Fortinet FCP_FAZ_AN-7.6 - Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst

Exact Extract: Study Guide p.134-p.135: Outbreak Detection Service is licensed and downloads related event handlers and reports from FortiGuard.

Technical Deep Dive: The correct answers are A and B. The Outbreak Detection Service requires a license and allows FortiAnalyzer to receive outbreak alerts and automatically download related event handlers and reports created by Fortinet for emerging threats. Option C is wrong because outbreak alerts are available on all ADOMs, not root only. Option D is not the core mechanism described in the guide; the feature is FortiGuard-delivered content within FortiAnalyzer, not simply email-based alerting.

Exact Extract: Study Guide p.184: reports and charts can be imported/exported between same-type ADOMs; chart exports include associated datasets.

Technical Deep Dive: The correct answers are A and C. FortiAnalyzer requires the source and destination ADOMs to be the same type when moving reports or charts. Reports contain charts, and exported charts carry their associated datasets, so the reporting dependency comes across with the import workflow. Option B describes name-conflict behavior for playbook imports, not the report-moving requirement tested here. Option D is wrong because reports can be imported/exported directly; converting them to templates first is not required.

Exact Extract: Study Guide p.216: Playbook Monitor provides detailed logs, and failed jobs may include successful individual tasks.

Technical Deep Dive: The correct answers are B and D. Playbook Monitor is the troubleshooting location for playbook execution, and View Log shows task-level detail for the job. A failed playbook job does not mean every task failed; the guide explicitly notes some individual actions may complete successfully. Option A is wrong because FortiAnalyzer does not roll back all completed external or local actions just because a later task failed. Option C is not described as a default debugging playbook workflow in the guide.

Exact Extract: Study Guide p.22-p.24: analyzer is the default mode; collector mode forwards logs, including to syslog/CEF, and mixed deployments improve scale.

Technical Deep Dive: The correct answers are A and D. In collector mode, FortiAnalyzer collects logs and forwards them to another analyzer, syslog server, or CEF server depending on forwarding mode. A topology using both collectors and analyzers can improve performance and regional scalability by offloading collection and keeping analysis/reporting on analyzer devices. Option B is wrong because analyzer mode is the default, not collector mode. Option C is wrong because collector mode has fewer features and does not provide reporting or event-management capabilities.

Exact Extract: Official Fortinet 7.6 documentation: historical logs migrate from PSQL to ClickHouse, and real-time logs insert into ClickHouse.

Technical Deep Dive: The correct answer is A. FortiAnalyzer 7.6 uses ClickHouse as the backend log database for on-premises log analytics. This change supports faster analytical queries and scalable handling of large log datasets. MySQL and Elasticsearch are not the FortiAnalyzer 7.6 log database. PostgreSQL was used in previous versions for log tables, but Fortinet’s 7.6 documentation states that historical logs are migrated from PSQL to ClickHouse and new real-time logs are inserted into ClickHouse.

Exact Extract: Study Guide p.59: root ADOM shows local event logs; application logs are ADOM-specific.

Technical Deep Dive: The correct answers are B and D. Local event logs are available from the root ADOM and provide system-wide FortiAnalyzer information. Application logs, including logs generated by FortiAnalyzer applications such as playbooks and incident management, are ADOM-specific. Option A is wrong because local logs are accessible in Log View. Option C is wrong because playbook/application logs are not all simply placed in the root ADOM for every ADOM; non-root ADOMs show application logs relevant to that ADOM.

Exact Extract: Study Guide p.98: blocking suspicious indicators requires an authorized FortiManager connector and updates a FortiManager External Resource list.

Technical Deep Dive: The correct answer is B. FortiAnalyzer does not directly push the block to FortiGate from the indicator page. It uses a FortiManager connector; the Block_indicator playbook periodically sends blocked indicators to FortiManager, where they are added to an External Resource list. FortiManager policies or threat feeds can then be used to push enforcement to FortiGate. Option A skips FortiManager, which is the documented control point. Options C and D use the wrong integration mechanism for indicator blocking.

Exact Extract: Study Guide p.82: Contained means the risk source is isolated; antivirus quarantine is the example.

Technical Deep Dive: The correct answer is A. An AV log with action=quarantine indicates the detected file or object has been isolated, so FortiAnalyzer classifies the event status as Contained. An IPS action=pass is Unhandled because the risk was not stopped. WebFilter dropped and AppControl blocked are enforcement outcomes, so they align with Mitigated rather than Contained. The distinction matters in SOC triage because Contained still deserves review, but the immediate source/object has already been isolated.

Exact Extract: Study Guide p.168-p.172: templates define layout, while reports include report settings and more configuration.

Technical Deep Dive: The correct answer is A. Reports provide more configuration options because they include the layout/template plus operational settings such as time period, target devices, scheduling, filters, output behavior, and advanced settings. Templates contain the Editor-tab layout elements and do not include basic or advanced report settings. Option B is wrong because both reports and templates can be cloned. Option C is wrong because templates can include macros. Option D is wrong because templates are not mapped to device groups as stated.

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.