NSE6_FSR-7.3 Fortinet NSE 6 - FortiSOAR 7.3 Administrator Questions and Answers

In FortiSOAR, system-level logs that can be purged include both "Audit logs" and "Executed Playbook logs." These types of logs can be configured to be purged periodically to free up storage space and ensure that unnecessary logs do not impact system performance. The application configuration allows administrators to schedule automatic purges, which can be especially useful in high-activityenvironments where log data accumulates quickly. Purging these logs helps maintain a cleaner and more efficient system​.

To audit and restrict a user’s access within FortiSOAR, particularly in response to unauthorized access reports, it's necessary to review the user’s effective role permissions. This involves checking which roles grant the user access to the System Configuration module and adjusting as needed. Additionally, reviewing the user's team hierarchy ensures that the user’s access aligns with the organization’s policies. Misconfigurations in team relationships can sometimes inadvertently provide elevated access; hence, confirming that the team setup is correct is a critical part of the auditing process​.

When deleting a user account in FortiSOAR, the user ID must be entered into the usersToDelete.txt file. This file is specifically used to list users that are marked for deletion. Once the user IDs are listed in this file, the system can process the deletion of these accounts as part of its user management operations. This method ensures that only specified users are deleted, as referenced in FortiSOAR's administrative controls​.

In a FortiSOAR HA configuration, certain ports must be open for communication between nodes. Port 5432 is required for PostgreSQL database communication, which is essential for data replication between HA nodes. Port 9200 is used by Elasticsearch, which FortiSOAR leverages for indexing and search functions across the nodes. These ports must be accessible between nodes to ensure seamless operation and data consistency within the cluster​.

In FortiSOAR's War Room, users can perform several actions to manage incidents effectively. They can view a graphical representation of records linked to an incident in the Artifacts lab, which helps visualize connections and dependencies. Additionally, the War Room supports tagging investigation results as evidence, allowing for a structured approach to incident documentation. Users can also manage tasks via the Task Manager tab, facilitating task creation, assignment, and tracking within the incident response workflow​.