FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Questions and Answers

Improve report completion time.

Conserve disk space on FortiAnalyzer by grouping multiple similar reports.

Reduce the number of hcache tables and improve auto-hcache completion time.

Provides a better summary of reports.

Report size will be optimized to conserve disk space on FortiAnalyzer.

Reports will be cached in the memory.

This feature is automatically enabled for scheduled reports.

Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.

SELECT devid FROM Slog GROOP BY devid WHERE * user' =* USERl'

SELECT devid WHERE 'u3er'='USERl' FROM $ log GROUP BY devid

SELECT devid FROM Slog- WHERE *user' =' USERl' GROUP BY devid

FROM Slog WHERE 'user* =' USERl' SELECT devid GROUP BY devid

Running

Failed

Upstream_failed

Success

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & dstip==10.1.1.210 & userl-admin

operation-login & performed_on=="GUI(10.1.1.210)' & user!=admin

When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.

Collector mode is the default operating mode.

When in collector mode. FortiAnalyzer supports event management and reporting features.

By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting

Standalone

Manager

Analyzer

Collector

FortiAnalyzer uses log fetching to retrieve the logs when back online

FortiGate uses the miglogd process to cache the logs

The logfiled process stores logs in offline mode

Logs are dropped

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

FortiAnalyzer HA active-passive mode can function without VRRP.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode, either analyzer mode or collector mode.

All devices in a FortiAnalyzer HA cluster must have the same available disk space.

An account that permits access to members of an LDAP group

An account that allows guest access with read-only privileges

An account that requires two-factor authentication

An account that validates against any user account on a FortiAuthenticator

It can be used for fast data processing and log correlation

It can be used to facilitate communication between devices in same Security Fabric

It can include all Fortinet devices that are part of the same Security Fabric

It can include only FortiGate devices that are part of the same Security Fabric

You enabled auto-cache with extended log filtering.

The logfiled service has not indexed all the expected logs.

The logs were overwritten by the data retention policy.

The time frame selected in the report is wrong.

ADOM mode is configured with Advanced mode.

A trusted host is configured.

fortinet is assigned the default Standard_User administrative profile.

fortinet is assigned the default Restricted_User administrative profile.

Success

Failed

Running

Upstream_failed

To increase reliability

To expand bandwidth

To maximize resiliency

To improve security

Configure local DNS servers on FortiAnalyzer

Resolve IPs on FortiGate

Configure # set resolve-ip enable in the system FortiView settings

Resolve IPs on a per-ADOM basis to reduce delay on FortiView while IPs resolve

Analytics logs will be moved to ADOM1 from the root ADOM automatically.

Archived logs will be moved to ADOM1 from the root ADOM automatically.

Logs will be presented in both ADOMs immediately after the move.

Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.

Both modes, forwarding and aggregation, support encryption of logs between devices.

In aggregation mode, you can forward logs to syslog and CEF servers.

Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.

To provide the layout used for reports

To define the chart type to be used

To retrieve data from the database

To set the data included in templates

Fortinet is assigned the Standard_ User administrator profile.

A trusted host is configured.

ADOM mode is configured with Advanced mode.

Fortinet is assigned the Restricted_ User administrator profile.

Set the ADOM mode to Advanced

Assign the ADOMs to the administrator’s account

Configure trusted hosts

Assign the default Super_User administrator profile

FortiAnalyzer provides the ability to create custom reports.

FortiAnalyzer glows you to schedule reports to run.

FortiAnalyzer includes pre-defined reports only.

FortiAnalyzer allows reporting for FortiGate devices only.

FortiAnalyzer needs that time to parse the new playbook.

FortiAnalyzer needs that time to back up the current playbooks.

FortiAnalyzer needs that time to ensure there are no other playbooks running.

FortiAnalyzer needs that time to debug the new playbook.

