Fortinet FCP_FMG_AD-7.4 FCP FortiAuthenticator 6.5 Administrator Exam Dumps and Practice Test Questions Set 5 Q81-100


Q81. A FortiManager admin needs to apply different static routes for different branches while using a single routing template. What feature supports this?

A) Per-Device Variables
B) ADOM Overrides
C) Policy Analyzer
D) Global Routing Mode

Answer: A

Explanation: 

Per-device variables are the most effective solution when administrators need to apply a standardized policy package or template across multiple devices, while still allowing certain configuration values to differ from one device to another. In large or distributed environments, devices often share the same overall policy framework but require unique parameters such as interface names, IP addresses, local subnets, or site-specific identifiers. Per-device variables make it possible to define a single logical variable in the shared configuration and then map different values to each device individually. This ensures that the policy package remains clean, scalable, and consistent while still providing the necessary customization at the device level. It also significantly reduces administrative overhead because changes to the main policy package do not require creating multiple versions or duplicating objects. Instead, administrators simply adjust the mapped values for each device, allowing the centralized policy structure to remain intact while accurately reflecting each device’s unique environment. This approach helps maintain uniform security posture across the network and improves long-term manageability.

ADOM overrides allow modifications to global or shared objects within specific ADOMs, but they do not provide per-device customization within a single ADOM. Policy Analyzer focuses on detecting redundant or shadowed rules and improving policy structure but is not designed to handle device-specific value mappings. Global routing mode affects how routing is handled across administrative domains and is unrelated to assigning individualized configuration values. Compared to these alternatives, per-device variables offer the most flexible, efficient, and scalable method for applying a unified policy set while still supporting unique requirements for each managed device.

Q82. A device import operation shows “VDOM mismatch.” What is the correct administrative action?


A) Fetch the full configuration again
B) Reset all VDOMs on the device
C) Delete ADOM
D) Switch to Normal ADOM mode

Answer: A

Explanation: 

Fetching the full configuration again is the most appropriate action when FortiManager displays incomplete, outdated, or partially synchronized configuration data for a device, particularly one operating with multiple VDOMs. In environments where administrators sometimes make changes directly on the FortiGate instead of through FortiManager, discrepancies can arise between the configuration stored in FortiManager and the actual configuration running on the device. These mismatches may include missing VDOM-level settings, incorrect policy references, inconsistent object values, or outdated interface information. By fetching the full configuration again, FortiManager retrieves every part of the active configuration from the device, ensuring that all VDOM configurations, policies, objects, and system settings are accurately reflected in its database. This synchronization is essential for preventing installation failures, ensuring consistent policy application, and maintaining reliable configuration versioning. A fresh configuration fetch also helps identify differences that may have resulted from manual edits, restores alignment, and provides a clean foundation for any subsequent updates or deployments from FortiManager.

Resetting all VDOMs on the device is extremely disruptive and would erase important configurations, creating unnecessary downtime and requiring substantial reconstruction work. Deleting the ADOM would remove all device associations, policies, and objects, offering no benefit while causing major operational impact. Switching to normal ADOM mode simply changes management mode and does not resolve missing or outdated configuration data. Compared to these alternatives, fetching the full configuration again is the safest, most efficient, and most accurate method for reestablishing synchronization between FortiManager and the managed device.

Q83. Admin wants to apply a unified AntiVirus profile across all ADOMs. Which approach ensures multi-ADOM consistency?


A) Use the Global ADOM
B) Use per-ADOM manual sync
C) Clone AV profile into each ADOM
D) Disable ADOMs

Answer: A

Explanation: 

Using the Global ADOM is the most effective solution when an organization needs to share common antivirus profiles, application control signatures, security objects, or policy components across multiple ADOMs. The Global ADOM serves as a centralized management layer that allows administrators to create and maintain standardized security objects that can be inherited by all subordinate ADOMs. This approach greatly reduces duplication of effort, since global objects only need to be created and updated once rather than repeated separately in every ADOM. It also ensures consistency across the entire managed environment, which is especially important for environments with strict compliance requirements or where the same security standards must be applied across multiple customer groups, branches, or administrative divisions. By leveraging the Global ADOM, administrators achieve centralized control while still allowing each ADOM to customize its own local policies when needed. This balance of shared control and local flexibility makes the Global ADOM an essential tool for large, complex, or multi-tenant deployments.

