While attempting to push a NetFlow configuration script through the FortiManager policy package: an administrator encounters an error stating that an object is unrecognized in line 4. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/FCP_FMG_AD-7.6/page_12_img_1.jpg What must the administrator do to successfully apply the NetFlow configuration script and avoid the object unrecognized error?

Use metadata variables if they use VDOMs in the script.

Make sure the user running the script has full access to the VDOM—AGEUSR.

Run the script on the device database.

Use metadata variables if they use VDOMs in the script.

Create a normalized interface on the policy layer before running the script.

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/FCP_FMG_AD-7.6/page_21_img_1.jpg Which two statements about the output are true? (Choose two.)

The latest revision history for the managed FortiGate does not match the device-level database.

The system template default will override device-level database configurations.

The latest revision history for the managed FortiGate does not match the device-level database.

Configuration changes have been installed on FortiGate, updating policy and device-level database.

The latest revision history for the managed FortiGate does match the FortiManager policy database.

The system template default will override device-level database configurations.

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/FCP_FMG_AD-7.6/page_3_img_1.jpg If the monitored interface for the primary FortiManager device fails, what must you do to maintain high availability (HA)?

The FortiManager HA failover is transparent to administrators and does not require any additional action.

Manually promote one of the working secondary devices to the primary role: and reboot the original primary device to remove the peer IP address of the failed device.

Reconfigure the primary device to remove the peer IP address of the failed device from its configuration.

Check the integrity database of the primary device to force a secondary device to become the new primary with all active interfaces.

View FCP_FMG_AD-7.6 Exam Questions

Q: 1

While attempting to push a NetFlow configuration script through the FortiManager policy package: an administrator encounters an error stating that an object is unrecognized in line 4. FCP FMG AD 7 question

What must the administrator do to successfully apply the NetFlow configuration script and avoid the object unrecognized error?

Options

Discussion

OliviaF Feb 22, 2026 1:06 am

C. not D this time. The error comes from using a VDOM name as an IP address variable and only custom metadata with the actual IP will work for source-ip. If we were talking interface names, D might fit, but that's not what this script is doing. Makes sense?

Karan N. Feb 22, 2026 2:24 pm

C . The key is that $(vdom) just gives you the VDOM name, not a real IP, so using custom metadata variables to assign the correct source IP per VDOM fixes it. Not 100% if there's a sneaky scenario but that's how it usually works.

Drew Q. Mar 3, 2026 9:31 am

I don't think it's D, pretty sure C is right here. D's a trap if you assume it's interface related but the issue is with variable resolution for the IP. If anyone disagrees, let me know.

Jamie Y. Feb 26, 2026 2:23 pm

Its D in some cases if the object was an interface, not a variable.

Luna Z. Feb 18, 2026 6:47 am

C for this one. The main problem is the variable type in the script, since using $(vdom) won't work as an IP address. You need a metadata variable mapped to the actual IP for each VDOM to avoid the unrecognized object error. Pretty sure that's what it's getting at, but correct me if you see it differently.

Drew Feb 27, 2026 7:42 am

If the script referenced an interface name instead of source-ip, wouldn't D actually be right for that scenario since the metadata IP variable fix in C wouldn't help?

Kevin Feb 16, 2026 2:25 am

C tbh, I've seen similar NetFlow config issues in practice exams where using the wrong metadata variable gives that unrecognized error. Official Fortinet docs and lab work help here if you're not sure about metadata types.

Neha Z. Feb 20, 2026 12:07 am

Morgan Feb 18, 2026 11:08 pm

Yeah, it's C here.

MethodicalCandidate3594 Mar 4, 2026 8:30 pm

C , since the script needs a metadata variable for the actual IP.

Be respectful. No spam.

Correct Answer:

Explanation

The script fails at the line set source-ip $(vdom) because the predefined metadata variable $(vdom) resolves to the name of the Virtual Domain (e.g., "root" or "AGEUSR"), which is a string. The set source-ip command requires a valid IP address, not a string name. The "object unrecognized" error occurs because the FortiGate CLI parser does not recognize the VDOM name as a valid IP address.

To resolve this, the administrator must create a custom metadata variable (e.g., netflow-source-ip) and assign the correct source IP address value to this variable for each specific VDOM. The script should then be modified to use this new variable, for example: set source-ip $(netflow-source-ip).

Why Incorrect

A. A permissions issue would likely generate a "permission denied" error, not an "object unrecognized" error related to an invalid value in a script.

B. Running the script on the device database bypasses the policy package model and does not fix the underlying script error, which is the incorrect use of the $(vdom) variable.

D. Normalized interfaces are used to abstract physical interface names for use in firewall policies within a policy package, and are not relevant to system-level CLI configurations like NetFlow.

References

1. FortiManager Administration Guide 7.4.1

Chapter: Device Manager

Section: Scripts

Subsection: Using variables in scripts.

This section details the use of both predefined variables and custom metadata variables (referred to as Device VDOM variables). It explains that $(vdom) resolves to the VDOM name. It also describes how to create custom variables and assign device-specific or VDOM-specific values

which is the required solution to provide a valid IP address in this scenario. (p. 268-270)

Q: 2

Refer to the exhibit.

Which two statements about the output are true? (Choose two.)

