FCP_FAZ_AN-7.6 Questions and Answers

Exact Extract: Study Guide p.126: threat hunting is a proactive search for suspicious or risky network activity.

Technical Deep Dive: The correct answer is D. Threat hunting is FortiAnalyzer’s proactive investigation workflow. Instead of waiting for an event handler or incident to tell the SOC what happened, the analyst begins with a hypothesis and searches logs for suspicious patterns. FortiView is valuable for visibility but is not, by itself, the named proactive method. Outbreak alerts notify about emerging threats, and the Incidents dashboard manages known incidents. Threat hunting is the feature that best matches proactive network-security management.

Exact Extract: Study Guide p.217-p.218: exported playbooks preserve enabled/disabled status, and name conflicts are handled on import.

Technical Deep Dive: The correct answers are A and C. A playbook imported into another ADOM or FortiAnalyzer retains the enabled or disabled status it had when exported, which is why automatic playbooks should be exported disabled. If an imported playbook name already exists, FortiAnalyzer creates a new name with a timestamp to avoid conflicts, so importing with the same name is allowed. Option B is wrong because connectors can be included in the export. Option D is wrong because multiple playbooks can be exported at once.

Exact Extract: Study Guide p.21: FortiAnalyzer Fabric operates with a supervisor and members; members send information to the supervisor for centralized monitoring.

Technical Deep Dive: The correct answer is D. The exhibit shows devices that meet the conditions to participate as FortiAnalyzer Fabric members, so all listed devices can be members. The key concept is that Fabric membership is about centralized monitoring visibility between FortiAnalyzer systems, not about forcing every member into HA or a single time zone. A member remains an operating FortiAnalyzer device and reports member information to the supervisor. The distractor pairs are too restrictive because they unnecessarily exclude devices that still satisfy the Fabric member role.

Exact Extract: Study Guide p.184: reports and charts can be imported/exported; templates and datasets cannot be exported directly.

Technical Deep Dive: The correct answers are B and C. FortiAnalyzer allows reports and charts to be imported and exported between same-type ADOMs or FortiAnalyzer devices. The guide explicitly says templates and datasets cannot be exported directly. Datasets move only as dependencies of exported charts, not as standalone exportable modules. Therefore, reports and charts are the two modules that match the direct import/export capability described in the guide.

Exact Extract: Study Guide p.173: macros represent dataset queries in abbreviated form, and macros are ADOM-specific.

Technical Deep Dive: The correct answer is C. FortiAnalyzer macros are not Excel-generation shortcuts and are not fixed templates. A macro is an abbreviated way to insert data extracted by a dataset query into a report without using a chart. Because reports, libraries, and related definitions are separated by ADOM, macros are ADOM-specific. Option A is wrong because custom macros can be created. Option B invents an Excel-specific behavior not described by the guide. Option D is too restrictive because macros are not limited only to FortiGate ADOMs.

Exact Extract: Study Guide p.211: trigger variables use information from the event or incident trigger in later playbook tasks.

Technical Deep Dive: The correct answer is B. Trigger variables allow a playbook task to reuse values from the event or incident that started the playbook, such as endpoint IP, device, severity, or incident fields. That allows a task to filter a report, get matching logs, or target a response action dynamically. Option A describes monitoring statistics, not variables. Option C reverses the relationship: the trigger starts the playbook, and the variables are then available to tasks. Option D is unrelated to ON_SCHEDULE timing.

Exact Extract: Study Guide p.181: output profiles specify report format and whether to email or upload generated reports.

Technical Deep Dive: The correct answer is D. The mail server being configured only gives FortiAnalyzer the ability to send email. To send generated reports automatically, the report must use an output profile that defines the delivery method and recipients or upload target. Option A is not a report-level distribution setting. Option B confuses report layout content with report delivery. Option C is wrong because the report calendar shows scheduled report status; scheduling and distribution are configured in the report settings and output profile.

Exact Extract: Study Guide p.200-p.203: playbooks run from a trigger and tasks can filter events before adding them to an incident.

Technical Deep Dive: The correct answer is D. The playbook task is filtering events using the configured criteria, and only the events that match those criteria are added to the incident. Because the task is configured to match any of the listed conditions, the analyst must count unique events matching severity, event type, or tag filters. The exhibit contains four unique matching events. Options A and B overcount by treating all or most events as matching. Option C is wrong because the filter is not empty and the exhibit shows events that meet the task criteria.

Exact Extract: Study Guide p.175: Chart Builder automatically builds a dataset and chart from filtered Log View search results.