Using per-ADOM manual sync would require administrators to repeatedly recreate or copy objects across each ADOM, increasing the risk of human error and leading to inconsistent configurations. Cloning antivirus profiles into each ADOM introduces duplication and complicates long-term maintenance, as any update would need to be repeated manually across all ADOMs. Disabling ADOMs entirely removes the benefits of administrative separation and eliminates the organizational structure that many businesses rely on for proper delegation and security boundaries. Compared to these alternatives, using the Global ADOM is the most efficient, scalable, and reliable method for sharing common security components across multiple administrative domains.

Q84. A policy installation preview shows that multiple objects will be deleted. The admin did not intend this. What should be done first?


A) Cancel the install and check object references
B) Continue the install
C) Disable workspace mode
D) Change ADOM version

Answer: A

Explanation: 

Canceling the install and checking object references is the most appropriate action when FortiManager reports errors indicating missing, invalid, or conflicting objects during a policy installation attempt. Installation warnings of this type usually mean that one or more objects referenced within the policy package do not exist on the device, have been deleted or modified, or are mismatched between FortiManager and the firewall. Proceeding with the installation in such a situation can lead to failed policy deployment, unexpected behavior on the device, or incomplete configurations that may disrupt network traffic or weaken security enforcement. By canceling the install, administrators prevent potentially harmful or inconsistent changes from being applied. Checking object references allows them to identify exactly which objects are missing, incorrectly defined, or improperly synchronized. The review process may involve reimporting device objects, correcting object definitions, updating mappings, or removing obsolete references within policies. Once the discrepancies are resolved, the installation can safely proceed without risking configuration issues.

Continuing the install is not recommended because unresolved object errors may cause policy failures or partial installations, which can affect device stability. Disabling workspace mode does not resolve object conflicts and would only affect how configuration changes are reviewed and locked. Changing the ADOM version is unrelated to object reference issues and could introduce compatibility problems if done improperly. Compared to all these alternatives, canceling the install and validating object references is the safest and most responsible approach, ensuring that the device receives a complete, correct, and fully validated policy package.

Q85. A FortiManager admin wants to enforce a strict rule where only one active editing session per ADOM is allowed. What feature achieves this?


A) Workspace Mode
B) Revision Locking
C) Workflow Mode
D) Object Locking

Answer: A

Explanation: 

Workspace mode is the most suitable option when administrators need a controlled environment for editing configurations without immediately committing changes to the live database. In FortiManager, workspace mode allows users to create a temporary working area where policy modifications, object adjustments, or structural updates can be made safely. These changes remain isolated until the administrator explicitly submits them for review or installation. This prevents accidental or incomplete edits from affecting other administrators who may be working simultaneously. Workspace mode also helps reduce configuration conflicts by preventing multiple users from overwriting each other’s changes. It offers the ability to save drafts, compare revisions within the workspace, and validate the configuration before it becomes part of the official ADOM data set. By organizing changes into controlled sessions, workspace mode increases operational stability and supports far more predictable policy management in multi-admin environments. This approach is especially beneficial in larger networks where collaborative editing is common and where mistakes could lead to service-impacting misconfigurations.

Revision locking serves a different purpose by preventing revisions from being altered or deleted; it does not provide a workspace for ongoing edits. Workflow mode introduces an approval process for configuration changes, which is valuable for governance but does not isolate edits in the way that workspace mode does. Object locking restricts editing access to specific objects, preventing two administrators from modifying the same item at the same time, but it does not manage full configuration changes or provide session isolation. Compared to these options, workspace mode offers the most effective structure for safely drafting and managing configuration updates before final deployment.