Network analysis

Graphical reporting

Content archiving / data mining

Vulnerability assessment

Security log analysis / forensics

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To add the MD5 hash value and authentication code

To add a log file checksum

To encrypt log communications

Antivirus logs

Web filter logs

IPS logs

Application control logs

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

This command records the log file MD5 hash value.

This command records passwords in log files and encrypts them.

This command encrypts log transfer between FortiAnalyzer and other devices.

This command records the log file MD5 hash value and authentication code.

The security risk was blocked or dropped.

The security event risk is considered open.

An incident was created from this event.

The risk source is isolated.

A local wildcard administrator account

A remote LDAP server

A trusted host profile that restricts access to the LDAP group

An administrator group

Notifications can be sent only when an incident is updated or deleted.

If you use multiple fabric connectors, all connectors must have the same notification settings

Notifications can be sent only by email.

You can send notifications to multiple external platforms

It automatically updates the hcache when new logs arrive.

It provides diagnostics on report generation time.

It reduces the log insert lag rate.

It reduces report generation time.

To reset the disk quota enforcement to default

To remove the analytics logs of the device from the old database

To migrate the archive logs to the new ADOM

To populate the new ADOM with analytical logs for the moved device, so you can run reports

It allows user accounts in the LDAP server to use two-factor authentication.

It creates a wildcard administrator using an LDAP server.

User Remote-Admin from the LDAP server will be able to log in to FortiAnalyzer at any time.

Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP server.

Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.

Macros are supported only on the FortiGate ADOM.

Macros are useful in generating excel log files automatically based on the reports settings.

Macros are predefined templates for reports and cannot be customized.

Logs must be purged or migrated before you can delete an ADOM.

ADOMs with registered devices cannot be deleted.

Default ADOMs cannot be deleted.

The status of the ADOMs must be unlocked.

It is a device whose registration has not yet been accepted in FortiAnalvzer.

It is a device that has not yet been assigned an ADOM.

It is a device that is waiting for you to configure a pre-shared key.

It is a device that FortiAnalvzer does not support.

The traffic destination is another FortiGate in the fabric.

The upstream FortiGate is configured to do NAT

Log redundancy is configured in the fabric.

The downstream device cannot connect to FortiAnalyzer.

CPU resources are too high

Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device

The total disk space is insufficient and you need to add other disk

The ADOM disk quota is set too low, based on log rates

This password is used if the authentication server becomes unreachable.

This password authenticates FortiAnalyzer aqainst the LDAP server.

This password is set to comply with FortiAnalvzer password policy

This password is required because this is a restricted user.

Allows you to manage the entire life cycle of a threat or breach.

Its use of the available disk space is capped at 50%.

It requires a licensed FortiSIEM supervisor.

It can be installed as a dedicated VM.

To list the current SQL processes running

To check what is the database log insertion status

To display the SOL query connections and hcache status

To view the current hcache size

In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.

In Log View, this feature allows you to build a chart and chart automatically, on the top 100 log entries.

This feature allows you to build a chart under FortiView.

You can add charts to generated reports using this feature.

ADOMs are enabled by default.

ADOMs constrain other administrator’s access privileges to a subset of devices in the device list.

Once enabled, the Device Manager, FortiView, Event Management, and Reports tab display per ADOM.

All administrators can create ADOMs--not just the admin administrator.

It provides network statistics for active connections, including the protocols, IP addresses, and connection states.

It provides the complete routing table, including directly connected routes.

It provides the static DNS table, including the host names and their expiration timers.

It provides NTP server information, including server IPs. stratum, poll time, and latency.

Both modes, forwarding and aggregation, support encryption of logs between devices.

In aggregation mode, you can forward logs to syslog and CEF servers as well.

Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.

Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

FortiAnalyzer is in an HA cluster.

ADOM mode should be set to advanced, in order to register the FortiClient EMS device.

ADOMs are not enabled on FortiAnalyzer.

A separate license is required on FortiAnalyzer in order to register the FortiClient EMS device.

Log correlation

Host name resolution

Log collection

Real-time forwarding