FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Free Practice Exam Questions (2026 Updated)

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.

Exact Extract: Study Guide p.58: Log View search results can be downloaded, and raw/text filtering helps with exact field syntax.

Technical Deep Dive: The correct answers are A and D. FortiAnalyzer Log View allows administrators to download filtered logs as text or CSV, so the displayed search results can be exported to a file. The exhibit also indicates a text-mode search/filter rather than a purely GUI-built filter. Option B would be true for formatted log tables in general, but the question asks what can be concluded from the displayed search results. Option C is not supported; whether FortiView can analyze related data depends on whether the logs are analytics logs, not merely on the search display.

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.

Exact Extract: Study Guide p.118: token usage includes prompt and response; more text and larger responses consume more tokens.

Technical Deep Dive: The correct answer is A. The best low-token prompt is concise and scoped: it specifies the endpoint and limits the response to the past week. Option C is verbose and asks for all log entries, increasing both input and output tokens. Option B asks for all logs for the past week without limiting to an endpoint, which can generate a large response. Option D is short, but it lacks a time window, so it can produce a broader and more token-heavy response than option A.

Exact Extract: Study Guide p.216: playbook jobs with one or more failed tasks are labeled Failed, even if some actions succeeded.

Technical Deep Dive: The correct answer is C. FortiAnalyzer marks the overall playbook job as Failed when any task in the job fails. That does not mean every task failed; it means the job requires review because the workflow did not complete cleanly. Option A is not the status described in the FortiAnalyzer guide for this scenario. Option B is a task-dependency style outcome, not the overall job status tested here. Option D is wrong because success requires all required tasks to complete successfully.

Exact Extract: Study Guide p.126: threat hunting is a proactive search for suspicious or risky network activity.

Technical Deep Dive: The correct answer is D. Threat hunting is FortiAnalyzer’s proactive investigation workflow. Instead of waiting for an event handler or incident to tell the SOC what happened, the analyst begins with a hypothesis and searches logs for suspicious patterns. FortiView is valuable for visibility but is not, by itself, the named proactive method. Outbreak alerts notify about emerging threats, and the Incidents dashboard manages known incidents. Threat hunting is the feature that best matches proactive network-security management.

Exact Extract: Study Guide p.82: " Unhandled " indicates the security event risk is considered open.

Technical Deep Dive: The displayed event is best interpreted as open/unhandled, so the correct answer is C. In FortiAnalyzer, event status is not just a label; it tells the analyst whether the risk still requires action. A risk source being isolated would map to Contained, while traffic being blocked or dropped maps to Mitigated. An incident being created from an event is a separate workflow action and cannot be concluded from the event status alone unless the exhibit explicitly shows the incident linkage.

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.189: verify logs from the report time frame and test the dataset query when expected data is missing.

Technical Deep Dive: The correct answers are A and D. This duplicate scenario tests the same reporting troubleshooting logic. A report can be empty or incomplete even while the logs exist if the report uses a time window that excludes them or if the dataset filters them out. Testing the dataset proves whether the SQL query is actually retrieving the intended rows. Disabling auto-cache is a performance workaround only in very specific stale-cache investigations and is not the recommended first step. Report quota is not the issue when the report runs but contains the wrong data.

Exact Extract: Study Guide p.181: output profiles specify report format and whether to email or upload generated reports.

Technical Deep Dive: The correct answer is D. The mail server being configured only gives FortiAnalyzer the ability to send email. To send generated reports automatically, the report must use an output profile that defines the delivery method and recipients or upload target. Option A is not a report-level distribution setting. Option B confuses report layout content with report delivery. Option C is wrong because the report calendar shows scheduled report status; scheduling and distribution are configured in the report settings and output profile.

Exact Extract: Study Guide p.188: diagnose sql status sqlreportd checks SQL query connections and hcache status for reports.

Technical Deep Dive: The correct answer is C. The sqlreportd diagnostic is a report troubleshooting command focused on SQL query connections and hcache status. It is useful when reports are slow because report generation depends heavily on hcache and SQL query execution. Option A is handled by scheduled report listing commands. Option B maps to diagnose sql process list. Option D maps more closely to sqlplugind insertion status, not sqlreportd.

Exact Extract: Study Guide p.59: event logs show system-wide information; application logs are ADOM-specific, and non-root ADOMs show only application logs.

Technical Deep Dive: The correct answers are C and D. FortiAnalyzer local logs include system-wide event logs and ADOM-specific application logs. Because non-root ADOMs show only application logs, system event logs are effectively a root-ADOM visibility item. Option A is wrong because local audit logs are accessible in Log View under ADOMs. Option B overstates playbook visibility; playbook/application logs are ADOM-specific and should not be treated as all centralized in root for every ADOM.

Exact Extract: Study Guide p.168-p.172: templates define layout, while reports include report settings and more configuration.

