, simply create an ADOM for the domain, add the ‘vdom’ log sources that you created above to it, assign the relevant admin permissions to that ADOM, and you will have logs for that domain only (and any associated domains) flowing through, without other domain-level admins seeing them!