Test Q Flashcards

(117 cards)

1
Q

QUESTION 10
You have recently grouped multiple FortiGate devices into a single ADOM. System Settings > Storage Info shows the quota used.
What does the disk quota refer to?
A. The maximum disk utilization for each device in the ADOM
B. The maximum disk utilization for the FortiAnalyzer model
C. The maximum disk utilization for the ADOM type
D. The maximum disk utilization for all devices in the ADOM

A

D. The maximum disk utilization for all devices in the ADOM

2
Q

QUESTION 9
In FortiAnalyzer’s FortiView, source and destination IP addresses from FortiGate devices are not resolving to a hostname.
How can you resolve the source and destination IPs, without introducing any additional performance impact to FortiAnalyzer?
A. Resolve IP addresses on a per-ADOM basis to reduce delay on FortiView while IPs resolve
B. Configure # set resolve-ip enable in the system FortiView settings
C. Configure local DNS servers on FortiAnalyzer
D. Resolve IP addresses on FortiGate

A

D. Resolve IP addresses on FortiGate

3
Q

QUESTION 8
On the RAID management page, the disk status is listed as Initializing.
What does the status Initializing indicate about what the FortiAnalyzer is currently doing?
A. FortiAnalyzer is ensuring that the parity data of a redundant drive is valid
B. FortiAnalyzer is writing data to a newly added hard drive to restore it to an optimal state
C. FortiAnalyzer is writing to all of its hard drives to make the array fault tolerant
D. FortiAnalyzer is functioning normally

A

C. FortiAnalyzer is writing to all of its hard drives to make the array fault tolerant

4
Q

QUESTION 7
You are using RAID with a FortiAnalyzer that supports software RAID, and one of the hard disks on FortiAnalyzer has failed.
What is the recommended method to replace the disk?
A. Shut down FortiAnalyzer and then replace the disk
B. Downgrade your RAID level, replace the disk, and then upgrade your RAID level
C. Clear all RAID alarms and replace the disk while FortiAnalyzer is still running
D. Perform a hot swap

A

A. Shut down FortiAnalyzer and then replace the disk

5
Q

QUESTION 5
For which two purposes would you use the command set log checksum? (Choose two.)
A. To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server
B. To prevent log modification or tampering
C. To encrypt log communications
D. To send an identical set of logs to a second logging server

A

A. To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server
B. To prevent log modification or tampering

6
Q

QUESTION 4
Which two of the following must you configure on FortiAnalyzer to email a FortiAnalyzer report externally? (Choose two.)
A. Mail server
B. Output profile

C. SFTP server
D. Report scheduling

A

A. Mail server
B. Output profile

7
Q

QUESTION 3
An administrator has configured the following settings: config system global
set log-checksum md5-auth
end
What is the significance of executing this command?
A. This command records the log file MD5 hash value.
B. This command records passwords in log files and encrypts them.
C. This command encrypts log transfer between FortiAnalyzer and other devices.
D. This command records the log file MD5 hash value and authentication code.

A

D. This command records the log file MD5 hash value and authentication code.

8
Q

QUESTION 2
Which daemon is responsible for enforcing raw log file size?
A. logfiled
B. oftpd
C. sqlplugind
D. miglogd

A

A. logfiled

9
Q

QUESTION 1
Which two methods are the most common methods to control and restrict administrative access on FortiAnalyzer? (Choose two.)
A. Virtual domains
B. Administrative access profiles
C. Trusted hosts
D. Security Fabric

A

B. Administrative access profiles
C. Trusted hosts

10
Q

QUESTION 11
Why should you use an NTP server on FortiAnalyzer and all registered devices that log to FortiAnalyzer?
A. To properly correlate logs
B. To use real-time forwarding
C. To resolve host names
D. To improve DNS response times

A

A. To properly correlate logs

11
Q

QUESTION 12
You need to upgrade your FortiAnalyzer firmware.
What happens to the logs being sent to FortiAnalyzer from FortiGate during the time FortiAnalyzer is temporarily unavailable?
A. FortiAnalyzer uses log fetching to retrieve the logs when back online
B. FortiGate uses the miglogd process to cache the logs
C. The logfiled process stores logs in offline mode
D. Logs are dropped

A

B. FortiGate uses the miglogd process to cache the logs

12
Q

QUESTION 13
After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command?
execute sql-local rebuild-adom <new-ADOM-name>
A. To reset the disk quota enforcement to default
B. To remove the analytics logs of the device from the old database
C. To migrate the archive logs to the new ADOM
D. To populate the new ADOM with analytical logs for the moved device, so you can run reports

A

D. To populate the new ADOM with analytical logs for the moved device, so you can run reports

13
Q

QUESTION 14
A hard disk fails on a FortiAnalyzer that supports software RAID. What should you do to bring FortiAnalyzer back to normal operation without losing data?
A. Hot swap the disk
B. Replace the disk and rebuild the RAID manually
C. Take no action if the RAID level supports a failed disk
D. Shut down FortiAnalyzer and replace the disk

A

D. Shut down FortiAnalyzer and replace the disk

14
Q

QUESTION 15
If you upgrade the FortiAnalyzer firmware, which report element can be affected?
A. Custom datasets
B. Report scheduling
C. Report settings
D. Output profiles

A

A. Custom datasets

15
Q

QUESTION 16
FortiAnalyzer reports are dropping analytical data from 15 days ago, even though the data policy setting for analytics logs is 60 days.
What is the most likely problem?
A. Quota enforcement is acting on analytical data before a report is complete
B. Logs are rolling before the report is run

C. CPU resources are too high
D. Disk utilization for archive logs is set for 15 days

A

A. Quota enforcement is acting on analytical data before a report is complete

16
Q

QUESTION 17
Which log type does the FortiAnalyzer indicators of compromise feature use to identify infected hosts?
A. Antivirus logs
B. Web filter logs
C. IPS logs
D. Application control logs

A

B. Web filter logs

17
Q

QUESTION 18
Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate to FortiAnalyzer with any user account in a single LDAP group? (Choose two.)
A. A local wildcard administrator account
B. A remote LDAP server
C. A trusted host profile that restricts access to the LDAP group
D. An administrator group

A

A. A local wildcard administrator account
B. A remote LDAP server

18
Q

QUESTION 19
When you perform a system backup, what does the backup configuration contain? (Choose two.)
A. Generated reports
B. Device list
C. Authorized devices logs
D. System information

A

B. Device list

D. System information

19
Q

QUESTION 20

Which clause is considered mandatory in SELECT statements used by the FortiAnalyzer to generate reports?
A. FROM
B. LIMIT
C. WHERE
D. ORDER BY

A

A. FROM

20
Q

QUESTION 21
What is the purpose of a dataset query in FortiAnalyzer?
A. It sorts log data into tables
B. It extracts the database schema
C. It retrieves log data from the database
D. lt injects log data into the database

A

C. It retrieves log data from the database

21
Q

QUESTION 22
Logs are being deleted from one of the ADOMs earlier than the configured setting for archiving in the data policy.
What is the most likely problem?
A. CPU resources are too high
B. Logs in that ADOM are being forwarded, in real time, to another FortiAnalyzer device
C. The total disk space is insufficient and you need to add another disk
D. The ADOM disk quota is set too low, based on log rates

A

D. The ADOM disk quota is set too low, based on log rates

22
Q

QUESTION 23
Which two constraints can impact the amount of reserved disk space required by FortiAnalyzer? (Choose two.)
A. License type
B. Disk size
C. Total quota
D. RAID level

A

B. Disk size

D. RAID level

23
Q

QUESTION 24
View the exhibit:
What does the 1000MB maximum for disk utilization refer to?
A. The disk quota for the FortiAnalyzer model
B. The disk quota for all devices in the ADOM
C. The disk quota for each device in the ADOM
D. The disk quota for the ADOM type

A

B. The disk quota for all devices in the ADOM

24
Q

QUESTION 25
You’ve moved a registered logging device out of one ADOM and into a new ADOM. What happens when you rebuild the new ADOM database?
A. FortiAnalyzer resets the disk quota of the new ADOM to default.
B. FortiAnalyzer migrates archive logs to the new ADOM.
C. FortiAnalyzer migrates analytics logs to the new ADOM.
D. FortiAnalyzer removes logs from the old ADOM.

A

C. FortiAnalyzer migrates analytics logs to the new ADOM.

25
Q

QUESTION 26
What happens when a log file saved on FortiAnalyzer disks reaches the size specified in the device log settings?
A. The log file is stored as a raw log and is available for analytic support.
B. The log file rolls over and is archived.
C. The log file is purged from the database.
D. The log file is overwritten.

A

B. The log file rolls over and is archived.

26
Q

QUESTION 27
What is the purpose of employing RAID with FortiAnalyzer?
A. To introduce redundancy to your log data
B. To provide data separation between ADOMs
C. To separate analytical and archive data
D. To back up your logs

A

A. To introduce redundancy to your log data

27
Q

QUESTION 28
Which FortiAnalyzer feature allows you to retrieve the archived logs matching a specific timeframe from another FortiAnalyzer device?
A. Log upload
B. Indicators of Compromise
C. Log forwarding in aggregation mode
D. Log fetching

A

D. Log fetching

28
Q

QUESTION 29
What is the recommended method of expanding disk space on a FortiAnalyzer VM?
A. From the VM host manager, add an additional virtual disk and use the # execute lvm extend command to expand the storage
B. From the VM host manager, expand the size of the existing virtual disk
C. From the VM host manager, expand the size of the existing virtual disk and use the # execute format disk command to reformat the disk
D. From the VM host manager, add an additional virtual disk and rebuild your RAID array

A

A. From the VM host manager, add an additional virtual disk and use the # execute lvm extend command to expand the storage

29
Q

QUESTION 30
How are logs forwarded when FortiAnalyzer is using aggregation mode?
A. Logs are forwarded as they are received and content files are uploaded at a scheduled time.
B. Logs and content files are stored and uploaded at a scheduled time.
C. Logs are forwarded as they are received.
D. Logs and content files are forwarded as they are received.

A

B. Logs and content files are stored and uploaded at a scheduled time.

30
Q

QUESTION 31
How do you restrict an administrator's access to a subset of your organization's ADOMs?
A. Set the ADOM mode to Advanced
B. Assign the ADOMs to the administrator's account
C. Configure trusted hosts
D. Assign the default Super_User administrator profile

A

B. Assign the ADOMs to the administrator's account

31
Q

QUESTION 32
In order for FortiAnalyzer to collect logs from a FortiGate device, what configuration is required? (Choose two.)
A. Remote logging must be enabled on FortiGate
B. Log encryption must be enabled
C. ADOMs must be enabled
D. FortiGate must be registered with FortiAnalyzer

A

A. Remote logging must be enabled on FortiGate
D. FortiGate must be registered with FortiAnalyzer

32
Q

QUESTION 33
What can the CLI command # diagnose test application oftpd 3 help you to determine?
A. What devices and IP addresses are connecting to FortiAnalyzer
B. What logs, if any, are reaching FortiAnalyzer
C. What ADOMs are enabled and configured
D. What devices are registered and unregistered

A

A. What devices and IP addresses are connecting to FortiAnalyzer

33
Q

QUESTION 34
What FortiView tool can you use to automatically build a dataset and chart based on a filtered search result?
A. Chart Builder
B. Export to Report Chart
C. Dataset Library
D. Custom View

A

B. Export to Report Chart

34
Q

QUESTION 35
In FortiAnalyzer's FortiView, source and destination IP addresses from FortiGate devices are not resolving to a hostname.
How can you resolve the source and destination IPs, without introducing any additional performance impact to FortiAnalyzer?
A. Configure local DNS servers on FortiAnalyzer
B. Resolve IPs on FortiGate
C. Configure # set resolve-ip enable in the system FortiView settings
D. Resolve IPs on a per-ADOM basis to reduce delay on FortiView while IPs resolve

A

B. Resolve IPs on FortiGate

35
Q

QUESTION 36
What must you configure on FortiAnalyzer to upload a FortiAnalyzer report to a supported external server? (Choose two.)
A. SFTP, FTP, or SCP server
B. Mail server
C. Output profile
D. Report scheduling

A

A. SFTP, FTP, or SCP server
C. Output profile

36
Q

QUESTION 37
View the exhibit.
Why is the total quota less than the total system storage?
A. 3.6% of the system storage is already being used.
B. Some space is reserved for system use, such as storage of compression files, upload files, and temporary report files
C. The oftpd process has not archived the logs yet
D. The logfiled process is just estimating the total quota

A

B. Some space is reserved for system use, such as storage of compression files, upload files, and temporary report files

37
Q

QUESTION 38
What purposes does the auto-cache setting on reports serve? (Choose two.)
A. To reduce report generation time
B. To automatically update the hcache when new logs arrive
C. To reduce the log insert lag rate
D. To provide diagnostics on report generation time

A

A. To reduce report generation time
B. To automatically update the hcache when new logs arrive

38
Q

QUESTION 39
If you upgrade your FortiAnalyzer firmware, which report element can be affected?
A. Output profiles
B. Report settings
C. Report scheduling
D. Custom datasets

A

D. Custom datasets

39
Q

QUESTION 40
How does FortiAnalyzer retrieve specific log data from the database?
A. SQL FROM statement
B. SQL GET statement
C. SQL SELECT statement
D. SQL EXTRACT statement

A

C. SQL SELECT statement

40
Q

QUESTION 41
On FortiAnalyzer, what is a wildcard administrator account?
A. An account that permits access to members of an LDAP group
B. An account that allows guest access with read-only privileges
C. An account that requires two-factor authentication
D. An account that validates against any user account on a FortiAuthenticator

A

A. An account that permits access to members of an LDAP group

41
Q

QUESTION 42
For proper log correlation between the logging devices and FortiAnalyzer, FortiAnalyzer and all registered devices should:
A. Use DNS
B. Use host name resolution
C. Use real-time forwarding
D. Use an NTP server

A

D. Use an NTP server

42
Q

QUESTION 43
What FortiGate process caches logs when FortiAnalyzer is not reachable?
A. logfiled
B. sqlplugind
C. oftpd
D. miglogd

A

D. miglogd

43
Q

QUESTION 44
FortiAnalyzer uses the Optimized Fabric Transfer Protocol (OFTP) over SSL for what purpose?
A. To upload logs to an SFTP server
B. To prevent log modification during backup
C. To send an identical set of logs to a second logging server
D. To encrypt log communication between devices

A

D. To encrypt log communication between devices

44
Q

QUESTION 45
How can you configure FortiAnalyzer to permit administrator logins from only specific locations?
A. Use static routes
B. Use administrative profiles
C. Use trusted hosts
D. Use secure protocols

A

C. Use trusted hosts

45
Q

QUESTION 46
Logs are being deleted from one of your ADOMs earlier than the configured setting for archiving in your data policy. What is the most likely problem?
A. The total disk space is insufficient and you need to add another disk.
B. CPU resources are too high.
C. The ADOM disk quota is set too low based on log rates.
D. Logs in that ADOM are being forwarded in real time to another FortiAnalyzer device.

A

C. The ADOM disk quota is set too low based on log rates.

46
Q

QUESTION 47
What is the purpose of the following CLI command?
config system global
set log-checksum md5
end
A. To add a log file checksum
B. To add the MD5 hash value and authentication code
C. To add a unique tag to each log to prove that it came from this FortiAnalyzer
D. To encrypt log communications

A

A. To add a log file checksum

47
Q

QUESTION 49
What remote authentication servers can you configure to validate your FortiAnalyzer administrator logons? (Choose three.)
A. RADIUS
B. Local
C. LDAP
D. PKI
E. TACACS+

A

A. RADIUS
C. LDAP
E. TACACS+

48
Q

QUESTION 50
What statements are true regarding disk log quota? (Choose two.)
A. The FortiAnalyzer stops logging once the disk log quota is met.
B. The FortiAnalyzer automatically sets the disk log quota based on the device.
C. The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.
D. The FortiAnalyzer disk quota is configurable, but has a minimum of 100MB and a maximum based on the reserved system space.

A

C. The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.
D. The FortiAnalyzer disk quota is configurable, but has a minimum of 100MB and a maximum based on the reserved system space.

49
Q

QUESTION 51
What statements are true regarding FortiAnalyzer's treatment of high availability (HA) clusters? (Choose two.)
A. FortiAnalyzer distinguishes different devices by their serial number.
B. FortiAnalyzer receives logs from all devices in a cluster.
C. FortiAnalyzer receives logs only from the primary device in the cluster.
D. FortiAnalyzer only needs to know the serial number of the primary device in the cluster; it automatically discovers the other devices.

A

A. FortiAnalyzer distinguishes different devices by their serial number.
B. FortiAnalyzer receives logs from all devices in a cluster.

50
Q

QUESTION 52
What are the operating modes of FortiAnalyzer? (Choose two.)
A. Standalone
B. Manager
C. Analyzer
D. Collector

A

C. Analyzer
D. Collector

51
Q

QUESTION 53
Which statements are correct regarding FortiAnalyzer reports? (Choose two.)
A. FortiAnalyzer provides the ability to create custom reports.
B. FortiAnalyzer allows you to schedule reports to run.
C. FortiAnalyzer includes pre-defined reports only.
D. FortiAnalyzer allows reporting for FortiGate devices only.

A

A. FortiAnalyzer provides the ability to create custom reports.
B. FortiAnalyzer allows you to schedule reports to run.

52
Q

QUESTION 54
Which tab does not appear when FortiAnalyzer is operating in Collector mode?
A. FortiView
B. Event Management
C. Device Manager
D. Reporting

A

A. FortiView

53
Q

QUESTION 55
FortiAnalyzer centralizes which functions? (Choose three.)
A. Network analysis
B. Graphical reporting
C. Content archiving / data mining
D. Vulnerability assessment
E. Security log analysis / forensics

A

B. Graphical reporting
C. Content archiving / data mining
E. Security log analysis / forensics

54
Q

QUESTION 56
By default, what happens when a log file reaches its maximum file size?
A. FortiAnalyzer overwrites the log files.
B. FortiAnalyzer stops logging.
C. FortiAnalyzer rolls the active log by renaming the file.
D. FortiAnalyzer forwards logs to syslog.

A

C. FortiAnalyzer rolls the active log by renaming the file.

55
Q

QUESTION 57
Which statements are true of Administrative Domains (ADOMs) in FortiAnalyzer? (Choose two.)
A. ADOMs are enabled by default.
B. ADOMs constrain other administrators' access privileges to a subset of devices in the device list.
C. Once enabled, the Device Manager, FortiView, Event Management, and Reports tabs display per ADOM.
D. All administrators can create ADOMs, not just the admin administrator.

A

B. ADOMs constrain other administrators' access privileges to a subset of devices in the device list.
C. Once enabled, the Device Manager, FortiView, Event Management, and Reports tabs display per ADOM.

56
Q

QUESTION 58
Which statements are true regarding securing communications between FortiAnalyzer and FortiGate with SSL? (Choose two.)
A. SSL is the default setting.
B. SSL communications are auto-negotiated between the two devices.
C. SSL can send logs in real-time only.
D. SSL encryption levels are globally set on FortiAnalyzer.
E. FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.

A

B. SSL communications are auto-negotiated between the two devices.
D. SSL encryption levels are globally set on FortiAnalyzer.

57
Q

QUESTION 59
What are two of the key features of FortiAnalyzer? (Choose two.)
A. Centralized log repository
B. Cloud-based management
C. Reports
D. Virtual domains (VDOMs)

A

A. Centralized log repository
C. Reports

58
Q

QUESTION 60
What statements are true regarding the "store and upload" log transfer option between FortiAnalyzer and FortiGate? (Choose three.)
A. All FortiGates can send logs to FortiAnalyzer using the store and upload option.
B. Only FortiGate models with hard disks can send logs to FortiAnalyzer using the store and upload option.
C. Both secure communications methods (SSL and IPsec) allow the store and upload option.
D. Disk logging is enabled on the FortiGate through the CLI only.
E. Disk logging is enabled by default on the FortiGate.

A

B. Only FortiGate models with hard disks can send logs to FortiAnalyzer using the store and upload option.
C. Both secure communications methods (SSL and IPsec) allow the store and upload option.
D. Disk logging is enabled on the FortiGate through the CLI only.

59
Q

Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?
A. FortiView Monitor
B. Threat hunting
C. Incidents dashboards
D. Outbreak alert services

A

B. Threat hunting

60
Q

Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.)
A. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.
B. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.
C. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.
D. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

A

C. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.
D. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

61
Q

Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.)
A. By deploying different FortiAnalyzer devices in both modes, you can improve their overall performance.
B. When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
C. When in collector mode, FortiAnalyzer supports event management and reporting features.
D. Collector mode is the default operating mode.

A

A. By deploying different FortiAnalyzer devices in both modes, you can improve their overall performance.
B. When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.

62
Q

Which statement is true about sending notifications with incident updates?
A. You can send notifications to multiple external platforms.
B. If you use multiple fabric connectors, all connectors must have the same notification settings.
C. Notifications can be sent only by email.
D. Notifications can be sent only when an incident is updated or deleted.

A

A. You can send notifications to multiple external platforms.

63
Q

Which SQL query is in the correct order to query the database in the FortiAnalyzer?
A. SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid
B. FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid
C. SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
D. SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'

A

C. SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid

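For the dataset cards (QUESTION 20, 21, 40 and the clause-order card above), the following Python runs the card's query against a constructed in-memory sqlite table that stands in for the $log macro. This is an added example and not a FortiAnalyzer dataset: sqlite is used only because it runs offline, the table is named log because sqlite has no $log macro, and the user column is double-quoted as an SQL identifier (user is a reserved word in PostgreSQL, which is what FortiAnalyzer's report engine runs on). The block also shows the three misordered variants being rejected by the parser, and one pitfall the card's rendering hides: with single quotes, 'user' is a string literal, so the filter silently matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for the traffic-log table behind the $log macro.
SAMPLE_ROWS = [
    ("FG100A", "USER1"),
    ("FG100A", "USER2"),
    ("FG200B", "USER1"),
    ("FG200B", "USER1"),
    ("FG300C", "USER3"),
]

# The card's correct ordering: SELECT, FROM, WHERE, GROUP BY. The table is named "log"
# because sqlite has no $log macro, and "user" is double-quoted as an identifier.
CORRECT_QUERY = 'SELECT devid FROM log WHERE "user" = \'USER1\' GROUP BY devid'

# The card's three distractor orderings, which the parser rejects outright.
WRONG_QUERIES = [
    'SELECT devid WHERE "user" = \'USER1\' FROM log GROUP BY devid',
    'FROM log WHERE "user" = \'USER1\' SELECT devid GROUP BY devid',
    'SELECT devid FROM log GROUP BY devid WHERE "user" = \'USER1\'',
]

# Pitfall: single quotes make 'user' a string literal, so the WHERE clause compares the
# text 'user' with 'USER1' and returns no rows instead of failing loudly.
LITERAL_PITFALL = "SELECT devid FROM log WHERE 'user' = 'USER1' GROUP BY devid"


def build_db():
    """Create an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE log (devid TEXT, "user" TEXT)')
    conn.executemany("INSERT INTO log VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def run_query(sql):
    """Return the sorted devid values the query yields, or the parser's error text
    when the clauses are out of order (the database refuses the statement)."""
    conn = build_db()
    try:
        return sorted(row[0] for row in conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    print("correct   :", run_query(CORRECT_QUERY))
    for q in WRONG_QUERIES:
        print("misordered:", run_query(q))
    print("pitfall   :", run_query(LITERAL_PITFALL))
```

The correct query returns the two devices that logged USER1; each misordered query returns a syntax error; the single-quoted variant returns an empty list, which is the kind of failure that produces a blank chart rather than an error in a report.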
64
Q

A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer. What can you do on FortiAnalyzer to accomplish this?
A. Click Task Monitor and view the tasks performed by that administrator.
B. Click Fabric View and view the tasks performed by the rogue administrator.
C. Click Log View and generate a report for that administrator.
D. Click FortiView and generate a report for that administrator.

A

A. Click Task Monitor and view the tasks performed by that administrator.

65
Q

QUESTION 61
Which statements are true regarding securing communications between FortiAnalyzer and FortiGate with IPsec? (Choose two.)
A. Must configure the FortiAnalyzer end of the tunnel only; the FortiGate end is auto-negotiated.
B. Must establish an IPsec tunnel ID and pre-shared key.
C. IPsec cannot be enabled if SSL is enabled as well.
D. IPsec is only enabled through the CLI on FortiAnalyzer.

A

B. Must establish an IPsec tunnel ID and pre-shared key.
C. IPsec cannot be enabled if SSL is enabled as well.

66
Q

QUESTION 62
Which two statements about log forwarding are true? (Choose two.)
A. Forwarded logs cannot be filtered to match specific criteria.
B. Logs are forwarded in real-time only.
C. The client retains a local copy of the logs after forwarding.
D. You can use aggregation mode only with another FortiAnalyzer.

A

C. The client retains a local copy of the logs after forwarding.
D. You can use aggregation mode only with another FortiAnalyzer.
Reference: www.fortinetguru.com/2020/07/log-forwarding-fortianalyzer-fortios-6-2-3/
"In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs. See Log storage on page 21 for more information. FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported."

67
Q

QUESTION 63
Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two.)
A. SMS
B. Email
C. SNMP
D. IM

A

B. Email
C. SNMP

68
Q

QUESTION 64
Consider the CLI command:
config system global
set log-checksum md5
end
What is the purpose of the command?
A. To add a unique tag to each log to prove that it came from this FortiAnalyzer
B. To add the MD5 hash value and authentication code
C. To add a log file checksum
D. To encrypt log communications

A

C. To add a log file checksum

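The difference between md5 and md5-auth across the checksum cards (QUESTION 3, 5, 47 and the card above) is whether a secret is involved. The following Python is an added illustration, not FortiAnalyzer code and not its on-disk checksum format: it models the bare md5 setting as an MD5 digest of a rolled log file and the md5-auth "authentication code" as HMAC-MD5 keyed with a hypothetical shared secret, over constructed sample log lines. It then plays the attacker the SFTP-upload card worries about: someone on the upload path edits a verdict in the log and recomputes the bare checksum, which still verifies, while the keyed code does not.

```python
import hashlib
import hmac

# Constructed sample lines standing in for a rolled FortiAnalyzer raw log file.
SAMPLE_LOG = (
    b"date=2024-01-01 time=10:00:00 devid=FG100A logid=0000000013 action=accept\n"
    b"date=2024-01-01 time=10:00:01 devid=FG100A logid=0000000013 action=deny\n"
)

# Hypothetical secret known to the log producer and the verifier only; FortiAnalyzer's
# real key handling and checksum file format are not documented on this page.
SECRET_KEY = b"example-shared-secret"


def md5_checksum(data):
    """'md5' mode: a bare MD5 over the log file. Anyone holding the file can recompute it."""
    return hashlib.md5(data).hexdigest()


def md5_auth_code(data, key):
    """'md5-auth' mode modelled as HMAC-MD5: the digest is bound to a secret key."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def verify(data, checksum, auth_code, key):
    """Check a received log file against the checksum and authentication code that
    accompanied it. compare_digest avoids timing leaks on partial matches."""
    return {
        "checksum_ok": hmac.compare_digest(md5_checksum(data), checksum),
        "auth_ok": hmac.compare_digest(md5_auth_code(data, key), auth_code),
    }


def tamper_and_rehash(data):
    """What an attacker on the upload path can do: flip a deny to an accept in the log
    and recompute the bare checksum so the file still looks intact to an md5-only check."""
    forged = data.replace(b"action=deny", b"action=accept")
    return forged, md5_checksum(forged)


if __name__ == "__main__":
    checksum = md5_checksum(SAMPLE_LOG)
    auth_code = md5_auth_code(SAMPLE_LOG, SECRET_KEY)
    print("original:", verify(SAMPLE_LOG, checksum, auth_code, SECRET_KEY))
    forged, forged_checksum = tamper_and_rehash(SAMPLE_LOG)
    # The bare checksum matches the forged file; the keyed code does not.
    print("forged:  ", verify(forged, forged_checksum, auth_code, SECRET_KEY))
```

A bare hash only proves integrity if it travels over a path the attacker cannot touch; when the checksum rides along with the file, only the keyed code detects the edit. MD5's collision weaknesses do not directly break HMAC-MD5, but a SHA-2 based variant is the better choice wherever the platform offers one.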
69
Q

QUESTION 65
What is the main purpose of using an NTP server on FortiAnalyzer and all of its registered devices?
A. Log correlation
B. Host name resolution
C. Log collection
D. Real-time forwarding

A

A. Log correlation

70
Q

QUESTION 66
What are two advantages of setting up a fabric ADOM? (Choose two.)
A. It can be used for fast data processing and log correlation
B. It can be used to facilitate communication between devices in the same Security Fabric
C. It can include all Fortinet devices that are part of the same Security Fabric
D. It can include only FortiGate devices that are part of the same Security Fabric

A

A. It can be used for fast data processing and log correlation
C. It can include all Fortinet devices that are part of the same Security Fabric
Explanation: All Fortinet devices in a Security Fabric can be placed into the same ADOM. This allows for fast data processing and data correlation, and lets combined results be presented in reports, FortiView, and more.

71
Q

QUESTION 67
What is the purpose of a predefined template on the FortiAnalyzer?
A. It can be edited and modified as required
B. It specifies the report layout which contains predefined texts, charts, and macros
C. It specifies report settings which contains time period, device selection, and schedule
D. It contains predefined data to generate mock reports

A

B. It specifies the report layout which contains predefined texts, charts, and macros

72
Q

QUESTION 68
For which two SAML roles can the FortiAnalyzer be configured? (Choose two.)
A. Principal
B. Service provider
C. Identity collector
D. Identity provider

A

B. Service provider
D. Identity provider

73
Q

QUESTION 69
Which two purposes does the auto cache setting on reports serve? (Choose two.)
A. It automatically updates the hcache when new logs arrive.
B. It provides diagnostics on report generation time.
C. It reduces the log insert lag rate.
D. It reduces report generation time.

A

A. It automatically updates the hcache when new logs arrive.
D. It reduces report generation time.

74
Q

QUESTION 70
What are offline logs on FortiAnalyzer?
A. Compressed logs, which are also known as archive logs, are considered to be offline logs.
B. When you restart FortiAnalyzer, all stored logs are considered to be offline logs.
C. Logs that are indexed and stored in the SQL database.
D. Logs that are collected from offline devices after they boot up.

A

A. Compressed logs, which are also known as archive logs, are considered to be offline logs.

75
Q

QUESTION 71
Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.)
A. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.
B. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.
C. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.
D. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

A

B. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.
D. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

76
Q

QUESTION 72
An administrator has configured the following settings:
config system fortiview settings
set resolve-ip enable
end
What is the significance of executing this command?
A. Use this command only if the source IP addresses are not resolved on FortiGate.
B. It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer.
C. You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer.
D. It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.

A

D. It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.

77
Q

QUESTION 73
Which two statements are true regarding ADOM modes? (Choose two.)
A. You can only change ADOM modes through the CLI.
B. In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible because new devices are added to the ADOM.
C. In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.
D. Normal mode is the default ADOM mode.

A

C. In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.
D. Normal mode is the default ADOM mode.
Q

QUESTION 74
Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two.)
A. In aggregation mode, you can forward logs to syslog and CEF servers as well.
B. Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.
C. Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.
D. Both modes, forwarding and aggregation, support encryption of logs between devices.

A

C. Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.
D. Both modes, forwarding and aggregation, support encryption of logs between devices.
Q

QUESTION 75
An administrator has moved FortiGate A from the root ADOM to ADOM1. However, the administrator is not able to generate reports for FortiGate A in ADOM1. What should the administrator do to solve this issue?
A. Use the execute sql-local rebuild-db command to rebuild all ADOM databases.
B. Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.
C. Use the execute sql-report run ADOM1 command to run a report.
D. Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.

A

B. Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.
Q

QUESTION 76
Which statement is true regarding macros on FortiAnalyzer?
A. Macros are ADOM specific, and each ADOM will have unique macros relevant to that ADOM.
B. Macros are supported only on the FortiGate ADOM.
C. Macros are useful in generating Excel log files automatically based on the report settings.
D. Macros are predefined templates for reports and cannot be customized.

A

A. Macros are ADOM specific, and each ADOM will have unique macros relevant to that ADOM.
Q

QUESTION 77
Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.)
A. When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
B. Collector mode is the default operating mode.
C. When in collector mode, FortiAnalyzer supports event management and reporting features.
D. By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting.

A

A. When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
D. By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting.
Q

QUESTION 78
Refer to the exhibit. The exhibit shows that "remoteservergroup" is an authentication server group with LDAP and RADIUS servers. Which two statements express the significance of enabling "Match all users on remote server" when configuring a new administrator? (Choose two.)
A. It creates a wildcard administrator using LDAP and RADIUS servers.
B. Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP and RADIUS servers.
C. It allows administrators to use two-factor authentication.
D. User remoteadmin from the LDAP and RADIUS servers will be able to log in to FortiAnalyzer at any time.

A

A. It creates a wildcard administrator using LDAP and RADIUS servers.
B. Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP and RADIUS servers.
Q

QUESTION 79
A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer. What can you do on FortiAnalyzer to accomplish this?
A. Click FortiView and generate a report for that administrator.
B. Click Task Monitor and view the tasks performed by that administrator.
C. Click Log View and generate a report for that administrator.
D. View the tasks performed by the rogue administrator in Fabric View.

A

B. Click Task Monitor and view the tasks performed by that administrator.
Q

QUESTION 80
The admin administrator is failing to register a FortiClient EMS on the FortiAnalyzer device. What can be the reason for this failure?
A. FortiAnalyzer is in an HA cluster.
B. ADOM mode should be set to advanced in order to register the FortiClient EMS device.
C. ADOMs are not enabled on FortiAnalyzer.
D. A separate license is required on FortiAnalyzer in order to register the FortiClient EMS device.

A

C. ADOMs are not enabled on FortiAnalyzer.
Q

QUESTION 81
Refer to the exhibit. Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.)
A. Report size will be optimized to conserve disk space on FortiAnalyzer.
B. Reports will be cached in memory.
C. This feature is automatically enabled for scheduled reports.
D. Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.

A

C. This feature is automatically enabled for scheduled reports.
D. Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.
Q

QUESTION 82
Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two.)
A. FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.
B. FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.
C. All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.
D. FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.

A

B. FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.
C. All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.
Q

QUESTION 83
An administrator has moved FortiGate A from the root ADOM to ADOM1. Which two statements are true regarding logs? (Choose two.)
A. Analytics logs will be moved to ADOM1 from the root ADOM automatically.
B. Archived logs will be moved to ADOM1 from the root ADOM automatically.
C. Logs will be presented in both ADOMs immediately after the move.
D. Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.

A

B. Archived logs will be moved to ADOM1 from the root ADOM automatically.
D. Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.
Q

QUESTION 84
Which two actions should an administrator take to view Compromised Hosts on FortiAnalyzer? (Choose two.)
A. Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
B. Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device.
C. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.
D. Make sure all endpoints are reachable by FortiAnalyzer.

A

A. Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
C. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.
Q

QUESTION 85
In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use in FortiView?
A. Export to Report Chart
B. Export to PDF
C. Export to Chart Builder
D. Export to Custom Chart

A

A. Export to Report Chart
Q

QUESTION 86
An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send email. What could be the problem?
A. fortinet is assigned the Standard_User administrator profile.
B. A trusted host is configured.
C. ADOM mode is configured with Advanced mode.
D. fortinet is assigned the Restricted_User administrator profile.

A

A. fortinet is assigned the Standard_User administrator profile.
Q

QUESTION 87
Which two statements express the advantages of grouping similar reports? (Choose two.)
A. Improve report completion time.
B. Conserve disk space on FortiAnalyzer by grouping multiple similar reports.
C. Reduce the number of hcache tables and improve auto-hcache completion time.
D. Provides a better summary of reports.

A

A. Improve report completion time.
C. Reduce the number of hcache tables and improve auto-hcache completion time.
Q

QUESTION 88
What are analytics logs on FortiAnalyzer?
A. Log type Traffic logs.
B. Logs that roll over when the log file reaches a specific size.
C. Logs that are indexed and stored in the SQL database.
D. Raw logs that are compressed and saved to a log file.

A

C. Logs that are indexed and stored in the SQL database.
Q

QUESTION 89
What is Log Insert Lag Time on FortiAnalyzer?
A. The number of times in the logs where end users experienced slowness while accessing resources.
B. The amount of lag time that occurs when the administrator is rebuilding the ADOM database.
C. The amount of time that passes between the time a log was received and when it was indexed on FortiAnalyzer.
D. The amount of time FortiAnalyzer takes to receive logs from a registered device.

A

C. The amount of time that passes between the time a log was received and when it was indexed on FortiAnalyzer.
Q

QUESTION 90
Refer to the exhibit. What is the purpose of using the Chart Builder feature on FortiAnalyzer?
A. In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.
B. In Log View, this feature allows you to build a chart automatically, on the top 100 log entries.
C. This feature allows you to build a chart under FortiView.
D. You can add charts to generated reports using this feature.

A

A. In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.
Q

QUESTION 91
Which two statements are true regarding Initial Logs Sync and Log Data Sync for HA on FortiAnalyzer? (Choose two.)
A. By default, Log Data Sync is disabled on all backup devices.
B. Log Data Sync provides real-time log synchronization to all backup devices.
C. With Initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.
D. When Log Data Sync is turned on, the backup device will reboot and then rebuild the log database with the synchronized logs.

A

B. Log Data Sync provides real-time log synchronization to all backup devices.
C. With Initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.
Q

QUESTION 92
Which two statements are true regarding fabric connectors? (Choose two.)
A. Configuring fabric connectors to send a notification to an ITSM platform upon incident creation is more efficient than third-party information from the FortiAnalyzer API.
B. Fabric connectors allow you to save storage costs and improve redundancy.
C. The storage connector service does not require a separate license to send logs to a cloud platform.
D. Cloud-Out connections allow you to send real-time logs to public cloud accounts like Amazon S3, Azure Blob, and Google Cloud.

A

A. Configuring fabric connectors to send a notification to an ITSM platform upon incident creation is more efficient than third-party information from the FortiAnalyzer API.
D. Cloud-Out connections allow you to send real-time logs to public cloud accounts like Amazon S3, Azure Blob, and Google Cloud.
Q

QUESTION 93
What does the disk status Degraded mean for RAID management?
A. One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system.
B. The FortiAnalyzer device is writing to all the hard drives on the device in order to make the array fault tolerant.
C. The FortiAnalyzer device is writing data to a newly added hard drive in order to restore the hard drive to an optimal state.
D. The hard drive is no longer being used by the RAID controller.

A

D. The hard drive is no longer being used by the RAID controller.
Q

QUESTION 94
Which statement is true when you are upgrading the firmware on an HA cluster made up of two FortiAnalyzer devices?
A. First, upgrade the secondary device, and then upgrade the primary device.
B. Both FortiAnalyzer devices will be upgraded at the same time.
C. You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades.
D. You can perform the firmware upgrade using only a console connection.

A

A. First, upgrade the secondary device, and then upgrade the primary device.
Q

QUESTION 95
What is the purpose of output variables?
A. To store playbook execution statistics
B. To use the output of the previous task as the input of the current task
C. To display details of the connectors used by a playbook
D. To save all the task settings when a playbook is exported

A

B. To use the output of the previous task as the input of the current task
Q

QUESTION 96
Which two elements are contained in a system backup created on FortiAnalyzer? (Choose two.)
A. System information
B. Logs from registered devices
C. Report information
D. Database snapshot

A

A. System information
C. Report information
Q

QUESTION 97
Which two statements are correct regarding the export and import of playbooks? (Choose two.)
A. You can export only one playbook at a time.
B. You can import a playbook even if there is another one with the same name in the destination.
C. Playbooks can be exported and imported only within the same FortiAnalyzer.
D. A playbook that was disabled when it was exported will be disabled when it is imported.

A

B. You can import a playbook even if there is another one with the same name in the destination.
D. A playbook that was disabled when it was exported will be disabled when it is imported.
Q

QUESTION 98
Which SQL query is in the correct order to query the database on FortiAnalyzer?
A. SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid
B. FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid
C. SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
D. SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'

A

C. SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
Q

QUESTION 100
Which daemon is responsible for enforcing the log file size?
A. sqlplugind
B. logfiled
C. miglogd
D. ofrpd

A

B. logfiled
Q

QUESTION 101
Refer to the exhibit. Which statement is correct regarding a mitigated event?
A. The security risk was blocked or dropped.
B. The security event risk is considered open.
C. An incident was created from this event.
D. The risk source is isolated.

A

A. The security risk was blocked or dropped.
Q

QUESTION 102
What is required to authorize a FortiGate on FortiAnalyzer using Fabric authorization?
A. A FortiGate ADOM
B. The FortiGate serial number
C. A pre-shared key
D. Valid FortiAnalyzer credentials

A

D. Valid FortiAnalyzer credentials
Q

QUESTION 104
Refer to the exhibit. Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated by any user other than "admin" and coming from Laptop1:
Laptop1 = 10.1.1.100
FAZ = 10.1.1.210
Which filter will achieve the desired result?
A. operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin
B. operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin
C. operation-login & dstip==10.1.1.210 & user!=admin
D. operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin

A

A. operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin
Note: the address inside GUI(...) refers to the IP address of the client, not of the FortiAnalyzer.
Q

QUESTION 105
If the primary FortiAnalyzer in an HA cluster fails, how is the new primary elected?
A. The configured IP address is checked first.
B. The active port number is checked first.
C. The firmware version is checked first.
D. The configured priority is checked first.

A

D. The configured priority is checked first.
Q

QUESTION 106
What is the best approach to handle a hard disk failure on a FortiAnalyzer that supports hardware RAID?
A. Hot swap the disk.
B. There is no need to do anything because the disk will self-recover.
C. Run execute format disk to format and restart the FortiAnalyzer device.
D. Shut down FortiAnalyzer and replace the disk.

A

A. Hot swap the disk.
Q

QUESTION 107
Which statement is true about sending notifications with incident updates?
A. Notifications can be sent only when an incident is updated or deleted.
B. If you use multiple fabric connectors, all connectors must have the same notification settings.
C. Notifications can be sent only by email.
D. You can send notifications to multiple external platforms.

A

D. You can send notifications to multiple external platforms.
Q

QUESTION 108
Which statement correctly describes the management extensions available on FortiAnalyzer?
A. Management extensions do not require additional licenses.
B. Management extensions allow FortiAnalyzer to act as a FortiSIEM supervisor.
C. Management extensions require a dedicated VM for best performance.
D. Management extensions may require a minimum number of CPU cores to run.

A

D. Management extensions may require a minimum number of CPU cores to run.
Q

QUESTION 109
A playbook contains five tasks in total. An administrator executed the playbook and four out of five tasks finished successfully, but one task failed. What will be the status of the playbook after its execution?
A. Success
B. Failed
C. Running
D. Upstream_failed

A

B. Failed
Q

QUESTION 110
When working with FortiAnalyzer reports, what is the purpose of a dataset?
A. To provide the layout used for reports
B. To define the chart type to be used
C. To retrieve data from the database
D. To set the data included in templates

A

C. To retrieve data from the database
Q

QUESTION 111
Refer to the exhibit. The image displays the configuration of a FortiAnalyzer that the administrator wants to join to an existing HA cluster. What can you conclude from the configuration displayed?
A. This FortiAnalyzer will join the existing HA cluster as the primary.
B. This FortiAnalyzer is configured to receive logs on its port1.
C. This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.
D. After joining the cluster, this FortiAnalyzer will keep an updated log database.

A

A. This FortiAnalyzer will join the existing HA cluster as the primary.
Q

QUESTION 112
You created a playbook on FortiAnalyzer that uses a FortiOS connector. When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?
A. FortiAnalyzer Event Handler
B. Incoming webhook
C. FortiOS Event Log
D. Fabric Connector event

A

B. Incoming webhook
Q

QUESTION 113
Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?
A. Incidents dashboards
B. Threat hunting
C. FortiView Monitor
D. Outbreak alert services

A

B. Threat hunting
Q

QUESTION 114
What can you do on FortiAnalyzer to restrict administrative access from specific locations?
A. Configure trusted hosts for that administrator.
B. Enable geo-location services on the accessible interface.
C. Configure two-factor authentication with a remote RADIUS server.
D. Configure an ADOM for the respective location.

A

A. Configure trusted hosts for that administrator.
Q

QUESTION 115
An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send alert emails. What can be the problem?
A. fortinet is assigned the Standard_User administrative profile.
B. A trusted host is configured.
C. ADOM mode is configured with Advanced mode.
D. fortinet is assigned the Restricted_User administrative profile.

A

A. fortinet is assigned the Standard_User administrative profile.