Fortinet FCP_FMG_AD-7.6 Dumps

FortiManager must have the NAT device ' s IP address and correct ports configured to communicate properly with the FortiGate behind NAT.

The NAT device must have the correct virtual IP address and ports configured to allow push updates to reach the FortiGate device.

The most strongly supported answer is A . The study guide explicitly states: “In the case of having multiple FortiOS firmware versions on the same ADOM, it is recommended to use separate ADOMs instead.” It also says: “When you organize managed FortiGate devices, it is highly recommended that you group them based on their FortiOS firmware version. This is because valid command syntax varies by firmware version, which affects script compatibility.”

D is the other practical fix supported by FortiManager workflow. The study guide states that FortiManager can run scripts on multiple managed devices at once , and device groups let you run scripts on multiple devices instead of a single device . Combined with the firmware-version compatibility rule above, the correct operational approach is to keep version-specific scripts and apply them only to the matching device sets. B and C are not supported by the uploaded study guide as the recommended fix.

=========

Running the script through the policy package or ADOM database method allows FortiManager to properly interpret object relationships and dependencies in the IPsec configuration, preventing object mismatch errors when pushing complex VPN settings directly via CLI.

When a script is run using Remote FortiGate Directly via CLI , FortiManager sends the commands straight to the FortiGate and does not preview or validate dependent objects first . The study guide also explains that scripts containing ADOM-level objects or dynamic mappings must be executed on the Policy Package or ADOM Database , then installed through the installation workflow. That matches this IPsec error scenario, where phase2-interface is referencing an object relationship that FortiManager cannot properly validate in direct CLI mode. Therefore, the administrator should run the script on the policy package or ADOM database method , then install it.

Option A addresses only one possible syntax issue. B is a valid deployment approach in general, but it is not what the question asks as the direct fix for this script execution error. C is incorrect and would not resolve the object dependency mismatch.

The import process shows that FortiManager will create normalized interfaces named LAN, port4, and port6 at the ADOM layer, mapping them to the corresponding device interfaces based on the import settings.

The correct answer is B . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “Performing a revert operation followed by an installation only reverts device-level changes and does not revert policy packages. To achieve full synchronization, you must run the Import Configuration tool on FortiManager to synchronize the policy package.”

The guide also states: “After every retrieve, auto-update, or revert operation, you must use Import Configuration to ensure the policy information is synchronized.”

In the exhibit, the missing unset comment for policy ID 1 is a policy package issue, not just a device-level revert issue. Reinstalling the existing policy package does not automatically rebuild it from the reverted revision. The administrator must import the firewall policies again so the policy package reflects the reverted policy state. That is why the comment was not removed.

=========

The correct answer is C . The installation log explicitly says: “Dynamic interface ‘LAN’ mapping undefined for device HQ-NGFW-1” . That means the policy is using a normalized interface , but FortiManager has no valid mapping for that device. The FortiManager 7.6 Administrator Study Guide states that “Interfaces are mapped per device, per platform, or both” and “When the normalized interface is used in a policy, the per-device mappings have higher priority than per-platform mappings.”

The lab guide also shows that during import or policy mapping fixes, the administrator can set the Mapping Type to Per-Device for interfaces.

So the correct fix is to create a per-device mapping for the normalized interface LAN for that FortiGateRugged-70F. Hardcoding lan1 in the policy is not the best FortiManager method because interface mapping is designed specifically to avoid that.

=========

The correct answer is D . The exact extract from the study guide says a revert operation “Reverts only the device database to the previous revision” and “Does not revert policies and objects—you must import them.” It further states: “Performing a revert operation followed by an installation only reverts device-level changes and does not revert policy packages.”

That exactly matches the CLI output. The device shows the device manager portion as installed and synchronized, while the policy package appears as unknown, which indicates the revert and installation affected the device-level configuration only . It did not reinstall or synchronize the policy package. Therefore B is incorrect. A is unsupported by the source, and C is unrelated because the firmware version is already shown in the device list output. The study guide also states that after revert you must use Import Configuration to synchronize policy information.

The correct answer is D . The FortiManager 7.6 Administrator Study Guide states: “You can revert to a previous configuration revision” and “Reverts only the device database to the previous revision” . It also states “Does not revert policies and objects—you must import them” and “You must install reverted changes on FortiGate.”

This exactly means a revert operation changes the device-level database on FortiManager, not the policy layer database. The guide further clarifies: “Performing a revert operation followed by an installation only reverts device-level changes and does not revert policy packages.”

So C is incorrect because both layers are not reverted together. A and B are also incorrect because the documented and verified effect is specifically a modification of the device database , followed by install and, if needed, policy re-import for synchronization.

=========

The import report shows that a new policy package named Remote-FortiGate_root will be created in the FortiManager ADOM database, but some firewall addresses and policies failed to import due to interface binding conflicts.

The correct answer is B . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “Also note when you upgrade the FortiManager firmware version the existing ADOMs are not automatically upgraded.” This directly explains why the administrator saw the FortiManager upgrade complete while the ADOM versions remained unchanged.

