Fortinet FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Exam Practice Test

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

FortiAnalyzer HA active-passive mode can function without VRRP.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode, either analyzer mode or collector mode.

All devices in a FortiAnalyzer HA cluster must have the same available disk space.

sqlplugind

logfiled

miglogd

ofrpd

SQL FROM statement

SQL GET statement

SQL SELECT statement

SQL EXTRACT statement

Used storage

Retention policy

Reserved space

Total system storage

Antivirus logs

Web filter logs

IPS logs

Application control logs

The received rate is almost at its maximum for this device

The sqlplugind daemon is behind in log indexing by two logs

Logs are being dropped

Raw logs are reaching FortiAnalyzer faster than they can be indexed

The number of times in the logs where end users experienced slowness while accessing resources.

The amount of lag time that occurs when the administrator is rebuilding the ADOM database.

The amount of time that passes between the time a log was received and when it was indexed on FortiAnalyzer.

The amount of time FortiAnalyzer takes to receive logs from a registered device

To add a new chart under FortiView to be used in new reports

To build a dataset and chart automatically, based on the filtered search results

To add charts directly to generate reports in the current ADOM

To build a chart automatically based on the top 100 log entries

A local wildcard administrator account

A remote LDAP server

A trusted host profile that restricts access to the LDAP group

An administrator group

FortiAnalyzer HA can function without VRRP. and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.

FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.

The fetch client can retrieve logs from devices that are not added to its local Device Manager

You can use filters to include only logs from a single device.

The fetching profile must include a user with the Super_User profile.

The archive logs retrieved from the server become archive logs in the client.

If devices were registered to FortiAnalyzer before forming a cluster, you can manually add them together.

FortiAnalyzer distinguishes each cluster member by the IP addresses in log message headers.

If the HA primary device becomes unavailable, you must remove it from the HA cluster list on FortiAnalyzer.

The FortiGate HA cluster must be in active-passive mode in order to avoid conflict.

To properly correlate logs

To use real-time forwarding

To resolve host names

To improve DNS response times

First, upgrade the secondary device, and then upgrade the primary device.

Both FortiAnalyzer devices will be upgraded at the same time.

You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades.

You can perform the firmware upgrade using only a console connection.

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & dstip==10.1.1.210 & userl-admin

operation-login & performed_on=="GUI(10.1.1.210)' & user!=admin

It can be used for fast data processing and log correlation

It can be used to facilitate communication between devices in same Security Fabric

It can include all Fortinet devices that are part of the same Security Fabric

It can include only FortiGate devices that are part of the same Security Fabric

The endpoint is marked as Compromised and. optionally, can be put in quarantine.

FortiAnalyzer flags the associated host for further analysis.

A new Infected entry is added for the corresponding endpoint.

The detection engine classifies those logs as Suspicious

Compressed logs, which are also known as archive logs, are considered to be offline logs.

When you restart FortiAnalyzer. all stored logs are considered to be offline logs.

Logs that are indexed and stored in the SQL database.

Logs that are collected from offline devices after they boot up.

To upload logs to an SFTP server

To prevent log modification during backup

To send an identical set of logs to a second logging server

To encrypt log communication between devices

You can export only one playbook at a time.

You can import a playbook even if there is another one with the same name in the destination.

Playbooks can be exported and imported only within the same FortiAnaryzer.

A playbook that was disabled when it was exported, will be disabled when it is imported.

Use static routes

Use administrative profiles

Use trusted hosts

Use secure protocols

Custom datasets

Report scheduling

Report settings

Output profiles

To reset the disk quota enforcement to default

To remove the analytics logs of the device from the old database

To migrate the archive logs to the new ADOM

To populate the new ADOM with analytical logs for the moved device, so you can run reports

Click FortiView and generate a report for that administrator.

Click Task Monitor and view the tasks performed by that administrator.

Click Log View and generate a report for that administrator.

View the tasks performed by the rogue administrator in Fabric View.

The hard drive is no longer being used by the RAID controller.

One or more drives are missing from the FortiAnalyzer unit.

The device is writing data to the disk to restore the volume to an optimal state.

FortiAnalyzer determined that the parity data in the disk is not valid.

FortiAnalyzer1 and FortiAnalyzer3

All devices listed can be members.

FortiAnalyzer1 and FortiAnalyzer2

FortiAnalyzer2 and FortiAnalyzer3

In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible.

