Fortinet FCP_FMG_AD-7.6 Fortinet NSE 5 - FortiManager 7.6 Administrator Exam Practice Test

The correct answer is B . The FortiManager 7.6 Administrator Study Guide explicitly states: “CLI scripts use the FGFM tunnel and the FGFM tunnel is authenticated using the FortiManager and FortiGate serial numbers.” It also states: “Tcl scripts do not run through the FGFM tunnel like CLI scripts do. Tcl scripts use SSH to tunnel through FGFM and they require SSH authentication to do so.”

This is the exact reason CLI scripts can run without prompting for SSH authentication every time: they use the existing secure FGFM management tunnel , not a separate interactive SSH login. The FGFM section of the study guide also confirms that this is a secure communication tunnel established between FortiManager and managed FortiGate devices.

So the enabler is not legacy login, script location, or the “Remote FortiGate Directly” option by itself. It is the FGFM secure management tunnel .

The FortiManager 7.6 Administrator Study Guide is explicit for the scenario where both FortiManager and FortiGate are behind NAT . It states that FortiManager can discover FortiGate through the FortiGate NATed IP address , which makes A correct. It also explains that in this scenario, the FortiManager NATed IP address is not configured on FortiGate by default under central management , which makes B correct.

C is incorrect because FortiGate must use the FortiManager NATed IP address , not the non-NATed IP, if it needs to announce itself or reestablish the FGFM tunnel. D is also incorrect because in this NAT scenario, if the tunnel is torn down, only FortiGate attempts to reestablish the connection ; FortiManager does not automatically do so.

=========

The correct answer is B because FortiManager supports ADOM-level metadata variables in scripts and templates . The study guide explicitly states that meta fields cannot be used as variables in scripts or provisioning templates ; instead, you must use ADOM-level metadata variables . It further says these variables can be used in templates , and their values can be mapped depending on the device where the template is applied.

That makes metadata variables the proper method for handling per-device differences such as whether a FortiGate should use a LAN or WAN source interface for FortiAnalyzer communication. A is wrong because per-device dynamic objects apply to objects like addresses and VIPs, not template interface selection. D is wrong because meta fields are comments/attributes, not template variables. C could work operationally, but it is not the FortiManager feature intended for this use case.

=========

The correct answers are A and C . The FortiManager 7.6 Administrator Study Guide states: “An ADOM revision creates a snapshot of all policy and object configurations for the ADOM” . The lab guide says the same thing in practical terms: “An ADOM revision creates a snapshot of the policy and object configuration for the ADOM” and that these revisions are useful for comparing differences and reverting to a previous revision .

Because the revision is a snapshot of the ADOM’s policy-and-object state, it saves the current ADOM policy/object state, which supports A and directly proves C . B is false because the study guide warns: “ADOM revisions can significantly increase the size of the configuration backup files.” D is not supported by the uploaded sources.

=========

The correct conclusion is D . The FortiManager 7.6 Administrator Study Guide defines Never Installed as a state where the policy package was never created and was never imported for a managed device . That means FortiManager may already know the device itself at the device layer, but the firewall policy layer has not yet been built for that device.

The lab guide confirms this behavior directly: when you choose Import Later in the Add Device wizard, the policy package status becomes Never Installed because there is still no policy package created for the added FortiGate devices.

So this is not a revision-history issue, and it does not mean ADOM policy changes are merely waiting for first install. It means the policies still exist only on the managed device side until they are imported into a FortiManager policy package.

=========

The correct answer is A . This conclusion comes from the HA settings shown in the exhibit plus Fortinet’s HA behavior. In the exhibit, HQ-NGFW-1 has memory-based-failover enabled , memory-failover-threshold 70 , memory-failover-monitor-period 50 , and its memory usage is about 90% , while HQ-NGFW-2 is about 48.7% . Fortinet’s official documentation states that memory-failover-threshold is the memory percentage that triggers failover, and memory-failover-monitor-period is the duration high memory must persist before failover occurs. It also states that if utilization stays above the threshold for the entire monitor period, a failover is triggered , and the peer becomes primary. ( Fortinet Document Library )

Because the condition was observed for 55 seconds , which is longer than the configured 50-second monitor period , the cluster would fail over from HQ-NGFW-1 to HQ-NGFW-2 due to the memory-failover-threshold condition. The priority setting does not explain this result here, because override is disabled , and flip-timeout governs subsequent memory-based failovers, not the initial trigger. ( Fortinet Document Library )

=========

The correct answer is D . The FortiManager 7.6 Administrator Study Guide gives the exact extract under Web Filter and Email Filter : “fgdlinkd — Responsible for downloading web filter and email filter databases” . The same study guide section explains that the execute top command displays real-time CPU and RAM usage, and the %MEM column shows the memory percentage used by each process.

In the exhibit, the line for fgdlinkd shows %MEM 2.9 . Therefore, the process responsible for downloading the web and email filter databases is using 2.9% of RAM. That matches option D exactly. The other values belong to different processes, such as fgdsvr and other FortiGuard-related daemons, but not the downloader process identified in the study guide.

