Fortinet FCP_FMG_AD-7.6 Exam Questions Instant Access

Question 1

Which FortiGate configuration settings is part of an ADOM-level database on FortiManager?

ANSX-T service template

BSecurity template

CRouting

DSNMP

Answer : B

The best verified answer is B. The FortiManager 7.6 Administrator Study Guide shows that the ADOM Layer contains Policy and Objects, and specifically states: ''Policy & Objects: Centralize the management of firewall policies, objects, and security profiles, among others.'' Because security-related policy settings belong to the Policy and Objects layer, they are part of the ADOM-level database.

By contrast, Routing and SNMP are treated as device-level settings. The lab guide shows Routing under the device/network configuration view, and SNMP as a setting in the system template that ''pushes configuration changes to the device level.''

Also, provisioning templates such as NSX-T service are listed as having precedence over device-layer configurations, which further indicates they are not the Policy and Objects ADOM database answer here.

=========

Question 2

Refer to the exhibits.

What can you conclude, based on the configuration shown in the exhibit? Choose one answer

AThe administrator needs to retrieve the Local-FortiGate configuration to sync with the Security Fabric group, Training.

BPolicy sequence #1 will be installed on the internal segmentation firewall ISFW device root NAT and Trainer NAT VDOMs.

CPolicy sequence #3 must have devices or VDOMs listed in the Install On column; otherwise, it will cause errors.

DThe global policy package will be added to the top of the ISFW policy package.

Answer : A

The best conclusion is A. From the exhibit, B is clearly incorrect because policy sequence #1 Ping_Access is targeted to ISFW root and ISFW Student, not to root NAT and Trainer NAT. Also, C is incorrect because FortiManager allows a rule to inherit Installation Targets. The study guide explains that a policy package can target one or more devices or VDOMs, and the Install On column is used only for per-rule exceptions in a shared policy package. A rule does not need explicit devices listed if it is meant to apply to the package's installation targets.

D is also incorrect because global header policies are created in the Global Database ADOM and placed at the top only when a global package is assigned. The exhibit shows a shared policy package, not a global ADOM header-policy assignment.

=========

Question 3

Refer to the following configuration. FortiManager # config system global global# set workspace-mode normal global# end FortiManager # What are two results from the configuration shown in the exhibit? Choose two answers

AThe same administrator can lock more than one ADOM at the same time.

BMultiple administrators can lock and work on separate ADOMs at the same time.

CAll changes must be approved before they can be installed on a device.

DConcurrent read-write access to an ADOM is disabled.

Answer : B, D

The command set workspace-mode normal enables Workspace (ALL ADOMs). In this mode, FortiManager uses ADOM locking to prevent configuration conflicts. The study guide explains that workspace mode is used to prevent concurrent ADOM access, and once an ADOM is locked, only the administrator who locked it has read-write access while all others have read-only access. That makes D correct.

B is also correct because locking is applied per ADOM, so different administrators can work at the same time on different ADOMs without conflicting with each other. This is consistent with the design goal of workspace mode and ADOM locking.

C describes workflow mode, not workspace normal. Approval before installation is required only with set workspace-mode workflow.

=========

Question 4

Refer to the exhibits.

Which IP/netmask will be present in the LAN firewall address object on the Remote-Firewall?

A172.16.0.0/255.255.255.0

B10.0.0.0/255.255.255.0

C192.168.1.0/255.255.255.0

D172.16.10.0/255.255.255.0

Answer : B

The correct answer is B. The LAN address object shown in the exhibit has a default value of 10.0.0.0/255.255.255.0, and it has per-device mappings only for BR1-FGT-1, HQ-NGFW-1, and Local-Firewall. There is no per-device mapping entry for Remote-Firewall.

The FortiManager 7.6 Administrator Study Guide gives the exact rule for this behavior: ''The devices in the ADOM that do not have a dynamic mapping for LAN have a default value''. The same page also explains that dynamic objects let you map one logical object to unique values per device, but devices without a mapping use the object's default definition.

Since Remote-Firewall is not listed in the Per-Device Mapping table, it inherits the default LAN value: 10.0.0.0/255.255.255.0.

=========

Question 5

Refer to the exhibit.

An administrator assigned a new policy package to FortiGate HQ-NGFW-1. In the installation preview, they noticed some settings they did not modify and are unsure about the changes.

Based on the exhibit, which two things will happen if they continue with the installation? (Choose two.)

AFortiGate HQ-NGFW-1 can use FortiManager firmware templates to upgrade firmware and ratings.

BFortiGate HQ-NGFW-1 can contact the FortiManager acting as FortiGuard Distribution Server (FDS) to download FortiGuard updates.

CFortiGate HQ-NGFW-1 will use the root_CA3 certificate in firewall address objects or policies.

DFortiManager will install the CA certificate named root_CA3 to authenticate FortiGate-to-FortiManager communication protocol (FGFM) tunnel connections with FortiGate HQ- NGFW-1.

Answer : B, D

The configuration includes a server-list with server-type set to 'update rating,' which enables FortiGate HQ-NGFW-1 to contact FortiManager as a FortiGuard Distribution Server (FDS) for FortiGuard updates.

The installation includes a root_CA3 certificate, which FortiManager will install on FortiGate HQ-NGFW-1 to authenticate FGFM tunnel connections between the devices.

Question 6

Refer to the exhibit.

An administrator created two new meta fields in FortiManager.

Which operation can you perform with these parameters?

AYou can add them to objects as custom attributes.

BYou can export them to be used in other ADOMs.

CYou can use them as variables in scripts.

DYou can invoke them using the $ character.

Answer : A

Meta fields in FortiManager can be added to objects as custom attributes, allowing administrators to categorize and add additional information to firewall objects for easier management and identification.

Question 7

Which two statements about the integrity of databases on FortiManager are correct? Choose two answers.

AScheduled backups run database integrity commands automatically.

BThe diagnose dvm check-integrity command attempts to fix a corrupted file system.

CThe diagnose cdb check adom-integrity command can correct issues related to locked devices.

DYou should fix all database integrity issues before performing a script.

ENot following the correct upgrade path may cause inconsistencies in the databases.

Answer : A, E

The correct answers are A and E. The study guide explicitly states under Database Integrity that scheduled backups ''Automatically executes database integrity commands'' and ''Does not automatically make corrections''. That exactly verifies A.

It also states in Best Practices---Database Integrity: ''Always follow the proper upgrade path'' and ''If you don't, it may cause inconsistencies in the database.'' That exactly verifies E.

B is incorrect because diagnose dvm check-integrity verifies and corrects device manager database issues such as device states, memberships, lock statuses, and duplicate VDOM entries, not a corrupted file system. C is incorrect because locked device status issues are listed under diagnose dvm check-integrity, not diagnose cdb check adom-integrity. D is not a stated FortiManager best practice in the uploaded guide.

Fortinet NSE 5 - FortiManager 7.6 Administrator FCP_FMG_AD-7.6 Exam Questions