Options

Discussion

Meera J. Feb 15, 2026 2:41 am

If they're asking about current status, then A and D fit. The "Modified" highlights the DB mismatch (A), and the template override logic (D) is default FMG behavior. But if they'd specified after install, C could flip in. Anyone else catch that fine print?

Jamie J. Feb 22, 2026 10:56 pm

Had something like this in a mock. Pretty sure it's A and D. "Modified" shows the config isn't matching the device DB (A), and applying a provisioning template will override device-level configs (D). That's usually what they're testing with that status output. If anyone disagrees, let me know.

Arjun I. Feb 14, 2026 1:30 am

I see why you might question C/D, but for this one A and D fit better. "Config Status: Modified" points to a mismatch between FortiGate and the device-level DB (A), and if there's a template change, it'll overwrite device-level settings (D). Pretty sure that's what they're after here, unless I'm missing something subtle in the exhibit.

Grace S. Mar 5, 2026 9:37 pm

A and D tbh. B is a trap since "Modified" means out-of-sync, not that config changes were installed yet.

Riley D. Feb 25, 2026 7:10 am

A and D imo. The "Modified" status means the config on the FortiGate isn't matching what's in the device-level DB (so A), and FortiManager templates overwrite device settings by design (D). B would only be true if changes were installed, but this just shows they're out of sync. Not totally sure but leaning that way, let me know if I missed something with the status meanings.

Chloe V. Feb 28, 2026 4:13 am

C/D? But looking at the output again, B seems tempting since you'd think 'Modified' could mean config changes were pushed. Still, 'Modified' here means the device and database aren't matching (so A), not that install happened yet. D is about how templates will override device-level settings, which matches FortiManager's approach. So I really think it's A and D, but open to other takes if someone interprets 'Modified' differently.

Riley K. Feb 20, 2026 10:43 am

Option A and D. The current output reflects out-of-sync status and template override behavior but I could be missing something obvious so correct me if you see it differently.

ChloeH Mar 2, 2026 4:56 am

I remember a similar scenario from labs on a practice exam, it's A and D.

Parker V. Mar 1, 2026 6:59 am

C/D? I don't think B is right here since 'Modified' just means things are out of sync, not that a change was actually installed yet. I've seen similar questions where A is easy to miss but it's correct. D's standard when templates are used. Open to other views, but A and D both line up with the FortiManager behavior in the output.

Aisha L. Mar 3, 2026 7:27 am

Not A, B and D. Personally, I think "Config Status: Modified" might suggest config changes were installed, so B seems likely at first glance. But A feels like a trap since the output shows 'Modified' but doesn't necessarily prove the revision history is out of sync with device-level DB right now. D about template override is fair though, that's standard FortiManager behavior. If anyone disagrees or has more on how the status reflects real sync state, jump in.

Be respectful. No spam.

Correct Answer:

A, D

Explanation

The exhibit displays a "Modified" status for "Config Status," "Policy Package Status," and "Provisioning Template Status."

The "Config Status: Modified" indicates that the running configuration on the managed FortiGate has changed and is no longer synchronized with the device-level database stored on FortiManager. This directly supports statement A.

The "Provisioning Template Status: Modified" indicates that the assigned system template has been altered within FortiManager. By design, when changes from a provisioning template are installed, they are pushed to the managed device, overwriting the corresponding device-level settings to enforce a standard configuration. This functional behavior supports statement D.

Why Incorrect

B. The "Modified" status across all categories explicitly indicates that changes are pending and have not been installed. An installation is required to synchronize the device.

C. The "Policy Package Status: Modified" clearly shows that the policy package on FortiManager is different from what is currently implemented on the FortiGate, indicating a mismatch.

References

1. Fortinet FortiManager Administration Guide 7.2.3

Page 123

"Device Manager pane".

Config Status: "A red M indicates that the device configuration has been modified." This confirms that the device configuration is out of sync with the FortiManager database

validating answer A.

Policy Package Status: "A red M indicates that the policy package has been modified." This confirms a mismatch

invalidating answer C.

2. Fortinet Certified Professional - Network Security Study Guide for FortiManager 7.2

Page 100

"Provisioning Templates".

The guide states

"When you install device settings to a managed device

the settings in the template are installed on the device... This allows you to enforce a standard configuration across multiple devices." This principle confirms that templates are designed to override device-level settings upon installation

validating answer D.

3. Fortinet FortiManager Administration Guide 7.0.1

Page 100

"Device & Groups > Managed Devices > Device Dashboard".

This guide corroborates the meaning of the "Modified" status: "A red M indicates that the device configuration has been modified." This directly contradicts the claim in option B that changes have been installed.

Q: 3

Refer to the exhibit.

FortiManager is operating behind a network address translation (NAT) device, and the administrator configured the FortiManager NATed IP address under the FortiManager system administration settings. What is the expected result during discovery?

Options

Discussion

SharpEngineer2787 Feb 17, 2026 1:30 pm

Always with the NAT questions... D is what matches similar practice exams. When a NATed IP is set in FortiManager, FortiGate learns that public 100.65.0.120 for central management-not both, not internal. Pretty sure that's right, correct me if you see it working differently.

