Which statement about sending notifications with incident updates is true?
Correct Answer: B
FCP_FAZ_AN-7.6 Exam Question 2
Refer to Exhibit: Client-1 is trying to access the internet for web browsing. All FortiGate devices in the topology are part of a Security Fabric with logging to FortiAnalyzer configured. All firewall policies have logging enabled. All web filter profiles are configured to log only violations. Which statement about the logging behavior for this specific traffic flow is true?
Correct Answer: D
The study guide explains that in a Security Fabric, traffic logging is not duplicated across FortiGates for the same session: "Traffic logging for a session ... is always carried out by the first FortiGate that handled it" and if a FortiGate receives traffic from a peer FortiGate MAC, "it does not generate a new traffic log for that session." For UTM (web filtering) logs, the study guide states: "When configured, upstream devices complete UTM logging." In the illustrated example, it further clarifies the role split: "All traffic from Client-1 is first received by FGT-B, which creates traffic logs for the initial session... [then] forwarded to FGT-A... [and] FGT-A ... applies web filtering ... and generates the relevant UTM logs as necessary." Because web filter profiles are configured to log only violations, web filter (UTM) logs will be generated only when a violation is detected-and per the study guide behavior, that UTM logging is done by the upstream FortiGate (FGT-A). Therefore, only FGT-A will create web filter logs if it detects a violation (Option D).
FCP_FAZ_AN-7.6 Exam Question 3
(Which two statements about FortiAnalyzer Fabric deployments are true? (Choose two answers))
Correct Answer: B,C
Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents: B is true (members operate in analyzer mode, not collector mode): The study guide defines Fabric members as FortiAnalyzer devices that "retain access to the features described in the FortiAnalyzer Administration Guide" and that "each member can create or raise incidents and events." In contrast, it states that a FortiAnalyzer operating in collector mode "does not provide capabilities for event management or reporting," and also notes that "in collector mode, the GUI doesn't include FortiView, Reports, or Incidents & Events." Since Fabric members must be able to generate/manage incidents and events, they must be operating with analyzer capabilities rather than collector-only functionality. C is true (members do not forward their logs to the supervisor): The supervisor provides centralized visibility, but the study guide describes the supervisor's log access as viewing logs collected on members, not receiving/storing forwarded log files. It states: "In the FortiAnalyzer Fabric supervisor, Log View displays logs collected on all FortiAnalyzer Fabric members," and clarifies "the logs contain the same information as displayed in the host FortiAnalyzer device they were collected on." This indicates the logs remain on the member (host) and are made visible to the supervisor for centralized monitoring rather than being forwarded and stored on the supervisor. For completeness, the study guide also explicitly states "HA is not available on the supervisor" (so A is false) and members do not need the same time zone as the supervisor (so D is false).
FCP_FAZ_AN-7.6 Exam Question 4
Refer to Exhibit: What does the data point at 21:20 indicate?
Correct Answer: A
The exhibit shows a graph that tracks two metrics over time: Receive Rate and Insert Rate. These two rates are crucial for understanding the log processing behavior in FortiAnalyzer. * Understanding Receive Rate and Insert Rate: * Receive Rate: This is the rate at which FortiAnalyzer is receiving logs from connected devices. * Insert Rate: This is the rate at which FortiAnalyzer is indexing (inserting) logs into its database for storage and analysis. * Data Point at 21:20: * At 21:20, the Insert Rate line is above the Receive Rate line, indicating that FortiAnalyzer is inserting logs into its database at a faster rate than it is receiving them. This situation suggests that FortiAnalyzer is able to keep up with the incoming logs and is possibly processing a backlog or temporarily received logs faster than new logs are coming in. * Option Analysis: * Option A - FortiAnalyzer is Indexing Logs Faster Than Logs are Being Received: This accurately describes the scenario at 21:20, where the Insert Rate exceeds the Receive Rate. This indicates that FortiAnalyzer is handling logs efficiently at that moment, with no backlog in processing. * Option B - The fortilogd Daemon is Ahead in Indexing by One Log: The data does not provide specific information about the fortilogd daemon's log count, only the rates. This option is incorrect. * Option C - SQL Database Requires a Rebuild: High receive lag would imply a backlog in receiving and indexing logs, typically visible if the Receive Rate were significantly above the Insert Rate, which is not the case here. * Option D - FortiAnalyzer is Temporarily Buffering Logs to Index Older Logs First: There is no indication of buffering in this scenario. Buffering would usually occur if the Receive Rate were higher than the Insert Rate, indicating that FortiAnalyzer is storing logs temporarily due to indexing lag. Conclusion: * Correct Answer: A. FortiAnalyzer is indexing logs faster than logs are being received. * The graph at 21:20 shows a higher Insert Rate than Receive Rate, indicating efficient log processing by FortiAnalyzer. References: FortiAnalyzer 7.4.1 documentation on log processing metrics, Receive Rate, and Insert Rate indicators.
FCP_FAZ_AN-7.6 Exam Question 5
Exhibit. Assume these are all the events that exist on the FortiAnalyzer device. How many events will be added to the incident created after running this playbook?
Correct Answer: D
In the exhibit, we see a playbook in FortiAnalyzer designed to retrieve events based on specific criteria, create an incident, and attach relevant data to that incident. The "Get Event" task configuration specifies filters to match any of the following conditions: * Severity = High * Event Type = Web Filter * Tag = Malware Analysis of Events: In the FortiAnalyzer Event Monitor list: * We need to identify events that meet any one of the specified conditions (since the filter is set to "Match Any Condition"). Events Matching Criteria: * Severity = High: * There are two events with "High" severity, both with the "Event Type" IPS. * Event Type = Web Filter: * There are two events with the "Event Type" Web Filter. One has a "Medium" severity, and the other has a "Low" severity. * Tag = Malware: * There are two events tagged with "Malware," both with the "Event Type" Antivirus and "Medium" severity. After filtering based on these criteria, there are four distinct events: * Two from the "Severity = High" filter. * One from the "Event Type = Web Filter" filter. * One from the "Tag = Malware" filter. Conclusion: * Correct Answer: D. Four events will be added. * This answer matches the conditions set in the playbook filter configuration and the events listed in the Event Monitor. References: FortiAnalyzer 7.4.1 documentation on event filtering, playbook configuration, and incident management criteria.