FMG 5.

4 – EXAM TOPICS

1) When installation is performed from the FortiManager, what is the recovery logic used between
FortiManager and FortiGate for an FGFM tunnel?

A. After 15 minutes, FortiGate will unset all CLI commands that were part of the installation that caused
the tunnel to go down.

B. FortiGate will reject the CLI commands that will cause the tunnel to go down.

C. FortiManager will revert and install a previous configuration revision on the managed FortiGate.

D. FortiManager will not push the CLI commands as a part of the installation that will cause the tunnel to
go down.

Answer: C

2) Which of the following statements are true regarding VPN Manager? (Choose three.)

A. VPN Manager must be enabled on a per ADOM basis.

B. VPN Manager automatically adds newly-registered devices to a VPN community.

C. VPN Manager can install common IPsec VPN settings on multiple FortiGate devices at the same time.

D. Common IPsec settings need to be configured only once in a VPN Community for all managed
gateways.

E. VPN Manager automatically creates all the necessary firewall policies for traffic to be tunneled by
IPsec.

Answer: A, C, D
 3) View the following exhibit:

When using Install Config option to install configuration changes to managed FortiGate, which of the
following statements are true? (Choose two.)

A. Will not create new revision in the revision history.

B. Provides the option to preview configuration changes prior to installing them.

C. Installs device-level changes to FortiGate without launching the Install Wizard.

D. Once installed, the install process cannot be canceled and changes will be installed on the managed
device.

Answer: B, C

4) View the following exhibit:

Which of the following statements are true if both FortiManager and FortiGate are behind the NAT
devices? (Choose two.)
A. FortiGate can announce itself to FortiManager only if the FortiManager IP address is configured on
FortiGate under central management.

B. If the FGFM tunnel is torn down, FortiManager will try to re-establish the FGFM tunnel.

C. FortiGate is discovered by FortiManager through the FortiGate NATed IP address.

D. During discovery, the FortiManager NATed IP address is not set by default on FortiGate.

Answer: B, C

5) What is the purpose of the Policy Check feature on FortiManager?

A. To find and merge duplicate policies in the policy package.

B. To find and provide recommendation to combine multiple separate policy packages into one common
policy package.

C. To find and delete disabled firewall policies in the policy package.

D. To find and provide recommendation for optimizing policies in a policy package.

Answer: A

6) View the following exhibit:

Which one of the following statements is true regarding the object named ALL?
A. FortiManager updated the object ALL using FortiManager's value in its database.

B. FortiManager updated the object ALL using FortiGate’s value in its database.

C. FortiManager created the object ALL as a unique entity in its database, which can be only used by this
managed FortiGate.

D. FortiManager installed the object ALL with the updated value.

Answer: C

7) Which of the following conditions trigger FortiManager to create a new revision history?
(Choose two.)

A. When FortiManager installs device-level changes to a managed device.

B. When configuration revision is reverted to previous revision in the revision history.

C. When changes to device-level database is made on FortiManager.

D. When FortiManager is auto-updated with configuration changes made directly on a managed device.

Answer: A, C

8) Which of the following statements are true regarding an FGFM keepalive message? (Choose
two.)

A. It includes the configuration checksum of FortiGate.

B. The keepalive interval for keepalive messages is configured on FortiGate.

C. It is sent only by FortiGate.

D. It is used between FortiManager HA cluster members to make sure cluster members are in sync.

Answer: B, D
 9) An administrator would like to authorize a newly-installed AP using AP Manager. What steps
does the administrator need to perform to authorize an AP?

A. Authorize the new AP using AP Manager and wait until the change is updated on the FortiAP. Changes
to the AP's state do not require installation.

B. Changes to the AP's state must be performed directly on the managed FortiGate.

C. Authorize the new AP using AP Manager and install the policy package changes on the managed
FortiGate.

D. Authorize the new AP using AP Manager and install the device level settings on the managed
FortiGate.

Answer: D

10) An administrator has assigned a global policy package to custom ADOM1. What will happen if
the administrator tries to create a new policy package in custom
ADOM1?

A. When a new policy package is created, you need to reapply the global policy package to the ADOM.

B. When creating a new policy package, can select the option to assign the global policies to the new
package.

C. When a new policy package is created, it automatically assigns the global policies to the new package.

D. When a new policy package is created, you must assign the global policy package from the global
ADOM.

Answer: B
 11) View the following exhibit:

An administrator, Trainer, who is assigned the Super_User profile, is trying to approve a workflow
session that was submitted by another administrator, Student.