Mason Y. Feb 23, 2026 4:58 pm

C . Sometimes FortiManager just pushes the internal IP (100.65.0.101), especially if something about the NAT config isn't synced right. Not totally sure, but that's what I've seen in labs.

Parker Z. Feb 22, 2026 1:41 am

C tbh

ThoughtfulTester3509 Feb 28, 2026 3:42 pm

Pretty sure D is correct here. FortiManager behind NAT gives the FortiGate its configured NATed IP (100.65.0.120), not both internal and external addresses. Option B is a trap since you only get the NATed one.

Mason R. Feb 24, 2026 3:54 pm

Why do they still make us memorize NAT behavior, it barely changes. D

Ajay Feb 17, 2026 11:30 pm

Had something like this in a mock, is D correct for just the NATed management IP during discovery?

Luna T. Feb 24, 2026 7:54 am

D imo, it's a trap to pick A. Only the NATed IP goes on FortiGate during discovery stage.

Jordan J. Feb 23, 2026 9:24 pm

Its D here, since FortiManager behind NAT sets the public 100.65.0.120 on FortiGate for management.

Chris G. Feb 26, 2026 9:56 pm

Maybe C. The private IP sometimes sticks around in config after discovery, so I could see FortiManager setting just 100.65.0.101 on FortiGate, especially if NAT rules aren't mapped right.

PreciseEngineer8038 Feb 25, 2026 3:51 pm

This just comes down to which address FortiGate will use after discovery. Since FMG is behind NAT, only the NATed IP (100.65.0.120) gets pushed to the FortiGate, not both public and private. So D makes sense here. If I'm missing something subtle in the exhibit, let me know.

Be respectful. No spam.

Correct Answer:

Explanation

When a FortiManager is deployed behind a Network Address Translation (NAT) device, managed devices on the other side of the NAT boundary must use FortiManager's public IP address to establish a connection. The NATed IP setting, configured under System Settings > Admin > Admin Settings, is specifically designed for this purpose. During the device discovery and authorization process, FortiManager provides this configured NATed IP address (100.65.0.120 in this case) to the FortiGate. The FortiGate then updates its central management settings (config system central-management) to use this public IP for all subsequent management traffic, ensuring successful communication.

Why Incorrect

A. The FortiGate is configured with only one management IP address. Pushing the private, non-routable IP (10.0.13.120) would cause a connection failure.

B. The IP address 100.65.0.101 is not relevant to the configuration shown in the exhibit or the described scenario.

C. The IP address 100.65.0.101 is not configured on the FortiManager and has no role in this management process.

References

1. FortiManager Administration Guide 7.2.0

Page 100

"Admin settings".

The guide states for the NATed IP field: "If FortiManager is behind a NAT device

enter the NATed IP address that FortiGate devices will use to connect to FortiManager." This confirms that the NATed IP is the address provided to the managed devices.

2. Fortinet Cookbook

"Adding a FortiGate to FortiManager (NAT mode)"

Document ID: FD40540.

This official guide details the exact scenario: "When adding the FortiGate

FortiManager will use the NATed IP to configure the central-management settings on the FortiGate. The FortiGate will then use this IP address to connect to the FortiManager." This explicitly confirms that the NATed IP is set on the FortiGate.

Q: 4

An administrator must create a policy and install it on a FortiGate device within an ADOM in backup mode. How can the administrator perform this task?

Options

Discussion

Nathan P. Feb 23, 2026 11:21 pm

Option D is correct, based on what I've read in practice questions. In backup mode you lose central management so can't use the policy package or install wizard. Scripts are basically the only supported method to push changes directly to FortiGate. Fortinet docs and official admin guide both mention this limitation. Let me know if anyone saw anything different in the official exam.

Aaron Feb 17, 2026 5:44 pm

Yeah, it's D here.

CuriousAuditor2811 Mar 5, 2026 5:24 am

Pretty sure it's D since backup mode disables using policy packages, only scripts can push changes out. Happened to me in a lab. If I'm missing some trick with firmware or ADOM, let me know!

Luke Q. Feb 15, 2026 11:32 am

Its D since backup mode disables normal policy installs, but scripts still work for config pushes. Pretty sure policy package options (C) don't apply here.

Hannah X. Feb 26, 2026 9:34 pm

D , since ADOM in backup mode disables policy package and push so scripts are the only supported way to apply changes. The question says "within backup mode" so pretty sure that's the key point. Disagree?

Sanjay C. Mar 3, 2026 11:40 pm

Definitely D

Chris Feb 21, 2026 9:46 am

Why not C if you could switch the ADOM out of backup mode first? Otherwise, isn't D just the only option left?

Meera V. Feb 14, 2026 11:56 pm

I get why some pick C, but with ADOM in backup mode, policy package install isn't possible. Only scripts (D) can actually push changes in that state. Ran into this on a similar question before, so I'm pretty sure that's the catch here.

Luke W. Feb 22, 2026 1:56 am

Not sure C works if policy install is blocked in backup mode, wouldn't that limit you to D?

PriyaP Feb 24, 2026 9:00 pm

D tbh, C trips people up but policy package install is blocked in backup mode from what I’ve seen in practice tests.

Be respectful. No spam.

