Click here to access our full set of Fortinet FCP_FMG_AD-7.4 exam dumps and practice tests.
Q141. Admin wants to ensure that no policy package can be installed without mandatory approval from the security leaD) What must be enabled?
A) Workflow Mode
B) Workspace Mode
C) ADOM Lock
D) Object Lock
Answer: A
Explanation:
Workflow Mode is a structured operational approach that ensures configuration changes follow a controlled and traceable process. When this mode is enabled, administrators must submit their changes for review and approval before they can be applied to the live environment. This creates a multi-step workflow that clearly defines who initiates, reviews, and authorizes each modification. Such a system is especially valuable in organizations where multiple administrators work simultaneously or where regulatory standards require detailed documentation of all configuration activities. By ensuring every change is assessed and approved, Workflow Mode helps prevent accidental disruptions, unauthorized modifications, and inconsistencies across the system. It provides stability, transparency, and accountability throughout the entire configuration lifecycle.
Workspace Mode functions as an isolated editing environment that allows administrators to create and test configuration changes without affecting current operations. The changes remain separate until they are reviewed and committed, which reduces the risk of service interruptions and supports careful planning. ADOM Lock serves as a mechanism that restricts access to a specific Administrative Domain so only one administrator can make changes at a time. This avoids conflicting edits and ensures consistency within that domain. Object Lock operates at a more granular level by locking individual configuration objects, preventing simultaneous modifications by different users. These mechanisms support safe, organized, and conflict-free administrative work. The correct answer is A)
Q142. A device shows “import conflict” because multiple objects share the same IP but different names. What tool resolves this safely?
A) Object Merge Tool
B) Revision Restore
C) Policy Analyzer
D) Hit Counter
Answer: A
Explanation:
The Object Merge Tool is a feature designed to simplify the consolidation of duplicate or overlapping configuration objects within a system. Over time, especially in environments managed by multiple administrators, it is common for similar or identical objects to be created unintentionally. This can lead to clutter, confusion, and inefficiencies in policy management. The Object Merge Tool identifies these redundant objects and allows administrators to combine them into a single, clean, and unified entry. By doing so, it reduces configuration complexity, helps maintain consistency, and minimizes the chance of errors caused by referencing outdated or duplicated objects. This tool is especially useful during system clean-ups, migrations, or large-scale policy restructuring, where maintaining organized and accurate object databases is essential.
Revision Restore is a feature that allows administrators to revert the configuration to an earlier saved version. This is helpful when a recent change causes issues or unexpected behavior. Policy Analyzer, on the other hand, is used to compare policies, identify differences, and detect conflicts or overlaps between rules. It is valuable for optimization and troubleshooting. The Hit Counter provides visibility into how often each policy rule is triggered, helping administrators understand rule usage and effectiveness.
Based on the context of the question, the correct answer is A)
Q143. An admin creates a new IPS profile but it won’t install on some smaller devices. The profile uses advanced signatures. What is the correct action?
A) Enable Content Security Optimization
B) Remove IPS entirely
C) Clone ADOM
D) Force install
Answer: A
Explanation:
Enable Content Security Optimization is a feature designed to improve the efficiency and performance of security-related inspection processes. In environments where multiple security profiles are applied, such as antivirus, web filtering, intrusion prevention, and application control, the system may experience increased resource usage due to repeated scanning or overlapping functionality. Content Security Optimization streamlines these processes by coordinating how different security engines analyze traffic, reducing redundant scanning tasks and improving throughput. This helps ensure that inspection remains effective without placing unnecessary load on the system. By activating this option, administrators can achieve a balance between strong security enforcement and optimal performance, particularly in networks with high traffic volume or complex security configurations. It is often recommended when performance issues arise due to multiple content security features running concurrently.
Remove IPS entirely refers to the complete deletion or disabling of Intrusion Prevention System features. This is generally not advisable because IPS is a critical layer of security that detects and blocks malicious activity. Clone ADOM is an option that allows administrators to duplicate an Administrative Domain for testing, migration, or backup purposes, but it is unrelated to optimizing security performance. Force install is used to push configurations even when errors or conflicts exist, which is typically reserved for troubleshooting scenarios.
Given the context, the correct answer is A)
Q144. A FortiGate reports “config sync error” but the admin confirms the cluster is synceD) FortiManager still shows an issue. How do you fix it?