However, Trainer is unable to approve the workflow session. What can prevent an admin account that
has Super_User rights over the device from approving a workflow session?

A. Trainer must close Student's workflow session before approving the request.

B. Trainer does not have full rights over this ADOM.

C. Trainer is not a part of workflow approval group.

D. Student, who submitted the workflow session, must first self-approve the request.

Answer: C
 12) View the following exhibit:

What of the following statements are true regarding the output? (Choose two.)

A. Configuration changes have been installed to FortiGate and represents FortiGate configuration has
been changed.

B. The latest revision history for the managed FortiGate does match with the FortiGate running
configuration.

C. The latest revision history for the managed FortiGate does not match with the device-level database.

D. Configuration changes directly made on the FortiGate have been automatically updated to device-
level database.

Answer: A, D

13) An administrator wants to delete an address object that is currently referenced in a firewall
policy. Which one of the following statements is true?

A. FortiManager will replace the deleted address object with the all address object in the referenced
firewall policy.

B. FortiManager will disable the status of the referenced firewall policy.

C. FortiManager will not allow the administrator to delete a referenced address object.

D. FortiManager will replace the deleted address object with the none address object in the referenced
firewall policy.

Answer: C
 14) What are the factory default settings on FortiManager? (Choose three.)

A. Password is fortinet

B. port1 interface IP address is 192.168.1.99/24

C. Service Access is enabled on port1

D. Username is admin

E. Reports and Event Monitor panes are enabled

Answer: B, C, D
 15) View the following exhibit:

Which statement is true regarding this failed installation log?

A. Policy ID 2 is installed without a source address.

B. Policy ID 2 is installed without a source device.

C. Policy ID 2 will not be installed.

D. Policy ID 2 is installed in disabled state.

Answer: A
 16) View the following exhibit, which shows the Download Import Report:

Why it is failing to import firewall policy ID 2?

A. The address object used in policy ID 2 already exist in ADOM database with any as interface
association and conflicts with address object interface association locally on the FortiGate.

B. Policy ID 2 is configured from interface any to port6. FortiManager rejects to import this policy
because any interface does not exist on FortiManager.

C. Policy ID 2 for this managed FortiGate already exists on FortiManager in policy package named
Remote-FortiGate.

D. Policy ID 2 does not have ADOM Interface mapping configured on FortiManager.

Answer: B

17) An administrator is unable to log in to FortiManager. Which one of the following

troubleshooting step should you take to resolve the issue?

A. Make sure FortiManager Access is enabled in the administrator profile.

B. Make sure ADOMs are enabled and the administrator has access to the Global ADOM.

C. Make sure Offline Mode is disabled.

D. Make sure the administrator IP address is part of the trusted hosts.

Answer: D
 18) As a result of enabling FortiAnalyzer features on FortiManager, which one of the following
statements is true?

A. FortiManager can be used only as a logging device.

B. FortiManager will enable ADOMs automatically to collect logs from non-FortiGate devices.

C. FortiManager will send the logging configuration to the managed devices so the managed devices will
start sending logs to FortiManager.

D. FortiManager will reboot.

Answer: C

19) How are the points calculated when using FortiMeter to deploy FortiOS-VM? (Choose two.)

A. Based on the number of sessions on the mgmt interface of FortiOS-VM.

B. Based on the FortiGuard service option enabled for FortiOS-VM.

C. Based on the traffic usage on port1 and port2 on FortiOS-VM.

D. Based on the amount of traffic (per GB) passing through the FortiOS-VM.

Answer: B, C
 20) View the following exhibit.

Which of the following statements are true based on this configuration setting? (Choose two.)

A. This setting will enable the ADOMs feature on FortiManager.

B. This setting is applied globally to all ADOMs.

C. This setting will allow assigning different VDOMs from the same FortiGate to different ADOMs.

D. This setting will allow automatic updates to the policy package configuration for a managed device.

Answer: B, C

21) Which of the following statements are true regarding ADOM revisions? (Choose two.)

A. ADOM revisions can save the current state of all policy packages and objects for an ADOM.

B. ADOM revisions can significantly increase the size of the configuration backups.

C. ADOM revisions can create System Checkpoints for the FortiManager configuration.

D. ADOM revisions can save the current state of the whole ADOM.

Answer: A, B
 22) What does a policy package status of Modified indicate?

A. Policy package configuration has been changed on FortiManager and changes have not yet been
installed on the managed device.

