Fortinet FCP_FAZ_AN-7.4 Exam
FCP - FortiAnalyzer 7.4 Analyst (Page 6)

Updated On: 1-Feb-2026

Which log will generate an event with the status Unhandled?

  A. An AV log with action=quarantine.
  B. An IPS log with action=pass.
  C. A WebFilter log with action=dropped.
  D. An AppControl log with action=blocked.

Answer(s): B

Explanation:

In FortiOS 7.4.1 and FortiAnalyzer 7.4.1, the "Unhandled" status typically signifies that the FortiGate encountered a security event but did not take any specific action to block or alter it. This usually occurs in the context of Intrusion Prevention System (IPS) logs.

IPS log with action=pass: When the IPS engine inspects traffic and determines that it does not match any known attack signatures or violate any configured policies, it assigns the action "pass". Since no action is taken to block or modify this traffic, the event status is logged as "Unhandled."

Why the other options are incorrect:

An AV log with action=quarantine: Antivirus (AV) logs with the action "quarantine" indicate that a file was detected as malicious and moved to quarantine. This is a definitive action, so the status would not be "Unhandled."

A WebFilter log with action=dropped: WebFilter logs with the action "dropped" indicate that web traffic was blocked according to the configured web filtering policies. Again, this is a specific action taken, not an "Unhandled" event.

An AppControl log with action=blocked: Application Control logs with the action "blocked" mean that an application was denied access based on the defined application control rules. This is also a clear action, not "Unhandled."



Refer to Exhibit:



What does the data point at 21:20 indicate?

  A. FortiAnalyzer is indexing logs faster than logs are being received.
  B. The fortilogd daemon is ahead in indexing by one log.
  C. The SQL database requires a rebuild because of high receive lag.
  D. FortiAnalyzer is temporarily buffering received logs so older logs can be indexed first.

Answer(s): A

Explanation:

The exhibit shows a graph that tracks two metrics over time: Receive Rate and Insert Rate. These two rates are crucial for understanding the log processing behavior of FortiAnalyzer.

Understanding Receive Rate and Insert Rate:
Receive Rate: The rate at which FortiAnalyzer is receiving logs from connected devices.
Insert Rate: The rate at which FortiAnalyzer is indexing (inserting) logs into its database for storage and analysis.

Data Point at 21:20:
At 21:20, the Insert Rate line is above the Receive Rate line, indicating that FortiAnalyzer is inserting logs into its database faster than it is receiving them. This suggests that FortiAnalyzer is keeping up with the incoming logs and is possibly working through a backlog, or is temporarily inserting previously received logs faster than new logs are arriving.

Option Analysis:
Option A - FortiAnalyzer is indexing logs faster than logs are being received: This accurately describes the scenario at 21:20, where the Insert Rate exceeds the Receive Rate. It indicates that FortiAnalyzer is handling logs efficiently at that moment, with no backlog in processing.
Option B - The fortilogd daemon is ahead in indexing by one log: The data does not provide specific information about the fortilogd daemon's log count, only the rates. This option is incorrect.
Option C - The SQL database requires a rebuild: High receive lag would imply a backlog in receiving and indexing logs, typically visible when the Receive Rate is significantly above the Insert Rate, which is not the case here.
Option D - FortiAnalyzer is temporarily buffering logs to index older logs first: There is no indication of buffering in this scenario. Buffering would usually occur if the Receive Rate were higher than the Insert Rate, indicating that FortiAnalyzer is storing logs temporarily due to indexing lag.

Conclusion:
Correct Answer: A. FortiAnalyzer is indexing logs faster than logs are being received. The graph at 21:20 shows a higher Insert Rate than Receive Rate, indicating efficient log processing by FortiAnalyzer.


Reference:

FortiAnalyzer 7.4.1 documentation on log processing metrics, Receive Rate, and Insert Rate indicators.



A playbook contains five tasks in total. An administrator runs the playbook and four out of five tasks finish successfully, but one task fails.
What will be the status of the playbook after it is run?

  A. Attention required
  B. Upstream_failed
  C. Failed
  D. Success

Answer(s): A

Explanation:

In FortiAnalyzer, when a playbook is run, each task's status impacts the overall playbook status.
Here's what happens based on task outcomes:

Status When All Tasks Succeed:
If all tasks finish successfully, the playbook status is marked as Success.
Status When Some Tasks Fail:
If one or more tasks in the playbook fail, but others succeed, the playbook status generally changes to Attention required. This status indicates that the playbook completed execution but requires review due to one or more tasks failing.
This is different from a complete Failed status, which is used if the playbook cannot proceed due to a critical error in an early task, often one that upstream tasks depend on.
Option Analysis:
A. Attention required: This is correct, as the playbook has completed, but with partial success and a task requiring review.
B. Upstream_failed: This status is used if a task cannot run because a prerequisite or "upstream" task failed. Since four out of five tasks completed, this is not the case here.
C. Failed: This status would imply that the playbook completely failed, which does not match the scenario where only one task out of five failed.
D. Success: This status would apply if all tasks had completed successfully, which is not the case here.

