
Fortinet NSE5_FSM-6.3 Fortinet NSE 5 – FortiSIEM 6.3 Online Training

Question #1

When configuring collectors located in geographically separated sites, what ports must be open on a front end firewall?

  • A . HTTPS, from the collector to the worker upload settings address only
  • B . HTTPS, from the collector to the supervisor and worker upload settings addresses
  • C . HTTPS, from the Internet to the collector
  • D . HTTPS, from the Internet to the collector and from the collector to the FortiSIEM cluster

Correct Answer: B

Explanation:

FortiSIEM Architecture: In FortiSIEM, collectors gather data from various sources and send this data to supervisors and workers within the FortiSIEM architecture.

Communication Requirements: For collectors to effectively send data to the FortiSIEM system, specific communication channels must be open.

Port Usage: The primary port used for secure communication between the collectors and the FortiSIEM infrastructure is HTTPS (port 443).

Network Configuration: When configuring collectors in geographically separated sites, the HTTPS port must be open for the collectors to communicate with both the supervisor and the worker upload settings addresses. This ensures that the collected data can be securely transmitted to the appropriate processing and analysis components.

Reference: FortiSIEM 6.3 Administration Guide, Network Ports section details the necessary ports for communication within the FortiSIEM architecture.

Question #2

An administrator is in the process of renewing a FortiSIEM license.

Which two commands will provide the system ID? (Choose two.)

  • A . phgetHWID
  • B . ./phLicenseTool --support
  • C . phgetUUID
  • D . ./phLicenseTool --show

Correct Answer: AC

Explanation:

License Renewal Process: When renewing a FortiSIEM license, it is essential to provide the system ID, which uniquely identifies the FortiSIEM instance.

Commands to Retrieve System ID:

phgetHWID: This command retrieves the hardware ID of the FortiSIEM appliance.

Usage: Run the command phgetHWID in the CLI to obtain the hardware ID.

phgetUUID: This command retrieves the universally unique identifier (UUID) for the FortiSIEM system.

Usage: Run the command phgetUUID in the CLI to obtain the UUID.

Verification: Both phgetHWID and phgetUUID are valid commands for retrieving the necessary system IDs required for license renewal.

Reference: FortiSIEM 6.3 Administration Guide, Licensing section details the commands and procedures for obtaining system identification information necessary for license renewal.

Question #3

Refer to the exhibit.

Which section contains the settings that determine how many incidents are created?

  • A . Actions
  • B . Group By
  • C . Aggregate
  • D . Filters

Correct Answer: C

Explanation:

Incident Creation in FortiSIEM: Incidents in FortiSIEM are created based on specific patterns and conditions defined within the system.

Group By Function: The "Group By" section in the "Edit SubPattern" window specifies how the data should be grouped for analysis and incident creation.

Impact of Grouping: The way data is grouped affects the number of incidents generated. Each unique combination of the grouped attributes results in a separate incident.

Exhibit Analysis: In the provided exhibit, the "Group By" section lists "Reporting Device," "Reporting IP," and "User." This means incidents will be created for each unique combination of these attributes.

Reference: FortiSIEM 6.3 User Guide, Rule and Pattern Creation section, which details how grouping impacts incident generation.

Question #4

Refer to the exhibit.

What does the pause icon indicate?

  • A . Data collection is paused after the intervals shown for metrics.
  • B . Data collection has not started.
  • C . Data collection execution failed because the device is not reachable.
  • D . Data collection is paused due to an issue, such as a change of password.

Correct Answer: D

Explanation:

Data Collection Status: FortiSIEM displays various icons to indicate the status of data collection for different devices.

Pause Icon: The pause icon specifically indicates that data collection is paused, but this can happen due to several reasons.

Common Cause for Pausing: One common cause for pausing data collection is an issue such as a change of password, which prevents the system from authenticating and collecting data.

Exhibit Analysis: In the provided exhibit, the presence of the pause icon next to the device suggests that data collection has encountered an issue that has caused it to pause.

Reference: FortiSIEM 6.3 User Guide, Device Management and Data Collection Status Icons section, which explains the different icons and their meanings.

Question #5

Refer to the exhibit.

A FortiSIEM administrator wants to group some attributes for a report, but is not able to do so successfully.

As shown in the exhibit, why are some of the fields highlighted in red?

  • A . Unique attributes cannot be grouped.
  • B . The Event Receive Time attribute is not available for logs.
  • C . The attribute COUNT(Matched events) is an invalid expression.
  • D . No RAW Event Log attribute is available for devices.

Correct Answer: A

Explanation:

Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be grouped to summarize and organize the data.

Unique Attributes: Attributes that are unique for each event cannot be grouped because they do not provide a meaningful aggregation or summary.

Red Highlighting Explanation:

The red highlighting in the exhibit indicates attributes that cannot be grouped together due to their unique nature. These unique attributes include Event Receive Time, Reporting IP, Event Type, Raw Event Log, and COUNT (Matched Events).

Attribute Characteristics:

Event Receive Time is unique for each event.

Reporting IP and Event Type can vary greatly, making grouping them impractical in this context.

Raw Event Log represents the unprocessed log data, which is also unique.

COUNT (Matched Events) is a calculated field, not suitable for grouping.

Reference: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping attributes in reports.

Question #6

Refer to the exhibit.

Which value will FortiSIEM use to populate the Event Type field?

  • A . PHL_INFO
  • B . phPerfJob
  • C . PH_DEV_MON_SYS_DISK_UTIL
  • D . diskUtil

Correct Answer: A

Explanation:

Event Type Population: In FortiSIEM, the Event Type field is populated based on specific identifiers within the raw message or event log.

Raw Message Analysis: The exhibit shows a raw message with various components, including PH_DEV_MON_SYS_DISK_UTIL, PHL_INFO, phPerfJob, and diskUtil.

Primary Event Identifier: The PH_DEV_MON_SYS_DISK_UTIL at the beginning of the raw message is the primary identifier for the event type. It categorizes the type of event, in this case, a system disk utilization monitoring event.

Event Type Field: FortiSIEM uses this primary identifier to populate the Event Type field, providing a clear categorization of the event.

Reference: FortiSIEM 6.3 User Guide, Event Processing and Event Types section, details how event types are identified and populated in the system.

Question #7

An administrator defines SMTP as a critical process on a Linux server.

If the SMTP process is stopped, FortiSIEM will generate a critical event with which event type?

  • A . Postfix-Mail-Stop
  • B . PH_DEV_MON_PROC_STOP
  • C . PH_DEV_MON_SMTP_STOP
  • D . Generic_SMTP_Process_Exit

Correct Answer: B

Explanation:

Process Monitoring in FortiSIEM: FortiSIEM can monitor critical processes on managed devices, such as an SMTP process on a Linux server.

Event Generation: When a critical process stops, FortiSIEM generates an event to alert administrators.

Event Types: Specific event types correspond to different monitored conditions. For a stopped process, the event type PH_DEV_MON_PROC_STOP is used.

Reasoning: The name PH_DEV_MON_PROC_STOP (Device Monitoring Process Stop) is a generic event type used by FortiSIEM to indicate that any monitored process, including SMTP, has stopped.

Reference: FortiSIEM 6.3 User Guide, Event Types section, explains the predefined event types and their usage in different monitoring scenarios.

Question #8

Refer to the exhibit.

An administrator is investigating a FortiSIEM license issue.

The procedure is for which offline licensing condition?

  • A . The procedure is for offline license debug.
  • B . The procedure is for offline license registration.
  • C . The procedure is for offline license validation.
  • D . The procedure is for offline license verification.

Correct Answer: B

Explanation:

Offline Licensing in FortiSIEM: FortiSIEM provides mechanisms for offline licensing to accommodate environments without direct internet access.

License Tool Command: The command ./phLicenseTool --collect license_req.dat is used to collect the license information necessary for offline registration.

Procedure Analysis: The exhibit shows the output of this command, which indicates the collection of license information to a file named license_req.dat.

Offline License Registration: This collected data file is then typically uploaded to the FortiSIEM support portal or provided to the FortiSIEM support team for processing and generating a license file.

