Title of test:
NSE5-01

Description:
TESTE010101

Author:
TESTE

Creation Date:
05/03/2024

Category:
Others

Number of questions: 246
Content:
Which two statements about a FortiAnalyzer Fabric are true? (Choose two)
- The supervisor can access the logs in the fabric members using an API
- All fabric members must run in collector mode except the supervisor
- Fabric members and the supervisor support HA
- Fabric members must be in the same time zone as the supervisor

Refer to the exhibit. What does the data point at 21:20 indicate?
- FortiAnalyzer is indexing logs faster than logs are being received
- The fortilogd daemon is ahead in indexing by one log
- FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed
- FortiAnalyzer is dropping logs to catch up

Refer to the exhibit. The exhibit shows a partial view of the Compromised Host section in FortiView with the number of threats blurred out. Assuming that they are all included in the image, what is the number of threats?
- 11
- 16
- 1
- 3

Which statement describes a dataset in FortiAnalyzer?
- They are used to set the data included in templates
- They determine what data is retrieved from the database
- They provide the layout used for reports
- They define the chart types to be used in reports

Which statement about the FortiSOAR management extension is correct?
- It requires a dedicated FortiSOAR device or VM
- It runs as a docker container on FortiAnalyzer
- It requires a FortiManager configured to manage FortiGate
- It does not include a limited trial by default

Refer to the exhibit. Which statement is correct regarding the event displayed?
- An incident was created from this event
- The security event risk is considered open
- The risk source is isolated
- The security risk was blocked or dropped

Why run the command diagnose sql status sqlplugind?
- To list the current SQL processes running
- To view the current hcache size
- To display the SQL query connections and hcache status
- To check the database log insertion status

Which statement describes archive logs on FortiAnalyzer?
- Logs compressed and saved in files with the .gz extension
- Logs that are indexed and stored in the SQL database
- Logs a FortiAnalyzer administrator can access in FortiView
- Logs previously collected from devices that are offline

After generating a report, you notice the information you were expecting to see is not included in it. What are two possible reasons for this scenario? (Choose two)
- You enabled auto-cache with extended log filtering
- The logfiled service has not indexed all the expected logs
- The logs were overwritten by the data retention policy
- The time frame selected in the report is wrong

Which log will generate an event with the status Unhandled?
- An AV log with action=quarantine
- A webfilter log with action=dropped
- An appcontrol log with action=blocked
- An IPS log with action=pass

What must you consider when using log fetching? (Choose two)
- You can use filters to include only logs from a single device
- The fetch client can retrieve logs from devices that are not added to its local Device
- The fetching profile must include a user with the Super_User profile
- The archive logs retrieved from the server become archive logs in the client

Which FortiAnalyzer tool can refer to the Cyber Kill Chain stages and allows you to identify which Fortinet products can protect you against new vulnerabilities?
- FortiView Monitor top threats
- Outbreak detection services
- FortiSOC dashboards
- Threat hunting SIEM table

Which item must you configure on FortiAnalyzer to email generated reports automatically?
- Report scheduling
- SFTP server
- SNMP server
- Output profile

What are two benefits of using Fabric connectors? (Choose two)
- Fabric connectors allow you to improve redundancy
- They allow FortiAnalyzer to send logs in real time to public cloud accounts
- You do not need an additional license to send logs to the cloud platform
- Using fabric connectors is more efficient than using third-party polling with API

Which two statements are true regarding FortiAnalyzer operating modes? (Choose two)
- When running in collector mode, FortiAnalyzer can forward logs to a syslog server
- You can create and edit reports when FortiAnalyzer is running in collector mode
- FortiAnalyzer runs in collector mode by default unless it is configured for HA
- A topology with FortiAnalyzer devices running in both modes can improve their performance

Which log will generate an event with the status Contained?
- An IPS log with action=pass
- A webfilter log with action=dropped
- An AV log with action=quarantine
- An appcontrol log with action=blocked

What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two)
- When new logs are received, the hcache data is updated automatically
- The generation time for reports is decreased
- FortiAnalyzer local cache is used to store generated reports
- The size of newly generated reports is optimized to conserve disk space

Which statement about the FortiSIEM management extension is correct?
- Its use of the available disk space is capped at 50%
- It can be installed as a dedicated VM
- It requires a licensed FortiSIEM supervisor
- It allows you to manage the entire cycle of a threat or breach

Refer to the exhibit. What does the data point at 12:20 indicate?
- The performance of FortiAnalyzer is below the baseline
- FortiAnalyzer is using its cache to avoid dropping logs
- The sqlplugind service is caught up with new logs
- The log insert lag time is increasing

A playbook contains five tasks in total. An administrator runs the playbook and four out of five tasks finish successfully, but one task fails. What will be the status of the playbook after it is run?
- Upstream_failed
- Success
- Running
- Failed

Which statement about sending notifications with incident updates is true?
- Each incident can send notifications to a single external platform
- Each connector used can have different notification settings
- Notifications can be sent only when an incident is created or deleted
- You must configure an output profile to send notifications by email

What is the purpose of using prefilters when configuring event handlers?
- They are common filters applied simultaneously to all event handlers
- They can filter the logs before they are processed by FortiAnalyzer
- They limit which logs are checked for matches by the other filters
- They download new filters to be used in event handlers

What happens when the IOC breach detection engine on FortiAnalyzer finds web logs that match a blocklisted IP address?
- The detection engine classifies those logs as Suspicious
- FortiAnalyzer flags the associated host for further analysis
- A new infected entry is added for the corresponding endpoint
- The endpoint is marked as .

Refer to the exhibit. Which statement is correct regarding the event displayed?
- An incident was created from this event
- The security risk was blocked or dropped
- The risk source is isolated
- The security event risk is considered open

How can you attach a report to an incident?
- Saving it in JSON format, and then importing it
- By attaching it to an event handler alert
- By editing the settings of the desired report
- From the properties of an existing incident

What does the disk status Degraded mean for RAID management?
- One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system
- The FortiAnalyzer device is writing data to a newly added drive in order to restore the hard drive to an optimal status
- The hard drive is no longer being used by the RAID controller
- The FortiAnalyzer device is writing to all the hard drives on the device in order to make the array fault tolerant

Refer to the exhibit. Which statement is correct regarding the event displayed?
- An incident was created from this event
- The risk source is isolated
- The security event risk is considered
- The security risk was blocked or dropped

Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two)
- Send Alert through Fabric Connectors
- Send SNMP trap
- Send SMS notification
- Send Alert through IM

What is the purpose of using prefilters when configuring event handlers?
- They can filter the logs before they are processed by FortiAnalyzer
- They can limit which logs are checked for matches by the other filters
- They download new filters to be used in event handlers
- They are common filters applied simultaneously to all event handlers