A) Refresh Device Configuration
B) Reboot device
C) Delete subordinate
D) Disable HA
Answer: A
Explanation:
Refresh Device Configuration is an option used when the system needs to retrieve the most up-to-date configuration from a connected device. In environments where devices are centrally managed, it is possible for changes to be made directly on the device instead of through the management platform. When this occurs, the configuration stored in the manager may no longer match what the device is currently using. Refresh Device Configuration collects the latest settings from the device and updates the management system accordingly. This ensures accuracy, prevents configuration mismatches, and reduces the risk of deploying outdated or conflicting settings during future installations. It is particularly important in scenarios where multiple administrators interact with the system or when urgent troubleshooting leads to direct device-level adjustments. By keeping both sides synchronized, operations remain smooth and consistent.
Reboot device is a basic maintenance action used when a device needs to restart to apply certain updates or to resolve operational issues, but it does not address configuration alignment. Delete subordinate refers to removing another device that depends on a primary device, which is unrelated to refreshing or synchronizing configurations. Disable HA involves turning off high availability mode in a cluster, typically used for troubleshooting or reconfiguration, but again has no direct role in updating configuration records.
Q145. A device needs a custom static route that should NOT be overwritten by FortiManager installation. What must the admin do?
A) Add the route into FortiManager’s device settings
B) Disable central routing
C) Delete all routes
D) Use route exclusion mode
Answer: A
Explanation:
Add the route into FortiManager’s device settings is the correct action when FortiManager needs to recognize or manage specific routing information for a device. In many network environments, FortiManager relies on the routing entries defined in its device database to properly validate configurations, push policies, and maintain accurate communication paths. If a route exists on the managed device but is not reflected in FortiManager’s stored configuration, inconsistencies may occur during installations or policy checks. Adding the route directly into FortiManager’s device settings ensures that both the management system and the device share a synchronized understanding of the network topology. This reduces the chance of errors during configuration deployment and helps maintain a stable and predictable management workflow. It is particularly important when static routes or additional networks have been introduced directly on the device, as FortiManager must mirror these changes to remain fully aware of the connectivity landscape.
Disable central routing would remove the centralized routing approach, which is not necessary unless there is a structural redesign of the networking model. Delete all routes would cause major disruption and is never an appropriate response to a simple synchronization issue. Use route exclusion mode is a specialized option that prevents certain routes from being managed or validated, but it does not replace the need to ensure accurate routing information within FortiManager.
Q146. Admin wants to see how many hits a specific rule has had in the last week. What provides this data?
A) Hit Counter
B) Policy Analyzer
C) Revision Diff
D) Object Cleanup
Answer: A
Explanation:
Hit Counter is a feature used to monitor how frequently individual firewall policies are triggered within a device or management system. By displaying the number of times each policy has been matched by network traffic, the Hit Counter provides valuable insight into how policies are being used in real time. Administrators can identify which rules are actively contributing to traffic handling, which ones may be redundant, and which policies are never hit at all. This information is extremely helpful when optimizing rule bases, removing unnecessary entries, and improving overall network performance. The Hit Counter also assists with troubleshooting, as it allows administrators to verify whether traffic is reaching the intended policy or being directed elsewhere due to incorrect rule order or configuration mistakes. By reviewing these counts, a clearer understanding of how traffic moves through the firewall can be gained, leading to more efficient maintenance and cleaner policy sets.
Policy Analyzer serves a different purpose by comparing policies and identifying conflicts or inconsistencies. Revision Diff is used to compare two configuration versions to highlight what has changed between them. Object Cleanup focuses on removing unused or duplicate objects from the configuration database. While these tools are valuable, they do not provide real-time visibility into policy usage. For this reason, the correct answer is A)
Q147. A security policy references a certificate that has been deleted locally on the device. Installation fails. What should the admin do?
A) Reimport certificates from the device
B) Disable certificate inspection
C) Force install
D) Remove the policy
Answer: A
Explanation:
Reimport certificates from the device is the correct action when there is a mismatch, missing entry, or synchronization issue involving certificates between a managed device and the management system. Certificates play an essential role in secure communication, deep inspection processes, and encrypted traffic handling. When certificates are added, renewed, or modified directly on the device, the management platform may not automatically detect these changes. As a result, the stored certificate inventory within the management system may become outdated or incomplete. Reimporting certificates ensures that the management system retrieves the latest certificate information from the device, updates its internal database, and restores full alignment. This prevents installation errors, avoids inspection failures, and ensures that all certificate-based features continue to function reliably. This action is especially important after certificate renewals, deployments of new inspection rules, or troubleshooting scenarios where the management system cannot validate or reference the correct certificate set.
Disable certificate inspection would stop encrypted traffic inspection entirely, which is not advisable unless required for troubleshooting and certainly does not resolve a certificate synchronization issue. Force install pushes the configuration even when mismatches exist, but it does not fix missing certificate data and can lead to further inconsistencies. Removing the policy is unnecessary and does not address the root problem related to certificate alignment.
Q148. Admin wants all new devices to automatically appear in a specific ADOM after authorization. What should they configure?
A) Automatic ADOM Assignment Rules
B) Workspace Mode
C) Global ADOM
D) Revision Templates
Answer: A
Explanation:
Automatic ADOM Assignment Rules are used to streamline and simplify the process of placing devices into the correct Administrative Domains within a management system. In environments where many devices are added over time, manually assigning each one to its appropriate ADOM can become slow, repetitive, and prone to mistakes. Automatic assignment rules solve this by applying predefined criteria such as device model, serial number patterns, firmware versions, geographic identifiers, or naming conventions. When a new device is discovered or added, the system evaluates it against these rules and automatically places it into the correct ADOM without requiring any manual intervention. This improves consistency across the management environment, ensures that devices are organized correctly from the beginning, and helps administrators maintain cleaner, more logical structures. It also prevents the risk of misplacing devices, which could complicate configuration management, policy deployment, or administrative access control. These rules are especially beneficial for large organizations, service providers, or deployments where new devices regularly come online.
Workspace Mode is a configuration editing method that provides isolated workspaces but does not handle ADOM assignments. Global ADOM is used for managing shared objects across multiple ADOMs, not for placing devices. Revision Templates relate to standardized configuration revision practices and offer no functionality for automatic device placement. Therefore, the correct answer is A)
Q149. A policy contains a dynamic service object unsupported by older firmware. How should the admin resolve installation failure?
A) Replace the dynamic service with a static equivalent
B) Recreate ADOM
C) Reset device
D) Adjust HA priority
Answer: A
Explanation:
Replace the dynamic service with a static equivalent is the correct action when a configuration issue arises due to the use of dynamic service objects that are not properly recognized or supported in a given context. Dynamic services are often tied to predefined, automatically updated service definitions that depend on system-level data or external updates. In some scenarios, the management platform may not fully interpret these dynamic entries, especially during policy validation or installation. This can lead to errors, warnings, or failed deployments. Replacing the dynamic service with a static equivalent resolves the problem because static services are explicitly defined, consistently stored, and universally recognized across devices and management systems. A static definition ensures predictable behavior, eliminates ambiguity, and allows policies to be installed without conflict. By substituting the dynamic object for a static one that mirrors the needed ports or protocols, administrators maintain the intended security control while ensuring compatibility and stability.
Recreate ADOM is an extreme and unnecessary step, involving significant reconfiguration work that does not address a simple service object mismatch. Reset device would restore the device to default settings, causing major disruption and loss of configuration, making it inappropriate for resolving an issue related to a single service entry. Adjust HA priority affects the role of devices within a high availability cluster and has no relationship to service object compatibility or policy validation.
Q150. Admin needs to compare the last installed configuration with the currently edited configuration. What should they use?
A) Revision Diff
B) Hit Counter
C) Template Diff
D) Policy Analyzer
Answer: A
Explanation:
Revision Diff is a feature designed to compare two different configuration revisions and clearly display the changes between them. When administrators make updates to device settings, policies, or system configurations over time, it becomes important to track what has been modified, added, or removeD) Revision Diff provides a structured and readable comparison by highlighting differences line by line or object by object, depending on the platform. This allows administrators to review historical changes, verify whether recent edits were made correctly, or identify the source of unexpected behavior after a configuration update. It is especially useful during troubleshooting, audits, or compliance reviews, where clear documentation of configuration evolution is requireD) By enabling a transparent view of differences between revisions, this tool helps maintain accountability, reduce mistakes, and ensure that configuration changes follow organizational standards. Revision Diff supports safe operational practices by allowing administrators to confirm the impact of changes before deploying them further or restoring an earlier revision if necessary.
Hit Counter is a feature used to track how often firewall policies are triggered, but it does not compare revisions. Template Diff focuses on identifying differences between configuration templates rather than actual device revisions. Policy Analyzer compares policies to detect conflicts or redundancies. None of these alternatives provide the detailed historical comparison that Revision Diff offers.
Q151. Admin wants to remove unused policies but ensure they truly have zero traffiC) What tool verifies this?
A) Hit Counter
B) Revision History
C) Object Merge
D) Template Variables
Answer: A
Explanation:
Hit Counter is a feature that provides valuable visibility into how frequently individual firewall policies are matched by network traffiC) When traffic flows through a device, each packet is evaluated against a sequence of rules, and the Hit Counter records the number of times each policy is triggereD) This information allows administrators to understand which rules are actively being used, which ones may no longer serve a purpose, and whether the rule order is functioning as intendeD) By reviewing these counts, administrators can determine whether traffic is reaching the correct policy or being filtered by an earlier rule that unintentionally intercepts it. The Hit Counter is especially helpful during troubleshooting, optimization, and cleanup activities. For example, if a policy has a zero count, it may indicate redundancy or misconfiguration. Similarly, if a rule receives a high number of hits unexpectedly, it may reveal traffic patterns that require further analysis. This makes the Hit Counter a practical and essential tool for managing and maintaining efficient security policies in a dynamic network environment.
Revision History, while useful, focuses on tracking past configuration versions rather than revealing how policies are used in real time. Object Merge is intended for consolidating duplicate objects, and Template Variables are used to standardize configuration templates across multiple devices. None of these functions provide traffic usage insights.
Q152. A device fails installation because the SD-WAN interface name doesn’t match the policy package. What resolves this?
A) Per-Device SD-WAN Mapping
B) Create static interface
C) Disable SD-WAN
D) Change ADOM
Answer: A
Explanation:
Per-Device SD-WAN Mapping is the correct option when different devices require their own specific SD-WAN interface assignments based on physical or logical differences in their network layouts. In large or distributed environments, devices may not share identical interface names, WAN links, or transport types. When SD-WAN rules or templates are applied uniformly, these differences can cause mismatches or configuration errors. Per-Device SD-WAN Mapping allows administrators to override the generic template settings and specify exactly which interfaces each device should use for its SD-WAN members. This ensures that every device receives a functional and accurate SD-WAN configuration, even when hardware or naming conventions differ. It is commonly used in deployments where template-based configuration is essential but device-level flexibility is also needed for stable operation. By defining these mappings individually, administrators maintain consistent policy logic while ensuring proper interface alignment per device, preventing installation failures and connectivity issues.
Create static interface does not address mapping variations across devices and is not a solution for SD-WAN configuration mismatches. Disable SD-WAN would remove the entire SD-WAN structure, which is unnecessary and counterproductive for resolving simple mapping issues. Change ADOM would shift the device into a different administrative domain but would not fix interface assignment problems within the SD-WAN configuration.
Q153. Admin wants to review all previous installation results across the last month. What provides this information?
A) Job History
B) Revision Diff
C) Workflow Queue
D) Object Cleanup
Answer: A
Explanation:
ob History refers to the detailed record of tasks or processes that a system has executed over time. This history typically includes information such as when a job started, how long it ran, whether it succeeded or failed, and any messages or logs generated during its execution. Having access to this information is essential for understanding how a system behaves during daily operations. It allows users and administrators to verify that routine jobs were completed correctly, identify any issues that may have occurred, and track patterns that could indicate deeper problems. Job History is also useful for auditing purposes, helping teams demonstrate that required processes ran as scheduled and met operational standards.
Revision Diff, on the other hand, is focused on comparing different versions of files or configurations to show what has changeD) Workflow Queue deals with tasks that are waiting to be processed, helping systems organize future work. Object Cleanup involves removing unused or outdated items to maintain system efficiency.
Among these choices, Job History stands out because it provides insights into past performance, assists with diagnosing errors, and supports long-term monitoring. It gives a clear picture of what has actually happened in the system, making it the most directly valuable answer in this context.
Q154. A VPN template includes multiple Phase 2 selectors that differ per branch. How does FortiManager support this?
A) Override Profiles
B) Global ADOM
C) ADOM Cloning
D) DNS Templates
Answer: A
Explanation:
Override Profiles refers to the ability to customize or adjust predefined settings within a management system so that specific devices, groups, or environments can operate with configurations different from the defaults. This feature is particularly important in large or diverse networks where not all devices share identical requirements. By using Override Profiles, administrators can apply tailored security policies, performance parameters, or operational rules without disrupting the baseline configuration used across the broader infrastructure. This creates a flexible and controlled approach to handling exceptions. It also ensures that unique device roles or environmental needs are addressed while preserving the consistency and stability of standard system-wide configurations. Override Profiles help reduce manual work by providing a structured method for making adjustments, and they lower the risk of misconfigurations by keeping overrides organized and traceable.
Global ADOM represents a centralized administrative domain used for broad configurations and device oversight. ADOM Cloning allows duplication of administrative domains for easier setup or testing. DNS Templates provide predefined DNS-related configurations for faster deployment across multiple systems.
Among these listed choices, Override Profiles stands out because it directly supports customization within a controlled framework. It ensures that deviations from standard settings are deliberate, documented, and manageable, making it the most fitting answer in this context.
Q155. An admin wants to ensure scripts run automatically after each installation. Which feature supports post-install automation?
A) Install Hooks
B) Workflow Mode
C) ADOM Variables
D) Event Logging
Answer: A
Explanation:
Install Hooks refers to mechanisms that allow specific actions or scripts to run automatically before, during, or after the installation of configurations or updates within a management system. These hooks act as checkpoints that can be customized to support various operational needs. For example, an administrator may use an install hook to validate configuration settings before pushing them to devices, ensuring that no conflicting or incomplete entries are applieD) Another use might involve triggering automated backups, sending notifications, or performing cleanup tasks immediately after an installation completes. This structured approach helps reduce errors, maintain consistency, and improve the reliability of deployment processes. Install Hooks are especially valuable in complex or large-scale environments where manual verification is impractical and automated safeguards significantly improve operational efficiency.
Workflow Mode focuses on guided approval processes for configuration changes, ensuring that multiple stakeholders participate in reviewing and authorizing updates. ADOM Variables provide reusable placeholders that simplify configuration templates across multiple administrative domains. Event Logging tracks system activities, making it easier to monitor performance, identify issues, and maintain audit trails.
The most fitting answer among the listed items is Install Hooks because it directly supports enhanced control, customization, and automation during the installation process. It offers a flexible way to ensure that deployments are consistent, validated, and aligned with organizational procedures.
Q156. Admin needs to block local admins from changing device hostname from the CLI. What must be configured?
A) Central Management Enforcement
B) Static Templates
C) Workspace Mode
D) Variable Locking
Answer: A
Explanation:
Central Management Enforcement refers to the ability of a management system to apply and maintain consistent policies, configurations, and operational rules across all connected devices from a centralized location. This feature ensures that devices follow organizational standards without allowing unauthorized or inconsistent changes at the local level. When central management is enforced, administrators can define security policies, system parameters, update schedules, and other operational rules once and distribute them uniformly. This approach significantly reduces configuration drift, which occurs when devices gradually become misaligned due to isolated adjustments or manual edits. It also strengthens compliance by ensuring that all managed devices adhere to required internal or regulatory guidelines. By enforcing centralized control, organizations gain improved oversight, reduce the risk of errors, and streamline the overall management of large or distributed networks.
Static Templates provide predefined configurations that can be applied to devices but do not dynamically adjust based on context. Workspace Mode creates a controlled environment where changes can be drafted, reviewed, and committed in a structured process. Variable Locking helps prevent accidental modification of key configuration variables that are shared among multiple objects or templates.
Among these items, Central Management Enforcement best reflects a system designed to maintain uniformity, reduce administrative burden, and ensure that all devices operate under a consistent configuration framework. This makes it the most appropriate answer.
Q157. A policy installation fails because a device-level override object has invalid values. What should the admin do?
A) Fix the override in Per-Device Mapping
B) Delete the override
C) Clone the policy package
D) Disable override mode
Answer: A
Explanation:
Fix the override in Per-Device Mapping refers to addressing configuration mismatches or conflicts that occur when certain settings are customized for individual devices rather than being inherited from the main policy package. Per-Device Mapping is often used when specific devices require slight adjustments due to unique network roles, hardware differences, or operational requirements. However, these localized overrides can sometimes fall out of sync with the primary configuration. Fixing the override ensures that the device-specific settings properly align with the intended structure of the policy while still retaining the necessary customization. This step helps maintain consistency across the environment and prevents potential deployment errors during installation or updates. Fixing the override also helps administrators verify that the mapping reflects the correct objects, interfaces, and values for each device, ensuring reliable and predictable behavior.
