Which log type does the FortiAnalyzer indicators of compromise feature use to identify infected hosts?
- A . Antivirus logs
- B . Web filter logs
- C . IPS logs
- D . Application control logs
B
Explanation:
Reference: https://help.fortinet.com/fa/faz50hlp/60/6-0-2/Content/FortiAnalyzer_Admin_Guide/3600_FortiView/0200_Using_FortiView/1200_Compromised_hosts_page.htm?TocPath=FortiView%7CUsing%20FortiView%7C_____6
The admin administrator is failing to register a FortiClient EMS on the FortiAnalyzer device.
What can be the reason for this failure?
- A . FortiAnalyzer is in an HA cluster.
- B . ADOM mode should be set to advanced, in order to register the FortiClient EMS device.
- C . ADOMs are not enabled on FortiAnalyzer.
- D . A separate license is required on FortiAnalyzer in order to register the FortiClient EMS device.
C
Explanation:
Reference: https://help.fortinet.com/fa/faz50hlp/56/5-6-2/FMG-FAZ/0800_ADOMs/0015_FortiClient%20and%20ADOMs.htm
Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.)
- A . When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
- B . Collector mode is the default operating mode.
- C . When in collector mode, FortiAnalyzer supports event management and reporting features.
- D . By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting.
A,D
Explanation:
Reference:
https://docs.fortinet.com/document/fortianalyzer/7.0.0/administration-guide/227478/collector-mode
https://docs.fortinet.com/document/fortianalyzer/7.0.0/administration-guide/312644/analyzer-collector-collaboration
Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate to FortiAnalyzer with any user account in a single LDAP group? (Choose two.)
- A . A local wildcard administrator account
- B . A remote LDAP server
- C . A trusted host profile that restricts access to the LDAP group
- D . An administrator group
A,B
Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38567
If you upgrade the FortiAnalyzer firmware, which report element can be affected?
- A . Custom datasets
- B . Report scheduling
- C . Report settings
- D . Output profiles
A
Explanation:
https://docs.fortinet.com/document/fortianalyzer/6.2.5/upgrade-guide/669300/checking-reports
If you upgrade your FortiAnalyzer firmware, what report elements can be affected?
- A . Output profiles
- B . Report settings
- C . Report scheduling
- D . Custom datasets
What must you configure on FortiAnalyzer to upload a FortiAnalyzer report to a supported external server? (Choose two.)
- A . SFTP, FTP, or SCP server
- B . Mail server
- C . Output profile
- D . Report scheduling
B,C
Explanation:
https://docs.fortinet.com/document/fortianalyzer/6.0.2/administration-guide/598322/creating-output-profiles
Which two statements express the advantages of grouping similar reports? (Choose two.)
- A . Improve report completion time.
- B . Conserve disk space on FortiAnalyzer by grouping multiple similar reports.
- C . Reduce the number of hcache tables and improve auto-hcache completion time.
- D . Provides a better summary of reports.
What purposes does the auto-cache setting on reports serve? (Choose two.)
- A . To reduce report generation time
- B . To automatically update the hcache when new logs arrive
- C . To reduce the log insert lag rate
- D . To provide diagnostics on report generation time
A,B
Explanation:
Reference: https://docs.fortinet.com/document/fortianalyzer/6.0.0/administration-guide/282280/enabling-autocache
What are analytics logs on FortiAnalyzer?
- A . Log type Traffic logs.
- B . Logs that roll over when the log file reaches a specific size.
- C . Logs that are indexed and stored in the SQL.
- D . Raw logs that are compressed and saved to a log file.
Which two statements are true regarding fabric connectors? (Choose two.)
- A . Configuring fabric connectors to send notifications to an ITSM platform upon incident creation is more efficient than third-party information from the FortiAnalyzer API.
- B . Fabric connectors allow you to save storage costs and improve redundancy.
- C . The storage connector service does not require a separate license to send logs to a cloud platform.
- D . Cloud-Out connections allow you to send real-time logs to public cloud accounts like Amazon S3, Azure Blob, and Google Cloud.
What are two of the key features of FortiAnalyzer? (Choose two.)
- A . Centralized log repository
- B . Cloud-based management
- C . Reports
- D . Virtual domains (VDOMs)
What is the purpose of employing RAID with FortiAnalyzer?
- A . To introduce redundancy to your log data
- B . To provide data separation between ADOMs
- C . To separate analytical and archive data
- D . To back up your logs
A
Explanation:
https://en.wikipedia.org/wiki/RAID#:~:text=RAID%20(%22Redundant%20Array%20of%20Inexpensive,%2C%20performance%20improvement%2C%20or%20both.