Refer to the exhibit. The image displays the configuration of a FortiAnalyzer that the administrator wants to join to an existing HA cluster. What can you conclude from the configuration displayed?
- This FortiAnalyzer is configured to receive logs on its port1
- This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds
- This FortiAnalyzer will join the existing HA cluster as the primary
- After joining the cluster, this FortiAnalyzer will keep an updated log database

Why do you need to wait for several minutes before you run a playbook that you just created?
- FortiAnalyzer needs that time to parse the new playbook
- FortiAnalyzer needs that time to debug the new playbook
- FortiAnalyzer needs that time to ensure there are no other playbooks running
- FortiAnalyzer needs that time to back up the current playbooks

Refer to the exhibit. The image shows the details of a playbook after it finished running. What is the status of the playbook?
- Upstream_failed
- Running
- Success
- Failed

You are looking for a playbook that was exported by a junior administrator. You perform a search and find the files listed below. Which file would you choose to perform an import operation?
- Exported_playbook.sql
- Exported_playbook.csv
- Exported_playbook.txt
- Exported_playbook.json

What is the purpose of trigger variables?
- To use information from the trigger to filter the action in a task
- To store the starting times for ON_Schedule triggers
- To provide the trigger information to make the playbook start running
- To display statistics about the playbook runtime

Which statement correctly describes the management extensions available on FortiAnalyzer?
- Management extensions may require a minimum number of CPU cores to run
- Management extensions do not require additional licenses
- Management extensions require a dedicated VM for best performance
- Management extensions allow FortiAnalyzer to act as a FortiSIEM supervisor

What are offline logs on FortiAnalyzer?
- When you restart FortiAnalyzer, all stored logs are considered to be offline logs
- Logs that are collected from offline devices after they boot up
- Logs that are indexed and stored in the SQL database
- Compressed logs, also known as archive logs, are considered to be offline logs

Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?
- Threat hunting
- Incident dashboards
- FortiView Monitor
- Outbreak alert services

Refer to the exhibit. Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated from Laptop1. Which filter will achieve the desired result?
- Operation=login & dstip==10.1.1.210 & user!=admin
- Operation=login & performed_on=="GUI(10.1.1.210)" & user!=admin
- Operation=login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin
- Operation=login & performed_on=="GUI(10.1.1.100)" & user!=admin

Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two)
- FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster
- FortiAnalyzer HA implementation is supported by all cloud providers
- FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings
- All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector

After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command?
execute sql-local rebuild-adom <new-ADOM-name>
- To populate the new ADOM with analytical logs for the moved device, so you can run reports
- To migrate the archive logs to the new ADOM
- To remove the analytics logs of the device from the old database
- To reset the disk quota enforcement to default

What is the best approach to handle a hard disk failure on a FortiAnalyzer that supports hardware RAID?
- Run execute format disk to format and restart the FortiAnalyzer device
- Hot swap the disk
- There is no need to do anything because the disk will self-recover
- Shut down FortiAnalyzer and replace the disk

Which statement is true regarding Macros on FortiAnalyzer?
- Macros are ADOM specific and each ADOM has unique macros relevant to that ADOM
- Macros are supported only on the FortiGate ADOM
- Macros are useful in generating Excel log files automatically based on the report settings
- Macros are predefined templates for reports and cannot be customized

A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer. What should you do?
- Click Task Monitor and view the tasks performed by that administrator
- Click Log View and generate a report for that administrator
- Click Fabric View and view the tasks performed by the rogue administrator
- Click FortiView and generate a report for that administrator

Refer to the exhibit. Which statement is correct regarding the event displayed?
- The security event risk is considered open
- An incident was created from this event
- The security risk was blocked or dropped
- The risk source is isolated

What is required to authorize a FortiGate on FortiAnalyzer using Fabric authorization?
- A FortiGate ADOM
- Valid FortiAnalyzer credentials
- The FortiGate serial number
- A pre-shared key

Which two actions should an administrator take to view Compromised Hosts on FortiAnalyzer? (Choose two)
- Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device
- Make sure all endpoints are reachable by FortiAnalyzer
- Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer
- Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date

When working with FortiAnalyzer reports, what is the purpose of a dataset?
- To provide the layout used for reports
- To set the data included in templates
- To retrieve data from the database
- To define the chart type to be used

A playbook contains five tasks in total. An administrator executed the playbook and four out of five tasks finished successfully, but one task failed. What will be the status of the playbook after its execution?
- Failed
- Running
- Success
- Upstream_failed

Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two)
- This feature is automatically enabled for scheduled reports
- Report size will be optimized to conserve disk space on FortiAnalyzer
- Enabling auto-cache reduces report generation time for reports that require a long time to assemble the dataset
- Reports will be cached in the memory

If the primary FortiAnalyzer in an HA cluster fails, how is the new primary elected?
- The active port number is checked first
- The firmware version is checked first
- The configured priority is checked first
- The configured IP address is checked first

For which two purposes would you use the command set log-checksum? (Choose two)
- To encrypt log communications
- To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server
- To send an identical set of logs to a second logging server
- To prevent log modification or tampering

In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use for FortiView?
- Export to PDF
- Export to Custom Chart
- Export to Report Chart
- Export to Chart Builder

Which two statements are true regarding FortiAnalyzer operating modes? (Choose two)
- When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format
- By deploying different FortiAnalyzer devices in both modes, you can improve their overall performance
- When in collector mode, FortiAnalyzer supports event management and reporting features
- Collector mode is the default operating mode

Which statement is true about sending notifications with incident updates?
- If you use multiple fabric connectors, all connectors must have the same notification settings
- Notifications can be sent only by email
- You can send notifications to multiple external platforms
- Notifications can be sent only when an incident is updated or deleted

Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two)
- Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer
- A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end
- Log fetching allows the administrator to fetch analyzer logs from another FortiAnalyzer for redundancy
- Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version

For which two SAML roles can the FortiAnalyzer be configured? (Choose two)
- Principal
- Service provider
- Identity collector
- Identity provider

An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send alert emails. What can be the problem?
- ADOM mode is configured with Advanced mode
- A trusted host is configured
- fortinet is assigned the Standard_User administrative profile
- fortinet is assigned the Restricted_User administrative profile

Which two statements are correct regarding the export and import of playbooks? (Choose two)
- Playbooks can be exported and imported only within the same FortiAnalyzer
- A playbook that was disabled when it was exported will be disabled when it is imported
- You can import a playbook even if there is another one with the same name in the destination
- You can export only one playbook at a time

Which SQL query is in the correct order to query the database in the FortiAnalyzer?
- Select devid FROM $log GROUP BY devid WHERE 'user'='USER1'
- Select devid FROM $log WHERE 'user'='USER1' GROUP BY devid
- FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid
- Select devid WHERE 'user'='USER1' FROM $log GROUP BY devid

