FCP_FMG_AD-7.6 Fortinet NSE 5 - FortiManager 7.6 Administrator Question and Answers

The FortiManager 7.6 Administrator Study Guide states under Copying System Templates Between ADOMs : “The first step is to export the system template from the original ADOM with the execute fmprofile export-profile command” and shows the output file being written to /tmp/Training , described as “File copied in FortiManager tmp folder.”

The key point is that the command exports the system template profile from the original ADOM , while /tmp/Backup_File is only the destination path on FortiManager where the exported file is stored. The same study guide also defines system templates as a “subset of model device configuration—system-level settings” , which means they belong to the device-level side of the ADOM , not the policy database.

So the export source is the ADOM device database , and the file is saved afterward in the FortiManager /tmp folder.

The FortiManager 7.6 Administrator Study Guide is explicit for the scenario where both FortiManager and FortiGate are behind NAT . It states that FortiManager can discover FortiGate through the FortiGate NATed IP address , which makes A correct. It also explains that in this scenario, the FortiManager NATed IP address is not configured on FortiGate by default under central management , which makes B correct.

C is incorrect because FortiGate must use the FortiManager NATed IP address , not the non-NATed IP, if it needs to announce itself or reestablish the FGFM tunnel. D is also incorrect because in this NAT scenario, if the tunnel is torn down, only FortiGate attempts to reestablish the connection ; FortiManager does not automatically do so.

=========

The correct answer is C . The FortiManager 7.6 Administrator Study Guide explicitly says: “You must explicitly assign global policy packages to specific ADOMs” and “you can even pick specific policy packages in individual ADOMs that you want to apply the global policies to.” The study guide also explains the assignment workflow: “This slide shows the steps to assign a global policy package to an ADOM policy package” and “First, add the required ADOMs as targets. Second, assign the global policy package to the ADOMs.”

Because Remotes is a newly created policy package, it does not inherit the earlier assignment automatically. The administrator must explicitly assign the Training global policy package to the Remotes policy package. Automatic install does not create that assignment, and unassigning all packages is unnecessary.

Using the Install Wizard is the recommended method to reinstall the central policy package on the BR1-FGT-1 firewall, ensuring all settings, installation targets, and dependencies are correctly processed during installation.

Limiting ADOM revisions reduces the number of stored historical configurations, which helps avoid performance degradation and slow ADOM upgrades caused by a large volume of revisions.

Running the script through the policy package or ADOM database method allows FortiManager to properly interpret object relationships and dependencies in the IPsec configuration, preventing object mismatch errors when pushing complex VPN settings directly via CLI.

When a script is run using Remote FortiGate Directly via CLI , FortiManager sends the commands straight to the FortiGate and does not preview or validate dependent objects first . The study guide also explains that scripts containing ADOM-level objects or dynamic mappings must be executed on the Policy Package or ADOM Database , then installed through the installation workflow. That matches this IPsec error scenario, where phase2-interface is referencing an object relationship that FortiManager cannot properly validate in direct CLI mode. Therefore, the administrator should run the script on the policy package or ADOM database method , then install it.

Option A addresses only one possible syntax issue. B is a valid deployment approach in general, but it is not what the question asks as the direct fix for this script execution error. C is incorrect and would not resolve the object dependency mismatch.

FortiManager global policies and objects are shared across ADOMs, but they are not applied automatically to every package . The study guide states that when you create a global policy package, you can choose the ADOMs you want to apply it to, and you can even pick specific policy packages in individual ADOMs . That directly validates B .

A is also correct because the lab guide explicitly says you can promote ADOM objects to global objects by right-clicking an ADOM object and selecting Promote to Global .

C is incorrect because when Automatically Install Policies to ADOM Devices is enabled, FortiManager installs without giving you a preview/accept step first; the lab warns to use it only when you are sure of the changes.

D is incorrect because FortiManager imports device policies into an ADOM policy package, not into the global package for synchronization.

The error occurs because the FortiToken used (FTKM0B4A9AC5C56D) must already exist and be registered on the FortiGate device HQ-NGFW-1. FortiManager cannot push or create new FortiTokens on the device; the token must be valid and present on the FortiGate before it can be assigned to a user.

