Free Practice Questions for Fortinet FCP_FAZ_AN-7.6 Exam

Exact Extract: Study Guide p.216: playbook jobs with one or more failed tasks are labeled Failed, even if some actions succeeded.

Technical Deep Dive: The correct answer is C. FortiAnalyzer marks the overall playbook job as Failed when any task in the job fails. That does not mean every task failed; it means the job requires review because the workflow did not complete cleanly. Option A is not the status described in the FortiAnalyzer guide for this scenario. Option B is a task-dependency style outcome, not the overall job status tested here. Option D is wrong because success requires all required tasks to complete successfully.

Exact Extract: Study Guide p.126: threat hunting is a proactive search for suspicious or risky network activity.

Technical Deep Dive: The correct answer is D. Threat hunting is FortiAnalyzer’s proactive investigation workflow. Instead of waiting for an event handler or incident to tell the SOC what happened, the analyst begins with a hypothesis and searches logs for suspicious patterns. FortiView is valuable for visibility but is not, by itself, the named proactive method. Outbreak alerts notify about emerging threats, and the Incidents dashboard manages known incidents. Threat hunting is the feature that best matches proactive network-security management.

Exact Extract: Study Guide p.82: " Unhandled " indicates the security event risk is considered open.

Technical Deep Dive: The displayed event is best interpreted as open/unhandled, so the correct answer is C. In FortiAnalyzer, event status is not just a label; it tells the analyst whether the risk still requires action. A risk source being isolated would map to Contained, while traffic being blocked or dropped maps to Mitigated. An incident being created from an event is a separate workflow action and cannot be concluded from the event status alone unless the exhibit explicitly shows the incident linkage.

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.189: verify logs from the report time frame and test the dataset query when expected data is missing.

Technical Deep Dive: The correct answers are A and D. This duplicate scenario tests the same reporting troubleshooting logic. A report can be empty or incomplete even while the logs exist if the report uses a time window that excludes them or if the dataset filters them out. Testing the dataset proves whether the SQL query is actually retrieving the intended rows. Disabling auto-cache is a performance workaround only in very specific stale-cache investigations and is not the recommended first step. Report quota is not the issue when the report runs but contains the wrong data.

Exact Extract: Study Guide p.181: output profiles specify report format and whether to email or upload generated reports.

Technical Deep Dive: The correct answer is D. The mail server being configured only gives FortiAnalyzer the ability to send email. To send generated reports automatically, the report must use an output profile that defines the delivery method and recipients or upload target. Option A is not a report-level distribution setting. Option B confuses report layout content with report delivery. Option C is wrong because the report calendar shows scheduled report status; scheduling and distribution are configured in the report settings and output profile.

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.

Exact Extract: Study Guide p.58: Log View search results can be downloaded, and raw/text filtering helps with exact field syntax.

Technical Deep Dive: The correct answers are A and D. FortiAnalyzer Log View allows administrators to download filtered logs as text or CSV, so the displayed search results can be exported to a file. The exhibit also indicates a text-mode search/filter rather than a purely GUI-built filter. Option B would be true for formatted log tables in general, but the question asks what can be concluded from the displayed search results. Option C is not supported; whether FortiView can analyze related data depends on whether the logs are analytics logs, not merely on the search display.

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.