FCP_FMG_AD-7.6 Questions and Answers

Limiting ADOM revisions reduces the number of stored historical configurations, which helps avoid performance degradation and slow ADOM upgrades caused by a large volume of revisions.

FortiManager must have the NAT device ' s IP address and correct ports configured to communicate properly with the FortiGate behind NAT.

The NAT device must have the correct virtual IP address and ports configured to allow push updates to reach the FortiGate device.

The exhibit shows diagnose fmupdate view-serverlist fds with Server Override Mode: Strict and the active entry marked with *0 as 10.0.1.50 on port 8890 , with source CLI . In FortiManager, Strict override mode means the system can communicate only with the configured override server list and cannot fall back to public FDS servers. Therefore, FortiManager gets antivirus and IPS updates from 10.0.1.50 , making B correct.

The study guide also explains that antivirus and IPS override addresses are specifically used when a downstream FortiManager must download updates from an upstream FortiManager or another designated server.

So even though FDNI and DEFAULT entries are listed, Strict mode prevents fallback , and only the CLI-defined override server is actually used.

=========

The correct answer is B because FortiManager supports ADOM-level metadata variables in scripts and templates . The study guide explicitly states that meta fields cannot be used as variables in scripts or provisioning templates ; instead, you must use ADOM-level metadata variables . It further says these variables can be used in templates , and their values can be mapped depending on the device where the template is applied.

That makes metadata variables the proper method for handling per-device differences such as whether a FortiGate should use a LAN or WAN source interface for FortiAnalyzer communication. A is wrong because per-device dynamic objects apply to objects like addresses and VIPs, not template interface selection. D is wrong because meta fields are comments/attributes, not template variables. C could work operationally, but it is not the FortiManager feature intended for this use case.

=========

The correct answer is A . This conclusion comes from the HA settings shown in the exhibit plus Fortinet’s HA behavior. In the exhibit, HQ-NGFW-1 has memory-based-failover enabled , memory-failover-threshold 70 , memory-failover-monitor-period 50 , and its memory usage is about 90% , while HQ-NGFW-2 is about 48.7% . Fortinet’s official documentation states that memory-failover-threshold is the memory percentage that triggers failover, and memory-failover-monitor-period is the duration high memory must persist before failover occurs. It also states that if utilization stays above the threshold for the entire monitor period, a failover is triggered , and the peer becomes primary. ( Fortinet Document Library )

Because the condition was observed for 55 seconds , which is longer than the configured 50-second monitor period , the cluster would fail over from HQ-NGFW-1 to HQ-NGFW-2 due to the memory-failover-threshold condition. The priority setting does not explain this result here, because override is disabled , and flip-timeout governs subsequent memory-based failovers, not the initial trigger. ( Fortinet Document Library )

=========

The FortiManager 7.6 Administrator Study Guide states under Copying System Templates Between ADOMs : “The first step is to export the system template from the original ADOM with the execute fmprofile export-profile command” and shows the output file being written to /tmp/Training , described as “File copied in FortiManager tmp folder.”

The key point is that the command exports the system template profile from the original ADOM , while /tmp/Backup_File is only the destination path on FortiManager where the exported file is stored. The same study guide also defines system templates as a “subset of model device configuration—system-level settings” , which means they belong to the device-level side of the ADOM , not the policy database.

So the export source is the ADOM device database , and the file is saved afterward in the FortiManager /tmp folder.

The most strongly supported answer is A . The study guide explicitly states: “In the case of having multiple FortiOS firmware versions on the same ADOM, it is recommended to use separate ADOMs instead.” It also says: “When you organize managed FortiGate devices, it is highly recommended that you group them based on their FortiOS firmware version. This is because valid command syntax varies by firmware version, which affects script compatibility.”

D is the other practical fix supported by FortiManager workflow. The study guide states that FortiManager can run scripts on multiple managed devices at once , and device groups let you run scripts on multiple devices instead of a single device . Combined with the firmware-version compatibility rule above, the correct operational approach is to keep version-specific scripts and apply them only to the matching device sets. B and C are not supported by the uploaded study guide as the recommended fix.

