02. Administration And Management Flashcards

1
Q

Enable ADOM

A
  1. From GUI > System Info > Admin Domain
  2. From CLI:
       config system global
         set adom-status {enable | disable}
       end
2
Q

An admin with which profile can enable ADOMs?

A

Super_User

3
Q

In which modes can an ADOM be created?

A
  1. Normal - full access to make config changes for the ADOM and its devices from FMG
  2. Backup - backs up config changes made directly on the managed device
4
Q

How frequently are config changes checked in normal ADOM mode?

A

Every 5 seconds, a config diff is sent to FMG

5
Q

What protocol is used to send the config diff?

A

FortiGate-FortiManager communication protocol (FGFM)

6
Q

Limitation of auto update?

A

Updates only Device Manager changes, not policy and object changes.

7
Q

Backup mode ADOM

A
  1. Read only
  2. Not all management panes are available: AP Manager, VPN Manager and FortiSwitch Manager are not available
  3. Can add and delete devices, but the device-level settings are not available for configuration and installation
  4. Can import firewall address and service objects into FortiManager; FortiManager stores the objects in the Device Manager database. You can view the objects on the Policy & Objects pane, but they are not stored in the central database. This lets you maintain a repository of objects used by all devices in the backup ADOM that is separate from the central database
  5. Only the script feature on FortiManager can be used to make configuration changes to managed devices
8
Q

What is the difference between normal and advanced ADOM device modes?

A
  1. Normal - all VDOMs on the same FGT go to the same ADOM only
  2. Advanced - can assign different VDOMs from the same FortiGate device to different ADOMs
9
Q

At what level is ADOM device mode applied?

A

Globally to all ADOMs

10
Q

What is the main purpose of a backup ADOM?

A. To maintain backup config of managed devices
B. To install policy package changes offline

A

A. To maintain backup config of managed devices

11
Q

Which action can you perform in advanced VDOM mode?

A. Assign different VDOMs from same FGT to different ADOMs
B. Assign same VDOM to different ADOMs

A

A. Assign different VDOMs from same FGT to different ADOMs

12
Q

Super_User

A

All system permissions
All device permissions

13
Q

Standard_User

A

No system permissions
RW all device permissions

14
Q

Restricted_User

A

No system permissions
RO device permissions

15
Q

Package_User

A

RW access to policy packages and object permissions
RO access to system and all other permissions

16
Q

Types of administrator profiles defined in profile settings

A

System admin - allows them to view and configure as much, or as little, as required
Restricted admin - can make changes to the web filtering profile, IPS sensor, and application sensor associated with their ADOM

17
Q

Methods to control and restrict administrator access

A
  • Administrative profiles
  • ADOMs
  • Trusted hosts
  • All or selected policy packages
18
Q

External user authentication servers

A
  1. LDAP
  2. RADIUS
  3. TACACS+
  4. PKI
19
Q

How to track installation changes made by the FortiManager user from FortiGate

A

Log & Report > Events on the managed FortiGate device

20
Q

How can you restrict admin access to only a few ADOMs on FMG?

A. By disabling concurrent access to ADOMs
B. By assigning ADOMs to admin account

A

B. By assigning ADOMs to admin account

21
Q

Which feature is available in the Restricted admin profile?

A. Device registration
B. IPS sensor

A

B. IPS sensor

22
Q

Default workspace mode status

A

Disabled.

By default, multiple administrators can access the same ADOM concurrently because workspace-mode is set to disabled.

config system global
  set workspace-mode {disabled | normal}
end

23
Q

What does workspace mode do?

A

Disables concurrent ADOM access
Adds ADOM locking
You must lock the ADOM, device or policy package
RW access for only one admin; other admins have RO access

config system global
  set workspace-mode normal
end

24
Q

What happens to device/policy locks if you lock the whole ADOM?

A

Locking an ADOM automatically removes locks on devices and policy packages that you have locked within that ADOM.

25
Q

Workspace GUI icons

A

Green lock - RW admin access. Locked by me
Red lock - RO admin access. Locked by another admin
Grey lock - ADOM is unlocked

26
Q

Locking devices when ADOMs are in advanced mode

A

You cannot lock an individual device

27
Q

When should you consider using workspace mode?

A. When multiple admins require concurrent access
B. When multiple managed FGT devices have a single admin

A

A. When multiple admins require concurrent access

28
Q

Which statement about locking an ADOM is true?

