FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Questions and Answers

When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.

Collector mode is the default operating mode.

When in collector mode. FortiAnalyzer supports event management and reporting features.

By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting

After joining the cluster, this FortiAnalyzer will forward received logs to its peers.

This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

This FortiAnalyzer is configured to route HA traffic through a gateway.

This FortiAnalyzer will join the existing HA cluster as the secondary.

Running

Failed

Upstream_failed

Success

The FortiAnalyzer stops logging once the disk log quota is met.

The FortiAnalyzer automatically sets the disk log quota based on the device.

The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.

The FortiAnalyzer disk log quota is configurable, but has a minimum o 100mb a maximum based on the reserved system space.

It can be used for fast data processing and log correlation

It can be used to facilitate communication between devices in same Security Fabric

It can include all Fortinet devices that are part of the same Security Fabric

It can include only FortiGate devices that are part of the same Security Fabric

Virtual domains

Administrative access profiles

Trusted hosts

Security Fabric

To reset the disk quota enforcement to default

To remove the analytics logs of the device from the old database

To migrate the archive logs to the new ADOM

To populate the new ADOM with analytical logs for the moved device, so you can run reports

An account that permits access to members of an LDAP group

An account that allows guest access with read-only privileges

An account that requires two-factor authentication

An account that validates against any user account on a FortiAuthenticator

To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server

To prevent log modification or tampering

To encrypt log communications

To send an identical set of logs to a second logging server

License type

Disk size

Total quota

RAID level

Configure trusted hosts.

Limit access to specific virtual domains.

Fabric connectors to external LDAP servers.

Use administrator profiles.

You can perform the firmware upgrade using only a console connection.

All FortiAnalyzer devices will be upgraded at the same time.

Enabling uninterruptible-upgrade prevents normal operations from being interrupted during the upgrade.

First, upgrade the secondary devices, and then upgrade the primary device.

SQL FROM statement

SQL GET statement

SQL SELECT statement

SQL EXTRACT statement

Principal

Service provider

Identity collector

Identity provider

The configured IP address is checked first.

The active port number is checked first.

The firmware version is checked first.

The configured priority is checked first

This password is used if the authentication server becomes unreachable.

This password authenticates FortiAnalyzer aqainst the LDAP server.

This password is set to comply with FortiAnalvzer password policy

This password is required because this is a restricted user.

Mail server

Output profile

SFTP server

Report scheduling

By default, Log Data Sync is disabled on all backup devise.

Log Data Sync provides real-time log synchronization to all backup devices.

With initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.

When Logs Data Sync is turned on, the backup device will reboot and then rebuilt the log database with the synchronized logs.

System information

Logs from registered devices

Report information

Database snapshot

To introduce redundancy to your log data

To provide data separation between ADOMs

To separate analytical and archive data

To back up your logs

ADOM mode is configured with Advanced mode.

A trusted host is configured.

fortinet is assigned the default Standard_User administrative profile.

fortinet is assigned the default Restricted_User administrative profile.

Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.

Macros are supported only on the FortiGate ADOM.

Macros are useful in generating excel log files automatically based on the reports settings.

Macros are predefined templates for reports and cannot be customized.

Generated reports

Device list

Authorized devices logs

System information

FortiAnalyzer uses log fetching to retrieve the logs when back online

FortiGate uses the miglogd process to cache the logs

The logfiled process stores logs in offline mode

Logs are dropped

If devices were registered to FortiAnalyzer before forming a cluster, you can manually add them together.

FortiAnalyzer distinguishes each cluster member by the IP addresses in log message headers.

If the HA primary device becomes unavailable, you must remove it from the HA cluster list on FortiAnalyzer.

The FortiGate HA cluster must be in active-passive mode in order to avoid conflict.

Hot swap the disk

Replace the disk and rebuild the RAID manually

Take no action if the RAID level supports a failed disk

Shut down FortiAnalyzer and replace the disk

Management extensions do not require additional licenses.

Management extensions allow FortiAnalyzer to act as a ForbSIEM supervisor.

Management extensions require a dedicated VM for best performance.

