FCP_FMG_AD-7.4 Questions and Answers

In the exhibit, there is aPer-Device MappingforLocal-FortiGatewith an IP/Netmask of192.168.1.0/24. This means that when the firewall address objectLOCAL_SUBNETis installed onLocal-FortiGate, the per-device mapping will override the general address object value of10.0.5.0/24. Therefore, the IP/Netmask installed onLocal-FortiGatewill be192.168.1.0/24.

To create and install a policy on a FortiGate device in an ADOM (Administrative Domain) that is in backup mode, the administrator must use a FortiManager script. This is because backup mode restricts direct configuration changes, and scripts can be used to push specific configuration changes without altering the ADOM mode.

Options A, C, and D are incorrect because:

A requires the ADOM to be in normal or advanced mode to create policies directly in the Policy & Objects section.

C suggests disabling offline mode, which is irrelevant to the backup mode configuration.

D implies changing the ADOM mode, which is unnecessary if using a script to perform the task.

FortiManager References:

Refer to FortiManager 7.4 Administrator Guide: Working with ADOMs and Using Scripts for managing policies in backup mode.

Option A: Policy seq.S will be installed on all managed devices and VDOMs that are listed under Installation Targets.This is correct. The "Install On" column indicates that the policy is targeted for installation on all listed managed devices and VDOMs under Installation Targets.

Option D: Policy seq.# 1 will be installed on the ISFW device root[NAT] and Student[NAT] VDOMs only.This is correct. Policy sequence #1 specifies that it will be installed only on the ISFW device and the VDOMs 'root[NAT]' and 'Student[NAT]' as indicated by the "Install On" column.

Explanation of Incorrect Options:

Option B: Policy seq.# 3 will be skipped because no installation targets are specifiedis incorrect because it is clearly listed under "Installation Targets," which means it will be installed according to the specified configuration.

Option C: Policy seq.# 2 will not be installed on the Local-FortiGate root VDOM because there is no root VDOM in the Installation Targetis incorrect as the exhibit does not show any specific exclusion for seq.# 2 on the Local-FortiGate root VDOM.

FortiManager References:

Refer to the FortiManager Administration Guide sections on "Policy Packages" and "Policy Installation Targets" for more details.

When operating in workspace mode on FortiManager 7.4, the administrator must understand how object references and deletions work:

Option C- "FortiManager will not allow the administrator to delete a referenced address object until they lock the ADOM":In workspace mode, all changes are managed within an Administrative Domain (ADOM) scope. When an object (like an address object) is referenced in a policy, FortiManager prevents its deletion to maintain configuration integrity. The ADOM must be locked by the administrator to make changes to any referenced objects. This locking mechanism ensures that no unintended deletions or changes occur that could disrupt the policies or configuration.

FortiManager Reference: "In workspace mode, changes to objects or policies require the ADOM to be locked. If an object is referenced, you must lock the ADOM before deleting or modifying the object." (FortiManager 7.4 Administration Guide, Section on Workspace Mode and ADOM Management)

Option D- "FortiManager will replace the deleted address object with the none address object in the referenced firewall policy":If the administrator attempts to delete an address object that is currently referenced by a firewall policy, FortiManager will replace the deleted object with the 'none' address object. This is done to maintain the policy structure and avoid policy corruption due to a missing reference. This behavior ensures that the firewall policy remains syntactically correct, even though the specific address object is no longer in use.

FortiManager Reference: "When a referenced object is deleted, FortiManager will replace it with a 'none' object in the policy. This behavior is to ensure the integrity and continuity of the policy configurations." (FortiManager 7.4 Administration Guide, Object Management and Policy Handling in Workspace Mode)

This command is used to retrieve the current running configuration from the specified FortiGate device and updates the FortiManager's device database accordingly.

Option C: It will modify the device-level database.This is correct. Reverting to a previous revision version in the revision history affects the device-level database by restoring it to the state saved in the selected revision. This ensures that any changes made after the selected revision are discarded, and the device configuration is returned to the earlier state.

Explanation of Incorrect Options:

Option A: It will install configuration changes to managed devices automaticallyis incorrect because reverting a revision does not automatically push changes to the devices; it merely reverts the configuration on the FortiManager.

Option B: It will tag the device settings status as Auto-Updateis incorrect because "Auto-Update" is not a status related to the revision history mechanism.

Option D: It will generate a new version ID and remove all other revision history versionsis incorrect as reverting to a previous revision does not delete all other versions; it creates a new revision point for tracking.

FortiManager References:

Refer to the "Revision Management" section in the FortiManager Administration Guide, which provides an overview of how revisions are managed and utilized for restoring configurations.

Meta fields in FortiManager can be used to add additional metadata or custom attributes to various objects, such as firewall addresses or other configuration objects. These meta fields help in organizing and identifying objects with custom information that is not part of the standard configuration. They are particularly useful for categorizing or tagging objects in large environments.

Based on the exhibit, the FortiManager administrator is setting up three ADOMs (Administrative Domains) that correspond to different departments (Financial, HR, and IT). Each ADOM has specific FortiGate devices or VDOMs (Virtual Domains) assigned to it, with different administrators managing the ADOMs.

Explanation of Options:

A. The FortiManager administrator must set the ADOM device mode to Advanced.

This istrue. In FortiManager, when there areVDOMs(Virtual Domains) involved, you must set the ADOM toAdvanced modeto manage VDOMs properly. The IT department ADOM includes different VDOMs from FortiGate 4 (VDOM 2 and VDOM 3), which means the ADOM mode must be inAdvancedto support managing VDOMs separately from other ADOMs.

B. Policies and objects databases can be shared between the Financial and HR ADOMs.

This isfalse. By default, ADOMs are separate, and policies and objects cannot be shared between them unless they are specifically designed to do so. The exhibit shows distinct ADOMs for each department, implying no direct sharing of policies and objects between Financial and HR ADOMs.

C. An administrator with the super user profile can access all the VDOMs.

This istrue. A FortiManager administrator with thesuper userprofile hasfull accessto all ADOMs and VDOMs, regardless of how access is restricted for individual administrators. In this case, an admin with the super user profile could access Financial, HR, and IT ADOMs, including all the VDOMs from FortiGate 4.

D. The administrator must configure FortiManager in workspace normal mode.

This isfalse. There is no requirement mentioned in the exhibit or scenario that mandates usingworkspace normal mode. Workspace mode is more related to how configuration changes are managed (locking, editing, etc.), but it doesn’t affect the creation or access control of ADOMs.

Conclusion:

Ais correct becauseAdvanced modeis necessary for managing VDOMs within ADOMs.

Cis correct because asuper usercan access all VDOMs and ADOMs without restrictions.