Which statement about sending notifications with incident updates is true?
- A . Each connector used can have different notification settings.
- B . You must configure an output profile to send notifications by email.
- C . Each incident can send notifications to a single external platform.
- D . Notifications can be sent only when an incident is created or deleted.
What can you do on FortiAnalyzer to restrict administrative access from specific locations?
- A . Configure trusted hosts for that administrator.
- B . Enable geo-location services on the accessible interface.
- C . Configure two-factor authentication with a remote RADIUS server.
- D . Configure an ADOM for respective location.
You’ve moved a registered logging device out of one ADOM and into a new ADOM.
What happens when you rebuild the new ADOM database?
- A . FortiAnalyzer resets the disk quota of the new ADOM to default.
- B . FortiAnalyzer migrates archive logs to the new ADOM.
- C . FortiAnalyzer migrates analytics logs to the new ADOM.
- D . FortiAnalyzer removes logs from the old ADOM.
Which connector type is enabled by default to be used in playbooks?
- A . Fabric
- B . EMS
- C . Local connector
- D . FortiOS
Which FortiAnalyzer feature offers a proactive approach when managing your network security?
- A . FortiView Monitor
- B . Threat hunting
- C . Incidents dashboards
- D . Outbreak alert services
Which two FortiAnalyzer features allow you to build a dataset and a chart automatically, based on a filtered search result? (Choose two.)
- A . Chart Builder
- B . Custom View
- C . Export to Report Chart (FortiView)
- D . Dataset Library
Refer to the exhibit.
What is the purpose of using the Chart Builder feature on FortiAnalyzer?
- A . In Log View, this feature allows you to build a chart and chart automatically, on the top 100 log entries.
- B . In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.
- C . This feature allows you to build a chart under FortiView.
- D . You can add charts to generated reports using this feature.
Refer to the exhibit.
Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.)
- A . Report size will be optimized to conserve disk space on FortiAnalyzer.
- B . Reports will be cached in the memory.
- C . This feature is automatically enabled for scheduled reports.
- D . Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.
Which SQL query is in the correct order to query the database in the FortiAnalyzer?
- A . SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid
- B . FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid
- C . SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
- D . SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'
Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.)
- A . Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.
- B . Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.
- C . A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.
- D . Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.
Which statement about the FortiSIEM management extension is correct?
- A . It requires a licensed FortiSIEM supervisor.
- B . Its use of the available disk space is capped at 50%.
- C . It can be installed as a dedicated VM.
- D . Allows you to manage the entire life cycle of a threat or breach.
View the exhibit.
What does the data point at 14:35 tell you?
- A . FortiAnalyzer is dropping logs.
- B . The sqlplugind daemon is ahead in indexing by one log.
- C . FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed.
- D . FortiAnalyzer is indexing logs faster than logs are being received.
What is the purpose of employing RAID with FortiAnalyzer?
- A . To introduce redundancy to your log data
- B . To provide data separation between ADOMs
- C . To separate analytical and archive data
- D . To back up your logs
What is the main purpose of deploying RAID with FortiAnalyzer?
- A . To back up your logs
- B . To make an identical copy of log data on two separate physical drives
- C . To provide redundancy of your log data
- D . To store data in chunks across multiple drives
In order for FortiAnalyzer to collect logs from a FortiGate device, what configuration is required? (Choose two.)
- A . Remote logging must be enabled on FortiGate
- B . FortiGate must be registered with FortiAnalyzer
- C . Log encryption must be enabled
- D . ADOMs must be enabled
After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command?
execute sql-local rebuild-adom <new-ADOM-name>
- A . To reset the disk quota enforcement to default
- B . To remove the analytics logs of the device from the old database
- C . To migrate the archive logs to the new ADOM
- D . To populate the new ADOM with analytical logs for the moved device, so you can run reports
For proper log correlation between the logging devices and FortiAnalyzer, FortiAnalyzer and all registered devices should:
- A . Use DNS
- B . Use an NTP server
- C . Use real-time forwarding
- D . Use host name resolution
What must you consider when using log fetching? (Choose two.)
- A . The fetch client can retrieve logs from devices that are not added to its local Device Manager.
- B . You can use filters to include only logs from a single device.
- C . The fetching profile must include a user with the Super_User profile.
- D . The archive logs retrieved from the server become archive logs in the client.
What happens when the IOC breach detection engine on FortiAnalyzer finds web logs that match a blocklisted IP address?
- A . The endpoint is marked as Compromised and, optionally, can be put in quarantine.
- B . FortiAnalyzer flags the associated host for further analysis.
- C . A new Infected entry is added for the corresponding endpoint.
- D . The detection engine classifies those logs as Suspicious.
Which two statements are true regarding ADOM modes? (Choose two.)
- A . You can only change ADOM modes through the CLI.
- B . In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible because new devices are added to the ADOM.
- C . In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.
- D . Normal mode is the default ADOM mode.
When performing a log search on a FortiAnalyzer, it is generally recommended to use the Quick Search option.
What is a valid reason for using the Full Search option, instead?
