Beruflich Dokumente
Kultur Dokumente
4 – EXAM TOPICS
1) When installation is performed from the FortiManager, what is the recovery logic used between
FortiManager and FortiGate for an FGFM tunnel?
A. After 15 minutes, FortiGate will unset all CLI commands that were part of the installation that caused
the tunnel to go down.
B. FortiGate will reject the CLI commands that will cause the tunnel to go down.
C. FortiManager will revert and install a previous configuration revision on the managed FortiGate.
D. FortiManager will not push the CLI commands as a part of the installation that will cause the tunnel to
go down.
Answer: C
2) Which of the following statements are true regarding VPN Manager? (Choose three.)
C. VPN Manager can install common IPsec VPN settings on multiple FortiGate devices at the same time.
D. Common IPsec settings need to be configured only once in a VPN Community for all managed
gateways.
E. VPN Manager automatically creates all the necessary firewall policies for traffic to be tunneled by
IPsec.
Answer: A, C, D
3) View the following exhibit:
When using Install Config option to install configuration changes to managed FortiGate, which of the
following statements are true? (Choose two.)
D. Once installed, the install process cannot be canceled and changes will be installed on the managed
device.
Answer: B, C
Which of the following statements are true if both FortiManager and FortiGate are behind the NAT
devices? (Choose two.)
A. FortiGate can announce itself to FortiManager only if the FortiManager IP address is configured on
FortiGate under central management.
B. If the FGFM tunnel is torn down, FortiManager will try to re-establish the FGFM tunnel.
D. During discovery, the FortiManager NATed IP address is not set by default on FortiGate.
Answer: B, C
B. To find and provide recommendation to combine multiple separate policy packages into one common
policy package.
Answer: A
Which one of the following statements is true regarding the object named ALL?
A. FortiManager updated the object ALL using FortiManager's value in its database.
B. FortiManager updated the object ALL using FortiGate’s value in its database.
C. FortiManager created the object ALL as a unique entity in its database, which can be only used by this
managed FortiGate.
Answer: C
7) Which of the following conditions trigger FortiManager to create a new revision history?
(Choose two.)
D. When FortiManager is auto-updated with configuration changes made directly on a managed device.
Answer: A, C
8) Which of the following statements are true regarding an FGFM keepalive message? (Choose
two.)
D. It is used between FortiManager HA cluster members to make sure cluster members are in sync.
Answer: B, D
9) An administrator would like to authorize a newly-installed AP using AP Manager. What steps
does the administrator need to perform to authorize an AP?
A. Authorize the new AP using AP Manager and wait until the change is updated on the FortiAP. Changes
to the AP's state do not require installation.
B. Changes to the AP's state must be performed directly on the managed FortiGate.
C. Authorize the new AP using AP Manager and install the policy package changes on the managed
FortiGate.
D. Authorize the new AP using AP Manager and install the device level settings on the managed
FortiGate.
Answer: D
10) An administrator has assigned a global policy package to custom ADOM1. What will happen if
the administrator tries to create a new policy package in custom
ADOM1?
A. When a new policy package is created, you need to reapply the global policy package to the ADOM.
B. When creating a new policy package, can select the option to assign the global policies to the new
package.
C. When a new policy package is created, it automatically assigns the global policies to the new package.
D. When a new policy package is created, you must assign the global policy package from the global
ADOM.
Answer: B
11) View the following exhibit:
An administrator, Trainer, who is assigned the Super_User profile, is trying to approve a workflow
session that was submitted by another administrator, Student.
However, Trainer is unable to approve the workflow session. What can prevent an admin account that
has Super_User rights over the device from approving a workflow session?
A. Trainer must close Student's workflow session before approving the request.
D. Student, who submitted the workflow session, must first self-approve the request.
Answer: C
12) View the following exhibit:
What of the following statements are true regarding the output? (Choose two.)
A. Configuration changes have been installed to FortiGate and represents FortiGate configuration has
been changed.
B. The latest revision history for the managed FortiGate does match with the FortiGate running
configuration.
C. The latest revision history for the managed FortiGate does not match with the device-level database.
D. Configuration changes directly made on the FortiGate have been automatically updated to device-
level database.