B. The policy package was never imported after a device was registered on FortiManager.

C. FortiManager is unable to determine the policy package status.

D. Policy configuration has been changed on a managed device and changes have not yet been imported
into FortiManager.

Answer: A

23) View the following exhibit:

An administrator has created a firewall address object, Training, which is used in the Local-FortiGate
policy package. When the install operation is performed, which IP/Netmask will be installed on the
Local-FortiGate, for the Training firewall address object?
A. 192.168.0.1/24

B. It will create firewall address group on Local-FortiGate with 192.168.0.1/24 and 10.0.1.0/24 object
values.

C. Local-FortiGate will automatically choose an IP/Netmask based on its network interface settings.

D. 10.0.1.0/24

Answer: C

24) What type of access is automatically enabled on an interface after it is added to FortiClient
Manager?

A. Device Detection

B. FortiTelemetry

C. CAPWAP

D. FMG-Access

Answer: B

25) View the following exhibit:

Which of the following statements are true if the script is executed using Remote FortiGate Directly(via
CLI) option? (Choose two)

A. FortiManager provides a preview of CLI commands before executing this script on a managed
FortiGate.

B. FortiManager will create a new revision history.

C. FortiManager will auto-update FortiManager's device-level database.

D. You must install these changes using Install Wizard.

Answer: A, C

26) What configuration setting for FortiGate is part of a device-level database on FortiManager?

A. Routing

B. Security profiles

C. VIP and IP Pools

D. Firewall policies

Answer: D

27) View the following exhibit:

How will FortiManager try to get updates for antivirus and IPS?

A. From the list of configured override servers with ability to fall back to public FDN servers

B. From the configured override server list only.

C. From the default server fds1.fortinet.com.

D. From public FDNI servers with highest index number only.

Answer: A

28) An administrator ran the reload failure command; diagnose test deploymanager reload config
<deviceid> on FortiManager. What does this command do?

A. It compares and provides differences in configuration on FortiManager with the current running
configuration of the specified FortiGate.

B. It installs the provisioning template configuration on the specified FortiGate.

C. It downloads the latest configuration from the specified FortiGate and performs a reload operation on
the device database.

D. It installs the latest configuration on the specified FortiGate and updates the revision history
database.

Answer: C

29) What does the diagnose cdb check policy-assignment command do?

A. Fixes incorrect ADOM-level object references based on the firewall policies.

B. Internally upgrades existing ADOMs to the same ADOM version in order to clean up and correct the
ADOM syntax.

C. Verifies and checks dynamic mappings, and removes invalid dynamic mappings.
D. Verifies and corrects global ADOM policy package assignments that have been disassociated from an
ADOM.

Answer: C

30) Which of the following statements are true regarding schedule backup of FortiManager?
(Choose two.)

A. Can be configured from the CLI and GUI.

B. Does not back up firmware images saved on FortiManager.

C. Backs up all devices and the FortiGuard database.

D. Supports FTP, SCP, and SFTP.

Answer: A, D
 31) View the following exhibit:

Which one of the following statements is true regarding installation targets in the Install On column?

A. Policy seq.# 3 will be installed on all managed devices and VDOMs that are listed under Installation
Targets.

B. Policy seq.# 3 will be installed on the Trainer[NAT] VDOM only.

C. Policy seq.# 3 will not be installed on any managed device.

D. The Install On column value represents successful installations on the managed devices.

Answer: B
 32) Refer to the following exhibit:

Which of the following statements are true based on this configuration? (Choose two.)

A. Unlocking an ADOM will submit configuration changes automatically to the approval administrator.

B. Unlocking an ADOM will install configuration changes automatically on managed devices.

C. Ungraceful closed sessions will keep the ADOM in a locked state until the administrator session times
out.

D. The same administrator can lock more than one ADOM at the same time.

Answer: C, D

33) View the following exhibit:

An administrator is importing a new device to FortiManager and has selected the shown options. What
will happen if the administrator makes the changes and installs the modified policy package on this
managed FortiGate?
A. The unused objects that are not tied to the firewall policies will be installed on FortiGate.

B. The unused objects that are not tied to the firewall policies will remain as read-only locally on
FortiGate.

C. The unused objects that are not tied to the firewall policies in policy package will be deleted from the
FortiManager database.

D. The unused objects that are not tied to the firewall policies locally on FortiGate will be deleted.

Answer: A

34) In the event that the primary FortiManager fails, which of the following actions must be
performed to return the FortiManager HA to a working state?

A. Secondary device with highest priority will automatically be promoted to the primary role, and
manually reconfigure all other secondary devices to point to the new primary device.

B. FortiManager HA state transition is transparent to administrators and does not require any
reconfiguration.

C. Manually promote one of the secondary devices to the primary role and reconfigure all other
secondary devices to point to the new primary device.

