Free Practice Questions for Fortinet FCP_FMG_AD-7.6 Exam

The correct answers are A and C . The FortiManager 7.6 Administrator Study Guide states: “An ADOM revision creates a snapshot of all policy and object configurations for the ADOM” . The lab guide says the same thing in practical terms: “An ADOM revision creates a snapshot of the policy and object configuration for the ADOM” and that these revisions are useful for comparing differences and reverting to a previous revision .

Because the revision is a snapshot of the ADOM’s policy-and-object state, it saves the current ADOM policy/object state, which supports A and directly proves C . B is false because the study guide warns: “ADOM revisions can significantly increase the size of the configuration backup files.” D is not supported by the uploaded sources.

=========

The configuration includes a server-list with server-type set to " update rating, " which enables FortiGate HQ-NGFW-1 to contact FortiManager as a FortiGuard Distribution Server (FDS) for FortiGuard updates.

The installation includes a root_CA3 certificate, which FortiManager will install on FortiGate HQ-NGFW-1 to authenticate FGFM tunnel connections between the devices.

The exhibit shows diagnose fmupdate view-serverlist fds with Server Override Mode: Strict and the active entry marked with *0 as 10.0.1.50 on port 8890 , with source CLI . In FortiManager, Strict override mode means the system can communicate only with the configured override server list and cannot fall back to public FDS servers. Therefore, FortiManager gets antivirus and IPS updates from 10.0.1.50 , making B correct.

The study guide also explains that antivirus and IPS override addresses are specifically used when a downstream FortiManager must download updates from an upstream FortiManager or another designated server.

So even though FDNI and DEFAULT entries are listed, Strict mode prevents fallback , and only the CLI-defined override server is actually used.

=========

The correct answer is C . The FortiManager 7.6 Administrator Study Guide explicitly says: “You must explicitly assign global policy packages to specific ADOMs” and “you can even pick specific policy packages in individual ADOMs that you want to apply the global policies to.” The study guide also explains the assignment workflow: “This slide shows the steps to assign a global policy package to an ADOM policy package” and “First, add the required ADOMs as targets. Second, assign the global policy package to the ADOMs.”

Because Remotes is a newly created policy package, it does not inherit the earlier assignment automatically. The administrator must explicitly assign the Training global policy package to the Remotes policy package. Automatic install does not create that assignment, and unassigning all packages is unnecessary.

The correct answer is B . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “Performing a revert operation followed by an installation only reverts device-level changes and does not revert policy packages. To achieve full synchronization, you must run the Import Configuration tool on FortiManager to synchronize the policy package.”

The guide also states: “After every retrieve, auto-update, or revert operation, you must use Import Configuration to ensure the policy information is synchronized.”

In the exhibit, the missing unset comment for policy ID 1 is a policy package issue, not just a device-level revert issue. Reinstalling the existing policy package does not automatically rebuild it from the reverted revision. The administrator must import the firewall policies again so the policy package reflects the reverted policy state. That is why the comment was not removed.

=========

Running the script through the policy package or ADOM database method allows FortiManager to properly interpret object relationships and dependencies in the IPsec configuration, preventing object mismatch errors when pushing complex VPN settings directly via CLI.

When a script is run using Remote FortiGate Directly via CLI , FortiManager sends the commands straight to the FortiGate and does not preview or validate dependent objects first . The study guide also explains that scripts containing ADOM-level objects or dynamic mappings must be executed on the Policy Package or ADOM Database , then installed through the installation workflow. That matches this IPsec error scenario, where phase2-interface is referencing an object relationship that FortiManager cannot properly validate in direct CLI mode. Therefore, the administrator should run the script on the policy package or ADOM database method , then install it.

Option A addresses only one possible syntax issue. B is a valid deployment approach in general, but it is not what the question asks as the direct fix for this script execution error. C is incorrect and would not resolve the object dependency mismatch.

Limiting ADOM revisions reduces the number of stored historical configurations, which helps avoid performance degradation and slow ADOM upgrades caused by a large volume of revisions.

The command set workspace-mode normal enables Workspace (ALL ADOMs) . In this mode, FortiManager uses ADOM locking to prevent configuration conflicts. The study guide explains that workspace mode is used to prevent concurrent ADOM access , and once an ADOM is locked, only the administrator who locked it has read-write access while all others have read-only access. That makes D correct.

B is also correct because locking is applied per ADOM, so different administrators can work at the same time on different ADOMs without conflicting with each other. This is consistent with the design goal of workspace mode and ADOM locking.

C describes workflow mode , not workspace normal. Approval before installation is required only with set workspace-mode workflow.

=========

The FortiManager 7.6 Administrator Study Guide is explicit for the scenario where both FortiManager and FortiGate are behind NAT . It states that FortiManager can discover FortiGate through the FortiGate NATed IP address , which makes A correct. It also explains that in this scenario, the FortiManager NATed IP address is not configured on FortiGate by default under central management , which makes B correct.

C is incorrect because FortiGate must use the FortiManager NATed IP address , not the non-NATed IP, if it needs to announce itself or reestablish the FGFM tunnel. D is also incorrect because in this NAT scenario, if the tunnel is torn down, only FortiGate attempts to reestablish the connection ; FortiManager does not automatically do so.

=========