=========

The command set workspace-mode normal enables Workspace (ALL ADOMs) . In this mode, FortiManager uses ADOM locking to prevent configuration conflicts. The study guide explains that workspace mode is used to prevent concurrent ADOM access , and once an ADOM is locked, only the administrator who locked it has read-write access while all others have read-only access. That makes D correct.

B is also correct because locking is applied per ADOM, so different administrators can work at the same time on different ADOMs without conflicting with each other. This is consistent with the design goal of workspace mode and ADOM locking.

C describes workflow mode , not workspace normal. Approval before installation is required only with set workspace-mode workflow.

=========

Enabling workflow mode along with the ADOM lock feature ensures that all configuration changes go through a centralized review and approval process before installation, allowing controlled and coordinated management of firewall policies by multiple administrators.

The correct answer is B . The error occurs because the script is being run on the policy package database , but the failing command is config sys interface, which is a device-level configuration command, not a policy-layer command. The lab guide gives the exact relationship: “Because the scripts target the device database, first, you will run the scripts against the device database, and then install the scripts on the managed devices” and “The scripts contain configuration changes related to device-level settings.”

By contrast, the lab guide shows Policy Package or ADOM Database scripts being used for firewall objects and policies in a policy package.

So this NetFlow script must be run on the device database , then installed. The issue is not VDOM permissions, metadata variables, or normalized interfaces.

The correct answer is C . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “If you need to move a device from one ADOM to another, run the Import Configuration wizard to import the policy package into the new ADOM.” It also states: “When you move devices from one ADOM to another ADOM, shared policy packages and objects do not move to the new ADOM. You will need to import policy packages from managed devices.”

That is exactly why the administrator cannot see the policy and object configuration after the move: the device itself moved, but its shared policy package and objects did not automatically move with it. The required corrective action is to manually import the policy package into the new ADOM using Import Configuration . Options A , B , and D are not the documented remedy in the uploaded FortiManager sources.

=========

The exhibit shows Remote-FortiGate with a green closed lock icon , which indicates a locked policy package . The FortiManager 7.6 Administrator Study Guide states: “Policy locking is available in workspace normal and per-ADOM modes” and “Policy locking allows administrators to work on and lock a single policy package instead of locking the whole ADOM.” This confirms that a package such as Local-FortiGate_root can also be locked, so A is correct.

B is incorrect because the study guide and lab guide describe snapshots as ADOM revisions , not policy package snapshots: “An ADOM revision creates a snapshot of the policy and object configuration for the ADOM.”

D is incorrect because in workflow mode, sessions and approval are required before installation. The exhibit shows a normal save/lock state, not a workflow session state.

=========

The correct answer is B . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “Performing a revert operation followed by an installation only reverts device-level changes and does not revert policy packages. To achieve full synchronization, you must run the Import Configuration tool on FortiManager to synchronize the policy package.”

The guide also states: “After every retrieve, auto-update, or revert operation, you must use Import Configuration to ensure the policy information is synchronized.”

In the exhibit, the missing unset comment for policy ID 1 is a policy package issue, not just a device-level revert issue. Reinstalling the existing policy package does not automatically rebuild it from the reverted revision. The administrator must import the firewall policies again so the policy package reflects the reverted policy state. That is why the comment was not removed.

=========

The correct answer is C . The uploaded FortiManager 7.6 Administrator Lab Guide gives the exact extract: “FortiManager will update the universally unique identifiers (UUID) without deleting other configurations” and “UUIDs on both FortiGate and FortiManager are critical for ensuring the unique identification, consistency, and correct management of firewall policies across multiple devices and configurations. They provide a reliable and immutable reference for policies.”

The same source also shows administrators enabling UUIDs in Traffic Log on FortiGate log settings, which supports the logging and policy-correlation use case with FortiAnalyzer/FortiManager.

So the attribute that improves policy identification and logging correlation is the Universally Unique Identifier , not Policy ID, Log ID, or Sequence ID.

=========