Pass the Fortinet Fortinet Network Security Expert FCP_FMG_AD-7.6 Questions and answers with CertsForce

Limiting ADOM revisions reduces the number of stored historical configurations, which helps avoid performance degradation and slow ADOM upgrades caused by a large volume of revisions.

Using the Install Wizard is the recommended method to reinstall the central policy package on the BR1-FGT-1 firewall, ensuring all settings, installation targets, and dependencies are correctly processed during installation.

ADOM revisions save the current state of all policy packages and objects within an ADOM, allowing administrators to track changes over time and revert to previous configurations if needed.

The correct answer is C . The installation log explicitly says: “Dynamic interface ‘LAN’ mapping undefined for device HQ-NGFW-1” . That means the policy is using a normalized interface , but FortiManager has no valid mapping for that device. The FortiManager 7.6 Administrator Study Guide states that “Interfaces are mapped per device, per platform, or both” and “When the normalized interface is used in a policy, the per-device mappings have higher priority than per-platform mappings.”

The lab guide also shows that during import or policy mapping fixes, the administrator can set the Mapping Type to Per-Device for interfaces.

So the correct fix is to create a per-device mapping for the normalized interface LAN for that FortiGateRugged-70F. Hardcoding lan1 in the policy is not the best FortiManager method because interface mapping is designed specifically to avoid that.

=========

When FortiManager is behind a NAT device, setting the NATed IP address (100.65.0.120) in the system admin settings causes FortiManager to use that NATed IP address for communication and configuration with FortiGate during discovery and management operations.

This point is not covered in the uploaded FortiManager 7.6 study guide , so the answer is based on Fortinet’s official FSSO documentation. Fortinet documents that in FSSO Collector Agent deployments, the FortiGate connects to the Collector Agent on TCP port 8000 by default , and if a different port is not configured, that is the port that must be reachable. Fortinet also explains that the DC agents monitor user logon events and pass the information to the Collector Agent, which stores the information and sends it to the FortiGate .

So, when login events are not reaching FortiGate, the most effective first troubleshooting step is to verify connectivity on TCP 8000 between the Collector Agent and FortiGate. Options A, B, and C are less direct and do not test the actual transport path used by the Collector Agent to send FSSO information to FortiGate.

The correct answer is B . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “Also note when you upgrade the FortiManager firmware version the existing ADOMs are not automatically upgraded.” This directly explains why the administrator saw the FortiManager upgrade complete while the ADOM versions remained unchanged.

The same section also explains that ADOM upgrades are a separate action: “You can upgrade an ADOM in System Settings > ADOMs” and “Can upgrade to one version higher at a time.” In addition, the guide recommends: “upgrade all devices first, and then upgrade the ADOM.”

So the issue is not workspace mode, locked ADOMs, or a stuck task. The ADOMs simply require their own manual upgrade step after the FortiManager firmware upgrade.

The FortiManager 7.6 Administrator Study Guide states that global policies must be explicitly assigned : “ You must explicitly assign global policy packages to specific ADOMs ,” and FortiManager can also target specific policy packages in individual ADOMs . The lab guide confirms that assignment is performed from the Global Database ADOM : the administrator selects Global Database ADOM , clicks Assignment , adds the ADOM, chooses Specify Policy Packages To Assign , selects the target package, and then clicks Assign .

So creating a new policy package inside ADOM1 does not automatically inherit the existing global package assignment. It also does not automatically install policies. The administrator must go back to the global ADOM and assign the global policy package to that new local policy package.

The correct answer is B . The FortiManager 7.6 Administrator Study Guide explicitly states: “CLI scripts use the FGFM tunnel and the FGFM tunnel is authenticated using the FortiManager and FortiGate serial numbers.” It also states: “Tcl scripts do not run through the FGFM tunnel like CLI scripts do. Tcl scripts use SSH to tunnel through FGFM and they require SSH authentication to do so.”

This is the exact reason CLI scripts can run without prompting for SSH authentication every time: they use the existing secure FGFM management tunnel , not a separate interactive SSH login. The FGFM section of the study guide also confirms that this is a secure communication tunnel established between FortiManager and managed FortiGate devices.

So the enabler is not legacy login, script location, or the “Remote FortiGate Directly” option by itself. It is the FGFM secure management tunnel .