Q86. An IPS profile fails to install due to memory limitations on a branch firewall. Which FortiManager feature prevents this issue?


A) Content Security Optimization
B) Object Merge
C) Policy Analyzer
D) Template Variables

Answer: A

Explanation: 

Content security optimization is the most suitable approach when administrators aim to fine-tune or enhance the performance and efficiency of security inspection processes such as antivirus scanning, intrusion prevention, web filtering, or application control. In large or high-traffic environments, deep content inspection can introduce noticeable processing overhead if not configured appropriately. Content security optimization focuses on adjusting how security engines operate, prioritizing certain inspection methods, enabling lightweight scanning options where appropriate, and ensuring that resources are not unnecessarily consumed. This optimization can involve refining inspection profiles, tuning performance settings, adjusting file scanning thresholds, excluding trusted categories, or enabling cooperative mode between security engines to reduce redundancy. The goal is to maintain strong security coverage while ensuring that traffic inspection does not degrade device performance or create bottlenecks. By regularly optimizing content security features, administrators can achieve a balance between protection and speed, improving user experience and system responsiveness without compromising on threat prevention.

Object merge addresses redundant configuration objects but does nothing to improve content inspection performance. Policy Analyzer evaluates rule efficiency and detects conflicts within the policy but does not manage or optimize security scanning behaviors. Template variables are used for customizing deployments across devices, but they have no relevance to performance tuning or content inspection processes. Compared to these alternatives, content security optimization directly targets the engines responsible for inspecting traffic and offers the most meaningful improvements in both efficiency and security operation.

Q87. The admin wants to compare a device’s running configuration with the FortiManager database. What tool is used?


A) Configuration Status Diff
B) Hit Counter
C) Object Usage
D) Policy Analyzer

Answer: A

Explanation:

Configuration Status Diff is the most appropriate choice when administrators need to compare the current configuration stored on FortiManager with the live configuration running on a managed device. Over time, differences often arise due to emergency changes made directly on the device, unsynchronized updates, or partial configuration installations. These discrepancies can create uncertainty about whether the version in FortiManager accurately represents the device’s true operational state. Configuration Status Diff provides a clear, structured comparison that highlights mismatched elements, missing entries, or modifications made outside of FortiManager. This helps administrators identify configuration drift quickly, avoid overwriting important local changes, and ensure that any forthcoming policy installations are performed using accurate and validated data. The tool is especially useful in environments with multiple administrators or where urgent on-device troubleshooting may occur. By reviewing the differences, administrators can choose to fetch updated configurations, reconcile conflicts, or correct errors before pushing any new installations. This prevents configuration corruption, reduces operational risk, and helps maintain consistent management across the network.

The hit counter focuses on monitoring real-time policy usage and does not address configuration mismatches. Object usage displays where objects are referenced but does not compare configuration states. Policy Analyzer evaluates rule logic to detect redundancy or conflicts, not configuration differences between device and manager. Compared to these alternatives, Configuration Status Diff is the only tool specifically designed to analyze and reveal discrepancies between the stored and active configurations, making it the correct solution in scenarios involving configuration drift or synchronization concerns.

Q88. An admin accidentally removed a policy rule. What’s the fastest way to restore it?


A) Use Revision Restore
B) Reinstall entire ADOM
C) Create ADOM backup
D) Use Object Merge

Answer: A

Explanation: 

Using revision restore is the most appropriate solution when an administrator needs to revert a policy package, object database, or entire configuration within an ADOM back to a previously known working state. FortiManager automatically creates revisions whenever major configuration changes or policy installations occur, allowing administrators to maintain a detailed history of configuration evolution. When an unexpected error, misconfiguration, or unintended change disrupts device operations or introduces inconsistencies, restoring from a previous revision provides a safe and efficient way to recover. This action allows administrators to return the ADOM’s configuration to a stable version without manually troubleshooting or trying to undo individual modifications. Revision restore also supports audit requirements and change-tracking workflows, making it easier to maintain accountability and preserve configuration integrity. Because each revision is stored as a complete snapshot, restoring ensures that all related objects, policies, and structural elements are reverted in a consistent, predictable manner. This minimizes downtime, reduces risk, and helps administrators confidently troubleshoot complex issues.

