Fortinet FCP_FAZ_AN-7.6 Dumps

Exact Extract: Study Guide p.82: Unhandled means the security event risk is open and not mitigated or contained.

Technical Deep Dive: The correct answer is D. The exhibit shows the event status as Unhandled, which FortiAnalyzer defines as an open security event risk. That means the analyst should not treat the event as already blocked, quarantined, or isolated. Option A cannot be concluded because incident creation is a separate escalation action. Option B maps to Contained, not Unhandled. Option C uses a workflow term that is not the status shown in the event.

Exact Extract: Study Guide p.107: FortiAnalyzer can send incident notifications to external platforms using Fabric connectors; more than one connector can be added.

Technical Deep Dive: The correct answer is A. Incident update notifications are not restricted to email. FortiAnalyzer can use configured Fabric connectors to notify external collaboration or response platforms, and each connector can be configured for the incident activities that should trigger a notification. Option B is too narrow because email is only one possible delivery model. Option C is wrong because multiple connectors do not have to share identical settings. Option D is wrong because notification triggers are configurable for different incident activities, not only update or delete events.

Exact Extract: Study Guide p.64-p.65: FortiView summarizes threats and can export FortiView information as a PDF file.

Technical Deep Dive: The correct answer is D. FortiView provides dashboard views such as Threats, where identified threats within a selected timeframe are summarized and organized for analysis. The guide also states FortiView information can be exported as a PDF. Log Browse and Log View are useful for searching individual logs, but they do not provide the same threat-summary dashboard workflow. Fabric View is for Security Fabric topology and inventory context, not top-threat investigation and PDF export.

Exact Extract: Study Guide p.78: event handlers can use notification profiles; p.107 describes external notifications through Fabric connectors.

Technical Deep Dive: The correct answers are A and C. When an event handler generates an event, FortiAnalyzer can use notification mechanisms such as SNMP traps through notification profiles. FortiAnalyzer also supports sending alerts to external platforms using configured Fabric connectors. FortiGuard is not an alert delivery server in this workflow; it supplies threat intelligence and outbreak content. SMS notification is not one of the event-handler notification methods described in the guide sections relevant to this question.

Exact Extract: Study Guide p.82: Contained means the risk source is isolated; antivirus quarantine is the example.

Technical Deep Dive: The correct answer is A. An AV log with action=quarantine indicates the detected file or object has been isolated, so FortiAnalyzer classifies the event status as Contained. An IPS action=pass is Unhandled because the risk was not stopped. WebFilter dropped and AppControl blocked are enforcement outcomes, so they align with Mitigated rather than Contained. The distinction matters in SOC triage because Contained still deserves review, but the immediate source/object has already been isolated.

Exact Extract: Study Guide p.139: one log message can consist of multiple logs in LZ4 format, explaining the log-rate/message-rate difference.

Technical Deep Dive: The correct answer is A. In the diagnostic output, the message rate being lower than the log rate is normal because FortiAnalyzer can receive a compressed log message that contains multiple individual logs. The log rate counts logs, while the message rate counts received log messages. Option B is not supported because the output does not prove indexing is almost finished. Option C cannot be inferred unless the command output breaks down traffic versus event log counts. Option D is wrong because these fortilogd rate commands are general logging statistics rather than an ADOM-specific view.

Exact Extract: Study Guide p.57-p.58: filtered Log View examples can show web filter category/action details, including allowed or blocked website categories.

Technical Deep Dive: The correct answer is B. The exhibit indicates social networking web activity is being allowed, not blocked. If the logs were application control logs, the log type/subtype would point to application control rather than web filtering. If unrated websites were blocked, the category/action fields would show that specific category and enforcement action. A custom view cannot be concluded unless the GUI explicitly displays a saved custom view name or custom view indicator.

Exact Extract: Study Guide p.102-p.106: incident charts and status tracking help analysts prioritize and manage incident lifecycle changes.

Technical Deep Dive: The correct answer is C. When an incident is closed as remediated, the incident dashboard and incident status views reflect the updated lifecycle state. FortiAnalyzer keeps incidents visible for tracking and audit unless an administrator deletes them separately. The corresponding event is not automatically rewritten as Mitigated simply because the incident is closed. Incident severity is not automatically lowered by changing status; severity and status are separate incident attributes.

Exact Extract: Study Guide p.82: " Unhandled " indicates the security event risk is considered open.