A. It auto removes locks on devices and policies
B. Other admins have RW access

A

A. It auto removes locks on devices and policies

29
Q

How many firmware versions can be managed by an ADOM?

A

An ADOM can concurrently manage FortiGate devices running two FortiGate firmware versions; for example, FortiOS 6.2 and 6.4.

30
Q

What will not happen to the ADOM when you upgrade to new firmware?

A

Upgrading the FortiManager firmware version will not upgrade the ADOM version.

31
Q

When should you perform an ADOM upgrade?

A

Upgrade the ADOM version once you have upgraded all devices in the ADOM to the new version.

Starting in FortiManager 7.0.0, you can upgrade ADOM version 6.2 to 6.4 without first updating all devices in the ADOM from FortiOS 6.2 to 6.4. In older ADOM versions, upgrade the FortiGate devices first and then the ADOM version.

32
Q

ADOM upgrade debugging CLI commands

A

diagnose debug enable
diagnose debug service cdb 255

33
Q

What will not happen automatically when you move a device from one ADOM to another ADOM?

A

Policies and objects are not imported into the ADOM database.
You must run the Import Policy wizard to import policies and objects into the ADOM database.
Moving devices from one ADOM to another is not a recommended practice.
For example, if you have configured complex IPsec VPNs with VPN Manager, you will need to reconfigure the VPN settings after you move the IPsec VPNs from one ADOM to another.

34
Q

Procedure to migrate an upgraded device to another ADOM

A
  1. Upgrade device
  2. Move to new ADOM
  3. Import policy and objects to new ADOM
35
Q

ADOM best practice - before upgrade

A

  1. Install any pending device settings or policy package changes
  2. Ensure device settings and policy packages are all synchronized

36
Q

ADOM best practice - after upgrade

A
  1. Perform the installation preview. The install preview shows you any changes that occurred during the upgrade process.
  2. Check that all the to-be-installed changes are acceptable; make corrections if required.
37
Q

Which step should you take as best practice after an FGT firmware upgrade?

A. Push policy package and run script to update objects
B. Upgrade ADOM and retrieve config

A

B. Upgrade ADOM and retrieve config

38
Q

What a FortiManager backup includes and what it does not

A

Includes:
All devices
Global DB
Flash config

Does NOT include logs, the FortiGuard cache, or firmware images saved on FortiManager

39
Q

Schedule backups

A

From CLI only (ftp, scp, sftp)

40
Q

How to perform a FortiManager restore; requirements and limitations

A

From GUI or CLI
After the restore, FMG reboots
Must be the same firmware version and the same model

execute restore all-settings <……..>

41
Q

Migrate FMG config from one model to another

A

Back up the configuration on one FortiManager model, and then run the CLI migrate command on the second FortiManager.

execute migrate all-settings {ftp | scp | sftp} <server> <filepath> <user> <pass> <cryptpass>

42
Q

FGFM management protocol port

A

TCP/541

43
Q

Offline mode

A

Disabled by default
Enabled after backup restoration
Can't manage devices in offline mode

44
Q

Reset FMG

A

execute reset all-settings - returns FortiManager to its factory default settings and reboots FortiManager.
execute reset all-except-ip -

execute format <disk….> - erases all device settings and images, FortiGuard databases, and log data on the FortiManager hard drive.
To completely erase all configuration databases, reset all settings, then format the disk using the CLI.

Even if you format your disks, this only destroys the file system tables; the files remain. Use the deep-erase flag.

45
Q

What is included in an FMG backup?

A. Logs and firmware images
B. Global db and all devices

A

B. Global db and all devices

46
Q

Which statement about FMG backup is true?

A. It supports FTP, SCP and SFTP
B. Can be configured using CLI and GUI

A

B. Can be configured using CLI and GUI (regular backup, not schedules)

47
Q

Default event log severity

A

Information

48
Q

How can you change the event log severity level?

A

From CLI only

49
Q

WSDL interface

A

Use web services to monitor the system.
You can download the definition file. The file itself defines the format of commands FortiManager will accept, as well as the response to expect.

50
Q

When should an admin use event logs at debug level?

A. When troubleshooting FMG with TAC
B. When searching for admin login event

A

A. When troubleshooting FMG with TAC

51
Q

What is the main purpose of using APIs on FMG?

A. To manage FMG using 3rd party software and hardware
B. To manage devices without FMG license

A

A. To manage FMG using 3rd party software and hardware