What is the purpose of output variables?
- To save all the task settings when a playbook is exported
- To display details of the connectors used by a playbook
- To store playbook execution statistics
- To use the output of the previous task as the input of the current task

Which statement is true when you are upgrading the firmware on an HA cluster made up of two FortiAnalyzer devices?
- First, upgrade the secondary device, and then upgrade the primary device
- Both FortiAnalyzer devices will be upgraded at the same time
- You can perform the firmware upgrade using only a console connection
- You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades

Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two)
- Forwarding mode forwards logs in real time only to other FortiAnalyzer devices
- Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time
- In aggregation mode, you can forward logs to syslog and CEF servers as well
- Both modes, forwarding and aggregation, support encryption of logs between devices

Which two statements are true regarding ADOM modes? (Choose two)
- Normal mode is the default ADOM mode
- In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible
- In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs
- You can change ADOM modes only through the CLI

Which two elements are contained in a system backup created on FortiAnalyzer? (Choose two)
- Database snapshot
- Report information
- System information
- Logs from registered devices

Which daemon is responsible for enforcing the log file size?
- logfiled
- sqlplugind
- miglogd
- oftpd

Refer to the exhibit. How many events will be added to the incident created after running this playbook?
- No events will be added
- Thirteen events will be added
- Five events will be added
- Ten events will be added

You created a playbook on FortiAnalyzer that uses a FortiOS connector. When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?
- Fabric Connector event
- FortiAnalyzer Event Handler
- FortiOS Event Log
- Incoming webhook

Refer to the exhibit. What is the purpose of using the Chart Builder feature on FortiAnalyzer?
- To build a dataset and chart automatically, based on the filtered search results
- To add charts directly to generated reports
- To build a chart under FortiView
- To build a chart automatically based on the top 100 log entries

What is required to authorize a FortiGate on FortiAnalyzer using Fabric authorization?
- A FortiGate ADOM
- A pre-shared key
- Valid FortiAnalyzer credentials
- The FortiGate serial number

An administrator has configured the following settings:
config system global
    set log-checksum md5-auth
end
What is the significance of executing these commands?
- These commands record the MD5 hash value and authentication code of log files
- These commands create the secure channel used by the OFTP process
- These commands verify the integrity of the log files received
- These commands encrypt log transfer between FortiAnalyzer and other devices

Which two parameters impact the amount of reserved disk space required by FortiAnalyzer? (Choose two)
- Disk size
- License type
- Total quota
- RAID level

Which two statements are true regarding FortiAnalyzer operating modes? (Choose two)
- By deploying different FortiAnalyzer devices in both modes, you can improve their overall performance
- When in collector mode, FortiAnalyzer supports event management and reporting features
- Collector mode is the default operating mode
- When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format

Which two items must you configure on FortiAnalyzer to email a FortiAnalyzer report externally? (Choose two)
- Output profile
- SFTP server
- Mail server
- Report scheduling

Which statement is true about sending notifications with incident updates?
- You can send notifications to multiple external platforms
- If you use multiple fabric connectors, all connectors must have the same notification settings
- Notifications can be sent only when an incident is updated or deleted
- Notifications can be sent only by email

Which statement is true when you are upgrading the firmware on an HA cluster made up of two FortiAnalyzer devices?
- You can perform the firmware upgrade using only a console connection
- You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades
- Both FortiAnalyzer devices will be upgraded at the same time
- First, upgrade the secondary device, and then upgrade the primary device

What is the purpose of predefined report templates on FortiAnalyzer?
- They can be customized to meet your needs
- They can be created by saving reports as templates
- They specify the layout used in reports
- They include the data used in report charts

Which two statements are true regarding fabric connectors? (Choose two)
- Fabric connectors allow you to save storage costs and improve redundancy
- Configuring fabric connectors is more efficient than third-party polling of information from the FortiAnalyzer API
- The storage connector service does not require a separate license to send logs to the cloud platform
- Cloud-out connectors allow you to send real-time logs to public cloud accounts like Amazon S3, Azure Blob, and Google Cloud

Which two methods can be used to restrict administrative access on FortiAnalyzer? (Choose two)
- Use administrator profiles
- Limit access to specific virtual domains
- Configure trusted hosts
- Add custom Security Fabric connectors

Refer to the exhibit. The exhibit shows that "remoteservergroup" is an authentication server group with LDAP and RADIUS servers. Which two statements express the significance of enabling Match all users on remote server when configuring a new administrator? (Choose two)
- User remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at any time
- Administrators can log in to FortiAnalyzer using their credentials on remote LDAP and RADIUS servers
- It creates a wildcard administrator using LDAP and RADIUS servers
- It allows administrators to use two-factor authentication

For which two purposes would you use the command set log-checksum? (Choose two)
- To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server
- To encrypt log communications
- To send an identical set of logs to a second logging server
- To prevent log modification or tampering

An administrator has moved FortiGate A from the root ADOM to adom1. Which two statements are true regarding logs? (Choose two)
- Logs will be present in both ADOMs immediately after the move
- Analytics logs will be moved to adom1 from the root ADOM automatically
- Analytics logs will be moved to adom1 from the root ADOM after you rebuild the adom1 SQL database
- Archived logs will be moved to adom1 from the root ADOM automatically

Which SQL query is in the correct order to query the database in the FortiAnalyzer?
- SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid
- FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid
- SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
- SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'

Which two statements are true regarding ADOM modes? (Choose two)
- In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs
- You can change ADOM modes only through the CLI
- Normal mode is the default ADOM mode
- In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible

Which statement is true about using aggregation mode on FortiAnalyzer?
- Aggregation mode supports log filters
- In aggregation mode, logs and content files are forwarded in real time
- Aggregation mode can be configured only on the CLI
- Aggregation mode can work with syslog servers

What can you do on FortiAnalyzer to restrict administrative access from specific locations?
- Configure an ADOM for a respective location
- Configure two-factor authentication with a remote RADIUS server
- Configure trusted hosts for that administrator
- Enable geo-location services on accessible interfaces

Which two statements are true regarding the outbreak alert service? (Choose two)
- Outbreak alerts are available on the root ADOM only
- An additional license is required
- It automatically downloads new event handlers and reports
- New alerts are received by email

Refer to the exhibit. What does the data point at 10:15:42 indicate?
- FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed
- The fortilogd daemon is ahead in indexing by one log
- FortiAnalyzer is indexing logs faster than logs are being received
- FortiAnalyzer is dropping logs

What are two advantages of grouping similar reports? (Choose two)
- Improves report completion time
- Conserves disk space on FortiAnalyzer by grouping multiple similar reports
- Provides a better summary of reports
- Reduces the number of hcache tables and improves auto-hcache completion time

What are analytics logs on FortiAnalyzer?
- Log type Traffic logs
- Logs that are indexed and stored in the SQL database
- Logs that are compressed and saved to a log file
- Logs that roll over when the log file reaches a specific size

Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate on FortiAnalyzer with any user account in a single LDAP group? (Choose two)
- A trusted host profile that restricts access to the LDAP group
- A remote LDAP server
- An administrator group
- A local wildcard administrator account

An administrator has configured the folling settings: config t system foriwiew settings set resolve-ip enable end What is the significance of executing this command? It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer Use this command only if the source IP address are not resolved on FortiGate You must configure local DNS servers on Fortigate for this command to resolve IP address on FortiAnalyzer It resolves the source and destination IP address to a hostname in FortiView on FortiAnalyzer.
What statement is correct regrading the FortiSOAR management extension? It includes a limited trial by default It runs as a VM It requires a FortiManager configured to manage Fortigate It requires a dedicated FortiSOAR appliance or VM.
Which two of the following must you configure on FortiAnalyzer to email a FortiAnalyzer report externally? (Choose two) Mail server Output profile SFTP server Report schedulling.
Refer to the exhibit. Why is the total quota less than the total system storage? Some space is reserved for system use 3.6% of the system storage is already being used The logfiled process is just estimating the total quota The oftpd process has not archived the logs yet.
For which two purpose wuold you use the command set log checksum? (Choose two) To help protect against man-in-the-middle attacks during log log upload from FortiAnalyzer to an SFTP server To prevent log modification or tampering To encrypt log communications To send an identical set of logs to a second logging server.
Refer to the exhibit. What does the data point at 14:55 tell you? The received rate is almost at its maximum for this device The sqlplugind daemon is behind in log indexing by two logs Logs are being dropped Raw logs are reaching FortiAnalyzer faster than they can be indexed.
You are using RAID with a FortiAnalyzer that supports software RAID, and one of the hard disks on FortiAnalyzer has failed. What is the recommended method to replace the disk? Shut down FortiAnalyzer and then replace the disk Downgrade your RAID level, replace the disk, and then upgrade your RAID level Clear all RAID alarms and replace the disk while FortiAnalyzer is still running Perform a hot swap.
On the RAID management page, the disk status is listed as initializing. What does the status initializing indicate about what the FortiAnalyzer is currently doing? FortiAnalyzer is ensuring that the parity data of a redundant drive is valid FortiAnalyzer is writing data to a newly added hard drive to restore it to an optimal state FortiAnalyzer is writing to all of its hard drives to make the array fault tolerant FortiAnalyzer is functioning normally.
In the FortiAnalyzer FortiView, source and destination IP addresses from FortiGate devices are not resolving to a hostname. How can you resolve the source and destination IP addresses, without introducing any additional performance impact to FortiAnalyzer? Resolve IP addresses on a per-ADOM basis to reduce delay on FortiView while IPs resolve Configure # set resolve-ip enable in the system FortiView settings Configure local DNS servers on FortiAnalyzer Resolve IP addresses on FortiGate.
You have recently grouped multiple FortiGate devices into a single ADOM. System Settings > Storage Info shows the quota used. What does the disk quota refer to? The maximum disk utilization for each device in the ADOM The maximum disk utilization for the FortiAnalyzer model The maximum disk utilization for the ADOM type The maximum disk utilization for all devices in the ADOM.
Why should you use an NTP server on FortiAnalyzer and all registered devices that log into FortiAnalyzer? To properly correlate logs To use real-time forwarding To resolve host names To improve DNS response times.
You need to upgrade your FortiAnalyzer firmware. What happens to the logs being sent to FortiAnalyzer from FortiGate during the time FortiAnalyzer is temporarily unavailable? FortiAnalyzer uses log fetching to retrieve the logs when back online FortiGate uses the miglogd process to cache the logs The logfiled process stores logs in offline mode Logs are dropped.
After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command? execute sql-local rebuild-adom <new-ADOM-name> To reset the disk quota enforcement to default To remove the analytics logs of the device from the old database To migrate the archive logs to the new ADOM To populate the new ADOM with analytical logs for the moved device, so you can run reports.
If a hard disk fails on a FortiAnalyzer that supports software RAID, what should you do to bring the FortiAnalyzer back to functioning normally, without losing data? Hot swap the disk Replace the disk and rebuild the RAID manually Take no action if the RAID level supports a failed disk Shut down FortiAnalyzer and replace the disk.
Which FortiAnalyzer feature allows you to retrieve the archived logs matching a specific timeframe, from another FortiAnalyzer device? Log fetching Indicators of compromise Log forwarding in aggregation mode Log upload.
If you upgrade the FortiAnalyzer firmware, which report element can be affected? Custom datasets Report scheduling Report settings Output profiles.
FortiAnalyzer reports are dropping analytical data from 15 days ago, even though the data policy setting for analytics logs is 60 days. What is the most likely problem? Quota enforcement is acting on analytical data before a report is complete Logs are rolling before the report is run CPU resources are too high Disk utilization for archive logs is set for 15 days.
Which log type does the FortiAnalyzer indicators of compromise feature use to identify infected hosts? Antivirus logs Web filter logs IPS logs Application control logs.
Which two purposes does the auto-cache setting on reports serve? (Choose two) It automatically updates the hcache when new logs arrive It reduces report generation time It provides diagnostics on report generation time It reduces the log insert lag rate.
In order for FortiAnalyzer to collect logs from a FortiGate device, which two configurations are required? (Choose two) FortiGate must be registered with FortiAnalyzer Remote logging must be enabled on FortiGate ADOMs must be enabled Log encryption must be enabled.
Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate to FortiAnalyzer with any user account in a single LDAP group? (Choose two) A local wildcard administrator account A remote LDAP server A trusted host profile that restricts access to the LDAP group An administrator group.
When you perform a system backup, what does the backup configuration contain? (Choose two). Generated reports Device list Authorized devices logs System information.
Which clause is considered mandatory in a SELECT statement used by the FortiAnalyzer to generate reports? FROM LIMIT WHERE ORDER BY.
What is the purpose of a dataset query in FortiAnalyzer? It sorts log data into tables It extracts the database schema It retrieves log data from the database It injects log data into the database.
Logs are being deleted from one of the ADOMs earlier than the configured setting for archiving in the data policy. What is the most likely problem? CPU resources are too high Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device The total disk space is insufficient and you need to add another disk The ADOM disk quota is set too low, based on log rates.
Which two constraints can impact the amount of reserved disk space required by FortiAnalyzer? (Choose two) License type Disk size Total quota RAID level.
What happens when a log file saved on FortiAnalyzer disks reaches the size specified in the device log settings? The log file is overwritten The log file is stored as a raw log and is available for analytic support The log file rolls over and is archived The log file is purged from the database.
Which two statements about log forwarding are true? (Choose two). Forwarded logs cannot be filtered to match specific criteria Logs are forwarded in real-time only The client retains a local copy of the logs after forwarding You can use aggregation mode only with another FortiAnalyzer.
Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two) SMS Email SNMP IM.
You have moved a registered logging device out of one ADOM and into a new ADOM. What happens when you rebuild the new ADOM database? FortiAnalyzer migrates analytics logs to the new ADOM FortiAnalyzer removes analytics logs from the old ADOM FortiAnalyzer resets the disk quota of the new ADOM to default FortiAnalyzer migrates archive logs to the new ADOM.