Technical Deep Dive: The correct answer is D. Chart Builder is a shortcut for turning a useful filtered log search into reusable reporting content. The analyst first filters Log View to the desired data, then uses Chart Builder to create the dataset and chart automatically. Option A is wrong because it is not based on a fixed top-100 list. Option B is incomplete because the feature creates chart/dataset objects rather than merely adding a chart to a generated report. Option C incorrectly places the output under FortiView instead of reporting libraries.

Exact Extract: Study Guide p.141: Insert Rate is the rate logs are indexed; Receive Rate is the rate raw logs reach FortiAnalyzer.

Technical Deep Dive: The correct answer is A. At the indicated time, the insert-rate value is higher than the receive-rate value, which means FortiAnalyzer is indexing logs faster than new logs are arriving. This can happen when the database is catching up with previously received logs. Option B is too literal and unsupported; the graph shows rates, not a one-log daemon lead. Option C is wrong because a rebuild is not indicated by a single favorable rate point. Option D would apply when received logs are waiting because indexing is behind, which is the reverse condition.

Exact Extract: Study Guide p.188: diagnose sql status sqlreportd checks SQL query connections and hcache status for reports.

Technical Deep Dive: The correct answer is C. The sqlreportd diagnostic is a report troubleshooting command focused on SQL query connections and hcache status. It is useful when reports are slow because report generation depends heavily on hcache and SQL query execution. Option A is handled by scheduled report listing commands. Option B maps to diagnose sql process list. Option D maps more closely to sqlplugind insertion status, not sqlreportd.

Exact Extract: Study Guide p.19-p.20: the Security Fabric root/upstream FortiGate relationship affects how traffic and UTM logs are correlated.

Technical Deep Dive: The correct answer is B. The output indicates FGT_B is acting as the Security Fabric root. In Security Fabric logging, FortiAnalyzer uses Fabric relationships to correlate logs and avoid duplicate traffic logging. The other options draw conclusions the output does not support: disk quota allocation to quarantine files, exact ADOM disk quota size, or archive-versus-analytics usage require explicit storage lines. The Fabric root conclusion is the one directly supported by the displayed Fabric relationship information.

Exact Extract: Study Guide p.172: templates include only Editor-tab details and do not include report settings or advanced settings.

Technical Deep Dive: The correct answer is C. Templates define the report layout: text, charts, and macros. They do not carry report settings such as the report time range, selected devices, scheduling, filters, output profile, or advanced settings. Reports include those operational settings. Option A is wrong because templates can include macros. Option B is wrong because both reports and templates can be cloned. Option D is imprecise: reports/charts can be imported/exported between same-type ADOMs, while templates are not exported directly, but the tested difference is settings.

Exact Extract: Study Guide p.187: troubleshoot slow reports by reviewing diagnostics and enabling auto-cache to reduce generation time.

Technical Deep Dive: The correct answers are B and D. When reports take too long, Fortinet recommends checking report diagnostics and hcache timing, log rates, insert/receive rate, and log insert lag. Enabling auto-cache is also a documented way to improve report generation performance. Option A is not a recommended troubleshooting step in the study guide; removing old hcache blindly can make reports slower because hcache must be rebuilt. Option C is not the relevant control for report generation time in this scenario.

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.

Exact Extract: Study Guide p.184: reports and charts can be imported/exported between same-type ADOMs; chart exports include associated datasets.

Technical Deep Dive: The correct answers are A and C. FortiAnalyzer requires the source and destination ADOMs to be the same type when moving reports or charts. Reports contain charts, and exported charts carry their associated datasets, so the reporting dependency comes across with the import workflow. Option B describes name-conflict behavior for playbook imports, not the report-moving requirement tested here. Option D is wrong because reports can be imported/exported directly; converting them to templates first is not required.

Exact Extract: Study Guide p.202: FortiOS connector actions appear only after enabling an automation rule using the Incoming Webhook Call trigger on FortiGate.

Technical Deep Dive: The correct answer is D. A FortiAnalyzer playbook can list a FortiOS connector after FortiGate is added, but the available FortiOS actions depend on FortiGate-side automation rules. FortiGate must expose an Incoming Webhook trigger so FortiAnalyzer can call the automation stitch. A FortiAnalyzer Event Handler is used on FortiAnalyzer to generate events, not to expose FortiOS connector actions. Fabric Connector events and FortiOS Event Log triggers do not provide the FortiAnalyzer-to-FortiGate action handoff tested here.

Exact Extract: Study Guide p.168-p.172: templates define layout, while reports include report settings and more configuration.

Technical Deep Dive: The correct answer is A. Reports provide more configuration options because they include the layout/template plus operational settings such as time period, target devices, scheduling, filters, output behavior, and advanced settings. Templates contain the Editor-tab layout elements and do not include basic or advanced report settings. Option B is wrong because both reports and templates can be cloned. Option C is wrong because templates can include macros. Option D is wrong because templates are not mapped to device groups as stated.