While attempting to push a NetFlow configuration script through the FortiManager policy package: an administrator encounters an error stating that an object is unrecognized in line 4. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/FCP_FMG_AD-7.6/page_12_img_1.jpg What must the administrator do to successfully apply the NetFlow configuration script and avoid the object unrecognized error?

Use metadata variables if they use VDOMs in the script.

Make sure the user running the script has full access to the VDOM—AGEUSR.

Run the script on the device database.

Use metadata variables if they use VDOMs in the script.

Create a normalized interface on the policy layer before running the script.

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/FCP_FMG_AD-7.6/page_21_img_1.jpg Which two statements about the output are true? (Choose two.)

The latest revision history for the managed FortiGate does not match the device-level database.

The system template default will override device-level database configurations.

The latest revision history for the managed FortiGate does not match the device-level database.

Configuration changes have been installed on FortiGate, updating policy and device-level database.

The latest revision history for the managed FortiGate does match the FortiManager policy database.

The system template default will override device-level database configurations.

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/FCP_FMG_AD-7.6/page_3_img_1.jpg If the monitored interface for the primary FortiManager device fails, what must you do to maintain high availability (HA)?

The FortiManager HA failover is transparent to administrators and does not require any additional action.

Manually promote one of the working secondary devices to the primary role: and reboot the original primary device to remove the peer IP address of the failed device.

Reconfigure the primary device to remove the peer IP address of the failed device from its configuration.

Check the integrity database of the primary device to force a secondary device to become the new primary with all active interfaces.

View FCP_FMG_AD-7.6 Exam Questions

Q: 1

While attempting to push a NetFlow configuration script through the FortiManager policy package: an administrator encounters an error stating that an object is unrecognized in line 4.

What must the administrator do to successfully apply the NetFlow configuration script and avoid the object unrecognized error?

Options

Correct Answer:

Explanation

The script fails at the line set source-ip $(vdom) because the predefined metadata variable $(vdom) resolves to the name of the Virtual Domain (e.g., "root" or "AGEUSR"), which is a string. The set source-ip command requires a valid IP address, not a string name. The "object unrecognized" error occurs because the FortiGate CLI parser does not recognize the VDOM name as a valid IP address.

To resolve this, the administrator must create a custom metadata variable (e.g., netflow-source-ip) and assign the correct source IP address value to this variable for each specific VDOM. The script should then be modified to use this new variable, for example: set source-ip $(netflow-source-ip).

Why Incorrect

A. A permissions issue would likely generate a "permission denied" error, not an "object unrecognized" error related to an invalid value in a script.

B. Running the script on the device database bypasses the policy package model and does not fix the underlying script error, which is the incorrect use of the $(vdom) variable.

D. Normalized interfaces are used to abstract physical interface names for use in firewall policies within a policy package, and are not relevant to system-level CLI configurations like NetFlow.

References

1. FortiManager Administration Guide 7.4.1

Chapter: Device Manager

Section: Scripts

Subsection: Using variables in scripts.

This section details the use of both predefined variables and custom metadata variables (referred to as Device VDOM variables). It explains that $(vdom) resolves to the VDOM name. It also describes how to create custom variables and assign device-specific or VDOM-specific values

which is the required solution to provide a valid IP address in this scenario. (p. 268-270)

Q: 2

Refer to the exhibit.

Which two statements about the output are true? (Choose two.)

Options

Correct Answer:

A, D

Explanation

The exhibit displays a "Modified" status for "Config Status," "Policy Package Status," and "Provisioning Template Status."

The "Config Status: Modified" indicates that the running configuration on the managed FortiGate has changed and is no longer synchronized with the device-level database stored on FortiManager. This directly supports statement A.

The "Provisioning Template Status: Modified" indicates that the assigned system template has been altered within FortiManager. By design, when changes from a provisioning template are installed, they are pushed to the managed device, overwriting the corresponding device-level settings to enforce a standard configuration. This functional behavior supports statement D.

Why Incorrect

B. The "Modified" status across all categories explicitly indicates that changes are pending and have not been installed. An installation is required to synchronize the device.

C. The "Policy Package Status: Modified" clearly shows that the policy package on FortiManager is different from what is currently implemented on the FortiGate, indicating a mismatch.