Answer: A, D
13) An administrator wants to delete an address object that is currently referenced in a firewall
policy. Which one of the following statements is true?
A. FortiManager will replace the deleted address object with the all address object in the referenced
firewall policy.
C. FortiManager will not allow the administrator to delete a referenced address object.
D. FortiManager will replace the deleted address object with the none address object in the referenced
firewall policy.
Answer: C
14) What are the factory default settings on FortiManager? (Choose three.)
A. Password is fortinet
D. Username is admin
Answer: B, C, D
15) View the following exhibit:
Answer: A
16) View the following exhibit, which shows the Download Import Report:
A. The address object used in policy ID 2 already exist in ADOM database with any as interface
association and conflicts with address object interface association locally on the FortiGate.
B. Policy ID 2 is configured from interface any to port6. FortiManager rejects to import this policy
because any interface does not exist on FortiManager.
C. Policy ID 2 for this managed FortiGate already exists on FortiManager in policy package named
Remote-FortiGate.
Answer: B
B. Make sure ADOMs are enabled and the administrator has access to the Global ADOM.
Answer: D
18) As a result of enabling FortiAnalyzer features on FortiManager, which one of the following
statements is true?
B. FortiManager will enable ADOMs automatically to collect logs from non-FortiGate devices.
C. FortiManager will send the logging configuration to the managed devices so the managed devices will
start sending logs to FortiManager.
Answer: C
19) How are the points calculated when using FortiMeter to deploy FortiOS-VM? (Choose two.)
D. Based on the amount of traffic (per GB) passing through the FortiOS-VM.
Answer: B, C
20) View the following exhibit.
Which of the following statements are true based on this configuration setting? (Choose two.)
C. This setting will allow assigning different VDOMs from the same FortiGate to different ADOMs.
D. This setting will allow automatic updates to the policy package configuration for a managed device.
Answer: B, C
21) Which of the following statements are true regarding ADOM revisions? (Choose two.)
A. ADOM revisions can save the current state of all policy packages and objects for an ADOM.
B. ADOM revisions can significantly increase the size of the configuration backups.
C. ADOM revisions can create System Checkpoints for the FortiManager configuration.
D. ADOM revisions can save the current state of the whole ADOM.
Answer: A, B
22) What does a policy package status of Modified indicate?
A. Policy package configuration has been changed on FortiManager and changes have not yet been
installed on the managed device.
B. The policy package was never imported after a device was registered on FortiManager.
D. Policy configuration has been changed on a managed device and changes have not yet been imported
into FortiManager.
Answer: A
An administrator has created a firewall address object, Training, which is used in the Local-FortiGate
policy package. When the install operation is performed, which IP/Netmask will be installed on the
Local-FortiGate, for the Training firewall address object?
A. 192.168.0.1/24
B. It will create firewall address group on Local-FortiGate with 192.168.0.1/24 and 10.0.1.0/24 object
values.
C. Local-FortiGate will automatically choose an IP/Netmask based on its network interface settings.
D. 10.0.1.0/24
Answer: C
24) What type of access is automatically enabled on an interface after it is added to FortiClient
Manager?
A. Device Detection
B. FortiTelemetry
C. CAPWAP
D. FMG-Access
Answer: B
A. FortiManager provides a preview of CLI commands before executing this script on a managed
FortiGate.
Answer: A, C
26) What configuration setting for FortiGate is part of a device-level database on FortiManager?
A. Routing
B. Security profiles
D. Firewall policies
Answer: D
A. From the list of configured override servers with ability to fall back to public FDN servers
Answer: A
28) An administrator ran the reload failure command; diagnose test deploymanager reload config
<deviceid> on FortiManager. What does this command do?
A. It compares and provides differences in configuration on FortiManager with the current running
configuration of the specified FortiGate.
C. It downloads the latest configuration from the specified FortiGate and performs a reload operation on
the device database.
D. It installs the latest configuration on the specified FortiGate and updates the revision history
database.
Answer: C
29) What does the diagnose cdb check policy-assignment command do?
B. Internally upgrades existing ADOMs to the same ADOM version in order to clean up and correct the
ADOM syntax.
