Fortinet FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Exam Practice Test

Use the execute sql-local rebuild-db command to rebuild all ADOM databases.

Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.

Use the execute sql-report run ADOM1 command to run a report.

Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.

A FortiGate ADOM

The FortiGate serial number

A pre-shared key

Valid FortiAnalyzer credentials

SQL FROM statement

SQL GET statement

SQL SELECT statement

SQL EXTRACT statement

To add a new chart under FortiView to be used in new reports

To build a dataset and chart automatically, based on the filtered search results

To add charts directly to generate reports in the current ADOM

To build a chart automatically based on the top 100 log entries

FortiAnalyzer overwrites the log files.

FortiAnalyzer stops logging.

FortiAnalyzer rolls the active log by renaming the file.

FortiAnalyzer forwards logs to syslog.

FortiAnalyzer is ensuring that the parity data of a redundant drive is valid

FortiAnalyzer is writing data to a newly added hard drive to restore it to an optimal state

FortiAnalyzer is writing to all of its hard drives to make the array fault tolerant

FortiAnalyzer is functioning normally

ADOMs are enabled by default.

ADOMs constrain other administrator’s access privileges to a subset of devices in the device list.

Once enabled, the Device Manager, FortiView, Event Management, and Reports tab display per ADOM.

All administrators can create ADOMs--not just the admin administrator.

Log type Traffic logs.

Logs that roll over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL.

Raw logs that are compressed and saved to a log file.

First, upgrade the secondary device, and then upgrade the primary device.

Both FortiAnalyzer devices will be upgraded at the same time.

You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades.

You can perform the firmware upgrade using only a console connection.

It sorts log data into tables

It extracts the database schema

It retrieves log data from the database

It injects log data into the database

Virtual domains

Administrative access profiles

Trusted hosts

Security Fabric

Both modes, forwarding and aggregation, support encryption of logs between devices.

In aggregation mode, you can forward logs to syslog and CEF servers as well.

Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.

Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

They allow FortiAnalyzer to send logs in real-time to public cloud accounts.

You do not need an additional license to send logs to the cloud platform.

Fabric connectors allow you to improve redundancy.

Using fabric connectors is more efficient than using third-party polling with API.

Hot swap the disk

Replace the disk and rebuild the RAID manually

Take no action if the RAID level supports a failed disk

Shut down FortiAnalyzer and replace the disk

Both modes, forwarding and aggregation send logs as soon as they are received.

Aggregation mode requires two FortiAnalyzer devices.

Forwarding mode forwards logs to other FortiAnalyzer devices syslog servers, or CEF servers.

Forwarding mode requires configuration on the server side.

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

FortiAnalyzer HA active-passive mode can function without VRRP.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode, either analyzer mode or collector mode.

All devices in a FortiAnalyzer HA cluster must have the same available disk space.

The hard drive is no longer being used by the RAID controller.

One or more drives are missing from the FortiAnalyzer unit.

The device is writing data to the disk to restore the volume to an optimal state.

FortiAnalyzer determined that the parity data in the disk is not valid.

All FortiGates can send logs to FortiAnalyzer using the store and upload option.

Only FortiGate models with hard disks can send logs to FortiAnalyzer using the store and upload option.

Both secure communications methods (SSL and IPsec) allow the store and upload option.

Disk logging is enabled on the FortiGate through the CLI only.

Disk logging is enabled by default on the FortiGate.

To record the hash value and authentication code of log files.

To encrypt log transfer between FortiAnalyzer and other devices.

To create the secure channel used by the OFTP process.

To verify the integrity of the log files received.

To properly correlate logs

To use real-time forwarding

To resolve host names

To improve DNS response times

The performance of FortiAnalyzer is below the baseline.

FortiAnalyzer is using its cache to avoid dropping logs.

The log insert lag time is increasing.

The sqlplugind service is caught up with new logs.

In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible.

You can change ADOM modes only through the CLI.

In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

Normal mode is the default ADOM mode.

FortiAnalyzer resets the disk quota of the new ADOM to default.

FortiAnalyzer migrates archive logs to the new ADOM.

FortiAnalyzer migrates analytics logs to the new ADOM.

FortiAnalyzer removes logs from the old ADOM.

This FortiAnalyzer will join to the existing HA cluster as the primary.

This FortiAnalyzer is configured to receive logs in its port1.

This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

After joining to the cluster, this FortiAnalyzer will keep an updated log database.

