NSE5_FAZ-7.2 Fortinet NSE 5 - FortiAnalyzer 7.2 Questions and Answers

You can export only one playbook at a time.

You can import a playbook even if there is another one with the same name in the destination.

Playbooks can be exported and imported only within the same FortiAnaryzer.

A playbook that was disabled when it was exported, will be disabled when it is imported.

Both modes, forwarding and aggregation, support encryption of logs between devices.

In aggregation mode, you can forward logs to syslog and CEF servers as well.

Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.

Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

Configure trusted hosts for that administrator.

Enable geo-location services on accessible interface.

Configure two-factor authentication with a remote RADIUS server.

Configure an ADOM for respective location.

Must configure the FortiAnalyzer end of the tunnel only--the FortiGate end is auto-negotiated.

Must establish an IPsec tunnel ID and pre-shared key.

IPsec cannot be enabled if SSL is enabled as well.

IPsec is only enabled through the CLI on FortiAnalyzer.

Configuring fabric connectors to send notification to ITSM platform upon incident creation Is more efficient than third-party information from the FortiAnalyzer API.

Fabric connectors allow to save storage costs and improve redundancy.

Storage connector service does not require a separate license to send logs to cloud platform.

Cloud-Out connections allow you to send real-time logs to pubic cloud accounts like Amazon S3, Azure Blob , and Google Cloud.

SELECT devid FROM Slog GROOP BY devid WHERE * user' =* USERl'

SELECT devid WHERE 'u3er'='USERl' FROM $ log GROUP BY devid

SELECT devid FROM Slog- WHERE *user' =' USERl' GROUP BY devid

FROM Slog WHERE 'user* =' USERl' SELECT devid GROUP BY devid

Shut down FortiAnalyzer and then replace the disk

Downgrade your RAID level, replace the disk, and then upgrade your RAID level

Clear all RAID alarms and replace the disk while FortiAnalyzer is still running

Perform a hot swap

The performance of FortiAnalyzer is below the baseline.

FortiAnalyzer is using its cache to avoid dropping logs.

The log insert lag time is increasing.

The sqlplugind service is caught up with new logs.

Option A

Option B

Option C

Option D

You enabled auto-cache with extended log filtering.

The logfiled service has not indexed all the expected logs.

The logs were overwritten by the data retention policy.

The time frame selected in the report is wrong.

This FortiAnalyzer will join to the existing HA cluster as the primary.

This FortiAnalyzer is configured to receive logs in its port1.

This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

After joining to the cluster, this FortiAnalyzer will keep an updated log database.

SQL FROM statement

SQL GET statement

SQL SELECT statement

SQL EXTRACT statement

Output profile

Report scheduling

SFTP server

SNMP server

To add a log file checksum

To add the MD’s hash value and authentication code

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To encrypt log communications

By default, Log Data Sync is disabled on all backup devise.

Log Data Sync provides real-time log synchronization to all backup devices.

With initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.

When Logs Data Sync is turned on, the backup device will reboot and then rebuilt the log database with the synchronized logs.

New alerts are received by email.

Outbreak alerts are available on the root ADOM only.

An additional license is required.

It automatically downloads new event handlers and reports.

FortiAnalyzer overwrites the log files.

FortiAnalyzer stops logging.

FortiAnalyzer rolls the active log by renaming the file.

FortiAnalyzer forwards logs to syslog.

The FortiAnalyzer stops logging once the disk log quota is met.

The FortiAnalyzer automatically sets the disk log quota based on the device.

The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.

The FortiAnalyzer disk log quota is configurable, but has a minimum o 100mb a maximum based on the reserved system space.

The fetch client can retrieve logs from devices that are not added to its local Device Manager

You can use filters to include only logs from a single device.

The fetching profile must include a user with the Super_User profile.

The archive logs retrieved from the server become archive logs in the client.

A FortiGate ADOM

The FortiGate serial number

A pre-shared key

Valid FortiAnalyzer credentials

It can be edited and modified as required

It specifies the report layout which contains predefined texts, charts, and macros

It specifies report settings which contains time period, device selection, and schedule

It contains predefined data to generate mock reports

Running

Failed

Upstream_failed

Success

The size of newly generated reports is optimized to conserve disk space.

FortiAnalyzer local cache is used to store generated reports.

When new logs are received, the hard-cache data is updated automatically.

The generation time for reports is decreased.

Antivirus logs

Web filter logs

IPS logs

Application control logs

3.6% of the system storage is already being used.

Some space is reserved for system use, such as storage of compression files, upload files, and temporary report files

The oftpd process has not archived the logs yet

The logfiled process is just estimating the total quota

To add a new chart under FortiView to be used in new reports

To build a dataset and chart automatically, based on the filtered search results

To add charts directly to generate reports in the current ADOM

To build a chart automatically based on the top 100 log entries

Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.

Macros are supported only on the FortiGate ADOM.

Macros are useful in generating excel log files automatically based on the reports settings.

Macros are predefined templates for reports and cannot be customized.

You can only change ADOM modes through CLI.

In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advance mode, the disk quota of the ADOM is flexible because new devices are added to the ADOM.

In an advanced mode ADOM. you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

Normal mode is the default ADOM mode.

One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system.

The FortiAnalyzer device is writing to all the hard drives on the device in order to make the array fault tolerant.

The FortiAnalyzer device is writing data to a newly added hard drive in order to restore the hard drive to an optimal state.

The hard driveiIs no longer being used by the RAID controller

Quota enforcement is acting on analytical data before a report is complete

Logs are rolling before the report is run

CPU resources are too high

Disk utilization for archive logs is set for 15 days

Compressed logs, which are also known as archive logs, are considered to be offline logs.

When you restart FortiAnalyzer. all stored logs are considered to be offline logs.

Logs that are indexed and stored in the SQL database.

Logs that are collected from offline devices after they boot up.

It sorts log data into tables

It extracts the database schema

It retrieves log data from the database

It injects log data into the database

The security risk was blocked or dropped.

The security event risk is considered open.

An incident was created from this event.

The risk source is isolated.

Network analysis

Graphical reporting

Content archiving / data mining

Vulnerability assessment

Security log analysis / forensics

To upload logs to an SFTP server

To prevent log modification during backup

To send an identical set of logs to a second logging server

To encrypt log communication between devices

Centralized log repository

Cloud-based management

Reports

Virtual domains (VDOMs)

Standalone

Manager

Analyzer

Collector

Notifications can be sent only when an incident is created or deleted.

You must configure an output profile to send notifications by email.

Each incident can send notifications to a single external platform.

Each connector used can have different notification settings.