FCP - FortiManager 7.4 Administrator Questions and Answers
Exhibit.
An administrator would like to create three ADOMs on FortiManager with different access levels based on departments. What two conclusions can you draw from the design shown in the exhibit? (Choose two.)
Options:
The FortiManager administrator must set the ADOM device mode to Advanced.
Policies and objects databases can be shared between the Financial and HR ADOMs.
An administrator with the super user profile can access all the VDOMs.
The administrator must configure FortiManager in workspace normal mode.
Answer:
A, C
Explanation:
Based on the exhibit, the FortiManager administrator is setting up three ADOMs (Administrative Domains) that correspond to different departments (Financial, HR, and IT). Each ADOM has specific FortiGate devices or VDOMs (Virtual Domains) assigned to it, with different administrators managing the ADOMs.
Explanation of Options:
A. The FortiManager administrator must set the ADOM device mode to Advanced.
This is true. In FortiManager, when there are VDOMs (Virtual Domains) involved, you must set the ADOM to Advanced mode to manage VDOMs properly. The IT department ADOM includes different VDOMs from FortiGate 4 (VDOM 2 and VDOM 3), which means the ADOM mode must be in Advanced to support managing VDOMs separately from other ADOMs.
B. Policies and objects databases can be shared between the Financial and HR ADOMs.
This is false. By default, ADOMs are separate, and policies and objects cannot be shared between them unless they are specifically designed to do so. The exhibit shows distinct ADOMs for each department, implying no direct sharing of policies and objects between Financial and HR ADOMs.
C. An administrator with the super user profile can access all the VDOMs.
This is true. A FortiManager administrator with the super user profile has full access to all ADOMs and VDOMs, regardless of how access is restricted for individual administrators. In this case, an admin with the super user profile could access Financial, HR, and IT ADOMs, including all the VDOMs from FortiGate 4.
D. The administrator must configure FortiManager in workspace normal mode.
This is false. There is no requirement mentioned in the exhibit or scenario that mandates using workspace normal mode. Workspace mode is more related to how configuration changes are managed (locking, editing, etc.), but it doesn't affect the creation or access control of ADOMs.
Conclusion:
A is correct because Advanced mode is necessary for managing VDOMs within ADOMs.
C is correct because a super user can access all VDOMs and ADOMs without restrictions.
Refer to the exhibit.
Which two results occur if the script is run using the Device Database option? (Choose two.)
Options:
You must install these changes on a managed device using the Install Wizard.
The successful execution of a script on the Device Database creates a new revision history.
The script history shows successful installation of the script on the remote FortiGate device.
The device Config Status is tagged as Modified.
Answer:
A, D
Explanation:
If the script is run using the "Device Database" option on FortiManager, the following occurs:
A. You must install these changes on a managed device using the Install Wizard.
Running the script on the Device Database updates only the configuration in the FortiManager's database, not on the actual FortiGate device. To apply the changes, you need to use the Install Wizard to push these configurations to the managed device.
D. The device Config Status is tagged as Modified.
After running the script on the Device Database, FortiManager tags the device's configuration status as "Modified," indicating that there are pending changes that have not yet been installed on the device.
Options B and C are incorrect because:
B suggests a new revision history is created, but this only happens when changes are actually installed on the managed device.
C implies the script is directly executed on the FortiGate, which is not the case when using the Device Database option.
FortiManager References:
Refer to FortiManager 7.4 Administrator Guide: Scripting and Configuration Management.
An administrator has assigned a global policy package to custom ADOM1. Then the administrator creates a new policy package, Fortinet, in the custom ADOM1. What happens to the Fortinet policy package when it is created?
Options:
You must assign the global policy package from the global ADOM.
The global policy package is automatically assigned.
You must reapply the global policy package to ADOM1.
You can select the option to assign the global policies.
Answer:
B
Explanation:
When a new policy package is created in a custom ADOM that already has a global policy package assigned, the global policy package is automatically assigned to the new policy package. This behavior ensures consistent policy enforcement across different ADOMs.
Options A, C, and D are incorrect because:
A and C incorrectly suggest that manual reassignment or reapplication is needed.
D implies optional assignment, whereas it is automatically done.
FortiManager References:
Refer to FortiManager 7.4 Administrator Guide: Working with Global and Custom ADOM Policy Packages.
An administrator has enabled Service Access on FortiManager. What is the purpose of Service Access on the FortiManager interface?
Options:
It allows administrative access to FortiManager.
It allows FortiManager to respond to requests for FortiGuard services from FortiGate devices.