The total disk space is insufficient and you need to add other disk.

CPU resources are too high.

The ADOM disk quota is set too low based on log rates.

Logs in that ADOM are being forwarded in real-time to another FortiAnalyzer device.

FortiAnalyzer is in an HA cluster.

ADOM mode should be set to advanced, in order to register the FortiClient EMS device.

ADOMs are not enabled on FortiAnalyzer.

A separate license is required on FortiAnalyzer in order to register the FortiClient EMS device.

Management extensions do not require additional licenses.

Management extensions allow FortiAnalyzer to act as a ForbSIEM supervisor.

Management extensions require a dedicated VM for best performance.

Management extensions may require a minimum number of CPU cores to run.

By attaching it to an event handler alert

By editing the settings of the desired report

From the properties of an existing incident

Saving it in JSON format, and then importing it

A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.

Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.

Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.

Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

operation-login & dstip==10.1.1.210 & user!-admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

Log upload

Indicators of Compromise

Log forwarding an aggregation mode

Log fetching

There is no need to do anything because the disk will self-recover.

Run execute format disk to format and restart the FortiAnalyzer device.

Perform a hot swap of the disk.

Shut down FortiAnalyzer and replace the disk.

FortiGate was added to the wrong ADOM type.

This FortiGate model is not fully supported.

FortiGate does not have logging configured correctly.

This FortiGate is part of an HA cluster but it is the secondary device.

Antivirus logs

Web filter logs

IPS logs

Application control logs

To increase reliability

To expand bandwidth

To maximize resiliency

To improve security

SSL is the default setting.

SSL communications are auto-negotiated between the two devices.

SSL can send logs in real-time only.

SSL encryption levels are globally set on FortiAnalyzer.

FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.

oftpd

miglogd

sqlplugind

logfiled

The traffic destination is another FortiGate in the fabric.

The upstream FortiGate is configured to do NAT

Log redundancy is configured in the fabric.

The downstream device cannot connect to FortiAnalyzer.

A configuration with four disks, each with 2 TB of capacity, provides a total space of 4 TB.

B It combines mirroring striping and distributed parity to provide performance and fault tolerance

A configuration with four disks, each with 2 TB of capacity, provides a total space of 2 TB.

It uses striping to provide performance and fault tolerance.

FROM

LIMIT

WHERE

ORDER BY

SFTP, FTP, or SCP server

Mail server

Output profile

Report scheduling

The security risk was blocked or dropped.

The security event risk is considered open.

An incident was created from this event.

The risk source is isolated.

An administrator with the default standard_User profile can create ADOMs.

Disk quotas can be defined per device inside the ADOM.

FortiAnalyzer creates default ADOMs when ADOMs are enabled.

The ADOM type you create must match the device type you are planning to add.

RAIDO

RAID 5

RAID1

RAID 6+0

RAID 0+0

FortiAnalyzer provides the ability to create custom reports.

FortiAnalyzer glows you to schedule reports to run.

FortiAnalyzer includes pre-defined reports only.

FortiAnalyzer allows reporting for FortiGate devices only.

To reset the disk quota enforcement to default

To remove the analytics logs of the device from the old database

To migrate the archive logs to the new ADOM

To populate the new ADOM with analytical logs for the moved device, so you can run reports

The configured IP address is checked first.

The active port number is checked first.

The firmware version is checked first.

The configured priority is checked first

Output profiles

Report settings

Report scheduling

Custom datasets

To introduce redundancy to your log data

To provide data separation between ADOMs

To separate analytical and archive data

To back up your logs

Use DNS

Use host name resolution

Use real-time forwarding

Use an NTP server

The endpoint is marked as Compromised and. optionally, can be put in quarantine.

FortiAnalyzer flags the associated host for further analysis.

A new Infected entry is added for the corresponding endpoint.

The detection engine classifies those logs as Suspicious

Configure local DNS servers on FortiAnalyzer

Resolve IPs on FortiGate

Configure # set resolve-ip enable in the system FortiView settings

Resolve IPs on a per-ADOM basis to reduce delay on FortiView while IPs resolve

FortiAnalyzer distinguishes different devices by their serial number.

FortiAnalyzer receives logs from d devices in a duster.

FortiAnalyzer receives bgs only from the primary device in the cluster.

FortiAnalyzer only needs to know (he serial number of the primary device in the cluster-it automaticaly discovers the other devices.