Pass the Fortinet Network Security Expert FCP_FMG_AD-7.6 Questions and answers with ValidTests

The configuration includes a server-list with server-type set to "update rating," which enables FortiGate HQ-NGFW-1 to contact FortiManager as a FortiGuard Distribution Server (FDS) for FortiGuard updates.

The installation includes a root_CA3 certificate, which FortiManager will install on FortiGate HQ-NGFW-1 to authenticate FGFM tunnel connections between the devices.

FortiManager creates a new revision history entry whenever changes are made to the device-level database on FortiManager.

FortiManager also creates a new revision when it auto-updates its database with configuration changes detected directly on a managed device.

FortiManager must have the NAT device's IP address and correct ports configured to communicate properly with the FortiGate behind NAT.

The NAT device must have the correct virtual IP address and ports configured to allow push updates to reach the FortiGate device.

The error occurs because the FortiToken used (FTKM0B4A9AC5C56D) must already exist and be registered on the FortiGate device HQ-NGFW-1. FortiManager cannot push or create new FortiTokens on the device; the token must be valid and present on the FortiGate before it can be assigned to a user.

The status "pending" indicates the latest revision history does not match the device-level database, meaning there are unapplied changes.

The template is marked as [modified], so the system template default will override device-level database configurations when installed.

Limiting ADOM revisions reduces the number of stored historical configurations, which helps avoid performance degradation and slow ADOM upgrades caused by a large volume of revisions.

If a BGP template is assigned to the FortiGate device on FortiManager, device-level BGP configurations made directly in the device-level database are overridden by the template settings, so the changes do not get pushed to the device.

When using scripts that reference VDOM-specific objects, such as interfaces, in FortiManager, metadata variables must be used to correctly map those objects per VDOM. This prevents "object unrecognized" errors during script execution.

The correct answer is A . This conclusion comes from the HA settings shown in the exhibit plus Fortinet’s HA behavior. In the exhibit, HQ-NGFW-1 has memory-based-failover enabled , memory-failover-threshold 70 , memory-failover-monitor-period 50 , and its memory usage is about 90% , while HQ-NGFW-2 is about 48.7% . Fortinet’s official documentation states that memory-failover-threshold is the memory percentage that triggers failover, and memory-failover-monitor-period is the duration high memory must persist before failover occurs. It also states that if utilization stays above the threshold for the entire monitor period, a failover is triggered , and the peer becomes primary. ( Fortinet Document Library )

Because the condition was observed for 55 seconds , which is longer than the configured 50-second monitor period , the cluster would fail over from HQ-NGFW-1 to HQ-NGFW-2 due to the memory-failover-threshold condition. The priority setting does not explain this result here, because override is disabled , and flip-timeout governs subsequent memory-based failovers, not the initial trigger. ( Fortinet Document Library )

=========

The exhibits are directly supported by the lab guide’s troubleshooting section. It states: “The only profile that can be replaced is the Firewall Profile-Protocol-Options profile, because the only difference is a change in the comment field.” It then explains that for the other two profiles, “Whether you accept the value from BR1-FGT-1 or FortiManager, it will cause changes on different devices.”

That exactly matches C . The conflict window is not primarily showing a firmware mismatch, and the guide does not say BR1-FGT-1 lacks HTTPS 443 support. It also does not describe this as a FortiGuard database mismatch for QUIC. Instead, the key point is that only the default Firewall Profile-Protocol-Options conflict is minor enough to safely take from FortiManager because the difference is only in the comment field . The web filter and SSL/SSH profiles would cause real configuration differences if replaced.