Consider the CLI command: # configure system global set log-checksum md5 end What is the purpose of the command? To add a unique tag to each log to prove that it came from this FortiAnalyzer To add the MD5 hash value and authentication code To add a log file checksum To encrypt log communications.
How are logs forwarded when FortiAnalyzer is configured to use aggregation mode? Logs are forwarded as they are received Logs are forwarded as they are received and content files are uploaded at a scheduled time Logs and content files are stored and uploaded at a scheduled time Logs and content files are forwarded as they are received.
Refer to the exhibit. What does the data point at 14:25 tell you? FortiAnalyzer is indexing logs faster than logs are being received FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed FortiAnalyzer is dropping logs The sqlplugind daemon is ahead in indexing by one log.
What is the main purpose of using an NTP server on FortiAnalyzer and all of its registered devices? Log correlation Host name resolution Log collection Real-time forwarding.
FortiAnalyzer uses the Optimized Fabric Transfer Protocol (OFTP) over SSL for which purpose? To send an identical set of logs to a second logging server To encrypt log communication between devices To upload logs to an SFTP server To prevent log modification during backup.
What are two advantages of setting up a fabric ADOM? (Choose two) It can be used for fast data processing and log correlation It can be used to facilitate communication between devices in the same Security Fabric It can include all Fortinet devices that are part of the same Security Fabric It can include only FortiGate devices that are part of the same Security Fabric.
What is the purpose of a predefined template on the FortiAnalyzer? It can be edited and modified as required It specifies the report layout which contains predefined texts, charts, and macros It specifies report settings which contains time period, device selection, and schedule It contains predefined data to generate mock reports.
How does FortiAnalyzer retrieve specific log data from the database? SQL EXTRACT statement SQL GET statement SQL FROM statement SQL SELECT statement.
Which FortiGate process caches logs when FortiAnalyzer is not reachable? sqlplugind miglogd logfiled oftpd.
Refer to the exhibit. What does the 1000MB maximum for disk utilization refer to? The disk quota for each device in the ADOM The disk quota for all devices in the ADOM The disk quota for the FortiAnalyzer model The disk quota for the ADOM type.
For which two SAML roles can the FortiAnalyzer be configured? (Choose two) Principal Service provider Identity collector Identity provider.
What is the purpose of employing RAID with FortiAnalyzer? To introduce redundancy to your log data To provide data separation between ADOMs To separate analytical and archive data To back up your logs.
What is the recommended method of expanding disk space on a FortiAnalyzer VM? From the VM host manager, add an additional virtual disk and use the # execute lvm extend <disk number> command to expand the storage From the VM host manager, expand the size of the existing virtual disk From the VM host manager, expand the size of the existing virtual disk and use the # execute format disk command to reformat the disk From the VM host manager, add an additional virtual disk and rebuild your RAID array.
How do you restrict an administrator's access to a subset of your organization's ADOMs? Set the ADOM mode to Advanced Assign the ADOM to the administrator's account Configure trusted hosts Assign the default Super_User administrator profile.
What can the CLI command # diagnose test application oftpd 3 help you to determine? What devices and IP addresses are connecting to FortiAnalyzer What logs, if any, are reaching FortiAnalyzer What ADOMs are enabled and configured What devices are registered and unregistered.
What FortiView tool can you use to automatically build a dataset and chart based on a filtered search result? Chart Builder Export to Report Chart Dataset Library Custom View.
What must you configure on FortiAnalyzer to upload a FortiAnalyzer report to a supported external server? (Choose two) SFTP, FTP or SCP server Mail server Output profile Report scheduling.
What purpose does the auto-cache setting on reports serve? (Choose two) To reduce report generation time To automatically update the hcache when new logs arrive To reduce the log insert lag rate To provide diagnostics on report generation time.
On FortiAnalyzer, what is a wildcard administrator account? An account that permits access to members of an LDAP group An account that allows guest access with read-only privileges An account that requires two-factor authentication An account that validates against any user account on a FortiAuthenticator.
For proper log correlation between the logging devices and FortiAnalyzer, FortiAnalyzer and all registered devices should: Use DNS Use host name resolution Use real-time forwarding Use an NTP server.
How can you configure FortiAnalyzer to permit administrator logins from only specific locations? Use static routes Use administrative profiles Use trusted hosts Use secure protocols.
Refer to the exhibit. What does the data point at 14:55 tell you? The received rate is almost at its maximum for this device The sqlplugind daemon is behind in log indexing by two logs Logs are being dropped Raw logs are reaching FortiAnalyzer faster than they can be indexed.
What are event handlers? Threats identified by FortiGuard Specific matched conditions in the raw logs Alert notifications SNMP traps.
Which two FortiAnalyzer features allow you to automatically build a dataset and chart based on a filtered search result? (Choose two.) Export to Report Chart (FortiView) Custom View Dataset Library Chart Builder.
What is the main purpose of deploying RAID with FortiAnalyzer? To back up your logs To make an identical copy of log data on two separate physical drives To provide redundancy of your log data To store data in chunks across multiple drives.
It is a best practice to upload FortiAnalyzer local logs to a remote server. Which three remote servers are supported for the upload? (Choose three.) SFTP SCP FTP UDP TCP.
Which database language does FortiAnalyzer support for the purposes of logging and reporting? LDAP SSH SQL XML.
What should you always do after erasing the FortiAnalyzer configuration on flash? Run the execute reset all-settings command Run the execute format disk command Run the execute reboot command Perform a system backup.
What is included in the disk quota for each ADOM on the FortiAnalyzer? SQL tables and archive files Raw logs and archive files Archive logs and analytics logs Raw logs, archive files, SQL database tables.
When generating reports on FortiAnalyzer, macros can be used to include additional data. Which two statements about macros are true? (Choose two.) Macros are abbreviated dataset queries Macros do not need to be associated with a chart Macros are supported in FortiGate ADOMs only Macros cannot be customized.
When you move a FortiGate device from one ADOM to a new ADOM, what is the purpose of rebuilding the new ADOM database? To migrate the archive logs to the new ADOM To reset the disk quota enforcement to default To remove the device's analytics logs from the old ADOM To run reports on the device's analytics logs in the new ADOM.
Which two external servers can you configure to validate administrator logins? (Choose two.) Syslog LDAP RADIUS Only locally by FortiAnalyzer.
You have moved a registered logging device out of one ADOM and into a new ADOM. What happens when you rebuild the new ADOM database? FortiAnalyzer migrates analytics logs to the new ADOM. FortiAnalyzer removes analytics logs from the old ADOM. FortiAnalyzer resets the disk quota of the new ADOM to default. FortiAnalyzer migrates archive logs to the new ADOM.
What are analytics logs on FortiAnalyzer? Logs that are indexed and stored in the SQL Raw logs that are compressed and saved to a log file Logs that roll over when the log file reaches a specific size Log type Traffic logs.
Which two statements are true regarding Initial Logs Sync and Log Data Sync for HA on FortiAnalyzer? (Choose two) By default, Log Data Sync is disabled on all backup devices With Initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup When Log Data Sync is turned on, the backup device will reboot and then rebuild the log database with the synchronized logs Log Data Sync provides real-time log synchronization to all backup devices.
Refer to the exhibit. What is the purpose of using the Chart Builder feature on FortiAnalyzer? This feature allows you to build a chart under FortiView In Log View this feature allows you to build a chart automatically based on the top 100 log entries In Log View this feature allows you to build a dataset and chart automatically, based on the filtered search results You can add charts directly to generated reports using this feature.
