Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free FCP FortiAuthenticator 6.5 Practice Questions

Pass your Fortinet FCP - FortiAuthenticator 6.5 Administrator (FCP_FAC_AD-6.5) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not published Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

When FortiAuthenticator brokers SAML SSO for SaaS and wants to push group claims to the SP, where are the claims defined?

A
B
C
D
to track
Same family resources

Explore More Fortinet Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Fortinet NSE 4 Network Security Professional

Practice Questions
1 blog

Fortinet NSE 7 Network Security Architect

Practice Questions

Fortinet FCP FortiAnalyzer 7.4 Administrator (FCP_FAZ_AD-7.4)

Practice Questions

Fortinet FCP FortiClient EMS 7.4 Administrator (FCP_FCT_AD-7.4)

Practice Questions

Fortinet FCP FortiMail 7.4 Administrator (FCP_FML_AD-7.4)

Practice Questions

Fortinet FCP FortiManager 7.4 Administrator (FCP_FMG_AD-7.4)

Practice Questions

More From This Family

Videos and articles for deeper review.

ArticleFREE Fortinet NSE 4 Exam Guide 2026: FortiOS 7.6, FCP Rebrand, Pass First Try22 min read
2026 Statistics

Key Facts: FCP FortiAuthenticator 6.5 Exam

30

Questions

Fortinet exam description

60 min

Exam Duration

Fortinet

Pass/Fail

Scoring

No published numeric threshold

$200

Exam Fee

Fortinet / Pearson VUE

6.5

Software Version

FortiAuthenticator

2 years

Cert Validity

Fortinet FCP

The FCP FortiAuthenticator 6.5 Administrator (FCP_FAC_AD-6.5) exam has 30 multiple-choice questions delivered in 60 minutes through Pearson VUE for $200 USD, scored as pass/fail with no public numeric threshold. The credential is part of the Fortinet Certified Professional track and covers FortiAuthenticator deployment, user management, PKI, SSO, and troubleshooting on the 6.5 release. FortiAuthenticator is Fortinet's identity-and-access management appliance for RADIUS, LDAP, SAML, OAuth/OIDC, FSSO/RSSO, and MFA. The certification remains valid for two years before recertification is required.

Sample FCP FortiAuthenticator 6.5 Practice Questions

Try these sample questions to test your FCP FortiAuthenticator 6.5 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which FortiAuthenticator hardware appliance is positioned as the entry-level 1U platform for small to mid-sized deployments?
A.FAC-200F
B.FAC-400F
C.FAC-3000F
D.FAC-VM-Base
Explanation: The FAC-200F is the entry-level 1U hardware appliance in the FortiAuthenticator family, designed for small to mid-sized organizations. It supports a baseline number of users that can be expanded with additional user licenses up to its hardware ceiling.
2An administrator needs to deploy FortiAuthenticator on VMware ESXi. Which capacity model determines how many users can authenticate against the VM?
A.Number of vCPUs assigned to the VM
B.User license tier installed on the VM
C.Disk size selected at deployment
D.FortiOS version on the connected FortiGate
Explanation: FortiAuthenticator-VM capacity is governed by the user license tier installed on the appliance. The VM ships as FAC-VM-Base, and stackable user licenses raise the maximum number of users the appliance can manage.
3Two FortiAuthenticator appliances are configured as an HA active-passive cluster. Which interface role is reserved for synchronizing configuration and the heartbeat between cluster members?
A.The management interface (port1)
B.A dedicated HA interface defined in the cluster configuration
C.The portal services interface used by clients
D.The OOB serial console
Explanation: Active-passive HA on FortiAuthenticator uses a dedicated HA interface for heartbeat traffic and configuration synchronization between members. The HA link must reach both peers and is configured separately from user-facing service interfaces.
4A customer wants two FortiAuthenticator nodes to share authentication load and present a common service. Which HA mode supports this requirement?
A.Active-passive standalone
B.Active-active load balancing cluster
C.Independent units with manual configuration replication
D.Cold standby
Explanation: Active-active load balancing on FortiAuthenticator distributes RADIUS, LDAP, and portal authentication requests across cluster members so that both nodes process traffic concurrently while sharing configuration and user data.
5After racking a new FortiAuthenticator, an administrator runs initial configuration. Which CLI command shows current firmware version, serial number, and uptime?
A.diagnose system reload
B.get system status
C.execute factoryreset
D.show full-configuration
Explanation: `get system status` returns FortiAuthenticator system identity information including firmware version, build, serial number, hostname, and uptime. It is one of the first commands used to confirm baseline state.
6Where in the FortiAuthenticator GUI is the device hostname, time zone, and primary DNS configured?
A.Authentication > User Management > Local Users
B.System > Dashboard > Status
C.System > Network > Interfaces and System > Administration > System Access
D.Logging > Log Settings
Explanation: Initial system identity, DNS, and management settings are configured under System > Network > Interfaces and System > Administration. Time zone and time sync (NTP) live under System > Administration > System Access or System > Dashboard, depending on the FortiAuthenticator 6.5 build.
7An administrator wants to allow only specific source IPs to access the FortiAuthenticator GUI. Which feature enforces this restriction?
A.Trusted hosts on the admin profile
B.RADIUS NAS clients list
C.Local CA configuration
D.FSSO collector ACL
Explanation: Trusted hosts on the administrator account or admin profile restrict the source IP addresses or subnets allowed to authenticate to the GUI and CLI. This is a baseline security best practice.
8Which statement correctly describes user license behavior on FortiAuthenticator?
A.Each user license is consumed only when a user authenticates
B.User licenses are cumulative and stack on the appliance base SKU up to the hardware or VM ceiling
C.User licenses must be re-applied after every firmware upgrade
D.User licenses are tied to per-NAS device counts
Explanation: FortiAuthenticator user licenses are additive. Stacking licenses raises the user ceiling, capped by the platform's maximum supported users. Licenses persist across firmware upgrades.
9Which FortiAuthenticator hardware platform is positioned for large enterprise deployments with the highest user ceiling?
A.FAC-200F
B.FAC-400F
C.FAC-3000F
D.FAC-VM-Trial
Explanation: The FAC-3000F is Fortinet's high-end FortiAuthenticator hardware appliance, sized for large enterprise identity-management workloads with the highest stackable user ceiling among current 'F' series models.
10An administrator restores a FortiAuthenticator configuration backup on a different unit. Which item from the original system is NOT restored automatically by a configuration restore?
A.Local user database entries
B.Hardware serial number and license keys
C.Local CA certificates
D.RADIUS clients and profiles
Explanation: Configuration backups carry over local users, RADIUS clients, profiles, certificates and other configuration state, but not the destination unit's hardware serial or license entitlements. License keys are tied to the device they were issued to.

