FCP_FAZ_AN-7.6 Sample Questions Answers

Exact Extract: Study Guide p.188: diagnose sql status sqlreportd checks SQL query connections and hcache status for reports.

Technical Deep Dive: The correct answer is C. The sqlreportd diagnostic is a report troubleshooting command focused on SQL query connections and hcache status. It is useful when reports are slow because report generation depends heavily on hcache and SQL query execution. Option A is handled by scheduled report listing commands. Option B maps to diagnose sql process list. Option D maps more closely to sqlplugind insertion status, not sqlreportd.

Exact Extract: Study Guide p.217: zipped/base64 encoded JSON is one of the playbook export data types.

Technical Deep Dive: The correct answer is A. The exhibit shows encoded data rather than readable plain-text JSON, which indicates the playbook was exported in the zipped/base64 encoded format. That does not mean the playbook is misconfigured. It also does not prove connectors were excluded; connector inclusion is a separate export option. There is no indication of password protection. The key visual clue is that the export contains encoded data plus integrity information instead of a readable JSON playbook structure.

Exact Extract: Study Guide p.216: Playbook Monitor provides detailed logs, and failed jobs may include successful individual tasks.

Technical Deep Dive: The correct answers are B and D. Playbook Monitor is the troubleshooting location for playbook execution, and View Log shows task-level detail for the job. A failed playbook job does not mean every task failed; the guide explicitly notes some individual actions may complete successfully. Option A is wrong because FortiAnalyzer does not roll back all completed external or local actions just because a later task failed. Option C is not described as a default debugging playbook workflow in the guide.

Exact Extract: Study Guide p.107: more than one Fabric connector can be configured, with the same or different notification settings.

Technical Deep Dive: The correct answer is A. FortiAnalyzer can send incident status-change notifications through external platform connectors, and each connector can have its own settings. That flexibility lets a SOC notify Teams, ticketing, or other platforms differently depending on the connector and activity type. Option B is wrong because the guide permits multiple connectors. Option C confuses report output profiles with incident notifications. Option D is too narrow because notifications are not limited only to created or deleted incidents.

Exact Extract: Study Guide p.202: FortiOS connector actions appear only after enabling an automation rule using the Incoming Webhook Call trigger on FortiGate.

Technical Deep Dive: The correct answer is D. A FortiAnalyzer playbook can list a FortiOS connector after FortiGate is added, but the available FortiOS actions depend on FortiGate-side automation rules. FortiGate must expose an Incoming Webhook trigger so FortiAnalyzer can call the automation stitch. A FortiAnalyzer Event Handler is used on FortiAnalyzer to generate events, not to expose FortiOS connector actions. Fabric Connector events and FortiOS Event Log triggers do not provide the FortiAnalyzer-to-FortiGate action handoff tested here.

Exact Extract: Study Guide p.210: after creating a new playbook, FortiAnalyzer needs a few minutes to parse it.

Technical Deep Dive: The correct answer is A. FortiAnalyzer must parse the newly created playbook before it can execute reliably. Parsing checks the playbook definition and prepares it for execution by the automation engine. Option B is wrong because FortiAnalyzer is not automatically debugging the playbook; debugging happens after a failed or problematic run. Option C is unrelated to playbook creation. Option D is wrong because FortiAnalyzer can track multiple jobs; the wait is about playbook parsing, not waiting for all other playbooks to stop.

Exact Extract: Study Guide p.157-p.158: report datasets use SQL SELECT queries, and clauses must be in the correct order.

Technical Deep Dive: The correct answer is A. The valid query must select the required fields, read from $log, apply the filter for the source IP, group the selected values, and order the output as expected. Option A follows the SQL structure FortiAnalyzer expects for report datasets. The incorrect options either reverse the filter logic, place clauses in the wrong order, or use malformed aliases/conditions. In FortiAnalyzer reporting, a syntactically correct dataset is mandatory because the chart receives only the data returned by that SQL SELECT query.

Exact Extract: Study Guide p.217-p.218: exported playbooks preserve enabled/disabled status, and name conflicts are handled on import.

Technical Deep Dive: The correct answers are A and C. A playbook imported into another ADOM or FortiAnalyzer retains the enabled or disabled status it had when exported, which is why automatic playbooks should be exported disabled. If an imported playbook name already exists, FortiAnalyzer creates a new name with a timestamp to avoid conflicts, so importing with the same name is allowed. Option B is wrong because connectors can be included in the export. Option D is wrong because multiple playbooks can be exported at once.

Exact Extract: Study Guide p.141: Insert Rate is the rate logs are indexed; Receive Rate is the rate raw logs reach FortiAnalyzer.