Reference: FortiSIEM 6.3 Administration Guide, Licensing section, details the procedures for both online and offline license registration, including the use of the phLicenseTool for offline scenarios.

Question #9

Which FortiSIEM feature must you use to produce a report on which FortiGate devices in your environment are running which firmware version?

  • A . Run an analytic search.
  • B . Run a query using the Inventory tab.
  • C . Run a baseline report.
  • D . Run a CMDB report.

Correct Answer: B

Explanation:

Feature Overview: FortiSIEM provides several tools for querying and reporting on device information within an environment.

Inventory Tab: The Inventory tab is specifically designed to display detailed information about devices, including their firmware versions.

Query Functionality: Within the Inventory tab, you can run queries to filter and display devices based on specific attributes, such as the firmware version for FortiGate devices.

Report Generation: By running a query in the Inventory tab, you can produce a report that lists the FortiGate devices and their corresponding firmware versions.

Reference: FortiSIEM 6.3 User Guide, Inventory Management section, explains how to use the Inventory tab to query and report on device attributes.

Question #10

Which statement about global thresholds and per device thresholds is true?

  • A . FortiSIEM uses global and per device thresholds for all performance metrics.
  • B . FortiSIEM uses global thresholds for all performance metrics.
  • C . FortiSIEM uses fixed hardcoded thresholds for all performance metrics.
  • D . FortiSIEM uses global thresholds for all security metrics.

Correct Answer: A

Explanation:

Threshold Management: FortiSIEM uses thresholds to generate alerts and incidents based on performance and security metrics.

Global Thresholds: These are default thresholds applied to all devices and metrics across the system, providing a baseline for alerts.

Per Device Thresholds: These thresholds can be customized for individual devices, allowing for more granular control and tailored monitoring based on specific device characteristics and requirements.

Usage in Performance Metrics: Both global and per device thresholds are used for performance metrics to ensure comprehensive and precise monitoring.

Reference: FortiSIEM 6.3 User Guide, Thresholds and Alerts section, details the application of global and per device thresholds for performance and security metrics.

Question #11

In FortiSIEM enterprise licensing mode, if the link between the collector and the data center FortiSIEM cluster is down, what happens?

  • A . The collector drops incoming events like syslog, but stops performance collection.
  • B . The collector processes stop, and events are dropped.
  • C . The collector continues performance collection of devices, but stops receiving syslog.
  • D . The collector buffers events.

Correct Answer: C

Explanation:

Enterprise Licensing Mode: In FortiSIEM enterprise licensing mode, collectors are deployed in remote sites to gather and forward data to the central FortiSIEM cluster located in the data center.

Collector Functionality: Collectors are responsible for receiving logs, events (e.g., syslog), and performance metrics from devices.

Link Down Scenario: When the link between the collector and the FortiSIEM cluster is down, the collector needs a mechanism to ensure no data is lost during the disconnection.

Event Buffering: The collector buffers the events locally until the connection is restored, ensuring that no incoming events are lost. This buffered data is then forwarded to the FortiSIEM cluster once the link is re-established.

Reference: FortiSIEM 6.3 User Guide, Data Collection and Buffering section, explains the behavior of collectors during network disruptions.

Question #12

Which two FortiSIEM components work together to provide real-time event correlation?

  • A . Supervisor and worker
  • B . Collector and Windows agent
  • C . Worker and collector
  • D . Supervisor and collector

Correct Answer: C

Explanation:

FortiSIEM Architecture: The FortiSIEM architecture includes several components such as Supervisors, Workers, Collectors, and Agents, each playing a distinct role in the SIEM ecosystem.

Real-Time Event Correlation: Real-time event correlation is a critical function that involves analyzing and correlating incoming events to detect patterns indicative of security incidents or operational issues.

Role of Supervisor and Worker:

Supervisor: The Supervisor oversees the entire FortiSIEM system, coordinating the processing and analysis of events.

Worker: Workers are responsible for processing and correlating the events received from Collectors and Agents.

Collaboration for Correlation: Together, the Supervisor and Worker components perform real-time event correlation by distributing the load and ensuring efficient processing of events to identify incidents in real-time.