D. Reboot one of the secondary devices to promote it automatically to the primary role and reconfigure
all other secondary devices to point to the new primary device.

Answer: C

35) In addition to the default ADOMs, an administrator has created a new ADOM named Training
for FortiGate devices. The administrator sent a device registration request to FortiManager from
a remote FortiGate. Which one of the following statements is true?

A. The FortiGate will be automatically added to the Training ADOM.

B. By default, the unregistered FortiGate will appear in the root ADOM.

C. The FortiManager administrator must add the unregistered device manually to the Training ADOM
using the Add Device wizard.

D. The FortiGate will be added automatically to the default ADOM named FortiGate.

Answer: B

36) Which of the following statements are true regarding VPN Gateway configuration in VPN
Manager? (Choose two.)

A. Managed gateways are devices managed by FortiManager in the same ADOM

B. External gateways are third-party VPN gateway devices only

C. Protected subnets are the subnets behind the device that you don’t want to allow access to over the
IPsec VPN

D. Managed devices in other ADOMs must be treated as external gateways

Answer: A, D

37) An administrator’s PC crashed before the administrator could submit a workflow session for
approval. After the PC restarted, the administrator noticed that the ADOM was locked from the
session before the crash. How can the administrator unlock the ADOM?

A. The administrator must log in as Super_User in order to unlock the ADOM.

B. The administrator must restore the configuration from a previous backup.

C. Delete the previous admin session manually through the FortiManager’s GUI or CLI.

D. The administrator must log in using the same administrator account to unlock the ADOM

Answer: D
 38) An administrator removed one of the secondary devices from the FortiManager HA cluster.
What change will be pushed by the primary FortiManager device?

A. FortiManager will remove the secondary device’s IP address and serial number immediately from the
central management configuration of managed devices.

B. FortiManager will remove the secondary device’s serial number immediately from the central
management configuration of managed devices.

C. FortiManager will remove the secondary device’s IP address immediately from the central
management configuration of managed devices.

D. FortiManager will remove the secondary device’s IP address from the server-list configuration central
management configuration of managed devices.

Answer: A

39) Which of the following are included in the FortiManager backup? (Choose two.)

A. Global database

B. FortiGuard database

C. Logs

D. All devices

Answer: C, D

40) Which of the following statements are true regarding reverting to previous revision version from
the revision history? (Choose two.)

A. To push these changes to a managed device, it required an install operation to the managed
FortiGate.

B. Reverting to a previous revision history will generate a new version ID and remove all other history
versions.
C. Reverting to a previous revision history will tag the device settings status as Auto-Update.

D. It will modify device-level database

Answer: AD

41) View the following exhibit:

An administrator logs in to the FortiManager GUI and sees these panes. Which of the following can be
the reason the FortiAnalyzer feature panes don’t appear? (Choose two.)

A. The administrator IP address is not a part of the trusted hosts configured on FortiManager’s
interfaces.

B. FortiAnalyzer features are not enabled on FortiManager.

C. The administrator logged in using unsecure protocol HTTP, so the view is restricted.

D. The administrator profile does not have full access privileges like the Super_User profile

Answer: A, B
 42) An administrator has assigned a global policy package to custom ADOM1. Then the
administrator created a new policy package, Fortinet, in the custom ADOM1. Which one of the
following statements is true regarding global policy package assignment to the newly-created
policy package Fortinet?

A. When a new policy package is created, you need to reapply the global policy package to the ADOM.

B. When a new policy package is created, it automatically assigns the global policies to the new package.

C. When a new policy package is created, you need to assign the global policy package from the global
ADOM.

D. When a new policy package is created, you can select the option to assign the global policies to the
new package.

Answer: B

43) An administrator has enabled Service Access on FortiManager. What is the purpose of Service
Access on the FortiManager interface?

A. Allows FortiManager to run real-time debugs on the managed devices.

B. Allows FortiManager to respond to requests for FortiGuard services from FortiGate devices.

C. Allows FortiManager to automatically configure a default route.

D. Allows FortiManager to download IPS packages.

Answer: B

44) What is the purpose of the ADOM revisions?

A. To revert individual policy packages and device-level settings for a managed FortiGate by reverting to
a specific ADOM revision.

B. To create System Checkpoints for the FortiManager configuration.

C. To save the current state of all policy packages and objects for an ADOM.

D. To save the current state of the whole ADOM.

Answer: C

45) An administrator configured a new firewall policy on FortiManager and has yet pushed to the
managed FortiGate. In which database will the configuration be saved?