The correct answer is D . In FortiManager HA manual mode, the study guide explains what happens when members change: if the primary fails, you must manually promote a secondary and repoint the others, but that is not this scenario. For a failed secondary , the relevant exact extract is: “if you remove a secondary member from the HA configuration, the primary FortiManager removes the secondary serial number from the central management configuration of FortiGate, and updates the managed FortiGate devices immediately.”

Operationally, in the HA configuration, removing that failed secondary means deleting its HA peer entry from the primary, which corresponds to removing the failed device’s peer IP . A is false because manual HA is not transparent in this case. B is only a diagnostic detail. C applies when the primary fails, not a secondary.

=========

The correct answers are A and C . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “FortiManager creates a configuration revision when: FortiGate is added to FortiManager, Device changes are installed from FortiManager, FortiGate configuration is retrieved from FortiManager, A local change on FortiGate causes an automatic update” .

This exactly proves A , because device changes are installed from FortiManager , and C , because a local change on FortiGate causes an automatic update . The guide also states: “By default, all changes made on a managed FortiGate device are automatically updated on FortiManager and reflected in revision history” .

B and D only modify the FortiManager device-level database status to Modified . They do not, by themselves, create a new revision history until an install, retrieve, or auto-update occurs.

The FortiManager 7.6 Administrator Study Guide states that global policies must be explicitly assigned : “ You must explicitly assign global policy packages to specific ADOMs ,” and FortiManager can also target specific policy packages in individual ADOMs . The lab guide confirms that assignment is performed from the Global Database ADOM : the administrator selects Global Database ADOM , clicks Assignment , adds the ADOM, chooses Specify Policy Packages To Assign , selects the target package, and then clicks Assign .

So creating a new policy package inside ADOM1 does not automatically inherit the existing global package assignment. It also does not automatically install policies. The administrator must go back to the global ADOM and assign the global policy package to that new local policy package.

The correct answer is C . The installation log explicitly says: “Dynamic interface ‘LAN’ mapping undefined for device HQ-NGFW-1” . That means the policy is using a normalized interface , but FortiManager has no valid mapping for that device. The FortiManager 7.6 Administrator Study Guide states that “Interfaces are mapped per device, per platform, or both” and “When the normalized interface is used in a policy, the per-device mappings have higher priority than per-platform mappings.”

The lab guide also shows that during import or policy mapping fixes, the administrator can set the Mapping Type to Per-Device for interfaces.

So the correct fix is to create a per-device mapping for the normalized interface LAN for that FortiGateRugged-70F. Hardcoding lan1 in the policy is not the best FortiManager method because interface mapping is designed specifically to avoid that.

=========

The correct answer is C . The uploaded FortiManager 7.6 Administrator Lab Guide gives the exact extract: “FortiManager will update the universally unique identifiers (UUID) without deleting other configurations” and “UUIDs on both FortiGate and FortiManager are critical for ensuring the unique identification, consistency, and correct management of firewall policies across multiple devices and configurations. They provide a reliable and immutable reference for policies.”

The same source also shows administrators enabling UUIDs in Traffic Log on FortiGate log settings, which supports the logging and policy-correlation use case with FortiAnalyzer/FortiManager.

So the attribute that improves policy identification and logging correlation is the Universally Unique Identifier , not Policy ID, Log ID, or Sequence ID.

=========

The error occurs because the FortiGate HQ-NGFW device with ID 262 is a newly added model device and has not yet been fully synchronized or installed with a configuration package, which causes the reload configuration command to fail.

The correct answer is B . The LAN address object shown in the exhibit has a default value of 10.0.0.0/255.255.255.0 , and it has per-device mappings only for BR1-FGT-1 , HQ-NGFW-1 , and Local-Firewall . There is no per-device mapping entry for Remote-Firewall .

The FortiManager 7.6 Administrator Study Guide gives the exact rule for this behavior: “The devices in the ADOM that do not have a dynamic mapping for LAN have a default value” . The same page also explains that dynamic objects let you map one logical object to unique values per device , but devices without a mapping use the object’s default definition.

Since Remote-Firewall is not listed in the Per-Device Mapping table, it inherits the default LAN value: 10.0.0.0/255.255.255.0 .

=========