Technical Deep Dive: The displayed event is best interpreted as open/unhandled, so the correct answer is C. In FortiAnalyzer, event status is not just a label; it tells the analyst whether the risk still requires action. A risk source being isolated would map to Contained, while traffic being blocked or dropped maps to Mitigated. An incident being created from an event is a separate workflow action and cannot be concluded from the event status alone unless the exhibit explicitly shows the incident linkage.

Exact Extract: Study Guide p.185: reports can be attached to incidents manually from an existing report, manually from an incident, or automatically through playbooks.

Technical Deep Dive: The correct answer is A. Incidents are containers for related security events, and attaching a report gives the analyst historical or contextual evidence in addition to real-time event data. Option B is wrong because incident status is managed independently from attached event status. Option C is not a FortiAnalyzer default rule from the guide; SLA response times are organization-specific. Option D is wrong because incidents can be opened and analyzed directly; acknowledgment is not a prerequisite to analysis.

Exact Extract: Study Guide p.39-p.41: logs are saved first, and parsers are needed to normalize raw logs into standardized fields.

Technical Deep Dive: The correct answer is C. FortiAnalyzer does not discard a log simply because a matching parser is unavailable. The received log is still saved in the FortiAnalyzer log workflow. However, normalization requires a parser that can extract fields and map them into FortiAnalyzer’s common schema. Without that parser, the log remains stored but not normalized. Option A is too destructive. Option B assumes a generic parser is automatically applied. Option D confuses storage/archive state with parser availability.

Exact Extract: Study Guide p.54: custom views save search filters, device, and time period for repeated Log View searches.

Technical Deep Dive: The correct answer is B. A custom view is designed for exactly this use case: an analyst repeatedly searches Log View with the same filters and wants to avoid rebuilding them every time. A custom dashboard shows widgets and summary data but does not preserve a Log View search workflow. A data selector is used mainly as a reusable filter for event handlers and related features. A macro is for report data extraction, not for reusing interactive log-search parameters.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that to understand log volume and disk quota, administrators can use CLI commands “to gather log rate and device usage statistics.” It separately states that to understand “the log rate and log volume per ADOM,” administrators use CLI commands that gather “log rate and volume statistics” per ADOM. The guide also explains a different dashboard metric, Insert Rate vs Receive Rate , where receive rate is the rate raw logs reach FortiAnalyzer and insert rate is the rate logs are indexed by the SQL database and sqlplugind daemon.

Technical Deep Dive: The correct answer is B because the exhibit shows the commands:

diagnose fortilogd lograte

diagnose fortilogd msgrate

These commands display FortiAnalyzer-wide log/message rate statistics for recent intervals: last 5 seconds, last 30 seconds, and last 60 seconds. The output does not show an ADOM name, ADOM ID, device name, log type breakdown, traffic/event category, or per-ADOM quota field. Therefore, the safest conclusion from the exhibit is that this output is not ADOM-specific .

Option A is wrong because the exhibit is not showing indexing values. Indexing health is normally evaluated using insert rate , receive rate , and log insert lag time , which relate to how quickly FortiAnalyzer inserts logs into the SQL database. The exhibit only shows fortilogd log rate and message rate, not SQL insert/indexing lag.

Option C is wrong because there is no breakdown between traffic logs and event logs. The output gives only aggregate rate values, so you cannot conclude whether traffic logs outnumber event logs.

Option D is wrong because a higher log rate than message rate is not automatically abnormal. The output simply shows two different rate counters. Nothing in the exhibit indicates a fault condition, queue buildup, SQL lag, or database indexing issue.

Exact Extract: Study Guide p.211: trigger variables use information from the event or incident trigger in later playbook tasks.

Technical Deep Dive: The correct answer is B. Trigger variables allow a playbook task to reuse values from the event or incident that started the playbook, such as endpoint IP, device, severity, or incident fields. That allows a task to filter a report, get matching logs, or target a response action dynamically. Option A describes monitoring statistics, not variables. Option C reverses the relationship: the trigger starts the playbook, and the variables are then available to tasks. Option D is unrelated to ON_SCHEDULE timing.

Exact Extract: Study Guide p.82: " Unhandled " means the security event risk is not mitigated or contained, and an IPS/AV pass action is an example.

Technical Deep Dive: The correct answer is B because an IPS log with action=pass means the traffic matched or was observed in a way that generated a security event, but the traffic was not blocked, dropped, or quarantined. FortiAnalyzer therefore treats the event as still open from a SOC workflow perspective. Option A is wrong because quarantine isolates the malicious object and maps to Contained. Options C and D are wrong because dropped or blocked actions mean enforcement already occurred, which maps to Mitigated rather than Unhandled.

Exact Extract: Study Guide p.216: playbook jobs with one or more failed tasks are labeled Failed, even if some actions succeeded.

