FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Questions and Answers

Exact Extract: Study Guide p.19-p.20: the Security Fabric root/upstream FortiGate relationship affects how traffic and UTM logs are correlated.

Technical Deep Dive: The correct answer is B. The output indicates FGT_B is acting as the Security Fabric root. In Security Fabric logging, FortiAnalyzer uses Fabric relationships to correlate logs and avoid duplicate traffic logging. The other options draw conclusions the output does not support: disk quota allocation to quarantine files, exact ADOM disk quota size, or archive-versus-analytics usage require explicit storage lines. The Fabric root conclusion is the one directly supported by the displayed Fabric relationship information.

Exact Extract: Study Guide p.189: verify logs from the report time frame and test the dataset query when expected data is missing.

Technical Deep Dive: The correct answers are A and D. This duplicate scenario tests the same reporting troubleshooting logic. A report can be empty or incomplete even while the logs exist if the report uses a time window that excludes them or if the dataset filters them out. Testing the dataset proves whether the SQL query is actually retrieving the intended rows. Disabling auto-cache is a performance workaround only in very specific stale-cache investigations and is not the recommended first step. Report quota is not the issue when the report runs but contains the wrong data.

Exact Extract: Study Guide p.40-p.45: FortiAnalyzer normalizes supported device logs, including FortiGate traffic, event, and security logs.

Technical Deep Dive: The correct answers are A, B, and C. FortiGate devices generate traffic logs, event logs, and security logs, and FortiAnalyzer collects and normalizes these supported log types for analysis. Security logs include UTM-related subtypes such as web filter, antivirus, IPS, and application control. Firewall and system in the answer list are not the three FortiGate log-type categories used by the guide for this question; system is a subtype under event logs, not a top-level selection here.

Exact Extract: Study Guide p.185: reports can be attached to incidents manually from an existing report, manually from an incident, or automatically through playbooks.

Technical Deep Dive: The correct answer is A. Incidents are containers for related security events, and attaching a report gives the analyst historical or contextual evidence in addition to real-time event data. Option B is wrong because incident status is managed independently from attached event status. Option C is not a FortiAnalyzer default rule from the guide; SLA response times are organization-specific. Option D is wrong because incidents can be opened and analyzed directly; acknowledgment is not a prerequisite to analysis.

Exact Extract: Study Guide p.184: reports and charts can be imported/exported; templates and datasets cannot be exported directly.

Technical Deep Dive: The correct answers are B and C. FortiAnalyzer allows reports and charts to be imported and exported between same-type ADOMs or FortiAnalyzer devices. The guide explicitly says templates and datasets cannot be exported directly. Datasets move only as dependencies of exported charts, not as standalone exportable modules. Therefore, reports and charts are the two modules that match the direct import/export capability described in the guide.

Exact Extract: Study Guide p.57-p.58: filtered Log View examples can show web filter category/action details, including allowed or blocked website categories.

Technical Deep Dive: The correct answer is B. The exhibit indicates social networking web activity is being allowed, not blocked. If the logs were application control logs, the log type/subtype would point to application control rather than web filtering. If unrated websites were blocked, the category/action fields would show that specific category and enforcement action. A custom view cannot be concluded unless the GUI explicitly displays a saved custom view name or custom view indicator.

Exact Extract: Study Guide p.217-p.218: exported playbooks preserve enabled/disabled status, and name conflicts are handled on import.

Technical Deep Dive: The correct answers are A and C. A playbook imported into another ADOM or FortiAnalyzer retains the enabled or disabled status it had when exported, which is why automatic playbooks should be exported disabled. If an imported playbook name already exists, FortiAnalyzer creates a new name with a timestamp to avoid conflicts, so importing with the same name is allowed. Option B is wrong because connectors can be included in the export. Option D is wrong because multiple playbooks can be exported at once.

Exact Extract: Study Guide p.43 and p.58: Log View uses normalized format, and the GUI can toggle between formatted and raw log views.

Technical Deep Dive: The correct answers are A and D. The exhibit shows a raw key/value style log display, so it is in raw log format. However, in FortiAnalyzer Log View, received device logs are parsed and normalized for consistent fields, even when the analyst toggles into raw display. Option B is wrong because formatted view would appear as structured table columns. Option C is not the best conclusion because the displayed raw view is not necessarily the untouched original FortiGate message; it is the raw display of FortiAnalyzer’s stored/normalized log data.

Exact Extract: Study Guide p.181: output profiles specify report format and whether to email or upload generated reports.

Technical Deep Dive: The correct answer is D. The mail server being configured only gives FortiAnalyzer the ability to send email. To send generated reports automatically, the report must use an output profile that defines the delivery method and recipients or upload target. Option A is not a report-level distribution setting. Option B confuses report layout content with report delivery. Option C is wrong because the report calendar shows scheduled report status; scheduling and distribution are configured in the report settings and output profile.

Exact Extract: Study Guide p.175: Chart Builder automatically builds a dataset and chart from filtered Log View search results.

Technical Deep Dive: The correct answer is D. Chart Builder is a shortcut for turning a useful filtered log search into reusable reporting content. The analyst first filters Log View to the desired data, then uses Chart Builder to create the dataset and chart automatically. Option A is wrong because it is not based on a fixed top-100 list. Option B is incomplete because the feature creates chart/dataset objects rather than merely adding a chart to a generated report. Option C incorrectly places the output under FortiView instead of reporting libraries.

