Click here to access our full set of Fortinet FCP_FMG_AD-7.4 exam dumps and practice tests.
Q161. A policy install fails because the device is in “readonly” mode in FortiManager. What caused this?
A) Device was manually locked by another admin
B) Device template is corrupted
C) Firmware mismatch
D) ADOM version is incorrect
Answer: A
Explanation:
Device was manually locked by another admin refers to a situation in which a device or configuration object has been intentionally reserved by a different administrator within the management system. When a device is locked, it prevents others from making changes until the lock is releaseD) This mechanism is designed to ensure consistency and prevent conflicting edits in environments where multiple administrators may work simultaneously. If one administrator is currently editing device settings, performing a configuration review, or preparing changes for installation, the system marks the device as locked to avoid overlap. As a result, another administrator attempting to edit the same device may encounter restrictions or warnings. To proceed, the second administrator must wait for the lock to be released, request coordination, or follow internal procedures to handle locked resources. This ensures orderly workflow and minimizes the risk of configuration errors.
A device template becoming corrupted would typically cause template-related errors rather than lock warnings. Firmware mismatch may lead to compatibility or installation issues but does not result in device locking. An incorrect ADOM version affects structural compatibility and feature availability, not lock behavior.
For these reasons, the correct choice is that the device was manually locked by another admin, as this directly explains why access or editing is restricteD)
Q162. An admin needs to apply unique static DNS entries per device while using a unified template. What feature provides this flexibility?
A) Template Variables
B) Override Profiles
C) ADOM Nested Templates
D) Script Injection
Answer: A
Explanation:
Template Variables are used within configuration templates to provide flexible, reusable values that can adapt to different devices or environments without requiring separate templates for each case. These variables act as placeholders representing items such as IP addresses, interface names, device identifiers, or other configuration details that may vary from one device to another. When a template containing variables is applied, the management system automatically substitutes the correct values based on the device’s assigned mappings. This approach greatly simplifies large-scale deployments, reduces repetitive manual editing, and helps maintain consistency across multiple devices. Administrators can build a single standardized template while still preserving the ability to introduce device-specific details seamlessly.
Override Profiles focus on customized adjustments applied to specific devices, while ADOM Nested Templates support layered or hierarchical template structures that improve organization. Script Injection refers to executing scripts on devices and is unrelated to variable-driven configuration management.
Among these choices, Template Variables are the most appropriate answer because they provide an adaptable and dynamic foundation for scalable configuration management. By allowing a single template to serve multiple devices with individualized settings, they enhance efficiency, reduce errors, and streamline operations within complex network environments.
Q163. Admin receives an alert that a policy package has become “out-of-synC)” What is the first troubleshooting step?
A) Retrieve Config
B) Reinstall firmware
C) Delete policy package
D) Clone ADOM
Answer: A
Explanation:
Retrieve Config refers to the process of pulling the current configuration from a managed device into the management system so that the system has an up-to-date and accurate representation of the device’s settings. This step is especially important when changes have been made directly on the device rather than through centralized management. By retrieving the configuration, administrators ensure that both the device and the management platform are synchronized, reducing the risk of conflicts, installation errors, or outdated information being used during policy updates. Retrieve Config also helps maintain integrity within administrative domains, allowing the management system to correctly interpret policies, objects, templates, and mappings associated with the device. This action is typically used during initial onboarding, after manual adjustments, or as part of troubleshooting workflows.
Reinstall firmware focuses on upgrading or restoring the operating system of a device, which is unrelated to updating configuration content. Deleting a policy package removes a structured set of rules and configurations from the management system, a drastic step that does not assist in aligning device datA) Cloning an ADOM creates a duplicate administrative domain, useful for testing or migration, but it does not resolve configuration synchronization issues.
Therefore, Retrieve Config is the correct answer because it ensures the management system accurately reflects the device’s current operational setup, enabling reliable management and preventing configuration mismatches.
Q164. Some branch devices reject the newly pushed AV profile due to memory limitations. What should the admin configure?
A) Content Security Optimization
B) Ignore device capabilities
C) Force install
D) Rebuild ADOM
Answer: A
Explanation:
Content Security Optimization refers to improving the performance, accuracy, and efficiency of content awareness and security features within a managed security environment. This typically involves refining how the system inspects traffic, applies filtering rules, and manages resources related to content scanning. When content security is optimized, devices can more effectively analyze data passing through the network, identify threats, and enforce policies without creating unnecessary load or delays. Optimization may include adjusting inspection profiles, fine-tuning antivirus or web filtering settings, enhancing caching mechanisms, or ensuring that the latest security signatures and heuristics are applieD) By focusing on optimization, administrators help maintain strong protection while ensuring that devices operate smoothly and efficiently. This is especially important in environments with high traffic volumes or where multiple security layers must work together without degrading overall system performance.
Ignoring device capabilities bypasses compatibility checks, which can cause installation or operational issues. Force install pushes a configuration regardless of mismatches, potentially leading to errors if important prerequisites are not met. Rebuilding an ADOM restructures an administrative domain but does not specifically address content security.
Among the available choices, Content Security Optimization is the most appropriate answer because it directly targets improving how security features function, ensuring both strong protection and reliable system behavior.
Q165. A device import displays multiple orphaned VDOMs that no longer exist on the actual FortiGate. What should the admin do?
A) Retrieve Config to refresh the VDOM structure
B) Delete ADOM
C) Reboot device
D) Clone ADOM
Answer: A
Explanation:
Retrieve Config to refresh the VDOM structure refers to the process of pulling the most current configuration from a managed device so that the management system can accurately rebuild and update its internal view of the device’s virtual domains. When changes are made directly on the device, especially structural modifications such as adding, renaming, or removing VDOMs, the management platform may no longer reflect the correct layout. This mismatch can lead to errors when installing policies, creating mappings, or assigning objects. By retrieving the configuration, the management system re-synchronizes itself with the device and updates the VDOM structure accordingly. This ensures that all related features, such as per-VDOM configurations, policy packages, and templates, reference the correct and current environment. It is an essential step in maintaining consistency after any manual or external modifications.
Deleting an ADOM would remove an entire administrative domain, which is unnecessary and disruptive when the goal is simply to refresh structure. Rebooting the device may resolve hardware or runtime issues but does not update the management platform’s understanding of the configuration. Cloning an ADOM creates a duplicate environment but does not address the need to pull updated VDOM information.
Therefore, retrieving the configuration is the correct and appropriate action because it accurately updates the management system and ensures that all VDOM-related operations proceed without conflict.
Q166. Admin wants to enforce a naming standard where all address objects must begin with “ADDR_”. How can this be validated prior to installation?
A) Policy Analyzer
B) Hit Counter
C) Revision Diff
D) Log View
Answer: A
Explanation:
Policy Analyzer is a tool designed to help administrators evaluate and understand the effectiveness, structure, and potential issues within a policy set. It examines firewall rules, security policies, and related configurations to identify overlaps, shadowed rules, redundancies, and inconsistencies that may impact network behavior. By reviewing these relationships, administrators can streamline rule sets, improve performance, and ensure that policies behave as intendeD) Policy Analyzer also assists in identifying potential security gaps, such as overly permissive rules or policies that are unintentionally bypassed due to higher-priority entries. This makes it an essential tool for maintaining a clean, efficient, and secure policy framework, especially in large or complex environments where policies evolve over time. Regular use of Policy Analyzer helps organizations maintain best practices by ensuring that configurations remain optimized and aligned with operational requirements.
Hit Counter provides statistics on how often each policy is triggered, offering insight into traffic patterns but not analyzing structural rule quality. Revision Diff focuses on comparing two versions of configurations to understand changes rather than reviewing policy logiC) Log View displays system and traffic logs for diagnostic and monitoring purposes but does not assess rule interactions.
Among these choices, Policy Analyzer is the most appropriate answer because it directly evaluates the correctness and efficiency of policy rules, helping maintain a well-managed and secure configuration environment.
Q167. A policy installation suddenly stopped and never completeD) Job status shows “stalleD)” What is the correct action?
A) Cancel the job and reinitiate installation
B) Reboot FortiGate
C) Clear ADOM
D) Force override
Answer: A
Explanation:
Cancel the job and reinitiate installation refers to stopping a currently running or stuck installation process and then starting it again from the management system in a controlled manner. This action is especially useful when an installation job is frozen, has been queued for an unusually long time, or encountered a transient error such as a temporary network issue, session timeout, or minor synchronization problem. By canceling the problematic job, the system clears the pending task and releases any locks or resources associated with it. Reinitiating the installation then allows the manager and the device to start fresh, using the latest configuration and a clean communication session. This often resolves temporary glitches without requiring drastic actions on the device or the administrative domain.
Rebooting the FortiGate may disrupt live traffic, cause unnecessary downtime, and is typically not required for a simple installation job issue. Clearing the ADOM would remove or reset a larger administrative structure, which is excessive and could lead to loss of configuration context. Forcing an override may push changes despite mismatches or warnings, risking configuration inconsistency or errors on the device.
Therefore, canceling the job and reinitiating installation is the most appropriate response. It addresses the immediate issue in a targeted way, preserves stability, and avoids unnecessary disruption to the broader environment.
Q168. An admin wants to ensure each ADOM uses a specific default policy package. Where is this configured?
A) ADOM Settings
B) System Settings
C) Policy Package Options
D) Workspace Mode
Answer: A
Explanation:
ADOM Settings refers to the configuration parameters that control how an Administrative Domain operates within the management platform. These settings define the structure, behavior, and boundaries of each ADOM, allowing administrators to segment devices, policies, and workflows into logically separated areas. Adjusting ADOM Settings can influence how objects are shared, how versioning works, how policy packages are organized, and how devices are groupeD) This is especially important in environments where multiple teams, departments, or customers are managed under the same system. Properly configured ADOM Settings ensure that each administrative area remains isolated, consistent, and manageable. They also support smooth policy deployment, prevent object conflicts, and help maintain clear operational separation.
System Settings govern global platform-level configuration such as network access, certificates, user accounts, and performance parameters. These settings operate outside the scope of individual ADOMs. Policy Package Options focus on behaviors tied to specific policy packages rather than the administrative domain as a whole. Workspace Mode provides structured change control, allowing administrators to create, review, and commit changes in a controlled workflow but does not directly influence the fundamental structure of an ADOM.
For these reasons, ADOM Settings is the correct answer because it directly impacts how an administrative domain functions and is the appropriate area to adjust when managing ADOM-specific behavior or structure.
Q169. A policy package fails installation due to an unknown application signature referenced in App Control. What should the admin do?
A) Update application signatures on FortiManager
B) Remove AppControl entirely
C) Force install
D) Disable app profile
Answer: A
Explanation:
Update application signatures on FortiManager refers to refreshing the database of application identifiers used for Application Control and related security features. These signatures allow the system to accurately recognize and classify traffic based on specific applications, behaviors, and protocols. When signatures become outdated, the FortiManager and managed devices may fail to correctly identify new applications, updated versions of existing ones, or emerging traffic patterns. This can lead to mismatches, warnings during policy installation, or reduced accuracy in enforcement. Updating the application signatures ensures that the management system is synchronized with the most recent database, allowing policies to be validated properly and applied without errors. It also strengthens security by enabling the detection of newer or modified applications that may otherwise bypass controls.
Removing AppControl entirely would eliminate the functionality rather than correct signature issues, which is unnecessary and counterproductive. Force install pushes changes regardless of signature mismatches, potentially introducing errors or incorrect behavior on the device. Disabling an app profile would simply stop enforcement for that profile and does not address the root issue of outdated or missing signatures.
Therefore, updating application signatures on FortiManager is the appropriate and effective action. It resolves validation issues, maintains accuracy in policy checks, and ensures that application-based security features operate as intendeD)
Q170. Admin wants to track when an object was changed and by whom. Which feature provides this?
A) Object Revision History
B) Job Queue
C) Hit Counter
D) Policy Analyzer
Answer: A
Explanation:
Object Revision History refers to the record of changes made to individual configuration objects within the management system. This includes information such as what was modified, when the change occurred, and who performed the modification. By reviewing the revision history, administrators gain insight into how an object has evolved over time, which is invaluable when troubleshooting issues, tracking unintended modifications, or validating compliance requirements. It provides transparency and accountability, allowing teams to identify whether a recent change may have introduced a configuration problem or whether an earlier version of the object was more stable. Object Revision History is particularly useful in environments with multiple administrators or frequent updates, ensuring that every modification is documented and recoverable if needeD) It also assists in maintaining a clean and controlled configuration environment by helping decision-makers understand the context of each change.
Job Queue tracks installation jobs, tasks, or other queued operations but does not provide detailed change logs for individual objects. Hit Counter displays policy usage statistics, helping administrators understand traffic trends, but it does not track configuration edits. Policy Analyzer evaluates rule structure to identify overlaps or inconsistencies but does not provide historical modification datA)
Therefore, Object Revision History is the correct answer because it directly addresses the need to view past modifications and understand the progression of changes made to configuration objects.