Correct Answer:

Explanation

When an Administrative Domain (ADOM) is set to backup mode, FortiManager's central management capabilities, such as the Policy & Objects pane, are disabled for that ADOM. The primary purpose is to back up the device's configuration, which is managed locally on the FortiGate. However, FortiManager can still push configuration changes to the device using scripts. A script containing the necessary CLI commands to create a new firewall policy can be created in FortiManager and then run on the target FortiGate, effectively applying the new policy.

Why Incorrect

A. Use the Install Wizard located on the device manager.

The Install Wizard is used to install policy packages and device settings. This functionality is not available for ADOMs in backup mode, as policy packages cannot be managed.

B. Enable workflow mode to allow policy creation and approval.

Workflow mode is a change management feature that requires an approval process. It does not override the fundamental restriction of backup mode, which disables policy package management.

C. Make sure the ADOM and FortiGate firmware versions match and use the ADOM policy package.

Using ADOM policy packages is the standard method for centrally managing devices in Normal or Advanced mode, but this feature is explicitly disabled in backup mode.

References

1. FortiManager Administration Guide 7.2.3

Administrative Domains (ADOMs) > ADOM modes

Page 138.

"In Backup mode

FortiManager is used to back up FortiGate configurations. You cannot use FortiManager to provision or manage the devices. The Policy & Objects and AP Manager panes are not available." This statement confirms that options A and C

which rely on policy packages

are incorrect.

2. FortiManager Administration Guide 7.2.3

Scripts > About scripts

Page 578.

"You can use scripts to deliver configuration files and CLI commands to a managed device or to multiple devices." This confirms that scripts are a valid method for applying CLI-based configuration changes

which is the mechanism required to create a policy on a device in a backup mode ADOM.

Q: 5

You want to let multiple administrators work in the same ADOM without creating configuration conflicts. What is the best and the most effective solution to apply?

Options

Discussion

Daniel Feb 17, 2026 5:38 am

D. seen similar in practice sets. Workspace mode is what actually locks the ADOM so you won't get config overlaps, way more direct than workflow mode for this use case. Pretty sure D fits what they're after here, but I'd double-check if the question was about approvals instead.

Noah Mar 6, 2026 3:58 am

Workspace mode (D) makes sense here since it's specifically built to prevent admins from overwriting each other in the same ADOM. I've seen this called out in Fortinet's official docs and in a few practice exams. Not 100% sure if workflow (B) could also count, but workspace is usually what's expected for conflict prevention. Anyone using lab environments will see this in action.

Nina Feb 21, 2026 4:28 am

D , workflow mode (B) is an approval process but only workspace mode locks out conflicts directly.

Luke D. Feb 24, 2026 3:23 am

B . Workflow mode gives you change approval and can help avoid admins stepping on each other's configs if they're following the process. I think it's more about structured changes than pure conflict locking, but isn't that still effective against config mistakes? Open to other takes.

Sam H. Feb 21, 2026 3:03 pm

D , workspace mode is tailor-made for avoiding config conflicts when multiple admins are in the same ADOM. It locks the session so only one person can make changes at a time, which just isn’t the case with B. Not 100% but this matches how FortiManager usually handles teamwork. Disagree?

Nathan N. Feb 28, 2026 2:53 am

Honestly Fortinet always overcomplicates this, but D imo.

LunaK Feb 20, 2026 10:13 am

Option D

Casey O. Mar 4, 2026 11:57 pm

D imo, workspace mode directly prevents admins from stepping on each other’s toes in the same ADOM. Nothing else here really addresses config conflicts so simply. Pretty sure this lines up with what’s recommended.

Drew Feb 20, 2026 5:31 am

Yeah, D. Workspace mode is built for this exact use case in FortiManager.

Luke Feb 15, 2026 2:58 am

Option B, just because Fortinet's workflow mode always gets mentioned in exam reports for config changes. I figure if you want to stop conflicts, structured approvals do the job. Anyone else think workflow is overlooked here?

Be respectful. No spam.

Correct Answer:

Explanation

Workspace mode is a feature specifically designed to prevent configuration conflicts when multiple administrators are working within the same Administrative Domain (ADOM). When an administrator starts making changes in an ADOM with workspace mode enabled, the ADOM is locked. This locking mechanism prevents other administrators from making concurrent changes, thus avoiding overwrites and conflicts. Administrators can see who has locked the ADOM and must wait until it is unlocked before they can make their own modifications. This provides a clear and effective method for managing simultaneous administrative access.

Why Incorrect

A. Configure RADIUS authentication to assign ADOM roles to each user.

RADIUS is an authentication protocol; while it can assign roles and permissions, it does not inherently manage or prevent concurrent configuration conflicts between authorized users.

B. Enable workflow mode, which is the only way to prevent concurrent configuration conflicts.

Workflow mode enforces a change management process (submit, approve, deploy) but does not prevent concurrent editing. Workspace mode is the primary feature for this, making the claim "only way" incorrect.

C. Assign administrators with JSON API access to the FortiManager.

Using the API is a method of interaction, not a conflict resolution mechanism. Multiple API users could still attempt to modify the same object simultaneously, leading to conflicts.

References

1. Fortinet FortiManager Administration Guide 7.4.1

Page 218

Section: "Workspace mode".