About the FCP FortiAuthenticator 6.5 Exam

The Fortinet FCP FortiAuthenticator 6.5 Administrator certification validates skills required to deploy, configure, and operate FortiAuthenticator 6.5 as the identity-and-access foundation of a Fortinet Security Fabric. Topics include FortiAuthenticator hardware (FAC-200F, FAC-400F, FAC-3000F) and VM platforms, HA active-passive cluster heartbeat and active-active load balancing, user license tiers, local users, Active Directory and OpenLDAP integration, RADIUS profiles, realms, and proxy, RADIUS attributes (Class, NAS-Port-Type, Filter-Id, Tunnel-Pvt-Group-ID), 802.1X EAP-PEAP/EAP-TLS/EAP-GTC, SAML 2.0 IdP and SP roles, OAuth 2.0 / OpenID Connect, MFA factors (FortiToken Mobile push and OTP, hardware FortiToken-200/220/410, FIDO2/WebAuthn, SMS and email OTP), the internal Certification Authority (root and subordinate CA), certificate templates, SCEP enrollment, OCSP responder, CRL publishing, FSSO collectors (DC Agent, FSSO Collector Agent, polling mode), RSSO, Kerberos SSO with SPNEGO/keytab, captive portal and self-service portals, MAC-based authentication, and troubleshooting with debug logs, raw-debug, configuration extracts, and `diagnose sniffer packet` captures.

Assessment

30 multiple-choice questions covering FortiAuthenticator deployment and configuration, user management and authentication, PKI and certificate management, single sign-on (FSSO/RSSO/Kerberos/SAML), and monitoring and troubleshooting

Time Limit

60 minutes

Passing Score

Pass/Fail

Exam Fee

$200 USD (Fortinet / Pearson VUE)

FCP FortiAuthenticator 6.5 Exam Content Outline

~20%

FortiAuthenticator Deployment & Configuration

Initial setup, hardware (FAC-200F, FAC-400F, FAC-3000F) and VM, user license stacking, HA active-passive cluster (heartbeat), HA active-active load balancing, admin profiles, trusted hosts, REST API access, backups and restore

~20%

User Management & Authentication

Local users, Active Directory and OpenLDAP via LDAP/LDAPS, RADIUS profiles and realms, RADIUS proxy, RADIUS attributes (Class, NAS-Port-Type, Filter-Id, Tunnel-Pvt-Group-ID), 802.1X EAP-PEAP/EAP-TLS/EAP-GTC, SAML IdP and SP, OAuth 2.0/OIDC, MFA factors (FortiToken Mobile push/OTP, FortiToken-200/220, FIDO2/WebAuthn, SMS/email OTP), self-service and guest portals, MAC-based authentication

~20%

PKI & Certificate Management

Internal CA (root and subordinate), certificate templates, EAP-TLS server certificates, SCEP for IoT/network device enrollment, OCSP responder, CRL publishing, trusted CAs, key usage and EKU, revocation reason codes, CA key rotation

