Fortinet FCP_FAZ_AN-7.6 - Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst

Exact Extract: Study Guide p.175: Chart Builder automatically builds a dataset and chart from filtered Log View search results.

Technical Deep Dive: The correct answer is D. Chart Builder is a shortcut for turning a useful filtered log search into reusable reporting content. The analyst first filters Log View to the desired data, then uses Chart Builder to create the dataset and chart automatically. Option A is wrong because it is not based on a fixed top-100 list. Option B is incomplete because the feature creates chart/dataset objects rather than merely adding a chart to a generated report. Option C incorrectly places the output under FortiView instead of reporting libraries.

Exact Extract: Official Fortinet Administration Guide: Management Extension Applications are installed and run on FortiAnalyzer; CLI options include enabling the fortisoar container.

Technical Deep Dive: The correct answer is B. FortiSOAR MEA is a management extension application hosted by FortiAnalyzer, not a separate FortiSOAR appliance requirement for this question. FortiAnalyzer uses Docker-based MEA support, and FortiSOAR MEA is one of the supported extensions. Option A is wrong because FortiManager is not required just to run the FortiSOAR MEA. Option C describes a standalone FortiSOAR deployment, not the management extension. Option D is wrong because Fortinet documents FortiSOAR MEA trial licensing behavior for evaluation use.

Exact Extract: Study Guide p.210: after creating a new playbook, FortiAnalyzer needs a few minutes to parse it.

Technical Deep Dive: The correct answer is A. FortiAnalyzer must parse the newly created playbook before it can execute reliably. Parsing checks the playbook definition and prepares it for execution by the automation engine. Option B is wrong because FortiAnalyzer is not automatically debugging the playbook; debugging happens after a failed or problematic run. Option C is unrelated to playbook creation. Option D is wrong because FortiAnalyzer can track multiple jobs; the wait is about playbook parsing, not waiting for all other playbooks to stop.

Exact Extract: Study Guide p.202: FortiOS connector actions require an Incoming Webhook Call trigger configured on FortiGate.

Technical Deep Dive: The correct answer is B. The FortiOS connector can appear once FortiGate is added to FortiAnalyzer, but FortiAnalyzer will not show the FortiOS automation actions until FortiGate has the proper automation rule. The trigger required is Incoming webhook/Incoming Webhook Call. A FortiAnalyzer Event Handler is a FortiAnalyzer-side event generator, not a FortiGate trigger for connector actions. Fabric Connector event and IP ban are not the trigger type required to expose FortiOS connector actions.

Exact Extract: Study Guide p.157-p.158: report datasets use SQL SELECT queries, and clauses must be in the correct order.

Technical Deep Dive: The correct answer is A. The valid query must select the required fields, read from $log, apply the filter for the source IP, group the selected values, and order the output as expected. Option A follows the SQL structure FortiAnalyzer expects for report datasets. The incorrect options either reverse the filter logic, place clauses in the wrong order, or use malformed aliases/conditions. In FortiAnalyzer reporting, a syntactically correct dataset is mandatory because the chart receives only the data returned by that SQL SELECT query.

Exact Extract: Study Guide p.39: rolled log files are compressed, receive the .gz extension, and are known as archive logs.

Technical Deep Dive: The correct answer is C. FortiAnalyzer stores received logs first as log files and also indexes them for analytics. When the log file rolls over, FortiAnalyzer renames it, timestamps it, and compresses it into a .gz file. That compressed offline file is the archive log. Option A describes analytics logs in the SQL database. Option B is wrong because FortiView uses analytics logs, not archive logs. Option D confuses archive status with device availability; a log is archived because of the storage workflow, not because the source device is offline.

Exact Extract: Study Guide p.58: Log View search results can be downloaded, and raw/text filtering helps with exact field syntax.

Technical Deep Dive: The correct answers are A and D. FortiAnalyzer Log View allows administrators to download filtered logs as text or CSV, so the displayed search results can be exported to a file. The exhibit also indicates a text-mode search/filter rather than a purely GUI-built filter. Option B would be true for formatted log tables in general, but the question asks what can be concluded from the displayed search results. Option C is not supported; whether FortiView can analyze related data depends on whether the logs are analytics logs, not merely on the search display.

Exact Extract: Study Guide p.173: macros represent dataset queries in abbreviated form, and macros are ADOM-specific.

Technical Deep Dive: The correct answer is C. FortiAnalyzer macros are not Excel-generation shortcuts and are not fixed templates. A macro is an abbreviated way to insert data extracted by a dataset query into a report without using a chart. Because reports, libraries, and related definitions are separated by ADOM, macros are ADOM-specific. Option A is wrong because custom macros can be created. Option B invents an Excel-specific behavior not described by the guide. Option D is too restrictive because macros are not limited only to FortiGate ADOMs.

Exact Extract: Study Guide p.40-p.45: FortiAnalyzer normalizes supported device logs, including FortiGate traffic, event, and security logs.

Technical Deep Dive: The correct answers are A, B, and C. FortiGate devices generate traffic logs, event logs, and security logs, and FortiAnalyzer collects and normalizes these supported log types for analysis. Security logs include UTM-related subtypes such as web filter, antivirus, IPS, and application control. Firewall and system in the answer list are not the three FortiGate log-type categories used by the guide for this question; system is a subtype under event logs, not a top-level selection here.