Technical Deep Dive: The correct answer is A. At the indicated time, the insert-rate value is higher than the receive-rate value, which means FortiAnalyzer is indexing logs faster than new logs are arriving. This can happen when the database is catching up with previously received logs. Option B is too literal and unsupported; the graph shows rates, not a one-log daemon lead. Option C is wrong because a rebuild is not indicated by a single favorable rate point. Option D would apply when received logs are waiting because indexing is behind, which is the reverse condition.

Exact Extract: Study Guide p.64-p.65: FortiView summarizes threats and can export FortiView information as a PDF file.

Technical Deep Dive: The correct answer is D. FortiView provides dashboard views such as Threats, where identified threats within a selected timeframe are summarized and organized for analysis. The guide also states FortiView information can be exported as a PDF. Log Browse and Log View are useful for searching individual logs, but they do not provide the same threat-summary dashboard workflow. Fabric View is for Security Fabric topology and inventory context, not top-threat investigation and PDF export.

Exact Extract: Study Guide p.120: FortiAI can support incident investigation, response, threat hunting, impact analysis, and remediation recommendations.

Technical Deep Dive: The correct answers are B, C, and E. FortiAI in FortiAnalyzer is designed to assist SOC workflows: interpreting security events, generating incident summaries, identifying possible impacts, recommending remediation, generating queries, and supporting threat hunting. Site-to-site VPN and SD-WAN overlay configuration are FortiGate/FortiManager network configuration tasks, not the FortiAnalyzer FortiAI use cases described in the Analyst guide. The guide keeps FortiAI scoped to FortiAnalyzer security operations and analytics workflows.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide explains that FortiView provides dashboards for summarized network information, and that the Threats dashboard shows “top threats.” It also states that from a FortiView widget, “you can find more details about a specific entry,” and that the Top Threats widget displays the top threats, including IPS events and related CVE information when available.

Technical Deep Dive: The correct answer is A because the FortiView Top Threats table includes an entry named Apache.Expect.Header.XSS . That threat name directly indicates a cross-site scripting/XSS-related signature associated with Apache. The same row shows the threat type as IPS , meaning FortiAnalyzer is displaying it as an IPS-detected threat event. Therefore, the analyst can reasonably conclude that FortiAnalyzer recorded XSS attack activity against an Apache web server or Apache-related service.

Option B is not supported. The presence of a CVE ID provides vulnerability context, but it does not automatically mean that attack must be prioritized over every other entry. In FortiAnalyzer/FortiView, prioritization depends on threat level, threat score, incident count, affected assets, and SOC impact. In the exhibit, some entries without CVE IDs have higher threat scores and more incidents than the Apache XSS entry.

Option C is wrong because the exhibit itself includes non-IPS threat types, such as Malicious Website and P2P . FortiAnalyzer does not treat only IPS threats as genuine threats. FortiView aggregates multiple security-relevant categories so analysts can review threats across different log and detection types.

Option D is not a safe conclusion. The displayed table does not show a Critical threat level in the visible rows, but that does not prove that no critical threats exist. The view may be filtered, scoped by time, or limited to the currently displayed Top Threats entries. A SOC analyst should not infer total absence of critical threats from a filtered widget alone.

Exact Extract: Study Guide p.211: trigger variables use information from the event or incident trigger in later playbook tasks.

Technical Deep Dive: The correct answer is B. Trigger variables allow a playbook task to reuse values from the event or incident that started the playbook, such as endpoint IP, device, severity, or incident fields. That allows a task to filter a report, get matching logs, or target a response action dynamically. Option A describes monitoring statistics, not variables. Option C reverses the relationship: the trigger starts the playbook, and the variables are then available to tasks. Option D is unrelated to ON_SCHEDULE timing.

Exact Extract: Study Guide p.78 and p.81: a data selector is a common filter applied before every rule in the event handler.

Technical Deep Dive: The correct answer is C. Data selectors prevent analysts from repeating the same filtering logic in each event-handler rule. They narrow the data evaluated by the handler using device, subnet, and log-field criteria before individual rules are processed. Option A is wrong because data selectors do not control what FortiAnalyzer accepts from registered devices. Option B is invented; they do not download filters. Option D is too broad because a data selector is applied to selected handlers, not automatically to all event handlers at the same time.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that to understand log volume and disk quota, administrators can use CLI commands “to gather log rate and device usage statistics.” It separately states that to understand “the log rate and log volume per ADOM,” administrators use CLI commands that gather “log rate and volume statistics” per ADOM. The guide also explains a different dashboard metric, Insert Rate vs Receive Rate , where receive rate is the rate raw logs reach FortiAnalyzer and insert rate is the rate logs are indexed by the SQL database and sqlplugind daemon.

