Fortinet FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Exam Practice Test

The Fabric supervisor collects logs from the Fabric members.

Logging devices can register to the Fabric supervisor or to Fabric members.

Fabric members support HA.

Administrators can create new incidents from the Fabric supervisor.

Used storage

Retention policy

Reserved space

Total system storage

From the VM host manager, add an additional virtual disk and use the #execute lvm extend command to expand the storage

From the VM host manager, expand the size of the existing virtual disk

From the VM host manager, expand the size of the existing virtual disk and use the # execute format disk command to reformat the disk

From the VM host manager, add an additional virtual disk and rebuild your RAID array

A local wildcard administrator account

A remote LDAP server

A trusted host profile that restricts access to the LDAP group

An administrator group

Ten events will be added.

No events will be added.

Five events will be added.

Thirteen events will be added.

FortiGate was added to the wrong ADOM type.

This FortiGate model is not fully supported.

FortiGate does not have logging configured correctly.

This FortiGate is part of an HA cluster but it is the secondary device.

FortiAnalyzer is using the device MAC addresses to differentiate their logs.

The logs belong to devices that are part of a high availability (HA) cluster.

FortiAnalyzer is receiving logs from the root FortiGate of a Security Fabric.

The device sending logs has two VDOMs in the same ADOM.

You can export only one playbook at a time.

You can import a playbook even if there is another one with the same name in the destination.

Playbooks can be exported and imported only within the same FortiAnaryzer.

A playbook that was disabled when it was exported, will be disabled when it is imported.

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & dstip==10.1.1.210 & userl-admin

operation-login & performed_on=="GUI(10.1.1.210)' & user!=admin

FortiAnalyzer is dropping logs.

FortiAnalyzer is indexing logs faster than logs are being received.

FortiAnalyzer has temporarily stopped receiving logs so older logs’ can be indexed.

The sqlplugind daemon is ahead in indexing by one log.

Allows you to manage the entire life cycle of a threat or breach.

Its use of the available disk space is capped at 50%.

It requires a licensed FortiSIEM supervisor.

It can be installed as a dedicated VM.

oftpd

miglogd

sqlplugind

logfiled

Antivirus logs

Web filter logs

IPS logs

Application control logs

It can be used for fast data processing and log correlation

It can be used to facilitate communication between devices in same Security Fabric

It can include all Fortinet devices that are part of the same Security Fabric

It can include only FortiGate devices that are part of the same Security Fabric

Quota enforcement is acting on analytical data before a report is complete

Logs are rolling before the report is run

CPU resources are too high

Disk utilization for archive logs is set for 15 days

Chart Builder

Export to Report Chart

Dataset Library

Custom View

A pre-shared key needs to be established on both sides.

The management computer does not have connectivity to the authorization IP address and port combination.

The Security Fabric root is unauthorized and needs to be added as a trusted host.

The fabric authorization settings on FortiAnalyzer are misconfigured.

Configuring fabric connectors to send notification to ITSM platform upon incident creation Is more efficient than third-party information from the FortiAnalyzer API.

Fabric connectors allow to save storage costs and improve redundancy.

Storage connector service does not require a separate license to send logs to cloud platform.

Cloud-Out connections allow you to send real-time logs to pubic cloud accounts like Amazon S3, Azure Blob , and Google Cloud.

Log type Traffic logs.

Logs that roll over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL.

Raw logs that are compressed and saved to a log file.

The log file is stored as a raw log and is available for analytic support.

The log file rolls over and is archived.

The log file is purged from the database.

The log file is overwritten.

System information

Logs from registered devices

Report information

Database snapshot

To add a new chart under FortiView to be used in new reports

To build a dataset and chart automatically, based on the filtered search results

To add charts directly to generate reports in the current ADOM

To build a chart automatically based on the top 100 log entries

Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.

Make sure all endpoints are reachable by FortiAnalyzer.

Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device.

Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

It allows user accounts in the LDAP server to use two-factor authentication.

It creates a wildcard administrator using an LDAP server.

User Remote-Admin from the LDAP server will be able to log in to FortiAnalyzer at any time.

Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP server.

To display statistics about the playbook runtime

To use information from the trigger to filter the action in a task

To provide the trigger information to make the playbook start running

To store the start times of playbooks with On_Schedule triggers

To add a log file checksum

To add the MD’s hash value and authentication code

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To encrypt log communications

ADOMs are enabled by default.