It allows third-party applications to gain read/write access to FortiManager.
It allows FortiManager to determine the connection status of managed devices.
Answer:
B
Explanation:
Option B: It allows FortiManager to respond to requests for FortiGuard services from FortiGate devices. This is the correct answer. When Service Access is enabled on FortiManager, it allows FortiManager to act as a local FortiGuard server for the managed FortiGate devices. This enables the FortiManager to respond to requests for FortiGuard services, such as updates for antivirus, web filtering, and other security services.
Explanation of Incorrect Options:
Option A: It allows administrative access to FortiManager is incorrect because Service Access is specifically for FortiGuard service communication, not for administrative access.
Option C: It allows third-party applications to gain read/write access to FortiManager is incorrect because Service Access does not provide API or third-party access capabilities.
Option D: It allows FortiManager to determine the connection status of managed devices is incorrect because Service Access does not directly manage or check connectivity status of devices; it is used for FortiGuard service requests.
FortiManager References:
Refer to the "FortiManager Administration Guide," particularly the sections on "Service Access Settings" and "FortiGuard Services."
Refer to the exhibit.
What can you conclude from the failed installation log shown in the exhibit?
Options:
Policy ID 2 is installed in the disabled state.
Policy ID 2 is installed without the remote user student.
Policy ID 2 will not be installed.
Policy ID 2 is installed without a source address.
Answer:
B
Explanation:
From the log provided in the exhibit, several conclusions can be drawn regarding the installation of Policy ID 2:
The installation process fails when attempting to set the LDAP user "student". The log shows:
"Attribute 'ldap-server' MUST be set.": This error indicates that when setting up the LDAP user configuration, a mandatory field (ldap-server) is missing. As a result, the configuration could not be completed for the user.
"entry not found in datasource" and "value parse error before 'student'": These errors confirm that the user "student" could not be properly added due to a configuration issue (such as the missing LDAP server).
Because of these errors, while other configuration elements (such as source and destination interfaces, actions, and services) are properly set, the user configuration for "student" is not applied.
Evaluation of the answer options:
A. Policy ID 2 is installed in the disabled state.
This is false. There is no indication in the log that Policy ID 2 is disabled.
B. Policy ID 2 is installed without the remote user student.
This is true. Due to the failure in setting the "student" user (as indicated by the errors), the policy will be installed without that user being properly configured.
C. Policy ID 2 will not be installed.
This is false. The policy is installed, but the user configuration failed. The rest of the policy configuration appears to have proceeded without critical errors that would prevent the installation.
D. Policy ID 2 is installed without a source address.
This is false. The log shows that the source address is properly set to "all" (set srcaddr all), so this is not the cause of the issue.
From the log exhibit, we see errors related to the "ldap-server" attribute not being set and an error with the entry "student" not being found in the datasource. This indicates that Policy ID 2 will not be installed due to missing or incorrect data required for successful installation. The "Command fail. Return code -3" confirms the installation failure, so the correct answer is C.
Options A, B, and D are incorrect because:
A suggests the policy is installed in a disabled state, which isn't supported by the log.
B and D suggest partial installation, but the error messages indicate a complete failure to install Policy ID 2.
FortiManager References:
Refer to FortiManager 7.4 Troubleshooting Guide: Common Errors and Log Interpretation.
What is a characteristic of the FortiManager high availability (HA) feature?
Options:
When a secondary unit is removed, FortiManager updates the managed devices using TCP port 5199.
The primary unit synchronizes all configuration revisions with the secondary units.
All secondary units must be in the same network as the primary unit.
Each cluster member must be upgraded manually, starting with the primary unit.
Answer:
B
Explanation:
The characteristic of the FortiManager high availability (HA) feature is that the primary unit synchronizes all configuration revisions with the secondary units. This ensures that all devices in the HA cluster are up-to-date with the same configurations, providing redundancy and failover capabilities.
Options A, C, and D are incorrect because:
A refers to a specific port number (5199), but FortiManager does not specifically use TCP port 5199 to update managed devices when a secondary unit is removed.
C is incorrect as secondary units do not necessarily have to be in the same network as the primary unit; they just need to be able to communicate with each other.
D is incorrect because HA upgrades can be automated and do not require manual upgrading, starting with the primary unit.
FortiManager References:
Refer to FortiManager 7.4 High Availability (HA) Guide: HA Synchronization and Configuration.
An administrator configures a new OSPF area on FortiManager and has not yet pushed the changes to the managed FortiGate device. In which database will the configuration be saved?
Options:
Device-level database
ADOM-level database
Configuration-level database
Revision history database
Answer:
A
Explanation:
When an administrator configures a new OSPF area on FortiManager but has not yet pushed the changes to the managed FortiGate device, the configuration is saved in the Device-level database.
Explanation of Options:
A. Device-level database:
This is true. When changes are made to a device's configuration on FortiManager, they are saved in the Device-level database. This database stores the configuration for individual managed devices. The configuration changes remain here until they are pushed to the actual FortiGate device.
B. ADOM-level database:
This is false. The ADOM-level database holds configurations related to the entire ADOM (Administrative Domain), such as global settings that apply to all devices within the ADOM, rather than configurations specific to individual devices.
C. Configuration-level database:
This is false. The term "Configuration-level database" is not typically used in FortiManager terminology. Changes are stored in the device-level database and are applied when pushed to the FortiGate.
D. Revision history database:
This is false. The revision history database keeps track of previous versions of configurations after they have been pushed to the FortiGate device. It does not store unsaved or pending configurations that have not yet been applied to the device.
Which statement about the upgrade of ADOMs on FortiManager is true?
Options:
To ensure database consistency, you must upgrade an ADOM before you upgrade the devices in it.
Upgrading the FortiManager version upgrades all existing ADOMs automatically.
You cannot import policies from a device until its FortiOS version matches the ADOM version.
ADOMs using global objects can be upgraded before or after upgrading the global database ADOM.
Answer:
A
Explanation:
Option A: To ensure database consistency, you must upgrade an ADOM before you upgrade the devices in it. This is the correct answer. When upgrading ADOMs on FortiManager, the ADOM must be upgraded first to match the FortiOS version of the devices it manages. This is necessary to ensure compatibility and consistency between the ADOM's database schema and the FortiGate's configuration.
Explanation of Incorrect Options:
Option B: Upgrading the FortiManager version upgrades all existing ADOMs automatically is incorrect because the ADOMs must be upgraded manually or individually after upgrading the FortiManager.
Option C: You cannot import policies from a device until its FortiOS version matches the ADOM version is incorrect because while version matching is important, it is not strictly necessary for policy import.
Option D: ADOMs using global objects can be upgraded before or after upgrading the global database ADOM is incorrect as the order of upgrade matters to maintain compatibility.
FortiManager References:
Refer to "FortiManager Upgrade Guide" for detailed procedures on upgrading ADOMs and devices.
Which two items are included in the FortiManager backup? (Choose two.)
Options:
All devices
Firmware images
FortiGuard database
Flash configuration
Answer:
A, D
Explanation:
FortiManager backups include:
A. All devices: This includes all device configurations managed by FortiManager, such as firewall policies, objects, and other settings.
D. Flash configuration: This consists of local FortiManager configurations stored in flash memory, such as system settings, scripts, and other locally stored configurations.
Options B and C are incorrect because:
B (Firmware images) are not typically included in a FortiManager backup. Firmware images are usually stored separately and managed through a different process.
C (FortiGuard database) is incorrect as the FortiGuard database, which contains threat intelligence and security signatures, is not part of the standard FortiManager backup.
FortiManager References:
Refer to FortiManager 7.4 Administrator Guide: Backup and Restore Processes.
Refer to the exhibit.
You are using the Quick Install option to install configuration changes on the managed FortiGate.
Which two statements correctly describe the result? (Choose two.)
Options:
It installs provisioning template changes on the FortiGate device.
It provides the option to preview only the policy package changes before installing them.
It installs all the changes in the device database first and the administrator must reinstall the changes on the FortiGate device.
It installs device-level changes on the FortiGate device without launching the Install Wizard.
Answer:
B, D
Explanation:
Option B: It provides the option to preview only the policy package changes before installing them. This is correct. The Quick Install option in FortiManager provides a preview of policy changes before they are applied, allowing administrators to review and confirm the changes.
Option D: It installs device-level changes on the FortiGate device without launching the Install Wizard. This is correct. Quick Install allows for the immediate installation of device-level changes, such as interface or routing configurations, directly onto the FortiGate without going through the full Install Wizard.
Explanation of Incorrect Options:
Option A: It installs provisioning template changes on the FortiGate device is incorrect because Quick Install does not specifically deal with provisioning templates.
Option C: It installs all the changes in the device database first and the administrator must reinstall the changes on the FortiGate device is incorrect because Quick Install directly applies changes to the FortiGate device, not requiring a separate reinstall step.
FortiManager References:
Refer to "FortiManager Administration Guide" for details on "Quick Install" functionality under "Device Management."