FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Questions and Answers

They determine what data is retrieved from the database.

They provide the layout used for reports.

They are used to set the data included in templates.

They define the chart types to be used in reports.

Option A

Option B

Option C

Option D

By attaching it to an event handler alert

By editing the settings of the desired report

From the properties of an existing incident

Saving it in JSON format, and then importing it

Forwarded logs cannot be filtered to match specific criteria.

Logs are forwarded in real-time only.

The client retains a local copy of the logs after forwarding.

You can use aggregation mode only with another FortiAnalyzer.

CPU resources are too high

Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device

The total disk space is insufficient and you need to add other disk

The ADOM disk quota is set too low, based on log rates

Compressed logs, which are also known as archive logs, are considered to be offline logs.

When you restart FortiAnalyzer. all stored logs are considered to be offline logs.

Logs that are indexed and stored in the SQL database.

Logs that are collected from offline devices after they boot up.

Report size will be optimized to conserve disk space on FortiAnalyzer.

Reports will be cached in the memory.

This feature is automatically enabled for scheduled reports.

Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.

Chart Builder

Export to Report Chart

Dataset Library

Custom View

FortiAnalyzer Event Handler

Incoming webhook

FortiOS Event Log

Fabric Connector event

Use static routes

Use administrative profiles

Use trusted hosts

Use secure protocols

You enabled auto-cache with extended log filtering.

The logfiled service has not indexed all the expected logs.

The logs were overwritten by the data retention policy.

The time frame selected in the report is wrong.

It sorts log data into tables

It extracts the database schema

It retrieves log data from the database

It injects log data into the database

Both modes, forwarding and aggregation send logs as soon as they are received.

Aggregation mode requires two FortiAnalyzer devices.

Forwarding mode forwards logs to other FortiAnalyzer devices syslog servers, or CEF servers.

Forwarding mode requires configuration on the server side.

Logs from registered devices

Database snapshot

Report information

System information

New alerts are received by email.

Outbreak alerts are available on the root ADOM only.

An additional license is required.

It automatically downloads new event handlers and reports.

To reset all settings from flash except the current IP addresses and routes.

To erase all device settings and images, databases, and log data from the disk, but preserve the IP and routing info.

To perform a low-level format of the disk overwriting the hard disk with random data.

To reset to factory default settings from flash.

FortiAnalyzer is dropping logs.

FortiAnalyzer is indexing logs faster than logs are being received.

FortiAnalyzer has temporarily stopped receiving logs so older logs’ can be indexed.

The sqlplugind daemon is ahead in indexing by one log.

You can only change ADOM modes through CLI.

In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advance mode, the disk quota of the ADOM is flexible because new devices are added to the ADOM.

In an advanced mode ADOM. you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

Normal mode is the default ADOM mode.

A local wildcard administrator account

A remote LDAP server

A trusted host profile that restricts access to the LDAP group

An administrator group

Serial number

Pre-shared key

Fabric Authorization

Request from the device

In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible.

You can change ADOM modes only through the CLI.

In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

Normal mode is the default ADOM mode.

A fabric ADOM can include all the device types supported by FortiAnalyzer.

When a FortiAnalyzer Fabric is implemented the default ADOM mode is set to advanced.

In normal mode, you cannot change the disk quota of the ADOM after its creation.

You can change the ADOM mode only through the GUI.

License type

Disk size

Total quota

RAID level

SSL is the default setting.

SSL communications are auto-negotiated between the two devices.

SSL can send logs in real-time only.

SSL encryption levels are globally set on FortiAnalyzer.

FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.

It can be used for fast data processing and log correlation

It can be used to facilitate communication between devices in same Security Fabric

It can include all Fortinet devices that are part of the same Security Fabric

It can include only FortiGate devices that are part of the same Security Fabric

Analytics logs will be moved to ADOM1 from the root ADOM automatically.

Archived logs will be moved to ADOM1 from the root ADOM automatically.

Logs will be present in both ADOMs immediately after the move.

Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the database.

Logs that are saved in the active log file with the. log extension.

Logs that are compressed and saved to a log file with the, gz extension.

Logs that are rolled over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL database.