ADOMs constrain other administrator’s access privileges to a subset of devices in the device list.

Once enabled, the Device Manager, FortiView, Event Management, and Reports tab display per ADOM.

All administrators can create ADOMs--not just the admin administrator.

To remove the analytics logs of the device from the old database

To populate the new ADOM with analytical logs for the moved device, so you can run reports

To reset the ADOM disk quota enforcement to its default value

To migrate the archive logs to the new ADOM

New alerts are received by email.

Outbreak alerts are available on the root ADOM only.

An additional license is required.

It automatically downloads new event handlers and reports.

Logs are forwarded as they are received and content files are uploaded at a scheduled time.

Logs and content files are stored and uploaded at a scheduled time.

Logs are forwarded as they are received.

Logs and content files are forwarded as they are received.

To reset the disk quota enforcement to default

To remove the analytics logs of the device from the old database

To migrate the archive logs to the new ADOM

To populate the new ADOM with analytical logs for the moved device, so you can run reports

What devices and IP addresses are connecting to FortiAnalyzer

What logs, if any, are reaching FortiAnalyzer

What ADOMs are enabled and configured

What devices are registered and unregistered

Management extensions do not require additional licenses.

Management extensions allow FortiAnalyzer to act as a ForbSIEM supervisor.

Management extensions require a dedicated VM for best performance.

Management extensions may require a minimum number of CPU cores to run.

Use static routes

Use administrative profiles

Use trusted hosts

Use secure protocols

Configure trusted hosts.

Limit access to specific virtual domains.

Fabric connectors to external LDAP servers.

Use administrator profiles.

SMS

Email

SNMP

IM

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

Both modes, forwarding and aggregation, support encryption of logs between devices.

In aggregation mode, you can forward logs to syslog and CEF servers as well.

Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.

Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

An IPS log with action=pass.

A WebFilter log with action=dropped.

An AV log with action=quarantine.

An AppControl log with action=blocked.

SFTP, FTP, or SCP server

Mail server

Output profile

Report scheduling

It is a device whose registration has not yet been accepted in FortiAnalvzer.

It is a device that has not yet been assigned an ADOM.

It is a device that is waiting for you to configure a pre-shared key.

It is a device that FortiAnalvzer does not support.

SSL is the default setting.

SSL communications are auto-negotiated between the two devices.

SSL can send logs in real-time only.

SSL encryption levels are globally set on FortiAnalyzer.

FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.

It can be edited and modified as required

It specifies the report layout which contains predefined texts, charts, and macros

It specifies report settings which contains time period, device selection, and schedule

It contains predefined data to generate mock reports

In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.

In Log View, this feature allows you to build a chart and chart automatically, on the top 100 log entries.

This feature allows you to build a chart under FortiView.

You can add charts to generated reports using this feature.

ADOM mode is configured with Advanced mode.

A trusted host is configured.

fortinet is assigned the default Standard_User administrative profile.

fortinet is assigned the default Restricted_User administrative profile.

FortiView

Event Management

Device Manger

Reporting

The endpoint is marked as Compromised and. optionally, can be put in quarantine.

FortiAnalyzer flags the associated host for further analysis.

A new Infected entry is added for the corresponding endpoint.

The detection engine classifies those logs as Suspicious

The performance of FortiAnalyzer is below the baseline.

FortiAnalyzer is using its cache to avoid dropping logs.

The log insert lag time is increasing.

The sqlplugind service is caught up with new logs.

The fetch client can retrieve logs from devices that are not added to its local Device Manager

You can use filters to include only logs from a single device.

The fetching profile must include a user with the Super_User profile.

The archive logs retrieved from the server become archive logs in the client.

Centralized log repository

Cloud-based management

Reports

Virtual domains (VDOMs)

When in collector mode, FortiAnalyzer offloads the log receiving task to the analyzer.

When in analyzer mode, FortiAnalyzer supports event management and reporting features.

For the collector, you should allocate most of the disk space to analytics logs.

Analyzer mode is the default operating mode.

FortiAnalyzer Event Handler

Incoming webhook

FortiOS Event Log

Fabric Connector event

Running

Failed

Upstream_failed

Success

RAIDO

RAID 5

RAID1

RAID 6+0

RAID 0+0