What is the purpose of a dataset query in FortiAnalyzer? It injects log data into the database It retrieves log data from the database It sorts log data into tables It extracts the database schema.
Refer to the exhibit. The exhibit shows "remoteservergroup" is an authentication server group with LDAP and RADIUS servers. Which two statements express the significance of enabling Match all users on remote server when configuring a new administrator? (Choose two.) Administrators can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS It allows administrators to use two-factor authentication It creates a wildcard administrator using LDAP and RADIUS servers User remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at any time.
What two things should an administrator do to view Compromised Hosts on FortiAnalyzer? (Choose two) Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up-to-date Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device Make sure all endpoints are reachable by FortiAnalyzer Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
Which two statements express the advantages of grouping similar reports? (Choose two) Reduce the number of hcache tables and improve auto-hcache completion time Conserve disk space on FortiAnalyzer by grouping multiple similar reports Provides a better summary of reports Improve report completion time.
Refer to the exhibit. Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two) Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets Report size will be optimized to conserve disk space on FortiAnalyzer Reports will be cached in the memory This feature is automatically enabled for scheduled reports.
What is Log Insert Lag Time on FortiAnalyzer? The number of times in the logs where end users experienced slowness while accessing resources The amount of lag time that occurs when the administrator is rebuilding the ADOM database The amount of time that passes between the time a log was received and when it was indexed on FortiAnalyzer The amount of time FortiAnalyzer takes to receive logs from a registered device.
Which two statements are true regarding fabric connectors? (Choose two) Configuring fabric connectors to send notifications to ITSM platforms upon incident creation is more efficient than third-party polling information from the FortiAnalyzer API Fabric connectors allow you to save storage costs and improve redundancy Storage connector service does not require a separate license to send logs to cloud platform A and B Cloud-out connectors allow you to send real-time logs to public cloud accounts like Amazon S3, Azure Blob, and Google Cloud.
Which statement is true regarding Macros on FortiAnalyzer? Macros are useful in generating Excel log files automatically based on the report settings Macros are predefined templates for reports and cannot be customized Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM Macros are supported only on the FortiGate ADOM.
What does the disk status Degraded mean for RAID management? The FortiAnalyzer device is writing data to a newly added hard drive in order to restore the hard drive to an optimal state The hard drive is no longer being used by the RAID controller One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system The FortiAnalyzer device is writing to all the hard drives on the device in order to make the array fault tolerant.
An administrator has moved FortiGate A from the root ADOM to ADOM1. Which two statements are true regarding logs? Archived logs will be moved to ADOM1 from the root ADOM automatically Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database Logs will be present in both ADOMs immediately after the move Analytics logs will be moved to ADOM1 from the root ADOM automatically.
Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two) Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time In aggregation mode, you can forward logs to syslog and CEF servers as well Both modes, forwarding and aggregation, support encryption of logs between devices Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.
Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two) Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end Log fetching allows the administrator to run query and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.
An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send alert emails. What could be the problem? fortinet is assigned the Standard_User administrative profile ADOM mode is configured with Advanced mode fortinet is assigned the Restricted_User administrative profile A trusted host is configured.
Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two) FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.
Which daemon is responsible for enforcing raw log file size? sqlplugind oftpd logfiled miglogd.
A rogue administrator was accessing FortiAnalyzer without permission and you are tasked to see what activity was performed. What can you do on FortiAnalyzer to accomplish this? Click Task Monitor and view the tasks performed by that administrator View the tasks performed by the rogue administrator in Fabric View Click FortiView and generate a report for that administrator Click Log View and generate a report for that administrator.
Which two methods are the most common methods to control and restrict administrative access on FortiAnalyzer? (Choose two) Security Fabric Administrative access profiles Trusted hosts Virtual domains.
An administrator has configured the following settings: config system global set log-checksum md5-auth end What is the significance of executing this command? This command encrypts log transfer between FortiAnalyzer and other devices This command records passwords in log files and encrypts them This command records the log file MD5 hash value and authentication code This command records the log file MD5 hash value.
An administrator has moved FortiGate A from the root ADOM to ADOM1. However, the administrator is not able to generate reports. What should the administrator do to solve this issue? Use the execute sql-local rebuild-db command to rebuild all ADOM databases Use the execute sql-local rebuild-adom root command to rebuild the ADOM database Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database Use the execute sql-report run ADOM1 command to run a report.
An administrator has configured the following settings: config system fortiview settings set resolve-ip enable end What is the significance of executing this command? It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer Use this command only if the source IP addresses are not resolved on FortiGate You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer.
The admin administrator is failing to register a FortiClient EMS on the FortiAnalyzer device. What can be the reason for this failure? ADOMs are not enabled on FortiAnalyzer ADOM mode should be set to advanced in order to register the FortiClient EMS device FortiAnalyzer is in an HA cluster A separate license is required on FortiAnalyzer in order to register the FortiClient EMS device.
In Log View you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use for FortiView? Export to Custom Chart Export to Report Chart Export to PDF Export to Chart Builder.
What are offline logs on FortiAnalyzer? Compressed logs which are also known as archive logs are considered to be offline logs When you restart FortiAnalyzer all stored logs are considered to be offline logs Logs that are collected from offline devices after they boot up Logs that are indexed and stored in the SQL database.
Which two statements are true regarding ADOM modes? (Choose two) In an advanced mode ADOM you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs You can only change ADOM modes through CLI In normal mode the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode the disk quota of the ADOM is flexible because new devices are added to the ADOM Normal mode is the default ADOM mode.
Which clause is considered mandatory in SELECT statements used by the FortiAnalyzer to generate reports? FROM ORDER BY LIMIT WHERE.
If a hard disk on FortiAnalyzer that supports hardware RAID fails, what can be done on FortiAnalyzer? Shut down FortiAnalyzer and replace the disk. Run execute format disk to format and restart the FortiAnalyzer device. No need to do anything because the disk will self-recover. Hot swap the disk.
Which two methods are the most common methods to control and restrict administrative access on FortiAnalyzer? (Choose two.) Virtual domains Administrative access profiles Trusted hosts Security Fabric.
Which daemon is responsible for enforcing raw log file size? logfiled oftpd sqlplugind miglogd.
You are using RAID with a FortiAnalyzer that supports software RAID, and one of the hard disks on FortiAnalyzer has failed. What is the recommended method to replace the disk? Downgrade your RAID level, replace the disk, and then upgrade your RAID level. Perform a hot swap. Clear all RAID alarms and replace the disk while FortiAnalyzer is still running. Shut down FortiAnalyzer and then replace the disk.