Reinstalling the entire ADOM is an extreme measure that would erase or overwrite all existing configurations, potentially causing widespread service disruption. Creating an ADOM backup is useful for safeguarding data but does not directly resolve configuration issues or restore previous states. Using object merge is designed to consolidate duplicate objects, not to recover large-scale configurations or undo problematic changes. Compared to these alternatives, revision restore is the safest, most efficient, and most targeted method for restoring stability when recent configuration updates have introduced problems.

Q89. A FortiGate device upgraded its firmware, but FortiManager still operates under the old version’s ADOM. How can compatibility be restored?


A) Upgrade the ADOM version
B) Delete the device
C) Downgrade the device firmware
D) Recreate the ADOM

Answer: A

Explanation: 

Upgrading the ADOM version is the most appropriate action when a managed device is running a firmware version that is newer than the ADOM assigned to it. ADOM versions in FortiManager are designed to match the feature set, syntax, and configuration structure of specific FortiOS firmware versions. When a device is upgraded but the ADOM remains on an older version, FortiManager may be unable to interpret new configuration elements, additional security features, updated object formats, or modified policy structures introduced by the newer firmware. This mismatch typically results in installation errors, unsupported settings, or incomplete parsing of the device configuration. By upgrading the ADOM version, administrators ensure that FortiManager fully understands the device’s newer firmware capabilities and can correctly manage policies, objects, and templates without encountering compatibility issues. Upgrading the ADOM also allows access to updated management features in FortiManager that correspond to the new firmware and ensures long-term stability when deploying changes or synchronizing configurations.

Deleting the device is unnecessarily destructive and does not address the underlying ADOM version mismatch. Removing the device would erase all associated policies, mappings, and historical data, requiring a complete re-addition and configuration rebuild. Downgrading the device firmware simply to match an outdated ADOM is inefficient, risky, and counterproductive, especially when firmware updates are usually performed for security improvements, bug fixes, or new features. Recreating the ADOM would result in losing all policy packages, objects, and revisions, forcing administrators to rebuild the environment from scratch. Compared to these alternatives, upgrading the ADOM version is the safest, most efficient, and most logical method for ensuring compatibility between FortiManager and the device.

Q90. A policy install fails due to a duplicate IP pool. What should the admin do?


A) Merge duplicate objects
B) Reset ADOM
C) Replace IP pool with variable
D) Disable NAT

Answer: A

Explanation: 

Merging duplicate objects is the most appropriate action when an ADOM becomes cluttered with multiple versions of the same address, service, or IP pool objects. Over time, especially in environments with multiple administrators or frequent policy modifications, it is common for duplicate or nearly identical objects to accumulate. These duplicates create confusion, increase the chance of selecting the wrong object during policy creation, and make the overall configuration harder to maintain. By using object merge, administrators can identify objects that share identical values or serve the same functional purpose and consolidate them into a single, unified entry. This reduces unnecessary clutter, simplifies policy management, and ensures that all references point to a consistent, accurate object. Merging duplicates also improves efficiency by streamlining searches, reducing the total number of objects FortiManager must manage, and eliminating inconsistencies that could eventually lead to policy installation warnings or failures. Overall, this action helps maintain a clean, organized, and scalable configuration environment.

Resetting the ADOM is an extremely disruptive step that clears all policy packages, objects, and revisions, which is unnecessary when the issue only involves duplicated objects. Replacing an IP pool with a variable may help in cases involving per-device customization but does not address database clutter or object duplication. Disabling NAT has no relevance to object management and would adversely impact traffic handling. Compared to these alternatives, merging duplicate objects is the safest, most efficient, and most direct solution for cleaning up the object database while preserving the integrity and functionality of existing configurations.