C. Verifies and checks dynamic mappings, and removes invalid dynamic mappings.
D. Verifies and corrects global ADOM policy package assignments that have been disassociated from an
ADOM.
Answer: C
30) Which of the following statements are true regarding schedule backup of FortiManager?
(Choose two.)
Answer: A, D
31) View the following exhibit:
Which one of the following statements is true regarding installation targets in the Install On column?
A. Policy seq.# 3 will be installed on all managed devices and VDOMs that are listed under Installation
Targets.
D. The Install On column value represents successful installations on the managed devices.
Answer: B
32) Refer to the following exhibit:
Which of the following statements are true based on this configuration? (Choose two.)
A. Unlocking an ADOM will submit configuration changes automatically to the approval administrator.
C. Ungraceful closed sessions will keep the ADOM in a locked state until the administrator session times
out.
D. The same administrator can lock more than one ADOM at the same time.
Answer: C, D
An administrator is importing a new device to FortiManager and has selected the shown options. What
will happen if the administrator makes the changes and installs the modified policy package on this
managed FortiGate?
A. The unused objects that are not tied to the firewall policies will be installed on FortiGate.
B. The unused objects that are not tied to the firewall policies will remain as read-only locally on
FortiGate.
C. The unused objects that are not tied to the firewall policies in policy package will be deleted from the
FortiManager database.
D. The unused objects that are not tied to the firewall policies locally on FortiGate will be deleted.
Answer: A
34) In the event that the primary FortiManager fails, which of the following actions must be
performed to return the FortiManager HA to a working state?
A. Secondary device with highest priority will automatically be promoted to the primary role, and
manually reconfigure all other secondary devices to point to the new primary device.
B. FortiManager HA state transition is transparent to administrators and does not require any
reconfiguration.
C. Manually promote one of the secondary devices to the primary role and reconfigure all other
secondary devices to point to the new primary device.
D. Reboot one of the secondary devices to promote it automatically to the primary role and reconfigure
all other secondary devices to point to the new primary device.
Answer: C
35) In addition to the default ADOMs, an administrator has created a new ADOM named Training
for FortiGate devices. The administrator sent a device registration request to FortiManager from
a remote FortiGate. Which one of the following statements is true?
D. The FortiGate will be added automatically to the default ADOM named FortiGate.
Answer: B
36) Which of the following statements are true regarding VPN Gateway configuration in VPN
Manager? (Choose two.)
C. Protected subnets are the subnets behind the device that you don’t want to allow access to over the
IPsec VPN
Answer: A, D
37) An administrator’s PC crashed before the administrator could submit a workflow session for
approval. After the PC restarted, the administrator noticed that the ADOM was locked from the
session before the crash. How can the administrator unlock the ADOM?
C. Delete the previous admin session manually through the FortiManager’s GUI or CLI.
D. The administrator must log in using the same administrator account to unlock the ADOM
Answer: D
38) An administrator removed one of the secondary devices from the FortiManager HA cluster.
What change will be pushed by the primary FortiManager device?
A. FortiManager will remove the secondary device’s IP address and serial number immediately from the
central management configuration of managed devices.
B. FortiManager will remove the secondary device’s serial number immediately from the central
management configuration of managed devices.
C. FortiManager will remove the secondary device’s IP address immediately from the central
management configuration of managed devices.
D. FortiManager will remove the secondary device’s IP address from the server-list configuration central
management configuration of managed devices.
Answer: A
39) Which of the following are included in the FortiManager backup? (Choose two.)
A. Global database
B. FortiGuard database
C. Logs
D. All devices
Answer: C, D
40) Which of the following statements are true regarding reverting to previous revision version from
the revision history? (Choose two.)
A. To push these changes to a managed device, it required an install operation to the managed
FortiGate.
B. Reverting to a previous revision history will generate a new version ID and remove all other history
versions.
C. Reverting to a previous revision history will tag the device settings status as Auto-Update.
Answer: AD
An administrator logs in to the FortiManager GUI and sees these panes. Which of the following can be
the reason the FortiAnalyzer feature panes don’t appear? (Choose two.)
