Fortinet FCP_FMG_AD-7.6 - Fortinet NSE 5 - FortiManager 7.6 Administrator

The correct answer is C . The FortiManager 7.6 Administrator Study Guide states that after adding the root FortiGate of a Security Fabric, all downstream devices in the fabric are automatically added as Unauthorized in the root ADOM . That directly matches option C.

This is important because the administrator created a FortiGate-only ADOM named Training, not a Fabric ADOM. The lab guide explains that a FortiGate ADOM is intended for FortiGate devices, while the Fabric type is the special ADOM type that allows FortiGate and other device types together.

So the downstream members are not automatically authorized, and they do not immediately appear as managed devices inside the Training ADOM. They first appear as unauthorized devices in the root ADOM , where the administrator can review and authorize them.

=========

The exhibits are directly supported by the lab guide’s troubleshooting section. It states: “The only profile that can be replaced is the Firewall Profile-Protocol-Options profile, because the only difference is a change in the comment field.” It then explains that for the other two profiles, “Whether you accept the value from BR1-FGT-1 or FortiManager, it will cause changes on different devices.”

That exactly matches C . The conflict window is not primarily showing a firmware mismatch, and the guide does not say BR1-FGT-1 lacks HTTPS 443 support. It also does not describe this as a FortiGuard database mismatch for QUIC. Instead, the key point is that only the default Firewall Profile-Protocol-Options conflict is minor enough to safely take from FortiManager because the difference is only in the comment field . The web filter and SSL/SSH profiles would cause real configuration differences if replaced.

The configuration includes a server-list with server-type set to " update rating, " which enables FortiGate HQ-NGFW-1 to contact FortiManager as a FortiGuard Distribution Server (FDS) for FortiGuard updates.

The installation includes a root_CA3 certificate, which FortiManager will install on FortiGate HQ-NGFW-1 to authenticate FGFM tunnel connections between the devices.

The correct answer is C . The installation log explicitly says: “Dynamic interface ‘LAN’ mapping undefined for device HQ-NGFW-1” . That means the policy is using a normalized interface , but FortiManager has no valid mapping for that device. The FortiManager 7.6 Administrator Study Guide states that “Interfaces are mapped per device, per platform, or both” and “When the normalized interface is used in a policy, the per-device mappings have higher priority than per-platform mappings.”

The lab guide also shows that during import or policy mapping fixes, the administrator can set the Mapping Type to Per-Device for interfaces.

So the correct fix is to create a per-device mapping for the normalized interface LAN for that FortiGateRugged-70F. Hardcoding lan1 in the policy is not the best FortiManager method because interface mapping is designed specifically to avoid that.

=========

The exhibit shows diagnose fmupdate view-serverlist fds with Server Override Mode: Strict and the active entry marked with *0 as 10.0.1.50 on port 8890 , with source CLI . In FortiManager, Strict override mode means the system can communicate only with the configured override server list and cannot fall back to public FDS servers. Therefore, FortiManager gets antivirus and IPS updates from 10.0.1.50 , making B correct.

The study guide also explains that antivirus and IPS override addresses are specifically used when a downstream FortiManager must download updates from an upstream FortiManager or another designated server.

So even though FDNI and DEFAULT entries are listed, Strict mode prevents fallback , and only the CLI-defined override server is actually used.

=========

This point is not covered in the uploaded FortiManager 7.6 study guide , so the answer is based on Fortinet’s official FSSO documentation. Fortinet documents that in FSSO Collector Agent deployments, the FortiGate connects to the Collector Agent on TCP port 8000 by default , and if a different port is not configured, that is the port that must be reachable. Fortinet also explains that the DC agents monitor user logon events and pass the information to the Collector Agent, which stores the information and sends it to the FortiGate .

So, when login events are not reaching FortiGate, the most effective first troubleshooting step is to verify connectivity on TCP 8000 between the Collector Agent and FortiGate. Options A, B, and C are less direct and do not test the actual transport path used by the Collector Agent to send FSSO information to FortiGate.

The correct answer is B . The FortiManager 7.6 Administrator Study Guide explicitly states: “CLI scripts use the FGFM tunnel and the FGFM tunnel is authenticated using the FortiManager and FortiGate serial numbers.” It also states: “Tcl scripts do not run through the FGFM tunnel like CLI scripts do. Tcl scripts use SSH to tunnel through FGFM and they require SSH authentication to do so.”

This is the exact reason CLI scripts can run without prompting for SSH authentication every time: they use the existing secure FGFM management tunnel , not a separate interactive SSH login. The FGFM section of the study guide also confirms that this is a secure communication tunnel established between FortiManager and managed FortiGate devices.

So the enabler is not legacy login, script location, or the “Remote FortiGate Directly” option by itself. It is the FGFM secure management tunnel .

The most strongly supported answer is A . The study guide explicitly states: “In the case of having multiple FortiOS firmware versions on the same ADOM, it is recommended to use separate ADOMs instead.” It also says: “When you organize managed FortiGate devices, it is highly recommended that you group them based on their FortiOS firmware version. This is because valid command syntax varies by firmware version, which affects script compatibility.”

D is the other practical fix supported by FortiManager workflow. The study guide states that FortiManager can run scripts on multiple managed devices at once , and device groups let you run scripts on multiple devices instead of a single device . Combined with the firmware-version compatibility rule above, the correct operational approach is to keep version-specific scripts and apply them only to the matching device sets. B and C are not supported by the uploaded study guide as the recommended fix.

=========

The correct answer is C . The uploaded FortiManager 7.6 Administrator Lab Guide gives the exact extract: “FortiManager will update the universally unique identifiers (UUID) without deleting other configurations” and “UUIDs on both FortiGate and FortiManager are critical for ensuring the unique identification, consistency, and correct management of firewall policies across multiple devices and configurations. They provide a reliable and immutable reference for policies.”

The same source also shows administrators enabling UUIDs in Traffic Log on FortiGate log settings, which supports the logging and policy-correlation use case with FortiAnalyzer/FortiManager.

So the attribute that improves policy identification and logging correlation is the Universally Unique Identifier , not Policy ID, Log ID, or Sequence ID.

=========