A. Configuration-level database

B. Device-level database

C. ADOM-level database

D. Revision history database

Answer: B

46) Which of the following statements about the Policy Check feature on FortiManager is true?

A. It provides recommendation to combine similar policy packages within a ADOM into one single policy
package.

B. It compares the policy packages with the revision history, and updates policy packages in the ADOM
database.

C. It provides recommendation for optimizing policies in a policy package.

D. It merges and creates dynamic mapping for duplicate objects used in a policy package.

Answer: C
 47) View the following exhibit:

An administrator used the value shown in the exhibit when importing a Local-FortiGate into
FortiManager. What name will be used to display the firewall policy for port1?

A. port1 on FortiGate and WAN on FortiManager

B. port1 on both FortiGate and FortiManager

C. WAN zone on FortiGate and WAN zone on FortiManager

D. WAN zone on FortiGate and WAN interface on FortiManager

Answer: A

48) An administrator has configured the following command on FortiManager:

A configuration change has been installed from FortiManager to the managed FortiGate that causes the
FGFM tunnel to go down for more than 15 minutes. What is the purpose of this command?
A. It allows FortiGate to reboot and recover the previous configuration from its configuration file.

B. It allows FortiGate to unset central management settings.

C. It allows the FortiManager to revert and install a previous configuration revision on the managed
FortiGate.

D. It allows FortiGate to reboot and restore a previously working firmware image.

Answer: A

49) View the following exhibit:

An administrator has created a firewall address object which is used in multiple policy packages for
multiple FortiGate devices in a ADOM. When the install operation is performed, which IP/Netmask will
be installed on managed devices, for this firewall address object?

A. 10.200.1.0/24 on Remote-FortiGate

B. FortiManager administrator can choose the value for the firewall address object in the Install Wizard
for Remote-FortiGate

C. 192.168.0.1/24 on Remote-FortiGate

D. If no dynamic mapping is defined for other FortiGate devices, the object will not be installed

Answer: A

50) View the following exhibit:

Which of the following statements are true based on this configuration? (Choose two.)

A. It allows two or more administrators to make configuration changes at the same time, in the same
ADOM.

B. It disables concurrent read-write access to an ADOM.

C. It allows the same administrator to lock more than one ADOM at the same time.

D. It is used to validate your administrator login attempts through external servers.

Answer: B, C
 51) An administrator is replacing a device on FortiManager by running the following command:
execute device replace sn <devname> <serialnum>. What device name and serial number must
the administrator use?

A. Device name of the original device and serial number of the replacement device.

B. Device name and serial number of the replacement device.

C. Both device name and serial number of the original device. The administrator must update the
hostname manually on the replacement device to match the device name currently on FortiManager.

D. Device name of the replacement device and serial number of the original device.

Answer: A

52) View the following exhibit:

Which of the following statements are true if the script is executed using Device Database option?
(Choose two.)

A. The Device Settings Status will be tagged as Modified

B. Successful execution of script on Device Database will create a new revision history

C. The script history will show successful installation of script on the remote FortiGate

D. You must install these changes using Install Wizard to a managed device

Answer: B, C

53) View the following exhibit:

Which of the following statements are true regarding when ADOM is set as Normal mode on the
FortiManager? (Choose two.)

A. Cannot assign the same ADOM to multiple administrators

B. Supports FortiManager script feature

C. FortiManager automatically installs the configuration difference in revisions on the managed

FortiGate

D. Allows making configuration changes for managed devices on FortiManager panes

Answer: C, D

54) What does a policy package status of Conflict indicate?

A. Policy package configuration has been changed on both FortiManager and the managed device
independently.

B. The policy package reports inconsistencies and conflicts during a Policy Consistency Check

C. The policy package doesn’t have a FortiGate as the installation target.

D. Policy configuration has never been imported after a device was registered on FortiManager

Answer: B

55) Which of the following statements are true regarding device management on FortiManager?
(Choose two.)

A. FortiGate in transparent mode configurations are not counted toward the device count on
FortiManager.

B. The maximum number of managed devices for each ADOM is 500.

C. FortiGate devices in HA cluster devices are counted as a single device.

D. FortiGate devices in an HA cluster that has five VDOMs are counted as five separate devices.

Answer: C, D
 56) What does the diagnose dvm check-integrity command do? (Choose two.)

A. Verifies and corrects database schemas in all object tables.

B. Internally upgrades existing ADOMs to the same ADOM version in order to clean up and correct the
ADOM syntax.

C. Verifies and corrects duplicate VDOM entries.

D. Verifies and corrects unregistered, registered, and deleted device states.

Answer: C, D