Q171. A device logs show FortiManager attempting to push an IPsec tunnel that the device does not support. What is the root cause?
A) Incorrect device assignment to VPN template
B) Outdated ADOM
C) Firmware mismatch
D) Invalid route
Answer: A
Explanation:
Incorrect device assignment to a VPN template refers to a situation where a device has been linked to a template that does not match its intended configuration, topology, or network role. VPN templates are designed to streamline deployment of tunnel settings, authentication parameters, address objects, routing requirements, and other related components. When a device is assigned to the wrong VPN template, the expected configuration does not align with the device’s actual environment. This can cause routing confusion, mismatched addresses, failed tunnel establishment, or incorrect phase settings. Fixing the assignment ensures that the device receives the proper parameters and can successfully establish the intended VPN connectivity.
Outdated ADOM may cause general compatibility issues but does not specifically indicate a problem related to template assignment. Firmware mismatch can create installation errors or feature limitations, yet it does not directly lead to incorrect VPN template relationships. Invalid route can disrupt traffic flow through a VPN but does not affect the template assignment process itself.
Among the listed choices, incorrect device assignment to a VPN template is the most accurate explanation for template-related conflicts or deployment issues. Ensuring the correct assignment guarantees that all VPN configurations align with the device’s role, enabling smooth tunnel creation and stable communication.
Q172. Admin wants to identify which objects are unused for more than 90 days. What should they run?
A) Unused Objects Cleanup Analysis
B) Revision Diff
C) Global Override Scan
D) Hit Counter
Answer: A
Explanation:
Unused Objects Cleanup Analysis refers to the process of scanning configuration databases to identify objects that are not currently referenced by any policies, templates, or mappings. In large or long-running environments, configuration objects such as addresses, services, groups, and dynamic entries accumulate over time. Many of these become obsolete after policy changes, device removals, or structural updates. If left unmanaged, unused objects can clutter the database, increase administrative complexity, and make policy sets harder to review and maintain. Cleanup analysis helps administrators locate these unreferenced items so they can be reviewed and safely removed when no longer needeD) This improves overall configuration hygiene, reduces potential confusion, and ensures that the management system remains organized and efficient. Performing such an analysis regularly is considered a best practice for keeping the configuration environment clean and preventing long-term buildup of redundant items.
Revision Diff focuses on comparing two versions of configuration data to identify differences, which is useful for auditing but unrelated to identifying unused objects. Global Override Scan would address override conflicts across domains or templates, not object usage. Hit Counter measures policy traffic activity and does not provide information about unused configuration objects.
Therefore, Unused Objects Cleanup Analysis is the correct answer because it directly deals with identifying and helping manage unreferenced objects in the configuration database.
Q173. A device is managed in FortiManager but still allows local policy modifications. What setting must be enforced?
A) Enable “Central Management Only” mode
B) Workflow Mode
C) Override Profiles
D) Install Hooks
Answer: A
Explanation:
Enable “Central Management Only” mode refers to a configuration approach in which all device-related changes must be performed strictly through the central management platform rather than directly on the individual device. When this mode is enabled, the device is prevented from accepting local configuration edits, ensuring that the management system remains the single source of truth for all policies, objects, and structural settings. This approach is particularly useful in large, distributed, or tightly controlled environments where consistency and compliance are critical. By restricting local modifications, administrators avoid configuration drift, reduce the risk of conflicting changes, and maintain full visibility into the state of every device under management. It also ensures that policy installations and updates follow a predictable workflow, minimizing errors caused by unapproved or undocumented local adjustments.
Workflow Mode introduces a structure for reviewing and approving changes but does not enforce centralized-only control. Override Profiles allow device-specific configuration adjustments and are unrelated to restricting local edits. Install Hooks perform automated actions during installation sequences but do not govern how or where changes can be made.
For these reasons, enabling “Central Management Only” mode is the appropriate answer. It ensures full administrative control from the management platform, maintains configuration consistency, and prevents unauthorized or accidental changes made directly on the device.
Q174. Admin wants to enforce a security baseline globally, but allow each ADOM to override only device interfaces. What approach is correct?
