Main Flashcards

(136 cards)

1
Event status ‘mitigated’
Security risk was dropped or blocked

2
Handle HD failure on FAZ with hardware RAID
Hot swap the disk

3
Handle HD failure on FAZ with software RAID
Shut down the device and replace the hard drive

4
Statement that describes management extensions on FAZ
May require a minimum number of CPU cores to run

5
2 most common ways to control and restrict admin access on FAZ
  1. Trusted hosts
  2. Admin profiles

6
Daemon responsible for enforcing raw log file size
logfiled

7
Process responsible for disk quota enforcement
logfiled
8
Process that enforces SQL database size
sqlplugind

9
Process that enforces archive file size
oftpd

10
How frequently logfiled checks processes
Every 2 minutes

11
What is the purpose of a predefined template on the FortiAnalyzer?
It specifies the report layout, which contains predefined text, charts, and macros

12
Which clause is considered mandatory in SELECT statements used by the FortiAnalyzer to generate reports?
FROM

13
In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use for FortiView?
Export to Report Chart

14
2 ways to enable ADOMs
  1. GUI: System Setting > Dashboard > Enable Administrative Domains
  2. CLI:
    config sys global
    set adom-status enable/disable
    end
15
FAZ modes
  1. Analyzer (default)
  2. Collector (no event management or reporting)

16
What Collector mode does
Forwards logs in original binary format

17
Collector mode advantages
  1. Increases performance
  2. Focuses on receiving logs
  3. Helps with logs over unreliable links
  4. Allocates most disk space to archive logs

18
GUI elements not available in Collector mode
  1. FortiView
  2. Fabric View
  3. FortiSOC
  4. Reports

19
SQL DB in Collector mode
Disabled by default. Can be enabled from the CLI

20
Admin password recovery procedure
  1. Factory reset the VM/appliance
  2. Execute migrate from the CLI
  3. Use the default admin account and password

21
Reset to factory defaults CLI options
exe reset all-settings
exe reset all-except-ip
exe format disk - deletes all settings, images, DBs and log data from disk
22
What the system config backup includes
  1. System information
  2. Device list
  3. Report info

23
System config backup does NOT include
  1. Actual logs
  2. Generated reports

24
exe backup logs
Backs up logs and reports
25
How to back up logs/reports from the GUI
Log View, Reports

26
FAZ graceful shutdown
exe shutdown

27
Storage connector service
Requires a separate license. The license includes:
  1. Amount of data that can be uploaded to the cloud
  2. Expiry date (typically 1 year)

28
How to see storage connector license info
diag fmupdate dbcontract fds

29
Command to show usage quota, total data uploaded, total number of files uploaded, number of days
diag test app uploadd 63

30
Super_user profile
All system privileges; all device privileges

31
Standard_user profile
No system privileges; RW device privileges

32
Restricted_user profile
No system privileges; RO access for all device privileges; no access to management extensions

33
Max number of trusted hosts
Up to 10 IPs/subnets

34
External authentication for admins
  1. LDAP
  2. RADIUS
  3. TACACS+
  4. PKI

35
Wildcard auth feature
Admin type: group
Check: match all users on the remote server

36
Add remote auth server groups
From CLI ONLY

37
What FAZ HA does; max members
Syncs logs and data between HA members; up to 4 members

38
FAZ HA requirements
Same model, same firmware, same operation mode, same hypervisor if VMs

39
What license is effective on FAZ HA if licenses on members don’t match
The license with the least number of managed devices is used

40
How the primary HA unit is determined
  1. By priority setting (range 80-120). Higher number = higher priority. Default = 100
  2. By the IP with the greatest value if priorities are the same across all members

41
Condition for HA failover
By default only network reachability triggers failover. The Postgres health check can be enabled manually to initiate failover if the process stops working

42
How to enable the Postgres DB health check
config sys ha
set healthcheck DB
end

43
Stages of FAZ HA log sync
  1. Initial sync
  2. Real-time sync (log data sync)

44
FAZ HA firmware upgrade
  1. Log in to each secondary device
  2. Upgrade all secondary devices
  3. Wait for all secondary devices to join HA
  4. Verify logs on the secondary devices are in sync with the primary
  5. Upgrade the primary

45
FAZ HA load balancing
Reports, FortiView; round robin with multiple report jobs

46
ADOM modes
  1. Normal (default): all VDOMs from the same FGT belong to the same ADOM
  2. Advanced: each VDOM can belong to a different ADOM

47
At what level the disk quota is applied
ADOM

48
Default max allowed disk quota
50 GB

49
CLI to show all ADOMs
diag dvm adom list

50
How to define the preshared key to add a device by preshared key
Only from the CLI:
config log fortianalyzer setting
set preshared-key "pass"
end
51
System performance CLI command
get system performance
Look at the "used" info when troubleshooting performance issues