A. The administrator IP address is not a part of the trusted hosts configured on FortiManager’s
interfaces.
C. The administrator logged in using unsecure protocol HTTP, so the view is restricted.
D. The administrator profile does not have full access privileges like the Super_User profile
Answer: A, B
42) An administrator has assigned a global policy package to custom ADOM1. Then the
administrator created a new policy package, Fortinet, in the custom ADOM1. Which one of the
following statements is true regarding global policy package assignment to the newly-created
policy package Fortinet?
A. When a new policy package is created, you need to reapply the global policy package to the ADOM.
B. When a new policy package is created, it automatically assigns the global policies to the new package.
C. When a new policy package is created, you need to assign the global policy package from the global
ADOM.
D. When a new policy package is created, you can select the option to assign the global policies to the
new package.
Answer: B
43) An administrator has enabled Service Access on FortiManager. What is the purpose of Service
Access on the FortiManager interface?
B. Allows FortiManager to respond to requests for FortiGuard services from FortiGate devices.
Answer: B
A. To revert individual policy packages and device-level settings for a managed FortiGate by reverting to
a specific ADOM revision.
Answer: C
45) An administrator configured a new firewall policy on FortiManager and has yet pushed to the
managed FortiGate. In which database will the configuration be saved?
A. Configuration-level database
B. Device-level database
C. ADOM-level database
Answer: B
46) Which of the following statements about the Policy Check feature on FortiManager is true?
A. It provides recommendation to combine similar policy packages within a ADOM into one single policy
package.
B. It compares the policy packages with the revision history, and updates policy packages in the ADOM
database.
D. It merges and creates dynamic mapping for duplicate objects used in a policy package.
Answer: C
47) View the following exhibit:
An administrator used the value shown in the exhibit when importing a Local-FortiGate into
FortiManager. What name will be used to display the firewall policy for port1?
Answer: A
A configuration change has been installed from FortiManager to the managed FortiGate that causes the
FGFM tunnel to go down for more than 15 minutes. What is the purpose of this command?
A. It allows FortiGate to reboot and recover the previous configuration from its configuration file.
C. It allows the FortiManager to revert and install a previous configuration revision on the managed
FortiGate.
Answer: A
A. 10.200.1.0/24 on Remote-FortiGate
B. FortiManager administrator can choose the value for the firewall address object in the Install Wizard
for Remote-FortiGate
C. 192.168.0.1/24 on Remote-FortiGate
D. If no dynamic mapping is defined for other FortiGate devices, the object will not be installed
Answer: A
Which of the following statements are true based on this configuration? (Choose two.)
A. It allows two or more administrators to make configuration changes at the same time, in the same
ADOM.
C. It allows the same administrator to lock more than one ADOM at the same time.
Answer: B, C
51) An administrator is replacing a device on FortiManager by running the following command:
execute device replace sn <devname> <serialnum>. What device name and serial number must
the administrator use?
A. Device name of the original device and serial number of the replacement device.
C. Both device name and serial number of the original device. The administrator must update the
hostname manually on the replacement device to match the device name currently on FortiManager.
D. Device name of the replacement device and serial number of the original device.
Answer: A
B. Successful execution of script on Device Database will create a new revision history
C. The script history will show successful installation of script on the remote FortiGate
D. You must install these changes using Install Wizard to a managed device
Answer: B, C
Which of the following statements are true regarding when ADOM is set as Normal mode on the
FortiManager? (Choose two.)
A. Policy package configuration has been changed on both FortiManager and the managed device
independently.
B. The policy package reports inconsistencies and conflicts during a Policy Consistency Check
D. Policy configuration has never been imported after a device was registered on FortiManager
Answer: B
55) Which of the following statements are true regarding device management on FortiManager?
(Choose two.)
A. FortiGate in transparent mode configurations are not counted toward the device count on
FortiManager.
D. FortiGate devices in an HA cluster that has five VDOMs are counted as five separate devices.
Answer: C, D
56) What does the diagnose dvm check-integrity command do? (Choose two.)
B. Internally upgrades existing ADOMs to the same ADOM version in order to clean up and correct the
ADOM syntax.
Answer: C, D