An administrator has moved FortiGate A from the root ADOM to ADOM1. However, the administrator is not able to generate reports for FortiGate A in ADOM1.
What should the administrator do to solve this issue?
- A . Use the execute sql-local rebuild-db command to rebuild all ADOM databases.
- B . Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.
- C . Use the execute sql-report run ADOM1 command to run a report.
- D . Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.
B
Explanation:
Reference: https://help.fortinet.com/fmgr/cli/5-6-1/FortiManager_CLI_Reference/700_execute/sql-local+.htm
If the primary FortiAnalyzer in an HA cluster fails, how is the new primary elected?
- A . The configured IP address is checked first.
- B . The active port number is checked first.
- C . The firmware version is checked first.
- D . The configured priority is checked first.
Which statements are correct regarding FortiAnalyzer reports? (Choose two)
- A . FortiAnalyzer provides the ability to create custom reports.
- B . FortiAnalyzer allows you to schedule reports to run.
- C . FortiAnalyzer includes pre-defined reports only.
- D . FortiAnalyzer allows reporting for FortiGate devices only.
Refer to the exhibit.
Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.)
- A . Report size will be optimized to conserve disk space on FortiAnalyzer.
- B . Reports will be cached in the memory.
- C . This feature is automatically enabled for scheduled reports.
- D . Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.
C,D
Explanation:
Reference: https://help.fortinet.com/fa/faz50hlp/56/5-6-2/FMG-FAZ/2300_Reports/0025_Auto-cache.htm
Refer to the exhibits.
How many events will be added to the incident created after running this playbook?
- A . Ten events will be added.
- B . No events will be added.
- C . Five events will be added.
- D . Thirteen events will be added.
Which statements are true regarding securing communications between FortiAnalyzer and FortiGate with IPsec? (Choose two.)
- A . Must configure the FortiAnalyzer end of the tunnel only; the FortiGate end is auto-negotiated.
- B . Must establish an IPsec tunnel ID and pre-shared key.
- C . IPsec cannot be enabled if SSL is enabled as well.
- D . IPsec is only enabled through the CLI on FortiAnalyzer.
What statements are true regarding disk log quota? (Choose two)
- A . The FortiAnalyzer stops logging once the disk log quota is met.
- B . The FortiAnalyzer automatically sets the disk log quota based on the device.
- C . The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.
- D . The FortiAnalyzer disk log quota is configurable, but has a minimum of 100 MB and a maximum based on the reserved system space.
What is the purpose of a dataset query in FortiAnalyzer?
- A . It sorts log data into tables
- B . It extracts the database schema
- C . It retrieves log data from the database
- D . It injects log data into the database
C
Explanation:
Reference: https://docs2.fortinet.com/document/fortianalyzer/6.0.4/administration-guide/148744/creating-datasets
Refer to the exhibit.
What is the purpose of using the Chart Builder feature on FortiAnalyzer?
- A . In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.
- B . In Log View, this feature allows you to build a chart and chart automatically, on the top 100 log entries.
- C . This feature allows you to build a chart under FortiView.
- D . You can add charts to generated reports using this feature.
Which daemon is responsible for enforcing raw log file size?
- A . logfiled
- B . oftpd
- C . sqlplugind
- D . miglogd
Logs are being deleted from one of the ADOMs earlier than the configured setting for archiving in the datapolicy.
What is the most likely problem?
- A . CPU resources are too high
- B . Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device
- C . The total disk space is insufficient and you need to add other disk
- D . The ADOM disk quota is set too low, based on log rates
D
Explanation:
Reference: https://help.fortinet.com/fmgr/50hlp/56/5-6-1/FMG-FAZ/1100_Storage/0017_Deleted%20device%20logs.htm
Why should you use an NTP server on FortiAnalyzer and all registered devices that log into FortiAnalyzer?
- A . To properly correlate logs
- B . To use real-time forwarding
- C . To resolve host names
- D . To improve DNS response times
After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command?
execute sql-local rebuild-adom <new-ADOM-name>
- A . To reset the disk quota enforcement to default
- B . To remove the analytics logs of the device from the old database
- C . To migrate the archive logs to the new ADOM
- D . To populate the new ADOM with analytical logs for the moved device, so you can run reports
In order for FortiAnalyzer to collect logs from a FortiGate device, what configuration is required? (Choose two.)