- A . The search items you are looking for are not contained in indexed log fields.
- B . A quick search only searches data received within the last 24 hours.
- C . You want the search to include the FortiAnalyzer’s local logs.
- D . You want the search to include content archive data as well.
What FortiGate process caches logs when FortiAnalyzer is not reachable?
- A . miglogd
- B . oftpd
- C . logfiled
- D . sqlplugind
Which statements are true regarding securing communications between FortiAnalyzer and FortiGate with SSL? (Choose two.)
- A . FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.
- B . SSL encryption levels are globally set on FortiAnalyzer.
- C . SSL can send logs in real-time only.
- D . SSL is the default setting.
- E . SSL communications are auto-negotiated between the two devices.
Refer to the exhibit.
Which statement is correct regarding the event displayed?
- A . An incident was created from this event.
- B . The security risk was blocked or dropped.
- C . The security event risk is considered open.
- D . The risk source is isolated.
When you move a FortiGate device from one ADOM to a new ADOM, what is the purpose of rebuilding the new ADOM database?
- A . To migrate the archive logs to the new ADOM
- B . To reset the disk quota enforcement to default
- C . To remove the device’s analytics logs from the old ADOM
- D . To run reports on the device’s analytics logs in the new ADOM
What is the purpose of the following CLI command?
- A . To encrypt log communications
- B . To add a unique tag to each log to prove that it came from this FortiAnalyzer
- C . To add the MD5 hash value and authentication code
- D . To add a log file checksum
When working with FortiAnalyzer reports, what is the purpose of a dataset?
- A . To set the data included in templates
- B . To retrieve data from the database
- C . To provide the layout used for reports
- D . To define the chart type to be used
Refer to the exhibit.
Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated by any user other than "admin" and coming from Laptop1.
Which filter will achieve the desired result?
- A . operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin
- B . operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin
- C . operation-login & dstip==10.1.1.210 & user!=admin
- D . operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin
What types of logs will FortiAnalyzer store?
- A . Traffic/Event/Security, Data Leak Prevention (DLP) archive, Quarantine, and IPS (Intrusion Protection System) Packets.
- B . Traffic/Event, Data Leak Prevention (DLP) archive, Quarantine, and IPS (Intrusion Protection System) Packets.
- C . Traffic/Event/Security, Data Leak Prevention (DLP) archive, Quarantine.
- D . Data Leak Prevention (DLP) archive, Quarantine, and IPS (Intrusion Protection System) Packets.
Which statements are correct regarding FortiAnalyzer reports? (Choose two.)
- A . FortiAnalyzer provides the ability to create custom reports.
- B . FortiAnalyzer allows you to schedule reports to run.
- C . FortiAnalyzer includes pre-defined reports only.
- D . FortiAnalyzer allows reporting for FortiGate devices only.
What statements are true regarding disk log quota? (Choose two.)
- A . The FortiAnalyzer stops logging once the disk log quota is met.
- B . The FortiAnalyzer automatically sets the disk log quota based on the device.
- C . The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.
- D . The FortiAnalyzer disk log quota is configurable, but has a minimum of 100 MB and a maximum based on the reserved system space.
Which statements are true of Administrative Domains (ADOMs) in FortiAnalyzer? (Choose two.)
- A . ADOMs constrain other administrators' access privileges to a subset of devices in the device list.
- B . ADOMs are enabled by default.
- C . Once enabled, the Device Manager, FortiView, Event Management, and Reports tab display per ADOM.
- D . All administrators can create ADOMs, not just the admin administrator.
For which two purposes would you use the command set log checksum? (Choose two.)
- A . To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server
- B . To prevent log modification or tampering
- C . To encrypt log communications
- D . To send an identical set of logs to a second logging server
How does FortiAnalyzer retrieve specific log data from the database?
- A . SQL FROM statement
- B . SQL GET statement
- C . SQL SELECT statement
- D . SQL EXTRACT statement
Which statement is true when you are upgrading the firmware on an HA cluster made up of two FortiAnalyzer devices?
- A . You can perform the firmware upgrade using only a console connection.
- B . You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades.
- C . Both FortiAnalyzer devices will be upgraded at the same time.
- D . First, upgrade the secondary device, and then upgrade the primary device.
What is the purpose of output variables?
- A . To store playbook execution statistics
- B . To use the output of the previous task as the input of the current task
- C . To display details of the connectors used by a playbook
- D . To save all the task settings when a playbook is exported
What allows one task to use the output of a previous task as its input?
- A . Trigger variables
- B . Output variables
- C . Exported tasks
- D . Trigger variables
Logs are being deleted from one of your ADOMs earlier than the configured setting for archiving in your data policy.
What is the most likely problem?
- A . The ADOM disk quota is set too low based on log rates.
- B . Logs in that ADOM are being forwarded in real-time to another FortiAnalyzer device.
- C . CPU resources are too high.
- D . The total disk space is insufficient and you need to add another disk.
What statements are true regarding FortiAnalyzer's treatment of high availability (HA) clusters? (Choose two.)