The guide states

"Workspace mode prevents administrators from simultaneously making configuration changes to the same ADOM

device

or policy package. When an administrator is working in an ADOM

the ADOM is locked

and other administrators cannot make changes to the ADOM." This directly supports the function of workspace mode for conflict prevention.

2. Fortinet FortiManager Administration Guide 7.2.1

Page 211

Section: "Workspace mode".

This version of the guide provides the same explanation: "Workspace mode prevents administrators from simultaneously making configuration changes to the same ADOM

device

or policy package."

3. Fortinet FortiManager Administration Guide 7.0.1

Page 208

Section: "Workspace mode".

The documentation for this version also confirms

"In workspace mode

you can prevent two or more administrators from simultaneously editing the same ADOM

device

or policy package." It also contrasts this with Workflow mode

which is described on page 210 as a process for "approving and deploying configuration changes."

Q: 6

A service provider administrator has assigned a global policy package to a managed customer ADOM named My_ADOM. The customer administrator has access only to My_ADOM. How can the customer administrator edit the global header policy of the global policy package?

Options

Discussion

Morgan E. Feb 15, 2026 3:23 am

D , these global header bits are always locked unless you're the service provider admin. Seen similar on other practice sets, and it's frustrating how little flexibility customer admins have. Would love to hear if anyone's actually managed to edit from My_ADOM though.

Mason D. Feb 21, 2026 8:48 am

SkepticalReviewer2891 Feb 25, 2026 7:22 am

Actually, I'd say C here. If the service provider admin unlocks from the global ADOM, customer admin could make changes.

Jamie A. Feb 25, 2026 1:34 pm

I don’t think it’s D. B.

CalmAnalyst8562 Mar 1, 2026 6:00 am

D, The trap is option C since unlocking from global ADOM isn't something a customer admin can trigger. This restriction comes up a lot in exam reports, so pretty sure D is best.

Alex Z. Mar 3, 2026 2:38 pm

Hard to say, D. Customer admin can't edit those global header policies, only the service provider admin has that level of access. I think that's right but happy if someone has seen a different scenario.

Neha Mar 3, 2026 3:57 am

Its D, customer admins can't touch the global header policy. Option C sounds tempting but it's really a trap since only the service provider admin can actually make those changes. Seen this in other exam reports too.

Layla Feb 15, 2026 8:45 am

Had something similar in a practice set-it's D. Customer admin is stuck with read-only for global header unless they're given higher rights, which isn't the case here. Anyone seen different behavior on real systems?

Jamie Mar 4, 2026 3:25 pm

I don't think it's C. D is correct here since customer admin is limited to My_ADOM, global header stays locked for them.

Rowan P. Mar 2, 2026 8:21 am

D imo, had something like this in a mock and only the service provider admin can change global header.

Be respectful. No spam.

Correct Answer:

Explanation

Global policy packages are managed centrally within the global ADOM by a superadmin or an administrator with appropriate permissions, such as a service provider administrator. When a global policy package is assigned to a customer ADOM, its header and footer policies are inherited and are strictly read-only for administrators confined to that customer ADOM. This hierarchical design ensures consistent, top-down policy enforcement across multiple ADOMs, preventing local administrators from overriding or altering the centrally mandated security rules. The customer administrator can only create and manage policies between the global header and footer policies.

Why Incorrect

A. The customer administrator is explicitly restricted to MyADOM and does not have the necessary permissions or access to log in to or operate within the global ADOM.

B. Workflow mode facilitates a change management process but does not override fundamental ADOM access permissions. The customer administrator still cannot access the global ADOM to initiate any changes.

C. There is no feature in FortiManager that allows a service provider administrator to "unlock" a global policy for editing by a local ADOM administrator. Global policies are exclusively managed from the global ADOM.

References

1. Fortinet FortiManager Administration Guide 7.2.0

Page 518

Section: "Global policy packages".

The guide states: "When a global policy package is assigned to an ADOM

the policies in the global policy package are inherited by the ADOM. The policies are read-only in the ADOM." This directly confirms that the customer administrator cannot edit the inherited global policies.

2. Fortinet FortiManager Administration Guide 7.4.1

Page 581

Section: "Global policy packages".

This section details the structure: "The global policy package contains two sections: Header policies and Footer policies. Header policies are inserted before the ADOM policies

and Footer policies are inserted after the ADOM policies." This illustrates the hierarchy where the ADOM administrator works between the unchangeable global policies.

3. Fortinet FortiManager Administration Guide 7.4.1

Page 101

Section: "Administrative Domains (ADOMs)".

The documentation explains the purpose of ADOMs: "ADOMs enable the superadmin to create groupings of devices for administrators to monitor and manage." This reinforces the principle of administrative segregation

where a customer administrator's scope is intentionally limited to their assigned ADOM.

Q: 7

Refer to the exhibit.

An administrator added a FortiGate device to FortiManager with the default object settings at the ADOM layer. What can you conclude from the import policy package process of the HQ-NGFW- 1 device?

Options

Discussion

PracticalEngineer9222 Feb 17, 2026 2:37 am

C . If the wizard actually shows 'Create New' for LAN, port4, and port6, then FortiManager is going to add those as normalized interfaces in the ADOM. That's standard behavior in the import process. Pretty sure that's what they're asking here, but open to corrections.

