Fortinet FCP_FMG_AD-7.4 FCP FortiAuthenticator 6.5 Administrator Exam Dumps and Practice Test Questions Set 6 Q101-120


Q101. An admin wants to prevent local admins on FortiGate devices from modifying firewall policies directly, ensuring all changes come through FortiManager. What must be enabled?

A) Policy and Objects Lockdown
B) Central Management Enforcement
C) Workspace Mode
D) Device Template Lock

Answer: B

Explanation: 

Policy and Objects Lockdown is a mechanism used to restrict modifications to important configurations such as security policies, network objects, and service definitions. Its primary purpose is to preserve the integrity and consistency of the security environment by preventing unauthorized or accidental adjustments. While it helps maintain stable configurations, this option focuses on safeguarding specific elements rather than enforcing rules across multiple systems or locations. Central Management Enforcement, on the other hand, provides a unified method for applying standardized configurations and policies across an entire network of managed devices. By using a central authority, administrators can ensure consistency, prevent configuration drift, streamline updates, and maintain compliance throughout the organization. This approach is ideal for large or distributed environments where uniform governance is essential, and this makes it the correct answer when enforcement across multiple systems is required.

Workspace Mode is designed to support administrative workflow by allowing changes to be made and reviewed in an isolated environment before being committed. Its aim is to reduce errors and improve the clarity of configuration changes, but it does not impose centralized control. Device Template Lock restricts the ability to alter device templates, ensuring that the baseline configuration remains intact. Although it protects the structure of templates, it does not enforce organization-wide policies. Therefore, the correct answer is B.

Q102. A device install fails because an interface referenced in the policy does not exist on the target device. What is the correct solution?

A) Configure Per-Device Interface Mapping
B) Remove the rule
C) Reset interface names
D) Create ADOM override

Answer: A

Explanation: 

Configure Per-Device Interface Mapping is a feature used in environments where a central management system oversees multiple devices that do not share identical physical or logical interface structures. In many networks, especially those with diverse hardware models or varying site requirements, interface names and layouts differ from one device to another. Per-Device Interface Mapping allows administrators to associate a standardized, centrally defined interface with the correct local interface on each individual device. This ensures that centrally created policies, routing configurations, and objects apply accurately even when devices have different interface naming conventions. By enabling this mapping, administrators maintain consistent policy deployment without needing to redesign or duplicate rules for every unique hardware configuration. This is why it is the correct answer in scenarios requiring policies to be applied across devices with different interface setups.

Removing the rule would eliminate the policy or configuration entirely, which is typically not the intended solution when the goal is simply to resolve an interface mismatch. Resetting interface names may seem like an option, but it is impractical and potentially disruptive because devices often rely on their native interface structure, and renaming could break existing configurations or services. Creating an ADOM override allows customization within a specific administrative domain but does not address interface discrepancies across different devices. It simply provides a way to modify profiles or objects for a particular ADOM. Since the issue in this case is specifically related to differing device interfaces, ADOM overrides would not resolve the underlying mismatch. Therefore, Configure Per-Device Interface Mapping is the correct and most appropriate option.

Q103. An admin wants to ensure local ADOM administrators cannot modify global address objects. Which configuration enforces this?

A) Admin Profiles
B) Workflow Mode
C) Global ADOM override
D) Object locking

Answer: A

Explanation: 

Admin Profiles are used to define and control the permissions granted to administrators within a centralized management environment. These profiles determine what actions an administrator can perform, what areas of the system they can access, and the level of control they are allowed to exercise. By assigning specific privileges through Admin Profiles, organizations can enforce role-based access control, ensuring that each administrator only has the authority appropriate to their responsibilities. This approach enhances security, minimizes misconfigurations, and prevents unauthorized changes by limiting access to sensitive configuration areas. Because Admin Profiles directly manage administrative permissions, this option is the correct answer when the task involves adjusting or restricting what an administrator is allowed to do within the system.

Workflow Mode is designed to introduce an approval process into configuration changes. When enabled, any proposed modification must follow a structured sequence of submission, review, and approval before being applied. This improves oversight and reduces the risk of errors but does not directly control or adjust permissions for individual administrators. Global ADOM override allows administrators to modify objects at the global level but customize them within specific administrative domains. While useful for multi-ADOM environments, it does not manage administrator privileges. Object locking is a mechanism used to prevent simultaneous edits by multiple users, ensuring that configuration changes do not conflict. It helps maintain consistency during updates but does not determine what actions administrators are allowed to take. Since only Admin Profiles provide the ability to define and enforce administrator permissions, option A is the correct answer.

Q104. A CLI template contains a variable <branch_id>, but installation fails because the variable isn’t assigned for some devices. How do you fix it?

A) Assign variable values in Per-Device Template Variables
B) Remove the variable
C) Convert variable to static text
D) Recreate the template

Answer: A

Explanation: 

Assigning variable values in Per-Device Template Variables is the method used when a template includes placeholders that must resolve differently for each managed device. In many centralized management environments, templates are created to standardize configurations across multiple devices, but not all devices share identical settings such as interface names, IP addresses, or location-specific parameters. Per-Device Template Variables allow administrators to define unique values for each device while still maintaining a single, centrally managed template. This approach preserves consistency in structure while offering flexibility where variations are required. Rather than modifying the template itself, administrators simply assign the appropriate value for each device, ensuring that the template expands correctly during deployment. This avoids configuration mismatches and eliminates the need for redundant templates. Because the issue in this scenario relates to missing or undefined variable values, the correct solution is to assign the needed values within the Per-Device Template Variables section.

Removing the variable would not solve the underlying requirement for device-specific customization and might cause the template to break if the variable is referenced in multiple places. Converting the variable to static text would eliminate its dynamic nature and force all devices to use the same configuration, which defeats the purpose of having a shared template designed for diverse environments. Recreating the template is unnecessary and inefficient, especially when the template structure is correct and the only issue is the absence of defined variable values. Creating a new template would increase administrative overhead and introduce the risk of future inconsistencies. For these reasons, assigning values in Per-Device Template Variables is the most appropriate and effective solution, making option A the correct answer.

Q105. A large ADOM is taking too long to load and navigate. What is the best performance optimization?

A) Use ADOM Object Tagging
B) Disable indexing
C) Delete policy package
D) Remove all devices

Answer: A

Explanation: 

Using ADOM Object Tagging is an effective method for organizing, identifying, and categorizing objects within an administrative domain. In environments where many policies, addresses, services, or other configuration objects exist, it becomes increasingly important to maintain clarity and structure. ADOM Object Tagging allows administrators to apply descriptive tags to objects so they can be grouped logically, searched more easily, and referenced based on specific characteristics. This reduces time spent navigating large configurations, minimizes the risk of misidentifying objects, and improves overall management efficiency. Tags can also help maintain consistency across teams by ensuring everyone uses the same classifications and organizational methods. When the goal is to enhance object organization or address challenges in locating or categorizing configuration items, ADOM Object Tagging is the appropriate and targeted solution, making it the correct answer.

Disabling indexing would not help with organizing or identifying objects; instead, it would impair search performance, making it harder to find items within the system. Indexing is essential for quick lookups, and turning it off would create inefficiencies rather than resolving organizational needs. Deleting a policy package would remove all related configurations, which is drastic, unnecessary, and potentially harmful, especially when the objective is simply to better manage or label objects. Removing all devices would be even more extreme and completely unrelated to the task. Device removal would disrupt management operations and create significant configuration gaps. None of these alternatives address the underlying requirement to enhance object organization or improve searchability. Therefore, the correct and most appropriate approach is to use ADOM Object Tagging, making option A the valid answer.

Q106. An MSSP wants to enforce different firewall policies per tenant while maintaining a unified baseline security configuration. Which design approach should they use?

A) Global ADOM baseline with Local Overrides
B) Combined ADOM for all tenants
C) Shared policy package
D) Device-level scripts

Answer: A

Explanation: 

A global ADOM baseline with local overrides is a method used in multi-tenant or multi-domain environments where a central authority wants to maintain consistency while still allowing individual domains or tenants to customize certain parts of their configuration. The global baseline acts as a master template that defines core policies, objects, and configuration standards that apply across all ADOMs. This ensures uniform security posture, compliance, and operational consistency. Local overrides allow each ADOM or tenant to adjust specific elements that must differ due to unique operational requirements, regional differences, or specialized device setups. This approach provides a strong balance between centralized control and localized flexibility, ensuring that changes made globally do not disrupt tenant-specific needs while still enforcing a shared foundation. Because this structure supports both unity and customization, it is the correct solution when managing multiple tenants under a centrally governed framework.

Using a combined ADOM for all tenants would merge every tenant into a single administrative domain, eliminating necessary separation. This would create significant security risks, reduce isolation, and make it harder to manage tenant-specific requirements. A shared policy package is useful when multiple devices need identical rules, but it does not offer the layered control required in multi-tenant scenarios and lacks the ability to selectively override configurations. Device-level scripts enable automation and per-device customization, but they do not provide the structured hierarchy or centralized governance needed when multiple tenants rely on a standardized baseline. Scripts are typically used for operational tasks rather than architectural policy design. Therefore, the global ADOM baseline with local overrides is the most appropriate and comprehensive solution, making option A the correct answer.

Q107. A FortiGate cluster reports a sync error because one unit has uncommitted local changes. How should the admin fix this?

A) Commit or discard local changes on the FortiGate
B) Reboot cluster
C) Delete secondary unit
D) Reset VDOMs

Answer: A

Explanation: 

Committing or discarding local changes on the FortiGate is the appropriate action when a device shows configuration discrepancies between its local settings and those managed from a central system such as FortiManager. Local changes that remain uncommitted or unreviewed can cause the device to appear out of sync, leading to warnings, deployment failures, or mismatches during policy installation. By either committing the changes to finalize them or discarding them to revert to the centrally defined configuration, the administrator restores consistency and ensures that the device aligns with the intended management state. This simple but essential step resolves most synchronization issues without requiring disruptive actions. It helps maintain stability within managed environments and ensures that configuration deployments from the central manager proceed smoothly. Because the scenario involves synchronizing and resolving conflicts between local and centralized configurations, choosing to commit or discard local changes is the correct and most efficient solution.

Rebooting the cluster would force both units to restart, which is unnecessary and could disrupt production traffic. It would not directly address configuration inconsistencies and may introduce additional downtime risks. Deleting the secondary unit would break the high availability structure and require rejoining the device, which is an extreme action unrelated to resolving local configuration differences. Resetting VDOMs would wipe virtual domain configurations, resulting in major loss of settings, service interruptions, and extensive reconfiguration work. None of these alternatives address the root cause, which is simply uncommitted local changes. Therefore, the correct and most appropriate action is to commit or discard the local changes on the FortiGate, making option A the valid answer.

Q108. A policy install preview shows dynamic addresses resolving incorrectly for branch offices. What must be configured?

A) Per-Device Dynamic Object Mapping
B) Static address objects
C) Template variables
D) HA override mode

Answer: A

Explanation: 

Per-Device Dynamic Object Mapping is the correct solution when different devices require unique values for an address or other configuration object, but the organization still wants to maintain a single centrally managed policy or object definition. In large or distributed deployments, it is common for devices at different sites to use different IP addresses, interface identifiers, or service parameters while still relying on a shared policy structure. Dynamic Object Mapping allows administrators to assign individual values for each device while keeping the main object consistent across the system. This ensures that policy installations succeed without forcing administrators to create multiple copies of the same policy package or object. It also greatly simplifies configuration management because updates to the global object propagate correctly, and each device uses its own mapped value. The flexibility offered by Per-Device Dynamic Object Mapping makes it ideal for scenarios where central consistency and local customization must coexist, which is why it is the correct answer.

Static address objects cannot adapt to different device requirements and would force the creation of separate objects for every device, increasing administrative burden and causing policy duplication. Template variables are useful in template-based configurations, but they are not designed for dynamic runtime mapping of objects within shared policies. They require template structures and do not provide device-specific mappings within policy objects. HA override mode is related to high availability behavior and has no connection to per-device addressing or object customization. It governs which unit in an HA cluster takes priority but does not resolve object differences across multiple managed devices. Therefore, the proper approach is to use Per-Device Dynamic Object Mapping, making option A the correct and most suitable solution.

Q109. A FortiManager admin wants to track which admin changed a specific firewall rule. What feature provides this visibility?

A) Revision History
B) Policy Analyzer
C) Hit Counter
D) Object Merge Tool

Answer: A

Explanation: 

Revision History is an important feature used to track configuration changes over time, allowing administrators to review, compare, and restore previous versions of system configurations. In environments where multiple administrators make updates or where frequent adjustments occur, it becomes essential to maintain clear visibility into what was changed, when it was changed, and by whom. Revision History provides this level of transparency, making it possible to audit modifications, troubleshoot unexpected behavior, and revert to a stable configuration if issues arise. It serves as both a diagnostic and a governance tool, supporting accountability and ensuring that configuration changes follow organizational policies. Because the purpose of the question involves identifying which option provides visibility and restoration capabilities for past configurations, Revision History is the correct answer.

Policy Analyzer is designed to help administrators identify redundant rules, shadowed policies, or inconsistencies within the policy set. While useful for optimization and cleanup, it does not provide historical records or change-tracking capabilities. The Hit Counter provides information on how often a policy has been matched by traffic, which helps with troubleshooting and refining rules, but it does not relate to configuration revisions or historical changes. The Object Merge Tool assists in reducing object duplication by combining similar or identical objects, improving efficiency within large configurations. However, it does not offer any historical tracking or rollback features. Since none of these options provide the version tracking and restoration functions associated with configuration history, Revision History is the only correct and relevant answer.

Q110. A FortiGate reports “unauthorized changes detected” after a manual CLI configuration on the firewall. How does FortiManager resolve this?

A) Retrieve Config
B) Reinstall policy package
C) Delete device
D) Reset ADOM

Answer: A

Explanation: 

Retrieving the configuration is the correct action when a device’s stored configuration within the management system is out of sync with the actual configuration running on the device. In centralized management environments, the manager relies on an accurate copy of the device’s configuration to compare changes, deploy policies, and maintain consistency. If the configuration becomes outdated or inaccurate, retrieving the current configuration from the device ensures that the manager has the most recent and correct information. This process does not overwrite anything on the device; instead, it updates the management system’s internal record so that future policy installations and comparisons function properly. Retrieve Config is therefore a safe and non-disruptive method to restore alignment between the device and the manager, making it the appropriate answer in situations where the central system needs an updated copy of the actual device configuration.

Reinstalling the policy package pushes configurations from the manager to the device, which can result in overwriting device settings. This is risky if the manager’s stored version is already incorrect, because it may apply outdated or unwanted changes. Deleting the device removes it from management entirely, which is unnecessary and harmful, causing the loss of monitoring, logs, and stored configurations. Resetting the ADOM affects the entire administrative domain, potentially impacting many devices and configurations, making it far too drastic for a simple configuration sync issue. None of these options address the core requirement of updating the manager’s record of the device’s configuration. Therefore, Retrieve Config is the correct and most appropriate solution.

Q111. An admin wants to enforce a strict two-step approval system for all firewall changes. What feature must be turned on?

A) Workflow Mode
B) Workspace Mode
C) Object Lock
D) Device Sync Mode

Answer: A

Explanation: 

Workflow Mode is a feature designed to introduce structured oversight and approval processes into configuration management. When multiple administrators work within the same environment, changes must be controlled to prevent accidental misconfigurations, unauthorized updates, or conflicts between contributors. Workflow Mode provides a controlled sequence where one administrator creates or modifies a configuration item, another administrator reviews the proposed change, and a final approval step confirms whether the change should be implemented. This ensures that all modifications follow organizational standards and that experienced personnel validate changes before they affect the live environment. Workflow Mode is particularly valuable in larger organizations or regulated industries where accountability and traceability are essential. Because the question involves selecting an option that ensures changes go through an approval process, Workflow Mode is the correct answer.

Workspace Mode, while useful, functions differently. It allows administrators to work in an isolated environment where changes can be staged, edited, and reviewed before being committed. Although it helps reduce mistakes, it does not enforce a required multi-step approval process. Object Lock prevents multiple administrators from editing the same object simultaneously, ensuring that configuration conflicts do not occur, but it does not provide any approval workflow. Device Sync Mode deals with synchronizing device configurations and ensuring consistency between management systems and devices, but it is unrelated to approval-based change control. Since none of these alternatives provide the structured, multi-stage process required for controlled configuration review and authorization, Workflow Mode is the only correct choice, making option A the appropriate answer.

Q112. A policy package installation fails because it references a VPN interface that doesn’t exist on a branch device. What resolves this?

A) Per-Device VPN Mapping
B) Change ADOM version
C) Rewrite VPNTunnel object
D) Delete policy

Answer: A

Explanation: 

Per-Device VPN Mapping is the correct solution when a centrally managed VPN configuration must be applied across multiple devices that use different local tunnel interfaces, gateway addresses, or phase-1 and phase-2 parameters. In large or distributed networks, it is common for branches or remote sites to have unique WAN interfaces or distinct tunnel settings while still relying on a standardized VPN policy structure created in the manager. Per-Device VPN Mapping allows administrators to assign device-specific values to VPN objects so that each device receives the correct tunnel configuration without requiring separate policy packages or duplicated VPN definitions. This approach ensures accuracy, reduces administrative overhead, and maintains alignment between local device requirements and centralized configuration designs. It also prevents policy installation errors caused by mismatched interface names or differing endpoint parameters. Because the goal is to adapt a shared VPN configuration to multiple devices with differing tunnel details, Per-Device VPN Mapping is the appropriate and effective answer.

Changing the ADOM version does not address VPN configuration mismatches and would only affect the feature set available within the administrative domain. It would not correct device-specific VPN settings. Rewriting the VPNTunnel object forces creation of a new tunnel structure but does nothing to solve per-device parameter differences and could introduce further inconsistencies. Deleting the policy is unnecessary, disruptive, and unrelated to correcting tunnel mapping issues. None of these alternatives provide the mechanism required to apply VPN settings uniquely across multiple devices. Therefore, Per-Device VPN Mapping is the correct and most suitable choice, making option A the correct answer.

Q113. An admin wants to detect all disabled or shadowed policy rules. Which tool provides this?

A) Policy Analyzer
B) Hit Counter
C) Revision Diff
D) Unused Object Cleanup

Answer: A

Explanation: 

Policy Analyzer is the correct option when the goal is to identify issues such as policy conflicts, duplicated rules, shadowed policies, or rule ordering problems within a policy set. In large environments with many security rules, it becomes difficult to manually detect policies that overlap or contradict each other. Policy Analyzer performs automated analysis to highlight these issues so administrators can optimize the rulebase, improve performance, and ensure security policies are functioning as intended. It helps identify redundant entries, ensures rules are properly ordered, and reveals conditions where a policy is never triggered because it is overshadowed by another. This tool is extremely valuable for maintaining a clean, efficient, and logically correct policy structure. Because it is specifically designed to evaluate the quality and consistency of policies, it is the correct answer in scenarios where policy verification or optimization is required.

The Hit Counter provides information on how often each firewall policy is matched by traffic. Although useful for understanding traffic patterns or determining whether a rule is actively used, it does not analyze policy conflicts or structural issues within the rulebase. Revision Diff is used to compare different configuration revisions, highlighting what has changed between two versions, but it does not evaluate how policies interact or whether any rules are problematic. Unused Object Cleanup identifies address objects, services, or groups that are no longer referenced by any policy. This helps reduce clutter but does not analyze policy logic. Since none of these alternatives identify policy conflicts or optimization opportunities, Policy Analyzer is the only tool that satisfies the requirement, making option A the correct and most appropriate answer.

Q114. Some failed install jobs show “unsupported inspection profile” errors. The devices are older FortiGates. What should the admin do?

A) Replace unsupported profiles with compatible ones
B) Force install
C) Remove SSL inspection globally
D) Recreate the ADOM

Answer: A

Explanation: 

Replacing unsupported profiles with compatible ones is the correct approach when a policy package fails to install due to features or profile types that the target device cannot interpret or does not support. In environments where multiple FortiGate models or firmware versions are managed centrally, it is common for certain security profiles, such as advanced SSL inspection, antivirus settings, or intrusion prevention configurations, to vary in availability or capability across devices. When a device encounters an unsupported profile during installation, the policy push will fail, resulting in errors and incomplete deployments. The appropriate action is to review the profiles referenced in the policy package and replace them with versions that are compatible with the model and firmware of the target device. This preserves security functionality while ensuring successful installation. By aligning profile capabilities with what the device supports, administrators maintain both operational stability and consistent protection across the environment, which is why this is the correct answer.

Forcing the install may attempt to override compatibility issues but does not resolve the underlying conflict and can lead to partial configurations or device instability. Removing SSL inspection globally would strip essential security functionality across all devices, which is unnecessary and could reduce protection in environments where SSL inspection is supported. Recreating the ADOM is an extreme and unrelated action that would require rebuilding configuration structures and reassigning devices, causing significant administrative overhead without addressing incompatible security profiles. Because only replacing unsupported profiles with compatible ones directly solves the problem without introducing new risks or excessive changes, option A is the correct and most appropriate solution.

Q115. A device template pushes DNS settings to all branch devices, but one branch needs different DNS servers. How can this be done without creating a new template?

A) Override template values using Per-Device Variables
B) Clone the template
C) Disable template for the branch
D) Manually edit the branch device

Answer: A

Explanation: 

Overriding template values using Per-Device Variables is the correct approach when a centrally managed template needs to be applied across multiple branch devices that do not share identical configuration details. In large or distributed environments, it is common for devices at each branch to have unique interface names, IP addresses, routing parameters, or location-specific settings. A single global template cannot directly accommodate these differences without introducing conflicts or inconsistencies. Per-Device Variables solve this by allowing administrators to keep one unified template while still assigning individualized values for each device. These variables act as placeholders in the template, and each device receives the specific value required for its local environment. This ensures policy consistency, reduces administrative workload, and prevents the duplication of templates for every branch location. It also maintains clean configuration management because any future updates to the template automatically apply to all devices, while their unique variable values ensure that the deployed configuration remains accurate. For these reasons, overriding template values through Per-Device Variables is the most effective and scalable solution.

Cloning the template would create unnecessary copies that need separate maintenance, leading to configuration fragmentation and increased labor. Disabling the template for the branch defeats the purpose of centralized management and forces manual configuration, which introduces a higher risk of errors. Manually editing the branch device is possible, but it bypasses centralized control and causes future synchronization issues because local edits may conflict with template-based management. None of these alternatives offer the balance of consistency and customization required in multi-branch environments. Therefore, the correct answer is to override template values using Per-Device Variables, making option A the most appropriate and efficient solution.

Q116. An admin must verify whether a certain firewall rule has ever been used. What tool should they use?


A) Policy Hit Counter
B) Policy Analyzer
C) Object Merge Tool
D) Revision History

Answer: A

Explanation: 

A Policy Hit Counter shows how often each firewall policy has been matched by live traffic. This gives direct operational insight: which rules are actively used, which rarely see traffic, and which may no longer be necessary. Administrators rely on hit count data to optimize policy sets, remove outdated rules, and identify misconfigurations. For example, a rule that should be heavily used but shows zero hits usually means either that the expected traffic is not flowing or that a more general rule above it is matching first. Conversely, policies with very high hit counts may point to rules that are broader than intended and need refining. One practical caveat: counters can be cleared by an administrator, so a zero count strictly shows that nothing has matched since the counter was last reset, not since the rule was created. Because the question asks which tool provides visibility into actual traffic usage across policies, the Policy Hit Counter is the correct and most relevant answer.

The Policy Analyzer serves a different function: it identifies overlapping, shadowed, or redundant rules by static comparison of the rule definitions. Although it helps improve the structure and efficiency of the policy set, it does not provide real-time or historical traffic usage data. The Object Merge Tool eliminates duplicate objects by merging those with similar definitions, which keeps the configuration clean but offers no insight into how policies behave in operation. Revision History tracks configuration changes, allowing administrators to compare previous versions, audit modifications, or restore earlier states; it is useful for change control but unrelated to monitoring policy usage. Since none of these alternatives reveal how often policies are triggered by traffic, the Policy Hit Counter is the correct answer and the most appropriate tool for understanding real-world policy activity.
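To make the distinction between the two tools concrete, the following added example (not FortiManager code; the policy table and flow records are constructed for this illustration) evaluates a small top-down, first-match policy list against sample flows, counts hits per policy, lists the zero-hit policies, and then runs the static check a policy analyzer would perform: is a zero-hit rule sitting underneath a broader rule that covers all of its address and port space?

```python
import ipaddress
from collections import Counter

# Constructed policy table, in evaluation order (top down, first match wins).
# Policy 2 is intentionally shadowed by policy 1.
POLICIES = [
    {"id": 1, "src": "10.0.0.0/8",      "dst": "0.0.0.0/0",       "port": None, "action": "accept"},
    {"id": 2, "src": "10.1.0.0/16",     "dst": "203.0.113.0/24",  "port": 443,  "action": "accept"},
    {"id": 3, "src": "192.168.50.0/24", "dst": "203.0.113.10/32", "port": 22,   "action": "accept"},
    {"id": 4, "src": "0.0.0.0/0",       "dst": "0.0.0.0/0",       "port": None, "action": "deny"},
]

# Constructed flow records: (source address, destination address, destination port).
FLOWS = [
    ("10.1.2.3", "203.0.113.10", 443),
    ("10.1.2.3", "203.0.113.10", 443),
    ("10.9.9.9", "198.51.100.5", 80),
    ("192.168.50.7", "203.0.113.10", 22),
    ("172.16.0.1", "203.0.113.10", 22),
]


def matches(policy, src, dst, port):
    """True if a single flow matches this policy's source, destination and port."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(policy["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(policy["dst"])
            and (policy["port"] is None or policy["port"] == port))


def first_match(policies, src, dst, port):
    """Return the id of the first policy that matches, or None (implicit deny)."""
    for policy in policies:
        if matches(policy, src, dst, port):
            return policy["id"]
    return None


def hit_counts(policies, flows):
    """What a hit counter reports: matches per policy id, zero included."""
    counts = Counter({p["id"]: 0 for p in policies})
    for src, dst, port in flows:
        pid = first_match(policies, src, dst, port)
        if pid is not None:
            counts[pid] += 1
    return dict(counts)


def zero_hit_policies(policies, flows):
    """Policy ids that no flow in the sample ever reached."""
    return sorted(pid for pid, n in hit_counts(policies, flows).items() if n == 0)


def shadowing_policy(policies, target_id):
    """Static analyzer-style check: id of the first policy above the target
    whose source, destination and port fully cover the target's, else None."""
    target = next(p for p in policies if p["id"] == target_id)
    t_src = ipaddress.ip_network(target["src"])
    t_dst = ipaddress.ip_network(target["dst"])
    for policy in policies:
        if policy["id"] == target_id:
            return None
        if (t_src.subnet_of(ipaddress.ip_network(policy["src"]))
                and t_dst.subnet_of(ipaddress.ip_network(policy["dst"]))
                and (policy["port"] is None or policy["port"] == target["port"])):
            return policy["id"]
    return None


if __name__ == "__main__":
    print("hit counts:", hit_counts(POLICIES, FLOWS))
    for pid in zero_hit_policies(POLICIES, FLOWS):
        print(f"policy {pid} has zero hits; shadowed by: {shadowing_policy(POLICIES, pid)}")
```

The hit counter answers "was this rule used?"; the shadowing check answers "could this rule ever be used given what sits above it?". The two disagree in an instructive way: a rule can have zero hits without being shadowed (no such traffic exists yet), and a shadowed rule will always show zero hits no matter how much traffic it was meant to match.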

Q117. After a failed installation, FortiManager reports “invalid certificate reference.” What should the admin do?


A) Reimport certificates from device
B) Remove certificate inspection
C) Change ADOM version
D) Disable HTTPS scanning

Answer: A

Explanation: 

Reimporting certificates from the device is the correct solution when the management system holds missing, outdated, or mismatched certificate information for a managed firewall. Certificates are referenced by SSL inspection profiles, authentication settings, and the secure channel between the manager and the device. If the central manager's record of them is incomplete or inaccurate, policy installation can fail with errors such as an invalid certificate reference, SSL inspection can break, or the manager can warn about unsupported certificate configurations. Reimporting certificates directly from the device gives the manager the current certificate data, restoring synchronization and preventing deployment conflicts. The action is safe and nondisruptive: it only corrects the discrepancy between what the device actually uses and what the management database believes is installed, without altering security policies or breaking existing services, which makes it the most appropriate and effective choice.

Removing certificate inspection would disable functionality that many networks rely on for visibility and threat detection. This would reduce security and does not address the underlying synchronization problem. Changing the ADOM version is unrelated to certificate management and may introduce compatibility issues or require additional adjustments that have nothing to do with the missing certificate data. Disabling HTTPS scanning would eliminate encrypted traffic inspection entirely, which is a significant reduction in security and unnecessary when the issue is simply a certificate mismatch. None of these alternatives solve the root cause in a targeted or safe way. The correct approach is to reimport certificates from the device so the manager and firewall remain aligned, making option A the right answer.

Q118. A FortiGate device is reachable but shows “config status: out-of-sync”. What should be done first?


A) Retrieve Config from the device
B) Force Install the policy
C) Delete the device
D) Promote a different revision

Answer: A

Explanation: 

Retrieving the configuration from the device is the correct first action when the management system detects a mismatch between its stored configuration and what is actually running on the managed device. In centralized management environments, the manager must hold an accurate, up-to-date copy of the device configuration so that policy installations, comparisons, and synchronization checks work correctly. Over time, administrators may make urgent local changes directly on the device, or certain operations may cause the manager's copy to fall out of sync. Retrieve Config pulls the current running configuration from the device and stores it on the manager as a new revision without modifying anything on the device itself. That makes it the least risky way to resolve an out-of-sync condition, and it also lets the administrator diff the new revision against the previous one to see exactly what changed locally before deciding whether to keep those changes or reinstall the intended configuration. By ensuring the management system has the latest and most accurate information, administrators prevent installation errors and misalignment in future deployments. For this reason, Retrieve Config is the correct answer.

Forcing the installation of a policy package is not advisable when the manager's stored configuration is already inaccurate. Doing so may overwrite valid local settings and cause service interruptions or unintended behavior. Deleting the device would remove it from centralized management entirely, leading to loss of revision history, monitoring, and policy association, which is unnecessary and harmful for such a simple issue. Promoting a different revision changes which configuration revision the manager treats as current but does not address the core problem of outdated or mismatched device data. None of these alternatives update the manager's view to match the device. Therefore, retrieving the configuration from the device is the most appropriate and effective solution, making option A the correct answer.

Q119. An admin wants to remove all ADOM revisions older than 90 days automatically. Which feature performs this task?


A) Revision Pruning Policy
B) ADOM Compression
C) Global Cleanup Script
D) Workflow Auto-Delete

Answer: A

Explanation: 

A revision pruning policy manages the growth of stored configuration revisions within an administrative domain. Every configuration change, installation, or retrieve can create a new revision. Keeping revision history is useful for auditing and rollback, but letting revisions accumulate indefinitely leads to excessive storage usage, slower system performance, and difficulty navigating old revisions. A revision pruning policy automatically removes older or unnecessary revisions based on defined criteria such as age or the number of revisions retained. With such a policy in place, the system keeps only recent or meaningful revision points and discards versions that are no longer relevant, which preserves system efficiency, keeps the history readable, and prevents the ADOM from becoming cluttered. Since the goal is to remove revisions older than 90 days automatically, a revision pruning policy is the correct solution.

ADOM compression is intended to compress ADOM-level data to reduce storage consumption, but it does not selectively manage or remove revisions. It simply compresses content and does not address revision accumulation or revision lifecycle control. A global cleanup script could be used for mass cleanup tasks, but it is not targeted, standardized, or safe for managing revision inventories, and it risks removing important data without structured rules. Workflow auto-delete relates to workflow operations and approval processes but has no connection to revision retention or pruning. It would not resolve the issue of excessive revisions in an ADOM. Therefore, the proper approach to managing revision growth and maintaining a clean, efficient ADOM structure is to apply a revision pruning policy, making option A the correct answer.

Q120. A device cannot install policies because its firmware is too old for the ADOM version. What is the correct solution?


A) Downgrade the ADOM or upgrade the device firmware
B) Force install
C) Rebuild ADOM
D) Disable policy version check

Answer: A

Explanation: 

Downgrading the ADOM or upgrading the device firmware is the correct approach when there is a version mismatch between the ADOM and the managed device. In centralized management environments, the ADOM version defines which features, syntax structures, and policy capabilities are supported. If the ADOM is set to a higher version than the device firmware, the manager may attempt to push configuration that includes features or syntax the device cannot interpret, resulting in installation errors, unsupported settings, or partial deployments. Aligning the versions, either by downgrading the ADOM to match the device or by upgrading the device firmware to match the ADOM, restores compatibility and a stable management relationship. This step is essential for proper synchronization, policy installation, and accurate configuration rendering, and it eliminates the recurring errors and inconsistent behavior that version differences cause. Because the issue is directly a compatibility problem, adjusting the ADOM or device version is the only correct and safe solution.

Forcing installation does not resolve the version mismatch and may push unsupported commands to the device, potentially causing operational problems or policy failures. Rebuilding the ADOM is unnecessary and excessive, as it affects all configurations stored within that ADOM and does not inherently fix the version conflict. Disabling policy version check is not a recommended practice because it bypasses important safeguards designed to ensure compatibility between the manager and the device. Ignoring version warnings can create significant long-term issues, including unstable policies and incorrect system behavior. The only proper and reliable solution is to align versions by downgrading the ADOM or upgrading the device firmware, making option A the correct answer.
