Fortinet FCP_FMG_AD-7.4 Practice Questions

Summary:
An ADOM in backup mode is designed for storing and viewing device configurations. It is a read-only mode that does not support the standard workflow of creating policies in the GUI and installing them to managed devices. To make changes to a device in a backup-mode ADOM, you must use a method that works "offline," such as a script that can generate and push configuration commands directly.

Correct Option:

B. The administrator must use a FortiManager script.
This is the correct method. FortiManager scripts can be created and executed even when the ADOM is in backup mode. The script contains the necessary CLI commands to create the policy on the target FortiGate. When the script is run, FortiManager pushes these commands directly to the device, bypassing the need for the standard policy package and installation process used in Normal or Advanced ADOM modes.

Incorrect Option:

A. The administrator must use the Policy & Objects section to create a policy first.
This is incorrect. In backup mode, the Policy & Objects menu and the ability to create or edit policies in a policy package are disabled. The ADOM is in a read-only state for these features.

C. The administrator must disable the FortiManager offline mode first.
This is incorrect terminology. "Offline mode" is not the standard term for this state. The administrator would need to change the ADOM mode from "Backup" to "Normal" or "Advanced," which requires a revision to the FortiManager's deployment model, not just disabling a setting.

D. The administrator must change the ADOM mode to Advanced to bring the FortiManager online.
This is incorrect and based on a misunderstanding. The FortiManager itself is online. The restriction is on the ADOM's operational mode. While changing the ADOM mode is a possible long-term solution, it is not the method to perform the task while the ADOM is in backup mode. The question asks for the method that works within the current (backup mode) constraints.

Reference:
Fortinet Document Library: FortiManager Administration Guide, "ADOM modes" and "Scripts".

Summary:
This question addresses the fundamental data structure of FortiManager. When an administrator makes a configuration change for a managed device within an ADOM, that change is not immediately sent to the device. Instead, it is stored locally on the FortiManager. The change remains in this central storage until the administrator explicitly performs an installation operation to push the changes to the target device.

Correct Option:

B. ADOM-level database:
This is the correct answer. All device configurations managed within a specific ADOM are stored in that ADOM's database on the FortiManager. This includes new configurations, like the OSPF area in the question, that have been created but not yet installed. The ADOM database acts as the central repository for the intended device configuration.

Incorrect Option:

A. Device-level database:
This is incorrect. While the configuration is for a device, it is not stored on the device's own database until it is installed. The term "device-level database" typically refers to the running configuration stored on the FortiGate device itself, not on the FortiManager.

C. Configuration-level database:
This is incorrect. "Configuration-level database" is not a standard term used in the FortiManager architecture to describe where uninstalled changes are stored. The official and precise term is the ADOM-level database.

D. Revision history database:
This is incorrect. The revision history database is used to store snapshots of previous configurations for backup and recovery purposes. It is a log of what was installed, not a working area for new, uninstalled changes.

Reference:
Fortinet Document Library: FortiManager Administration Guide, "ADOMs" and "The installation process".

Summary:
This question tests knowledge of the specific methods used in the FortiManager REST API. Each method has a distinct function for creating, reading, updating, or deleting configuration objects. Understanding the difference between "add," "set," and "update" is crucial for successfully and correctly modifying the configuration via API calls.

Correct Option:

A. Set:
This is the correct answer. The set API method is used to create a new object. If an object with the same unique identifier (like its name) already exists, the set method will overwrite the existing object with the new configuration provided in the API request. It performs a create-or-replace operation.

Incorrect Option:

B. Add:
The add method is used only to create a new object. If an object with the same identifier already exists, the add operation will fail with an error, it will not overwrite the existing object.

C. Exec:
The exec method is not used for creating or modifying configuration objects. It is used to execute a command or function, such as triggering an installation (exec install), running a script, or clearing a session.

D. Update:
The update method is used to modify only the specific parameters included in the API request for an existing object. It will fail if the object does not already exist, and it leaves any parameters not mentioned in the request unchanged.

Reference:
Fortinet Developer Network (FNDN): FortiManager REST API Reference, "API Methods".

Summary:
This question focuses on the core operational characteristics of a FortiManager High Availability (HA) cluster. In an HA setup, one unit acts as the primary (master) and handles all management tasks, while the secondary unit(s) stand by, ready to take over. A fundamental requirement for this to work is that all units share an identical configuration, which is achieved through automatic synchronization from the primary to the secondary units.