Exact Extract: Study Guide p.39: rolled log files are compressed, receive the .gz extension, and are known as archive logs.

Technical Deep Dive: The correct answer is C. FortiAnalyzer stores received logs first as log files and also indexes them for analytics. When the log file rolls over, FortiAnalyzer renames it, timestamps it, and compresses it into a .gz file. That compressed offline file is the archive log. Option A describes analytics logs in the SQL database. Option B is wrong because FortiView uses analytics logs, not archive logs. Option D confuses archive status with device availability; a log is archived because of the storage workflow, not because the source device is offline.

Exact Extract: Study Guide p.216: Playbook Monitor provides detailed logs, and failed jobs may include successful individual tasks.

Technical Deep Dive: The correct answers are B and D. Playbook Monitor is the troubleshooting location for playbook execution, and View Log shows task-level detail for the job. A failed playbook job does not mean every task failed; the guide explicitly notes some individual actions may complete successfully. Option A is wrong because FortiAnalyzer does not roll back all completed external or local actions just because a later task failed. Option C is not described as a default debugging playbook workflow in the guide.

Exact Extract: Study Guide p.19-p.20: the first FortiGate creates the traffic log, while upstream devices complete UTM logging.

Technical Deep Dive: The correct answer is D. Client traffic first reaches the access-layer FortiGate, which creates the initial traffic log. The upstream FortiGate applies the web filter profile; therefore, if the session violates the web filtering policy, the upstream FortiGate generates the web filter UTM log. Because the web filter profile is configured to log only violations, no web filter log appears unless a violation occurs. Options A and C incorrectly place web filter logging on FGT-B. Option B misstates how Security Fabric logging avoids duplicate logs; FortiGates do not notify peers to log the flow.

Exact Extract: Study Guide p.82: Contained means the risk source is isolated; antivirus quarantine is the example.

Technical Deep Dive: The correct answer is A. An AV log with action=quarantine indicates the detected file or object has been isolated, so FortiAnalyzer classifies the event status as Contained. An IPS action=pass is Unhandled because the risk was not stopped. WebFilter dropped and AppControl blocked are enforcement outcomes, so they align with Mitigated rather than Contained. The distinction matters in SOC triage because Contained still deserves review, but the immediate source/object has already been isolated.

Exact Extract: Study Guide p.141: Log Insert Lag Time is the time between log receipt and indexing.

Technical Deep Dive: The correct answer is A. A rising data point on the Log Insert Lag Time graph means the delay between receiving logs and indexing them is increasing. That indicates the database/indexing pipeline is falling behind at that moment. Option B is wrong because the chart is not proving cache use to avoid drops. Option C might become true if lag exceeds baseline persistently, but a single point only shows lag behavior. Option D is the opposite: if sqlplugind were caught up, lag would be low or decreasing.

Exact Extract: Study Guide p.82: Mitigated means a security risk was blocked or dropped.

Technical Deep Dive: The correct answer is C. The exhibit shows a mitigated event with blocked web activity, so the accurate statement is that the security risk was blocked. A dropped action would also be a mitigated outcome, but the displayed event specifically indicates blocked. Option B describes Contained status, where the risk source is isolated. Option D is wrong because the event type shown is Web Filter, not application control. Option A is less precise than the exhibit because the action shown is blocked rather than dropped.

Exact Extract: Study Guide p.82: " Unhandled " means the security event risk is not mitigated or contained, and an IPS/AV pass action is an example.

Technical Deep Dive: The correct answer is B because an IPS log with action=pass means the traffic matched or was observed in a way that generated a security event, but the traffic was not blocked, dropped, or quarantined. FortiAnalyzer therefore treats the event as still open from a SOC workflow perspective. Option A is wrong because quarantine isolates the malicious object and maps to Contained. Options C and D are wrong because dropped or blocked actions mean enforcement already occurred, which maps to Mitigated rather than Unhandled.

Exact Extract: Study Guide p.188: diagnose sql status sqlreportd checks SQL query connections and hcache status for reports.

Technical Deep Dive: The correct answer is C. The sqlreportd diagnostic is a report troubleshooting command focused on SQL query connections and hcache status. It is useful when reports are slow because report generation depends heavily on hcache and SQL query execution. Option A is handled by scheduled report listing commands. Option B maps to diagnose sql process list. Option D maps more closely to sqlplugind insertion status, not sqlreportd.

Exact Extract: Study Guide p.94 and p.130-p.131: indicators include IP addresses, URLs, and domains; IOC checks use IP/domain/URL values.

Technical Deep Dive: The correct answers are A and B. FortiAnalyzer identifies IOC matches by checking log artifacts such as IP addresses, domains, and URLs against FortiGuard threat intelligence. IP address and URL are explicitly listed as indicator types and IOC comparison parameters. Policy ID identifies which FortiGate policy matched traffic, but it is not an IOC artifact. Application category describes application classification, not a compromise indicator used for FortiGuard IOC matching.

Exact Extract: Study Guide p.59: event logs show system-wide information; application logs are ADOM-specific, and non-root ADOMs show only application logs.

Technical Deep Dive: The correct answers are C and D. FortiAnalyzer local logs include system-wide event logs and ADOM-specific application logs. Because non-root ADOMs show only application logs, system event logs are effectively a root-ADOM visibility item. Option A is wrong because local audit logs are accessible in Log View under ADOMs. Option B overstates playbook visibility; playbook/application logs are ADOM-specific and should not be treated as all centralized in root for every ADOM.