References

1. Fortinet FortiManager Administration Guide 7.2.3

Page 123

"Device Manager pane".

Config Status: "A red M indicates that the device configuration has been modified." This confirms that the device configuration is out of sync with the FortiManager database

validating answer A.

Policy Package Status: "A red M indicates that the policy package has been modified." This confirms a mismatch

invalidating answer C.

2. Fortinet Certified Professional - Network Security Study Guide for FortiManager 7.2

Page 100

"Provisioning Templates".

The guide states

"When you install device settings to a managed device

the settings in the template are installed on the device... This allows you to enforce a standard configuration across multiple devices." This principle confirms that templates are designed to override device-level settings upon installation

validating answer D.

3. Fortinet FortiManager Administration Guide 7.0.1

Page 100

"Device & Groups > Managed Devices > Device Dashboard".

This guide corroborates the meaning of the "Modified" status: "A red M indicates that the device configuration has been modified." This directly contradicts the claim in option B that changes have been installed.

Q: 3

Refer to the exhibit.

FortiManager is operating behind a network address translation (NAT) device, and the administrator configured the FortiManager NATed IP address under the FortiManager system administration settings. What is the expected result during discovery?

Options

Correct Answer:

Explanation

When a FortiManager is deployed behind a Network Address Translation (NAT) device, managed devices on the other side of the NAT boundary must use FortiManager's public IP address to establish a connection. The NATed IP setting, configured under System Settings > Admin > Admin Settings, is specifically designed for this purpose. During the device discovery and authorization process, FortiManager provides this configured NATed IP address (100.65.0.120 in this case) to the FortiGate. The FortiGate then updates its central management settings (config system central-management) to use this public IP for all subsequent management traffic, ensuring successful communication.

Why Incorrect

A. The FortiGate is configured with only one management IP address. Pushing the private, non-routable IP (10.0.13.120) would cause a connection failure.

B. The IP address 100.65.0.101 is not relevant to the configuration shown in the exhibit or the described scenario.

C. The IP address 100.65.0.101 is not configured on the FortiManager and has no role in this management process.

References

1. FortiManager Administration Guide 7.2.0

Page 100

"Admin settings".

The guide states for the NATed IP field: "If FortiManager is behind a NAT device

enter the NATed IP address that FortiGate devices will use to connect to FortiManager." This confirms that the NATed IP is the address provided to the managed devices.

2. Fortinet Cookbook

"Adding a FortiGate to FortiManager (NAT mode)"

Document ID: FD40540.

This official guide details the exact scenario: "When adding the FortiGate

FortiManager will use the NATed IP to configure the central-management settings on the FortiGate. The FortiGate will then use this IP address to connect to the FortiManager." This explicitly confirms that the NATed IP is set on the FortiGate.

Q: 4

An administrator must create a policy and install it on a FortiGate device within an ADOM in backup mode. How can the administrator perform this task?

Options

Correct Answer:

Explanation

When an Administrative Domain (ADOM) is set to backup mode, FortiManager's central management capabilities, such as the Policy & Objects pane, are disabled for that ADOM. The primary purpose is to back up the device's configuration, which is managed locally on the FortiGate. However, FortiManager can still push configuration changes to the device using scripts. A script containing the necessary CLI commands to create a new firewall policy can be created in FortiManager and then run on the target FortiGate, effectively applying the new policy.

Why Incorrect

A. Use the Install Wizard located on the device manager.

The Install Wizard is used to install policy packages and device settings. This functionality is not available for ADOMs in backup mode, as policy packages cannot be managed.

B. Enable workflow mode to allow policy creation and approval.

Workflow mode is a change management feature that requires an approval process. It does not override the fundamental restriction of backup mode, which disables policy package management.

C. Make sure the ADOM and FortiGate firmware versions match and use the ADOM policy package.

Using ADOM policy packages is the standard method for centrally managing devices in Normal or Advanced mode, but this feature is explicitly disabled in backup mode.

References

1. FortiManager Administration Guide 7.2.3

Administrative Domains (ADOMs) > ADOM modes

Page 138.

"In Backup mode

FortiManager is used to back up FortiGate configurations. You cannot use FortiManager to provision or manage the devices. The Policy & Objects and AP Manager panes are not available." This statement confirms that options A and C

which rely on policy packages

are incorrect.

2. FortiManager Administration Guide 7.2.3

Scripts > About scripts

Page 578.

"You can use scripts to deliver configuration files and CLI commands to a managed device or to multiple devices." This confirms that scripts are a valid method for applying CLI-based configuration changes

which is the mechanism required to create a policy on a device in a backup mode ADOM.

Q: 5

You want to let multiple administrators work in the same ADOM without creating configuration conflicts. What is the best and the most effective solution to apply?

Options

Correct Answer:

Explanation

Workspace mode is a feature specifically designed to prevent configuration conflicts when multiple administrators are working within the same Administrative Domain (ADOM). When an administrator starts making changes in an ADOM with workspace mode enabled, the ADOM is locked. This locking mechanism prevents other administrators from making concurrent changes, thus avoiding overwrites and conflicts. Administrators can see who has locked the ADOM and must wait until it is unlocked before they can make their own modifications. This provides a clear and effective method for managing simultaneous administrative access.

Why Incorrect

A. Configure RADIUS authentication to assign ADOM roles to each user.

RADIUS is an authentication protocol; while it can assign roles and permissions, it does not inherently manage or prevent concurrent configuration conflicts between authorized users.

B. Enable workflow mode, which is the only way to prevent concurrent configuration conflicts.

Workflow mode enforces a change management process (submit, approve, deploy) but does not prevent concurrent editing. Workspace mode is the primary feature for this, making the claim "only way" incorrect.

C. Assign administrators with JSON API access to the FortiManager.

Using the API is a method of interaction, not a conflict resolution mechanism. Multiple API users could still attempt to modify the same object simultaneously, leading to conflicts.

References

1. Fortinet FortiManager Administration Guide 7.4.1

Page 218

Section: "Workspace mode".

The guide states

"Workspace mode prevents administrators from simultaneously making configuration changes to the same ADOM

device

or policy package. When an administrator is working in an ADOM

the ADOM is locked

and other administrators cannot make changes to the ADOM." This directly supports the function of workspace mode for conflict prevention.

2. Fortinet FortiManager Administration Guide 7.2.1

Page 211

Section: "Workspace mode".

This version of the guide provides the same explanation: "Workspace mode prevents administrators from simultaneously making configuration changes to the same ADOM

device

or policy package."

3. Fortinet FortiManager Administration Guide 7.0.1

Page 208

Section: "Workspace mode".

The documentation for this version also confirms

"In workspace mode

you can prevent two or more administrators from simultaneously editing the same ADOM

device

or policy package." It also contrasts this with Workflow mode

which is described on page 210 as a process for "approving and deploying configuration changes."

Q: 6

A service provider administrator has assigned a global policy package to a managed customer ADOM named My_ADOM. The customer administrator has access only to My_ADOM. How can the customer administrator edit the global header policy of the global policy package?

Options

Correct Answer:

Explanation

Global policy packages are managed centrally within the global ADOM by a superadmin or an administrator with appropriate permissions, such as a service provider administrator. When a global policy package is assigned to a customer ADOM, its header and footer policies are inherited and are strictly read-only for administrators confined to that customer ADOM. This hierarchical design ensures consistent, top-down policy enforcement across multiple ADOMs, preventing local administrators from overriding or altering the centrally mandated security rules. The customer administrator can only create and manage policies between the global header and footer policies.

Why Incorrect

A. The customer administrator is explicitly restricted to MyADOM and does not have the necessary permissions or access to log in to or operate within the global ADOM.

B. Workflow mode facilitates a change management process but does not override fundamental ADOM access permissions. The customer administrator still cannot access the global ADOM to initiate any changes.

C. There is no feature in FortiManager that allows a service provider administrator to "unlock" a global policy for editing by a local ADOM administrator. Global policies are exclusively managed from the global ADOM.

References

1. Fortinet FortiManager Administration Guide 7.2.0

Page 518

Section: "Global policy packages".

The guide states: "When a global policy package is assigned to an ADOM

the policies in the global policy package are inherited by the ADOM. The policies are read-only in the ADOM." This directly confirms that the customer administrator cannot edit the inherited global policies.

2. Fortinet FortiManager Administration Guide 7.4.1

Page 581

Section: "Global policy packages".

This section details the structure: "The global policy package contains two sections: Header policies and Footer policies. Header policies are inserted before the ADOM policies

and Footer policies are inserted after the ADOM policies." This illustrates the hierarchy where the ADOM administrator works between the unchangeable global policies.

3. Fortinet FortiManager Administration Guide 7.4.1

Page 101

Section: "Administrative Domains (ADOMs)".

The documentation explains the purpose of ADOMs: "ADOMs enable the superadmin to create groupings of devices for administrators to monitor and manage." This reinforces the principle of administrative segregation

where a customer administrator's scope is intentionally limited to their assigned ADOM.

Q: 7

Refer to the exhibit.

An administrator added a FortiGate device to FortiManager with the default object settings at the ADOM layer. What can you conclude from the import policy package process of the HQ-NGFW- 1 device?

Options

Correct Answer:

Explanation

The exhibit displays the "Import Policy Package" wizard in FortiManager. During this process, FortiManager analyzes the FortiGate's configuration, including interfaces used in policies. If these interfaces do not already exist as objects in the ADOM's database, the wizard prompts the administrator to map them. The "Mapping" column set to "Create New" and the "Type" column set to "Normalized Interface" for lan, port4, and port6 indicate that FortiManager is proposing to automatically create these three interfaces as new normalized interface objects at the ADOM level. This allows for the creation of reusable policies within the ADOM.

Why Incorrect

A. Per Platform mapping is used to map a single normalized interface to different physical ports on different FortiGate models; it is not required to detect interfaces.

B. The wizard automates the creation of the interface objects, as shown by the "Create New" option. Manual creation prior to import is not required to avoid errors.

D. This is a general statement about configuration management. The exhibit specifically illustrates the interface mapping step, not the consequences of an incomplete object import.

References

1. Fortinet FortiManager Administration Guide 7.0.0

Page 383

"Importing a policy package".

The guide states: "When you import a policy package

you can also import the interface mappings

which creates normalized interfaces in the ADOM... In the Interface Mapping section

map the device interfaces to the normalized interfaces. You can create new normalized interfaces

or map to existing normalized interfaces." This directly supports the action shown in the exhibit.

2. Fortinet FortiManager Administration Guide 7.0.0

Page 384

"Import Policy Package dialog box" table.

This table defines the "Mapping" option: "Create New: Create a new normalized interface." This confirms the conclusion that FortiManager will create the interfaces as new objects.

3. Fortinet FortiManager Administration Guide 7.0.0

Page 184

"Per-platform mapping".

The documentation explains: "You can use per-platform mapping to map a normalized interface to a different physical interface for a specific platform." This clarifies that option A is an incorrect interpretation of the feature's purpose.

Q: 8

Refer to the exhibit.

If the monitored interface for the primary FortiManager device fails, what must you do to maintain high availability (HA)?

Options

Correct Answer:

Explanation

In a FortiManager High Availability (HA) cluster, specific interfaces can be monitored for connectivity. If a monitored interface on the primary unit fails, the unit is considered to have failed. The secondary units, which constantly monitor the primary via heartbeat signals over these interfaces, will detect the failure. Upon detection, the cluster automatically initiates a failover process. A secondary unit is elected to become the new primary based on priority and uptime, and it takes over all management tasks. This entire process is designed to be automatic and transparent to administrators to ensure service continuity without requiring manual intervention.

Why Incorrect

B. Manual promotion is not required. The failover process is automatic when a monitored interface fails, which is a primary feature of the HA design.

C. Reconfiguring the primary device is incorrect. The primary unit is in a failed state, and the failover is initiated by the secondary units detecting the failure.

D. A database integrity check is not the trigger for a failover in this scenario. The failover is triggered by the loss of heartbeat signals due to the interface failure.

References

1. Fortinet FortiManager Administration Guide 7.0

Chapter: "High Availability"

Section: "HA failover"

Page 131.

The document states

"You can configure the cluster to monitor one or more FortiManager interfaces. If any of the monitored interfaces fail on the primary unit

the primary unit is considered to have failed and a failover occurs." This confirms that the failover is a direct and automatic consequence of the monitored interface failure.

2. Fortinet FortiManager Administration Guide 7.2

Chapter: "High Availability"

Section: "HA failover"

Page 141.

This guide reiterates the same principle: "A failover occurs when the primary unit is no longer detected by the other cluster units... You can configure the cluster to monitor one or more FortiManager interfaces. If any of the monitored interfaces fail on the primary unit

the primary unit is considered to have failed and a failover occurs." The automatic nature of this process makes it transparent to administrators.

Q: 9

After correcting a policy package configuration issue, you want to prevent administrators from repeating the mistake that caused the issue. Which FortiManager approach best meets this need?

Options

Correct Answer:

Explanation

The most effective method to prevent the recurrence of configuration mistakes is to implement a formal change control process. FortiManager's workflow mode is designed for this exact purpose. By enabling a workflow, changes made by an administrator must be submitted for review and explicitly approved by another, typically more senior, administrator before they can be installed onto a FortiGate. This mandatory review step provides a crucial checkpoint to catch potential errors, enforce best practices, and ensure configuration integrity, directly addressing the need to prevent repeated mistakes.

Why Incorrect

A. A TCL script is a custom automation tool. While it could validate a specific known mistake, it is not a comprehensive solution for preventing various potential human errors and lacks the oversight of a formal review process.

B. Restricting access to revision history is counterproductive. It removes the ability to audit past changes and learn from them, and it does nothing to prevent an administrator from making a new mistake.

C. Requiring a change note is a good documentation practice for accountability and auditing. However, it does not prevent an administrator from saving and installing an incorrect configuration.

References

1. FortiManager Administration Guide 7.4.1

Page 103

"Workspace and Workflow" section: "When workflow mode is enabled

administrators must create a new session

make changes

and submit the changes for approval. A senior administrator can then review the changes and approve or reject them. After the changes are approved

the administrator can install the changes to the managed device." This directly supports the use of a workflow for review and approval to prevent errors.

2. FortiManager Administration Guide 7.4.1

Page 104

"Workflow mode" section: "Workflow mode is a feature that allows you to create a workflow for device configuration and policy changes... This allows you to control changes in your network." This highlights that the feature's primary purpose is to control changes

which is central to preventing mistakes.

Q: 10

Refer to the exhibit.

An administrator has created a firewall address object that is used in multiple policy packages for multiple FortiGate devices in an ADOM. After the installation operation is performed, which IP/netmask will be installed on Remote-Firewall [VDOM1] for the LAN firewall address object?

Options

Correct Answer:

Explanation

The exhibit displays a firewall address object named LAN configured in FortiManager with "Per-Device Mapping" enabled. This feature allows a single object to have different values on different managed devices. The default value is 10.10.10.5/32, but the mapping table specifies unique values for individual devices. For the device Remote-Firewall [VDOM1], the IP/netmask is explicitly mapped to 21.21.2.5/255.255.255.255. When FortiManager installs the policy package to Remote-Firewall [VDOM1], it will substitute the default object value with this specific mapped value.

Why Incorrect

B. 172.16.5.20/255.255.255.255 is the mapped value for the Local-FortiGate [root] device, not the Remote-Firewall [VDOM1].

C. 172.16.5.0/255.255.255.0 is an incorrect value that does not appear in the object's configuration or its per-device mappings.

D. 10.10.10.5/255.255.255.255 is the default value for the object, which is overridden by the specific mapping for Remote-Firewall [VDOM1].

References

1. FortiManager Administration Guide 7.2.3

Chapter: "Policy and Objects"

Section: "Dynamic objects". The guide states

"You can map a dynamic object to a different value for each device... When you install the policy package to a device

the per-device mapping is used for the device." This confirms that the specific mapping for Remote-Firewall will be used.

2. Fortinet Certified Professional - Network Security 7.2 Study Guide - FortiManager

Chapter: "Policy and Objects"

Section: "Dynamic Objects". This section explains that per-device mapping allows an administrator to define a single object that resolves to a unique value on each managed device

which is the exact functionality shown in the exhibit.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE