Fortinet FCP_FMG_AD-7.4 FCP FortiAuthenticator 6.5 Administrator Exam Dumps and Practice Test Questions Set 10 q181-200


Q181: A policy install fails due to a missing security profile referenced by a policy. The profile exists on the FortiGate but not on FortiManager. What must be done?

A. Retrieve Config from the device
B. Force install
C. Delete the security profile
D. Disable profile check

Answer: A. Retrieve Config from the device

Explanation:

When configuring FortiGate devices through FortiManager, consistency between the two is essential. In this case, the policy installation fails because FortiManager cannot find the referenced security profile in its database, even though the profile exists on the FortiGate device. This mismatch can prevent successful installation, as FortiManager doesn’t have the required profile.

The best solution is to retrieve the configuration from the device. This process involves pulling the current configuration from the FortiGate device back into FortiManager, which will include all objects (such as security profiles, firewall policies, etc.) that exist on the device but not in FortiManager’s database. This action synchronizes the configurations between the two, resolving any discrepancies. It ensures that all referenced profiles are included in the configuration, allowing the policy to be successfully installed.

Using other methods, such as force-install or disabling the profile check, could lead to further configuration inconsistencies or security risks. Thus, retrieving the configuration is the safest and most efficient approach.

Q182: Admin needs to create multiple IPsec tunnels for many branch offices, each with unique local IDs. How can this be automated?

A. Use Template Variables in VPN Manager
B. Create separate ADOMs
C. Clone each tunnel manually
D. Use local scripts per device

Answer: A. Use Template Variables in VPN Manager

Explanation:

Creating multiple IPsec tunnels for numerous branch offices can be a complex and time-consuming task, especially when each tunnel requires a unique local ID. Manually configuring each tunnel not only introduces the potential for human error but also consumes a significant amount of time and effort, particularly in larger environments with numerous branch offices. However, this process can be greatly simplified and automated using Template Variables in the VPN Manager. For example, a network administrator could create a template with a variable for the local ID field. When the template is applied to different branch offices, the variable dynamically pulls the unique local ID for each location, making the configuration process much faster and less prone to mistakes. This is especially advantageous when deploying a large number of tunnels across multiple sites because the same template can be reused, with each instance customized automatically for the relevant branch.

This method provides several key benefits over traditional manual approaches. First, it ensures consistency across all tunnels since the configuration parameters are derived from a single template. There is no need to manually adjust settings for each tunnel, which not only saves time but also reduces the likelihood of misconfigurations. Second, it improves scalability. As the network expands, additional branch offices can be added quickly by simply applying the template with the correct local ID variable, rather than configuring each tunnel from scratch.

In contrast, other methods like cloning tunnels manually or using local scripts per device are not only inefficient but also error-prone. Manual cloning can lead to inconsistencies across tunnels, and local scripts require additional maintenance and management, which can quickly become unmanageable as the network grows. Creating separate ADOMs (Administrative Domains) might help with organizing the devices, but it does not address the need for automation in tunnel creation.

By leveraging Template Variables in the VPN Manager, administrators can ensure a more streamlined and automated deployment process. This approach significantly reduces the administrative burden, improves efficiency, and ensures the accuracy of configurations, particularly in large-scale networks. It also helps maintain flexibility, as the same template can be adapted for future requirements without the need for extensive manual reconfiguration. In conclusion, using Template Variables for IPsec tunnel creation is a highly effective solution that enhances both the speed and reliability of network deployments.

Q183: Admin wants to allow read-only access to Policy Packages but full control over CLI Templates. Which configuration enables it?

A. Custom Admin Profile
B. ADOM Assignment
C. Workflow Mode
D. Device Claiming Rules

Answer: A. Custom Admin Profile

Explanation:

In FortiManager, managing user permissions effectively is crucial to maintaining security and ensuring that users can only access the features and settings relevant to their roles. A Custom Admin Profile is an excellent tool for administrators who need granular control over user access to different parts of the system. For example, if an administrator needs to allow a user to have read-only access to Policy Packages, it means the user can view the policies but cannot make any modifications or changes. At the same time, the same user may need full control over other areas, such as CLI Templates, where they should be able to edit and configure settings. By creating a Custom Admin Profile, the administrator can assign specific permissions to different areas of FortiManager, ensuring that the user’s access is tailored to the requirements of their role.

This level of customization is particularly important for role-based access control, which is critical in larger organizations where different users may have varying responsibilities and require different levels of access. While ADOM Assignment, Workflow Mode, and Device Claiming Rules provide broader organizational and operational structures, they are not designed for this kind of granular access control. The ADOM (Administrative Domain) feature helps segregate devices into logical groups, and Workflow Mode is used to define the process of configuration changes and approvals, but neither of these features offers the fine-tuned control that a Custom Admin Profile provides for user access. Similarly, Device Claiming Rules are used for assigning devices to specific administrators, but they do not manage permissions at the individual feature level.

Therefore, Custom Admin Profiles are the most effective method for setting up detailed permissions, ensuring that users have access only to the necessary components of FortiManager, thereby enhancing both security and operational efficiency.

Q184: A FortiGate has local changes that conflict with FortiManager’s version. Admin wants FortiManager to override local changes. What should they do?

A. Force Install
B. Retrieve Config
C. Change ADOM version
D. Disable HA

Answer: A. Force Install

Explanation:

In FortiManager, when there are local changes on a FortiGate device that conflict with the configuration stored in FortiManager, the Force Install option provides the most effective solution to ensure consistency and resolve the conflict. When an administrator initiates a Force Install, it instructs FortiManager to push its configuration to the FortiGate device, overwriting any local changes that may have been made directly on the device. This action ensures that the device is fully aligned with the centralized configuration stored in FortiManager, making FortiManager the authoritative source for device settings. This is particularly important in environments where multiple FortiGate devices are being centrally managed, as it guarantees that all devices have a consistent configuration, reducing the risk of errors or misconfigurations that could arise from manual or local changes.

The Force Install function is vital in situations where it is crucial to enforce the configuration that FortiManager has, especially when the device configuration has drifted from the expected or approved settings. In large-scale deployments, where managing multiple devices from a central location is common, ensuring consistency across devices is essential for effective network management and security. In such cases, local changes made directly on FortiGate devices could lead to discrepancies or security risks if those changes are not synchronized with the broader network strategy. By using Force Install, the administrator effectively resets the FortiGate device configuration to match the central configuration, ensuring uniformity across all devices. In contrast, the Retrieve Config action simply synchronizes the device’s current configuration with the FortiManager database. This action ensures that FortiManager is aware of the current state of the device but does not necessarily resolve conflicts where local changes differ from the configuration in FortiManager. If there are any local changes on the FortiGate device that conflict with the FortiManager configuration, the Retrieve Config option would not automatically overwrite these changes. This could lead to inconsistent configurations and potential network issues, as FortiManager may still reference outdated or conflicting settings. Additionally, other methods, such as changing the ADOM version or disabling HA (High Availability), do not address the core issue of conflicting configurations. The ADOM versioning is used to manage and maintain consistent versions of configurations within FortiManager, but it does not resolve conflicts between the device’s local settings and the centralized configuration. 
Similarly, disabling HA would not resolve the conflict, as it primarily deals with synchronization and failover settings between devices in a high-availability setup, rather than enforcing configuration consistency. In summary, the Force Install option is the most effective tool for ensuring that a FortiGate device is fully synchronized with the configuration in FortiManager. It guarantees that any conflicting local changes on the FortiGate device are overwritten, thereby maintaining configuration consistency across all devices under centralized management. This approach helps maintain network stability, reduces configuration errors, and ensures that security policies and other critical settings are uniformly applied.

Q185: Admin wants all new objects created in an ADOM to follow a naming convention automatically. What feature helps enforce this?

A. Policy Analyzer Naming Checks
B. Hit Counter
C. Workspace Mode
D. Template Enforcement

Answer: A. Policy Analyzer Naming Checks

Explanation:

Ensuring consistent naming conventions across various objects in FortiManager is essential for managing large-scale networks. The Policy Analyzer Naming Checks feature allows administrators to enforce naming conventions automatically.

When enabled, the Policy Analyzer scans new objects (such as firewall policies, address groups, or security profiles) as they are created in an ADOM. It validates that the object names adhere to a predefined naming convention, which helps maintain organization and prevent errors. This feature is especially useful in environments where multiple administrators are working on the same ADOM, as it enforces consistency without requiring manual intervention.

Hit Counters, Workspace Mode, and Template Enforcement are not specifically designed for enforcing naming conventions. Hit Counters track the usage of specific policies, while Workspace Mode and Template Enforcement provide a different set of functionalities that do not directly address naming conventions.
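The kind of check described above, as an added example that is not part of the original page and not FortiManager's own implementation: a batch of newly created objects is validated against a per-type naming convention before being accepted into the ADOM. The prefixes, the three-letter site code, the length limit and the sample objects are all constructed for this example; FortiManager's real rules are configured in the product and are not reproduced here.

```python
import re

# Constructed naming conventions, assumed for this example: a type prefix,
# an uppercase three-letter site code, then a free-form description.
NAMING_RULES = {
    "address": re.compile(r"ADDR_[A-Z]{3}_[A-Za-z0-9-]+"),
    "addrgrp": re.compile(r"GRP_[A-Z]{3}_[A-Za-z0-9-]+"),
    "policy":  re.compile(r"POL_[A-Z]{3}_[A-Za-z0-9-]+"),
    "profile": re.compile(r"PRF_[A-Z]{3}_[A-Za-z0-9-]+"),
}
MAX_NAME_LEN = 35  # assumed limit for this example, not a FortiOS constant


def check_object_name(obj_type, name):
    """Return None if 'name' satisfies the convention for 'obj_type', else the reason."""
    rule = NAMING_RULES.get(obj_type)
    if rule is None:
        return f"no naming rule defined for object type '{obj_type}'"
    if len(name) > MAX_NAME_LEN:
        return f"'{name}' exceeds {MAX_NAME_LEN} characters"
    if not rule.fullmatch(name):
        return f"'{name}' does not match {rule.pattern}"
    return None


def check_new_objects(objects):
    """Validate a batch of objects; returns (accepted_names, [(name, reason), ...])."""
    accepted, rejected = [], []
    for obj in objects:
        reason = check_object_name(obj["type"], obj["name"])
        if reason is None:
            accepted.append(obj["name"])
        else:
            rejected.append((obj["name"], reason))
    return accepted, rejected


# Constructed batch of newly created objects, as several admins might submit them.
SAMPLE_OBJECTS = [
    {"type": "address", "name": "ADDR_NYC_web-servers"},
    {"type": "address", "name": "web servers"},        # free-form, no prefix or site code
    {"type": "addrgrp", "name": "GRP_LON_dmz-hosts"},
    {"type": "policy",  "name": "POL_nyc_allow-web"},  # lowercase site code
    {"type": "profile", "name": "PRF_LON_default-av"},
    {"type": "vip",     "name": "VIP_NYC_mail"},       # type with no rule defined
]

if __name__ == "__main__":
    ok, bad = check_new_objects(SAMPLE_OBJECTS)
    print("accepted:", ok)
    for name, reason in bad:
        print("rejected:", name, "->", reason)
```

Rejecting an object type that has no rule (rather than silently accepting it) is the deliberate choice here: a convention that only covers some object types leaves the uncovered ones free-form, which is exactly the inconsistency the check exists to prevent.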

Q186: A policy using a VIP object fails installation because the external IP is not supported on the branch device. What must the admin do?

A. Adjust the VIP object per device using overrides
B. Delete the VIP
C. Move the device to another ADOM
D. Force install

Answer: A. Adjust the VIP object per device using overrides

Explanation:

In FortiManager, when a policy using a Virtual IP (VIP) object fails installation due to an unsupported external IP on a branch device, the issue can be resolved by using per-device overrides. VIP objects map external IP addresses to internal resources, and different devices may require different mappings to align with their network configurations.

Using overrides allows you to customize the VIP object settings for each individual device within the same policy. By doing this, you can adjust the external IP mapping specific to the branch device, ensuring the policy is compatible with that device’s configuration. This prevents conflicts and allows the VIP object to be correctly applied to each device in your network.

Deleting the VIP object or moving the device to another ADOM would not resolve the issue, and forcing the installation might result in an incorrect configuration being pushed to the device.

Q187: A device shows “HA failover detected” in FortiManager. What should the admin do first?

A. Refresh Device Information
B. Remove HA group
C. Promote secondary
D. Reinstall firmware

Answer: A. Refresh Device Information

Explanation:

Refresh Device Information refers to updating the management system’s understanding of a device’s current configuration, status, hardware details, and operational settings. When FortiManager displays mismatches, outdated data, or inconsistencies regarding interfaces, firmware levels, HA roles, or feature availability, refreshing the device information forces the system to retrieve the latest details directly from the device. This action helps correct issues caused by stale or incomplete data that may have accumulated over time due to network interruptions, partial sync attempts, or changes made directly on the device. By refreshing the information, FortiManager can accurately compare configurations, validate compatibility, and ensure that subsequent policy installations or synchronization operations proceed smoothly. This makes it the safest, most direct, and least disruptive step when the system appears out of sync with the device’s actual state.

Removing the HA group is unnecessary and disruptive, as it breaks the High Availability structure and forces a complete reconfiguration of clustered devices. Promoting the secondary unit artificially changes HA roles and does not resolve data synchronization inaccuracies within FortiManager. Reinstalling firmware is a major operation that should only be considered when dealing with severe software corruption or version-specific bugs, and it has no direct connection to correcting outdated device information in the management database. For these reasons, the most appropriate and efficient choice is A. Refresh Device Information.

Q188: A dynamic address object resolves correctly on some devices but not others. What configuration is missing?

A. Per-Device Dynamic Mapping
B. Template Variables
C. Global Override
D. Workspace Session

Answer: A. Per-Device Dynamic Mapping

Explanation:

Per-Device Dynamic Mapping refers to assigning device-specific values to configuration elements that are shared across multiple devices within a centrally managed environment. This feature is especially important when a single policy package, template, or object definition must be reused across different devices that do not share identical interface names, IP addresses, routing details, or other hardware-dependent characteristics. Dynamic mappings allow each device to receive the correct value for its own environment while still benefiting from a standardized configuration structure. This reduces administrative workload, lowers the chance of configuration errors, and ensures that large-scale deployments remain consistent even when individual devices require unique parameters. The approach is widely used for interface assignments, address objects, SD-WAN members, and other elements that depend on the specific attributes of each device.

Template Variables provide customizable placeholders within templates, but they differ from dynamic mapping because they require manual assignment and do not automatically adjust based on each device’s characteristics. Global Override is used to intentionally modify global policies for specific Administrative Domains, but it does not address per-device customization needs. Workspace Session controls how configuration changes are staged and committed within the management system, offering organizational control but not device-specific value assignments. Considering all of these differences, the correct choice for ensuring that shared configuration objects adapt properly to individual devices is A. Per-Device Dynamic Mapping.

Q189: An admin wants to merge two ADOMs containing related devices. What is the correct approach?

A. Use ADOM Migration
B. Copy policy package manually
C. Delete one ADOM and re-add devices
D. Export revision only

Answer: A. Use ADOM Migration

Explanation:

Use ADOM Migration refers to the built-in mechanism within FortiManager that allows administrators to move policy packages, objects, settings, and associated devices from one Administrative Domain to another in a controlled and consistent manner. This process preserves the policy structure, object references, mappings, and relationships that already exist within the source ADOM, ensuring that the migrated configuration remains intact and functional once placed in the target ADOM. ADOM Migration is specifically designed to support reorganizations, restructuring of management domains, and transitions to different ADOM versions without requiring administrators to manually rebuild complex configurations. It reduces the risk of errors, ensures compatibility between ADOM environments, and provides a clean, reliable method for shifting managed content between domains. By leveraging this feature, organizations save significant time and avoid misconfigurations that often occur when large policy sets must be recreated or copied by hand.

Copying a policy package manually is far less efficient and prone to mistakes, because it does not automatically carry over all dependent objects, references, or device bindings. Deleting one ADOM and re-adding devices is an extreme option that disrupts the environment and forces administrators to rebuild policy structures from scratch. Exporting a revision only provides a snapshot of configuration changes but does not offer a full migration path between ADOMs. Considering these factors, the most appropriate and reliable method is A. Use ADOM Migration.

Q190: Admin wants to prevent unapproved changes in large teams. All changes must undergo formal review. What feature should be used?

A. Workflow Mode
B. Notation Comments
C. Workspace Only
D. Revision Labels

Answer: A. Workflow Mode

Explanation:

Workflow Mode refers to a structured change-management process within FortiManager that allows configuration updates to follow a controlled approval path before they are committed. In this mode, changes made by administrators do not take effect immediately; instead, they enter a workflow where they can be reviewed, approved, or rejected by designated personnel. This provides a higher level of governance, ensuring that policy modifications, object updates, or system adjustments are thoroughly evaluated for accuracy, security impact, and compliance with operational standards. Workflow Mode is especially valuable in larger environments where multiple administrators contribute to configuration management, as it helps prevent accidental changes, unauthorized updates, and configuration drift. By enforcing a defined approval chain, it improves accountability, tracking, and overall configuration integrity.

Notation Comments provide a way to annotate policies or objects with descriptive notes, but they do not control or approve configuration changes. Workspace Only mode allows administrators to stage changes before committing them, yet it lacks the formal approval process that defines Workflow Mode. Revision Labels help identify and categorize configuration snapshots for documentation and rollback purposes, but they do not regulate how changes are reviewed or approved. Considering these distinctions, the correct answer is A. Workflow Mode.

Q191: A device install fails stating that SNMPv3 authentication type is unsupported. What must be configured?

A. Per-Device SNMP Mapping
B. Disable SNMP globally
C. Install anyway
D. Recreate SNMP template

Answer: A. Per-Device SNMP Mapping

Explanation:

Per-Device SNMP Mapping refers to assigning the correct SNMP settings to each individual device so that the configuration pushed from the management system accurately aligns with the device’s specific SNMP requirements. In many environments, SNMP configurations are created as part of a shared template or policy package. However, not all devices use the same community strings, interface indexes, trap hosts, or SNMP versions. Because of these differences, a universal SNMP template may not apply cleanly to every device. Per-device SNMP mapping allows administrators to customize the necessary SNMP parameters for each unit while still maintaining a centralized configuration structure. This ensures that monitoring tools, network management systems, and alerting platforms receive accurate information from each device. It also prevents installation failures caused by mismatched or unsupported SNMP settings. In practice, per-device mapping is the safest and most efficient way to tailor SNMP configurations without abandoning template-based management.

Disabling SNMP globally would remove monitoring and alerting capabilities for all devices, causing operational blind spots and defeating the purpose of SNMP management. Choosing to install the configuration anyway ignores the underlying mismatch and may result in failed installs or nonfunctional SNMP monitoring on certain devices. Recreating the SNMP template is unnecessary unless the template itself is severely flawed, and even then it would not solve device-specific differences that still require individualized mapping. For these reasons, the most appropriate answer is A. Per-Device SNMP Mapping.

Q192: A policy package installation preview shows multiple address objects marked for deletion. The admin did not intend this. What caused the issue?

A. Objects are not referenced anywhere in the package
B. ADOM corruption
C. Device firmware mismatch
D. Wrong global policy

Answer: A. Objects are not referenced anywhere in the package

Explanation:

In FortiManager, when a policy package is prepared for installation, it analyzes which objects are being used within the policies. If an address object is not referenced in any active policy, the system will mark it for deletion, assuming that it is no longer necessary. This can happen unintentionally if the address object was used in the past but is no longer referenced in the current policy package.

To prevent this, administrators should ensure that all relevant objects are properly referenced within the policy package or explicitly protected from deletion. FortiManager removes unreferenced objects automatically unless they are manually protected or mapped to a specific policy.

ADOM corruption or a device firmware mismatch are less likely to cause this issue, and while a wrong global policy may cause issues, it would not specifically lead to objects being marked for deletion. The issue is primarily related to object references in the policy.
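The reference analysis described above, as an added example that is not part of the original page and does not reproduce FortiManager's internal logic: a constructed policy package with address objects, address groups and firewall policies is walked from the policies outward, group membership is expanded transitively, and every defined object that is never reached is what the install preview would mark for deletion unless it is explicitly protected. The package shape and all names are constructed for this example.

```python
# Constructed policy package in a simplified shape (not FortiManager's schema):
# address objects, address groups referencing addresses, and policies referencing either.
PACKAGE = {
    "address": {
        "srv-web":   "10.0.1.10/32",
        "srv-db":    "10.0.1.20/32",
        "guest-net": "192.168.50.0/24",
        "old-proxy": "10.0.9.5/32",   # only used by a policy that was deleted earlier
    },
    "addrgrp": {
        "grp-servers": ["srv-web", "srv-db"],
        "grp-legacy":  ["old-proxy"],  # the group itself is referenced by no policy
    },
    "policies": [
        {"name": "allow-web", "srcaddr": ["all"],       "dstaddr": ["grp-servers"]},
        {"name": "guest-out", "srcaddr": ["guest-net"], "dstaddr": ["all"]},
    ],
}


def referenced_objects(package):
    """Every object name reachable from some policy, expanding groups transitively."""
    groups = package["addrgrp"]
    pending = []
    for policy in package["policies"]:
        pending.extend(policy["srcaddr"])
        pending.extend(policy["dstaddr"])
    seen = set()
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        # Members of a referenced group count as referenced themselves.
        pending.extend(groups.get(name, []))
    return seen


def unreferenced_objects(package, protected=frozenset()):
    """Objects the preview would mark for deletion: defined, unreachable, not protected."""
    defined = set(package["address"]) | set(package["addrgrp"])
    return sorted(defined - referenced_objects(package) - set(protected))


def explain_preview(package, protected=frozenset()):
    """One human-readable preview line per pending deletion."""
    return [f"delete {name}: not referenced by any policy or group in the package"
            for name in unreferenced_objects(package, protected)]


if __name__ == "__main__":
    for line in explain_preview(PACKAGE):
        print(line)
    print("with old-proxy protected:", unreferenced_objects(PACKAGE, {"old-proxy"}))
```

Note that `old-proxy` is still a member of `grp-legacy`, yet both are flagged: membership in a group only counts when the group is itself reachable from a policy, which is why a stale group does not keep its members alive.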

Q193: An administrator must update SD-WAN rules across 300 devices, each with different interface names. What should they configure?

A. SD-WAN Per-Device Interface Mapping
B. Override Profiles
C. Template Variables
D. Workspace Mode

Answer: A. SD-WAN Per-Device Interface Mapping

Explanation:

SD-WAN Per-Device Interface Mapping refers to the process of assigning the correct physical or logical interfaces on each individual device to the SD-WAN interface definitions created within the centralized management system. In SD-WAN deployments, the controller or manager uses abstract interface names or roles, such as WAN1, WAN2, or specific performance-based members. However, each managed device may have different interface labels, hardware layouts, or port assignments. Per-device interface mapping ensures that every device correctly associates its actual interfaces with the SD-WAN interface objects defined in the policy package. Without these mappings, the SD-WAN configuration cannot be applied properly because the system would not know which real interface corresponds to each SD-WAN member. This step is essential for accurate traffic steering, link monitoring, failover behavior, and overall SD-WAN functionality.

Override Profiles allow adjustments to specific configuration elements for certain devices, but they do not specifically solve the problem of linking SD-WAN interface objects to physical ports. Template Variables are used to give flexible values to shared templates, but they are not designed specifically for SD-WAN interface mapping. Workspace Mode controls how configuration changes are tracked and committed within FortiManager and has no relation to SD-WAN interface assignment. For these reasons, the correct answer is A. SD-WAN Per-Device Interface Mapping.

Q194: A device displays “device model mismatch” on import. What is the cause?

A. The device’s model does not match the configuration FortiManager expects
B. ADOM is corrupted
C. Policy package is wrong
D. Too many VDOMs

Answer: A. The device’s model does not match the configuration FortiManager expects

Explanation:

The device’s model does not match the configuration FortiManager expects refers to a situation in which the hardware or virtual model of a managed device is different from the model that the management system believes it is configuring. FortiManager relies on accurate device identification to ensure that all configuration elements, feature sets, interface mappings, and capabilities align with the device’s actual specifications. When there is a mismatch, the system may attempt to push configurations that the device cannot support, resulting in installation errors, feature incompatibility, or failures during synchronization. This kind of discrepancy often appears when a device is replaced with a different model, when a virtual appliance has been licensed or upgraded in a way that changes its model type, or when the device was incorrectly added to FortiManager. Correcting the model information ensures that FortiManager generates the proper configuration syntax and supports the correct features for that specific hardware or virtual platform.

An ADOM being corrupted is a far less common issue and would typically cause broader operational problems, not a specific model mismatch error. A policy package being wrong might create installation failures, but it would not trigger a message indicating that the device model is incorrect. Too many VDOMs relates to resource limitations or structural constraints within the device but does not explain an error about the device model itself. Considering these points, the correct answer is A. The device’s model does not match the configuration FortiManager expects.

Q195: A policy installation shows “unsupported NAT configuration” on older devices. What is the recommended fix?

A. Adjust NAT objects to simpler mode
B. Force install
C. Install firmware update
D. Disable NAT

Answer: A. Adjust NAT objects to simpler mode

Explanation:

Adjust NAT objects to simpler mode refers to modifying how Network Address Translation objects are structured so they can be processed and installed without conflict or complexity. In many management environments, NAT rules may become overly detailed, layered, or dependent on advanced configurations that are not compatible with certain devices or policy modes. When NAT objects are simplified, the system can interpret them more clearly, avoid ambiguous translations, and reduce the likelihood of installation failures. This adjustment often resolves issues related to mismatched NAT rule formats, unsupported configurations, or conflicts arising during policy deployment. Simplifying NAT objects helps maintain consistency across devices, improves policy readability, and reduces troubleshooting time, especially in environments where multiple devices inherit the same configuration set.

Forcing an install may temporarily push the configuration but does not fix the underlying structural problem in the NAT rules, potentially resulting in repeated failures or unexpected behavior. Installing a firmware update is an unrelated task that addresses system software rather than specific translation rules, and it is unlikely to resolve NAT object issues unless the problem is explicitly version-related. Disabling NAT altogether would severely impact network functionality, as NAT is essential for routing traffic between internal and external networks. Given these considerations, the most appropriate solution is A. Adjust NAT objects to simpler mode.

Q196: A device remains “Out-of-Sync” even after a configuration fetch. What should the admin check next?

A. Unauthorized local changes
B. ADOM rebuild
C. Global policy conflict
D. HA override

Answer: A. Unauthorized local changes

Explanation:

Unauthorized local changes refer to configuration modifications made directly on a device rather than through the centralized management system, and these changes often create inconsistencies between the expected configuration and the actual running settings. In managed network environments, any local adjustment performed outside the approved management workflow can cause synchronization issues, warnings, or conflicts when the system attempts to push updates. These unauthorized changes may occur unintentionally when an administrator adjusts a setting during troubleshooting and forgets to revert it, but they can also happen deliberately without proper approval, creating risks for security, compliance, and operational stability.

In contrast, an ADOM rebuild involves restructuring or refreshing an Administrative Domain and typically does not create unexpected configuration mismatches unless another underlying issue exists. A global policy conflict arises from overlapping or contradictory policies within the management system, affecting rule enforcement rather than indicating a discrepancy between local and centralized configurations. HA override pertains to behavior in High Availability clusters where one device forces its configuration or operational state over another, which may affect synchronization inside the cluster but does not usually create wider management conflicts. Considering these explanations, the most accurate answer is A. Unauthorized local changes.
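Finding the local changes behind an "Out-of-Sync" status (and, for Q184, seeing what a Force Install would overwrite) comes down to diffing the configuration FortiManager expects against what is actually running on the device. The following is an added example, not part of the original page and not FortiManager's own comparison routine: a small parser for a FortiOS-style `config`/`edit`/`set`/`next`/`end` layout (only that subset is assumed) and a diff that reports each setting whose value differs. Both configuration snippets are constructed.

```python
def parse_fortios_config(text):
    """Parse a FortiOS-style config subset into {block path: {key: value}}.

    Handles nested 'config' / 'edit' blocks closed by 'next' / 'end' and 'set' lines;
    this is an assumed simplification, not a full FortiOS grammar.
    """
    settings = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split(None, 1)
        keyword = tokens[0]
        arg = tokens[1] if len(tokens) > 1 else ""
        if keyword == "config":
            path.append(arg)
        elif keyword == "edit":
            path.append(arg.strip('"'))
        elif keyword in ("next", "end"):
            path.pop()
        elif keyword == "set":
            key, _, value = arg.partition(" ")
            settings.setdefault(" / ".join(path), {})[key] = value.strip()
    return settings


def diff_configs(expected, running):
    """Return [(block path, key, expected value, running value)] for every difference.

    A value of None on one side means the setting exists only on the other side.
    """
    exp = parse_fortios_config(expected)
    run = parse_fortios_config(running)
    changes = []
    for block in sorted(set(exp) | set(run)):
        exp_keys, run_keys = exp.get(block, {}), run.get(block, {})
        for key in sorted(set(exp_keys) | set(run_keys)):
            if exp_keys.get(key) != run_keys.get(key):
                changes.append((block, key, exp_keys.get(key), run_keys.get(key)))
    return changes


# Constructed: what FortiManager's database holds for the device.
EXPECTED_CONFIG = """
config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping https
    next
end
config system global
    set hostname "branch-01"
end
"""

# Constructed: what the device is actually running after someone edited it locally.
RUNNING_CONFIG = """
config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system global
    set hostname "branch-01"
    set admin-sport 8443
end
"""

if __name__ == "__main__":
    for block, key, expected, running in diff_configs(EXPECTED_CONFIG, RUNNING_CONFIG):
        print(f"{block}: {key}: expected={expected!r} running={running!r}")
```

Each reported line is a local change that a Force Install would revert and a Retrieve Config would import; reviewing the list before choosing between the two is what keeps an unreviewed `ssh` on a WAN interface from either persisting unnoticed or being silently absorbed into the central configuration.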

Q197: Admin needs to generate a detailed report of all policy changes over the last quarter. What feature provides this?

A. Revision History Export
B. Job Queue
C. Policy Analyzer
D. ADOM Cleanup

Answer: A. Revision History Export

Explanation:

Revision History Export refers to the ability to extract, view, and store the historical record of configuration changes made within a managed environment. This feature allows administrators to track when changes occurred, who initiated them, and what specific modifications were applied. By exporting the revision history, teams gain clear visibility into the evolution of policies and configurations, which is valuable for auditing, compliance verification, troubleshooting, and understanding the sequence of events that led to the current system state. This function is especially helpful when multiple administrators are involved or when an organization must maintain strict change-control documentation. Since the purpose of this feature is directly related to reviewing and preserving change records, it aligns closely with activities that involve examining configuration timelines or validating past adjustments.

The Job Queue option typically displays scheduled or ongoing tasks within a management system, such as installations, updates, or synchronization operations. While useful for monitoring system activity and ensuring workflows are progressing correctly, it does not relate to exporting historical configuration data. Policy Analyzer is aimed at identifying rule conflicts, redundancies, or inefficiencies within policy sets, focusing on optimization and error detection rather than historical documentation. ADOM Cleanup involves maintenance operations that streamline or remove unused elements within an Administrative Domain but does not provide functionality for exporting configuration change histories. Therefore, the correct answer is A. Revision History Export.

Q198: A policy installation fails due to unresolved variables. What should the admin configure?

A. Per-Device Variable Assignment
B. Remove variables
C. Add new ADOM
D. Use static values only

Answer: A. Per-Device Variable Assignment

Explanation:

Per-Device Variable Assignment refers to the capability within a centralized management system to assign unique values to specific devices while still using a shared or templated configuration structure. This feature is especially important in environments where many devices share similar policies or templates but require individualized parameters such as IP addresses, hostnames, interface identifiers, or location-specific details. By using per-device variables, administrators can maintain a single, consistent policy package while allowing each device to automatically populate its own required values during deployment or updates. This approach reduces manual configuration work, minimizes the risk of errors, and ensures that large-scale rollouts remain both efficient and scalable. It also supports better version control and easier troubleshooting because policies remain standardized, with only the variable values differing from one device to another.

The option to remove variables simply clears variable definitions but does not provide a method for assigning tailored values to individual devices. Adding a new ADOM relates to creating a new Administrative Domain, which is a structural change in the management system rather than a mechanism for device-specific customization within existing policies. Using static values only eliminates the flexibility offered by variables and forces administrators to manually enter the same information for each device, increasing workload and reducing consistency. For these reasons, the correct answer is A. Per-Device Variable Assignment.

Q199: A FortiGate cluster displays inconsistent checksum data between master and slave nodes in FortiManager. What resolves this?

A. Trigger HA resync on the device
B. Delete secondary
C. Reset HA
D. Force install

Answer: A. Trigger HA resync on the device

Explanation:

Trigger HA resync on the device refers to initiating a synchronization process within a High Availability cluster to ensure that all units share the same configuration and operating state. In an HA environment, one unit typically functions as the primary while others serve as secondary units. Over time, discrepancies may develop due to configuration drift, unexpected failures, or communication issues between the devices. Triggering an HA resync allows the system to compare both units and push the correct, authoritative configuration from the primary to the secondary, restoring full consistency and stability. This action is often used when an HA pair shows out-of-sync alerts or mismatched settings, or when recent configuration updates appear not to have been replicated correctly. It is a safe and controlled way to restore consistency between the cluster members without unnecessary disruption.

Deleting the secondary unit is a far more drastic step that removes the backup device from the cluster entirely, which is rarely an appropriate first response to synchronization problems. Resetting HA involves reconfiguring the entire High Availability setup from scratch, causing downtime and requiring a full rebuild of cluster relationships, making it unsuitable unless the environment is severely corrupted. Forcing an install pushes configuration changes directly to devices but does not address HA synchronization issues and can even worsen discrepancies if used improperly in a clustered setup. Given these considerations, the option that directly and safely resolves synchronization concerns is A. Trigger HA resync on the device.

Q200: A device flags certain objects as “conflicting global overrides.” What should the admin do?

A. Review and correct Global ADOM Overrides
B. Delete all overrides
C. Reset global policy
D. Change ADOM version

Answer: A. Review and correct Global ADOM Overrides

Explanation:

Review and correct Global ADOM Overrides refers to examining the customized settings that have been applied to specific Administrative Domains when they differ from the standard global policy configuration. In a centralized management environment, global policies are designed to provide consistent rules and settings across multiple ADOMs, ensuring uniformity and reducing administrative overhead. However, there are occasions when an ADOM requires specialized adjustments, resulting in overrides that intentionally diverge from the global baseline. Over time, these overrides may become outdated, misapplied, or conflicting with newer global standards. Reviewing and correcting them allows administrators to identify discrepancies, validate whether the customizations are still necessary, and adjust them to align with current policy requirements. This process helps maintain policy integrity, ensures consistent enforcement, and prevents conflicts that could cause deployment failures or unexpected security behavior.

Deleting all overrides would remove every custom adjustment across the ADOMs, which may break critical environment-specific configurations and introduce widespread issues. Resetting the global policy is an extreme measure that would revert the entire policy structure, affecting all ADOMs and creating significant operational disruption. Changing the ADOM version focuses on compatibility between different policy or firmware versions, and while important, it does not address the root cause when specific ADOM overrides are responsible for inconsistencies. With these considerations in mind, the most appropriate action is A. Review and correct Global ADOM Overrides.

 