You can change ADOM modes only through the CLI.

In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

Normal mode is the default ADOM mode.

Compressed logs, also known as archive logs

Logs that are indexed and stored in the SQL database

Any logs collected from offline devices after they boot up

Real-time logs that are not yet indexed

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To add the MD5 hash value and authentication code

To add a log file checksum

To encrypt log communications

The maximum disk utilization for each device in the ADOM

The maximum disk utilization for the FortiAnalyzer model

The maximum disk utilization for the ADOM type

The maximum disk utilization for all devices in the ADOM

Configuring fabric connectors to send notification to ITSM platform upon incident creation Is more efficient than third-party information from the FortiAnalyzer API.

Fabric connectors allow to save storage costs and improve redundancy.

Storage connector service does not require a separate license to send logs to cloud platform.

Cloud-Out connections allow you to send real-time logs to pubic cloud accounts like Amazon S3, Azure Blob , and Google Cloud.

SMS

Email

SNMP

IM

After joining the cluster, this FortiAnalyzer will forward received logs to its peers.

This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

This FortiAnalyzer is configured to route HA traffic through a gateway.

This FortiAnalyzer will join the existing HA cluster as the secondary.

logfiled

sqlplugind

oftpd

miglogd

Success

Failed

Running

Upstream_failed

Allows you to manage the entire life cycle of a threat or breach.

Its use of the available disk space is capped at 50%.

It requires a licensed FortiSIEM supervisor.

It can be installed as a dedicated VM.

The size of newly generated reports is optimized to conserve disk space.

FortiAnalyzer local cache is used to store generated reports.

When new logs are received, the hard-cache data is updated automatically.

The generation time for reports is decreased.

Set the ADOM mode to Advanced

Assign the ADOMs to the administrator’s account

Configure trusted hosts

Assign the default Super_User administrator profile

A pre-shared key needs to be established on both sides.

The management computer does not have connectivity to the authorization IP address and port combination.

The Security Fabric root is unauthorized and needs to be added as a trusted host.

The fabric authorization settings on FortiAnalyzer are misconfigured.

When in collector mode, FortiAnalyzer offloads the log receiving task to the analyzer.

When in analyzer mode, FortiAnalyzer supports event management and reporting features.

For the collector, you should allocate most of the disk space to analytics logs.

Analyzer mode is the default operating mode.

FortiGate was added to the wrong ADOM type.

This FortiGate model is not fully supported.

FortiGate does not have logging configured correctly.

This FortiGate is part of an HA cluster but it is the secondary device.

By default, Log Data Sync is disabled on all backup devise.

Log Data Sync provides real-time log synchronization to all backup devices.

With initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.

When Logs Data Sync is turned on, the backup device will reboot and then rebuilt the log database with the synchronized logs.

Log upload

Indicators of Compromise

Log forwarding an aggregation mode

Log fetching

The connection between FortiGate and FortiAnalyzer is overloaded.

FortiGate has logs to send, but FortiAnalyzer is unavailable.

FortiGate is configured to send logs in batches.

FortiGate is sending logs again after it performed a reboot.

To reduce report generation time

To automatically update the hcache when new logs arrive

To reduce the log insert lag rate

To provide diagnostics on report generation time

logfiled

oftpd

sqlplugind

miglogd

Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.

Make sure all endpoints are reachable by FortiAnalyzer.

Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device.

Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

You can perform the firmware upgrade using only a console connection.

All FortiAnalyzer devices will be upgraded at the same time.

Enabling uninterruptible-upgrade prevents normal operations from being interrupted during the upgrade.

First, upgrade the secondary devices, and then upgrade the primary device.

CPU resources are too high

Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device

The total disk space is insufficient and you need to add other disk

The ADOM disk quota is set too low, based on log rates

It allows user accounts in the LDAP server to use two-factor authentication.

It creates a wildcard administrator using an LDAP server.

User Remote-Admin from the LDAP server will be able to log in to FortiAnalyzer at any time.

Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP server.

SELECT devid FROM Slog GROOP BY devid WHERE * user' =* USERl'

SELECT devid WHERE 'u3er'='USERl' FROM $ log GROUP BY devid

SELECT devid FROM Slog- WHERE *user' =' USERl' GROUP BY devid

FROM Slog WHERE 'user* =' USERl' SELECT devid GROUP BY devid