Conclusion:
Correct Answer: A. Attention required
The playbook status reflects that it completed, but an error occurred in one of the tasks, prompting the administrator to review the failed task.


Reference:

FortiAnalyzer 7.4.1 documentation on playbook execution statuses and task error handling.



Refer to Exhibit:



Client-1 is trying to access the internet for web browsing. All FortiGate devices in the topology are part of a Security Fabric with logging to FortiAnalyzer configured. All firewall policies have logging enabled. All web filter profiles are configured to log only violations.
Which statement about the logging behavior for this specific traffic flow is true?

  A. Only FGT-B will create traffic logs.
  B. FGT-B will see the MAC address of FGT-A as the destination and notifies FGT-A to log this flow.
  C. FGT-B will create traffic logs and will create web filter logs if it detects a violation.
  D. Only FGT-A will create web filter logs if it detects a violation.

Answer(s): C

Explanation:

The topology shows a Security Fabric setup involving FortiGate devices (FGT-A and FGT-B) and a FortiAnalyzer for centralized logging. Let's break down the logging and traffic flow behavior:
Traffic Flow Analysis:
Client-1 initiates web traffic directed to the internet, which is routed through FGT-B and then FGT-A before reaching the internet. This is indicated by the direction of the red-dashed arrow from Client-1 through FGT-B to FGT-A.
Policy and NAT Settings:
On FGT-B, NAT is disabled, meaning it will pass the traffic through without altering the source IP. This device has a Web Filter enabled with a policy to log violations only. On FGT-A, NAT is enabled, and a Web Filter profile is also applied. Like FGT-B, it logs only violations for web filtering.
Logging Behavior:
Since both FortiGate devices have logging enabled for traffic and web filtering, they can create logs if conditions are met.
FGT-B will log all traffic, as per its configuration, and will also create web filter logs if it detects a violation, as the web filter profile is applied. Because NAT is disabled on FGT-B, it processes the traffic but doesn't perform any address translation, allowing it to see the original source IP of Client-1. FGT-A, as the Security Fabric root, will handle NAT and forward the traffic to the internet. However, in this case, the question is focused on where the traffic and web filter logs would be generated first, particularly by FGT-B.
Option Analysis:
Option A - Only FGT-B will create traffic logs: This is incorrect because FGT-B can create both traffic logs and web filter logs if it detects a violation.
Option B - FGT-B will see the MAC address of FGT-A and notify FGT-A to log: This is not how logging works in this setup. Each FortiGate logs independently based on its configured policies.
Option C - FGT-B will create traffic logs and will create web filter logs if it detects a violation: This is correct, as FGT-B has logging enabled and will log traffic and web filter violations.
Option D - Only FGT-A will create web filter logs if it detects a violation: This is incorrect, as FGT-B can also log web filter violations independently.

Conclusion:
Correct Answer: C. FGT-B will create traffic logs and will create web filter logs if it detects a violation.
FGT-B is responsible for logging the traffic from Client-1 and will generate web filter logs if there is a policy violation, as configured.


Reference:

FortiOS 7.4.1 documentation on Security Fabric logging behavior and FortiAnalyzer log integration.



What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two.)

  A. The generation time for reports is decreased.
  B. When new logs are received, the hard-cache data is updated automatically.
  C. FortiAnalyzer local cache is used to store generated reports.
  D. The size of newly generated reports is optimized to conserve disk space.

Answer(s): A,C

Explanation:

Enabling auto-cache in FortiAnalyzer reports is designed to improve the efficiency and speed of report generation by leveraging cached data. Let's analyze each option to determine which effects are correct.
Option A - The Generation Time for Reports is Decreased:
When auto-cache is enabled, FortiAnalyzer can use previously cached data instead of reprocessing all log data from scratch each time a report is generated. This results in faster report generation times, especially for recurring reports that use similar datasets.
Conclusion: Correct.
Option B - Hard-Cache Data is Automatically Updated When New Logs are Received:
Enabling auto-cache does not immediately update the cache with every new log received. Instead, the cache is updated when reports are generated, based on the existing logs up to that point. Therefore, auto-cache does not constantly refresh with each incoming log, which would be inefficient.
Conclusion: Incorrect.
Option C - FortiAnalyzer Local Cache is Used to Store Generated Reports:
Auto-cache utilizes FortiAnalyzer's local cache to store data used in reports, reducing the need to retrieve and process logs repeatedly. This cached data can be reused for subsequent report generation, enhancing performance.
Conclusion: Correct.
Option D - The Size of Newly Generated Reports is Optimized to Conserve Disk Space:
Auto-cache does not directly impact the size of the report files themselves. It focuses on performance optimization through cached data for faster access, but it does not compress or optimize the storage size of the generated report.
Conclusion: Incorrect.
Conclusion:
Correct Answer: A. The generation time for reports is decreased, and C. FortiAnalyzer local cache is used to store generated reports.
Enabling auto-cache helps reduce report generation time by using locally cached data and optimizes report processing, though it does not impact report size or continuously update with each new log.


Reference:

FortiAnalyzer 7.4.1 documentation on report caching, auto-cache functionality, and report generation optimizations.