=========

The correct answer is B . The error occurs because the script is being run on the policy package database , but the failing command is config sys interface, which is a device-level configuration command, not a policy-layer command. The lab guide gives the exact relationship: “Because the scripts target the device database, first, you will run the scripts against the device database, and then install the scripts on the managed devices” and “The scripts contain configuration changes related to device-level settings.”

By contrast, the lab guide shows Policy Package or ADOM Database scripts being used for firewall objects and policies in a policy package.

So this NetFlow script must be run on the device database , then installed. The issue is not VDOM permissions, metadata variables, or normalized interfaces.

The correct answer is B . The LAN address object shown in the exhibit has a default value of 10.0.0.0/255.255.255.0 , and it has per-device mappings only for BR1-FGT-1 , HQ-NGFW-1 , and Local-Firewall . There is no per-device mapping entry for Remote-Firewall .

The FortiManager 7.6 Administrator Study Guide gives the exact rule for this behavior: “The devices in the ADOM that do not have a dynamic mapping for LAN have a default value” . The same page also explains that dynamic objects let you map one logical object to unique values per device , but devices without a mapping use the object’s default definition.

Since Remote-Firewall is not listed in the Per-Device Mapping table, it inherits the default LAN value: 10.0.0.0/255.255.255.0 .

=========

The exhibit shows Remote-FortiGate with a green closed lock icon , which indicates a locked policy package . The FortiManager 7.6 Administrator Study Guide states: “Policy locking is available in workspace normal and per-ADOM modes” and “Policy locking allows administrators to work on and lock a single policy package instead of locking the whole ADOM.” This confirms that a package such as Local-FortiGate_root can also be locked, so A is correct.

B is incorrect because the study guide and lab guide describe snapshots as ADOM revisions , not policy package snapshots: “An ADOM revision creates a snapshot of the policy and object configuration for the ADOM.”

D is incorrect because in workflow mode, sessions and approval are required before installation. The exhibit shows a normal save/lock state, not a workflow session state.

=========

The correct answer is D . The FortiManager 7.6 Administrator Study Guide states: “You can revert to a previous configuration revision” and “Reverts only the device database to the previous revision” . It also states “Does not revert policies and objects—you must import them” and “You must install reverted changes on FortiGate.”

This exactly means a revert operation changes the device-level database on FortiManager, not the policy layer database. The guide further clarifies: “Performing a revert operation followed by an installation only reverts device-level changes and does not revert policy packages.”

So C is incorrect because both layers are not reverted together. A and B are also incorrect because the documented and verified effect is specifically a modification of the device database , followed by install and, if needed, policy re-import for synchronization.

=========

The import process shows that FortiManager will create normalized interfaces named LAN, port4, and port6 at the ADOM layer, mapping them to the corresponding device interfaces based on the import settings.

FortiManager helps with mass provisioning by using templates that allow administrators to configure the same settings on multiple FortiGate devices simultaneously, streamlining deployment and management.

The FortiManager 7.6 Administrator Study Guide states under Copying System Templates Between ADOMs : “The first step is to export the system template from the original ADOM with the execute fmprofile export-profile command” and shows the output file being written to /tmp/Training , described as “File copied in FortiManager tmp folder.”

The key point is that the command exports the system template profile from the original ADOM , while /tmp/Backup_File is only the destination path on FortiManager where the exported file is stored. The same study guide also defines system templates as a “subset of model device configuration—system-level settings” , which means they belong to the device-level side of the ADOM , not the policy database.

So the export source is the ADOM device database , and the file is saved afterward in the FortiManager /tmp folder.

If a BGP template is assigned to the FortiGate device on FortiManager, device-level BGP configurations made directly in the device-level database are overridden by the template settings, so the changes do not get pushed to the device.

When FortiManager is behind a NAT device, setting the NATed IP address (100.65.0.120) in the system admin settings causes FortiManager to use that NATed IP address for communication and configuration with FortiGate during discovery and management operations.

The exhibit shows diagnose fmupdate view-serverlist fds with Server Override Mode: Strict and the active entry marked with *0 as 10.0.1.50 on port 8890 , with source CLI . In FortiManager, Strict override mode means the system can communicate only with the configured override server list and cannot fall back to public FDS servers. Therefore, FortiManager gets antivirus and IPS updates from 10.0.1.50 , making B correct.

The study guide also explains that antivirus and IPS override addresses are specifically used when a downstream FortiManager must download updates from an upstream FortiManager or another designated server.

So even though FDNI and DEFAULT entries are listed, Strict mode prevents fallback , and only the CLI-defined override server is actually used.

=========

The command set workspace-mode normal enables Workspace (ALL ADOMs) . The study guide explicitly states that with this mode, “Workspace (ALL ADOMs): All ADOMs can be locked” and that enabling workspace mode “Disables concurrent read/write access to locked items” with “Read/write access for only one administrator—all others have read-only access.” That directly proves D .

A is also verified by the lab guide, which states: “If an administrator locked one or more ADOMs, and then logs out of FortiManager, all of those ADOMs are unlocked.” The phrase “one or more ADOMs” confirms that the same administrator can lock more than one ADOM at the same time.

C is incorrect because approval is required only in workflow mode , not in workspace normal.

=========

Right after moving the ISFW device to a new ADOM, the status typically shows the policy package as never-installed, indicating that the device has been assigned to the new ADOM but no policy package has yet been installed in that ADOM.