Q91. A FortiManager admin wants to block admins from editing global objects but allow them to create local ADOM objects. What feature enforces this?


A) Admin Profiles
B) Local Override
C) Workflow Constraints
D) Object Locking

Answer: A

Explanation: 

Admin profiles are the most appropriate solution when the goal is to define, control, and enforce what each administrator is permitted to do within FortiManager. These profiles allow organizations to tailor access permissions based on roles, responsibilities, and security policies. By configuring admin profiles properly, administrators can grant or restrict capabilities such as editing policies, modifying objects, managing devices, performing installations, or accessing ADOMs. This ensures that users only have the level of access required for their tasks, reducing the risk of accidental misconfigurations or unauthorized changes. Admin profiles also help maintain strong internal governance by clearly separating duties among network, security, and audit teams. For example, some profiles may be limited to read-only visibility, while others may allow full configuration control. In larger environments where multiple teams interact with FortiManager, granular access control through admin profiles becomes essential for maintaining operational stability and compliance. Properly configured profiles also help avoid conflicts when multiple administrators are working simultaneously, further supporting secure and efficient management workflows.

Local override controls how certain device-specific settings can differ from the shared policy package but does not address access management. Workflow constraints apply to approval processes for configuration changes but do not determine what a user is allowed to modify. Object locking prevents simultaneous edits on specific objects but does not define user privileges or access scopes. Compared to these alternatives, admin profiles provide the most comprehensive and structured method for managing administrative permissions and ensuring that each user operates within appropriate boundaries.

Q92. The admin must deploy a new DNS filter profile to 300 devices but only after approval from the security team. What mechanism ensures proper approval flow?


A) Workflow Mode
B) Workspace Mode
C) Revision Pruning
D) ADOM Lock

Answer: A

Explanation: 

Workflow mode is the most appropriate choice when an organization wants to implement a structured approval process for configuration changes within FortiManager. This mode is particularly valuable in environments where multiple administrators contribute to policy maintenance, object creation, or device configuration updates. Workflow mode introduces a controlled sequence in which changes must be submitted, reviewed, and approved before they can be installed on managed devices. This reduces the risk of accidental changes, prevents unauthorized modifications, and ensures that every update undergoes proper oversight. By incorporating mandatory approval steps, workflow mode supports compliance requirements, change-management policies, and audit trails. It helps maintain accountability by clearly recording who proposed a change, who reviewed it, and when it was approved. This is especially important in organizations with strict governance mandates or where network stability is paramount. Workflow mode also eliminates configuration conflicts by ensuring that changes are processed in an orderly manner rather than simultaneously by multiple administrators.

Workspace mode, although useful for isolating edits before committing them, does not enforce a formal approval process and lacks the structured governance found in workflow mode. Revision pruning is a maintenance function designed to manage the number of stored revisions and does not influence how changes are approved or controlled. ADOM lock prevents others from editing an ADOM during a session, but it does not establish a review or approval procedure. Compared to these alternatives, workflow mode provides the highest level of structured oversight, ensuring that configuration changes are safe, authorized, and documented.

Q93. A device fails policy installation because it is offline. What action should the admin take to avoid repeating manual retries?


A) Enable auto-install retry
B) Remove the device
C) Disable HA on the device
D) Recreate policy package

Answer: A

Explanation: 

Enabling auto-install retry is the most suitable solution when scheduled or automated policy installations occasionally fail due to temporary network interruptions, brief device unavailability, or short-lived synchronization delays. In many deployments, policy updates are scheduled during maintenance windows or distributed to large groups of devices simultaneously. If a device becomes unreachable for even a few seconds during the scheduled time—perhaps because it is rebooting, handling heavy CPU load, or experiencing a minor connectivity glitch—the installation may fail. Without auto-install retry, administrators must manually requeue the installation, which can be time-consuming and increases operational overhead. By enabling auto-install retry, FortiManager automatically attempts the installation again within a defined interval, significantly improving the success rate of scheduled deployments. This reduces administrative workload, ensures more reliable delivery of security policies, and helps maintain consistent enforcement across all managed devices. Auto-retry also minimizes the risk of devices remaining out of compliance due to failed installations that go unnoticed.

