Free Practice Questions for Fortinet NSE6_EDR_AD-7.0 Exam

The correct answers are A and B .

The FortiEDR 7.0.0 Administration Guide states that newly added applications are disabled by default , which means they are not blocked unless enabled. The guide further explains that the default state can be changed by enabling the Enable Default application state option in the Application Control Manager settings. Therefore, option A is correct.

Option B is also correct because Application Control allows an application to be defined by Hash or by any combination of File Name / Path / Signer . The guide says that the Path field specifies the path to the executable file of the application to be blocked. When using path-based matching, the enforcement is tied to the specified path criteria, not to every possible location of the same file.

Option C is wrong because the file name does not also need to match when only the Path attribute is used. Option D is wrong because blocking all instances regardless of location applies when only the File Name field is used, not when the match is path-specific. The guide explicitly states that if only the File Name field is filled, the application is blocked no matter where the executable appears.

The best answers are A and D , but be careful: A is directly verified by the guide; D is the only remaining statement that can be true in policy context, but it is weaker than A.

The FortiEDR 7.0.0 Administration Guide states that the Communication Control tab identifies communicating applications detected in the organization. More specifically, the Applications page lists “all communicating applications detected in your organization that have ever attempted to communicate.” Therefore, if software exists on a user’s computer but does not appear in the Communication Control application list, the most direct explanation is that it has not attempted external communication .

The guide also explains that FortiEDR Communication Control reduces the scope of administration because Security/IT only needs to handle applications that communicate externally. It also states that non-authorized applications can still execute, and only their outgoing communication is prevented. This confirms that the Communication Control application list is not a full software inventory; it is a list of applications that have communicated or attempted communication.

Option B is not correct. If an application were blocked due to FortiEDR security-policy enforcement after a connection attempt, FortiEDR would generate security-event visibility in the Incidents workflow, not simply hide the application from Communication Control. FortiEDR Collectors send communication-related data for Communication Control, and security events are sent for enforcement/monitoring purposes.

Option C is also wrong. Reputation score affects policy decisions and application risk evaluation, but it does not cause an application to be ignored or excluded from the application list. The guide says each application in the Applications page shows a reputation indicator, which proves reputation is displayed for listed applications rather than used to hide them.

For option D , if the application has never attempted communication, Communication Control has no observed communication event to list. In exam logic, this can be interpreted as the application is not currently being denied by Communication Control policies. However, the stronger technical truth is this: Communication Control does not list installed software; it lists applications that have attempted to communicate.

=========

The correct answer is C .

The exhibit shows a Threat Hunting saved query named CLI Command with the query:

Target.Process.Filename ( " net.exe " )

It is configured as a Scheduled Query , classified as Suspicious , and set to repeat every 15 minutes . The FortiEDR guide states that saving a Threat Hunting query allows it to be defined as a scheduled query to automate threat detection. When the scheduled query runs and detects matching activity, a security event is automatically created in the Incidents tab .

The guide also states that scheduled queries run automatically according to the configured schedule, and each time a match is detected, FortiEDR generates a security event in the Incidents tab and sends notifications according to the security event configuration.

So, when the endpoint runs:

net user edruser password! /ADD

FortiEDR records the relevant process activity, and when the scheduled query runs, it matches the target process net.exe and creates an incident/security event. It is not immediate by default because the query is scheduled every 15 minutes. It also does not block CLI commands by default unless playbook actions or policy controls are configured. The activity is treated according to the saved query classification, which in the exhibit is Suspicious .

=========

The correct answers are B and C .

The FortiEDR 7.0.0 Administration Guide explains that IoT device discovery continuously identifies newly connected non-workstation devices, such as printers, cameras, and media devices. During discovery, each relevant Collector periodically probes nearby neighboring devices. The guide states that nearby devices usually respond by providing information about themselves, including the device/host name and IP address . This directly supports option B .

Option C is also correct because the guide states that Collectors in degraded , disabled , or isolated states do not take part in the IoT probing process. It also says FortiEDR uses the most powerful Collectors in each subnet and excludes weaker Collectors, including disabled and degraded Collectors.

