NSE5_FAZ-7.2
Test title: NSE5_FAZ-7.2. Description: NSE5_FAZ-7.2




1. Which two actions should an administrator take to view Compromised Hosts on FortiAnalyzer? (Choose two.)
   - Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
   - Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.
   - Make sure all endpoints are reachable by FortiAnalyzer.
   - Enable device detection on the FortiGate devices that are sending logs to FortiAnalyzer.

2. Which two statements are correct regarding the export and import of playbooks? (Choose two.)
   - You can import a playbook even if there is another one with the same name in the destination.
   - Playbooks can be exported and imported only within the same FortiAnalyzer device.
   - You can export only one playbook at a time.
   - A playbook that was disabled when it was exported will be disabled when it is imported.

3. A playbook contains five tasks in total. An administrator runs the playbook and four out of five tasks finish successfully, but one task fails. What will be the status of the playbook after it is run?
   - Running.
   - Failed.
   - Upstream_failed.
   - Success.

4. Which statement about the FortiSIEM management extension is correct?
   - Allows you to manage the entire life cycle of a threat or breach.
   - Its use of the available disk space is capped at 50%.
   - It requires a licensed FortiSIEM supervisor.
   - It can be installed as a dedicated VM.

5. Which two statements are true regarding the outbreak detection service? (Choose two.)
   - New alerts are received by email.
   - Outbreak alerts are available on the root ADOM only.
   - An additional license is required.
   - It automatically downloads new event handlers and reports.

6. What must you consider when using log fetching? (Choose two.)
   - The fetch client can retrieve logs from devices that are not added to its local Device Manager.
   - You can use filters to include only logs from a single device.
   - The fetching profile must include a user with the Super_User profile.
   - The archive logs retrieved from the server become archive logs in the client.

7. Which statement describes a dataset in FortiAnalyzer?
   - They determine what data is retrieved from the database.
   - They provide the layout used for reports.
   - They are used to set the data included in templates.
   - They define the chart types to be used in reports.

8. How many events will be added to the incident created after running this playbook?
   - Thirteen events will be added.
   - Five events will be added.
   - No events will be added.
   - Ten events will be added.

9. What does the data point at 12:20 indicate?
   - The performance of FortiAnalyzer is below the baseline.
   - FortiAnalyzer is using its cache to avoid dropping logs.
   - The log insert lag time is increasing.
   - The sqlplugind service is caught up with new logs.

10. You created a playbook on FortiAnalyzer that uses a FortiOS connector. When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?
    - FortiAnalyzer Event Handler.
    - Incoming webhook.
    - Fabric Connector event.
    - FortiOS Event Log.

11. Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?
    - Outbreak alert services.
    - FortiView Monitor.
    - Threat hunting.
    - Incidents dashboard.

12. Which log will generate an event with the status Contained?
    - An IPS log with action=pass.
    - A WebFilter log with action=dropped.
    - An AV log with action=quarantine.
    - An AppControl log with action=blocked.

13. What is the purpose of trigger variables?
    - To display statistics about the playbook runtime.
    - To use information from the trigger to filter the action in a task.
    - To provide the trigger information to make the playbook start running.
    - To store the start times of playbooks with On_Schedule triggers.

14. Which daemon is responsible for enforcing raw log file size?
    - logfiled.
    - oftpd.
    - sqlplugind.
    - miglogd.

15. What is one of the operating modes of FortiAnalyzer? Select one:
    - Primary.
    - Analyzer.
    - Advanced.
    - Member.

16. What is included in the disk quota for each ADOM on FortiAnalyzer? Select one:
    - SQL tables and Analytics logs.
    - Raw logs and Analytics logs.
    - Raw logs and Archive files.
    - Archive logs and Analytics logs.

17. Which two external servers can you configure to validate administrator logins? (Choose two.) Select one or more:
    - Only locally by FortiAnalyzer.
    - Syslog.
    - RADIUS.
    - LDAP.

18. What should you always do after erasing the FortiAnalyzer configuration from the flash memory? Select one:
    - Run the execute reboot command.
    - Perform a system backup.
    - Run the execute reset all-settings command.
    - Run the execute format disk command.

19. Which database language does FortiAnalyzer support for the purposes of logging and reporting? Select one:
    - LDAP.
    - SQL.
    - SSH.
    - XML.

20. When you move a FortiGate device from one ADOM to a new ADOM, what is the purpose of rebuilding the new ADOM database? Select one:
    - To migrate the archive logs to the new ADOM.
    - To run reports on the device analytics logs in the new ADOM.
    - To reset the disk quota enforcement to the default settings.
    - To remove the device analytics logs from the old ADOM.

21. What is the main purpose of deploying RAID with FortiAnalyzer? Select one:
    - To make an identical copy of log data on two separate physical drives.
    - To store data in chunks across multiple drives.
    - To back up your logs.
    - To provide redundancy of your log data.

22. What is true about a FortiAnalyzer Fabric? Select one:
    - Fabric members must be in the same time zone as the supervisor.
    - Fabric members and the supervisor support high availability (HA).
    - All fabric members must run in collector mode except the supervisor.
    - Fabric members forward their logs to the supervisor.

23. It is a best practice to upload FortiAnalyzer local logs to a remote server. Which two remote servers are supported for the upload? (Choose two.) Select one or more:
    - FTP.
    - UDP.
    - SFTP.
    - TCP.

24. What is another name for FortiAnalyzer archive logs? Select one:
    - Backed-up logs.
    - Compressed logs.
    - Aggregated logs.
    - Rolled-over logs.

25. Which statement correctly describes the management extensions available on FortiAnalyzer?
    - Management extensions do not require additional licenses.
    - Management extensions may require a minimum number of CPU cores to run.
    - Management extensions allow FortiAnalyzer to act as a FortiSIEM supervisor.
    - Management extensions require a dedicated VM for best performance.

26. If the primary FortiAnalyzer in an HA cluster fails, how is the new primary elected?
    - The firmware version is checked first.
    - The active port number is checked first.
    - The configured IP address is checked first.
    - The configured priority is checked first.

27. A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer. What can you do on FortiAnalyzer to accomplish this?
    - Click Task Monitor and view the tasks performed by that administrator.
    - Click Fabric View and view the tasks performed by the rogue administrator.
    - Click Log View and generate a report for that administrator.
    - Click FortiView and generate a report for that administrator.

28. Which SQL query is in the correct order to query the database in the FortiAnalyzer?
    - SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid
    - FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid
    - SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
    - SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'

29. Which statement is correct regarding the event displayed?
    - An incident was created from this event.
    - The security risk was blocked or dropped.
    - The security event risk is considered open.
    - The risk source is isolated.

30. Why run the command diagnose sql status sqlplugind?
    - To list the current SQL processes running.
    - To check the database log insertion status.
    - To display the SQL query connections and hcache status.
    - To view the current hcache size.

31. For which two purposes would you use the command set log checksum? (Choose two.)
    - To prevent log modification or tampering.
    - To send an identical set of logs to a second logging server.
    - To encrypt log communications.
    - To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server.

32. What is the purpose of using prefilters when configuring event handlers?
    - They limit which logs are checked for matches by the other filters.
    - They can filter the logs before they are processed by FortiAnalyzer.
    - They download new filters to be used in event handlers.
    - They are common filters applied simultaneously to all event handlers.

33. What are offline logs on FortiAnalyzer?
    - Logs that are collected from offline devices after they boot up.
    - Compressed logs, also known as archive logs, are considered to be offline logs.
    - Logs that are indexed and stored in the SQL database.
    - When you restart FortiAnalyzer, all stored logs are considered to be offline logs.

34. Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.)
    - By deploying different FortiAnalyzer devices in both modes, you can improve their overall performance.
    - When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
    - When in collector mode, FortiAnalyzer supports event management and reporting features.
    - Collector mode is the default operating mode.

35. Which FortiAnalyzer tool can refer to the cyber kill chain stages and allow you to identify which Fortinet products can protect you against new vulnerabilities?
    - Threat hunting SIEM table.
    - FortiView Monitor top threats.
    - FortiSOC dashboard.
    - Outbreak detection services.

36. Which statement about sending notifications with incident updates is true?
    - Notifications can be sent only when an incident is created or deleted.
    - You must configure an output profile to send notifications by email.
    - Each incident can send notifications to a single external platform.
    - Each connector used can have different notification settings.

37. Which statement is true about sending notifications with incident updates?
    - You can send notifications to multiple external platforms.
    - If you use multiple fabric connectors, all connectors must have the same notification settings.
    - Notifications can be sent only by email.
    - Notifications can be sent only when an incident is updated or deleted.

38. What is required to authorize a FortiGate on FortiAnalyzer using Fabric authorization?
    - A pre-shared key.
    - The FortiGate serial number.
    - A FortiGate ADOM.
    - Valid FortiAnalyzer credentials.

39. What is the purpose of using the Chart Builder feature on FortiAnalyzer?
    - In Log View, this feature allows you to build a dataset and chart automatically, based on the filtered search results.
    - In Log View, this feature allows you to build a chart and chart automatically, on the top 100 log entries.
    - This feature allows you to build a chart under FortiView.
    - You can add charts to generated reports using this feature.

40. Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two.)
    - SNMP.
    - IM.
    - SMS.
    - Email.

41. An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send alert emails. What can be the problem?
    - fortinet is assigned the Standard_User administrative profile.
    - A trusted host is configured.
    - ADOM mode is configured with Advanced mode.
    - fortinet is assigned the Restricted_User administrative profile.

42. Which statement is true regarding Macros on FortiAnalyzer?
    - Macros are predefined templates for reports and cannot be customized.
    - Macros are useful in generating Excel log files automatically based on the report settings.
    - Macros are supported only on the FortiGate ADOM.
    - Macros are ADOM specific and each ADOM has unique macros relevant to that ADOM.

43. Which item must you configure on FortiAnalyzer to email generated reports automatically?
    - Output profile.
    - Report scheduling.
    - SFTP server.
    - SNMP server.

44. What is the purpose of output variables?
    - To display details of the connectors used by a playbook.
    - To store playbook execution statistics.
    - To save all the task settings when a playbook is exported.
    - To use the output of the previous task as the input of the current task.

45. In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use for FortiView?
    - Export to Custom Chart.
    - Export to PDF.
    - Export to Chart Builder.
    - Export to Report Chart.

46. What are two benefits of using fabric connectors? (Choose two.)
    - They allow FortiAnalyzer to send logs in real-time to public cloud accounts.
    - You do not need an additional license to send logs to the cloud platform.
    - Fabric connectors allow you to improve redundancy.
    - Using fabric connectors is more efficient than using third-party polling with API.

47. Which two statements are true regarding ADOM modes? (Choose two.)
    - You can change ADOM modes only through the CLI.
    - In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible.
    - In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.
    - Normal mode is the default ADOM mode.

48. Which statement describes archive logs on FortiAnalyzer?
    - Logs compressed and saved in files with the .gz extension.
    - Logs that are indexed and stored in the SQL database.
    - Logs a FortiAnalyzer administrator can access in FortiView.
    - Logs previously collected from devices that are offline.

49. Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate to FortiAnalyzer with any user account in a single LDAP group? (Choose two.)
    - A local wildcard administrator account.
    - A remote LDAP server.
    - A trusted host profile that restricts access to the LDAP group.
    - An administrator group.

50. Which two of the following must you configure on FortiAnalyzer to email a FortiAnalyzer report externally? (Choose two.)
    - Mail server.
    - Output profile.
    - SFTP server.
    - Report scheduling.

51. Which statement is true when you are upgrading the firmware on an HA cluster made up of two FortiAnalyzer devices?
    - You can perform the firmware upgrade using only a console connection.
    - First, upgrade the secondary device, and then upgrade the primary device.
    - You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades.
    - Both FortiAnalyzer devices will be upgraded at the same time.

52. Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two.)
    - FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.
    - FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.
    - All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.
    - FortiAnalyzer HA implementation is supported by all cloud providers.

53. What can you do on FortiAnalyzer to restrict administrative access from specific locations?
    - Configure trusted hosts for that administrator.
    - Enable geo-location services on the accessible interface.
    - Configure two-factor authentication with a remote RADIUS server.
    - Configure an ADOM for the respective location.

54. You are looking for a playbook that was exported by a junior administrator. You perform a search and find the files listed below. Which file would you choose to perform an import operation?
    - Exported_playbook.sql
    - Exported_playbook.csv
    - Exported_playbook.txt
    - Exported_playbook.json

55. Which statement about the FortiSOAR management extension is correct?
    - It requires a FortiManager configured to manage FortiGate.
    - It requires a dedicated FortiSOAR device or VM.
    - It does not include a limited trial by default.
    - It runs as a docker container on FortiAnalyzer.

56. What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two.)
    - The size of newly generated reports is optimized to conserve disk space.
    - FortiAnalyzer local cache is used to store generated reports.
    - When new logs are received, the hard-cache data is updated automatically.
    - The generation time for reports is decreased.

57. Why must you wait for several minutes before you run a playbook that you just created?
    - FortiAnalyzer needs that time to parse the new playbook.
    - FortiAnalyzer needs that time to back up the current playbooks.
    - FortiAnalyzer needs that time to ensure there are no other playbooks running.
    - FortiAnalyzer needs that time to debug the new playbook.

58. Based on the partial outputs displayed, which devices can be members of a FortiAnalyzer Fabric?
    - FortiAnalyzer1 and FortiAnalyzer3.
    - FortiAnalyzer1 and FortiAnalyzer2.
    - All devices listed can be members.
    - FortiAnalyzer2 and FortiAnalyzer3.

59. What is the best approach to handle a hard disk failure on a FortiAnalyzer that supports hardware RAID?
    - There is no need to do anything because the disk will self-recover.
    - Hot swap the disk.
    - Shut down FortiAnalyzer and replace the disk.
    - Run execute format disk to format and restart the FortiAnalyzer device.