Reference: FortiSIEM 6.3 User Guide, Event Correlation and Processing section, details how the Supervisor and Worker components collaborate for real-time event correlation.

Question #13

FortiSIEM is deployed in disaster recovery mode.

When disaster strikes, which two tasks must you perform manually to achieve a successful disaster recovery operation? (Choose two.)

  • A . Promote the secondary workers to the primary roles using the phSecworker2priworker command.
  • B . Promote the secondary supervisor to the primary role using the phSecondary2primary command.
  • C . Change the DNS configuration to ensure that users, devices, and collectors log in to the secondary FortiSIEM.
  • D . Change the configuration for shared storage NFS configured for EventDB to the secondary FortiSIEM.

Correct Answer: A, C

Explanation:

Disaster Recovery Mode: FortiSIEM’s disaster recovery (DR) mode ensures that there is a backup system ready to take over in case the primary system fails.

Manual Tasks for DR Operation: In the event of a disaster, certain tasks must be performed manually to ensure a smooth transition to the secondary system.

Promoting the Secondary Supervisor:

Use the command phSecondary2primary to promote the secondary supervisor to the primary role. This command reconfigures the secondary supervisor to take over as the primary supervisor, ensuring continuity in management and coordination.

Changing DNS Configuration:

Update the DNS configuration to direct all users, devices, and collectors to the secondary FortiSIEM instance. This ensures that all components in the environment can communicate with the newly promoted primary supervisor without manual reconfiguration of individual devices.

Reference: FortiSIEM 6.3 Administration Guide, Disaster Recovery section, provides detailed steps on promoting the secondary supervisor and updating DNS configurations during a disaster recovery operation.

Question #14

If the reported packet loss is between 50% and 98%, which status is assigned to the device in the Availability column of the summary dashboard?

  • A . Up status is assigned because of received packets.
  • B . Critical status is assigned because of reduction in number of packets received.
  • C . Degraded status is assigned because of packet loss.
  • D . Down status is assigned because of packet loss.

Correct Answer: B

Explanation:

Device Status in FortiSIEM: FortiSIEM assigns different statuses to devices based on their operational state and performance metrics.

Packet Loss Impact: The reported packet loss percentage directly influences the status assigned to a device. Packet loss between 50% and 98% indicates significant network issues that affect the device’s performance.

Degraded Status: When packet loss is between 50% and 98%, FortiSIEM assigns a "Degraded" status to the device. This status indicates that the device is experiencing substantial packet loss, which impairs its performance but does not render it completely non-functional.

Reasoning: The "Degraded" status helps administrators identify devices with serious performance issues that need attention but are not entirely down.

Reference: FortiSIEM 6.3 User Guide, Device Availability and Status section, explains the criteria for assigning different statuses based on performance metrics such as packet loss.

Question #15

An administrator is configuring FortiSIEM to discover network devices and receive syslog from network devices.

Which statement is correct?

  • A . FortiSIEM uses privileged credentials to log in to devices and make network configuration changes.
  • B . FortiSIEM automatically configures network devices to send syslog using the auto log discovery process.
  • C . FortiSIEM automatically configures network devices to send syslog using the GUI discovery process.
  • D . Syslog configuration must be done manually on devices by the network administrator.

Correct Answer: D

Explanation:

Syslog Configuration in FortiSIEM: For FortiSIEM to receive syslog messages from network devices, those devices need to be properly configured to send syslog data to FortiSIEM.

Manual Configuration Requirement: FortiSIEM does not automatically configure network devices to send syslog messages. Instead, this configuration must be performed manually by the network administrator.

Process Overview: The network administrator must access each device and set up the syslog parameters to direct log data to the FortiSIEM collector’s IP address.

Discovery Process: While FortiSIEM can discover network devices using SNMP, WMI, and other protocols, the configuration of syslog on these devices is beyond its scope and requires manual intervention.

Reference: FortiSIEM 6.3 User Guide, Device Configuration and Syslog Integration sections, which explain the requirements and steps for setting up syslog forwarding on network devices.
