FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Questions and Answers

An IPS log with action=pass.

A WebFilter log with action=dropped.

An AV log with action=quarantine.

An AppControl log with action=blocked.

Logs that are saved in the active log file with the. log extension.

Logs that are compressed and saved to a log file with the, gz extension.

Logs that are rolled over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL database.

logfiled

oftpd

sqlplugind

miglogd

FortiAnalyzer overwrites the log files.

FortiAnalyzer stops logging.

FortiAnalyzer rolls the active log by renaming the file.

FortiAnalyzer forwards logs to syslog.

The maximum disk utilization for each device in the ADOM

The maximum disk utilization for the FortiAnalyzer model

The maximum disk utilization for the ADOM type

The maximum disk utilization for all devices in the ADOM

The security risk was blocked or dropped.

The security event risk is considered open.

An incident was created from this event.

The risk source is isolated.

Log upload

Indicators of Compromise

Log forwarding an aggregation mode

Log fetching

The endpoint is marked as Compromised and. optionally, can be put in quarantine.

FortiAnalyzer flags the associated host for further analysis.

A new Infected entry is added for the corresponding endpoint.

The detection engine classifies those logs as Suspicious

To remove the analytics logs of the device from the old database

To populate the new ADOM with analytical logs for the moved device, so you can run reports

To reset the ADOM disk quota enforcement to its default value

To migrate the archive logs to the new ADOM

To provide the layout used for reports

To define the chart type to be used

To retrieve data from the database

To set the data included in templates

Forwarded logs cannot be filtered to match specific criteria.

Logs are forwarded in real-time only.

The client retains a local copy of the logs after forwarding.

You can use aggregation mode only with another FortiAnalyzer.

RAIDO

RAID 5

RAID1

RAID 6+0

RAID 0+0

Log correlation

Host name resolution

Log collection

Real-time forwarding

A configuration with four disks, each with 2 TB of capacity, provides a total space of 4 TB.B It combines mirroring striping and distributed parity to provide performance and fault tolerance

A configuration with four disks, each with 2 TB of capacity, provides a total space of 2 TB.

It uses striping to provide performance and fault tolerance.

A fabric ADOM can include all the device types supported by FortiAnalyzer.

When a FortiAnalyzer Fabric is implemented the default ADOM mode is set to advanced.

In normal mode, you cannot change the disk quota of the ADOM after its creation.

You can change the ADOM mode only through the GUI.

To store playbook execution statistics

To use the output of the previous task as the input of the current task

To display details of the connectors used by a playbook

To save all the task settings when a playbook is exported

New alerts are received by email.

Outbreak alerts are available on the root ADOM only.

An additional license is required.

It automatically downloads new event handlers and reports.

The traffic destination is another FortiGate in the fabric.

The upstream FortiGate is configured to do NAT

Log redundancy is configured in the fabric.

The downstream device cannot connect to FortiAnalyzer.

The connection between FortiGate and FortiAnalyzer is overloaded.

FortiGate has logs to send, but FortiAnalyzer is unavailable.

FortiGate is configured to send logs in batches.

FortiGate is sending logs again after it performed a reboot.

Configure trusted hosts.

Limit access to specific virtual domains.

Fabric connectors to external LDAP servers.

Use administrator profiles.

Centralized log repository

Cloud-based management

Reports

Virtual domains (VDOMs)

FortiAnalyzer distinguishes different devices by their serial number.

FortiAnalyzer receives logs from d devices in a duster.

FortiAnalyzer receives bgs only from the primary device in the cluster.

FortiAnalyzer only needs to know (he serial number of the primary device in the cluster-it automaticaly discovers the other devices.

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

Serial number

Pre-shared key

Fabric Authorization

Request from the device

Incidents dashboards

Threat hunting

FortiView Monitor

Outbreak alert services

Mail server

Output profile

SFTP server

Report scheduling

Click FortiView and generate a report for that administrator.

Click Task Monitor and view the tasks performed by that administrator.

Click Log View and generate a report for that administrator.

View the tasks performed by the rogue administrator in Fabric View.

You can perform the firmware upgrade using only a console connection.

All FortiAnalyzer devices will be upgraded at the same time.

Enabling uninterruptible-upgrade prevents normal operations from being interrupted during the upgrade.

First, upgrade the secondary devices, and then upgrade the primary device.

You enabled auto-cache with extended log filtering.

The logfiled service has not indexed all the expected logs.

The logs were overwritten by the data retention policy.

The time frame selected in the report is wrong.

To encrypt log communications and data

To prevent log modification or tampering

To send an identical set of logs to a second logging server

To protect log data from man-in-the-middle attacks

FortiAnalyzer Event Handler

Incoming webhook

FortiOS Event Log

Fabric Connector event

Export to Report Chart

Export to PDF

Export to Chart Builder

Export to Custom Chart

To add a log file checksum

To add the MD’s hash value and authentication code

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To encrypt log communications

Chart Builder

Export to Report Chart

Dataset Library

Custom View

The received rate is almost at its maximum for this device

The sqlplugind daemon is behind in log indexing by two logs

Logs are being dropped

Raw logs are reaching FortiAnalyzer faster than they can be indexed

It requires a FortiManager configured to manage FortiGate

It requires a dedicated FortiSOAR device or VM.

It does not include a limited trial by default.

It runs as a docker container on FortiAnalyzer

It allows user accounts in the LDAP server to use two-factor authentication.

It creates a wildcard administrator using an LDAP server.

User Remote-Admin from the LDAP server will be able to log in to FortiAnalyzer at any time.

Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP server.

Use the execute sql-local rebuild-db command to rebuild all ADOM databases.

Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.

Use the execute sql-report run ADOM1 command to run a report.

Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.

Running

Failed

Upstream_failed

Success

Use static routes

Use administrative profiles

Use trusted hosts

Use secure protocols

Network analysis

Graphical reporting

Content archiving / data mining

Vulnerability assessment

Security log analysis / forensics

This command records the log file MD5 hash value.

This command records passwords in log files and encrypts them.

This command encrypts log transfer between FortiAnalyzer and other devices.

This command records the log file MD5 hash value and authentication code.

To reset the disk quota enforcement to default

To remove the analytics logs of the device from the old database

To migrate the archive logs to the new ADOM

To populate the new ADOM with analytical logs for the moved device, so you can run reports

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To add the MD5 hash value and authentication code

To add a log file checksum

To encrypt log communications

Use DNS

Use host name resolution

Use real-time forwarding

Use an NTP server

Antivirus logs

Web filter logs

IPS logs

Application control logs

License type

Disk size

Total quota

RAID level

Resolve IP addresses on a per-ADOM basis to reduce delay on FortiView while IPs resolve

Configure # set resolve-ip enable in the system FortiView settings

Configure local DNS servers on FortiAnalyzer

Resolve IP addresses on FortiGate

To properly correlate logs

To use real-time forwarding

To resolve host names

To improve DNS response times

RADIUS

Local

LDAP

PKI

TACACS+

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

FortiAnalyzer HA active-passive mode can function without VRRP.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode, either analyzer mode or collector mode.

All devices in a FortiAnalyzer HA cluster must have the same available disk space.