52
See who connects to FAZ (IPs/hostnames)
diag test app oftpd 3 (shows devices/IPs)

53
How to see the FAZ config from the FGT
show log fortianalyzer setting

54
See if the FGT is capable of generating logs
diag log test

55
Check if FAZ is receiving logs
diag debug app oftpd 8

56
Role of miglogd
Caches logs on the FGT when FAZ is not available

57
View miglogd queues
diag test app miglogd 6
Sample output:
cur:0 total-so-far:1023
faz 0: sent=170, failed=0
The failed value increases if the link is overloaded or there are bursts

58
Methods to control administrative access
  1. Admin profiles
  2. Trusted hosts
  3. ADOMs

59
How to prevent log tampering
Add a log checksum:
config system global
set log-checksum md5/md5-auth/none
end

60
Log checksum helps
  1. Against man-in-the-middle attacks
  2. Against tampering with stored logs
  3. When a log is rolled and archived
  4. When a log is uploaded

61
Meaning of receive rate higher than insert rate
Raw logs are reaching FAZ faster than they can be indexed

62
Who handles data insertion (insert rate)
sqlplugind

63
Who handles log receipt (receive rate)
fortilogd

64
RAID disk status: Ready
Functioning normally

65
RAID disk status: Rebuilding
Writing data to a newly added disk

66
RAID disk status: Initializing
Writing to all hard drives in order to make the array fault tolerant

67
RAID disk status: Verifying
Ensuring the parity data of the redundant drive is valid

68
RAID disk status: Degraded
Drive is no longer used by the RAID controller

69
RAID disk status: Inoperable
One or more drives are missing

70
How to resolve source and destination IPs in FortiView without performance impact on FAZ
Do name resolution on the FortiGate

71
How to configure FAZ to perform name resolution in FortiView
  1. Configure local DNS servers on FAZ
  2. From the CLI:
    config system fortiview settings
    set resolve-ip enable
    end

72
What the disk quota in the ADOM system setting refers to
Max disk quota for all devices in the selected ADOM

73
Importance of using an NTP server on FAZ and all reporting devices
Synced time allows logs to be properly correlated

74
What happens to logs from the FGT when FAZ is temporarily not available
The miglogd process on the FGT caches logs until FAZ comes back online. If the offline log size exceeds the size of the miglogd cache, older logs will be dropped. When FAZ is back online, miglogd sends all cached logs to FAZ

75
exe sql-local rebuild-adom
Rebuilds analytics for a new ADOM. Only archive logs are moved automatically, not analytics

76
If you upgrade FAZ firmware, which report element can be affected
Custom datasets

77
Which logs does FAZ IOC use to identify compromised hosts
Web filtering logs. The IOC engine detects end users with suspicious web usage compromises by checking new and historical logs against IOC signatures (FortiGuard subscription). Logs from AV/IPS are not used since these threats have already been detected or prevented by those services on the FortiGate

78
2 settings to configure on FAZ to allow a remote admin to authenticate to FAZ
  1. Local wildcard admin account
  2. Remote auth server

79
How to see if the log queue is full?
diag log kernel stats
If the value of the failed_log field is increasing, the queue is full

80
How to stop logging if the disk is full
config sys locallog disk setting
set diskfull nolog
end
By default, when the disk is full an alert is generated with level warning and the oldest logs get deleted

81
Types of logs on FAZ
  1. Archive logs - offline/compressed
  2. Analytical logs - online/stored and indexed in the DB

82
Log sizes
Indexed log = 400 bytes
Compressed log = 50 bytes

83
Default ratio between analytical and archive logs
70 vs 30
84
How total quota is calculated
Total storage - reserved space = total quota

85
How allocated quota is calculated
Archive + Analytics

86
How used storage is calculated
Logs + all system files

87
Default disk quota for an ADOM
1 GB

88
Min disk quota for an ADOM
100 MB

89
How to increase disk space on a VM
  1. Stop the FAZ VM. Add a new virtual disk
  2. exe lvm info - to identify the added disk
  3. exe lvm extend
  4. Reboot the FAZ VM
  5. get sys status - to see the new disk space

90
Why rebuild the new ADOM DB
To move analytics from the old ADOM to the new one and include old data in the new analytics/reports

91
Why rebuild the old ADOM DB
To remove old device analytics from the DB. Rebuild the new ADOM DB to migrate analytics to the new ADOM before rebuilding the old DB and removing old analytics from the original ADOM

