Free Practice Questions for Fortinet FCP_FAZ_AN-7.6 Exam

Exact Extract: Study Guide p.172: templates include only Editor-tab details and do not include report settings or advanced settings.

Technical Deep Dive: The correct answer is C. Templates define the report layout: text, charts, and macros. They do not carry report settings such as the report time range, selected devices, scheduling, filters, output profile, or advanced settings. Reports include those operational settings. Option A is wrong because templates can include macros. Option B is wrong because both reports and templates can be cloned. Option D is imprecise: reports/charts can be imported/exported between same-type ADOMs, while templates are not exported directly, but the tested difference is settings.

Exact Extract: Study Guide p.188: diagnose sql status sqlreportd checks SQL query connections and hcache status for reports.

Technical Deep Dive: The correct answer is C. The sqlreportd diagnostic is a report troubleshooting command focused on SQL query connections and hcache status. It is useful when reports are slow because report generation depends heavily on hcache and SQL query execution. Option A is handled by scheduled report listing commands. Option B maps to diagnose sql process list. Option D maps more closely to sqlplugind insertion status, not sqlreportd.

Exact Extract: Study Guide p.59: event logs show system-wide information; application logs are ADOM-specific, and non-root ADOMs show only application logs.

Technical Deep Dive: The correct answers are C and D. FortiAnalyzer local logs include system-wide event logs and ADOM-specific application logs. Because non-root ADOMs show only application logs, system event logs are effectively a root-ADOM visibility item. Option A is wrong because local audit logs are accessible in Log View under ADOMs. Option B overstates playbook visibility; playbook/application logs are ADOM-specific and should not be treated as all centralized in root for every ADOM.

Exact Extract: Study Guide p.168-p.172: templates define layout, while reports include report settings and more configuration.

Technical Deep Dive: The correct answer is A. Reports provide more configuration options because they include the layout/template plus operational settings such as time period, target devices, scheduling, filters, output behavior, and advanced settings. Templates contain the Editor-tab layout elements and do not include basic or advanced report settings. Option B is wrong because both reports and templates can be cloned. Option C is wrong because templates can include macros. Option D is wrong because templates are not mapped to device groups as stated.

Exact Extract: Study Guide p.130: the IOC service uses FortiGuard and analyzes web filtering, DNS, and traffic logs for breach detection.

Technical Deep Dive: The correct answers are B and D. To view compromised hosts, FortiAnalyzer needs relevant logs that expose suspicious destinations or web activity, and it needs current FortiGuard IOC intelligence. Web filtering logs are especially important because they contain URL/domain activity that can be compared with FortiGuard threat intelligence. The FortiGuard subscription keeps the threat database current. Option A may help identify devices in some FortiGate workflows, but it is not the core IOC requirement described in the Analyst guide. Option C is wrong because FortiAnalyzer does not need direct reachability to every endpoint; it evaluates logs received from FortiGate.

Exact Extract: Study Guide p.134-p.135: Outbreak Detection Service is licensed and downloads related event handlers and reports from FortiGuard.

Technical Deep Dive: The correct answers are A and B. The Outbreak Detection Service requires a license and allows FortiAnalyzer to receive outbreak alerts and automatically download related event handlers and reports created by Fortinet for emerging threats. Option C is wrong because outbreak alerts are available on all ADOMs, not root only. Option D is not the core mechanism described in the guide; the feature is FortiGuard-delivered content within FortiAnalyzer, not simply email-based alerting.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that to understand log volume and disk quota, administrators can use CLI commands “to gather log rate and device usage statistics.” It separately states that to understand “the log rate and log volume per ADOM,” administrators use CLI commands that gather “log rate and volume statistics” per ADOM. The guide also explains a different dashboard metric, Insert Rate vs Receive Rate , where receive rate is the rate raw logs reach FortiAnalyzer and insert rate is the rate logs are indexed by the SQL database and sqlplugind daemon.

Technical Deep Dive: The correct answer is B because the exhibit shows the commands:

diagnose fortilogd lograte

diagnose fortilogd msgrate

These commands display FortiAnalyzer-wide log/message rate statistics for recent intervals: last 5 seconds, last 30 seconds, and last 60 seconds. The output does not show an ADOM name, ADOM ID, device name, log type breakdown, traffic/event category, or per-ADOM quota field. Therefore, the safest conclusion from the exhibit is that this output is not ADOM-specific .

Option A is wrong because the exhibit is not showing indexing values. Indexing health is normally evaluated using insert rate , receive rate , and log insert lag time , which relate to how quickly FortiAnalyzer inserts logs into the SQL database. The exhibit only shows fortilogd log rate and message rate, not SQL insert/indexing lag.

Option C is wrong because there is no breakdown between traffic logs and event logs. The output gives only aggregate rate values, so you cannot conclude whether traffic logs outnumber event logs.

Option D is wrong because a higher log rate than message rate is not automatically abnormal. The output simply shows two different rate counters. Nothing in the exhibit indicates a fault condition, queue buildup, SQL lag, or database indexing issue.

Exact Extract: Study Guide p.211: trigger variables use information from the event or incident trigger in later playbook tasks.

Technical Deep Dive: The correct answer is B. Trigger variables allow a playbook task to reuse values from the event or incident that started the playbook, such as endpoint IP, device, severity, or incident fields. That allows a task to filter a report, get matching logs, or target a response action dynamically. Option A describes monitoring statistics, not variables. Option C reverses the relationship: the trigger starts the playbook, and the variables are then available to tasks. Option D is unrelated to ON_SCHEDULE timing.

Exact Extract: Study Guide p.217: zipped/base64 encoded JSON is one of the playbook export data types.

Technical Deep Dive: The correct answer is A. The exhibit shows encoded data rather than readable plain-text JSON, which indicates the playbook was exported in the zipped/base64 encoded format. That does not mean the playbook is misconfigured. It also does not prove connectors were excluded; connector inclusion is a separate export option. There is no indication of password protection. The key visual clue is that the export contains encoded data plus integrity information instead of a readable JSON playbook structure.

Exact Extract: Official Fortinet Administration Guide: Management Extension Applications are installed and run on FortiAnalyzer; CLI options include enabling the fortisoar container.

Technical Deep Dive: The correct answer is B. FortiSOAR MEA is a management extension application hosted by FortiAnalyzer, not a separate FortiSOAR appliance requirement for this question. FortiAnalyzer uses Docker-based MEA support, and FortiSOAR MEA is one of the supported extensions. Option A is wrong because FortiManager is not required just to run the FortiSOAR MEA. Option C describes a standalone FortiSOAR deployment, not the management extension. Option D is wrong because Fortinet documents FortiSOAR MEA trial licensing behavior for evaluation use.