- A . Remote logging must be enabled on FortiGate
- B . Log encryption must be enabled
- C . ADOMs must be enabled
- D . FortiGate must be registered with FortiAnalyzer
A,D
Explanation:
Pg 70: “after you add and register a FortiGate device with the FortiAnalyzer unit, you must also ensure that the FortiGate device is configured to send logs to the FortiAnalyzer unit.”
https://docs.fortinet.com/uploaded/files/4614/FortiAnalyzer-5.4.6-Administration%20Guide.pdf
Pg 45: “ADOMs must be enabled to support the logging and reporting of NON-FORTIGATE devices, such as FortiCarrier, FortiClientEMS, FortiMail, FortiWeb, FortiCache, and FortiSandbox.”
What can you do on FortiAnalyzer to restrict administrative access from specific locations?
- A . Configure trusted hosts for that administrator.
- B . Enable geo-location services on accessible interface.
- C . Configure two-factor authentication with a remote RADIUS server.
- D . Configure an ADOM for respective location.
A
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
What does the disk status Degraded mean for RAID management?
- A . One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system.
- B . The FortiAnalyzer device is writing to all the hard drives on the device in order to make the array fault tolerant.
- C . The FortiAnalyzer device is writing data to a newly added hard drive in order to restore the hard drive to an optimal state.
- D . The hard drive is no longer being used by the RAID controller.
How can you configure FortiAnalyzer to permit administrator logins from only specific locations?
- A . Use static routes
- B . Use administrative profiles
- C . Use trusted hosts
- D . Use secure protocols
C
Explanation:
https://docs.fortinet.com/document/fortianalyzer/6.2.5/administration-guide/186508/trusted-hosts
Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two.)
- A . FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.
- B . FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.
- C . All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.
- D . FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.
B,C
Explanation:
Reference: https://help.fortinet.com/fa/faz50hlp/60/6-0-2/Content/FMG-FAZ/4600_HA/0000_HA.htm?TocPath=High%20Availability%7C_____0
What can the CLI command # diagnose test application oftpd 3 help you to determine?
- A . What devices and IP addresses are connecting to FortiAnalyzer
- B . What logs, if any, are reaching FortiAnalyzer
- C . What ADOMs are enabled and configured
- D . What devices are registered and unregistered
A
Explanation:
https://docs.fortinet.com/document/fortianalyzer/6.2.5/cli-reference/395556/test#test_application
For which two purposes would you use the command set log checksum? (Choose two.)
- A . To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server
- B . To prevent log modification or tampering
- C . To encrypt log communications
- D . To send an identical set of logs to a second logging server
An administrator has configured the following settings:
config system fortiview settings
set resolve-ip enable
end
What is the significance of executing this command?
- A . Use this command only if the source IP addresses are not resolved on FortiGate.
- B . It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer.
- C . You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer.
- D . It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.
D
Explanation:
Reference: https://community.fortinet.com/t5/Fortinet-Forum/Hostnames-in-FortiAnalyzer/m-p/95351?m=156950
You’ve moved a registered logging device out of one ADOM and into a new ADOM.
What happens when you rebuild the new ADOM database?
- A . FortiAnalyzer resets the disk quota of the new ADOM to default.
- B . FortiAnalyzer migrates archive logs to the new ADOM.
- C . FortiAnalyzer migrates analytics logs to the new ADOM.
- D . FortiAnalyzer removes logs from the old ADOM.
C
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40383
An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send email.
What could be the problem?
- A . Fortinet is assigned the Standard_User administrator profile.
- B . A trusted host is configured.
- C . ADOM mode is configured with Advanced mode.
- D . Fortinet is assigned the Restricted_User administrator profile.
In FortiAnalyzer’s FortiView, source and destination IP addresses from FortiGate devices are not resolving to a hostname.
How can you resolve the source and destination IPs without introducing any additional performance impact to FortiAnalyzer?
- A . Configure local DNS servers on FortiAnalyzer
- B . Resolve IPs on FortiGate
- C . Configure # set resolve-ip enable in the system FortiView settings
- D . Resolve IPs on a per-ADOM basis to reduce delay on FortiView while IPs resolve
What is the recommended method of expanding disk space on a FortiAnalyzer VM?
- A . From the VM host manager, add an additional virtual disk and use the #execute lvm extend <disk number> command to expand the storage
- B . From the VM host manager, expand the size of the existing virtual disk
- C . From the VM host manager, expand the size of the existing virtual disk and use the # execute format disk command to reformat the disk
- D . From the VM host manager, add an additional virtual disk and rebuild your RAID array
A
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40848
Refer to the exhibit.
Which image corresponds to the packet capture shown in the exhibit?
A)
B)
C)
D)
- A . Option A
- B . Option B
- C . Option C
- D . Option D
Which clause is considered mandatory in SELECT statements used by the FortiAnalyzer to generate reports?
- A . FROM
- B . LIMIT
- C . WHERE
- D . ORDER BY
A
Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48500