A) Global Policy + ADOM Overrides
B) Local Clone
C) Separate Templates per ADOM
D) Full ADOM isolation
Answer: A
Explanation:
Global Policy + ADOM Overrides refers to a management approach that combines centrally maintained global policies with the flexibility to apply specific adjustments within individual Administrative Domains. This method allows an organization to enforce consistent, high-level security or compliance rules across all ADOMs while still permitting variations required by particular environments, device roles, or operational needs. The global policy ensures that foundational rules, such as mandatory security controls or baseline traffic restrictions, remain uniform and cannot be unintentionally bypasseD) Meanwhile, ADOM overrides provide a controlled mechanism for refining or customizing portions of the configuration at the local level. This structure is especially valuable in multi-tenant setups, managed service environments, or large enterprises with multiple departments that share common standards but still require individual tuning.
Local Clone creates a copy of a configuration for use only within a specific ADOM but does not provide the same coordinated global governance. Separate Templates per ADOM can guarantee individuality but sacrifice the benefits of centralized consistency. Full ADOM isolation restricts sharing or inheritance between ADOMs entirely, which is often unnecessary unless environments must remain completely separated for strict compliance reasons.
Among the choices, the most balanced and effective approach is Global Policy + ADOM Overrides because it maintains centralized control while still supporting needed customization at the domain level.
Q175. Installation fails because the FortiGate’s disk is full. What should the admin do?
A) Free disk space on the device
B) Delete ADOM
C) Reinstall firmware
D) Force install
Answer: A
Explanation:
Free disk space on the device refers to clearing storage on the managed unit so it has enough capacity to perform required operations such as logging, configuration updates, policy installations, and system processes. When a device runs out of disk space, it may fail to accept new configurations, stop generating logs, or encounter errors during installations and updates. In severe cases, system performance can degrade, and key features may stop functioning properly. By freeing disk space, administrators restore the device’s ability to operate normally and ensure that management tasks proceed without interruption. This may involve clearing old logs, removing outdated files, cleaning temporary directories, or adjusting log quota settings. Restoring available storage is often the most direct and least disruptive solution to problems caused by insufficient disk space.
Deleting an ADOM removes an entire administrative domain from the management system, which is unnecessary and unrelated to resolving storage issues on a device. Reinstalling firmware is a major action that should only be considered for system corruption or functional failure, not basic space limitations. Force install attempts to push configurations regardless of warnings, which may cause further errors when the device lacks adequate disk space.
For these reasons, freeing disk space on the device is the most appropriate and effective action, as it directly resolves the underlying issue and restores normal operational capacity.
Q176. A policy rule references a service object that was deleted accidentally. Installation cannot proceeD) What should the admin do?
A) Restore from Revision History
B) Force install
C) Manually recreate service
D) Reset ADOM
Answer: A
Explanation:
Restore from Revision History refers to using previously saved configuration snapshots to bring an object, policy, or system component back to a known working state. Management platforms maintain revision histories so administrators can review past versions, identify changes, and revert when necessary. This feature is especially helpful when a configuration error has been introduced, when an object becomes corrupted, or when an unexpected behavior emerges after recent modifications. Restoring from revision history provides a safe, controlled, and reliable method to undo problematic changes without requiring a full system reset. It also ensures that administrators revert only what is necessary, preserving the rest of the configuration environment. This approach minimizes downtime, reduces the risk of error, and helps maintain operational continuity.
Force install pushes policies to devices despite warnings or mismatches, which may worsen the issue rather than fix it. Manually recreating a service can work in some cases but introduces the possibility of human error and may not fully restore the original configuration. Resetting an ADOM is a drastic step that affects the entire administrative domain and is unnecessary for resolving a single misconfiguration or object-level issue.
For these reasons, restoring from revision history is the most appropriate and efficient choice. It provides a clean rollback path, ensures accuracy, and allows administrators to quickly recover a stable version of the configuration.
Q177. After upgrading FortiManager, IPS profiles no longer install on older devices. What must be done?
A) Enable backward compatibility mode
B) Reinstall ADOM
C) Remove IPS
D) Reset Global ADOM
Answer: A
Explanation:
Enable backward compatibility mode refers to allowing an Administrative Domain or management system to temporarily operate in a mode that supports older configuration structures, legacy feature sets, or device versions that may not fully align with the most recent management database format. This mode is particularly helpful when certain devices are still running older firmware versions or when configuration objects were created under a previous schema that the current environment no longer handles natively. By enabling backward compatibility, the system interprets and processes these older configurations correctly, reducing validation errors, installation failures, and feature mismatches. It provides administrators the flexibility to continue managing older devices while planning upgrades or restructuring configurations at a controlled pace. This reduces downtime, prevents forced migrations, and maintains operational stability across mixed-version deployments.
Reinstalling an ADOM is a major operation that resets administrative structures, which is unnecessary if the issue simply involves format or version compatibility. Removing IPS eliminates an essential security feature and does not address configuration interpretation problems. Resetting the Global ADOM impacts all globally applied settings and would be disruptive without solving backward compatibility concerns.
Therefore, enabling backward compatibility mode is the correct answer because it directly addresses issues arising from older configurations or devices while preserving system functionality and avoiding unnecessary large-scale changes.
Q178. Admin wants newly created address objects to be automatically tagged based on their type. What can achieve this?
A) Object Tagging Rules
B) Workflow Mode
C) Dynamic Objects
D) Template Variables
Answer: A
Explanation:
Object Tagging Rules refer to the practice of assigning descriptive tags or labels to configuration objects within a management environment. These tags help categorize, sort, and identify objects based on their function, location, purpose, or administrative ownership. As networks grow and configurations become more complex, maintaining clear organization becomes essential. Tagging provides a structured method to group related objects, making it easier for administrators to locate them, apply filters, or perform bulk operations. This improves efficiency, reduces the risk of selecting incorrect objects, and enhances clarity when reviewing configuration sets or audit logs. Tagging rules may also support automation by allowing scripts or templates to reference objects dynamically based on their assigned tags, ensuring smoother workflows and reducing manual errors.
Workflow Mode introduces a controlled change approval process but does not assist with object categorization. Dynamic Objects allow flexible, variable-based addressing but are unrelated to categorization or labeling. Template Variables help customize configuration templates but do not provide organizational tagging.
Among these choices, Object Tagging Rules is the correct answer because it directly addresses the need to organize, classify, and manage configuration objects effectively. It enhances clarity, supports large-scale administration, and ensures that objects remain easy to identify and work with as the configuration database grows.
Q179. A device shows “configuration locked” message in FortiManager. What caused this state?
A) Another admin is editing configuration under Workspace Mode
B) Device in HA failover
C) Firmware is outdated
D) ADOM is corrupted
Answer: A
Explanation:
Another admin is editing configuration under Workspace Mode refers to a situation where the management system has locked certain configuration areas because another administrator is actively making changes within a workspace session. Workspace Mode is designed to prevent conflicting edits by ensuring that only one person at a time can modify specific configuration sections. When an admin opens a workspace, the system reserves those configuration elements until the changes are committed or discardeD) As a result, other administrators attempting to make edits during this time may encounter warnings or be unable to access particular settings. This controlled workflow helps maintain configuration integrity, prevents accidental overwrites, and ensures that all changes follow an orderly commit process.
A device in HA failover affects system synchronization and redundancy but does not cause configuration locks tied to workspace sessions. Outdated firmware can lead to compatibility issues or installation failures, but it does not result in management-side configuration locking. A corrupted ADOM can cause broader system problems, such as missing objects or failed policy installations, yet it does not produce the specific condition where configuration edits are blocked due to an active workspace session.
Therefore, the correct answer is that another administrator is editing configuration under Workspace Mode, as this directly explains why access is restricted and why the system indicates a locked or in-use configuration state.
Q180. Admin wants to export a full backup of selected ADOM revisions. What tool allows this?
A) ADOM Export
B) Revision Pruning
C) Policy Analyzer
D) Global Settings
Answer: A
Explanation:
ADOM Export refers to the process of generating a complete backup or transferable package of an Administrative Domain so it can be stored, migrated, or imported into another system when needed This export typically contains policy packages, objects, templates, mappings, and all other data associated with the ADOM. Administrators rely on ADOM Export for multiple operational reasons, such as creating offline backups, moving configurations between FortiManager instances, archiving important environments before major changes, or preparing identical setups for lab, testing, or staging systems. Exporting an ADOM ensures that the structural organization of policies and objects remains intact, reducing the effort required to recreate large or complex environments. This method also helps maintain consistency across parallel infrastructures and acts as a safeguard in case an ADOM needs to be restored to a previous state.
Revision Pruning is used to reduce the number of stored revisions but does not capture a full ADOM for migration or backup. Policy Analyzer reviews rules for overlap and efficiency but does not handle exporting administrative datA) Global Settings define system-level behavior and do not relate to transferring ADOM content.
For these reasons, ADOM Export is the correct answer. It provides a comprehensive way to package and preserve an ADOM’s structure and configuration, supporting backup, migration, and continuity needs within managed environments.