Removing the device is overly disruptive and does nothing to address the root cause of intermittent installation failure. Disabling HA on the device is unrelated to policy installation reliability and could negatively impact redundancy and failover. Recreating the policy package is unnecessary and would not solve temporary connectivity or timing issues. Compared to these alternatives, enabling auto-install retry is the most efficient, low-risk, and practical method to ensure that scheduled policy installations complete successfully even in fluctuating network conditions.

Q94. A newly added device has its hostname and serial number mismatched in FortiManager. What corrects this?


A) Refresh Device Information
B) Delete device
C) Rename ADOM
D) Install template

Answer: A

Explanation: 

Refreshing device information is the most appropriate action when FortiManager displays outdated system details, incorrect interface lists, mismatched configuration status, or inconsistent device metadata. These discrepancies often occur when changes are made directly on the FortiGate device rather than through FortiManager. When this happens, the information stored in FortiManager no longer accurately represents the device’s real configuration. As a result, administrators may encounter policy installation errors, template mismatches, or misleading warnings about configuration drift. By refreshing device information, FortiManager retrieves the latest system data from the device, including interface names, routing details, firmware version, and VDOM structure. This process aligns the device’s live configuration with what FortiManager expects, ensuring that all management operations—such as policy deployment, object synchronization, and template application—operate correctly and reliably. Keeping device information up to date is essential for maintaining accurate oversight, preventing accidental overwrites, and ensuring the integrity of centralized management.

Deleting the device is unnecessarily destructive and would erase all associated mappings, policies, and history. It would also require re-adding and reconfiguring the device, which does not solve the simple issue of outdated information. Renaming the ADOM provides no benefit in resolving configuration mismatches and only changes organizational labeling. Installing a template may push new settings to the device but does not address the underlying problem of FortiManager having inaccurate system data. Compared to these alternatives, refreshing device information is the safest, most efficient, and most logical method for restoring proper synchronization.

Q95. A FortiManager admin wants to restrict access so that one team only manages VPN configurations. What is required?


A) Custom Admin Profile with limited module permissions
B) Workflow Mode
C) Revision restore
D) Global ADOM Override

Answer: A

Explanation: 

A custom admin profile with limited module permissions is the most effective option when an organization needs to control exactly what an administrator can view or modify within FortiManager. In environments with multiple teams or varying levels of responsibility, granting full administrative access to every user increases the risk of accidental misconfigurations, unauthorized changes, or inconsistent policy management. By creating a custom admin profile, administrators can restrict specific modules such as policy packages, device manager functions, global settings, script execution, or log access. This allows each user to perform only the tasks relevant to their role while preventing them from accessing or modifying sensitive areas of the system. Custom profiles also help enforce separation of duties, a critical requirement for compliance frameworks and internal governance. They provide a flexible and scalable approach to permission management, making it easy to adjust access levels as team structures or responsibilities evolve. With a tailored profile in place, organizations gain enhanced operational security and clearer accountability for all configuration changes.

Workflow mode adds an approval process for configuration changes but does not provide granular control over module access. Revision restore is used to revert configurations to previous states and has no relation to user access permissions. Global ADOM override allows adjustments to global objects within specific ADOMs but does not restrict what functions a user can access. Compared to these alternatives, implementing a custom admin profile with limited module permissions provides the most precise and secure method for ensuring that each administrator operates only within authorized boundaries.

Q96. A device configuration contains unauthorized changes made locally on the FortiGate. The admin wants FortiManager to detect and adopt these changes. What action should they use?