~20%

Single Sign-On (SSO)

FSSO collectors (DC Agent, FSSO Collector Agent, polling mode), Citrix/RDS TS Agent, FortiAuthenticator as FSSO carrier to FortiGate over TCP 8000, RSSO with RADIUS accounting, Kerberos SSO with SPNEGO and keytab, SAML claim and attribute mapping

~20%

Monitoring & Troubleshooting

Authentication and event/audit logs, debug subsystems, `diagnose sniffer packet`, `get system status`, sanitized configuration extracts, RADIUS/LDAP/SAML troubleshooting, FortiToken Mobile push reachability, TOTP time drift, CRL and OCSP issues

How to Pass the FCP FortiAuthenticator 6.5 Exam

What You Need to Know

  • Passing score: Pass/Fail
  • Assessment: 30 multiple-choice questions covering FortiAuthenticator deployment and configuration, user management and authentication, PKI and certificate management, single sign-on (FSSO/RSSO/Kerberos/SAML), and monitoring and troubleshooting
  • Time limit: 60 minutes
  • Exam fee: $200 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

FCP FortiAuthenticator 6.5 Study Tips from Top Performers

1Build a FortiAuthenticator 6.5 lab (VM trial works) and authorize at least one FortiGate so you can practice RADIUS, FSSO, and SAML end-to-end
2Master the RADIUS attribute set tested by Fortinet: Class (25), NAS-Port-Type (61), Filter-Id (11), Tunnel-Type (64), Tunnel-Medium-Type (65), and Tunnel-Private-Group-ID (81)
3Practice both HA modes: configure an active-passive cluster (heartbeat over the dedicated HA interface) and an active-active load-balancing cluster
4Enroll an EAP-TLS supplicant against the Local CA - confirm the server certificate has the 'TLS Web Server Authentication' EKU and the supplicant trusts the chain
5Wire all three FSSO modes - DC Agent, polling mode, and FortiAuthenticator as the FSSO carrier to FortiGate on TCP 8000 - and verify mappings on the FortiGate
6Memorize debug workflows: `diagnose sniffer packet any 'port 1812 or port 1813' 4`, `get system status`, and how to sanitize a `show full-configuration` extract for TAC

Frequently Asked Questions

What is the Fortinet FCP_FAC_AD-6.5 exam?

FCP_FAC_AD-6.5 is the Fortinet Certified Professional - FortiAuthenticator 6.5 Administrator exam. It validates applied knowledge of FortiAuthenticator deployment and operations, including users, PKI, SSO, MFA, and troubleshooting. The exam contains 30 multiple-choice questions delivered in 60 minutes through Pearson VUE.

How much does the FCP FortiAuthenticator 6.5 exam cost?

The exam fee is $200 USD per attempt through Pearson VUE, consistent with Fortinet's Certified Professional (FCP) tier pricing. Vouchers, retake bundles, and partner discounts may apply depending on region and program. Pricing is set by Fortinet and may change.

What is the passing score for FCP_FAC_AD-6.5?

Fortinet does not publish a numeric passing score for FCP exams. The result is reported as pass or fail at the end of the test. Plan to achieve high confidence across all five exam topic areas rather than targeting a specific percentage.

What topics are covered on the FortiAuthenticator 6.5 Administrator exam?

The exam description groups content into five areas: FortiAuthenticator deployment and configuration, user management and authentication (including RADIUS, LDAP, SAML, OAuth, MFA, 802.1X), PKI and certificate management (CA, SCEP, OCSP, CRL), single sign-on (FSSO/RSSO, Kerberos), and monitoring and troubleshooting. Domain weightings are not published; we approximate ~20% per area for study planning.

How long should I study for FCP FortiAuthenticator 6.5?

Most candidates study 30-50 hours when they already operate FortiGate. Plan to: 1) Review the official exam description, 2) Set up a FortiAuthenticator 6.5 lab (VM works), 3) Configure RADIUS, LDAP, and an HA cluster, 4) Build a Local CA and enroll an EAP-TLS supplicant, 5) Wire FSSO from a Windows DC, and 6) Complete 100+ practice questions to validate readiness.

How long is the FCP FortiAuthenticator 6.5 certification valid?

Fortinet FCP credentials are valid for two years from the date of passing. Recertification requires passing a current FCP exam in the same track or moving up to FCSS or FCX. Fortinet may update the exam version (for example to a 7.x successor) during the validity period.

Should I expect a 7.x successor to FCP_FAC_AD-6.5?

Fortinet typically refreshes FCP exam versions to align with major product releases. Watch the Fortinet Training Institute portal for any successor (for example a 7.x FortiAuthenticator Administrator exam) before scheduling a fresh attempt, and confirm which version is currently delivered by Pearson VUE.