NehaW Feb 27, 2026 12:33 pm

Option C The trap is thinking manual steps are needed (like B), but FortiManager creates those missing interfaces during import if mapping is set to "Create New". Seen this on practice exams, pretty sure it's C.

Ishaan H. Mar 6, 2026 6:42 am

C . FortiManager's import wizard auto-creates normalized interfaces at the ADOM layer when it shows 'Create New' for each interface, so LAN, port4, and port6 get added. Trap is D, but that's only an issue if objects aren't imported at all, which doesn't match the exhibit here. If anyone thinks otherwise let me know, but pretty sure it's C.

Taylor Mar 6, 2026 6:42 am

C . The trap is thinking B (manual creation needed), but as long as the wizard shows 'Create New' for LAN, port4, and port6, FortiManager auto-generates those as normalized interfaces in the ADOM layer. Pretty sure that's what's happening here but happy to hear opposing views.

Zoe Feb 25, 2026 12:00 pm

Don't think B works here-C is correct. FortiManager auto-creates LAN, port4, and port6 as normalized interfaces when mapping is set to 'Create New', so no need for manual intervention unless mapping fails. Pretty sure that's what the screenshot implies but correct me if I missed something.

Priya N. Feb 16, 2026 1:46 am

Its C, the real trap is B but FortiManager auto-creates normalized interfaces if 'Create New' is selected in the import.

Piya C. Mar 3, 2026 11:09 pm

C/D? Had something like this in a mock before and it pointed to C, but I could see D in some weird cases. Not 100% sure here, open to pushback.

Emma Feb 14, 2026 12:57 pm

Nora Feb 15, 2026 5:05 am

I don’t think it's B. C fits because FortiManager auto-creates any missing interfaces like LAN, port4, and port6 as normalized objects when importing the policy package. You only need to create them manually if something fails or isn’t detected, but here the mapping says "Create New" by default. Pretty sure that's how it works but open to corrections.

FocusedLead2863 Feb 26, 2026 10:06 am

Doesn't B make more sense if port4 wasn't mapped automatically? Feels like C is a trap if you miss how FortiManager handles interfaces that aren't pre-existing. Anyone else see this kind of confusion in the interface mapping step?

Be respectful. No spam.

Correct Answer:

Explanation

The exhibit displays the "Import Policy Package" wizard in FortiManager. During this process, FortiManager analyzes the FortiGate's configuration, including interfaces used in policies. If these interfaces do not already exist as objects in the ADOM's database, the wizard prompts the administrator to map them. The "Mapping" column set to "Create New" and the "Type" column set to "Normalized Interface" for lan, port4, and port6 indicate that FortiManager is proposing to automatically create these three interfaces as new normalized interface objects at the ADOM level. This allows for the creation of reusable policies within the ADOM.

Why Incorrect

A. Per Platform mapping is used to map a single normalized interface to different physical ports on different FortiGate models; it is not required to detect interfaces.

B. The wizard automates the creation of the interface objects, as shown by the "Create New" option. Manual creation prior to import is not required to avoid errors.

D. This is a general statement about configuration management. The exhibit specifically illustrates the interface mapping step, not the consequences of an incomplete object import.

References

1. Fortinet FortiManager Administration Guide 7.0.0

Page 383

"Importing a policy package".

The guide states: "When you import a policy package

you can also import the interface mappings

which creates normalized interfaces in the ADOM... In the Interface Mapping section

map the device interfaces to the normalized interfaces. You can create new normalized interfaces

or map to existing normalized interfaces." This directly supports the action shown in the exhibit.

2. Fortinet FortiManager Administration Guide 7.0.0

Page 384

"Import Policy Package dialog box" table.

This table defines the "Mapping" option: "Create New: Create a new normalized interface." This confirms the conclusion that FortiManager will create the interfaces as new objects.

3. Fortinet FortiManager Administration Guide 7.0.0

Page 184

"Per-platform mapping".

The documentation explains: "You can use per-platform mapping to map a normalized interface to a different physical interface for a specific platform." This clarifies that option A is an incorrect interpretation of the feature's purpose.

Q: 8

Refer to the exhibit.

If the monitored interface for the primary FortiManager device fails, what must you do to maintain high availability (HA)?

Options

Discussion

Neha Feb 24, 2026 9:56 pm

Option A. saw this type in a practice exam before and HA failover is just automatic if config is good.

Kevin Mar 4, 2026 6:46 am

A, I remember a similar question from labs and it's always automatic unless HA config is broken.

PiyaT Feb 19, 2026 7:40 am

B , but only if there's some split-brain or the heartbeat link also fails. The question doesn't mention that, so maybe A is still right. I've seen edge cases on exams where manual promotion is needed, though.

Layla H. Feb 16, 2026 7:53 am

Probably A, unless they mention the cluster is misconfigured or heartbeat fails too. Edge case would flip it.

Amelia K. Feb 15, 2026 8:16 am

A tbh. Normally FortiManager HA is designed to auto fail over when a monitored interface goes down, no admin actions needed. Only exception would be if the HA config itself is messed up or there's a rare cluster sync issue, but that's not mentioned here. Always seen A as correct in these types of questions, but not 100% sure if some weird scenario could pop up.

