Q21. A FortiManager administrator wants to ensure that Policy Packages are installed only when device configuration changes occur. Which installation mode reduces unnecessary installs and speeds up large-scale operations?
A) Reinstall Policy
B) Install Only Policy Changes
C) Install Policy & Device Settings
D) Full Install Mode
Answer: B
Explanation:
Reinstall Policy performs a full policy installation from FortiManager onto a FortiGate device regardless of whether anything has changed, replacing the entire policy package on the device with the version stored in FortiManager. This guarantees a complete and consistent configuration, but it is more intrusive than necessary when only small or incremental changes have been made, and it may briefly disrupt active sessions while many policies or dependent objects are re-evaluated. A full reinstall is therefore normally reserved for major restructuring or for a synchronization problem that requires a complete refresh.
Install Only Policy Changes is the correct answer because it targets only the modifications made since the last successful installation. This minimizes the scope of what is pushed to the FortiGate, reducing the risk of interruption or unexpected behavior. By sending only incremental updates, FortiManager streamlines the installation, accelerates deployment, and improves operational efficiency. This mode is particularly beneficial where frequent minor adjustments are made, such as updating objects, modifying rule parameters, or tuning security profiles. It keeps tight control over what is deployed, avoids reprocessing unchanged rules, and reduces installation time. It is the preferred choice for stable environments where only specific configuration updates need to be applied.
Install Policy and Device Settings extends beyond policy changes to include device-level configuration such as interfaces, routing parameters, system settings, or virtual domains. It is the mode to use when both security policies and system configuration must be pushed, but it is broader than necessary when only policy updates are intended.
Full Install Mode performs an exhaustive installation of all policies, objects, and device settings, even if no changes have occurred. This is the most intrusive installation type and is generally reserved for major configuration overhauls or recovery scenarios.
Q22. An enterprise wants to enforce a global default-deny rule while allowing each ADOM to add its own exceptions. What feature allows this combination of strict global security and local flexibility?
A) Per-Device Mapping
B) Local Domain Overrides
C) Global ADOM with Local Exceptions
D) Policy Cloning
Answer: C
Explanation:
Global ADOM with Local Exceptions is the correct answer because it balances centralized governance against localized flexibility in a FortiManager environment. Organizations operating across multiple regions, business units, or security domains usually want a consistent baseline policy while still allowing each ADOM to adapt specific elements to local requirements. A Global ADOM lets administrators define universal objects, common policies, and standardized security rules that apply to all ADOMs. Real-world deployments still require deviations, such as different web filter settings, region-specific application control rules, or localized address objects. Local exceptions let administrators within each ADOM override specific inherited global objects or policies without affecting the global baseline, so governance is maintained while operational flexibility is preserved. The approach reduces configuration duplication, improves manageability, and prevents fragmentation by keeping the core structure centralized while permitting controlled customization at the ADOM level.
Per-device mapping focuses on customizing object values for individual devices within a shared policy package. While useful for device-specific parameters, it does not address the need for ADOM-level customization when inheriting objects from a global ADOM. Its scope is narrower and not intended for cross-domain exceptions.
Local domain overrides provide a mechanism for making adjustments within a specific ADOM but are not directly tied to the structure and inheritance relationship that exists when a global ADOM controls object distribution. They do not replace the hierarchical global-to-local model required in this scenario.
Policy cloning involves making a separate copy of a policy package for each ADOM. Although this allows customization, it destroys the efficiency and consistency benefits of centralized management by creating multiple independent policies that must be maintained individually.
Q23. A device group contains FortiGate units with different interface names for WAN ports. A shared policy package uses a dynamic interface placeholder. What feature resolves these placeholders automatically during installation?
A) Device Interface Sync
B) Per-Device Mapping
C) Dynamic Template Binding
D) Global Mapping Service
Answer: B
Explanation:
Per-device mapping is the correct answer because it provides administrators with a practical and efficient method for assigning device-specific values within a shared policy or template structure. In many FortiManager environments, multiple FortiGate devices share the same policy package or template, but not all devices have identical network layouts, interface names, IP addressing, or local configurations. Per-device mapping allows administrators to define a single logical object, such as an address, interface, or service configuration, while assigning customized values for each device. This ensures consistency in how policies are built and maintained while giving every device the unique configuration it requires. Using per-device mapping eliminates the need to duplicate policies for each device, which reduces configuration drift, improves manageability, and greatly simplifies large-scale deployments. It is especially important in environments with many branch locations where overall security policies remain consistent but local infrastructure varies.
Device interface sync focuses on synchronizing interface configurations between FortiManager and FortiGate. While this is necessary for ensuring accurate device representation, it does not provide a means for assigning device-specific values within shared policies. Its purpose is to maintain interface consistency rather than support dynamic customization.
Dynamic template binding suggests automatic association of templates with devices based on detected characteristics. Although appealing in concept, this option does not offer the structured, administrator-defined customization that per-device mapping provides. Templates alone cannot account for the specific configuration values that vary per device.
Global mapping service implies a centralized mechanism for applying mappings globally, but this does not align with the practical need for per-device customization. Global mappings would enforce uniformity instead of allowing individualized values, making them unsuitable for scenarios requiring flexibility within shared packages.
Per-device mapping remains the most effective approach when unique device values must be integrated into consistent, centrally managed configurations.
Q24. An administrator uses VPN Manager in FortiManager 7.4 to deploy site-to-site tunnels. They need to allow branch offices to modify only the local tunnel interface while keeping crypto settings locked. What should they configure?
A) Interface-Level Overrides
B) Template Variable Sets
C) Phase 1 Override Profile
D) Local Device Adjustment Mode
Answer: C
Explanation:
Phase 1 Override Profile is the correct answer because it provides the precise mechanism needed to customize VPN Phase 1 parameters on a per-device basis while still using a shared VPN template or policy package within FortiManager. In many deployments, organizations rely on standardized IPsec templates to maintain consistency across dozens or hundreds of devices. However, VPN Phase 1 settings such as peer IP addresses, authentication methods, local IDs, or interface bindings often differ from one device to another. The Phase 1 Override Profile allows administrators to retain a unified template while selectively overriding key fields for each specific device. This approach eliminates the need to clone templates, reduces administrative overhead, and ensures consistent policy logic across the environment. It also safeguards against configuration drift by keeping only the unique values isolated to the override profile instead of altering the entire template structure. Because of its targeted scope and flexibility, this feature is essential in multi-site VPN deployments where each endpoint must maintain a different Phase 1 configuration.
Interface-Level Overrides enable customization of interface parameters, but they do not provide the VPN-specific granularity required for Phase 1 negotiations. While useful for interface naming or IP assignments, they do not apply to IPsec authentication or Phase 1 exchange parameters.
Template Variable Sets offer a way to define placeholder values within templates, often used for IP addresses, interface names, or routing information. Although variable sets are powerful, they are not specialized for IPsec Phase 1 settings and cannot replace the structured override mechanism provided by a Phase 1 override profile.
Local Device Adjustment Mode suggests a broad device-level customization function, but such a feature is not intended for handling detailed IPsec Phase 1 configurations. It does not provide the fine-tuned control needed for adjusting VPN parameters across multiple devices.
Q25. A new FortiGate appears in FortiManager with mismatched device settings. The admin wants FortiManager to adopt the device’s current configuration. What action should be taken?
A) Reimport Device Settings
B) Force Global Install
C) Factory Reset the Device
D) Change ADOM Mode
Answer: A
Explanation:
Reimport Device Settings is the correct answer because it directly addresses situations in which FortiManager and the managed FortiGate fall out of sync on configuration data. This typically happens when administrators make changes directly on the FortiGate rather than through FortiManager, or when an update is only partially synchronized because of network delays, version differences, or unexpected device behavior. When FortiManager's stored configuration differs from what is actually running on the FortiGate, policy installations, object references, and device-level configuration comparisons may fail or produce warnings. Reimporting device settings (in Device Manager this is the Retrieve Config action, followed by Import Policy if the device's policies changed as well) pulls the current configuration from the FortiGate and updates the FortiManager database so that both systems share a consistent baseline. This prevents overwrite conflicts, ensures an accurate representation of device settings, and restores normal management operations. It is a safe corrective action that preserves the existing configuration without downtime or major disruption.
Force Global Install attempts to push all global objects and settings back to the device regardless of whether they are already synchronized. While this can sometimes re-establish consistency, it is risky if the device holds valid configuration changes that FortiManager has not yet learned about: those local modifications are overwritten. It is not the recommended first step for a synchronization issue.
Factory Reset the Device is an unnecessarily severe action. Resetting the device wipes all configuration data, disconnects it from FortiManager, and forces a complete re-provisioning process. This is only appropriate in rare cases of corruption or unrecoverable misconfiguration, not for normal sync discrepancies.
Change ADOM Mode affects the administrative domain structure and how devices and policies are grouped. It does not resolve mismatches between the device's actual configuration and FortiManager's stored version.
Q26. A managed firewall cluster shows “Conflict Detected” in the Device Manager. The cluster nodes have different VDOM configurations. How should the administrator fix this?
A) Force HA Resynchronization
B) Delete all VDOMs
C) Switch to Non-VDOM Mode
D) Promote the secondary unit
Answer: A
Explanation:
Force HA Resynchronization is the correct answer because it directly addresses configuration discrepancies between members of a FortiGate high availability cluster. In an HA cluster the primary unit holds the authoritative configuration, and the secondary units are expected to synchronize with it automatically. Manual configuration changes on a secondary, firmware mismatches, or temporary cluster instability can cause a secondary to drift out of sync. When that happens, FortiManager may detect inconsistencies, fail to install policies, or report mismatch errors. Forcing an HA resynchronization pushes a complete copy of the current primary configuration to the secondary, restoring alignment across the cluster without affecting traffic forwarding. On the cluster itself, confirm the drift by comparing the output of diagnose sys ha checksum cluster across members, run execute ha synchronize start on the out-of-sync secondary, and re-check the checksums before retrying the FortiManager install. Once the sync completes, both units share the same configuration baseline and FortiManager can continue policy management without errors.
Delete all VDOMs is an extreme and inappropriate option. Removing VDOMs would wipe significant portions of configuration data, disrupt routing and segmentation, and break existing policies. It does not relate in any way to synchronization issues between HA members.
Switch to Non-VDOM Mode is not suitable because changing VDOM mode fundamentally alters how the FortiGate handles multi-tenancy and configuration segmentation. Such a change is highly disruptive and unrelated to HA synchronization problems. It also risks losing configuration information tied to existing VDOM structures.
Promote the secondary unit is not advisable when the secondary is the device suspected of having a synchronization problem. Promoting an out-of-sync unit could spread the inconsistent configuration across the cluster and lead to service disruption. Promotion should only occur when both units are healthy and synchronized.
Q27. An MSSP uses FortiManager 7.4 multi-tenancy. They want to ensure that shared objects are never visible across customer ADOMs. What configuration guarantees isolation?
A) Disable Workspace Mode
B) Delete the Global ADOM
C) Use Read-Only Admin Profiles
D) Enable ADOM Auto-Split
Answer: B
Explanation:
Delete the Global ADOM is the correct answer because it removes the source of inherited global objects or policies that can cause conflicts, confusion, or administrative limitations within individual ADOMs. When a Global ADOM is in use, FortiManager distributes shared objects and global policy packages to the subordinate ADOMs they are assigned to. This is useful where centralized governance is required, but it becomes a problem when ADOMs need fully independent configurations or when local administrators are restricted by global overrides they cannot modify. Removing the Global ADOM removes the hierarchical inheritance layer entirely, giving each ADOM complete autonomy: local teams define their own objects, manage their own policy packages, and operate without restrictions imposed by global configurations, and issues such as object naming conflicts, forced global policies, or limits on customizing web filter, application control, or interface objects disappear. In practice, note that global objects and global header and footer policies appear in an ADOM only once a global policy package has been assigned to it, so the operational controls an MSSP relies on are never assigning global packages to customer ADOMs, keeping each customer in its own ADOM, and scoping every customer administrator's profile to that ADOM alone.
Disable Workspace Mode does not address global object inheritance. Workspace mode only controls how configuration changes are locked, staged, reviewed, and committed. Turning it off changes the editing workflow but does not remove global object dependencies or conflicts.
Use Read-Only Admin Profiles limits what administrators can modify but does not solve issues caused by global ADOM inheritance. Read-only profiles prevent unauthorized changes but do not provide independence to ADOMs that require their own configuration flexibility.
Enable ADOM Auto-Split creates independent ADOMs by dividing devices based on firmware versions, but this does not remove the influence of a Global ADOM. Auto-split is designed for version management, not for eliminating global configuration inheritance.
Q28. A global enterprise uses FortiManager to manage all firewall logging configurations. They want to maintain consistent log forwarding to FortiAnalyzer across all devices. What is the best way to do this?
A) Use a Log Forwarding Script
B) Configure a Device Template for Logging
C) Edit each device manually
D) Use CLI-only installation
Answer: B
Explanation:
Configure a Device Template for Logging is the correct answer because it provides the most efficient and scalable method for applying consistent logging settings across multiple FortiGate devices managed by FortiManager. In large deployments, administrators often need to ensure that all devices send logs to the correct destinations, whether that is FortiAnalyzer, a syslog server, or a cloud logging platform. Configuring a device template allows these logging parameters to be defined once and then automatically applied to any device associated with the template. This approach maintains uniformity, reduces administrative effort, and minimizes the risk of misconfiguration. Templates can include detailed settings such as log levels, log formats, encryption requirements, and specific log forwarding targets. When a device is added to or synchronized with a template, FortiManager ensures that all logging configurations remain aligned with organizational standards. This centralization is essential for security auditing, compliance reporting, and maintaining reliable log flow across distributed environments.
Use a Log Forwarding Script suggests a custom or manual method for pushing log-related commands to devices. While scripting can be useful in limited circumstances, it lacks the structured management, consistency, and integration provided by templates. Scripts are also more prone to errors and are harder to maintain over time.
Edit each device manually is the least efficient option, especially in environments with numerous devices. Manual configuration increases the likelihood of inconsistency and requires repetitive work every time logging standards change. This approach is difficult to scale and does not align with centralized management principles.
Use CLI-only installation implies pushing configurations entirely through command-line scripts during installation. Although CLI installations can apply logging commands, they do not provide ongoing configuration synchronization or template-driven management. It is more suitable for one-time adjustments than for maintaining consistent logging configurations across multiple devices.
Q29. While installing a policy package, FortiManager reports missing address objects used in rules. The administrator knows these objects exist on the device but not in the policy package. What should they do next?
A) Remove the rules containing missing objects
B) Reimport the device configuration
C) Force Policy Install
D) Create placeholder objects manually
Answer: B
Explanation:
Reimport the device configuration is the correct answer because it directly resolves missing or mismatched objects detected during policy installation. The problem commonly arises when administrators make changes directly on the FortiGate rather than through FortiManager, or when a previous sync failed to update the FortiManager database fully. FortiManager then tries to install policies that reference objects it believes exist but that are absent from, or have been modified on, the device. Reimporting the device configuration fetches the current, authoritative configuration from the FortiGate and updates FortiManager's database so that objects, references, and settings match the actual state of the device; in FortiManager this is Retrieve Config on the device followed by the Import Policy wizard, which brings the objects referenced by the device's policies into the ADOM database. This restores synchronization, prevents further installation errors, and keeps management control consistent. Reimporting avoids accidental overwrites and maintains the integrity of the ADOM while resolving the object discrepancy.
Remove the rules containing missing objects would technically eliminate the installation error, but it is not a recommended approach. Removing rules can disrupt security posture and may unintentionally remove policies that are still necessary for network functionality. This method treats the symptom rather than fixing the underlying cause of the mismatch.
Force Policy Install pushes the policy package onto the FortiGate even when objects are missing or mismatched. This can lead to configuration corruption, failed policies, or loss of rule logic. It is a risky action and should not be used when missing objects indicate a genuine synchronization issue.
Create placeholder objects manually may temporarily satisfy FortiManager's requirement for object references, but it introduces artificial objects that may not match what the FortiGate actually needs. This leads to long-term configuration confusion, object sprawl, and increased administrative complexity.
Q30. A FortiManager admin needs to push different DNS server settings to various branch offices while using a single template. Which feature supports this?
A) Per-Device Template Variables
B) Global ADOM
C) DNS Override Profile
D) Template Cloning
Answer: A
Explanation:
Per-device template variables is the correct answer because it provides a flexible and scalable method to customize configuration values for individual devices while still using a shared template within FortiManager. Large deployments often rely on templates to maintain consistent configurations across multiple FortiGate units, but not all devices share identical settings. Common differences include DNS servers, interface IP addresses, hostnames, routing details, and authentication parameters. Per-device template variables allow administrators to define placeholder values within a template and then assign unique values for each device without modifying the template itself. This prevents unnecessary duplication of templates and ensures that only the specific variable fields differ per device. It also simplifies long-term management because administrators can update the template structure once and apply it to all devices while still preserving individual configurations. The approach enhances control, reduces human error, prevents template proliferation, and supports clean, centralized management of device-specific attributes.
Global ADOM provides centralized management for shared objects and policies across multiple ADOMs. Although useful for enforcing enterprise-wide standards, it does not address the need for device-level customization within templates. It focuses on centralized inheritance rather than individualized configuration.
DNS Override Profile sounds like a feature used to control DNS settings for devices, but such a profile does not exist as a primary mechanism in FortiManager. Even if DNS adjustments were required, they would not cover the broader need to customize multiple types of values per device.
Template cloning allows administrators to create separate template copies for each device or group. While this provides full customization, it leads to template redundancy, increased administrative workload, and difficulty maintaining consistency across many templates. Cloning is inefficient when only a few fields differ among devices.
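As an added example, not taken from the original page or from Fortinet, the following Python script renders one shared CLI template for several devices from each device's own variable set, which is what per-device template variables do at install time. It also serves the logging template of Q28: the fixed part of the template pins the FortiAnalyzer log forwarding settings that every device must share, and only the DNS values vary. The $(name) placeholders follow the form FortiManager CLI templates use for variables; the variable names, device names and IP addresses are constructed for the example. The script refuses to render a device that lacks a variable rather than pushing a half-substituted configuration, which is the failure mode to check for before an install. The same resolve-per-device-or-fail pattern generalizes to per-device mapping of dynamic interfaces (Q23, Q32), where the value looked up per device is an interface name instead of an address.

```python
import re

# Shared CLI template (FortiOS syntax). The fixed block pins the FortiAnalyzer
# logging settings for every device; the $(name) placeholders are filled per
# device. Variable names, device names and addresses are constructed.
TEMPLATE = """\
config log fortianalyzer setting
    set status enable
    set server "$(faz_ip)"
    set reliable enable
    set enc-algorithm high
end
config system dns
    set primary $(dns_primary)
    set secondary $(dns_secondary)
end
"""

# Per-device variable sets. branch-03 deliberately lacks dns_secondary.
DEVICES = {
    "branch-01": {"faz_ip": "10.0.0.5", "dns_primary": "10.1.0.53", "dns_secondary": "10.1.0.54"},
    "branch-02": {"faz_ip": "10.0.0.5", "dns_primary": "10.2.0.53", "dns_secondary": "10.2.0.54"},
    "branch-03": {"faz_ip": "10.0.0.5", "dns_primary": "10.3.0.53"},
}

VAR_RE = re.compile(r"\$\(([A-Za-z0-9_]+)\)")


class MissingVariable(Exception):
    """Raised when a device's value set lacks a variable the template uses."""

    def __init__(self, names):
        super().__init__(", ".join(names))
        self.names = names


def template_variables(template):
    """Sorted list of the distinct variable names referenced by the template."""
    return sorted(set(VAR_RE.findall(template)))


def render(template, values):
    """Substitute every $(name) from `values`; fail if any name is unset."""
    missing = [v for v in template_variables(template) if v not in values]
    if missing:
        raise MissingVariable(missing)
    return VAR_RE.sub(lambda m: values[m.group(1)], template)


def render_all(template, devices):
    """Return (rendered, failures): rendered configs keyed by device name, and
    the unset variable names for devices that must not be installed as-is."""
    rendered, failures = {}, {}
    for name, values in devices.items():
        try:
            rendered[name] = render(template, values)
        except MissingVariable as exc:
            failures[name] = exc.names
    return rendered, failures


if __name__ == "__main__":
    ok, bad = render_all(TEMPLATE, DEVICES)
    for dev, cfg in ok.items():
        print(f"--- {dev} ---\n{cfg}")
    for dev, names in bad.items():
        print(f"REFUSED {dev}: unset variable(s) {names}")
```

Run as a script it prints the two complete configurations and a refusal for branch-03. Treating an unset variable as a hard failure is a deliberate choice: a literal $(dns_secondary) left in the pushed config is exactly the kind of silent drift that later shows up as a mismatched device in Device Manager.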
Q31. An admin sees a policy package installation queued for over an hour because another admin has the ADOM locked. How can they safely proceed?
A) Reboot FortiManager
B) Force Unlock the ADOM
C) Disable Workspace Mode
D) Delete the lock file via CLI
Answer: B
Explanation:
Force unlock the ADOM is the correct answer because it directly addresses situations in which an ADOM becomes locked due to an unfinished or abandoned administrative session. In FortiManager, ADOM locking occurs whenever an administrator enters a workspace or begins modifying configuration elements within that ADOM. If the session ends unexpectedly due to a browser timeout, network interruption, or user oversight, the ADOM may remain locked and prevent other administrators from performing necessary tasks. This can halt policy installations, template edits, object modifications, or device synchronization. Using the force unlock option from the Administrator panel allows a privileged user to manually release the lock without disturbing ongoing system operations. It is a safe and controlled method that restores access immediately while preserving the integrity of the ADOM. Force unlocking ensures that no one has to wait for a session timeout or restart services, and it avoids unnecessary workflow interruptions in multi-admin environments.
Reboot FortiManager is an unnecessarily disruptive option. Restarting the entire management system to clear an ADOM lock would cause temporary downtime, interrupt scheduled tasks, and potentially delay device communication. It resolves the symptom by resetting all sessions, but it is far too broad for what is essentially a simple administrative lock issue.
Disable workspace mode changes how configuration edits are processed globally for all ADOMs. Turning it off removes structured change handling and could cause conflicts between administrators editing the same configuration. Disabling workspace mode does not unlock an ADOM and is not intended as a remedy for stuck locks.
Delete the lock file via CLI is not recommended because FortiManager does not require or encourage manual file manipulation to manage locks. Editing system files directly risks corruption, unintended side effects, or loss of session data. Force unlock is the supported and safe method for resolving ADOM lock issues.
Q32. A device configuration installation fails due to an invalid interface reference. The issue is caused by an object referencing an interface that doesn’t exist on that device. What FortiManager mechanism prevents this?
A) Interface Mapping Preview
B) Per-Device Mapping
C) Global Interface Table
D) Dynamic Interface Engine
Answer: B
Explanation:
Per-device mapping is the correct answer because it is the feature designed to handle situations in which multiple devices share a common policy package or template but require different interface assignments, IP addresses, or other device-specific parameters. In real-world deployments, especially those involving many branch offices or distributed networks, it is common for the underlying network topology to vary from one device to another. Even though the security policies themselves may be identical, the interfaces used for WAN, LAN, DMZ, or VPN connections are often different. Per-device mapping solves this challenge by allowing administrators to define logical interface names or objects within a shared policy package and then map those logical objects to actual physical interfaces for each individual device. This makes it possible to maintain consistent policies across all devices while still supporting unique hardware configurations or network layouts. Per-device mapping significantly reduces configuration duplication, prevents errors caused by mismatched interface names, and ensures that policy installation runs smoothly across devices with differing interface structures.
Interface Mapping Preview provides a visual or informational display of how interfaces will be mapped during installation, but it does not allow administrators to customize those mappings or assign device-specific values. It is a verification tool rather than a configuration mechanism.
Global Interface Table attempts to standardize interface names at a global level, but this does not help when individual devices have unique naming conventions or interface structures. It enforces uniformity instead of offering customization, making it unsuitable for environments where interface differences are expected.
Dynamic Interface Engine suggests an automated system that detects and assigns interface mappings automatically. While appealing in concept, such a feature does not provide the deliberate, administrator-controlled mapping required for accurate policy deployment. Automatic processes may misinterpret interface roles or create inconsistent mappings.
Per-device mapping remains the most reliable and precise method for aligning shared policies with unique device interfaces.
Q33. An admin wants to track how frequently firewall rules are triggered to optimize policy ordering. Which tool provides this information?
A) Policy Analyzer
B) Policy Hit Counter
C) Object Usage Monitor
D) Revision History
Answer: B
Explanation:
Policy Hit Counter is the correct answer because it gives direct visibility into how often each firewall policy is matched by traffic on the FortiGate. When enabled and synchronized with FortiManager, the hit counter shows which rules are actively used, which are rarely triggered, and which may no longer serve a purpose. This information supports rulebase optimization, performance, and overall security posture. Policies with no hits over a long period are candidates for removal, consolidation, or reclassification, while policies with unusually high hit counts may need refinement, reordering, or additional inspection to confirm they behave as intended. The hit counter lets administrators make data-driven decisions about policy optimization and cleanup, reducing complexity within the firewall configuration, and it also helps in troubleshooting traffic flows, verifying expected behavior, and validating newly deployed rules.
Policy Analyzer is designed to detect policy conflicts, overlaps, shadowed rules, and other logical inconsistencies within the rulebase. While useful for improving structural correctness, it does not measure real traffic usage and therefore cannot determine which rules are actively in use.
Object Usage Monitor provides insight into how objects such as addresses, groups, and services are referenced throughout the configuration. Although helpful for cleaning up unused or redundant objects, it does not track live traffic hitting policy rules.
Revision History records configuration changes over time and allows administrators to review, compare, and roll back revisions. It matters for auditing and change control, but it provides no visibility into how frequently policies are matched.
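The caveat a practitioner wants before acting on hit counts is that a zero-hit rule is not necessarily unused: it may be shadowed by a broader rule above it, in which case the fix is reordering or removal of the duplicate, not simply deleting a "dead" rule. The following Python script, an added example that is not from the original page or from Fortinet, triages zero-hit policies into genuine idle candidates and policies whose zero count is explained by an earlier covering rule. The policy fields mirror a FortiGate policy's srcaddr, dstaddr, service and action attributes, but the objects, ordering and hit counts are constructed.

```python
# Constructed policies in FortiGate order (top to bottom). Fields hold object
# names as a FortiGate policy does; "all" (addresses) and "ALL" (services)
# are the built-in match-anything objects. Hit counts are invented.
POLICIES = [
    {"id": 1, "srcaddr": {"all"}, "dstaddr": {"DB-Server"}, "service": {"HTTPS"}, "action": "accept", "hits": 12000},
    {"id": 2, "srcaddr": {"HQ-LAN"}, "dstaddr": {"DB-Server"}, "service": {"HTTPS"}, "action": "accept", "hits": 0},
    {"id": 3, "srcaddr": {"Branch-LAN"}, "dstaddr": {"Legacy-App"}, "service": {"ALL"}, "action": "accept", "hits": 0},
    {"id": 4, "srcaddr": {"all"}, "dstaddr": {"all"}, "service": {"ALL"}, "action": "deny", "hits": 5000},
]

WILDCARD = {"srcaddr": "all", "dstaddr": "all", "service": "ALL"}


def covers(field, earlier, later):
    """True if the earlier policy's value set for `field` matches everything
    the later policy's set matches. Containment is checked at object-name
    level only; group membership and subnet overlap are not resolved, so
    this can miss shadowing but never claims it without certainty."""
    return WILDCARD[field] in earlier or later <= earlier


def shadowed_by(policies, index):
    """Id of the first policy above `index` that fully covers it, else None.
    A fully covered policy can never match, whatever its action."""
    later = policies[index]
    for earlier in policies[:index]:
        if all(covers(f, earlier[f], later[f]) for f in WILDCARD):
            return earlier["id"]
    return None


def triage_zero_hit(policies):
    """Split zero-hit policies into genuine removal candidates (idle) and
    policies whose zero count is explained by a broader earlier rule
    (shadowed: a mapping from the shadowed id to the shadowing id)."""
    idle, shadowed = [], {}
    for i, policy in enumerate(policies):
        if policy["hits"] != 0:
            continue
        by = shadowed_by(policies, i)
        if by is None:
            idle.append(policy["id"])
        else:
            shadowed[policy["id"]] = by
    return idle, shadowed


if __name__ == "__main__":
    idle, shadowed = triage_zero_hit(POLICIES)
    print("idle candidates for removal:", idle)
    print("zero hits explained by shadowing:", shadowed)
```

With the constructed rulebase, policy 2 is reported as shadowed by policy 1 (same destination and service, broader source), and only policy 3 is an idle candidate. Because the name-level check does not expand address groups, an "idle" result is still only a candidate: confirm it with Policy Analyzer's shadowing report and with a hit-count window long enough to cover periodic traffic such as monthly batch jobs before removing a rule.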
Q34. The admin notices that policy packages contain unused address and service objects. Which FortiManager tool finds and removes these?
A) Object Analyzer
B) Unused Object Cleanup
C) Object Merge Tool
D) Policy Analyzer
Answer: B
Explanation:
Unused Object Cleanup is the correct answer because it is designed to identify and remove objects within FortiManager that are no longer referenced by any policy, profile, or configuration element. As administrators modify firewall rules, retire older configurations, or import devices, objects such as address groups, service definitions, interfaces, and schedules can remain in the database after they are no longer required. These unused objects clutter the configuration, add administrative complexity, and cause confusion during policy maintenance. The feature scans the ADOM for objects not referenced anywhere in the active configuration and presents them for review, so administrators can delete them safely and keep the configuration clean. This improves organization, reduces the risk of accidentally reusing outdated objects, and improves long-term manageability. It is especially valuable in large deployments where thousands of objects accumulate over years of device imports, policy revisions, and administrative activity.
Object Analyzer is helpful for evaluating object relationships and identifying potential inconsistencies, but it does not specifically target unreferenced or redundant objects. Its purpose is analytical rather than cleanup-oriented.
Object Merge Tool consolidates duplicate objects that have similar or identical definitions. Although valuable for reducing redundancy, it does not identify objects that are completely unused within the configuration.
Policy Analyzer evaluates the rulebase for logical issues such as shadowed policies, overlapping rules, or ordering conflicts. It focuses on policy correctness, not object maintenance or cleanup.
Q35. When attempting to install a global policy, a regional ADOM reports that local override conflicts exist. What is the best troubleshooting step?
A) Remove all local objects
B) View override details in the Global ADOM
C) Disable inheritance entirely
D) Reinstall all policy packages
Answer: B
Explanation:
View override details in the Global ADOM is the correct answer because it provides a clear and structured way to understand how local ADOMs modify or override objects and policies inherited from the Global ADOM. In environments where a Global ADOM is used to maintain shared objects, templates, or policy packages, individual ADOMs may need to adjust certain elements to suit local operational requirements. These overrides can involve changes to address objects, service definitions, security profiles, or other configuration items. Viewing override details from within the Global ADOM allows administrators to see which ADOMs have applied local modifications, what those modifications are, and how they differ from the inherited global versions. This visibility helps ensure consistent governance, prevents accidental misconfigurations, and allows organizations to audit deviations from global standards. It also assists in troubleshooting by helping administrators quickly identify why a device or ADOM behaves differently from the global configuration. This capability supports strong configuration oversight and ensures that global policies remain authoritative while still accommodating localized adjustments.
Remove all local objects would eliminate every locally created or overridden object within an ADOM, which is disruptive and unnecessary. This action can break policies, disconnect devices, and lead to significant configuration loss. It does not solve the core need to understand overrides.
Disable inheritance entirely prevents ADOMs from receiving global objects or policies. While it eliminates overrides by removing the hierarchical relationship, it defeats the purpose of using a Global ADOM and results in inconsistent management and additional administrative burden.
Reinstall all policy packages indiscriminately pushes configuration to managed devices but does not help administrators understand which overrides exist or why differences occur. This approach risks overwriting valid local adjustments without solving the visibility problem.
Q36. A scheduled backup of the FortiManager configuration fails due to insufficient space. What should the administrator do first?
A) Delete old revisions
B) Increase disk allocation
C) Switch to external storage
D) Reduce logging levels
Answer: A
Explanation:
Delete old revisions is the correct answer because ADOM revisions can accumulate rapidly in environments where administrators frequently update policies, objects, or device settings. Each revision stores a snapshot of the configuration at a specific point in time, and while these snapshots are valuable for auditing and rollback purposes, they also consume storage space on FortiManager. Over months or years, especially in large deployments with many ADOMs and frequent configuration changes, the number of revisions can grow significantly. This leads to increased disk usage, slower revision browsing, and potential performance degradation. Deleting old revisions is the most direct and efficient way to free space because it removes historical snapshots that are no longer needed. Administrators can retain only important revisions, such as those preceding major policy changes or upgrades, while removing outdated or redundant ones. This method preserves operational efficiency without impacting active configurations or log data. It is also fully supported by FortiManager’s built-in revision management tools, making it a safe and straightforward maintenance task.
Increase disk allocation may sound helpful but is not always feasible. Physical or virtual FortiManager systems have limits on available storage, and expanding disk capacity often requires downtime, reconfiguration, or hardware changes. It is not a practical or immediate solution to revision bloat.
Switch to external storage is not supported for storing ADOM revisions. External storage may be used for certain log-related tasks, but revision data is tied to FortiManager’s internal database structure and cannot be relocated externally.
Reduce logging levels affects how FortiGate devices generate logs and has no connection to ADOM revision storage. Changing log levels may impact security visibility and should not be used as an attempt to manage configuration revision space.
Q37. After upgrading FortiManager, administrators want to ensure all devices are still reachable. Which tool verifies device connectivity and status?
A) Device Connectivity Checker
B) Status Monitor
C) Device Manager Dashboard
D) ADOM Health Scanner
Answer: C
Explanation:
Device Manager Dashboard is the correct answer because it provides the most complete and centralized view of all managed FortiGate devices within FortiManager. This dashboard consolidates critical information such as device connectivity status, configuration synchronization state, firmware versions, policy package assignments, and system health indicators. It serves as the primary monitoring interface for administrators who need immediate visibility into the operational condition of their managed environment. From the Device Manager Dashboard, administrators can quickly identify issues such as devices that are out of sync, unreachable, using outdated configurations, or in need of policy reinstallation. It also provides access to detailed device-specific information, enabling fast troubleshooting and ensuring that potential problems are addressed before they affect network security or performance. Because it centralizes status, configuration, and management details in one place, the Device Manager Dashboard is considered an essential tool for maintaining operational awareness and smooth device management across all ADOMs.
Device Connectivity Checker offers basic reachability tests but provides limited insight into configuration health, policy compliance, or overall device status. It is useful for confirming connectivity but does not deliver the broader management visibility offered by the Device Manager Dashboard.
Status Monitor tracks certain system-level conditions or event logs but is not designed to present a full operational overview for all managed devices. It is more focused on monitoring rather than active device management.
The name ADOM Health Scanner suggests a tool that would analyze ADOM-level conditions, but such a feature is not typically used for monitoring individual device health or configuration state. It does not replace the role of a centralized device management dashboard.
Q38. An admin wants to ensure that policy changes cannot be installed without proper review. What FortiManager feature enforces this requirement?
A) Workspace Mode
B) Workflow Mode
C) Policy Analyzer
D) Revision Locking
Answer: B
Explanation:
Workflow Mode is the correct answer because it introduces a structured and controlled change-management process within FortiManager, which is essential for environments where multiple administrators oversee policy and configuration updates. When workflow mode is enabled, changes cannot be committed directly; instead, they must go through a formal submission and approval sequence. This ensures that modifications are reviewed by designated approvers before being applied, reducing the risk of misconfigurations, accidental changes, or unauthorized activity. Workflow mode supports role-based approval groups, allowing organizations to assign responsibilities based on internal policies, compliance requirements, or operational roles. This separation of duties strengthens governance and provides an audit trail of who proposed, reviewed, and approved each change. It is especially valuable in large enterprises or regulated industries where accountability, oversight, and strict change-control procedures are required. Workflow mode enhances consistency and helps ensure that each policy update aligns with organizational security standards before deployment.
Workspace Mode, although related to managing configuration edits, focuses primarily on enabling administrators to work in private workspaces before committing changes. It does not provide the structured review and approval process required for controlled change management.
Policy Analyzer is a diagnostic tool that identifies rule conflicts, shadowed policies, and structural inefficiencies within policy packages. While useful for improving policy quality, it does not introduce any approval workflow or enforce review processes.
Revision Locking ensures that configuration revisions are protected from modification but does not manage how changes are proposed or approved. It is intended to preserve configurations rather than control how updates move through an approval cycle.
Q39. A FortiGate device becomes unreachable from FortiManager after an IP change. What action restores management without deleting historical revisions?
A) Remove and re-add the device
B) Update the device IP under Device Manager
C) Rebuild the device database
D) Run a full reinstall
Answer: B
Explanation:
Update the device IP under Device Manager is the correct answer because it directly addresses the situation in which a FortiGate device’s management IP has changed and FortiManager can no longer communicate with it. When a device’s IP address is updated on the FortiGate itself, FortiManager must be made aware of the new address so it can continue performing tasks such as configuration retrieval, policy installation, and status monitoring. Updating the IP in Device Manager ensures that FortiManager reconnects using the correct network path, restoring all management functions without disrupting the device’s configuration or its association with existing ADOMs, policies, or objects. This is a simple, non-intrusive adjustment that aligns FortiManager’s connection data with the current state of the managed device. Once the IP is updated, the system can proceed with synchronization and resume normal management operations without requiring unnecessary changes.
Remove and re-add the device is far more disruptive than necessary. Doing this breaks historical data, deletes associated mappings, and forces administrators to rebuild many relationships between the device and its assigned policies, templates, and ADOM settings. It is an extreme measure appropriate only in situations where the device has fundamentally changed or become corrupted, not for a simple IP update.
Rebuild the device database is also unnecessarily drastic. This action reconstructs the device’s internal configuration representation within FortiManager and is typically used when inconsistencies or corruption are detected. It is not required when the only issue is a management IP mismatch.
Run a full reinstall pushes the entire configuration from FortiManager back to the device. This is inappropriate when the problem is simply communication failure due to an IP change. A reinstall does not fix connectivity and may introduce needless configuration changes.
Q40. A large ADOM contains hundreds of revisions, making it slow to load and manage. What maintenance task improves performance without losing configuration history?
A) Delete all revisions
B) Compress ADOM Revisions
C) Reset ADOM State
D) Move devices to a new ADOM
Answer: B
Explanation:
Compress ADOM Revisions is the correct answer because FortiManager automatically stores configuration snapshots, known as revisions, each time changes are committed within an ADOM. Over time, especially in environments with frequent policy updates, template adjustments, or multi-admin workflows, the number of revision files can grow significantly. Each individual revision consumes storage space and contributes to the expansion of the ADOM database. Compressing ADOM revisions allows FortiManager to reduce the size of these stored snapshots without deleting them, preserving historical configuration data while optimizing storage utilization. This compression process helps maintain system performance, prevents disk-space warnings, and ensures that administrators retain access to past revisions for audit trails, troubleshooting, or rollback purposes. Compressing revisions is a safe, effective way to manage long-term revision growth without compromising data integrity or losing valuable configuration history. It is especially helpful in large enterprise environments where retaining a substantial revision history is important for compliance or operational oversight.
Delete all revisions would free up space but is not a practical or responsible solution. Removing all revision history eliminates rollback capability, removes audit evidence, and erases important historical configuration data that may be required for compliance or troubleshooting in the future.
Reset ADOM State is a drastic action that restores the ADOM to a baseline condition, potentially wiping settings, mapping data, and critical configuration structures. This approach is far too disruptive for managing revision storage issues and poses unnecessary risk to operational stability.
Move devices to a new ADOM does not address the underlying issue of revision size or storage usage. Moving devices introduces additional overhead, requires new policy mappings, and can complicate management. It is not related to controlling revision growth.