Configure trusted hosts for that administrator.

Enable geo-location services on accessible interface.

Configure two-factor authentication with a remote RADIUS server.

Configure an ADOM for respective location.

They limit which logs are checked for matches by the other filters.

They can filter the logs before they are processed by FortiAnalyzer

They download new filters to be used in event handlers.

They are common filters applied simultaneously to all event handlers.

It is a device whose registration has not yet been accepted in FortiAnalvzer.

It is a device that has not yet been assigned an ADOM.

It is a device that is waiting for you to configure a pre-shared key.

It is a device that FortiAnalvzer does not support.

FortiAnalyzer HA can function without VRRP. and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.

FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.

If devices were registered to FortiAnalyzer before forming a cluster, you can manually add them together.

FortiAnalyzer distinguishes each cluster member by the IP addresses in log message headers.

If the HA primary device becomes unavailable, you must remove it from the HA cluster list on FortiAnalyzer.

The FortiGate HA cluster must be in active-passive mode in order to avoid conflict.

Logs that reached a specific size and were rolled over

Logs that can be used to create reports

Logs that can be viewed using Log Browse

Logs that are saved to disk, compressed, and available in FortiView

Notifications can be sent only when an incident is updated or deleted.

If you use multiple fabric connectors, all connectors must have the same notification settings

Notifications can be sent only by email.

You can send notifications to multiple external platforms

To add a log file checksum

To add the MD’s hash value and authentication code

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To encrypt log communications

Log correlation

Host name resolution

Log collection

Real-time forwarding

To list the current SQL processes running

To check what is the database log insertion status

To display the SOL query connections and hcache status

To view the current hcache size

SELECT devid FROM Slog GROOP BY devid WHERE * user' =* USERl'

SELECT devid WHERE 'u3er'='USERl' FROM $ log GROUP BY devid

SELECT devid FROM Slog- WHERE *user' =' USERl' GROUP BY devid

FROM Slog WHERE 'user* =' USERl' SELECT devid GROUP BY devid

Antivirus logs

Web filter logs

IPS logs

Application control logs

Both modes, forwarding and aggregation, support encryption of logs between devices.

In aggregation mode, you can forward logs to syslog and CEF servers.

Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.

The connection between FortiGate and FortiAnalyzer is overloaded.

FortiGate has logs to send, but FortiAnalyzer is unavailable.

FortiGate is configured to send logs in batches.

FortiGate is sending logs again after it performed a reboot.

Use DNS

Use host name resolution

Use real-time forwarding

Use an NTP server

This password is used if the authentication server becomes unreachable.

This password authenticates FortiAnalyzer aqainst the LDAP server.

This password is set to comply with FortiAnalvzer password policy

This password is required because this is a restricted user.

Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.

Macros are supported only on the FortiGate ADOM.

Macros are useful in generating excel log files automatically based on the reports settings.

Macros are predefined templates for reports and cannot be customized.

The FortiAnalyzer stops logging once the disk log quota is met.

The FortiAnalyzer automatically sets the disk log quota based on the device.

The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.

The FortiAnalyzer disk log quota is configurable, but has a minimum o 100mb a maximum based on the reserved system space.

ADOMs are enabled by default.

ADOMs constrain other administrator’s access privileges to a subset of devices in the device list.

Once enabled, the Device Manager, FortiView, Event Management, and Reports tab display per ADOM.

All administrators can create ADOMs--not just the admin administrator.

After joining the cluster, this FortiAnalyzer will forward received logs to its peers.

This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

This FortiAnalyzer is configured to route HA traffic through a gateway.

This FortiAnalyzer will join the existing HA cluster as the secondary.

A pre-shared key needs to be established on both sides.

The management computer does not have connectivity to the authorization IP address and port combination.

The Security Fabric root is unauthorized and needs to be added as a trusted host.

The fabric authorization settings on FortiAnalyzer are misconfigured.

Used storage

Retention policy

Reserved space

Total system storage

The size of newly generated reports is optimized to conserve disk space.

FortiAnalyzer local cache is used to store generated reports.

When new logs are received, the hard-cache data is updated automatically.

The generation time for reports is decreased.