Liam R. Feb 22, 2026 6:17 pm

A over B here since FortiManager HA is built for hands-off failover if a monitored interface fails. Manual promotion (B) feels like a red herring unless HA is misconfigured, which the question doesn't say. Pretty sure it's A but if anyone's seen different in production let me know.

NinaI Feb 13, 2026 4:57 pm

A is right. FortiManager HA failover happens automatically when a monitored interface fails-no need for manual promotion or config changes unless the cluster itself is malfunctioning. Pretty sure that's what they're after here, but open to other opinions if you see it differently.

Nora Feb 23, 2026 6:36 pm

A no extra steps needed, FortiManager HA does automatic failover when a monitored interface fails.

Maya E. Mar 6, 2026 6:42 am

C is wrong, it's A. FortiManager HA handles failover automatically if a monitored interface fails, so you don't have to do anything unless there's some config problem (which isn't mentioned). Pretty sure that's what the question wants here. If I'm missing a weird HA scenario let me know.

Owen D. Feb 22, 2026 11:24 am

A (not C). . Automatic HA failover covers this, nothing manual required in normal scenarios.

Be respectful. No spam.

Correct Answer:

Explanation

In a FortiManager High Availability (HA) cluster, specific interfaces can be monitored for connectivity. If a monitored interface on the primary unit fails, the unit is considered to have failed. The secondary units, which constantly monitor the primary via heartbeat signals over these interfaces, will detect the failure. Upon detection, the cluster automatically initiates a failover process. A secondary unit is elected to become the new primary based on priority and uptime, and it takes over all management tasks. This entire process is designed to be automatic and transparent to administrators to ensure service continuity without requiring manual intervention.

Why Incorrect

B. Manual promotion is not required. The failover process is automatic when a monitored interface fails, which is a primary feature of the HA design.

C. Reconfiguring the primary device is incorrect. The primary unit is in a failed state, and the failover is initiated by the secondary units detecting the failure.

D. A database integrity check is not the trigger for a failover in this scenario. The failover is triggered by the loss of heartbeat signals due to the interface failure.

References

1. Fortinet FortiManager Administration Guide 7.0

Chapter: "High Availability"

Section: "HA failover"

Page 131.

The document states

"You can configure the cluster to monitor one or more FortiManager interfaces. If any of the monitored interfaces fail on the primary unit

the primary unit is considered to have failed and a failover occurs." This confirms that the failover is a direct and automatic consequence of the monitored interface failure.

2. Fortinet FortiManager Administration Guide 7.2

Chapter: "High Availability"

Section: "HA failover"

Page 141.

This guide reiterates the same principle: "A failover occurs when the primary unit is no longer detected by the other cluster units... You can configure the cluster to monitor one or more FortiManager interfaces. If any of the monitored interfaces fail on the primary unit

the primary unit is considered to have failed and a failover occurs." The automatic nature of this process makes it transparent to administrators.

Q: 9

After correcting a policy package configuration issue, you want to prevent administrators from repeating the mistake that caused the issue. Which FortiManager approach best meets this need?

Options

Discussion

EmmaS Feb 19, 2026 11:47 am

Makes sense to pick D here. Workflow approval actually blocks the same misconfig from being applied again. Pretty confident on this one.

Leo F. Feb 16, 2026 6:48 am

Option D but does "best" here mean totally prevents or just reduces risk? If repeat mistakes aren't critical, C might work too.

PracticalConsultant3227 Feb 17, 2026 3:31 am

Honestly I'd go with C, since requiring change notes at least flags when configs are updated for review.

Grace P. Mar 3, 2026 10:08 pm

D , workflow approval actually stops repeat errors while C is just documentation. A is a distractor here.

HelpfulEngineer8067 Feb 24, 2026 4:01 am

Anyone tried implementing workflow approval in a real FortiManager lab? Official docs and hands-on labs explain this approach well, as it really blocks repeat misconfigs. I think D makes sense here but open to other experiences.

Mason Feb 16, 2026 6:35 pm

Makes sense to me that D is the best fit. Workflow approval adds a real checkpoint before any policy changes get pushed, so mistakes can't slip through as easily. Change notes (C) just capture what happened, but don't actually prevent someone from making the same config error again. Pretty sure workflow is what you'd want here, agree?

Layla N. Feb 15, 2026 7:08 pm

Why not workflow (D), since change notes (C) just document instead of actually stopping the same config mistake happening again?

LunaF Mar 1, 2026 5:44 am

D imo, saw a similar question in practice and workflow approval is what actually prevents repeat mistakes. Confident that's what they're testing.

Ryan Q. Feb 28, 2026 4:41 pm

Tricky one but I'd go with D since workflow adds an approval layer. Not 100% sure though.

Be respectful. No spam.

Correct Answer:

Explanation

The most effective method to prevent the recurrence of configuration mistakes is to implement a formal change control process. FortiManager's workflow mode is designed for this exact purpose. By enabling a workflow, changes made by an administrator must be submitted for review and explicitly approved by another, typically more senior, administrator before they can be installed onto a FortiGate. This mandatory review step provides a crucial checkpoint to catch potential errors, enforce best practices, and ensure configuration integrity, directly addressing the need to prevent repeated mistakes.