Technical Deep Dive: The correct answer is C. FortiAnalyzer marks the overall playbook job as Failed when any task in the job fails. That does not mean every task failed; it means the job requires review because the workflow did not complete cleanly. Option A is not the status described in the FortiAnalyzer guide for this scenario. Option B is a task-dependency style outcome, not the overall job status tested here. Option D is wrong because success requires all required tasks to complete successfully.

Exact Extract: Study Guide p.202: FortiOS connector actions appear only after enabling an automation rule using the Incoming Webhook Call trigger on FortiGate.

Technical Deep Dive: The correct answer is D. A FortiAnalyzer playbook can list a FortiOS connector after FortiGate is added, but the available FortiOS actions depend on FortiGate-side automation rules. FortiGate must expose an Incoming Webhook trigger so FortiAnalyzer can call the automation stitch. A FortiAnalyzer Event Handler is used on FortiAnalyzer to generate events, not to expose FortiOS connector actions. Fabric Connector events and FortiOS Event Log triggers do not provide the FortiAnalyzer-to-FortiGate action handoff tested here.

Exact Extract: Study Guide p.216: Playbook Monitor provides detailed logs, and failed jobs may include successful individual tasks.

Technical Deep Dive: The correct answers are B and D. Playbook Monitor is the troubleshooting location for playbook execution, and View Log shows task-level detail for the job. A failed playbook job does not mean every task failed; the guide explicitly notes some individual actions may complete successfully. Option A is wrong because FortiAnalyzer does not roll back all completed external or local actions just because a later task failed. Option C is not described as a default debugging playbook workflow in the guide.

Exact Extract: Study Guide p.210: after creating a new playbook, FortiAnalyzer needs a few minutes to parse it.

Technical Deep Dive: The correct answer is A. FortiAnalyzer must parse the newly created playbook before it can execute reliably. Parsing checks the playbook definition and prepares it for execution by the automation engine. Option B is wrong because FortiAnalyzer is not automatically debugging the playbook; debugging happens after a failed or problematic run. Option C is unrelated to playbook creation. Option D is wrong because FortiAnalyzer can track multiple jobs; the wait is about playbook parsing, not waiting for all other playbooks to stop.

Exact Extract: Study Guide p.82: Mitigated means a security risk was blocked or dropped.

Technical Deep Dive: The correct answer is C. The exhibit shows a mitigated event with blocked web activity, so the accurate statement is that the security risk was blocked. A dropped action would also be a mitigated outcome, but the displayed event specifically indicates blocked. Option B describes Contained status, where the risk source is isolated. Option D is wrong because the event type shown is Web Filter, not application control. Option A is less precise than the exhibit because the action shown is blocked rather than dropped.

Exact Extract: Study Guide p.19-p.20: the first FortiGate creates the traffic log, while upstream devices complete UTM logging.

Technical Deep Dive: The correct answer is D. Client traffic first reaches the access-layer FortiGate, which creates the initial traffic log. The upstream FortiGate applies the web filter profile; therefore, if the session violates the web filtering policy, the upstream FortiGate generates the web filter UTM log. Because the web filter profile is configured to log only violations, no web filter log appears unless a violation occurs. Options A and C incorrectly place web filter logging on FGT-B. Option B misstates how Security Fabric logging avoids duplicate logs; FortiGates do not notify peers to log the flow.

Exact Extract: Study Guide p.168-p.172: templates define layout, while reports include report settings and more configuration.

Technical Deep Dive: The correct answer is A. Reports provide more configuration options because they include the layout/template plus operational settings such as time period, target devices, scheduling, filters, output behavior, and advanced settings. Templates contain the Editor-tab layout elements and do not include basic or advanced report settings. Option B is wrong because both reports and templates can be cloned. Option C is wrong because templates can include macros. Option D is wrong because templates are not mapped to device groups as stated.

Exact Extract: Official Fortinet Administration Guide: Management Extension Applications are installed and run on FortiAnalyzer; CLI options include enabling the fortisoar container.

Technical Deep Dive: The correct answer is B. FortiSOAR MEA is a management extension application hosted by FortiAnalyzer, not a separate FortiSOAR appliance requirement for this question. FortiAnalyzer uses Docker-based MEA support, and FortiSOAR MEA is one of the supported extensions. Option A is wrong because FortiManager is not required just to run the FortiSOAR MEA. Option C describes a standalone FortiSOAR deployment, not the management extension. Option D is wrong because Fortinet documents FortiSOAR MEA trial licensing behavior for evaluation use.