FCP_FMG_AD-7.4 FCP - FortiManager 7.4 Administrator Question and Answers

Option B: Routingis the correct answer. The ADOM-level database in FortiManager stores configuration settings such as routing, firewall policies, and objects that are shared across multiple devices in the ADOM.

Explanation of Incorrect Options:

Option A: NSX-T Service Templateis incorrect as it is not a FortiGate-specific setting managed at the ADOM level.

Option C: SNMPis incorrect because SNMP settings are typically managed on a per-device basis.

Option D: Security profilesis incorrect because security profiles are generally device-level configurations, not ADOM-level.

FortiManager References:

Refer to "FortiManager Administration Guide" for further details on ADOM-level and device-level configurations.

Option B: It provides the option to preview only the policy package changes before installing them.This is correct. The Quick Install option in FortiManager provides a preview of policy changes before they are applied, allowing administrators to review and confirm the changes.

Option D: It installs device-level changes on the FortiGate device without launching the Install Wizard.This is correct. Quick Install allows for the immediate installation of device-level changes, such as interface or routing configurations, directly onto the FortiGate without going through the full Install Wizard.

Explanation of Incorrect Options:

Option A: It installs provisioning template changes on the FortiGate deviceis incorrect because Quick Install does not specifically deal with provisioning templates.

Option C: It installs all the changes in the device database first and the administrator must reinstall the changes on the FortiGate deviceis incorrect because Quick Install directly applies changes to the FortiGate device, not requiring a separate reinstall step.

FortiManager References:

Refer to "FortiManager Administration Guide" for details on "Quick Install" functionality under "Device Management."

When a FortiGate device, like the ISFW (Internal Segmentation Firewall), is moved from one ADOM to another in FortiManager, the status of the device in the new ADOM will temporarily show some level of inconsistency or unknown state until the ADOM fully syncs and integrates the device.

In the provided options, we are analyzing the FortiManager diagnose dvm device list output for the ISFW device.

Explanation of the Outputs:

Option A:

The output shows that the device has the following status:

dev-db: not modified

conf: in sync

cond: OK

dm: retrieved

The key part here is the pkg: [unknown]. This suggests that the configuration package for the ADOM in the new environment is still in anunknown state, which happens right after moving the device to a new ADOM. FortiManager needs time to process the device's configuration before syncing it properly.

Option B:

This output shows thepkg: [out-of-sync]. This occursaftersome configuration mismatch is identified, but it is not the immediate output after moving a device to a new ADOM.

Option C:

This output showspkg: [never-installed], which indicates that no package was ever installed on the device. This status typically appears when a device is newly added to FortiManager but not immediately after moving it between ADOMs.

Option D:

This output showspkg: [imported], which indicates that the device configuration has been successfully imported into the new ADOM. This would occur after the device is fully synced, but not immediately after moving the device to a new ADOM.

Conclusion:

The output that is displayedimmediately after movingthe ISFW device from one ADOM to another isOption A, where the package status is still unknown (pkg: [unknown]) because FortiManager has not yet fully synchronized the device's configuration in the new ADOM.

In the context of the FortiManager JSON API, thesetmethod is used tocreate new objectsoroverwrite existing ones. The API allows administrators to manage FortiManager and its associated devices by automating tasks like configuration changes, policy updates, and object creation.

Explanation of Options:

A. Set:

This istrue. Thesetmethod is used to create a new object if it does not exist or overwrite an existing object if it already exists. This method is frequently used in API requests to configure settings and apply changes on FortiManager.

B. Add:

This isfalse. Theaddmethod is used to add new objects without overwriting any existing ones. It is used when you want to create a new entry and ensure it doesn't conflict with or replace an existing object.

C. Exec:

This isfalse. Theexecmethod is used to execute specific actions or commands, rather than creating or modifying objects. This is typically used for actions like running scripts or executing operational commands on FortiManager or FortiGate.

D. Update:

This isfalse. While "update" might seem relevant, FortiManager's API does not specifically use an "update" method for modifying or creating objects. Thesetmethod serves that function by both creating new objects and overwriting existing ones.

