NSE6_EDR_AD-7.0 Fortinet NSE 6 - FortiEDR 7.0 Administrator Free Practice Exam Questions (2026 Updated)

The correct answers are B and C .

The exhibit shows:

FortiEDR Service: Up

FortiEDR Driver: Up

FortiEDR Status: Degraded (no configuration)

This means the local Collector service and driver are running, but the Collector has not received valid configuration. In FortiEDR, a Collector must register and communicate with the FortiEDR Aggregator to receive its configuration. The guide states that the Collector initially sends registration information to the FortiEDR Aggregator using SSL, sends ongoing health/status/security-event information, and receives its configuration from the Aggregator.

During installation, a non-customized Windows Collector requires the correct Aggregator address , Aggregator port 8081 , and registration password . The guide explicitly states that the Aggregator port should be specified as 8081 , and that the registration password must be entered during installation.

Therefore, an incorrect registration password or incorrect port number can prevent proper registration/configuration retrieval, resulting in a degraded/no-configuration state.

Option A is not the best answer because Windows Firewall being enabled by itself does not automatically cause this FortiEDR status; only if it blocks required FortiEDR communication would it matter, and the option is too generic. Option D is also not correct as written because the Collector receives configuration from the Aggregator , not directly from the Central Manager. The guide describes Collector-to-Aggregator communication for registration and configuration.

=========

The correct answer is A. Core.

For FortiAnalyzer / FortiAnalyzer Cloud integration, the FortiEDR 7.0.0 Administration Guide states that one prerequisite is “A Jumpbox with connectivity to FortiAnalyzer.” The same section says to refer to Setting up the FortiEDR Core for details about installing a FortiEDR Core and configuring it as a Jumpbox. In the connector configuration, the guide also states that the Jumpbox field is used to select the FortiEDR Jumpbox that will communicate with FortiAnalyzer or FortiAnalyzer Cloud.

So, the FortiEDR component associated with JumpBox capability is the Core. The Central Manager must have connectivity to Fortinet Cloud Services, but it is not the component configured as the JumpBox. The Aggregator handles registration, configuration, and monitoring between Collectors/Cores and Central Manager, and the Reputation Server is unrelated to FortiAnalyzer JumpBox communication in this context.

=========

The correct answers are B and C .

The FortiEDR 7.0.0 Administration Guide has a specific troubleshooting section named “A FortiEDR Collector does not display in the INVENTORY tab.” It states that after a Collector is first launched, it registers with the FortiEDR Central Manager and appears in the Inventory tab. If it does not appear, the first checks are to confirm that the device where the Collector is installed is powered on and has Internet connectivity, and to validate that ports 8081 and 555 are available and not blocked by another third-party product.

Option B is therefore correct in the exam sense because ports 8081 and 555 must be open for FortiEDR communication. More precisely, the Collector communicates with the Aggregator on port 8081 and the Core on port 555 , not directly to the Central Manager in every architecture. The option wording says “between the collector and the central manager,” which is technically loose, but the required troubleshooting item is still the port availability.

Option C is also correct because the same guide says to check that the endpoint is powered on and connected. In practical FortiEDR troubleshooting, this includes confirming the FortiEDR Collector service/driver are running on the endpoint; otherwise the Collector cannot register or report health.

Option A is not listed in the FortiEDR guide as a required step for this issue. Option D is not the best answer because the guide says logs are generally retrieved when Fortinet Support requests them, and Collector logs can only be exported for Collectors in Running status; a newly installed Collector that does not appear in Inventory cannot normally be selected from Central Manager for log export.

The correct answer is C. The user account does not have the REST API role assigned .

The exhibit shows a Postman request to the FortiEDR Central Manager REST endpoint:

/management-rest/inventory/list-collectors

The response is 401 Unauthorized , which means the request reached the FortiEDR API endpoint but the supplied user credentials are not authorized for REST API access.

The FortiEDR 7.0.0 Administration Guide states that when adding or editing a user, the Rest API advanced option controls whether the user is allowed to access the FortiEDR Central Manager through API calls. The guide defines this option as: “Rest API — Specifies whether to allow the user to access the FortiEDR Central Manager through API calls.”