92
Log forwarding in aggregation mode
The collector sends only the delta of the logs to the aggregation server

93
Between what devices aggregation is available
Only between 2 FAZ devices

94
Log forwarding modes
  1. Aggregation (only between 2 FAZ)
  2. Forwarding (FAZ, syslog, CEF)

95
Log forwarding config
  1. Set mode: aggregation or forwarding
  2. Define the server (log recipient)
  3. Configure the client (FAZ sending logs): what logs to send, set filters

96
OFTP communication
Over TCP/514, encrypted

97
Log communication
Over UDP/514, NOT encrypted

98
IOC dependencies
  1. IOC subscription
  2. Web filtering subscription on the FGT
  3. Web filtering policies on the FGT with logging enabled

99
Difference between name resolution on FAZ and FGT
  1. FAZ resolves dst only
  2. FGT resolves both src and dst
  3. Performance improvement on FAZ when name resolution is done on the FGT

100
Log receive rate per second CLI command
diag fortilogd lograte

101
Log receive rate totals CLI command
diag fortilogd lograte-total

102
Device log rate CLI command
diag fortilogd lograte-device

103
Log rate for each log type
diag fortilogd lograte-type

104
Message receive rate
diag fortilogd msgrate

105
Difference between log and message
One log message can contain multiple logs

106
SQL insertion rate CLI command
diag sql status sqlplugind

107
Log usage for all logging devices CLI command
diag log device

108
What is data insertion
Log indexing: inserting data into the SQL DB

109
Best practice difference between insert rate vs receive rate
The difference should be consistent and as small as possible

110
Event status ‘unhandled’
Risk not mitigated/contained = open

111
Event status ‘contained’
Risk source is isolated (AV action = quarantine)

112
Event status ‘blank’
Other scenarios

113
Format to export event handlers
JSON

114
Outbreak alerts include
  1. FortiGuard report
  2. Event handlers
  3. Report template

115
Event_trigger
Run playbook when an event is created

116
Incident_trigger
Run playbook when an incident is created
117
On_demand trigger
Run playbook manually

118
On_schedule trigger
Run playbook by schedule

119
What connector is enabled by default
Localhost

120
Output variable
Output of the previous task is the input of the current task

121
Trigger variables
Use some info from the trigger to filter the action

122
At what level playbooks are created
ADOM

123
What happens when you edit a chart in a report
Changes affect only this specific report, not other reports that use the same chart

124
What templates consist of
Include only the layout of the report. Do not include report settings

125
What are macros
Sequence of dataset queries to extract data from logs

126
Notifications/output profile is defined
For EACH report

127
Output profile defined on
Each ADOM level

128
hcache
Must build the hcache BEFORE FAZ can build a report

129
What happens if new logs come in
hcache needs to be rebuilt

130
Default hcache setting for scheduled reports
Auto enabled

131
Reports troubleshooting best practice
  1. Check log rates
  2. Check insert rate and receive rate
  3. Enable auto cache in report settings

132
Show hcache size
diag sql show hcache-size

133
FGT sends 2 types of logs
  1. tlog - traffic logs
  2. elog - event logs
All UTM logs are sent with traffic logs

134
What is the difference between Log Forward and Log Aggregation modes?
Log Forwarding: logs are forwarded to a remote server in real time or near real time as they are received, as specified by a device filter, log filter, and log format.
Log Aggregation: as FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs to a remote FortiAnalyzer at a specified time every day.

135
Initial Sync
The Initial Sync setting is mainly for the initial setup of the HA cluster. When Initial Sync is turned on and you add that unit to an HA cluster, the primary unit synchronizes its logs with the new unit. After Initial Sync is complete, the backup unit automatically reboots. After the reboot, the backup unit rebuilds its log database with the synchronized logs.

136
Log Data Sync
After the initial log synchronization, the HA cluster goes into the real-time log synchronization state. Log Data Sync is turned on by default for all units in the HA cluster. When Log Data Sync is turned on in the primary unit, the primary unit forwards logs in real time to all backup units. This ensures that the logs in the primary and backup units are synchronized. Log Data Sync is turned on by default in backup units so that if the primary unit fails, the backup unit selected to be the new primary unit will continue to synchronize logs with the backup units. If you want to use a FortiAnalyzer unit as a standby unit (not as a backup unit), then you don't need real-time log synchronization, so you can turn off Log Data Sync.
After the initial log synchronization, the HA cluster goes into real-time log synchronization state. Log Data Sync is turned on by default for all units in the HA cluster. When Log Data Sync is turned on in the primary unit, the primary unit forwards logs in real-time to all backup units. This ensures that the logs in the primary and backup units are synchronized. Log Data Sync is turned on by default in backup units so that if the primary unit fails, the backup unit selected to be the new primary unit will continue to synchronize logs with backup units. If you want to use a FortiAnalyzer unit as a standby unit (not as a backup unit), then you don't need real-time log synchronization so you can turn off Log Data Sync.