Correct Option:

B. The primary unit synchronizes all configuration revision with the secondary units.
This is correct. This is a defining characteristic of FortiManager HA. The primary unit automatically and continuously synchronizes its entire configuration, including all ADOM data, policy packages, and script revisions, to the secondary units. This ensures that a secondary unit can seamlessly take over management with an up-to-date configuration if the primary fails.

Incorrect Option:

A. When a secondary unit is removed, FortiManager updates the managed devices using TCP port 5199.
This is incorrect. The communication between FortiManager and managed FortiGates uses other ports (such as 541 for FortiGuard distribution). Port 5199 is used for inter-cluster communication between the FortiManager HA units themselves, not for notifying managed devices.

C. All secondary units must be in the same network as the primary unit.
This is incorrect. While it is a recommended best practice for latency and reliability, FortiManager HA supports geographically distributed clusters where secondary units can be in different networks, connected via a WAN link.

D. Each cluster member must be upgraded manually, starting with the primary unit.
This is incorrect. FortiManager supports a coordinated HA upgrade process. The administrator initiates the upgrade on the primary unit, which then automatically upgrades the secondary units in the correct sequence, ensuring minimal downtime and service continuity.

Reference:
Fortinet Document Library: FortiManager Administration Guide, "High Availability (HA)".

Summary:
A FortiManager backup is designed to preserve its management configuration and data, allowing for recovery in case of failure. This includes all the settings, objects, and structural data created within the FortiManager itself. It does not include very large binary files or databases that can be re-downloaded, nor does it include the full configuration of managed devices, as those are stored separately within the ADOMs.

Correct Option:

B. Firmware images:
This is correct. Firmware images that have been uploaded to the FortiManager for distribution to managed devices are included in the backup file. This ensures you can restore the FortiManager and immediately have access to the necessary firmware versions for your devices.

D. Flash configuration:
This is correct. The "flash configuration" refers to the core operating system and application settings of the FortiManager unit itself. This includes network settings, admin accounts, HA configuration, and other system-level parameters necessary for the appliance to function.

Incorrect Option:

A. All devices:
This is incorrect and ambiguous. The managed devices themselves (the physical or virtual FortiGates) are not included in the backup. However, the configurations of those devices, which are stored within the ADOMs on the FortiManager, are backed up. Since "All devices" could be misinterpreted as the devices' own file systems or full state, it is not a precise correct answer.

C. FortiGuard database:
This is incorrect. The FortiGuard antivirus and IPS databases are very large and are dynamically updated from FortiGuard servers. They are not included in a FortiManager configuration backup. After a restore, the FortiManager will reconnect to the FortiGuard network and download the latest databases.

Reference:
Fortinet Document Library: FortiManager Administration Guide, "Backup and Restore".

Option B: It allows FortiManager to respond to requests for FortiGuard services from FortiGate devices.This is the correct answer. When Service Access is enabled on FortiManager, it allows FortiManager to act as a local FortiGuard server for the managed FortiGate devices. This enables the FortiManager to respond to requests for FortiGuard services, such as updates for antivirus, web filtering, and other security services.

Explanation of Incorrect Options:

Option A: It allows administrative access to FortiManageris incorrect because Service Access is specifically for FortiGuard service communication, not for administrative access.

Option C: It allows third-party applications to gain read/write access to FortiManageris incorrect because Service Access does not provide API or third-party access capabilities.

Option D: It allows FortiManager to determine the connection status of managed devicesis incorrect because Service Access does not directly manage or check connectivity status of devices; it is used for FortiGuard service requests.

FortiManager References:

Refer to the "FortiManager Administration Guide," particularly the sections on "Service Access Settings" and "FortiGuard Services."

Option A: To assign another global policy package later to the same ADOM, you must unassign this policy first.This is correct. FortiManager does not allow multiple global policy packages to be assigned to a single ADOM simultaneously. If you want to assign a different global policy package, the existing one must be unassigned first.

Option C: You can edit or delete all the global objects in the global ADOM.This is correct. Once a global policy package is assigned, you have the flexibility to edit or delete global objects in the global ADOM, affecting all ADOMs to which this package is assigned.

Explanation of Incorrect Options:

Option B: After you assign the global policy package to an ADOM, the impacted policy packages become hidden in that ADOMis incorrect because the policy packages do not become hidden; they are modified according to the global policies.

Option D: You must manually move the header and footer policies after the policy assignmentis incorrect because header and footer policies are automatically applied when assigned.

FortiManager References:

See the "Global Policy and ADOM Management" section in the FortiManager Administration Guide.