What is the purpose of a predefined template on the FortiAnalyzer? It specifies the report layout which contains predefined texts, charts, and macros It specifies report settings which contains time period, device selection, and schedule It contains predefined data to generate mock reports It can be edited and modified as required.
An administrator has configured the following settings: config system global set log-checksum md5-auth end What is the significance of executing this command? This command records the log file MD5 hash value. This command records passwords in log files and encrypts them. This command encrypts log transfer between FortiAnalyzer and other devices. This command records the log file MD5 hash value and authentication code.
Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two.) SNMP IM SMS Email.
What are offline logs on FortiAnalyzer? Compressed logs, which are also known as archive logs, are considered to be offline logs. When you restart FortiAnalyzer, all stored logs are considered to be offline logs. Logs that are indexed and stored in the SQL database. Logs that are collected from offline devices after they boot up.
Refer to the exhibit. What does the data point at 14:35 tell you? FortiAnalyzer has temporary stopped receiving logs so older logs can be indexed. FortiAnalyzer is indexing logs faster than logs are being received. The fortilogd daemon is ahead in indexing by one log. FortiAnalyzer is dropping logs.
Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.) A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.
An administrator has configured the following settings: config system fortiview settings set resolve-ip enable end What is the significance of executing this command? Use this command only if the source IP addresses are not resolved on FortiGate. It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer. You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer. It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.
Which two statements are true regarding ADOM modes? (Choose two.) You can only change ADOM modes through CLI. In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible because new devices are added to the ADOM. In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs. Normal mode is the default ADOM mode.
Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two.) In aggregation mode, you can forward logs to syslog and CEF servers as well. Forwarding mode forwards logs in real time only to other FortiAnalyzer devices. Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time. Both modes, forwarding and aggregation, support encryption of logs between devices.
An administrator has moved FortiGate A from the root ADOM to ADOM1. However, the administrator is not able to generate reports for FortiGate A in ADOM1. What should the administrator do to solve this issue? Use the execute sql-local rebuild-db command to rebuild all ADOM databases. Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database. Use the execute sql-report run ADOM1 command to run a report. Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.
When you perform a system backup, what does the backup configuration contain? (Choose two.) Device list System information Generated reports Authorized devices logs.
Which statement is true regarding Macros on FortiAnalyzer? Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM. Macros are supported only on the FortiGate ADOM. Macros are useful in generating excel log files automatically based on the reports settings. Macros are predefined templates for reports and cannot be customized.
Which two of the following must you configure on FortiAnalyzer to email a FortiAnalyzer report externally? (Choose two.) Output profile Report scheduling Mail server SFTP server.
Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.) When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format. Collector mode is the default operating mode. When in collector mode, FortiAnalyzer supports event management and reporting features. By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting.
What the purpose of a dataset query in FortiAnalyzer? It injects log data into the database It retrieves log data from the database It sorts log data into tables It extracts the database schema.
Refer to the exhibit. The exhibit shows 'remoteservergroup' is an authentication server group with LDAP and RADIUS servers. Which two statements express the significance of enabling 'Match all users on remote server' when configuring a new administrator? (Choose two.) It creates a wildcard administrator using LDAP and RADIUS servers. Administrators can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS. User remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at any time. It allows administrators to use two-factor authentication.
A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer. What can you do on FortiAnalyzer to accomplish this? Click FortiView and generate a report for that administrator. Click Task Monitor and view the tasks performed by that administrator. Click Log View and generate a report for that administrator. View the tasks performed by the rogue administrator in Fabric View.
The admin administrator is failing to register a FortiClient EMS on the FortiAnalyzer device. What can be the reason for this failure? FortiAnalyzer is in an HA cluster. ADOM mode should be set to advanced, in order to register the FortiClient EMS device. ADOMs are not enabled on FortiAnalyzer. A separate license is required on FortiAnalyzer in order to register the FortiClient EMS device.
Refer to the exhibit. Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.) Report size will be optimized to conserve disk space on FortiAnalyzer. Reports will be cached in the memory. This feature is automatically enabled for scheduled reports. Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.
Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two.) FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster. FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings. All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector. FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.
An administrator has moved FortiGate A from the root ADOM to ADOM1. Which two statements are true regarding logs? (Choose two.) Analytics logs will be moved to ADOM1 from the root ADOM automatically. Archived logs will be moved to ADOM1 from the root ADOM automatically. Logs will be presented in both ADOMs immediately after the move. Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.
What two things should an administrator do to view Compromised Hosts on FortiAnalyzer? (Choose two.) Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer. Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up-to-date. Make sure all endpoints are reachable by FortiAnalyzer.
How are logs forwarded when FortiAnalyzer is configured to use aggregation mode? Logs and content files are forwarded as they are received. Logs are forwarded as they are received and content files are uploaded at a scheduled time. Logs are forwarded as they are received. Logs and content files are stored and uploaded at a scheduled time.
In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use for FortiView? Export to Report Chart Export to PDF Export to Chart Builder Export to Custom Chart.
What can you do on FortiAnalyzer to restrict administrative access from specific locations? Configure trusted hosts for that administrator. Enable geo-location services on accessible interface. Configure two-factor authentication with a remote RADIUS server. Configure an ADOM for respective location.
Refer to the exhibit. The exhibit shows 'remoteservergroup' is an authentication server group with LDAP and RADIUS servers. Which two statements express the significance of enabling 'Match all users on remote server' when configuring a new administrator? (Choose two.) It creates a wildcard administrator using LDAP and RADIUS servers. User remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at any time. Administrators can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS. It allows administrators to use two-factor authentication.
Which two constraints can impact the amount of reserved disk space required by FortiAnalyzer? (Choose two.) Total quota RAID level Disk size License type.
What is the purpose of a predefined template on the FortiAnalyzer? It can be edited and modified as required It specifies report settings which contain time period, device selection, and schedule It specifies the report layout which contains predefined texts, charts, and macros It contains predefined data to generate mock reports.
