How to pass FCP - FortiGate Administrator (FCP-FGT-AD)
The FCP - FortiGate Administrator (FCP-FGT-AD) is a professional-level exam in Fortinet's certification track. It tests whether you can configure, operate, and troubleshoot a FortiGate firewall running FortiOS the way an administrator does day to day: bringing a device online, writing firewall policies, inspecting traffic, routing packets, and standing up VPNs. This is a hands-on role exam, so the questions assume you have actually driven the GUI and the CLI, not just read about them.
It suits network and security administrators who already manage FortiGate, or who are moving onto it from another firewall platform. If you can explain the difference between flow-based and proxy-based inspection, or what an FGCP heartbeat does, much of the material will feel familiar. If those are new, the gap is real but closable with lab time, because almost every objective maps to something you can reproduce on a VM or an evaluation unit.
The five domains carry equal weight, so there is no single area you can safely skip. The exam rewards precise knowledge of how FortiOS behaves: the order policies are matched in, which NAT object does what, when deep inspection is required over certificate inspection, and how an SD-WAN rule picks a link. Build in a lab, read the explanation behind every practice answer, and treat the CLI as a first-class skill rather than a fallback.
FCP-FGT-AD is hands-on: it tests whether you can configure, operate, and troubleshoot a FortiGate the way an administrator does daily.
Difficulty: Intermediate
Best for: Network and security administrators who deploy and run FortiGate firewalls on FortiOS day to day.
Prerequisites: Working networking knowledge (routing, NAT, the TCP/IP stack). Access to a FortiGate lab is strongly recommended.
Questions: 50
Time allowed: 90 min
Exam cost (USD): $200
Practice questions: 300
How this exam thinks
This is a product exam, so it does not reward general firewall theory. It rewards knowing how FortiGate actually behaves and choosing the feature or setting that matches the stated requirement. The best answer is the one that fits how the box really processes traffic, not the one that sounds most secure in the abstract. When two options both look reasonable, the correct one is usually the one a FortiOS administrator would reach for given exactly what the scenario asked, and the wrong ones are real FortiGate features used in the wrong place.
The distractors are built from how FortiOS works, so they punish fuzzy knowledge of the processing order and the object model. Expect to be asked which policy a packet hits when policies overlap, which NAT object applies to inbound versus outbound traffic, which route wins when administrative distances differ, whether a feature needs full deep inspection or only certificate inspection, and whether identity comes from active authentication or passive FSSO. Each of these has a precise FortiOS answer, and the wrong options are the adjacent feature you would pick if you had the order or the object slightly wrong. Knowing roughly what a feature does is not enough; you have to know exactly when FortiGate uses it.
Read every question for the requirement first, then map it to the FortiGate mechanism that satisfies it. Many items describe a goal (translate this inbound address, steer this traffic to the better link, let this roaming user reach an internal app) and ask for the configuration that achieves it. Work backwards from the goal to the right object: a virtual IP for inbound DNAT, an SD-WAN rule plus a performance SLA for link steering, an SSL VPN tunnel for the roaming user. Verbs in the scenario (translate, inspect, authenticate, route, load balance) point at the domain and usually at the exact feature, so let the requirement choose the answer rather than picking the most powerful-sounding option on the list.
What each domain tests and how to study it
The FCP-FGT-AD blueprint is split across five equally weighted domains; see the official exam guide for the authoritative breakdown.
Domain 1: Deployment and system configuration
What you must be able to do. Bring a FortiGate into service, link devices through the Security Fabric, form an FGCP HA cluster, and reach for the right diagnostic command when traffic or resources misbehave.
In one sentence: The operational backbone the other domains assume is in place: initial setup, the Security Fabric, FGCP high availability, and the built-in diagnostics.
Recall check: answer these from memory first
In an FGCP active-passive cluster, what does the heartbeat carry, and what happens to existing sessions when the primary fails?
Name the one device that holds the root role in a Security Fabric and what the downstream units report to it.
Traffic is being dropped and you do not know why. Which diagnostic command traces a packet through the policy engine, and which confirms what actually arrived on the interface?
What it tests. Getting a FortiGate into service and keeping it healthy: initial interface, administrative-access and network setup, building a Fortinet Security Fabric to link devices and centralise visibility, configuring an FGCP high-availability cluster in active-passive or active-active mode, and diagnosing resource and connectivity faults with the built-in tools and logs. It is the operational backbone the other domains assume is already in place.
How to study it. Build it once by hand so the steps stick: bring up interfaces, lock down admin access, then join a second unit into an FGCP cluster and watch the heartbeat and session synchronisation behave. Learn the Security Fabric as a root-and-downstream topology, not a feature list. For diagnostics, practise the actual commands until they are muscle memory: diagnose debug flow to trace a packet through the policy engine, the sniffer to confirm what arrives on an interface, and the routing table when traffic goes nowhere.
Easy to confuse
Active-passive versus active-active HA. Active-passive keeps one unit primary and the others on standby, so only the primary processes traffic until a failover; active-active also distributes sessions across cluster members, by default only the sessions that need proxy-based inspection, or all TCP sessions if load-balance-all is enabled. If the scenario wants traffic spread across units it is active-active, otherwise active-passive.
diagnose debug flow versus diagnose sniffer packet. Debug flow shows FortiGate's internal decision for a packet (which policy, route, or NAT it hit and why it was dropped); the sniffer shows the raw packets crossing an interface. Use debug flow for why traffic was denied, the sniffer for whether it arrived at all.
Security Fabric root versus downstream FortiGate. The root FortiGate sits at the top and aggregates topology and security ratings; each downstream unit is pointed at its upstream FortiGate's address and must be authorised on the root before it joins. Only one root exists per fabric, and the upstream-downstream direction decides which device you configure the connection on and which one authorises it.
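The build the study paragraph describes, as an added example in FortiOS CLI (it is not code from the original page or from Fortinet's documentation). Interface names (port1, port3), addresses, the cluster group name and the host under test are assumptions for illustration; the cluster password is a placeholder.

```fortios
# Added example, not from the original page. Interface names (port1, port3),
# addresses, the cluster group name and the host under test are assumptions.

# 1. Identity and admin access. The hostname shown at the CLI prompt and on the
#    dashboard lives under system global; allowaccess limits management protocols.
config system global
    set hostname FGT-DC1-A
    set admintimeout 10
end
config system interface
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "mgmt"
    next
end

# 2. FGCP active-passive cluster. Both units need the same group-name, password
#    and mode; hbdev names the heartbeat interface and its priority; the unit
#    with the higher priority becomes primary (override stays disabled so a
#    recovered unit does not force a second failover). session-pickup
#    synchronises established TCP sessions so they survive a failover.
config system ha
    set group-name "DC1-HA"
    set mode a-p
    set password <cluster-password>
    set hbdev "port3" 50
    set priority 200
    set override disable
    set session-pickup enable
end

# Confirm the cluster formed and both members carry the same configuration.
get system ha status
diagnose sys ha checksum cluster

# 3. Why was a packet dropped? debug flow prints the route, policy and NAT
#    decisions for packets matching the filter (a host that cannot reach 443).
diagnose debug reset
diagnose debug flow filter addr 10.0.1.10
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# ... reproduce the failure, then stop tracing and switch debug off:
diagnose debug flow trace stop
diagnose debug disable

# Did the packet arrive at all? The sniffer shows raw frames on any interface;
# verbosity 4 prints headers with interface names and stops after 20 packets.
diagnose sniffer packet any 'host 10.0.1.10 and port 443' 4 20
```

Run the two diagnostics in that order when a session fails: if the sniffer never shows the packet on the ingress interface the problem is upstream of the FortiGate, and debug flow output is irrelevant; if the sniffer shows it, the debug flow trace names the policy or route that dropped it.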
Worked example from the FCP-FGT-AD bank
Free sample (Deployment and system configuration, easy)
An administrator manages several FortiGate units that all ship with the same default hostname, making it hard to tell devices apart in monitoring tools and on the CLI prompt. During initial configuration, which change gives each device a distinct identifier shown at the CLI prompt and in the GUI dashboard?
A. Set a unique system hostname on each FortiGate under the global system settings. (Correct)
B. Set a unique local-in alias on the management interface of each FortiGate.
C. Set a unique administrator profile name on each FortiGate so logins identify the device.
D. Set a unique SSL certificate common name on each FortiGate to label the device.
Set a unique system hostname so each FortiGate is clearly identified at the CLI prompt and in the GUI. The hostname configured under system global is the device identity FortiOS substitutes into the CLI prompt and shows in the dashboard system information widget, so giving each unit its own hostname removes the ambiguity caused by identical defaults.
Why A is correct: The system hostname is the device name displayed in the CLI prompt and the GUI dashboard, so assigning a unique hostname to each unit directly distinguishes them as the scenario requires.
Why B is wrong: Interface aliases are descriptive labels for individual ports and appear beside those interfaces, but they do not change the device-wide name shown at the prompt or dashboard, so they do not solve the identification problem.
Why C is wrong: Profile names organise access permissions and are easy to confuse with device naming, but they describe privilege sets rather than the unit itself, so renaming a profile does not alter how the device identifies itself.
Why D is wrong: A certificate common name appears during secure session negotiation and can carry a device name, but it is not what the CLI prompt or dashboard displays, so changing it does not meet the stated need.
Domain 2: Firewall policies and authentication
What you must be able to do. Write a policy that matches the intended traffic at the right position, pick the correct NAT object for the direction, and choose active authentication or passive FSSO to identify the user.
In one sentence: The core of the firewall: top-down policy matching, SNAT and DNAT objects, and identifying users by local, RADIUS, LDAP, or FSSO.
Recall check: answer these from memory first
Two policies could match the same session, a broad one above a specific one. Which one wins, and what does that imply about how you order rules?
A user on the internet must reach an internal web server on a private address. Which NAT object translates the destination, and which one would you use for the server's outbound traffic instead?
Distinguish active authentication from passive FSSO in one line each, and say where FSSO learns the user's identity from.
What it tests. The core of the firewall: writing policies that control traffic between interfaces, applying SNAT and DNAT through virtual IPs and IP pools to translate addresses, and authenticating users against local, RADIUS, and LDAP databases including captive-portal active authentication. It also covers deploying Fortinet Single Sign-On (FSSO) with its DC agent and collector agent for passive, identity-based policy enforcement.
How to study it. Get policy matching exact: FortiGate evaluates policies top down and stops at the first match, so order and specificity decide the outcome. Drill the NAT objects until you never confuse them: a virtual IP does destination NAT for inbound traffic, an IP pool supplies source addresses for outbound, and NAT overload is many-to-one. Set up RADIUS or LDAP authentication in a lab, then contrast active authentication (the user is prompted) with passive FSSO (identity is learned from the directory), because the exam leans on that distinction.
Easy to confuse
Virtual IP (DNAT) versus IP pool (SNAT). A virtual IP translates the destination of inbound traffic so external clients reach an internal host; an IP pool supplies the source address for outbound traffic leaving the FortiGate. The direction in the scenario, inbound or outbound, tells you which object the answer needs.
Active authentication versus passive FSSO. Active authentication prompts the user, usually through a captive portal, before traffic is allowed; FSSO is passive and learns identity from the directory through the DC agent and collector agent with no prompt. If the scenario wants a seamless login the answer is FSSO, if it wants the user challenged it is active authentication.
RADIUS versus LDAP authentication. RADIUS is an authentication protocol that returns an accept or reject and can carry group attributes in the reply; LDAP queries a directory where the FortiGate binds and reads group membership from the tree. The exam hinges on which one the scenario's identity source actually speaks.
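The NAT objects, an FSSO group and the policy order from the study paragraph, as an added FortiOS CLI example (not code from the original page or from Fortinet). Addresses, interface names (wan1, lan, dmz), the collector agent address and the AD group DN are assumptions for illustration.

```fortios
# Added example, not from the original page. Addresses, interface names, the
# collector agent address and the AD group DN are assumptions for illustration.

# Inbound (DNAT): the VIP maps a public address on wan1 to the DMZ web server.
config firewall vip
    edit "VIP-web"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.1.10"
    next
end
# Outbound (SNAT): the IP pool supplies the translated source address; type
# overload is many-to-one with port translation.
config firewall ippool
    edit "POOL-web-out"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end
config firewall address
    edit "HOST-web"
        set subnet 10.0.1.10 255.255.255.255
    next
end
# Passive identity (FSSO): the FortiGate takes user-to-IP mappings from the
# collector agent and matches them against a group built from an AD group DN.
config user fsso
    edit "AD-collector"
        set server "10.0.0.50"
        set password <collector-password>
    next
end
config user group
    edit "FSSO-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=corp,DC=example,DC=com"
    next
end
# Policies are matched top-down, first hit wins, so order is part of the
# design: the identity policy (2) must sit above the broad LAN-to-WAN accept
# (3), or finance users hit policy 3 first and the group match never applies.
config firewall policy
    edit 1
        set name "IN-web-dnat"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 2
        set name "OUT-finance-identity"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO-Finance"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
    edit 3
        set name "OUT-lan-general"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 4
        set name "OUT-web-snat-pool"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "HOST-web"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "POOL-web-out"
    next
end
# Policy ID is not position. Reorder with "move" inside config firewall policy,
# for example "move 2 before 3", and confirm the sequence with "show firewall policy".
```

Policy 3 uses the outgoing interface address for SNAT (nat enable without a pool, the many-to-one case); policy 4 shows the IP pool form, which is what the exam means by choosing an SNAT object. Note that the inbound policy names the VIP, not the private host, as its destination.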
Worked example from the FCP-FGT-AD bank
Free sample (Firewall policies and authentication, hard)
A network administrator is deploying FSSO in DC agent mode for a Windows Active Directory domain with three domain controllers. Each user logon must be captured and forwarded to the collector agent so that the FortiGate can apply identity-based policies. Which component must be installed on each monitored domain controller for this mode to function?
A. A DC agent (dcagent.dll) registered on every monitored domain controller, which intercepts logon events and forwards them to the collector agent. (Correct)
B. A collector agent installed directly on every domain controller, so each controller independently sends user-to-IP mappings to the FortiGate.
C. A TS agent on each domain controller to track per-session source ports for users sharing one host.
D. The FortiGate polling service enabled against each controller, removing the need for any agent on the controllers.
Identify that FSSO DC agent mode requires a DC agent installed on each monitored domain controller to capture logon events. In DC agent mode the dcagent.dll is loaded on each domain controller and intercepts user logon events in real time, forwarding them to the collector agent, which then sends consolidated user-to-IP-to-group mappings to the FortiGate. This per-controller agent is what separates DC agent mode from agentless polling.
Why A is correct: DC agent mode requires the FSSO DC agent to be installed on each domain controller; it hooks logon events at the source and pushes them to the collector agent, which is the defining characteristic of this mode.
Why B is wrong: It is tempting because the collector agent is central to FSSO, but in DC agent mode the collector is a single (or redundant) service that aggregates events from DC agents, not a per-controller component that talks to the FortiGate alone.
Why C is wrong: The TS agent is used for Citrix or Terminal Server environments to distinguish users on a shared host by port range, not for capturing standard domain controller logon events.
Why D is wrong: This describes agentless polling mode rather than DC agent mode; the question explicitly specifies DC agent mode, which depends on an installed DC agent rather than FortiGate-initiated polling.
Domain 3: Content inspection
What you must be able to do. Decide whether a requirement needs certificate inspection or full deep inspection, pick flow-based or proxy-based mode for the feature, and let FortiGuard ratings or signatures drive the verdict.
In one sentence: Looking inside traffic to enforce security: the SSL inspection choice, the flow versus proxy mode trade-off, and the FortiGuard-fed profiles for web, application, antivirus, and IPS.
Recall check: answer these from memory first
A web filter must block a page based on its category but does not need to read the encrypted payload. Which SSL inspection mode is enough, and which one would you need to scan the content for a virus instead?
State the trade-off between flow-based and proxy-based inspection in one line, and name a reason you would accept the heavier mode.
Which FortiGuard service feeds web filtering's category rating, and which feeds IPS its detection logic?
What it tests. Looking inside traffic to enforce security: inspecting encrypted sessions with certificate inspection versus full deep inspection, choosing between flow-based and proxy-based inspection modes, and configuring web filtering, application control through deep packet inspection, antivirus scanning, and IPS signature-based detection. FortiGuard services feed most of these features, so their role recurs throughout the domain.
How to study it. Pin down the SSL choice first: certificate inspection reads only the certificate and SNI, while deep inspection decrypts the session and so needs a CA certificate trusted by clients. Learn the inspection-mode trade-off as a decision: flow-based is faster and lighter, proxy-based buffers content and enables features flow mode cannot. Then walk each profile in a lab (web filter, application control, antivirus, IPS) and note which mode each runs in and how FortiGuard ratings or signatures drive the verdict.
Easy to confuse
Certificate inspection versus deep inspection. Certificate inspection reads only the certificate and the server name without decrypting, so it cannot see the payload; deep inspection decrypts and re-encrypts the session, so antivirus and web content filtering can read inside, and it needs a CA certificate clients trust. If the feature must inspect the payload, the answer is deep inspection.
Flow-based versus proxy-based inspection. Flow-based inspects packets as they pass and is faster with lower latency; proxy-based buffers the whole object before scanning, which is heavier but enables features flow mode cannot offer. The scenario's priority, throughput or thoroughness, points at the mode.
Application control versus web filtering. Application control identifies the application from signatures and deep packet inspection regardless of port; web filtering acts on the URL or the FortiGuard category of the site. If the question is about an app like a messaging client it is application control, if it is about a website or category it is web filtering.
Worked example from the FCP-FGT-AD bank
Free sample (Content inspection, medium)
An administrator builds a firewall policy that references a web filter profile set to proxy-based inspection, while the policy itself has its inspection mode left at flow-based. When traffic matches the policy, how does FortiGate handle the web filter profile's proxy-based inspection?
A. FortiGate applies the web filter profile using proxy-based inspection regardless of the policy inspection mode, because the profile setting takes precedence.
B. FortiGate blocks all traffic on the policy until the inspection modes of the policy and the profile are made to match.
C. FortiGate raises a configuration error and refuses to save the policy until the profile is changed to flow-based.
D. FortiGate silently converts the profile to flow-based inspection and applies the web filter using flow-based logic for that policy. (Correct)
Understand that the firewall policy inspection mode, not the profile, determines whether web filtering runs as flow-based or proxy-based. The firewall policy inspection mode is authoritative for the security profiles it applies. A flow-based policy executes a referenced web filter profile using flow-based inspection, so proxy-specific options either map to their flow equivalent or are not enforced, rather than forcing the policy into proxy mode or dropping traffic.
Why A is wrong: This is tempting because it assumes the profile's own inspection mode wins, but the policy inspection mode governs how security profiles run, so a flow-based policy cannot execute a proxy-based profile as proxy.
Why B is wrong: This sounds cautious and secure, but FortiGate does not fail closed on a mode mismatch; it reconciles the profile to the policy mode rather than dropping traffic.
Why C is wrong: This is plausible because some mismatches are blocked at save time, but a web filter profile can be referenced by either policy mode, so the configuration commits without error.
Why D is correct: When the policy is in flow mode, FortiGate runs the web filter profile in flow-based mode, so proxy-only options in the profile map to their flow-based equivalent or are not enforced.
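The two SSL inspection profiles from the study paragraph and the policy-versus-profile mode relationship from the worked example above, as an added FortiOS CLI example (not code from the original page or from Fortinet). Profile names and interface names are assumptions; Fortinet_CA_SSL is the built-in re-signing CA shipped on most units, but check your own with get vpn certificate local.

```fortios
# Added example, not from the original page. Profile names and interface names
# are assumptions; Fortinet_CA_SSL is the built-in re-signing CA on most units.

# Certificate inspection reads the server certificate and SNI only: enough for
# category-based web filtering, but antivirus cannot see the payload.
config firewall ssl-ssh-profile
    edit "SSL-cert-only"
        config https
            set ports 443
            set status certificate-inspection
        end
    next
    # Deep inspection decrypts and re-encrypts. Every client must trust the
    # re-signing CA (export it and push it to endpoints) or each site warns.
    edit "SSL-deep-resign"
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

# A profile declares the feature set it was built for; the policy's
# inspection-mode decides how it actually runs (the worked example above).
config webfilter profile
    edit "WF-proxy-built"
        set feature-set proxy
    next
end
config antivirus profile
    edit "AV-proxy"
        set feature-set proxy
    next
end

config firewall policy
    # Proxy-mode policy with deep inspection: antivirus can read the decrypted
    # payload, and proxy mode buffers the whole object before the verdict.
    # Created first so it sits above the broader flow policy below.
    edit 10
        set name "LAN-WAN-proxy-av"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "SSL-deep-resign"
        set av-profile "AV-proxy"
        set logtraffic all
    next
    # Flow-mode policy with certificate inspection: category blocking only.
    # The proxy-built web filter profile runs here with flow-based logic.
    edit 11
        set name "LAN-WAN-flow-webfilter"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "SSL-cert-only"
        set webfilter-profile "WF-proxy-built"
        set logtraffic all
    next
end
```

The decision the exam wants you to make is visible in the pairing: a requirement that only needs a category verdict is satisfied by policy 11 with no CA distribution at all, while anything that must read the payload needs the re-signing profile and the client trust that comes with it.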
Domain 4: Routing
What you must be able to do. Predict which route FortiGate installs and uses when several compete, and configure SD-WAN so a performance SLA and a rule steer sessions to the link that meets the requirement.
In one sentence: Getting packets to the right next hop: static, default, blackhole, and policy routes ranked by administrative distance, plus SD-WAN link steering by performance SLA.
Recall check: answer these from memory first
Two static routes to the same destination have different administrative distances. Which one does FortiGate install in the FIB, and what happens to the other?
What does a blackhole route do to matching traffic, and where does a policy route sit relative to the routing table?
In SD-WAN, what marks a link as out of SLA, and what then decides which member a session is steered onto?
What it tests. Getting packets to the right next hop: static routing including default routes, blackhole routes, and policy routes, with administrative distance deciding which route wins, and SD-WAN to load balance across multiple WAN links using performance SLAs, link health monitoring, and SD-WAN rules. It is the smallest domain by objective count but still a full fifth of the exam.
How to study it. Make the route-selection logic automatic: lowest administrative distance wins, a blackhole route silently drops matching traffic, and a policy route is consulted before the routing table. For SD-WAN, build a two-link setup and configure a performance SLA so you can see how link health monitoring marks a member out of SLA and how an SD-WAN rule then steers sessions. Understanding why a link was chosen matters more than memorising menu paths.
Easy to confuse
Administrative distance versus route priority. Administrative distance decides which route enters the routing table when several routes to the same destination compete: the lowest distance wins and the others stay in the routing database, inactive. Priority only comes into play between routes that share the same distance: the lowest priority value is preferred for forwarding, and routes that tie on both are equal-cost. The exam tests distance for which route wins, priority only when distances are already equal.
Blackhole route versus a deny policy. A blackhole route silently discards matching traffic at the routing layer, before any firewall policy is consulted; a deny firewall policy blocks it at the policy layer and can log it. Blackhole routes are a routing tool, often used to drop traffic for unreachable subnets, not a substitute for policy control.
Policy route versus static route. A policy route is consulted before the routing table and can match on more than the destination, such as source or service; a static route matches the destination prefix only. If the scenario routes by source or protocol rather than destination, the answer is a policy route.
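The route-selection cases from the study paragraph and the three "easy to confuse" pairs above, as an added FortiOS CLI example (not code from the original page or from Fortinet). Gateway addresses and interface names (wan1 to wan4, guest) are assumptions for illustration.

```fortios
# Added example, not from the original page. Gateway addresses and interface
# names are assumptions for illustration.
config router static
    # Two default routes with equal distance and equal priority: both are
    # installed and used as equal-cost paths (ECMP).
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 1
    next
    # Same destination, higher distance: kept in the routing database but not
    # installed until both distance-10 routes disappear (a cold backup).
    edit 3
        set gateway 192.0.2.1
        set device "wan3"
        set distance 20
    next
    # Same distance as the ECMP pair but a higher priority value: installed in
    # the table, yet not used for forwarding while a priority-1 route is up.
    edit 4
        set gateway 192.0.2.2
        set device "wan4"
        set distance 10
        set priority 10
    next
    # Blackhole: matching packets are discarded at the routing layer, so traffic
    # for unused internal space never leaks out of the default route. Distance
    # 254 lets any learned route for the same prefix win over the blackhole.
    edit 5
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
        set distance 254
    next
end
# How sessions are spread across the ECMP pair.
config system settings
    set v4-ecmp-mode source-ip-based
end
# Policy route: consulted before the routing table and able to match on source
# and protocol, so guest HTTPS is pinned to wan2 regardless of ECMP.
config router policy
    edit 1
        set input-device "guest"
        set src "10.0.9.0/255.255.255.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
# Verify: routes 1, 2 and 4 are in the table (the bracket after each next hop
# shows priority and weight on current releases); route 3 appears only in the
# database, marked inactive.
get router info routing-table all
get router info routing-table database
```

If a practice question gives you a set of routes, apply the same order the CLI does: longest prefix first, then lowest distance, then lowest priority value, and only when all three tie does ECMP spread sessions.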
Worked example from the FCP-FGT-AD bank
Free sample (Routing, easy)
A FortiGate has two static default routes out of two different ISP links. Both routes have the same administrative distance and the same priority. What is the effect on traffic that uses the default route?
A. Both routes are installed in the forwarding table and traffic is load balanced across both links using equal-cost multi-path routing. (Correct)
B. Only the route whose gateway has the lower IP address is installed, and all default traffic uses that single link.
C. Neither route is installed because FortiGate rejects duplicate default routes and logs a configuration conflict.
D. Both routes are installed but only the most recently configured one forwards traffic until it fails over to the other.
Static routes with equal administrative distance and equal priority become equal-cost paths, so FortiGate installs both and load balances using ECMP. FortiGate first compares administrative distance to pick which routes enter the routing table, then compares priority among same-distance routes. When both values are equal, the routes are equal-cost and FortiGate uses ECMP to spread sessions across them.
Why A is correct: When two routes share the same distance and priority, FortiGate treats them as equal-cost and installs both, performing ECMP load balancing across the two links according to the configured load-balancing method.
Why B is wrong: FortiGate does not select between equal routes by comparing gateway IP addresses. This sounds like a deterministic tie-breaker but no such rule exists, so it is incorrect.
Why C is wrong: FortiGate accepts multiple default routes; it does not reject them as duplicates. The idea of a conflict rejection is plausible to a newcomer but does not reflect FortiOS behaviour.
Why D is wrong: Equal routes do not behave as an active and passive pair when distance and priority match. This describes failover, which requires differing priority or distance, so it is a tempting but wrong assumption.
Domain 5: VPN
What you must be able to do. Pick SSL VPN or IPsec for the access pattern, choose tunnel or web mode and split tunnelling for remote users, and get IKE phase 1 and phase 2 to agree on both ends.
In one sentence: Secure connectivity: SSL VPN tunnel and web modes for roaming users, and IPsec with matching IKE phase 1 and phase 2 for site-to-site and redundant links.
Recall check: answer these from memory first
A roaming user needs full network access from their own laptop, and another only needs a few web apps through a browser. Which SSL VPN mode fits each?
Name one parameter that must match on both ends in IKE phase 1 and one in phase 2, and say what each phase establishes.
With split tunnelling enabled, which traffic enters the tunnel and which does not?
What it tests. Secure connectivity: SSL VPN in tunnel mode and web mode with portals and split tunnelling for remote users, and IPsec VPN in meshed or partially redundant topologies, including IKE phase 1 and phase 2 configuration and hub-and-spoke designs. The focus is on choosing the right VPN type for the access pattern and getting both negotiation phases to agree.
How to study it. Separate the two clearly: SSL VPN suits roaming individual users (tunnel mode for full access, web mode for a portal), while IPsec suits site-to-site and redundant links. For IPsec, learn phase 1 and phase 2 as distinct negotiations with their own parameters that must match on both ends, and practise a hub-and-spoke build so redundancy and routing over the tunnels make sense. Configure split tunnelling so you can explain what traffic does and does not enter the tunnel.
Easy to confuse
SSL VPN versus IPsec VPN. SSL VPN suits roaming individual users connecting from a browser or the client, with no fixed peer; IPsec suits site-to-site and redundant links between known gateways. If the scenario is one user on the move it is SSL VPN, if it is two sites or a hub-and-spoke design it is IPsec.
SSL VPN tunnel mode versus web mode. Tunnel mode runs a client and gives the user full network-layer access as if on the LAN; web mode is clientless and reaches only the applications published in the portal. The amount of access the scenario needs, full versus a handful of apps, picks the mode.
IKE phase 1 versus phase 2. Phase 1 authenticates the peers and builds the secure IKE channel; phase 2 negotiates the IPsec security associations that actually encrypt the data, scoped by selectors. A mismatch in phase 1 stops the tunnel coming up at all; a phase 2 mismatch lets phase 1 succeed but blocks traffic.
Worked example from the FCP-FGT-AD bank
Free sample (VPN, hard)
Two FortiGates negotiate IKEv2 phase 1, but the tunnel never establishes. Diagnostics show phase 1 proposals do not match: one peer offers AES256-SHA256 with DH group 14, the other offers AES256-SHA256 with DH group 20. Both peers share the same pre-shared key and the same phase 2 selectors. What is the correct conclusion about why phase 1 fails?
A. The pre-shared key mismatch is the real cause, because a differing DH group always indicates the authentication payload was computed with different secrets.
B. The phase 2 selectors are too broad, so the kernel rejects the phase 1 SA before the Diffie-Hellman exchange can complete.
C. The Diffie-Hellman group must match in at least one common phase 1 proposal, so groups 14 and 20 with no overlap cause the IKE SA negotiation to fail. (Correct)
D. IKEv2 ignores the Diffie-Hellman group during the initial exchange, so the failure must come from a mismatched encryption algorithm instead.
Identify that a non-overlapping Diffie-Hellman group between peers prevents the IKE phase 1 SA from establishing. The Diffie-Hellman group is a mandatory negotiated element of the phase 1 key exchange. Each peer proposes one or more groups, and the negotiation needs at least one common group to derive shared keying material. With one peer on group 14 and the other on group 20 and no overlap, the IKE SA cannot form regardless of matching encryption, hash, or pre-shared key.
Why A is wrong: It is tempting to blame authentication when phase 1 fails, but the scenario states the keys are identical and a DH group is an independent negotiated parameter, so the key is not the fault here.
Why B is wrong: Phase 2 selectors are negotiated only after phase 1 succeeds and cannot block the phase 1 SA, so selector breadth cannot explain a failure that occurs during the phase 1 key exchange.
Why C is correct: Phase 1 builds the IKE SA using a mutually agreed Diffie-Hellman group; if neither peer offers a group the other accepts, the key exchange cannot complete and phase 1 fails even when encryption, hash, and the pre-shared key all match.
Why D is wrong: IKEv2 absolutely requires an agreed Diffie-Hellman group in the initial exchange, and the scenario shows encryption and hash already match, so blaming the cipher is both factually wrong and inconsistent with the diagnostics.
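The SSL VPN portal and IPsec tunnel from the study paragraph, plus the diagnostics that separate a phase 1 failure like the worked example above from a phase 2 failure, as an added FortiOS CLI example (not code from the original page or from Fortinet). Addresses, interface names, object names (NET-corp, SSL-Users) and the pre-shared key placeholder are assumptions for illustration.

```fortios
# Added example, not from the original page. Addresses, interface names, object
# names and the user group are assumptions for illustration.

# SSL VPN. One portal offering both modes: tunnel mode gives the client a
# routable address from the pool; web mode is clientless and reaches only
# published bookmarks. Split tunnelling sends just NET-corp through the tunnel
# and lets all other traffic leave over the user's own connection.
config vpn ssl web portal
    edit "corp-portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "NET-corp"
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "corp-portal"
    set port 10443
    config authentication-rule
        edit 1
            set groups "SSL-Users"
            set portal "corp-portal"
        next
    end
end
# A firewall policy from ssl.root to the LAN for that group is still required.

# IPsec site-to-site over IKEv2. Phase 1 needs an overlapping proposal AND
# DH group: offering both 14 and 20 here means a peer that accepts only one
# of them still negotiates, which is the fix for the mismatch in the worked
# example above. Phase 2 proposal, PFS group and selectors must match too.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14 20
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.0.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
        set auto-negotiate enable
    next
end
# Traffic enters the tunnel only with a route into the tunnel interface and
# a firewall policy in each direction.
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch"
    next
end

# Diagnostics. The gateway list shows whether the IKE SA exists; the tunnel
# list whether phase 2 SAs exist. The IKE debug shows which phase failed: with
# no common DH group the IKE SA never forms; with a phase 2 mismatch the IKE SA
# is up and the CHILD_SA proposal is rejected. (7.x syntax; 6.x releases use
# "diagnose vpn ike log-filter" instead of "log filter".)
diagnose vpn ike gateway list name to-branch
diagnose vpn tunnel list name to-branch
diagnose vpn ike log filter name to-branch
diagnose debug application ike -1
diagnose debug enable
# ... bring the tunnel up (or wait for auto-negotiate), then:
diagnose debug disable
diagnose debug reset
```

Read the gateway list before the tunnel list: an entry in the first with nothing in the second is the signature of a phase 2 problem, while an empty gateway list with a peer that is reachable means phase 1 itself is failing, which is where the worked example's DH mismatch shows up.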
A study plan that works
Day 1: Map the blueprint and set a date
Read the official Fortinet exam description and the five domains. Note that they carry equal weight, so plan to cover all five rather than betting on a heavy area. Book a provisional exam date now; a fixed date is the single biggest predictor of actually sitting.
Week 1: Stand up a lab
Get a FortiGate VM or evaluation unit and a couple of test hosts. Almost every objective is something you configure, so a lab where you can break and rebuild safely is worth more than any number of read-throughs. Use both the GUI and the CLI from the start.
Weeks 2-3: Master deployment and policies (Domains 1 and 2)
Build a device from scratch, form an FGCP cluster, then write firewall policies and NAT. Get policy matching order and the SNAT and DNAT objects exact, and configure local, RADIUS, LDAP, and FSSO authentication so the identity model is concrete.
Weeks 3-4: Work through content inspection (Domain 3)
Configure certificate and deep SSL inspection, then web filtering, application control, antivirus, and IPS. Note for each which inspection mode it uses and how FortiGuard drives the decision. This domain has the most objectives, so give it proportionate time.
Week 5: Cover routing and VPN (Domains 4 and 5)
Configure static routes, a blackhole route, and a policy route, then build an SD-WAN setup with a performance SLA. For VPN, stand up an SSL VPN portal and an IPsec tunnel, getting IKE phase 1 and phase 2 to negotiate cleanly.
Week 5: Practise on scenarios and close weak domains
Move to full practice sets and read the explanation for every question, including ones you got right. Use your per-domain accuracy to drill the areas dragging you down rather than re-reading what you already know, until each clears comfortably.
Week 6: Sit a timed mock and review it
Take at least one full timed mock to rehearse pacing across 50 questions in 90 minutes and the flag-and-return habit. Treat the score as a readiness signal, then review every missed item before you book or sit.
Know when you're ready
Readiness for the FCP-FGT-AD is a score on questions you have not seen before, not a feeling that the material is familiar. Those are different things, and the gap between them is where people fail. Re-reading notes and rewatching a build feels like learning, and that fluency reads as confidence, but it does not prove you can choose the right FortiOS feature under a fresh scenario. The test is whether you can answer unseen questions and explain why each wrong option is the wrong FortiGate object for the requirement.
For this exam, hands-on practice is part of the bar, not an optional extra. Because the questions assume you have configured policies, NAT, inspection, routes, and VPNs yourself, you are ready when you can both reproduce those builds in a lab and answer scenario questions about them across more than one session, with every domain clearing comfortably rather than scraping by once. Trust your measured per-domain accuracy over your gut, and be wary of early confidence after a single pass, because that is exactly when you have not yet met the questions that show you what you missed.
This guide gives you the map and the lab plan gives you the reps. The practice bank is where you find out whether you can navigate the box under pressure, with a worked explanation and a reason every distractor is the wrong feature on every question. Readiness scoring tells you when you are there. Not before.
Read the last line of the question first. It tells you what is actually being asked, so you can read the scenario looking for the answer rather than absorbing every detail blind.
Remember that policies match top down and stop at the first hit. Many questions hinge on policy order, so check whether a more specific rule sits above or below the one in the scenario.
Keep the NAT objects straight under pressure: a virtual IP is destination NAT for inbound traffic, while an IP pool is source NAT for outbound traffic. Confusing the two is a common trap.
When a question turns on inspecting encrypted traffic, ask whether decryption is needed. If the feature must see inside the payload, the scenario calls for deep inspection, which needs a CA certificate the clients trust; certificate inspection only looks at the certificate and server name and will not do.
Flag and move on. With 50 questions in 90 minutes you have time, but do not burn it on one hard item while easier marks wait; cover everything first, then return.
When more than one route to the same destination competes, reach for administrative distance: the lowest wins. For SD-WAN, the steering comes from performance SLAs and SD-WAN rules, not the static routing table alone.
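The top-down, first-hit behaviour from the policy-order tip above, as an added Python simulation that is not part of this guide or of FortiOS. The policy table, subnets and ports are constructed for illustration, and the model deliberately leaves out interfaces, schedules, users and profiles that a real FortiGate policy also matches on. It shows the classic trap: a specific deny placed below a broad allow never fires, and a small shadowing check catches that before the exam scenario (or a production change) does.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


# Constructed, simplified model of one entry in a FortiGate IPv4 policy table.
# The real object also carries interfaces, schedule, users and security profiles.
@dataclass(frozen=True)
class Policy:
    policy_id: int
    src: IPv4Network
    dst: IPv4Network
    services: frozenset   # destination ports; frozenset({"ALL"}) matches any port
    action: str           # "accept" or "deny"


def matches(policy, src_ip, dst_ip, dport):
    """True when a flow (source, destination, destination port) falls inside this policy."""
    return (ip_address(src_ip) in policy.src
            and ip_address(dst_ip) in policy.dst
            and ("ALL" in policy.services or dport in policy.services))


def first_match(policies, src_ip, dst_ip, dport):
    """Evaluate top down and stop at the first hit, as FortiOS does.

    Returns (policy_id, action). A flow that matches nothing falls through to
    the implicit deny, which FortiGate reports as policy ID 0.
    """
    for policy in policies:
        if matches(policy, src_ip, dst_ip, dport):
            return policy.policy_id, policy.action
    return 0, "deny"


def shadowed(policies):
    """IDs of policies that can never fire because an earlier policy already
    covers every flow they would match (the mis-ordered specific rule)."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            services_covered = ("ALL" in earlier.services
                                or later.services <= earlier.services)
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and services_covered):
                hidden.append(later.policy_id)
                break
    return hidden


LAN = ip_network("10.0.1.0/24")          # constructed internal subnet
PARTNER = ip_network("203.0.113.0/24")   # constructed external range (documentation prefix)
ANY = ip_network("0.0.0.0/0")

ALLOW_ALL_OUT = Policy(1, LAN, ANY, frozenset({"ALL"}), "accept")
BLOCK_SSH_TO_PARTNER = Policy(2, LAN, PARTNER, frozenset({22}), "deny")

# The specific deny sits below the broad allow, so it is never reached.
MISORDERED = [ALLOW_ALL_OUT, BLOCK_SSH_TO_PARTNER]
# Moving the specific rule above the general one is the fix.
FIXED = [BLOCK_SSH_TO_PARTNER, ALLOW_ALL_OUT]

if __name__ == "__main__":
    flow = ("10.0.1.5", "203.0.113.10", 22)
    print("misordered:", first_match(MISORDERED, *flow), "shadowed:", shadowed(MISORDERED))
    print("fixed:     ", first_match(FIXED, *flow), "shadowed:", shadowed(FIXED))
```

Running it shows the SSH flow hitting policy 1 and being accepted in the mis-ordered table, with policy 2 reported as shadowed, and the same flow hitting policy 2 and being denied once the order is corrected. When a scenario gives you a policy list, walk it exactly this way: top to bottom, stop at the first hit, and ask whether the rule the question cares about is above or below the one that would swallow its traffic.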
Frequently asked questions
Is FCP-FGT-AD hard?
It is a professional-level, hands-on exam, so the difficulty is in knowing exactly how FortiOS behaves rather than in tricky wording. If you have configured FortiGate firewall policies, NAT, inspection, routing, and VPNs yourself, it is fair. If you have only read about them, build a lab first, because the questions assume practical familiarity.
How long should I study for FCP-FGT-AD?
Administrators already working with FortiGate are often ready in a few weeks of focused revision plus lab time. Coming from another firewall platform, allow longer to learn FortiOS-specific behaviour. The five domains are equally weighted, so budget time across all of them rather than front-loading one.
What is the pass mark for FCP-FGT-AD?
Fortinet does not publish a fixed pass mark or percentage breakdown for this exam, so anyone quoting an exact figure is guessing. The most reliable approach is to clear every domain comfortably on fresh practice questions rather than aiming at an invented target number.
Do I need hands-on FortiGate experience to pass?
Effectively yes. This is an administrator exam, and most objectives are things you configure rather than define. A FortiGate VM or evaluation unit where you can build clusters, policies, inspection profiles, routes, and VPNs is the most valuable preparation tool you have.
Which domains should I focus on?
All five carry equal weight, so none can be skipped. Content inspection has the most objectives, and the deployment and firewall-policy domains underpin everything else, so they reward early, thorough work. Routing and VPN have fewer objectives but are still a full fifth of the exam each.
What FortiOS version does the exam cover?
The exam description this guide is built from is the FortiGate 7.6 Administrator series. FortiOS behaviour shifts between versions, so study against 7.6 documentation and lab on a matching build to avoid learning behaviour that has since changed.
What is the difference between certificate inspection and deep inspection?
Certificate inspection examines only the certificate and server name without decrypting the session, so it is lighter but cannot inspect the payload. Deep inspection decrypts and re-encrypts the traffic so features like antivirus and web filtering can see inside, which requires a CA certificate that clients trust. Knowing which a scenario needs is a recurring exam theme.
How many practice questions should I do before booking?
Enough that every one of the five domains clears comfortably on questions you have not seen before, and a full timed mock feels relaxed on pacing. Quality of review beats raw volume: read the worked explanation on every question, including the ones you answered correctly.
Is FCP-FGT-AD worth it for network and security professionals?
It is a well-regarded credential for administrators who deploy and run FortiGate firewalls day to day, because it validates hands-on competence with the product rather than general firewall theory. The preparation itself is useful: mapping FortiOS behaviour precisely, particularly around policy order, NAT objects, and inspection modes, tends to close the gaps that accumulate in self-taught configurations. A common next step is one of the specialist FCP tracks such as FortiManager or FortiAnalyzer, or deepening into the NSE 7 level for more advanced Fortinet infrastructure.
Examworthy is not affiliated with or endorsed by Fortinet. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. FCP-FGT-AD and related marks belong to their respective owners.