Fortinet FCP_FMG_AD-7.4 FCP FortiAuthenticator 6.5 Administrator Exam Dumps and Practice Test Questions Set 4 Q61-80

Q61. A FortiManager admin wants to ensure that all WAN-related policies automatically reference the appropriate ISP interface for each device. Which feature enables this?

A) Dynamic Interface Mapping
B) ADOM Variable Sets
C) WAN Auto-Discovery
D) Policy Analyzer

Answer: A

Explanation: 

Dynamic interface mapping is the most appropriate solution when a shared policy package needs to accommodate different network interfaces across multiple devices. In multi-device environments, it is common for firewalls to use different interface names or physical layouts even though they share the same overall policy structure. Dynamic interface mapping allows administrators to assign a logical interface referenced in a policy package to different physical or virtual interfaces on each device. This ensures that the policies remain consistent while still applying correctly to the unique interface configurations of each device. By using dynamic mappings, administrators avoid creating separate policy packages or duplicating rules simply because devices use different interface naming conventions. This greatly reduces administrative effort, simplifies long-term maintenance, and keeps policy sets clean, unified, and scalable. It also reduces the risk of errors during policy installation because each device receives the correctly mapped interface definition automatically.

ADOM variable sets are useful for device-specific values such as IP addresses or identifiers but are not intended for mapping interfaces used in policies. WAN auto-discovery assists with identifying WAN links and monitoring connectivity but does not address interface mapping needs inside policy packages. Policy Analyzer is designed to review and optimize policies, detecting redundant or shadowed rules, but it has no role in mapping interfaces between devices. Compared to these alternatives, dynamic interface mapping provides exactly the flexibility required to maintain a consistent policy structure while accommodating device-specific interface differences.

Q62. A newly imported device shows outdated DNS settings in FortiManager even though the device uses new DNS servers. What must the admin do?


A) Perform a configuration fetch
B) Reinstall policy package
C) Reset DNS template
D) Move device to new ADOM

Answer: A

Explanation: 

Performing a configuration fetch is the most appropriate action when FortiManager indicates that the device configuration is outdated, mismatched, or inconsistent with what is stored in the management system. A configuration fetch retrieves the current running configuration directly from the device and synchronizes it with FortiManager’s database. This ensures that the manager has an accurate view of all settings, including any local changes made on the device outside of FortiManager. Keeping the configuration synchronized is essential for successful policy installations, template assignments, and revision tracking. Without fetching the updated configuration, FortiManager may attempt to apply policies based on outdated information, which can lead to installation failures, configuration conflicts, or unintended behavior on the managed device. By fetching the configuration proactively, administrators maintain alignment between the device and the manager, creating a stable foundation for future updates and deployments. This step is typically performed whenever configuration drift is suspected or the device shows a status indicating that the local and remote configurations do not match.

Reinstalling the policy package does not address the root cause of mismatches and may push incorrect or incompatible settings onto the device. Resetting the DNS template is unrelated to overall configuration synchronization and does nothing to resolve discrepancies between FortiManager and the device. Moving the device to a new ADOM would disrupt organizational structure and still would not correct the configuration desynchronization. Compared to these alternatives, performing a configuration fetch is the safest and most effective way to ensure consistency and maintain accurate device management.

Q63. A configuration install fails because a referenced service object is missing on the device. What is the correct fix?


A) Reimport device objects
B) Create placeholder service
C) Delete the policy
D) Reset the ADOM

Answer: A

Explanation: 

Reimporting device objects is the most appropriate action when FortiManager detects inconsistencies between the objects used in a policy package and the objects that actually exist on the managed device. These mismatches often occur when administrators make changes directly on the device instead of through FortiManager, such as adding new services, modifying existing objects, or removing items that the manager still references. When this happens, FortiManager cannot properly validate or install the policy package because it no longer has an accurate representation of the device’s object database. Reimporting device objects retrieves the complete, up-to-date set of objects directly from the device and aligns them with FortiManager’s internal database. This action ensures that all references in policies and packages point to valid, current objects and restores consistency between the device and the management system. It also prevents installation errors and avoids the risk of pushing outdated or incompatible object definitions back onto the device.