Option A is wrong because the guide explicitly says Collectors running on servers do not take part in IoT probing. Option D is wrong because IoT probing is not described as deep packet inspection of all neighboring traffic; it is a discovery/probing process used to identify nearby devices and collect basic device information.

=========

The correct answers are A. Device and user name and D. IP address and MAC address .

The FortiEDR 7.0.0 Administration Guide states that the GDPR feature is implemented in Administration > Settings > Personal Data Handling . It is used to remove relevant data for an employee or FortiEDR user who no longer has access to or uses the FortiEDR system. The guide explicitly identifies the personal data as device name, IP address, MAC address, and user name . It further states: “You must remove all device name, IP address, MAC address, and user name data from FortiEDR in order to fully comply with the GDPR standard.”

Therefore, installed applications and installed OS name are not the required GDPR personal data types in this FortiEDR procedure. The required removal is performed iteratively for the employee’s/user’s device name , IP address , MAC address , and user name . The guide also instructs administrators to continue removing the other required data: IP address, MAC address, and user name , and to delete any reports that may contain the user’s data.

The correct answers are A. %upload_file and B. %ipconfig_all .

The FortiEDR 7.0.0 Administration Guide states that FortiEDR Connect opens a console that provides direct access to a FortiEDR-protected device through a remote shell connection. This allows administrators to respond to incidents, run commands and scripts, collect and download forensic data, and remediate threats. The guide also states that the FortiEDR Connect terminal has a prompt where commands can be typed, and the Help button displays the supported commands and their parameters.

The guide further confirms that FortiEDR Connect supports FortiEDR-specific commands, Windows command-line access through %cmd , and Python commands.

For the exact command list, Fortinet’s official FortiEDR Connect technical tip lists the supported commands. In that list, %ipconfig_all is explicitly described as returning extended IP information, and %upload_file is explicitly described as uploading a file to the specified path. ( Fortinet Community )

Options C. %psexec and D. %timestamp are not listed as supported FortiEDR Connect commands in the official Fortinet command list. Therefore, they must not be selected.

=========

=========

The correct answers are C and D .

The exhibit shows the incident classification as Malicious . In the Activity Audit, the entry from FortinetCloudServices states: “Classification change: Malicious” and also says the file is classified as malicious. This directly proves that FCS classified the event as malicious . The FortiEDR guide explains that the audit history shows the chronology for classifying the security event and displays details when FortiEDR Cloud Service (FCS) reclassifies a security event after its initial classification by the Core.

The exhibit also states that the file was “Detected as Unknown malware.” This supports option D in the exam wording: FortiEDR/FCS has classified the file as malicious, but it is being identified as unknown malware , meaning it was not recognized as a known malware family/signature at the time of classification. The guide explains that FCS enhances classification using data enrichment, automated and manual analysis, file analysis, sandboxing, machine learning flow analysis, commonality analysis, crowdsourced data deduction, and other methods, so “unknown malware” can still be classified malicious by FCS.

Option A is wrong because the exhibit shows Malicious , not Suspicious. Option B is wrong because the incident status is Unhandled , not resolved or handled.

=========

The correct answer is A. Create a separate communication control policy for each organization .

The key point is that Communication Control is not available in Hoster view . In a FortiEDR multi-tenant environment, Hoster view is the view used to display information for all organizations together. However, the guide clearly states under the Hoster view section: “Communication Control — The Communication Control window is not available in Hoster view.”

That means you cannot create one global Communication Control policy from Hoster view and assign it across all organizations. Options B , C , and D all assume cross-organization/global Communication Control policy assignment, but the guide does not support that capability. The practical recommendation is to configure Communication Control policies separately inside each organization.

The guide contrasts this with Security Policies, where in Hoster view the Security Policies page displays all policies from all organizations and supports cloning a security policy from one organization to another. That statement is for Security Policies , not Communication Control policies.

=========