Technical Deep Dive: The correct answer is B because the exhibit shows the commands:

diagnose fortilogd lograte

diagnose fortilogd msgrate

These commands display FortiAnalyzer-wide log/message rate statistics for recent intervals: last 5 seconds, last 30 seconds, and last 60 seconds. The output does not show an ADOM name, ADOM ID, device name, log type breakdown, traffic/event category, or per-ADOM quota field. Therefore, the safest conclusion from the exhibit is that this output is not ADOM-specific .

Option A is wrong because the exhibit is not showing indexing values. Indexing health is normally evaluated using insert rate , receive rate , and log insert lag time , which relate to how quickly FortiAnalyzer inserts logs into the SQL database. The exhibit only shows fortilogd log rate and message rate, not SQL insert/indexing lag.

Option C is wrong because there is no breakdown between traffic logs and event logs. The output gives only aggregate rate values, so you cannot conclude whether traffic logs outnumber event logs.

Option D is wrong because a higher log rate than message rate is not automatically abnormal. The output simply shows two different rate counters. Nothing in the exhibit indicates a fault condition, queue buildup, SQL lag, or database indexing issue.

Exact Extract: Study Guide p.189: verify logs from the report time frame and test the dataset query when expected data is missing.

Technical Deep Dive: The correct answers are A and D. This duplicate scenario tests the same reporting troubleshooting logic. A report can be empty or incomplete even while the logs exist if the report uses a time window that excludes them or if the dataset filters them out. Testing the dataset proves whether the SQL query is actually retrieving the intended rows. Disabling auto-cache is a performance workaround only in very specific stale-cache investigations and is not the recommended first step. Report quota is not the issue when the report runs but contains the wrong data.

Exact Extract: Study Guide p.43 and p.58: Log View uses normalized format, and the GUI can toggle between formatted and raw log views.

Technical Deep Dive: The correct answers are A and D. The exhibit shows a raw key/value style log display, so it is in raw log format. However, in FortiAnalyzer Log View, received device logs are parsed and normalized for consistent fields, even when the analyst toggles into raw display. Option B is wrong because formatted view would appear as structured table columns. Option C is not the best conclusion because the displayed raw view is not necessarily the untouched original FortiGate message; it is the raw display of FortiAnalyzer’s stored/normalized log data.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that administrators can use CLI commands “to gather log rate and device usage statistics” to understand “the log volume and whether your disk quota is configured appropriately.” It also explains that if log volume is too high, FortiAnalyzer may not be able to retain “analytics logs or archive logs for the amount of time configured in the ADOM.”

Technical Deep Dive: The correct answer is B because the exhibit shows the disk quota allocation for ADOM1 split into two major areas: Logs and Database . Under the ADOM1 row, the Logs quota is shown as 900.0 MB , and the Database quota is shown as 2.1 GB . When these are added together, the total allocated quota for ADOM1 is approximately 3 GB .

Option A is not the best answer because the output does not show that ADOM1 has exactly 300 MB of total disk space remaining. It is true that the Logs section has roughly 299 MB remaining because 900 MB quota minus 601 MB used is about 299 MB. However, the question asks what can be concluded from the whole output, and the output also includes the database quota and database usage. So treating 300 MB as the total remaining ADOM space is incomplete.

Option C is wrong because archive/log-file usage is not greater than analytic/database usage in the output. The Logs section shows about 601 MB used, while the Database section shows about 1.9 GB used. The study guide separates archive logs from analytics logs: archive logs are rolled and compressed log files, while analytics logs are indexed in the SQL database for immediate analysis. Here, the database/analytic side is using more space than the log/archive side.

Option D is wrong because the exhibit showing 0.0 KB for quarantine does not mean no quota is allocated to quarantining files. It only means quarantine usage is currently zero. The output is reporting current disk usage and quota allocation, not proving that quarantine storage is unavailable.

Exact Extract: Study Guide p.19-p.20: the Security Fabric root/upstream FortiGate relationship affects how traffic and UTM logs are correlated.

Technical Deep Dive: The correct answer is B. The output indicates FGT_B is acting as the Security Fabric root. In Security Fabric logging, FortiAnalyzer uses Fabric relationships to correlate logs and avoid duplicate traffic logging. The other options draw conclusions the output does not support: disk quota allocation to quarantine files, exact ADOM disk quota size, or archive-versus-analytics usage require explicit storage lines. The Fabric root conclusion is the one directly supported by the displayed Fabric relationship information.

Exact Extract: Study Guide p.157-p.159: datasets are SQL SELECT queries over $log, and WHERE filters narrow returned log rows.

Technical Deep Dive: The correct answer is A. The required dataset must select source IP, destination IP, and URL from $log, then filter web-filter logs where the category description equals Gambling. Option A uses the correct fields and catdesc filter. Option B incorrectly uses IPv6 aliases that do not match the expected output. Option C filters Dating instead of Gambling. Option D reverses the table and filter logic by placing Gambling in the FROM position and $log in the WHERE expression, which is invalid for the intended dataset.