What does the disk status Degraded mean for RAID management? One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system. The FortiAnalyzer device is writing to all the hard drives on the device in order to make the array fault tolerant. The FortiAnalyzer device is writing data to a newly added hard drive in order to restore the hard drive to an optimal state. The hard drive is no longer being used by the RAID controller.
Refer to the exhibit. What does the data point at 14:35 tell you? The fortilogd daemon is ahead in indexing by one log. FortiAnalyzer is dropping logs. FortiAnalyzer is indexing logs faster than logs are being received. FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed. [Exhibit: Insert Rate chart]
When you perform a system backup, what does the backup configuration contain? (Choose two.) System information Generated reports Authorized devices logs Device list.
In the FortiAnalyzer FortiView, source and destination IP addresses from FortiGate devices are not resolving to a hostname. How can you resolve the source and destination IP addresses, without introducing any additional performance impact to FortiAnalyzer? Configure # set resolve-ip enable in the system FortiView settings Resolve IP addresses on a per-ADOM basis to reduce delay on FortiView while IPs resolve Resolve IP addresses on FortiGate Configure local DNS servers on FortiAnalyzer.
For which two purposes would you use the command set log checksum? (Choose two.) To encrypt log communications To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server To prevent log modification or tampering To send an identical set of logs to a second logging server.
After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command? execute sql-local rebuild-adom <new-ADOM-name> To reset the disk quota enforcement to default To populate the new ADOM with analytical logs for the moved device, so you can run reports To migrate the archive logs to the new ADOM.
Which clause is considered mandatory in SELECT statements used by the FortiAnalyzer to generate reports? WHERE LIMIT FROM ORDER BY.
Which statement is true regarding Macros on FortiAnalyzer? Macros are useful in generating Excel log files automatically based on the report settings. Macros are supported only on the FortiGate ADOM. Macros are predefined templates for reports and cannot be customized. Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.
Which two statements express the advantages of grouping similar reports? (Choose two.) Improve report completion time. Conserve disk space on FortiAnalyzer by grouping multiple similar reports. Reduce the number of hcache tables and improve auto-hcache completion time. Provides a better summary of reports.
Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.) Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.
How are logs forwarded when FortiAnalyzer is configured to use aggregation mode? Logs are forwarded as they are received and content files are uploaded at a scheduled time. Logs are forwarded as they are received. Logs and content files are forwarded as they are received. Logs and content files are stored and uploaded at a scheduled time.
What are analytics logs on FortiAnalyzer? Log type Traffic logs. Logs that roll over when the log file reaches a specific size. Logs that are indexed and stored in the SQL. Raw logs that are compressed and saved to a log file.
What is Log Insert Lag Time on FortiAnalyzer? The number of times in the logs where end users experienced slowness while accessing resources. The amount of lag time that occurs when the administrator is rebuilding the ADOM database. The amount of time that passes between the time a log was received and when it was indexed on FortiAnalyzer. The amount of time FortiAnalyzer takes to receive logs from a registered device.
Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two.) In aggregation mode, you can forward logs to syslog and CEF servers as well. Both modes, forwarding and aggregation, support encryption of logs between devices. Forwarding mode forwards logs in real time only to other FortiAnalyzer devices. Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.
For which two SAML roles can the FortiAnalyzer be configured? (Choose two.) Principal Service provider Identity collector Identity provider.
An administrator has moved FortiGate A from the root ADOM to ADOM1. Which two statements are true regarding logs? (Choose two.) Archived logs will be moved to ADOM1 from the root ADOM automatically. Analytics logs will be moved to ADOM1 from the root ADOM automatically. Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database. Logs will be present in both ADOMs immediately after the move.
Refer to the exhibit. Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.) Report size will be optimized to conserve disk space on FortiAnalyzer. Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets. Reports will be cached in the memory. This feature is automatically enabled for scheduled reports.
Refer to the exhibit. What is the purpose of using the Chart Builder feature on FortiAnalyzer? In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results. In Log View, this feature allows you to build a chart automatically based on the top 100 log entries. This feature allows you to build a chart under FortiView. You can add charts directly to generated reports using this feature.
Which daemon is responsible for enforcing raw log file size? miglogd sqlplugind oftpd logfiled.
Which two statements are true regarding Initial Logs Sync and Log Data Sync for HA on FortiAnalyzer? (Choose two.) By default, Log Data Sync is disabled on all backup devices. Log Data Sync provides real-time log synchronization to all backup devices. With Initial Logs Sync when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device. When Log Data Sync is turned on, the backup device will reboot and then rebuild the log database with the synchronized logs.
Which two statements are true regarding fabric connectors? (Choose two.) Configuring fabric connectors to send notifications to ITSM platforms upon incident creation is more efficient than third-party polling information from the FortiAnalyzer API. Fabric connectors allow you to save storage costs and improve redundancy. Storage connector service does not require a separate license to send logs to cloud platform. Cloud-out connectors allow you to send real-time logs to public cloud accounts like Amazon S3, Azure Blob, and Google Cloud.
What is the purpose of a dataset query in FortiAnalyzer? It extracts the database schema It sorts log data into tables It injects log data into the database It retrieves log data from the database.
You are using RAID with a FortiAnalyzer that supports software RAID, and one of the hard disks on FortiAnalyzer has failed. What is the recommended method to replace the disk? Clear all RAID alarms and replace the disk while FortiAnalyzer is still running. Downgrade your RAID level, replace the disk, and then upgrade your RAID level. Perform a hot swap. Shut down FortiAnalyzer and then replace the disk.
An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send alert emails. What could be the problem? fortinet is assigned the Standard_User administrative profile A trusted host is configured ADOM mode is configured with Advanced mode fortinet is assigned the Restricted_User administrative profile.
Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate to FortiAnalyzer with any user account in a single LDAP group? (Choose two.) A local wildcard administrator account A trusted host profile that restricts access to the LDAP group A remote LDAP server An administrator group.
What two things should an administrator do to view Compromised Hosts on FortiAnalyzer? (Choose two.) Make sure all endpoints are reachable by FortiAnalyzer. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up-to-date. Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device. Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
What can you do on FortiAnalyzer to restrict administrative access from specific locations? Enable geo-location services on accessible interface. Configure two-factor authentication with a remote RADIUS server. Configure an ADOM for respective location. Configure trusted hosts for that administrator.
An administrator has moved FortiGate A from the root ADOM to ADOM1. Which two statements are true regarding logs? (Choose two.) Logs will be present in both ADOMs immediately after the move. Analytics logs will be moved to ADOM1 from the root ADOM automatically. Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database. Archived logs will be moved to ADOM1 from the root ADOM automatically.
Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.) When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format. Collector mode is the default operating mode. When in collector mode, FortiAnalyzer supports event management and reporting features. By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting.