FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Question and Answers

Set the ADOM mode to Advanced

Assign the ADOMs to the administrator’s account

Configure trusted hosts

Assign the default Super_User administrator profile

Output profile

Report scheduling

SFTP server

SNMP server

Antivirus logs

Web filter logs

IPS logs

Application control logs

The configured IP address is checked first.

The active port number is checked first.

The firmware version is checked first.

The configured priority is checked first

To properly correlate logs

To use real-time forwarding

To resolve host names

To improve DNS response times

The security risk was blocked or dropped.

The security event risk is considered open.

An incident was created from this event.

The risk source is isolated.

Configure trusted hosts for that administrator.

Enable geo-location services on accessible interface.

Configure two-factor authentication with a remote RADIUS server.

Configure an ADOM for respective location.

Compressed logs, also known as archive logs

Logs that are indexed and stored in the SQL database

Any logs collected from offline devices after they boot up

Real-time logs that are not yet indexed

An IPS log with action=pass.

A WebFilter log with action=dropped.

An AV log with action=quarantine.

An AppControl log with action=blocked.

The connection between FortiGate and FortiAnalyzer is overloaded.

FortiGate has logs to send, but FortiAnalyzer is unavailable.

FortiGate is configured to send logs in batches.

FortiGate is sending logs again after it performed a reboot.

Mail server

Output profile

SFTP server

Report scheduling

By default, Log Data Sync is disabled on all backup devise.

Log Data Sync provides real-time log synchronization to all backup devices.

With initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.

When Logs Data Sync is turned on, the backup device will reboot and then rebuilt the log database with the synchronized logs.

Management extensions do not require additional licenses.

Management extensions allow FortiAnalyzer to act as a ForbSIEM supervisor.

Management extensions require a dedicated VM for best performance.

Management extensions may require a minimum number of CPU cores to run.

It automatically updates the hcache when new logs arrive.

It provides diagnostics on report generation time.

It reduces the log insert lag rate.

It reduces report generation time.

A local wildcard administrator account

A remote LDAP server

A trusted host profile that restricts access to the LDAP group

An administrator group

FortiView

Event Management

Device Manger

Reporting

It allows user accounts in the LDAP server to use two-factor authentication.

It creates a wildcard administrator using an LDAP server.

User Remote-Admin from the LDAP server will be able to log in to FortiAnalyzer at any time.

Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP server.

FortiAnalyzer distinguishes different devices by their serial number.

FortiAnalyzer receives logs from d devices in a duster.

FortiAnalyzer receives bgs only from the primary device in the cluster.

FortiAnalyzer only needs to know (he serial number of the primary device in the cluster-it automaticaly discovers the other devices.

CPU resources are too high

Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device

The total disk space is insufficient and you need to add other disk

The ADOM disk quota is set too low, based on log rates

Chart Builder

Export to Report Chart

Dataset Library

Custom View

An account that permits access to members of an LDAP group

An account that allows guest access with read-only privileges

An account that requires two-factor authentication

An account that validates against any user account on a FortiAuthenticator

3.6% of the system storage is already being used.

Some space is reserved for system use, such as storage of compression files, upload files, and temporary report files

The oftpd process has not archived the logs yet

The logfiled process is just estimating the total quota

In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.

In Log View, this feature allows you to build a chart and chart automatically, on the top 100 log entries.

This feature allows you to build a chart under FortiView.

You can add charts to generated reports using this feature.

A pre-shared key needs to be established on both sides.

The management computer does not have connectivity to the authorization IP address and port combination.

The Security Fabric root is unauthorized and needs to be added as a trusted host.

The fabric authorization settings on FortiAnalyzer are misconfigured.

It is a device whose registration has not yet been accepted in FortiAnalvzer.

It is a device that has not yet been assigned an ADOM.

It is a device that is waiting for you to configure a pre-shared key.

It is a device that FortiAnalvzer does not support.

There is no need to do anything because the disk will self-recover.

Run execute format disk to format and restart the FortiAnalyzer device.

Perform a hot swap of the disk.

Shut down FortiAnalyzer and replace the disk.

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

FortiAnalyzer is dropping logs.

FortiAnalyzer is indexing logs faster than logs are being received.

FortiAnalyzer has temporarily stopped receiving logs so older logs’ can be indexed.

The sqlplugind daemon is ahead in indexing by one log.

Notifications can be sent only when an incident is updated or deleted.

If you use multiple fabric connectors, all connectors must have the same notification settings

Notifications can be sent only by email.

You can send notifications to multiple external platforms

Use this command only if the source IP addresses are not resolved on FortiGate.

It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer.

You must configure local DNS servers on FortiGate for this command to resolve IP addresses on Forti Analyzer.

It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.

Generated reports

Device list

Authorized devices logs

System information

Log correlation

Host name resolution

Log collection

Real-time forwarding

logfiled

oftpd

sqlplugind

miglogd

FROM

LIMIT

WHERE

ORDER BY

Configure trusted hosts.

Limit access to specific virtual domains.

Fabric connectors to external LDAP servers.

Use administrator profiles.

Export to Report Chart

Export to PDF

Export to Chart Builder

Export to Custom Chart

To display statistics about the playbook runtime

To use information from the trigger to filter the action in a task

To provide the trigger information to make the playbook start running

To store the start times of playbooks with On_Schedule triggers

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To add the MD5 hash value and authentication code

To add a log file checksum

To encrypt log communications

FortiAnalyzer is using the device MAC addresses to differentiate their logs.

The logs belong to devices that are part of a high availability (HA) cluster.

FortiAnalyzer is receiving logs from the root FortiGate of a Security Fabric.

The device sending logs has two VDOMs in the same ADOM.

The endpoint is marked as Compromised and. optionally, can be put in quarantine.

FortiAnalyzer flags the associated host for further analysis.

A new Infected entry is added for the corresponding endpoint.

The detection engine classifies those logs as Suspicious

FortiAnalyzer provides the ability to create custom reports.

FortiAnalyzer glows you to schedule reports to run.

FortiAnalyzer includes pre-defined reports only.

FortiAnalyzer allows reporting for FortiGate devices only.

SSL is the default setting.

SSL communications are auto-negotiated between the two devices.

SSL can send logs in real-time only.

SSL encryption levels are globally set on FortiAnalyzer.

FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.

Quota enforcement is acting on analytical data before a report is complete

Logs are rolling before the report is run

CPU resources are too high

Disk utilization for archive logs is set for 15 days

A local wildcard administrator account

An administrator group

One or more remote LDAP servers

LDAP servers IP addresses added as trusted hosts

Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.

Macros are supported only on the FortiGate ADOM.

Macros are useful in generating excel log files automatically based on the reports settings.

Macros are predefined templates for reports and cannot be customized.

It sorts log data into tables

It extracts the database schema

It retrieves log data from the database

It injects log data into the database

The maximum disk utilization for each device in the ADOM

The maximum disk utilization for the FortiAnalyzer model

The maximum disk utilization for the ADOM type

The maximum disk utilization for all devices in the ADOM

operation-login & dstip==10.1.1.210 & user!-admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

RAIDO

RAID 5

RAID1

RAID 6+0

RAID 0+0

There is no need to do anything because the disk will self-recover.

Run execute format disk to format and restart the FortiAnalyzer device.

Perform a hot swap of the disk.

Shut down FortiAnalyzer and replace the disk.