The same section also explains that ADOM upgrades are a separate action: “You can upgrade an ADOM in System Settings > ADOMs” and “Can upgrade to one version higher at a time.” In addition, the guide recommends: “upgrade all devices first, and then upgrade the ADOM.”

So the issue is not workspace mode, locked ADOMs, or a stuck task. The ADOMs simply require their own manual upgrade step after the FortiManager firmware upgrade.

The correct answer is D . The lab guide explains that when an installation fails, the installation log shows the commands that the managed device received and accepted, as well as the commands that the managed device did not accept .

From the exhibit, FortiGate accepted the policy creation commands for policy ID 2 such as set srcintf port3, set dstintf port1, set srcaddr all, set dstaddr all, set action accept, and set schedule always. However, the line set users student failed with “entry not found in datasource” and “value parse error before ' student ' ” . That shows the user reference was not accepted, while the rest of the policy commands were processed. Therefore, policy ID 2 is still created, but without the remote user student . This rules out A , B , and C .

=========

Using the Install Wizard is the recommended method to reinstall the central policy package on the BR1-FGT-1 firewall, ensuring all settings, installation targets, and dependencies are correctly processed during installation.

The correct answers are B and C . The FortiManager 7.6 Administrator Study Guide explicitly states: “Scripts that you run directly on remote devices also cause automatic updates and create a revision history.” This exact extract proves both results: FortiManager creates a new revision history and the device status becomes Auto-Updated , meaning the FortiGate change is automatically reflected in the FortiManager device-level database.

The lab guide also distinguishes this from database-targeted scripts by stating: “You must perform an installation if you run a script on a device database, policy package, or ADOM database.” That wording excludes Remote FortiGate Directly via CLI , so D is incorrect.

A is also incorrect because direct remote execution does not use the install preview workflow; preview and validation are tied to Install Wizard operations, not direct CLI execution.

=========

The correct answer is C . The uploaded FortiManager 7.6 Administrator Lab Guide gives the exact extract: “FortiManager will update the universally unique identifiers (UUID) without deleting other configurations” and “UUIDs on both FortiGate and FortiManager are critical for ensuring the unique identification, consistency, and correct management of firewall policies across multiple devices and configurations. They provide a reliable and immutable reference for policies.”

The same source also shows administrators enabling UUIDs in Traffic Log on FortiGate log settings, which supports the logging and policy-correlation use case with FortiAnalyzer/FortiManager.

So the attribute that improves policy identification and logging correlation is the Universally Unique Identifier , not Policy ID, Log ID, or Sequence ID.

=========

Enabling a workflow with approval ensures that any policy package changes must be reviewed and approved before installation, preventing administrators from repeating configuration mistakes and enforcing change control.

The FortiManager 7.6 Administrator Study Guide states under Copying System Templates Between ADOMs : “The first step is to export the system template from the original ADOM with the execute fmprofile export-profile command” and shows the output file being written to /tmp/Training , described as “File copied in FortiManager tmp folder.”

The key point is that the command exports the system template profile from the original ADOM , while /tmp/Backup_File is only the destination path on FortiManager where the exported file is stored. The same study guide also defines system templates as a “subset of model device configuration—system-level settings” , which means they belong to the device-level side of the ADOM , not the policy database.

So the export source is the ADOM device database , and the file is saved afterward in the FortiManager /tmp folder.

The correct answer is B . The error occurs because the script is being run on the policy package database , but the failing command is config sys interface, which is a device-level configuration command, not a policy-layer command. The lab guide gives the exact relationship: “Because the scripts target the device database, first, you will run the scripts against the device database, and then install the scripts on the managed devices” and “The scripts contain configuration changes related to device-level settings.”

By contrast, the lab guide shows Policy Package or ADOM Database scripts being used for firewall objects and policies in a policy package.

So this NetFlow script must be run on the device database , then installed. The issue is not VDOM permissions, metadata variables, or normalized interfaces.

The correct answer is B . The LAN address object shown in the exhibit has a default value of 10.0.0.0/255.255.255.0 , and it has per-device mappings only for BR1-FGT-1 , HQ-NGFW-1 , and Local-Firewall . There is no per-device mapping entry for Remote-Firewall .

The FortiManager 7.6 Administrator Study Guide gives the exact rule for this behavior: “The devices in the ADOM that do not have a dynamic mapping for LAN have a default value” . The same page also explains that dynamic objects let you map one logical object to unique values per device , but devices without a mapping use the object’s default definition.

Since Remote-Firewall is not listed in the Per-Device Mapping table, it inherits the default LAN value: 10.0.0.0/255.255.255.0 .

=========

The correct answer is C . The FortiManager 7.6 Administrator Study Guide gives the exact extract: “If you need to move a device from one ADOM to another, run the Import Configuration wizard to import the policy package into the new ADOM.” It also states: “When you move devices from one ADOM to another ADOM, shared policy packages and objects do not move to the new ADOM. You will need to import policy packages from managed devices.”

That is exactly why the administrator cannot see the policy and object configuration after the move: the device itself moved, but its shared policy package and objects did not automatically move with it. The required corrective action is to manually import the policy package into the new ADOM using Import Configuration . Options A , B , and D are not the documented remedy in the uploaded FortiManager sources.

=========