FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Questions and Answers

Centralized log repository

Cloud-based management

Reports

Virtual domains (VDOMs)

Option A

Option B

Option C

Option D

The log file is stored as a raw log and is available for analytic support.

The log file rolls over and is archived.

The log file is purged from the database.

The log file is overwritten.

Quota enforcement is acting on analytical data before a report is complete

Logs are rolling before the report is run

CPU resources are too high

Disk utilization for archive logs is set for 15 days

logfiled

oftpd

sqlplugind

miglogd

Logs must be purged or migrated before you can delete an ADOM.

ADOMs with registered devices cannot be deleted.

Default ADOMs cannot be deleted.

The status of the ADOMs must be unlocked.

Set the ADOM mode to Advanced

Assign the ADOMs to the administrator’s account

Configure trusted hosts

Assign the default Super_User administrator profile

A fabric ADOM can include all the device types supported by FortiAnalyzer.

When a FortiAnalyzer Fabric is implemented the default ADOM mode is set to advanced.

In normal mode, you cannot change the disk quota of the ADOM after its creation.

You can change the ADOM mode only through the GUI.

The security risk was blocked or dropped.

The security event risk is considered open.

An incident was created from this event.

The risk source is isolated.

FROM

LIMIT

WHERE

ORDER BY

This password is used if the authentication server becomes unreachable.

This password authenticates FortiAnalyzer aqainst the LDAP server.

This password is set to comply with FortiAnalvzer password policy

This password is required because this is a restricted user.

FortiAnalyzerl and FortiAnalyzer3

FortiAnalyzer1 and FortiAnalyzer2

All devices listed can be members

FortiAnalyzer2 and FortiAnalyzer3

FortiAnalyzer1 and FortiAnalyzer3

All devices listed can be members.

FortiAnalyzer1 and FortiAnalyzer2

FortiAnalyzer2 and FortiAnalyzer3

Output profile

Report scheduling

SFTP server

SNMP server

Analytics logs will be moved to ADOM1 from the root ADOM automatically.

Archived logs will be moved to ADOM1 from the root ADOM automatically.

Logs will be present in both ADOMs immediately after the move.

Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the database.

When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.

Collector mode is the default operating mode.

When in collector mode. FortiAnalyzer supports event management and reporting features.

By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting

Use the execute sql-local rebuild-db command to rebuild all ADOM databases.

Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.

Use the execute sql-report run ADOM1 command to run a report.

Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.

SQL FROM statement

SQL GET statement

SQL SELECT statement

SQL EXTRACT statement

FortiAnalyzer uses log fetching to retrieve the logs when back online

FortiGate uses the miglogd process to cache the logs

The logfiled process stores logs in offline mode

Logs are dropped

Option A

Option B

Option C

Option D

Configure local DNS servers on FortiAnalyzer

Resolve IPs on FortiGate

Configure # set resolve-ip enable in the system FortiView settings

Resolve IPs on a per-ADOM basis to reduce delay on FortiView while IPs resolve

Running

Failed

Upstream_failed

Success

It allows user accounts in the LDAP server to use two-factor authentication.

It creates a wildcard administrator using an LDAP server.

User Remote-Admin from the LDAP server will be able to log in to FortiAnalyzer at any time.

Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP server.

Logs from registered devices

Database snapshot

Report information

System information

Remote logging must be enabled on FortiGate

Log encryption must be enabled

ADOMs must be enabled

FortiGate must be registered with FortiAnalyzer

Both modes, forwarding and aggregation send logs as soon as they are received.

Aggregation mode requires two FortiAnalyzer devices.

Forwarding mode forwards logs to other FortiAnalyzer devices syslog servers, or CEF servers.

Forwarding mode requires configuration on the server side.

The configured IP address is checked first.

The active port number is checked first.

The firmware version is checked first.

The configured priority is checked first

Improve report completion time.

Conserve disk space on FortiAnalyzer by grouping multiple similar reports.

Reduce the number of hcache tables and improve auto-hcache completion time.

Provides a better summary of reports.

The FortiAnalyzer stops logging once the disk log quota is met.

The FortiAnalyzer automatically sets the disk log quota based on the device.

The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.

The FortiAnalyzer disk log quota is configurable, but has a minimum o 100mb a maximum based on the reserved system space.

System information

Logs from registered devices

Report information

Database snapshot

The size of newly generated reports is optimized to conserve disk space.

FortiAnalyzer local cache is used to store generated reports.

When new logs are received, the hard-cache data is updated automatically.

The generation time for reports is decreased.

The endpoint is marked as Compromised and. optionally, can be put in quarantine.

FortiAnalyzer flags the associated host for further analysis.

A new Infected entry is added for the corresponding endpoint.

The detection engine classifies those logs as Suspicious

Fortinet is assigned the Standard_ User administrator profile.

A trusted host is configured.

ADOM mode is configured with Advanced mode.

Fortinet is assigned the Restricted_ User administrator profile.

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

Ten events will be added.

No events will be added.

Five events will be added.

Thirteen events will be added.

You can export only one playbook at a time.

You can import a playbook even if there is another one with the same name in the destination.

Playbooks can be exported and imported only within the same FortiAnaryzer.

A playbook that was disabled when it was exported, will be disabled when it is imported.

FortiAnalyzer resets the disk quota of the new ADOM to default.

FortiAnalyzer migrates archive logs to the new ADOM.

FortiAnalyzer migrates analytics logs to the new ADOM.

FortiAnalyzer removes logs from the old ADOM.

An account that permits access to members of an LDAP group

An account that allows guest access with read-only privileges

An account that requires two-factor authentication

An account that validates against any user account on a FortiAuthenticator

FortiGate was added to the wrong ADOM type.

This FortiGate model is not fully supported.

FortiGate does not have logging configured correctly.

This FortiGate is part of an HA cluster but it is the secondary device.

Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.

Make sure all endpoints are reachable by FortiAnalyzer.

Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device.

Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

Log type Traffic logs.

Logs that roll over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL.

Raw logs that are compressed and saved to a log file.

After joining the cluster, this FortiAnalyzer will forward received logs to its peers.

This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

This FortiAnalyzer is configured to route HA traffic through a gateway.

This FortiAnalyzer will join the existing HA cluster as the secondary.

They determine what data is retrieved from the database.

They provide the layout used for reports.

They are used to set the data included in templates.

They define the chart types to be used in reports.

Custom datasets

Report scheduling

Report settings

Output profiles

In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible.

You can change ADOM modes only through the CLI.

In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

Normal mode is the default ADOM mode.

Report size will be optimized to conserve disk space on FortiAnalyzer.

Reports will be cached in the memory.

This feature is automatically enabled for scheduled reports.

Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.

A local wildcard administrator account

An administrator group

One or more remote LDAP servers

LDAP servers IP addresses added as trusted hosts

This command records the log file MD5 hash value.

This command records passwords in log files and encrypts them.

This command encrypts log transfer between FortiAnalyzer and other devices.

This command records the log file MD5 hash value and authentication code.

Chart Builder

Export to Report Chart

Dataset Library

Custom View

A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.

Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.

Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.

Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.