FCP - FortiGate Administrator cheat sheet
Fortinet
Free to share. Examworthy is not affiliated with or endorsed by Fortinet; FCP-FGT-AD and related marks belong to their respective owners.
At a glance
Format: Multiple choice
Domain weight map (heaviest first - spend your time here)
How this exam thinks
FCP-FGT-AD is hands-on: it tests whether you can configure, operate, and troubleshoot a FortiGate the way an administrator does daily.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
Configuring a second heartbeat interface on the WAN port will force the cluster to switch units when that link fails.
Why it fails
This confuses heartbeat with port monitoring. Heartbeat interfaces detect peer reachability between cluster members, not the up or down state of a data interface like the WAN port, so they will not react to a WAN link failure.
Domain: Deployment and system configuration
Tempting but wrong
For FSSO DC agent mode, you install a collector agent on every domain controller so each one independently sends user-to-IP mappings to the FortiGate.
Why it fails
Tempting because the collector agent is central to FSSO, but in DC agent mode the collector is a single (or redundant) service that aggregates events from the DC agents, not a per-controller component that talks to the FortiGate on its own.
Domain: Firewall policies and authentication
Tempting but wrong
Believing the web filter profile's own proxy-based setting takes precedence, so FortiGate applies it as proxy regardless of the policy's flow-based mode.
Why it fails
Tempting because it assumes the profile's own inspection mode wins, but the policy inspection mode governs how security profiles run, so a flow-based policy cannot execute a proxy-based profile as proxy.
Domain: Content inspection
Tempting but wrong
Two equal default routes get installed, but only the most recently configured one forwards traffic until it fails over to the other.
Why it fails
This describes failover, which is tempting but wrong: equal routes do not behave as an active and passive pair when distance and priority match. Active/passive failover requires differing priority or distance, otherwise both routes forward together via ECMP.
Domain: Routing
Tempting but wrong
If a phase 1 tunnel fails while the Diffie-Hellman groups differ, the real cause must be a pre-shared key mismatch, because a differing DH group means the authentication payload was computed with different secrets.
Why it fails
It is tempting to blame authentication when phase 1 fails, but the DH group is an independent negotiated parameter: if the pre-shared keys are identical, the key is not at fault. The absence of a common DH group is what blocks the IKE SA.
Domain: VPN
Tempting but wrong
PPPoE mode is the right choice for a WAN interface that needs to learn its address from an upstream router handing out leases.
Why it fails
PPPoE also obtains an address dynamically, but it is used over provider links that require PPP session authentication rather than a plain DHCP server, so it is the wrong fit for an upstream router handing out leases.
Domain: Deployment and system configuration
Tempting but wrong
To make authenticated logins last longer, raise the firewall policy session-ttl so each accepted session stays in the session table longer and avoids a fresh login.
Why it fails
Tempting because session-ttl is a real policy setting, but it controls how long idle traffic sessions persist in the session table, not how long an authenticated user identity remains valid.
Domain: Firewall policies and authentication
Tempting but wrong
Believing certificate inspection decrypts the TLS payload and reads the HTTP host header inside the stream to match the application signature.
Why it fails
Certificate inspection does not decrypt the payload, so it cannot read an HTTP host header inside the encrypted stream; this confuses certificate inspection with full deep inspection.
Domain: Content inspection
Exam-day rules
- Read the last line of the question first. It tells you what is actually being asked, so you can read the scenario looking for the answer rather than absorbing every detail blind.
- Remember that policies match top down and stop at the first hit. Many questions hinge on policy order, so check whether a more specific rule sits above or below the one in the scenario.
- Keep the NAT objects straight under pressure: a virtual IP is destination NAT for inbound traffic, an IP pool is source NAT for outbound. Confusing the two is a common trap.
- When a question turns on inspecting encrypted traffic, ask whether decryption is needed. If the feature must see inside the payload it is deep inspection and needs a trusted CA certificate, not certificate inspection.
- Flag and move on. With 50 questions in 90 minutes you have time, but do not burn it on one hard item while easier marks wait; cover everything first, then return.
Revision schedule
- Day 1: Map the blueprint and set a date
- Week 1: Stand up a lab
- Weeks 2-3: Master deployment and policies (Domains 1 and 2)
- Weeks 3-4: Work through content inspection (Domain 3)
- Week 5: Cover routing and VPN (Domains 4 and 5)