Management extensions may require a minimum number of CPU cores to run.

Analytics logs will be moved to ADOM1 from the root ADOM automatically.

Archived logs will be moved to ADOM1 from the root ADOM automatically.

Logs will be presented in both ADOMs immediately after the move.

Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.

Click FortiView and generate a report for that administrator.

Click Task Monitor and view the tasks performed by that administrator.

Click Log View and generate a report for that administrator.

View the tasks performed by the rogue administrator in Fabric View.

CPU resources are too high

Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device

The total disk space is insufficient and you need to add other disk

The ADOM disk quota is set too low, based on log rates

The maximum disk utilization for each device in the ADOM

The maximum disk utilization for the FortiAnalyzer model

The maximum disk utilization for the ADOM type

The maximum disk utilization for all devices in the ADOM

Improve report completion time.

Conserve disk space on FortiAnalyzer by grouping multiple similar reports.

Reduce the number of hcache tables and improve auto-hcache completion time.

Provides a better summary of reports.

When in collector mode, FortiAnalyzer offloads the log receiving task to the analyzer.

When in analyzer mode, FortiAnalyzer supports event management and reporting features.

For the collector, you should allocate most of the disk space to analytics logs.

Analyzer mode is the default operating mode.

FortiAnalyzer overwrites the log files.

FortiAnalyzer stops logging.

FortiAnalyzer rolls the active log by renaming the file.

FortiAnalyzer forwards logs to syslog.

Configure trusted hosts for that administrator.

Enable geo-location services on accessible interface.

Configure two-factor authentication with a remote RADIUS server.

Configure an ADOM for respective location.

Set the ADOM mode to Advanced

Assign the ADOMs to the administrator’s account

Configure trusted hosts

Assign the default Super_User administrator profile

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To add the MD5 hash value and authentication code

To add a log file checksum

To encrypt log communications

The number of times in the logs where end users experienced slowness while accessing resources.

The amount of lag time that occurs when the administrator is rebuilding the ADOM database.

The amount of time that passes between the time a log was received and when it was indexed on FortiAnalyzer.

The amount of time FortiAnalyzer takes to receive logs from a registered device

operation-login & dstip==10.1.1.210 & user!-admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

The received rate is almost at its maximum for this device

The sqlplugind daemon is behind in log indexing by two logs

Logs are being dropped

Raw logs are reaching FortiAnalyzer faster than they can be indexed

FROM

LIMIT

WHERE

ORDER BY

Quota enforcement is acting on analytical data before a report is complete

Logs are rolling before the report is run

CPU resources are too high

Disk utilization for archive logs is set for 15 days

The total disk space is insufficient and you need to add other disk.

CPU resources are too high.

The ADOM disk quota is set too low based on log rates.

Logs in that ADOM are being forwarded in real-time to another FortiAnalyzer device.

SSL is the default setting.

SSL communications are auto-negotiated between the two devices.

SSL can send logs in real-time only.

SSL encryption levels are globally set on FortiAnalyzer.

FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.

Analytics logs will be moved to ADOM1 from the root ADOM automatically.

Archived logs will be moved to ADOM1 from the root ADOM automatically.

Logs will be present in both ADOMs immediately after the move.

Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the database.

The traffic destination is another FortiGate in the fabric.

The upstream FortiGate is configured to do NAT

Log redundancy is configured in the fabric.

The downstream device cannot connect to FortiAnalyzer.

Centralized log repository

Cloud-based management

Reports

Virtual domains (VDOMs)

FortiAnalyzer Event Handler

Incoming webhook

FortiOS Event Log

Fabric Connector event

An administrator with the default standard_User profile can create ADOMs.

Disk quotas can be defined per device inside the ADOM.

FortiAnalyzer creates default ADOMs when ADOMs are enabled.

The ADOM type you create must match the device type you are planning to add.

A pre-shared key needs to be established on both sides.

The management computer does not have connectivity to the authorization IP address and port combination.

The Security Fabric root is unauthorized and needs to be added as a trusted host.

The fabric authorization settings on FortiAnalyzer are misconfigured.