The configuration shown in the exhibit sets theworkspace-mode to normal. The workspace mode in FortiManager defines how configuration changes and administrative tasks are handled, specifically regarding locking and collaboration in ADOMs (Administrative Domains).

Understanding the workspace modes:

Normal Mode:In this mode, only one administrator at a time can lock and edit an ADOM. The changes made by one administrator must be completed and saved before another administrator can make changes. It prevents concurrent read-write access within the same ADOM.

Workflow Mode:This mode allows multiple administrators to work on different tasks within the same ADOM, but changes still need to be approved before being committed.

Explanation of Options:

A. You can validate administrator login attempts through external servers.

This option is unrelated to the workspace mode. External authentication servers can be used for administrator logins, but that is a different configuration setting (not related to workspace-mode).

B. The same administrator can lock more than one ADOM at the same time.

This istrue. InNormal mode, an administrator can lock multiple ADOMs, meaning they can work on more than one ADOM simultaneously, but each ADOM can only be accessed by one administrator at a time for read-write purposes.

C. Two or more administrators can make configuration changes at the same time, in the same ADOM.

This isfalse. InNormal mode, onlyone administratorcan have read-write access to an ADOM at a time. If another administrator attempts to make changes, they must wait until the ADOM is unlocked by the first administrator.

D. Concurrent read-write access to an ADOM is disabled.

This istrue. InNormal mode, concurrent read-write access is disabled. This means only one administrator at a time can make changes to an ADOM. Other administrators can view the ADOM in read-only mode but cannot make changes until the ADOM is unlocked.

To create and install a policy on a FortiGate device in an ADOM (Administrative Domain) that is in backup mode, the administrator must use a FortiManager script. This is because backup mode restricts direct configuration changes, and scripts can be used to push specific configuration changes without altering the ADOM mode.

Options A, C, and D are incorrect because:

A requires the ADOM to be in normal or advanced mode to create policies directly in the Policy & Objects section.

C suggests disabling offline mode, which is irrelevant to the backup mode configuration.

D implies changing the ADOM mode, which is unnecessary if using a script to perform the task.

FortiManager References:

Refer to FortiManager 7.4 Administrator Guide: Working with ADOMs and Using Scripts for managing policies in backup mode.

Ungraceful closed sessions will keep the ADOM in a locked state until the administrator session times out.

In normal workspace mode, if an administrator closes the session without unlocking the ADOM properly, the ADOM remains locked until the session times out.

The same administrator can lock more than one ADOM at the same time.

In normal workspace mode, an administrator can lock more than one ADOM simultaneously for editing. Each ADOM operates independently in terms of locking and editing.

Meta fields in FortiManager can be used to add additional metadata or custom attributes to various objects, such as firewall addresses or other configuration objects. These meta fields help in organizing and identifying objects with custom information that is not part of the standard configuration. They are particularly useful for categorizing or tagging objects in large environments.

Option A: Policy seq.S will be installed on all managed devices and VDOMs that are listed under Installation Targets.This is correct. The "Install On" column indicates that the policy is targeted for installation on all listed managed devices and VDOMs under Installation Targets.

Option D: Policy seq.# 1 will be installed on the ISFW device root[NAT] and Student[NAT] VDOMs only.This is correct. Policy sequence #1 specifies that it will be installed only on the ISFW device and the VDOMs 'root[NAT]' and 'Student[NAT]' as indicated by the "Install On" column.

Explanation of Incorrect Options:

Option B: Policy seq.# 3 will be skipped because no installation targets are specifiedis incorrect because it is clearly listed under "Installation Targets," which means it will be installed according to the specified configuration.

Option C: Policy seq.# 2 will not be installed on the Local-FortiGate root VDOM because there is no root VDOM in the Installation Targetis incorrect as the exhibit does not show any specific exclusion for seq.# 2 on the Local-FortiGate root VDOM.

FortiManager References:

Refer to the FortiManager Administration Guide sections on "Policy Packages" and "Policy Installation Targets" for more details.

When a root FortiGate device is added to a specific ADOM (like Training), the downstream devices (those that are part of the Security Fabric) will not automatically be authorized in that ADOM. They will typically appear as unauthorized until explicitly authorized by an administrator.