Therefore, the most accurate cause is that the account being used in Postman does not have the Rest API permission enabled.

Option A is incorrect because the request uses GET against a list endpoint, and an unsupported method would not normally be represented by this user-authentication failure. Option B is not supported by the exhibit or guide wording; the guide describes enabling REST API access per user. Option D is incorrect because first-login password reset is not the direct cause of this REST API authorization failure. The guide separately discusses password reset and password policy behavior, but that is not what the API error indicates.

The correct answers are B and C .

The FortiEDR 7.0.0 Administration Guide explains that IoT device discovery continuously identifies newly connected non-workstation devices, such as printers, cameras, and media devices. During discovery, each relevant Collector periodically probes nearby neighboring devices. The guide states that nearby devices usually respond by providing information about themselves, including the device/host name and IP address . This directly supports option B .

Option C is also correct because the guide states that Collectors in degraded , disabled , or isolated states do not take part in the IoT probing process. It also says FortiEDR uses the most powerful Collectors in each subnet and excludes weaker Collectors, including disabled and degraded Collectors.

Option A is wrong because the guide explicitly says Collectors running on servers do not take part in IoT probing. Option D is wrong because IoT probing is not described as deep packet inspection of all neighboring traffic; it is a discovery/probing process used to identify nearby devices and collect basic device information.

=========

The correct answer is A .

The FortiEDR 7.0.0 Administration Guide states that the FortiEDR Cloud Service (FCS) enriches and enhances system security by performing deep, thorough analysis and investigation about the classification of a security event. It determines the exact classification of security events with a high degree of accuracy.

The guide further explains that the FCS classification process is performed through data enrichment and enhanced deep analysis and investigation enabled by automated and manual processes . These processes may include intelligence services, static and dynamic file analysis, sandboxing, flow analysis through machine learning, commonality analysis, crowdsourced data deduction, and more.

Therefore, FCS does not rely only on FortiGate firewall policies, local signatures, or raw Collector log correlation. It performs enriched cloud-based automated and manual analysis to classify the incident accurately.

=========

The correct answer is B. Exclude only app.exe when it is running from C:\Tools.

The FortiEDR 7.0.0 Administration Guide explains that the Exclusion Manager is used to define which processes, files, or domains are excluded from Security Policies monitoring. For Process Exclusions, FortiEDR does not inspect actions performed by specific processes, and those processes are identified by the attributes defined by the administrator.

The guide further explains that process/source attributes can include File Name, Path, Hash, and Signer. It also states that when an exclusion contains multiple conditions, an AND relationship exists between the conditions. If an OR relationship is required, a separate exclusion must be created.

In this exhibit, both conditions are selected:

File Name = app.exe

Path = C:\Tools

Because FortiEDR applies an AND relationship between multiple exclusion conditions, the exclusion applies only when both conditions match. Therefore, FortiEDR excludes app.exe only when it is located/running from C:\Tools.

Option A is wrong because no Signer condition is selected. Option C is wrong because that would apply if only the file name were used broadly. Option D is wrong because FortiEDR is not excluding every file in C:\Tools; it is excluding the process that matches both the file name and path conditions.

The correct answers are C and D .

The exhibit shows the incident classification as Malicious . In the Activity Audit, the entry from FortinetCloudServices states: “Classification change: Malicious” and also says the file is classified as malicious. This directly proves that FCS classified the event as malicious . The FortiEDR guide explains that the audit history shows the chronology for classifying the security event and displays details when FortiEDR Cloud Service (FCS) reclassifies a security event after its initial classification by the Core.

The exhibit also states that the file was “Detected as Unknown malware.” This supports option D in the exam wording: FortiEDR/FCS has classified the file as malicious, but it is being identified as unknown malware , meaning it was not recognized as a known malware family/signature at the time of classification. The guide explains that FCS enhances classification using data enrichment, automated and manual analysis, file analysis, sandboxing, machine learning flow analysis, commonality analysis, crowdsourced data deduction, and other methods, so “unknown malware” can still be classified malicious by FCS.

Option A is wrong because the exhibit shows Malicious , not Suspicious. Option B is wrong because the incident status is Unhandled , not resolved or handled.

=========