A) Retrieve Config
B) Force Install
C) Reset Device
D) Promote revision

Answer: A

Explanation: 

Retrieving the configuration is the most appropriate action when FortiManager indicates that the stored configuration does not match the device’s actual running configuration, or when recent changes have been made directly on the device instead of through FortiManager. In many operational environments, administrators may perform emergency modifications on the firewall using the CLI or GUI, bypassing FortiManager. When this happens, the configuration stored in FortiManager becomes outdated, leading to synchronization issues, policy installation failures, validation warnings, or mismatches involving objects, interfaces, or policy structures. By retrieving the configuration, FortiManager pulls the full, current running configuration from the device and updates its internal database. This ensures that both systems are aligned and allows administrators to work confidently knowing that the policies, objects, and device settings in FortiManager accurately reflect the real environment. This step is essential for maintaining centralized management efficiency, preventing overwrites of valid changes, and enabling reliable future policy installations or template deployments. Retrieving the configuration also helps identify unauthorized or undocumented changes, supporting audit and compliance efforts.

Forcing an install is risky because it can overwrite legitimate changes on the device and may push outdated policy configurations, potentially causing operational disruptions. Resetting the device is extreme and unnecessary for resolving simple synchronization problems, and it would erase all local configurations. Promoting a revision restores an earlier configuration version but does not correct discrepancies between the current device state and FortiManager’s stored data. Compared to these alternatives, retrieving the configuration is the safest, most accurate, and most efficient method for reestablishing proper synchronization.

Q97. A policy package installation alert indicates that a dynamic address object is not supported on the target device model. What should be done?


A) Replace the dynamic object with a static entry
B) Change ADOM type
C) Force install
D) Export and reimport object

Answer: A

Explanation: 

Replacing a dynamic object with a static entry is the most appropriate action when a policy installation fails because a device does not support the use of dynamic objects, or when the object mapping cannot be resolved properly by FortiManager. Dynamic objects are designed to provide flexibility by allowing different devices to use different values for the same logical object. However, not all devices or configurations support dynamic object resolution, especially in environments where specific interfaces, IP addresses, or local settings must be explicitly defined. When a dynamic object has no valid mapping, the installation process typically halts to prevent deploying an incomplete or invalid configuration to the firewall. Replacing the dynamic object with a static entry ensures that the device receives a clear, fully defined value that it can understand without requiring additional mapping logic. This approach eliminates ambiguity, reduces installation errors, and ensures that traffic rules operate as intended. Using a static object also simplifies troubleshooting, because administrators can see exactly which address or value is being applied without relying on variable mappings.

Changing the ADOM type does not address object mapping issues and would introduce unnecessary structural changes without solving the specific problem. Forcing the install risks pushing an incomplete or unsupported configuration to the device, which may lead to unexpected behavior or policy failure. Exporting and reimporting the object merely recreates the same problematic dynamic structure and does not resolve the need for a clear, device-specific value. Compared to these alternatives, replacing the dynamic object with a static entry is the most direct and reliable method to resolve installation conflicts caused by unsupported or unmapped dynamic objects.

Q98. A device in an HA cluster shows “out of sync” in FortiManager but the cluster CLI says it’s synchronized. What should the admin do?


A) Refresh Device in FortiManager
B) Break HA
C) Delete primary device
D) Change cluster priority

Answer: A

Explanation: 

Refreshing the device in FortiManager is the most appropriate action when the system shows outdated cluster information, incorrect HA status, mismatched interface roles, or inconsistent configuration data for a managed HA pair. These discrepancies often occur when changes are made directly on the FortiGate cluster or when the HA units undergo failover, firmware upgrades, configuration adjustments, or role changes that FortiManager has not yet synchronized. When FortiManager’s recorded information becomes outdated, policy installation may fail, templates may not apply correctly, and administrative visibility becomes unreliable. By refreshing the device, FortiManager reconnects to the cluster, retrieves the latest HA details, updates device roles, and synchronizes configuration and status information. This ensures that both the primary and secondary units are properly recognized and that FortiManager can safely manage the cluster. Refreshing the device is a non-disruptive operation and is considered best practice whenever the HA topology changes or appears incorrect in the management system. It helps restore alignment between the actual cluster state and the FortiManager database, preventing errors and ensuring consistent management operations.

Breaking HA should only be considered in severe troubleshooting scenarios and would cause major disruption, as it dissolves the cluster structure entirely. Deleting the primary device is harmful and unnecessary, as it removes all associated policies, mappings, and historical data, requiring a complete re-setup. Changing cluster priority alters failover behavior but does not correct mismatched information in FortiManager. Compared to these alternatives, refreshing the device is the safest, most efficient, and most practical method for restoring accurate HA cluster information within the management system.

Q99. An ADOM has thousands of unused objects accumulated over years. What’s the best cleanup approach?


A) Run Unused Object Cleanup
B) Delete ADOM
C) Compress database
D) Disable indexing

Answer: A

Explanation:

Running unused object cleanup is the most appropriate and efficient action when an ADOM becomes cluttered with address objects, service entries, or other configuration components that are no longer referenced by any policies. Over time, especially in environments where frequent policy changes occur, objects may be created for temporary use, left behind after policy modifications, or duplicated during troubleshooting. These unused objects accumulate and contribute to configuration bloat, making the object database harder to navigate and increasing the likelihood of selecting the wrong object when building or editing policies. By running the unused object cleanup function, FortiManager automatically scans the object database, identifies items not referenced in any policies, and provides administrators with a safe mechanism to remove them. This keeps the ADOM organized, reduces unnecessary complexity, and improves long-term manageability. Cleaning up unused objects also enhances performance by reducing the number of entries the system must process during searches, validation checks, and policy installations. Additionally, maintaining a clean object database contributes to better auditing clarity and supports consistent policy design across the environment.

Deleting the entire ADOM is far too drastic for addressing unused objects and would lead to substantial data loss, requiring a complete rebuild of policies, objects, and device relationships. Compressing the database may slightly reduce storage usage but does not remove unnecessary objects or improve configuration clarity. Disabling indexing would negatively impact performance by slowing searches and making object management more difficult. Compared to these alternatives, running unused object cleanup is the safest, simplest, and most effective way to maintain a clean and efficient object database.

Q100. Admin wants to enforce different SD-WAN SLA targets per region while maintaining a global SD-WAN strategy. What enables this?


A) Global ADOM with Local Overrides
B) Per-Device Variables
C) Device Templates
D) Service Objects

Answer: A

Explanation: 

Using the Global ADOM with local overrides is the most appropriate choice when an organization needs to maintain a consistent baseline configuration across multiple ADOMs while still allowing certain settings to be customized within each individual ADOM. The Global ADOM serves as a central repository for shared objects, policies, profiles, and common security components that apply to the entire environment. This approach is especially useful in large enterprises or service-provider networks where standardization is essential for maintaining uniform security posture, reducing administrative overhead, and ensuring consistency across multiple customer groups or departments. By placing core policies and shared objects in the Global ADOM, administrators only need to define essential components once, significantly simplifying ongoing management. Local overrides provide the necessary flexibility by allowing each ADOM to adapt the inherited global objects or policies to its own unique operational needs. This may include modifying certain addresses, adjusting service definitions, or refining security profiles to match the specific requirements of individual devices or business units. This balance of global consistency with local customization makes the Global ADOM with local overrides a powerful and scalable management model.

Per-device variables are helpful for assigning different values to shared configurations across devices, but they do not facilitate cross-ADOM inheritance. Device templates focus on system-level configuration standardization but do not address sharing policies or objects across multiple ADOMs. Service objects represent individual configuration items and cannot provide structural policy inheritance between administrative domains. Compared to these alternatives, the Global ADOM with local overrides offers the most efficient, scalable, and controlled method for managing shared configurations across multiple ADOMs while still supporting necessary customization.

 