Technical Deep Dive: The correct answer is A. Reports provide more configuration options because they include the layout/template plus operational settings such as time period, target devices, scheduling, filters, output behavior, and advanced settings. Templates contain the Editor-tab layout elements and do not include basic or advanced report settings. Option B is wrong because both reports and templates can be cloned. Option C is wrong because templates can include macros. Option D is wrong because templates are not mapped to device groups as stated.

Exact Extract: Study Guide p.130: the IOC service uses FortiGuard and analyzes web filtering, DNS, and traffic logs for breach detection.

Technical Deep Dive: The correct answers are B and D. To view compromised hosts, FortiAnalyzer needs relevant logs that expose suspicious destinations or web activity, and it needs current FortiGuard IOC intelligence. Web filtering logs are especially important because they contain URL/domain activity that can be compared with FortiGuard threat intelligence. The FortiGuard subscription keeps the threat database current. Option A may help identify devices in some FortiGate workflows, but it is not the core IOC requirement described in the Analyst guide. Option C is wrong because FortiAnalyzer does not need direct reachability to every endpoint; it evaluates logs received from FortiGate.

Exact Extract: Study Guide p.134-p.135: Outbreak Detection Service is licensed and downloads related event handlers and reports from FortiGuard.

Technical Deep Dive: The correct answers are A and B. The Outbreak Detection Service requires a license and allows FortiAnalyzer to receive outbreak alerts and automatically download related event handlers and reports created by Fortinet for emerging threats. Option C is wrong because outbreak alerts are available on all ADOMs, not root only. Option D is not the core mechanism described in the guide; the feature is FortiGuard-delivered content within FortiAnalyzer, not simply email-based alerting.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that to understand log volume and disk quota, administrators can use CLI commands “to gather log rate and device usage statistics.” It separately states that to understand “the log rate and log volume per ADOM,” administrators use CLI commands that gather “log rate and volume statistics” per ADOM. The guide also explains a different dashboard metric, Insert Rate vs Receive Rate , where receive rate is the rate raw logs reach FortiAnalyzer and insert rate is the rate logs are indexed by the SQL database and sqlplugind daemon.

Technical Deep Dive: The correct answer is B because the exhibit shows the commands:

diagnose fortilogd lograte

diagnose fortilogd msgrate

These commands display FortiAnalyzer-wide log/message rate statistics for recent intervals: last 5 seconds, last 30 seconds, and last 60 seconds. The output does not show an ADOM name, ADOM ID, device name, log type breakdown, traffic/event category, or per-ADOM quota field. Therefore, the safest conclusion from the exhibit is that this output is not ADOM-specific .

Option A is wrong because the exhibit is not showing indexing values. Indexing health is normally evaluated using insert rate , receive rate , and log insert lag time , which relate to how quickly FortiAnalyzer inserts logs into the SQL database. The exhibit only shows fortilogd log rate and message rate, not SQL insert/indexing lag.

Option C is wrong because there is no breakdown between traffic logs and event logs. The output gives only aggregate rate values, so you cannot conclude whether traffic logs outnumber event logs.

Option D is wrong because a higher log rate than message rate is not automatically abnormal. The output simply shows two different rate counters. Nothing in the exhibit indicates a fault condition, queue buildup, SQL lag, or database indexing issue.

Exact Extract: Study Guide p.211: trigger variables use information from the event or incident trigger in later playbook tasks.

Technical Deep Dive: The correct answer is B. Trigger variables allow a playbook task to reuse values from the event or incident that started the playbook, such as endpoint IP, device, severity, or incident fields. That allows a task to filter a report, get matching logs, or target a response action dynamically. Option A describes monitoring statistics, not variables. Option C reverses the relationship: the trigger starts the playbook, and the variables are then available to tasks. Option D is unrelated to ON_SCHEDULE timing.

Exact Extract: Study Guide p.217: zipped/base64 encoded JSON is one of the playbook export data types.

Technical Deep Dive: The correct answer is A. The exhibit shows encoded data rather than readable plain-text JSON, which indicates the playbook was exported in the zipped/base64 encoded format. That does not mean the playbook is misconfigured. It also does not prove connectors were excluded; connector inclusion is a separate export option. There is no indication of password protection. The key visual clue is that the export contains encoded data plus integrity information instead of a readable JSON playbook structure.

Exact Extract: Official Fortinet Administration Guide: Management Extension Applications are installed and run on FortiAnalyzer; CLI options include enabling the fortisoar container.

Technical Deep Dive: The correct answer is B. FortiSOAR MEA is a management extension application hosted by FortiAnalyzer, not a separate FortiSOAR appliance requirement for this question. FortiAnalyzer uses Docker-based MEA support, and FortiSOAR MEA is one of the supported extensions. Option A is wrong because FortiManager is not required just to run the FortiSOAR MEA. Option C describes a standalone FortiSOAR deployment, not the management extension. Option D is wrong because Fortinet documents FortiSOAR MEA trial licensing behavior for evaluation use.