Pass the Fortinet Fortinet Network Security Expert FCP_FMG_AD-7.6 Questions and answers with CertsForce

The import process shows that FortiManager will create normalized interfaces named LAN, port4, and port6 at the ADOM layer, mapping them to the corresponding device interfaces based on the import settings.

The correct answers are B and C . The FortiManager 7.6 Administrator Study Guide explicitly states: “Scripts that you run directly on remote devices also cause automatic updates and create a revision history.” This exact extract proves both results: FortiManager creates a new revision history and the device status becomes Auto-Updated , meaning the FortiGate change is automatically reflected in the FortiManager device-level database.

The lab guide also distinguishes this from database-targeted scripts by stating: “You must perform an installation if you run a script on a device database, policy package, or ADOM database.” That wording excludes Remote FortiGate Directly via CLI , so D is incorrect.

A is also incorrect because direct remote execution does not use the install preview workflow; preview and validation are tied to Install Wizard operations, not direct CLI execution.

=========

FortiManager helps with mass provisioning by using templates that allow administrators to configure the same settings on multiple FortiGate devices simultaneously, streamlining deployment and management.

Running the script through the policy package or ADOM database method allows FortiManager to properly interpret object relationships and dependencies in the IPsec configuration, preventing object mismatch errors when pushing complex VPN settings directly via CLI.

When a script is run using Remote FortiGate Directly via CLI , FortiManager sends the commands straight to the FortiGate and does not preview or validate dependent objects first . The study guide also explains that scripts containing ADOM-level objects or dynamic mappings must be executed on the Policy Package or ADOM Database , then installed through the installation workflow. That matches this IPsec error scenario, where phase2-interface is referencing an object relationship that FortiManager cannot properly validate in direct CLI mode. Therefore, the administrator should run the script on the policy package or ADOM database method , then install it.

Option A addresses only one possible syntax issue. B is a valid deployment approach in general, but it is not what the question asks as the direct fix for this script execution error. C is incorrect and would not resolve the object dependency mismatch.

The correct answer is B because FortiManager supports ADOM-level metadata variables in scripts and templates . The study guide explicitly states that meta fields cannot be used as variables in scripts or provisioning templates ; instead, you must use ADOM-level metadata variables . It further says these variables can be used in templates , and their values can be mapped depending on the device where the template is applied.

That makes metadata variables the proper method for handling per-device differences such as whether a FortiGate should use a LAN or WAN source interface for FortiAnalyzer communication. A is wrong because per-device dynamic objects apply to objects like addresses and VIPs, not template interface selection. D is wrong because meta fields are comments/attributes, not template variables. C could work operationally, but it is not the FortiManager feature intended for this use case.

=========

The correct answer is A . This conclusion comes from the HA settings shown in the exhibit plus Fortinet’s HA behavior. In the exhibit, HQ-NGFW-1 has memory-based-failover enabled , memory-failover-threshold 70 , memory-failover-monitor-period 50 , and its memory usage is about 90% , while HQ-NGFW-2 is about 48.7% . Fortinet’s official documentation states that memory-failover-threshold is the memory percentage that triggers failover, and memory-failover-monitor-period is the duration high memory must persist before failover occurs. It also states that if utilization stays above the threshold for the entire monitor period, a failover is triggered , and the peer becomes primary. ( Fortinet Document Library )

Because the condition was observed for 55 seconds , which is longer than the configured 50-second monitor period , the cluster would fail over from HQ-NGFW-1 to HQ-NGFW-2 due to the memory-failover-threshold condition. The priority setting does not explain this result here, because override is disabled , and flip-timeout governs subsequent memory-based failovers, not the initial trigger. ( Fortinet Document Library )

=========

The correct answer is B . The error occurs because the script is being run on the policy package database , but the failing command is config sys interface, which is a device-level configuration command, not a policy-layer command. The lab guide gives the exact relationship: “Because the scripts target the device database, first, you will run the scripts against the device database, and then install the scripts on the managed devices” and “The scripts contain configuration changes related to device-level settings.”

By contrast, the lab guide shows Policy Package or ADOM Database scripts being used for firewall objects and policies in a policy package.

So this NetFlow script must be run on the device database , then installed. The issue is not VDOM permissions, metadata variables, or normalized interfaces.

The command set workspace-mode normal enables Workspace (ALL ADOMs) . The study guide states that in this mode “All ADOMs can be locked” and workspace mode lets administrators lock ADOMs, devices, policy packages, and objects. The lab guide then gives the exact behavior for ungraceful session closure: “If a session is not closed gracefully … FortiManager does not close the administrator session until it times out or the session is deleted. Until this time, the ADOM remains in a locked state.” That directly proves A .

C is also verified by the lab guide statement: “If an administrator locked one or more ADOMs, and then logs out of FortiManager, all of those ADOMs are unlocked.” The phrase “one or more ADOMs” confirms the same administrator can lock multiple ADOMs at once.

D is a workflow mode approval concept, not workspace normal.

Right after moving the ISFW device to a new ADOM, the status typically shows the policy package as never-installed, indicating that the device has been assigned to the new ADOM but no policy package has yet been installed in that ADOM.

Enabling workflow mode along with the ADOM lock feature ensures that all configuration changes go through a centralized review and approval process before installation, allowing controlled and coordinated management of firewall policies by multiple administrators.