FCP_FAZ_AD-7.4 FCP - FortiAnalyzer 7.4 Administrator Questions and Answers

It can be used for fast data processing and log correlation

It can be used to facilitate communication between devices in same Security Fabric

It can include all Fortinet devices that are part of the same Security Fabric

It can include only FortiGate devices that are part of the same Security Fabric

SFTP, FTP, or SCP server

Mail server

Output profile

Report scheduling

When in collector mode, FortiAnalyzer offloads the log receiving task to the analyzer.

When in analyzer mode, FortiAnalyzer supports event management and reporting features.

For the collector, you should allocate most of the disk space to analytics logs.

Analyzer mode is the default operating mode.

An IPS log with action=pass.

A WebFilter log with action=dropped.

An AV log with action=quarantine.

An AppControl log with action=blocked.

Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.

Make sure all endpoints are reachable by FortiAnalyzer.

Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device.

Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

Logs that reached a specific size and were rolled over

Logs that can be used to create reports

Logs that can be viewed using Log Browse

Logs that are saved to disk, compressed, and available in FortiView

RAIDO

RAID 5

RAID1

RAID 6+0

RAID 0+0

A pre-shared key needs to be established on both sides.

The management computer does not have connectivity to the authorization IP address and port combination.

The Security Fabric root is unauthorized and needs to be added as a trusted host.

The fabric authorization settings on FortiAnalyzer are misconfigured.

Log upload

Indicators of Compromise

Log forwarding an aggregation mode

Log fetching

There is no need to do anything because the disk will self-recover.

Run execute format disk to format and restart the FortiAnalyzer device.

Perform a hot swap of the disk.

Shut down FortiAnalyzer and replace the disk.

The hard drive is no longer being used by the RAID controller.

One or more drives are missing from the FortiAnalyzer unit.

The device is writing data to the disk to restore the volume to an optimal state.

FortiAnalyzer determined that the parity data in the disk is not valid.

By default, Log Data Sync is disabled on all backup devise.

Log Data Sync provides real-time log synchronization to all backup devices.

With initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.

When Logs Data Sync is turned on, the backup device will reboot and then rebuilt the log database with the synchronized logs.

To upload logs to an SFTP server

To prevent log modification during backup

To send an identical set of logs to a second logging server

To encrypt log communication between devices

The maximum disk utilization for each device in the ADOM

The maximum disk utilization for the FortiAnalyzer model

The maximum disk utilization for the ADOM type

The maximum disk utilization for all devices in the ADOM

To properly correlate logs

To use real-time forwarding

To resolve host names

To improve DNS response times

A local wildcard administrator account

An administrator group

One or more remote LDAP servers

LDAP servers IP addresses added as trusted hosts

New alerts are received by email.

Outbreak alerts are available on the root ADOM only.

An additional license is required.

It automatically downloads new event handlers and reports.

It sorts log data into tables

It extracts the database schema

It retrieves log data from the database

It injects log data into the database

In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.

In Log View, this feature allows you to build a chart and chart automatically, on the top 100 log entries.

This feature allows you to build a chart under FortiView.

You can add charts to generated reports using this feature.

sqlplugind

logfiled

miglogd

ofrpd

To list the current SQL processes running

To check what is the database log insertion status

To display the SOL query connections and hcache status

To view the current hcache size

FortiAnalyzer needs that time to parse the new playbook.

FortiAnalyzer needs that time to back up the current playbooks.

FortiAnalyzer needs that time to ensure there are no other playbooks running.

FortiAnalyzer needs that time to debug the new playbook.

They determine what data is retrieved from the database.

They provide the layout used for reports.

They are used to set the data included in templates.

They define the chart types to be used in reports.

The size of newly generated reports is optimized to conserve disk space.

FortiAnalyzer local cache is used to store generated reports.

When new logs are received, the hard-cache data is updated automatically.

The generation time for reports is decreased.

FortiAnalyzer provides the ability to create custom reports.

FortiAnalyzer glows you to schedule reports to run.

FortiAnalyzer includes pre-defined reports only.

FortiAnalyzer allows reporting for FortiGate devices only.

The traffic destination is another FortiGate in the fabric.

The upstream FortiGate is configured to do NAT

Log redundancy is configured in the fabric.

The downstream device cannot connect to FortiAnalyzer.

Set the ADOM mode to Advanced

Assign the ADOMs to the administrator’s account

Configure trusted hosts

Assign the default Super_User administrator profile

Output profiles

Report settings

Report scheduling

Custom datasets

Hot swap the disk

Replace the disk and rebuild the RAID manually

Take no action if the RAID level supports a failed disk

Shut down FortiAnalyzer and replace the disk

FortiAnalyzer HA can function without VRRP. and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.

FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.

FortiAnalyzerl and FortiAnalyzer3

FortiAnalyzer1 and FortiAnalyzer2

All devices listed can be members

FortiAnalyzer2 and FortiAnalyzer3

Log type Traffic logs.

Logs that roll over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL.

Raw logs that are compressed and saved to a log file.

To provide the layout used for reports

To define the chart type to be used

To retrieve data from the database

To set the data included in templates

Configure trusted hosts.

Limit access to specific virtual domains.

Fabric connectors to external LDAP servers.

Use administrator profiles.

FortiAnalyzer is ensuring that the parity data of a redundant drive is valid

FortiAnalyzer is writing data to a newly added hard drive to restore it to an optimal state

FortiAnalyzer is writing to all of its hard drives to make the array fault tolerant

FortiAnalyzer is functioning normally

FROM

LIMIT

WHERE

ORDER BY

To store playbook execution statistics

To use the output of the previous task as the input of the current task

To display details of the connectors used by a playbook

To save all the task settings when a playbook is exported

Logs from registered devices

Database snapshot

Report information

System information

They limit which logs are checked for matches by the other filters.

They can filter the logs before they are processed by FortiAnalyzer

They download new filters to be used in event handlers.

They are common filters applied simultaneously to all event handlers.

FortiAnalyzer resets the disk quota of the new ADOM to default.

FortiAnalyzer migrates archive logs to the new ADOM.

FortiAnalyzer migrates analytics logs to the new ADOM.

FortiAnalyzer removes logs from the old ADOM.

The log file is stored as a raw log and is available for analytic support.

The log file rolls over and is archived.

The log file is purged from the database.

The log file is overwritten.

FortiAnalyzer is dropping logs.

FortiAnalyzer is indexing logs faster than logs are being received.

FortiAnalyzer has temporarily stopped receiving logs so older logs’ can be indexed.

The sqlplugind daemon is ahead in indexing by one log.

A local wildcard administrator account

A remote LDAP server

A trusted host profile that restricts access to the LDAP group

An administrator group

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

The FortiAnalyzer stops logging once the disk log quota is met.

The FortiAnalyzer automatically sets the disk log quota based on the device.

The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.

The FortiAnalyzer disk log quota is configurable, but has a minimum o 100mb a maximum based on the reserved system space.

Option A

Option B

Option C

Option D

After joining the cluster, this FortiAnalyzer will forward received logs to its peers.

This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

This FortiAnalyzer is configured to route HA traffic through a gateway.

This FortiAnalyzer will join the existing HA cluster as the secondary.

A configuration with four disks, each with 2 TB of capacity, provides a total space of 4 TB.

B 11 combines mirroring striping and distributed parity to provide performance and fault tolerance

A configuration with four disks, each with 2 TB of capacity, provides a total space of 2 TB.

It uses striping to provide performance and fault tolerance.