Deleting the override removes the device-specific customization altogether, reverting it to the main inherited configuration. Cloning the policy package creates a new, separate copy that may be used for testing or alternate environments. Disabling override mode stops the use of device-level customizations across the policy package, which could limit flexibility in complex setups.
Among these choices, fixing the override in Per-Device Mapping is the most appropriate action because it resolves the configuration inconsistency while preserving device-specific requirements.
Q158. A device is reachable but FortiManager shows old interface information. What action updates it?
A) Refresh Device
B) Reinstall policy
C) Change ADOM version
D) Restore revision
Answer: A
Explanation:
Refresh Device refers to the process of updating the management system with the most current information from a connected device. This action ensures that the manager accurately reflects the device’s existing configuration, status, interface details, firmware information, and any changes that may have occurred directly on the device. In environments where administrators occasionally make adjustments locally or where devices undergo modifications outside the central management platform, refreshing the device becomes essential. It synchronizes both sides, reduces discrepancies, and prevents issues that may arise from outdated or incorrect data stored in the management system. By performing a refresh, administrators gain clarity on the device’s current state, enabling better decision making during policy updates, troubleshooting, or configuration adjustments.
Reinstall policy pushes a policy package back to the device but does not necessarily update the manager’s understanding of changes made directly on that device. Changing the ADOM version affects compatibility and structural settings across the administrative domain and is not related to retrieving updated information from a specific device. Restoring a revision brings back a previous configuration snapshot but does not address the need to capture the device’s present state.
For these reasons, Refresh Device is the correct answer because it ensures accurate synchronization and prevents conflicts between stored configurations and real-time device settings.
Q159. Admin wants to prevent accidental deletion of critical zones in a policy package. What should they use?
A) Object Locking
B) Workflow Mode
C) ADOM Split
D) Manual Backup
Answer: A
Explanation:
Object Locking refers to the mechanism used in management systems to prevent multiple administrators from modifying the same configuration object at the same time. When an object is locked, it becomes reserved for the user who initiated the edit, ensuring that no one else can make conflicting or overlapping changes until the lock is releaseD) This approach is crucial in multi-administrator environments where several people may be working on similar policy sets, device objects, or shared configuration items. Without object locking, simultaneous edits could lead to inconsistencies, corrupted configurations, or overwritten work. By locking objects, the management platform maintains order, reduces the possibility of human error, and preserves the integrity of the system’s configuration structure. It also helps administrators track who is making changes, providing accountability and improving workflow transparency.
Workflow Mode introduces an approval-based change process, where updates require review and authorization before being applieD) ADOM Split separates an administrative domain into smaller segments to isolate management responsibilities or workloads. Manual Backup is the process of creating a configuration backup on demanD)
Among these selections, Object Locking is the most suitable answer because it directly addresses the need to control simultaneous modifications, safeguard shared resources, and maintain a stable multi-user configuration environment.
Q160. A firewall uses special IP pools not present in the policy package. Installation tries to delete them. What is the correct action?
A) Import device objects into FortiManager
B) Force install
C) Delete IP pools
D) Change NAT mode
Answer: A
Explanation:
Import device objects into FortiManager refers to the process of retrieving all relevant configuration objects from a managed device and bringing them into the FortiManager database. These objects may include address entries, service definitions, IP pools, routing information, interfaces, policies, and other configuration components that the device currently uses. Importing these objects is necessary when a device is newly added to FortiManager or when its configuration has changed outside the manager and needs to be synchronized Without this import step, FortiManager may display outdated or incomplete information, leading to issues when editing policies, applying updates, or performing installations. By importing device objects, administrators ensure that FortiManager has an accurate and complete set of data, allowing centralized management to function correctly and consistently.
Force install pushes the currently stored configuration to the device regardless of mismatches, which can lead to conflicts if objects are not properly synceD) Deleting IP pools removes specific address ranges but does not address synchronization issues. Changing NAT mode alters how traffic is translated, which is unrelated to ensuring that FortiManager has the correct configuration datA)
Therefore, the most appropriate answer is importing device objects into FortiManager, because it establishes proper alignment between the device and the management system, reduces errors during policy deployment, and maintains an accurate configuration database.