- A . FortiAnalyzer distinguishes different devices by their serial number.
- B . FortiAnalyzer only needs to know the serial number of the primary device in the cluster; it automatically discovers the other devices.
- C . FortiAnalyzer receives logs only from the primary device in the cluster.
- D . FortiAnalyzer receives logs from the devices in a cluster.
Which log will generate an event with the status Contained?
- A . An IPS log with action=pass.
- B . A WebFilter log with action=dropped.
- C . An AV log with action=quarantine.
- D . An AppControl log with action=blocked.
What is included in the disk quota for each ADOM on the FortiAnalyzer?
- A . SQL tables and archive files
- B . Raw logs and archive files
- C . Archive logs and analytics logs
- D . Raw logs, archive files, SQL database tables
What are analytics logs on FortiAnalyzer?
- A . Log type Traffic logs.
- B . Logs that roll over when the log file reaches a specific size.
- C . Logs that are indexed and stored in the SQL.
- D . Raw logs that are compressed and saved to a log file.
Consider the CLI command:
What is the purpose of the command?
- A . To add a unique tag to each log to prove that it came from this FortiAnalyzer
- B . To add a log file checksum
- C . To encrypt log communications
- D . To add the MD5 hash value and authentication code
What two things should an administrator do to view Compromised Hosts on FortiAnalyzer? (Choose two.)
- A . Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
- B . Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer.
- C . Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up-to-date.
- D . Make sure all endpoints are reachable by FortiAnalyzer.
What database language does FortiAnalyzer use for logging and reporting?
- A . XQuery
- B . XML
- C . SQL
- D . Java
An administrator has configured the following settings:
config system global
set log-checksum md5-auth
end
What is the significance of executing this command?
- A . This command records the log file MD5 hash value.
- B . This command records passwords in log files and encrypts them.
- C . This command encrypts log transfer between FortiAnalyzer and other devices
- D . This command records the log file MD5 hash value and authentication code.
What is the main purpose of using an NTP server on FortiAnalyzer and all of its registered devices?
- A . Log correlation
- B . Host name resolution
- C . Log collection
- D . Real-time forwarding
You have recently grouped multiple FortiGate devices into a single ADOM. System Settings > Storage Info shows the quota used.
What does the disk quota refer to?
- A . The maximum disk utilization for each device in the ADOM
- B . The maximum disk utilization for the FortiAnalyzer model
- C . The maximum disk utilization for the ADOM type
- D . The maximum disk utilization for all devices in the ADOM
Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two.)
- A . SMS
- B . Email
- C . SNMP
- D . IM
You are using RAID with a FortiAnalyzer that supports software RAID, and one of the hard disks on FortiAnalyzer has failed.
What is the recommended method to replace the disk?
- A . Shut down FortiAnalyzer and then replace the disk
- B . Downgrade your RAID level, replace the disk, and then upgrade your RAID level
- C . Clear all RAID alarms and replace the disk while FortiAnalyzer is still running
- D . Perform a hot swap
Which clause is considered mandatory in SELECT statements used by the FortiAnalyzer to generate reports?
- A . FROM
- B . LIMIT
- C . WHERE
- D . ORDER BY
Which two statements about log forwarding are true? (Choose two.)
- A . Forwarded logs cannot be filtered to match specific criteria.
- B . Logs are forwarded in real-time only.
- C . The client retains a local copy of the logs after forwarding.
- D . You can use aggregation mode only with another FortiAnalyzer.
Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.)
- A . When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
- B . Collector mode is the default operating mode.
- C . When in collector mode, FortiAnalyzer supports event management and reporting features.
- D . By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting.
Which database language does FortiAnalyzer support for the purposes of logging and reporting?
- A . LDAP
- B . SSH
- C . SQL
- D . XML
What are two benefits of using fabric connectors? (Choose two.)
- A . They allow FortiAnalyzer to send logs in real-time to public cloud accounts.
- B . You do not need an additional license to send logs to the cloud platform.
- C . Fabric connectors allow you to improve redundancy.
- D . Using fabric connectors is more efficient than using third-party polling with API.
For which two SAML roles can the FortiAnalyzer be configured? (Choose two.)
- A . Principal
- B . Identity provider
- C . Identity collector
- D . Service provider
Why should you use an NTP server on FortiAnalyzer and all registered devices that log into FortiAnalyzer?
- A . To properly correlate logs
- B . To use real-time forwarding
- C . To resolve host names
- D . To improve DNS response times
Which statement describes a dataset in FortiAnalyzer?
- A . They determine what data is retrieved from the database.
- B . They provide the layout used for reports.
- C . They are used to set the data included in templates.
- D . They define the chart types to be used in reports.
A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer.
What can you do on FortiAnalyzer to accomplish this?
- A . Click Task Monitor and view the tasks performed by that administrator.
- B . Click Fabric View and view the tasks performed by the rogue administrator.
- C . Click Log View and generate a report for that administrator.
- D . Click FortiView and generate a report for that administrator.