Why Incorrect

A. A TCL script is a custom automation tool. While it could validate a specific known mistake, it is not a comprehensive solution for preventing various potential human errors and lacks the oversight of a formal review process.

B. Restricting access to revision history is counterproductive. It removes the ability to audit past changes and learn from them, and it does nothing to prevent an administrator from making a new mistake.

C. Requiring a change note is a good documentation practice for accountability and auditing. However, it does not prevent an administrator from saving and installing an incorrect configuration.

References

1. FortiManager Administration Guide 7.4.1

Page 103

"Workspace and Workflow" section: "When workflow mode is enabled

administrators must create a new session

make changes

and submit the changes for approval. A senior administrator can then review the changes and approve or reject them. After the changes are approved

the administrator can install the changes to the managed device." This directly supports the use of a workflow for review and approval to prevent errors.

2. FortiManager Administration Guide 7.4.1

Page 104

"Workflow mode" section: "Workflow mode is a feature that allows you to create a workflow for device configuration and policy changes... This allows you to control changes in your network." This highlights that the feature's primary purpose is to control changes

which is central to preventing mistakes.

Q: 10

Refer to the exhibit.

An administrator has created a firewall address object that is used in multiple policy packages for multiple FortiGate devices in an ADOM. After the installation operation is performed, which IP/netmask will be installed on Remote-Firewall [VDOM1] for the LAN firewall address object?

Options

Discussion

Chloe N. Feb 28, 2026 5:48 am

A . C is tempting for the subnet but per-device mapping overrides default every time.

RobinM Feb 19, 2026 6:06 pm

Option A is correct for this. With per-device mapping enabled, FortiManager pushes the mapped value (21.21.2.5/255.255.255.255) to Remote-Firewall [VDOM1], not the default address object value. Pretty sure that's how object overrides work, but open if someone sees it differently.

AishaL Feb 24, 2026 8:24 pm

I remember a similar scenario from labs, in some exam reports and it matched A for Remote-Firewall when per-device mapping was set.

Taylor Feb 26, 2026 2:56 am

C or A. I get why some say C for the subnet, but with per-device mapping set for Remote-Firewall, I think it'd be A (21.21.2.5/32) that actually gets installed. Still possible to misread the intent here, so open to correction.

Zoe M. Mar 3, 2026 12:08 pm

A is wrong, A. Official docs and FortiManager labs both point to per-device mapping taking precedence in this case.

Nathan X. Feb 28, 2026 1:36 am

A imo. Had something like this in a mock-per-device mapping always overrides the default address object, so Remote-Firewall [VDOM1] gets 21.21.2.5/32 that's shown in the mapping table. Not 100% if there's a gotcha but I'm pretty sure that's right.

Priya Z. Mar 2, 2026 8:15 pm

Ben Y. Feb 21, 2026 1:15 am

Per-device mapping wins here, so it's A. Seen this in the official guide and some FortiManager demos, per-device overrides always take priority for specific installations. If I'm missing something let me know.

Piya Z. Feb 20, 2026 10:21 am

A. Per-device mapping should override the default, so Remote-Firewall gets 21.21.2.5/32 not the default value. Pretty sure that's how FortiManager handles it, but happy for a second opinion if anyone disagrees.

QuickSec5215 Feb 15, 2026 6:28 am

C/D? The per-device mapping trips people up. If you just looked at the default address you'd say D, but since Remote-Firewall [VDOM1] has its own entry (21.21.2.5/32) that's what actually gets pushed by FortiManager. I'm 90% sure it's A for this scenario, unless I missed something subtle in the exhibit.

Be respectful. No spam.

Correct Answer:

Explanation

The exhibit displays a firewall address object named LAN configured in FortiManager with "Per-Device Mapping" enabled. This feature allows a single object to have different values on different managed devices. The default value is 10.10.10.5/32, but the mapping table specifies unique values for individual devices. For the device Remote-Firewall [VDOM1], the IP/netmask is explicitly mapped to 21.21.2.5/255.255.255.255. When FortiManager installs the policy package to Remote-Firewall [VDOM1], it will substitute the default object value with this specific mapped value.

Why Incorrect

B. 172.16.5.20/255.255.255.255 is the mapped value for the Local-FortiGate [root] device, not the Remote-Firewall [VDOM1].

C. 172.16.5.0/255.255.255.0 is an incorrect value that does not appear in the object's configuration or its per-device mappings.

D. 10.10.10.5/255.255.255.255 is the default value for the object, which is overridden by the specific mapping for Remote-Firewall [VDOM1].

References

1. FortiManager Administration Guide 7.2.3

Chapter: "Policy and Objects"

Section: "Dynamic objects". The guide states

"You can map a dynamic object to a different value for each device... When you install the policy package to a device

the per-device mapping is used for the device." This confirms that the specific mapping for Remote-Firewall will be used.

2. Fortinet Certified Professional - Network Security 7.2 Study Guide - FortiManager

Chapter: "Policy and Objects"

Section: "Dynamic Objects". This section explains that per-device mapping allows an administrator to define a single object that resolves to a unique value on each managed device

which is the exact functionality shown in the exhibit.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE