Fortinet fcp fmg ad 7 6 practice test
FCP - FortiManager 7.6 Administrator
Question 1
You want to let multiple administrators work in the same ADOM without creating configuration
conflicts.
What is the best and the most effective solution to apply?
- A. Configure RADIUS authentication to assign ADOM roles to each user.
- B. Enable workflow mode, which is the only way to prevent concurrent configuration conflicts.
- C. Assign administrators with JSON API access to the FortiManager.
- D. Activate workspace mode in the ADOM settings.
Answer:
D
Explanation:
Activating workspace mode in the ADOM settings allows multiple administrators to work
concurrently in the same ADOM by isolating their configuration changes in separate workspaces,
preventing conflicts and enabling effective collaboration.
Question 2
Refer to the exhibit.
If the monitored interface for the primary FortiManager device fails, what must you do to maintain
high availability (HA)?
- A. The FortiManager HA failover is transparent to administrators and does not require any additional action.
- B. Manually promote one of the working secondary devices to the primary role: and reboot the original primary device to remove the peer IP address of the failed device.
- C. Reconfigure the primary device to remove the peer IP address of the failed device from its configuration.
- D. Check the integrity database of the primary device to force a secondary device to become the new primary with all active interfaces.
Answer:
A
Explanation:
In a FortiManager HA cluster configured with VRRP failover, the failover process is automatic and
transparent to administrators. If the monitored interface on the primary device fails, the secondary
device takes over without requiring manual intervention to maintain HA.
Question 3
Refer to the exhibit.
An administrator has created a firewall address object that is used in multiple policy packages for
multiple FortiGate devices in an ADOM.
After the installation operation is performed, which IP/netmask will be installed on Remote-Firewall
[VDOM1] for the LAN firewall address object?
- A. 21.21.2.5/255.255.255.255
- B. 172.16.5.20/255.255.255.255
- C. 172.16.5.0/255.255.255.0
- D. 10.10.10.5/255.255.255.255
Answer:
A
Explanation:
The per-device mapping overrides the global IP/netmask setting for the firewall address object. For
the device "Remote-Firewall," the mapped IP/netmask is 21.21.2.5/255.255.255.255, so this value
will be installed on Remote-Firewall [VDOM1].
Question 4
Refer to the exhibits.
An administrator needed to recover all the configurations related to the user, Support. The
configurations were saved in configuration revision ID 9.
The administrator reverted the configuration using the Configuration Revision History window and
received the CLI output shown in the exhibit.
What can you conclude from the CLI output?
- A. The administrator set the flag to 0 to prevent configuration overrides.
- B. The administrator reinstalled the policy package.
- C. The administrator needs to retrieve the device to correctly detect the FortiGate firmware version.
- D. The administrator installed only the device-level configuration.
Answer:
C
Explanation:
The CLI output shows the status "dev-db: not modified; conf: in sync; cond: OK; dm: installed," but
the firmware version for the device is listed as "[unknown]." This indicates that FortiManager has not
properly detected the FortiGate firmware version, likely because the device needs to be retrieved to
update its information.
Question 5
An administrator wants to configure and manage multiple objects in the FortiManager database and
give access to other users who work in the same database.
To stay in control of the changes made to firewall policies by other team members, the administrator
needs a setup where all modifications go through a central check before they can be installed.
How can the administrator create this setup?
- A. Enable the prompt asking the administrator to accept firewall policies changes before saving.
- B. Enable the workspace (for all ADOMs) to control all changes made by any administrator.
- C. Enable device lock and the advanced mode feature in the ADOM.
- D. Enable workflow mode and the ADOM lock feature.
Answer:
D
Explanation:
Enabling workflow mode along with the ADOM lock feature ensures that all configuration changes go
through a centralized review and approval process before installation, allowing controlled and
coordinated management of firewall policies by multiple administrators.
Question 6
Which two conditions trigger FortiManager to create a new revision history? (Choose two.)
- A. When FortiManager installs device-level changes on a managed device
- B. When changes to the device-level database are made on FortiManager
- C. When FortiManager is auto-updated with configuration changes made directly on a managed device
- D. When a provisioning template is assigned to a managed device on the device-level database
Answer:
B, C
Explanation:
FortiManager creates a new revision history entry whenever changes are made to the device-level
database on FortiManager.
FortiManager also creates a new revision when it auto-updates its database with configuration
changes detected directly on a managed device.
Question 7
An administrator has assigned a global policy package to a new ADOM named ADOM1.
What will happen if the administrator tries to create a new policy package in ADOM1?
- A. The administrator will be able to select the option to assign the global policy package to the new policy package.
- B. FortiManager will automatically assign the global policy package to the new policy package.
- C. FortiManager will automatically install policies on the policy package in ADOM1.
- D. The administrator will have to assign the global policy package from the global ADOM.
Answer:
A
Explanation:
When a global policy package is assigned to an ADOM, administrators creating new policy packages
within that ADOM have the option to select and assign the global policy package to the new policy
package if desired.
Question 8
Refer to the exhibits.
FortiGate HQ-NGFW-1 downloads and validates FortiGuard databases from FortiManager which acts
as a local FortiGuard Distribution Server (FDS) in a closed network. An administrator pushes a new
firewall policy with an intrusion prevention system (IPS) profile from FortiManager to FortiGate HQ-
NGFW-1 However, FortiGate does not recognize the new IPS signature from FortiManager.
What is the most likely reason why FortiGate HQ-NGFW-1 does not recognize the new IPS signature?
- A. FortiGate must enable rating for the FortiManager IP address, 192.168.1.120, in server list 1.
- B. FortiManager and FortiGate have different IPS database versions.
- C. The administrator must enable IPv6 connections for FortiGuard services on FortiManager.
- D. The administrator must enable the fortiguard-anycast option to correctly download all signatures from the local FDS.
Answer:
B
Explanation:
The most likely reason FortiGate HQ-NGFW-1 does not recognize the new IPS signature is that
FortiManager and FortiGate have different IPS database versions. The FortiManager may have
pushed a signature update that FortiGate has not yet synchronized or validated locally, causing the
signature to be unrecognized.
Question 9
Which is recommended when you are managing a high volume of logs in your network?
- A. Store logs on FortiManager and use FortiView.
- B. Add and manage FortiAnalyzer from FortiManager.
- C. Enable advanced ADOM mode on FortiManager.
- D. Forward logs from FortiAnalyzer to FortiManager daily.
Answer:
B
Explanation:
Adding and managing FortiAnalyzer from FortiManager is recommended for handling a high volume
of logs, as FortiAnalyzer is designed specifically for centralized log management, analysis, and
reporting, which offloads this workload from FortiManager.
Question 10
While attempting to push a NetFlow configuration script through the FortiManager policy package:
an administrator encounters an error stating that an object is unrecognized in line 4.
What must the administrator do to successfully apply the NetFlow configuration script and avoid the
object unrecognized error?
- A. Make sure the user running the script has full access to the VDOM—AGEUSR.
- B. Run the script on the device database.
- C. Use metadata variables if they use VDOMs in the script.
- D. Create a normalized interface on the policy layer before running the script.
Answer:
C
Explanation:
When using scripts that reference VDOM-specific objects, such as interfaces, in FortiManager,
metadata variables must be used to correctly map those objects per VDOM. This prevents "object
unrecognized" errors during script execution.
Question 11
What is the best explanation of how FortiManager helps with mass provisioning?
- A. It upgrades the OS of each FortiGate device.
- B. It provides local FortiGuard Distribution Server (FDS) services to the network.
- C. It uses templates to configure the same settings on many devices simultaneously.
- D. It sends email alerts when new devices connect.
Answer:
C
Explanation:
FortiManager helps with mass provisioning by using templates that allow administrators to configure
the same settings on multiple FortiGate devices simultaneously, streamlining deployment and
management.
Question 12
What is the purpose of ADOM revisions?
- A. ADOM revisions find unused, duplicate, and unnecessary firewall policies and objects.
- B. ADOM revisions show specific changes in a policy package when it is installed.
- C. ADOM revisions compare previous snapshots of the Policy Package and ADOM-level objects with the device-level database.
- D. ADOM revisions save the current state of all policy packages and objects for an ADOM.
Answer:
D
Explanation:
ADOM revisions save the current state of all policy packages and objects within an ADOM, allowing
administrators to track changes over time and revert to previous configurations if needed.
Question 13
Refer to the exhibit.
An administrator assigned a new policy package to FortiGate HQ-NGFW-1. In the installation preview,
they noticed some settings they did not modify and are unsure about the changes.
Based on the exhibit, which two things will happen if they continue with the installation? (Choose
two.)
- A. FortiGate HQ-NGFW-1 can use FortiManager firmware templates to upgrade firmware and ratings.
- B. FortiGate HQ-NGFW-1 can contact the FortiManager acting as FortiGuard Distribution Server (FDS) to download FortiGuard updates.
- C. FortiGate HQ-NGFW-1 will use the root_CA3 certificate in firewall address objects or policies.
- D. FortiManager will install the CA certificate named root_CA3 to authenticate FortiGate-to- FortiManager communication protocol (FGFM) tunnel connections with FortiGate HQ- NGFW-1.
Answer:
B, D
Explanation:
The configuration includes a server-list with server-type set to "update rating," which enables
FortiGate HQ-NGFW-1 to contact FortiManager as a FortiGuard Distribution Server (FDS) for
FortiGuard updates.
The installation includes a root_CA3 certificate, which FortiManager will install on FortiGate HQ-
NGFW-1 to authenticate FGFM tunnel connections between the devices.
Question 14
Refer to the exhibit.
An administrator created two new meta fields in FortiManager.
Which operation can you perform with these parameters?
- A. You can add them to objects as custom attributes.
- B. You can export them to be used in other ADOMs.
- C. You can use them as variables in scripts.
- D. You can invoke them using the $ character.
Answer:
A
Explanation:
Meta fields in FortiManager can be added to objects as custom attributes, allowing administrators to
categorize and add additional information to firewall objects for easier management and
identification.
Question 15
Push updates are failing on a FortiGate device located behind a network address translation (NAT)
device?
Which two settings should the administrator check to correct this problem? (Choose two.)
- A. Make sure the NAT device IP address and the correct ports are configured on FortiManager.
- B. Make sure FortiGuard updates and web service are enabled on the FortiGuard service interface.
- C. Make sure the virtual IP address and the correct ports are configured on the NAT device.
- D. Make sure the Bind to IP address option on the FortiGuard service interface is set to the virtual IP address from the NAT device.
Answer:
A, C
Explanation:
FortiManager must have the NAT device's IP address and correct ports configured to communicate
properly with the FortiGate behind NAT.
The NAT device must have the correct virtual IP address and ports configured to allow push updates
to reach the FortiGate device.