Creating a placeholder service does not resolve the underlying issue because it only addresses a single missing object and may introduce incorrect definitions that lead to further inconsistencies. Deleting the policy can remove important configuration logic and does nothing to correct the mismatch between the device and FortiManager object sets. Resetting the ADOM is an extreme step that would erase all policies, objects, and revisions within that domain, causing significant disruption and requiring an extensive rebuild. Compared to these options, reimporting device objects is the safest, most efficient, and most practical method to regain synchronization and ensure accurate policy management.

Q64. An MSSP wants to give auditors read-only access to multiple ADOMs. How is this achieved?


A) Create read-only admin profiles with multi-ADOM access
B) Enable Workflow Mode
C) Clone ADOMs
D) Disable Global ADOM

Answer: A

Explanation: 

Creating read-only admin profiles with multi-ADOM access is the most suitable solution when administrators need visibility across several Administrative Domains but should not be permitted to modify any configurations. This type of profile allows users to view policies, objects, logs, and device information within multiple ADOMs while ensuring that their access remains strictly observational. Such read-only profiles are critical in organizations where oversight, auditing, compliance verification, or managerial review must occur without risking accidental or unauthorized changes. By assigning these profiles, administrators can maintain secure segmentation between ADOMs while still providing the necessary visibility to users who require broader insight into the overall environment. This approach also enforces the principle of least privilege, ensuring that users receive only the exact level of access needed to fulfill their duties. Additionally, using multi-ADOM read-only profiles reduces the burden on administrators by eliminating the need to repeatedly switch accounts or request temporary permissions.

Enabling Workflow Mode introduces structured approval processes for configuration changes, but it does not provide read-only visibility or help manage multi-ADOM access requirements. Cloning ADOMs duplicates entire administrative domains, which creates unnecessary redundancy and does not address access control needs. Disabling the Global ADOM affects shared object and policy distribution across ADOMs and is unrelated to granting read-only access. Compared to these alternatives, creating read-only admin profiles with multi-ADOM access is the most direct, efficient, and secure method for granting broad visibility while protecting configuration integrity.

Q65. A policy installation report indicates “zone member mismatch.” What caused this?


A) The policy references interfaces not included in the zone
B) ADOM version mismatch
C) Cluster not synced
D) Variable not mapped

Answer: A

Explanation: 

When a policy references interfaces that are not included in the assigned zone, installation errors or validation warnings typically occur because the policy package cannot correctly map the traffic direction or interface relationships. Zones are used to group interfaces logically so that policies can be written in a simplified and consistent manner. However, for a policy referencing a specific interface to work correctly, that interface must actually be part of the zone defined within the policy package. If an administrator assigns an interface directly in the policy or includes it in a traffic rule while the zone contains different or incomplete interfaces, the system identifies a configuration conflict. As a result, the installation process stops and prompts the administrator to correct the mismatch. Ensuring that all interfaces used in the policy are properly added to the zone maintains consistency, prevents routing or security gaps, and helps avoid unintended behavior on the firewall. Correcting the zone membership is typically the fastest and most reliable solution for addressing such errors.

An ADOM version mismatch would cause broader compatibility issues across the entire ADOM rather than pointing specifically to interface or zone configuration errors. A cluster not being synced relates to HA synchronization problems and does not directly affect zone-to-interface mapping in policy packages. A variable not being mapped would cause issues related to device-specific values, but it would not cause validation failures tied specifically to zone membership or interface assignments. Compared to these alternatives, the most accurate explanation for the issue is that the policy references interfaces not included in the zone.

Q66. An admin needs to deploy a custom banner to all managed devices. What mechanism applies global device-level settings?


A) Device Templates
B) Policy Packages
C) Global ADOM
D) CLI Scripts only

Answer: A

Explanation: 

Device templates are the most appropriate choice when the goal is to standardize configuration settings across multiple devices while still maintaining centralized and consistent management. These templates allow administrators to define a baseline set of configurations such as system parameters, DNS information, NTP settings, interface configurations, routing basics, and other foundational elements that must be applied uniformly across the network. By creating and applying device templates, organizations can ensure that every new device added to the environment adheres to the same configuration standards, reducing the risk of misconfigurations and ensuring compliance with organizational requirements. This approach significantly streamlines deployment processes and reduces administrative workload, as changes made to the template can be easily pushed to multiple devices without requiring manual adjustment on each one. Device templates also help maintain long-term consistency, making troubleshooting and audits more efficient because the configuration across devices remains predictable and controlled.

Policy packages are focused on defining and maintaining security policies, firewall rules, and related policy objects. While crucial for traffic control and rule enforcement, they do not manage system-level or infrastructure-level configuration templates. The Global ADOM is used for sharing common objects or global policies across multiple ADOMs but is not intended for device-level configuration standardization. Using CLI scripts alone may offer flexibility for advanced administrators, but this method lacks structured management, increases the chance of errors, and does not provide the repeatability and scalability that templates offer. Compared to these options, device templates are the most effective and efficient way to achieve consistent configuration deployment across multiple devices in a managed environment.

Q67. A FortiManager admin wants to identify firewall rules with zero hits. What tool should be used?


A) Hit Counter
B) Object Usage Monitor
C) Policy Analyzer
D) Interface Mapping Tool

Answer: A

Explanation: 

The hit counter is a valuable diagnostic tool used to determine how often individual firewall policies are triggered by live traffic. By monitoring these counters, administrators gain clear visibility into which rules are actively being used and which ones may be redundant, misordered, or unnecessary. The hit counter updates dynamically as traffic flows through the device, showing how frequently each policy matches packets. This helps identify policies that are never used, which might indicate misconfigurations or outdated rules that can be safely removed. It also allows administrators to detect policies that are receiving unexpectedly high traffic, which may suggest potential security issues, misrouted traffic, or performance bottlenecks. Additionally, the hit counter supports optimization efforts by helping administrators reorder policies, ensuring that frequently matched rules are placed earlier in the rule set to improve processing efficiency. With this information, policy management becomes more efficient, accurate, and aligned with real network behavior.

The object usage monitor focuses on tracking where objects such as addresses or services are referenced, but it does not analyze traffic or show how often rules are triggered. Policy Analyzer examines rule logic to find conflicts, shadowed policies, or redundant entries but does not measure runtime traffic statistics. The interface mapping tool is used to map logical interfaces to device-specific interfaces in multi-device policy packages and has no relation to traffic-based rule activity. Compared to these options, the hit counter is the tool that specifically provides real-time insight into how frequently policies are used, making it the correct choice in this context.

Q68. A device install fails due to a conflict in SSL inspection profiles. The FortiGate uses an older SSL engine. What must the admin do?


A) Adjust SSL profile to match firmware compatibility
B) Reinstall firmware
C) Remove SSL inspection entirely
D) Move device to new ADOM

Answer: A

Explanation: 

Adjusting the SSL profile to match firmware compatibility is the most appropriate action when policy installation fails or warnings appear because the SSL inspection profile being used is not supported by the device’s current firmware version. SSL inspection profiles rely on specific capabilities within the device firmware, such as supported encryption algorithms, certificate handling methods, or inspection modes. When firmware and SSL profile versions do not align, the device may reject the policy package or produce errors during installation. By adjusting the SSL profile to a version or configuration that matches the firmware, administrators ensure that the device can properly interpret and apply the inspection settings. This may involve selecting a simpler inspection mode, updating certificates, removing unsupported ciphers, or replacing deprecated settings. Resolving the compatibility issue prevents installation failures, maintains secure traffic inspection, and ensures consistent policy enforcement across all managed devices. Aligning SSL configurations with firmware requirements is also a best practice, as it minimizes operational disruptions and improves long-term policy stability.

Reinstalling firmware is more disruptive and unnecessary unless the device is severely outdated or malfunctioning. Firmware changes can impact other configurations and should not be used as a first response to a simple SSL profile mismatch. Removing SSL inspection entirely would weaken security posture, reducing visibility into encrypted traffic and exposing the network to potential threats. Moving the device to a new ADOM does not address SSL profile compatibility and would only create administrative confusion without resolving the core problem. Compared to these alternatives, adjusting the SSL profile to ensure firmware compatibility is the most direct, efficient, and reliable solution.

Q69. An admin wants an ADOM to replicate its policy package into another ADOM without linking changes afterward. What action achieves this?


A) Clone Policy Package
B) Use Global Policy
C) Use Local Override
D) Export/Import Revision

Answer: A

Explanation: 

Cloning a policy package is the most appropriate option when an administrator needs to create a separate, customized version of an existing policy structure while preserving the original configuration. This approach is often used when different devices or ADOMs require similar but not identical policy sets. By cloning the existing package, administrators obtain a complete copy of all policies, objects, and settings, which can then be modified independently without affecting the original version. This ensures that any changes made for a specific environment, customer, or device group do not introduce unintended alterations to other systems. Cloning also accelerates the deployment process because it eliminates the need to build a policy package from scratch. Instead, administrators can leverage a well-tested and functional baseline, then adjust only the elements that require customization. This method supports scalability, reduces human error, and maintains consistency across multiple deployments.

Using a global policy is intended for distributing shared rules across multiple ADOMs but does not provide isolated customization of an entire policy package. A local override allows modification of specific settings at the device level but cannot replace the flexibility or isolation provided by a full policy package clone. Exporting and importing revisions is useful for backup or migration purposes but does not offer the ability to create a separately editable copy of an existing policy structure. Compared to these alternatives, cloning a policy package is the most effective way to create a new, independent version of an existing configuration that can be safely customized without impacting other environments.

Q70. A FortiGate device changed its hostname but FortiManager still displays the old one. What must be done?


A) Refresh Device Information
B) Reinstall policy package
C) Reset hostname in CLI
D) Change ADOM name

Answer: A

Explanation: 

Refreshing device information is the correct action when FortiManager displays outdated, incomplete, or inconsistent details about a managed device, such as hostname, firmware version, interface list, or configuration status. This situation commonly occurs when changes are made directly on the firewall instead of through FortiManager, causing the manager’s stored information to fall out of sync with the actual device. By performing a refresh, FortiManager queries the device and updates its internal database with the current, accurate information. This ensures that administrators are working with the latest device data when performing tasks such as policy installation, configuration comparison, or device monitoring. Without refreshing device information, FortiManager may continue showing stale details, which can lead to confusion, validation errors, or incorrect assumptions about the device’s configuration state. Regularly refreshing device information is considered good practice to maintain alignment and avoid operational issues, especially in environments where administrators sometimes perform direct CLI updates on the firewall.

Reinstalling the policy package does not fix outdated device information and could potentially introduce errors if FortiManager is working from incorrect data. Resetting the hostname in the CLI is unnecessary and unrelated to synchronization, and it does not guarantee that FortiManager will automatically update its records. Changing the ADOM name only affects organizational structure within FortiManager and does not correct mismatches between stored and actual device information. Compared to these alternatives, refreshing device information is the most direct, safe, and effective way to ensure accurate synchronization between FortiManager and the managed device.

Q71. A new admin user must only manage CLI Templates, not policy packages. How is this controlled?


A) Admin Profile Permissions
B) ADOM Settings
C) Workspace Locks
D) Global Overrides

Answer: A

Explanation: 

Admin profile permissions are the most appropriate area to adjust when an administrator requires specific access rights, limited privileges, or expanded visibility within the management system. Admin profiles define what each user is allowed to view, modify, or manage, covering areas such as policy editing, device configuration, object creation, log access, and administrative tasks. By correctly configuring these permissions, organizations can enforce the principle of least privilege, ensuring that each administrator has access only to the functions necessary for their responsibilities. This helps prevent accidental changes, enhances security, and supports compliance requirements by restricting sensitive operations to authorized personnel. Adjusting admin profile permissions is also essential in multi-team environments where different groups need distinct levels of access across various ADOMs. Properly configured profiles maintain a clear separation of duties while still enabling efficient workflow and oversight.

ADOM settings control how administrative domains are created, assigned, and managed but do not determine individual user privileges within those domains. Workspace locks deal with preventing concurrent edits during configuration changes and do not address access rights or authorization levels. Global overrides allow modifications to global policies or objects but are unrelated to defining who can perform administrative tasks. Compared to these other options, adjusting admin profile permissions is the correct and most effective method for controlling user capabilities and ensuring secure, appropriate access.

Q72. A FortiManager installation fails due to missing routing configuration. The administrator wants FortiManager to manage routing. What should they configure?


A) Routing Template in Device Manager
B) Policy Package
C) Global VDOM
D) Revision Rollback

Answer: A

Explanation: 

A routing template in Device Manager is the most appropriate option when the goal is to deploy consistent routing configurations across multiple devices while still allowing flexibility for device-specific adjustments. Routing templates allow administrators to standardize settings such as static routes, default gateways, dynamic routing protocols, and redistribution behaviors. These templates ensure that all devices receive a unified and predictable routing configuration, which is especially important in larger networks where maintaining consistency helps prevent routing loops, misconfigurations, or mismatched path selections. By configuring routing parameters within a template, administrators can efficiently push updates to many devices without manually editing each one. This approach not only saves time but also reduces the likelihood of human error. Furthermore, routing templates can incorporate per-device variables, enabling customization where necessary while preserving a unified routing framework. Using routing templates also improves scalability, making it easier to onboard new devices and maintain stable routing behavior across the network.

A policy package is used for firewall rules, security profiles, and policy-related configurations, and does not manage routing settings. A global VDOM refers to a shared virtual domain configuration but is not designed for managing routing templates for multiple standalone devices. Revision rollback restores previous configurations but is intended for reverting changes rather than deploying consistent routing structures. It provides no mechanism for building standardized routing logic across a fleet of devices. Compared to these other options, using a routing template in Device Manager is the correct and most efficient way to centrally manage routing configurations while ensuring consistency and reliability across all managed devices.

Q73. A policy package contains duplicate objects with slightly different names. The admin wants to merge them automatically. What tool is used?


A) Object Merge Tool
B) Object Cleanup
C) Revision Diff
D) Policy Analyzer

Answer: A

Explanation: 

The object merge tool is the most suitable option when multiple objects within a configuration serve the same purpose or contain duplicate values, leading to unnecessary complexity and object bloat. Over time, as different administrators create address objects, service entries, or other configuration elements, it is common for duplicates or near-duplicates to accumulate. These redundant objects can cause confusion during policy editing, increase the risk of selecting the wrong object, and make the policy set harder to maintain. The object merge tool analyzes these objects, compares their values, and identifies candidates for consolidation. By merging duplicates, administrators can streamline the configuration, reduce clutter, and ensure that shared policies reference a consistent set of objects. This results in a cleaner, more manageable configuration environment and helps prevent future inconsistencies. Moreover, merging objects improves performance in searches, policy installations, and auditing processes because the system no longer needs to evaluate multiple redundant entries that serve the same function.

Object cleanup is useful for removing unused objects, but it does not analyze whether existing objects can be merged or consolidated. Revision diff compares configuration differences between revisions and is valuable for tracking changes but does not address object duplication or consolidation. Policy Analyzer focuses on traffic rules, detecting redundant or shadowed policies, but it does not analyze the object database for duplicates. Compared to these alternatives, the object merge tool is the only option specifically designed to identify and combine redundant configuration objects, making it the most effective and appropriate choice in this context.

Q74. A FortiGate HA cluster shows “import error” because the secondary unit is not responding. What must be done first?


A) Ensure HA cluster communication is functional
B) Promote secondary to primary
C) Remove secondary unit
D) Reboot FortiManager

Answer: A

Explanation: 

Ensuring that HA cluster communication is functional is the most important and appropriate action when a FortiManager HA setup begins to exhibit synchronization issues, role confusion, or inconsistent status reporting between the primary and secondary units. High availability clusters rely on continuous communication between members to exchange heartbeat messages, configuration updates, and state information. If this communication link becomes unstable, blocked, or misconfigured, the cluster cannot operate correctly. Problems such as split-brain conditions, stale configuration data, or unexpected failover behavior may occur. By verifying and restoring proper HA communication, administrators ensure that heartbeat interfaces are reachable, synchronization channels are active, and both units can reliably share data. This may involve checking physical cabling, verifying interface configurations, confirming IP settings, and ensuring that no firewall rules or network changes are interfering with HA traffic. Restoring proper communication helps the cluster maintain accurate primary and secondary roles and ensures consistent configuration replication across all units. This prevents service interruptions and keeps the HA environment stable and predictable.

Promoting the secondary to primary should not be done until communication is restored because promoting a unit while links are down can worsen role conflicts or cause database inconsistencies. Removing the secondary unit from the cluster is far too drastic and should only be considered when the unit is permanently failing or being decommissioned. Rebooting FortiManager may temporarily clear certain states but does not fix broken HA communication paths or address root causes. Compared to these other options, ensuring that HA cluster communication is fully functional is the most direct and effective way to stabilize the environment and restore proper HA operations.

Q75. A FortiManager admin wants to compare two different policy revisions side by side. What feature allows this?


A) Revision Diff
B) Policy Analyzer
C) Object Checker
D) Hit Counter

Answer: A

Explanation: 

Revision Diff is the most appropriate option when an administrator needs to compare different configuration versions to identify what changes were made, when they occurred, and how they affect system behavior. In complex environments, configurations evolve continuously as policies are updated, objects are modified, and system parameters are adjusted. Over time, it becomes difficult to track exactly which changes were introduced between revisions, especially when multiple administrators contribute to ongoing updates. Revision Diff allows precise comparison between two configuration versions stored in revision history. It highlights additions, deletions, and modifications, making it easy to understand how the configuration has progressed. This tool is especially valuable for troubleshooting, as it helps pinpoint the exact change that may have caused an issue. It also supports audit and compliance requirements by providing a clear, transparent view of configuration evolution. Using Revision Diff helps administrators maintain clarity, reduces guesswork, and speeds up problem resolution by offering a reliable and structured way to examine differences.

Policy Analyzer focuses on evaluating firewall rules to identify shadowed, redundant, or misordered policies but does not compare historical revisions. Object Checker identifies missing, inconsistent, or conflicting objects but does not review full configuration changes over time. The hit counter provides information about how often policies are used in real traffic and is unrelated to configuration comparison. Compared to these alternatives, Revision Diff is the only tool specifically designed to compare revisions and expose configuration changes in a detailed and organized manner.

Q76. A scheduled policy installation fails during off-hours because a device is powered off. How can FortiManager retry automatically?


A) Enable auto-retry for scheduled installs
B) Use forced installation
C) Create duplicate schedule
D) Change ADOM version

Answer: A

Explanation: 

Enabling auto-retry for scheduled installs is the most appropriate action when scheduled policy installations occasionally fail due to temporary connectivity issues, device unavailability, or brief synchronization delays. In many environments, scheduled installs are used to deploy policies during maintenance windows or low-traffic periods. However, if the target device becomes momentarily unreachable or is busy processing other tasks, the installation may fail at the scheduled time. By enabling auto-retry, FortiManager automatically attempts the installation again within a defined retry interval, significantly increasing the chances of successful deployment without requiring manual intervention. This reduces the administrative burden of monitoring scheduled installs and resubmitting them when failures occur. It also ensures that important policy updates are not missed simply because of a short-lived communication problem or temporary device condition. Auto-retry helps maintain operational consistency and supports reliable policy rollout across distributed environments where connectivity may fluctuate.

Using forced installation should be reserved for specific cases where mismatched configurations must be overwritten, and it does not address the problem of scheduling reliability. Creating duplicate schedules introduces unnecessary complexity and increases the chance of conflicting installations, while failing to address the root cause of intermittent installation failure. Changing the ADOM version has no relevance to scheduled install behavior and would only create additional compatibility considerations without solving the underlying issue. Compared to these alternatives, enabling auto-retry provides a practical, low-risk, and efficient solution that directly improves the success rate of scheduled installations.

Q77. A FortiManager admin wants to standardize IPsec encryption settings globally while allowing each site to choose its own local interface. What should they configure?


A) VPN Manager with Override Profiles
B) ADOM Variables
C) Device Scripts
D) Policy Overrides

Answer: A

Explanation: 

VPN Manager with override profiles is the most effective solution when administrators need to deploy standardized VPN configurations across multiple devices while still allowing certain parameters to vary per device. VPN Manager provides a centralized framework for creating, managing, and monitoring IPsec VPNs, enabling consistent deployment of tunnel structures, security proposals, routing behavior, and phase settings. By incorporating override profiles, administrators gain the flexibility to adjust device-specific attributes such as local addresses, interface names, peer identifiers, or unique pre-shared keys. This hybrid approach combines the efficiency of centralized configuration with the adaptability needed in distributed or multi-site networks. Using VPN Manager with override profiles reduces manual work, minimizes configuration errors, and speeds up implementation for organizations managing large numbers of VPN tunnels. It also ensures that changes to the core VPN template propagate consistently across all devices while still respecting the individual requirements of each site.

ADOM variables provide per-device customization but are more suited for general configuration values rather than structured VPN deployments. Device scripts offer powerful flexibility but require manual execution and do not provide the same centralized management or monitoring benefits as VPN Manager. Policy overrides allow policy adjustments at the device level but are unrelated to building or managing VPN infrastructure. Compared to these options, VPN Manager with override profiles offers the most comprehensive, scalable, and efficient method for deploying VPN configurations that maintain both consistency and individualized customization.

Q78. Admin notices install jobs frequently fail due to outdated session data. Which action resolves this?


A) Refresh the device configuration
B) Reinstall the firmware
C) Delete ADOM
D) Disable workspace mode

Answer: A

Explanation: 

Refreshing the device configuration is the most appropriate action when FortiManager displays outdated information, inconsistent settings, or mismatched configuration data for a managed device. Over time, it is common for administrators to make changes directly on the device through the CLI or GUI, especially during troubleshooting or urgent maintenance. When these updates occur outside of FortiManager, the manager’s stored configuration no longer reflects the current state of the device. This discrepancy can lead to installation failures, validation errors, or policy inconsistencies. By refreshing the device configuration, FortiManager retrieves the most recent running configuration from the device and synchronizes it with the database. This ensures that all policies, objects, and system settings shown in FortiManager match the actual live configuration. Keeping this information current is essential for accurate policy management, clean revision tracking, and successful installations. It also helps prevent accidental overwrites of valid device configurations, thereby protecting the network from unintended disruptions caused by outdated data being pushed back onto the device.

Reinstalling the firmware is far too invasive for a mere configuration mismatch and can introduce unnecessary downtime and potential risk. Deleting the ADOM would remove all associated devices, objects, and policies, causing significant operational disruption and offering no benefit for addressing configuration desynchronization. Disabling workspace mode does not affect the underlying issue of outdated device data and is unrelated to synchronization problems. Compared to these alternatives, refreshing the device configuration is the safest, most efficient, and most direct method to restore accuracy and maintain proper management alignment.

Q79. FortiManager needs to periodically delete unused revisions to keep storage stable. What feature accomplishes this automatically?


A) Revision Pruning Schedule
B) Revision Diff
C) Rebuild Database
D) Forced Compression

Answer: A

Explanation: 

A revision pruning schedule is the most appropriate solution when an Administrative Domain begins accumulating a large number of configuration revisions over time, leading to increased storage usage and slower performance when browsing or comparing revisions. Every time an administrator installs a policy package or makes a significant change, FortiManager automatically creates a new revision. While these revisions are valuable for audit trails, rollback capability, and troubleshooting, they can eventually become too numerous, causing the system to use more disk space and potentially slowing down revision operations. By enabling a revision pruning schedule, administrators can automate the cleanup process so that older or unnecessary revisions are removed according to defined retention rules. This ensures that the system maintains only the most relevant and recent revisions while eliminating stale entries that are unlikely to be needed. Automated pruning also reduces manual workload, supports long-term system health, and keeps the revision history manageable without compromising the ability to trace important configuration changes.

Revision Diff helps compare differences between revisions but does nothing to reduce the number of revisions or address storage concerns. Rebuilding the database is a drastic operation intended for corruption or serious system issues, not for routine revision maintenance. Forced compression can reduce the size of stored revisions but does not control how many revisions exist or manage long-term revision growth. Compared to these alternatives, implementing a revision pruning schedule is the most efficient and sustainable way to automatically manage revision accumulation and maintain system performance.

Q80. An ADOM contains over 500 address objects, making navigation slow. What improves efficiency?


A) Tagging and grouping objects
B) Moving objects to Global ADOM
C) Deleting and recreating ADOM
D) Disabling search index

Answer: A

Explanation: 

Tagging and grouping objects is the most effective approach when administrators need a clearer way to organize large numbers of address objects, services, user groups, or other configuration elements within FortiManager. As environments grow, the object database can become cluttered with numerous entries created by different teams or inherited from older configurations. This makes it increasingly difficult to locate objects quickly, maintain consistency, or understand how objects relate to specific policies or device groups. By using tags, administrators can assign meaningful labels to objects based on function, location, department, application, or any other organizational category. Grouping objects further enhances clarity by combining related items into logical collections that can simplify policy creation and ongoing management. Together, tagging and grouping significantly improve navigation, reduce time spent searching through long object lists, and support cleaner policy designs. This approach also helps ensure that administrators maintain better oversight of object usage and reduces the risk of mistakenly editing or selecting the wrong item in a busy configuration environment.

Moving objects to the Global ADOM is only appropriate when multiple ADOMs truly require shared objects, and it does not address the challenge of internal organization within a specific ADOM. Deleting and recreating the ADOM is far too drastic and unnecessary, as it would erase all existing configurations and require a complete rebuild. Disabling the search index would negatively impact system performance and make locating objects even more difficult, directly contradicting the goal of improving organization. Compared to these alternatives, tagging and grouping objects offer the safest, most practical, and most efficient way to enhance clarity and maintainability in complex configuration environments.

 
