
NSE5 FortiAnalyzer 7.0

Test title:
NSE5 FortiAnalyzer 7.0

Description:
FAZ 7.0

Created: 2022/12/16

Category: Computing

Number of questions: 76

Rating: (17)
Syllabus:

Refer to the exhibit. Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated by any user other than "admin" and coming from Laptop1. Which filter will achieve the desired result?. A. operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin. B. operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin. C. operation-login & dstip==10.1.1.210 & user!=admin. D. operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin.
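
Worked example for the filter question above, added here by the editor; it is not part of the quiz and not Fortinet code. It implements the subset of the generic text filter grammar the options use (terms joined by &, field==value and field!=value with optional quotes, and a bare word matched as a substring) plus | as a lower-precedence OR, then runs the candidate filters over a constructed set of local event-log records. Two assumptions: the "operation-login" spelling in the options is read as operation==login, and a field that is absent from a record compares as an empty string, which is why option B's srcip/dstip tests never match a GUI login record.

```python
"""Evaluate FortiAnalyzer-style generic text filters against log records.

Editor-added illustration, not Fortinet code. Grammar covered: terms joined
by '&' (AND) and '|' (OR, lower precedence, no parentheses), field tests as
field==value or field!=value with optional quotes, and a bare word matched
as a substring of the rendered log line. FortiAnalyzer's real parser is
assumed to accept this subset; it has more features than shown here.
"""
import re

# Constructed FortiAnalyzer local event-log records (dict form) for the demo.
SAMPLE_LOGS = [
    {"operation": "login",  "performed_on": "GUI(10.1.1.100)", "user": "admin", "status": "success"},
    {"operation": "login",  "performed_on": "GUI(10.1.1.100)", "user": "alice", "status": "success"},
    {"operation": "login",  "performed_on": "GUI(10.1.1.200)", "user": "bob",   "status": "success"},
    {"operation": "login",  "performed_on": "ssh(10.1.1.100)", "user": "carol", "status": "success"},
    {"operation": "logout", "performed_on": "GUI(10.1.1.100)", "user": "alice", "status": "success"},
]

# field==value or field!=value; the value may carry surrounding quotes.
_FIELD_TEST = re.compile(r"^([\w-]+)\s*(==|!=)\s*(.+)$")


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _render(record):
    # Flat key=value rendering used for bare-word (substring) terms.
    return " ".join(f"{k}={v}" for k, v in record.items())


def _term_matches(term, record):
    term = term.strip()
    m = _FIELD_TEST.match(term)
    if m is None:
        return term in _render(record)            # bare text term
    field, op, value = m.group(1), m.group(2), _unquote(m.group(3))
    actual = str(record.get(field, ""))           # missing field compares as ""
    return actual == value if op == "==" else actual != value


def filter_matches(filter_text, record):
    """AND binds tighter than OR: 'a & b | c' is (a AND b) OR c."""
    return any(
        all(_term_matches(t, record) for t in group.split("&"))
        for group in filter_text.split("|")
    )


def apply_filter(filter_text, records=SAMPLE_LOGS):
    """Return the records that satisfy filter_text, in original order."""
    return [r for r in records if filter_matches(filter_text, r)]


if __name__ == "__main__":
    candidates = {
        "A": 'operation==login & performed_on=="GUI(10.1.1.100)" & user!=admin',
        "B": "operation==login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin",
        "D": 'operation==login & performed_on=="GUI(10.1.1.210)" & user!=admin',
    }
    for label, f in candidates.items():
        print(label, [r["user"] for r in apply_filter(f)])
```

Only candidate A returns the non-admin GUI login from 10.1.1.100; B and D match nothing because the GUI login record carries the client address inside performed_on, not in srcip/dstip, and 10.1.1.210 is not Laptop1. Note that a != test on a field the record does not have is true, so filters built from != alone can over-match.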

Which two statements are true regarding ADOM modes? (Choose two.). A. You can change ADOM modes only through the CLI. B. In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible. C. In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs. D. Normal mode is the default ADOM mode.

Refer to the exhibit. The image displays the configuration of a FortiAnalyzer the administrator wants to join to an existing HA cluster. What can you conclude from the configuration displayed?. A. This FortiAnalyzer will join to the existing HA cluster as the primary. B. This FortiAnalyzer is configured to receive logs in its port1. C. This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds. D. After joining to the cluster, this FortiAnalyzer will keep an updated log database.

FAZ.6.2 You are using RAID with a FortiAnalyzer that supports software RAID, and one of the hard disks on FortiAnalyzer has failed. What is the recommended method to replace the disk?. A. Shut down FortiAnalyzer and then replace the disk. B. Downgrade your RAID level, replace the disk, and then upgrade your RAID level. C. Clear all RAID alarms and replace the disk while FortiAnalyzer is still running. D. Perform a hot swap.

How many events will be added to the incident created after running this playbook?. A. No events will be added. B. Ten events will be added. C. Five events will be added. D. Thirteen events will be added.

Refer to the exhibit. Which statement is correct regarding the event displayed?. A. An incident was created from this event. B. The security risk was blocked or dropped. C. The security event risk is considered open. D. The risk source is isolated.

What is the best approach to handle a hard disk failure on a FortiAnalyzer that supports hardware RAID?. A. Hot swap the disk. B. There is no need to do anything because the disk will self-recover. C. Shut down FortiAnalyzer and replace the disk. D. Run execute format disk to format and restart the FortiAnalyzer device.

Which statement is true when you are upgrading the firmware on an HA cluster made up of two FortiAnalyzer devices?. A. You can perform the firmware upgrade using only a console connection. B. First, upgrade the secondary device, and then upgrade the primary device. C. You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades. D. Both FortiAnalyzer devices will be upgraded at the same time.

A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer. What can you do on FortiAnalyzer to accomplish this?. A. Click Task Monitor and view the tasks performed by that administrator. B. Click Fabric View and view the tasks performed by the rogue administrator. C. Click Log View and generate a report for that administrator. D. Click FortiView and generate a report for that administrator.

Which two actions should an administrator take to view Compromised Hosts on FortiAnalyzer? (Choose two.). A. Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer. B. Make sure all endpoints are reachable by FortiAnalyzer. C. Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device. D. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

What is required to authorize a FortiGate on FortiAnalyzer using Fabric authorization?. A. A pre-shared key. B. The FortiGate serial number. C. A FortiGate ADOM. D. Valid FortiAnalyzer credentials.

A playbook contains five tasks in total. An administrator executed the playbook and four out of five tasks finished successfully, but one task failed. What will be the status of the playbook after its execution?. A. Failed. B. Success. C. Upstream_failed. D. Running.

Which statement is true regarding Macros on FortiAnalyzer?. A. Macros are predefined templates for reports and cannot be customized. B. Macros are useful in generating excel log files automatically based on the report settings. C. Macros are supported only on the FortiGate ADOM. D. Macros are ADOM specific and each ADOM has unique macros relevant to that ADOM.

After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command? execute sql-local rebuild-adom <new-ADOM-name>. A. To reset the disk quota enforcement to default. B. To migrate the archive logs to the new ADOM. C. To remove the analytics logs of the device from the old database. D. To populate the new ADOM with analytical logs for the moved device, so you can run reports.

Which statement is true about sending notifications with incident updates?. A. You can send notifications to multiple external platforms. B. If you use multiple fabric connectors, all connectors must have the same notification settings. C. Notifications can be sent only by email. D. Notifications can be sent only when an incident is updated or deleted.

Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.). A. By deploying different FortiAnalyzer devices in both modes, you can improve their overall performance. B. When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format. C. When in collector mode, FortiAnalyzer supports event management and reporting features. D. Collector mode is the default operating mode.

When working with FortiAnalyzer reports, what is the purpose of a dataset?. A. To set the data included in templates. B. To retrieve data from the database. C. To provide the layout used for reports. D. To define the chart type to be used.

Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?. A. FortiView Monitor. B. Threat hunting. C. Incidents dashboard. D. Outbreak alert services.

What are offline logs on FortiAnalyzer?. A. Logs that are collected from offline devices after they boot up. B. Compressed logs, also known as archive logs, are considered to be offline logs. C. Logs that are indexed and stored in the SQL database. D. When you restart FortiAnalyzer, all stored logs are considered to be offline logs.

An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send alert emails. What can be the problem?. A. fortinet is assigned the Standard_User administrative profile. B. A trusted host is configured. C. ADOM mode is configured with Advanced mode. D. fortinet is assigned the Restricted_User administrative profile.

For which two purposes would you use the command set log checksum? (Choose two.). A. To prevent log modification or tampering. B. To send an identical set of logs to a second logging server. C. To encrypt log communications. D. To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server.

If the primary FortiAnalyzer in an HA cluster fails, how is the new primary elected?. A. The firmware version is checked first. B. The active port number is checked first. C. The configured IP address is checked first. D. The configured priority is checked first.

Which two statements are correct regarding the export and import of playbooks? (Choose two.). A. Playbooks can be exported and imported only within the same FortiAnalyzer. B. You can export only one playbook at a time. C. A playbook that was disabled when it was exported, will be disabled when it is imported. D. You can import a playbook even if there is another one with the same name in the destination.

You created a playbook on FortiAnalyzer that uses a FortiOS connector. When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?. A. FortiAnalyzer Event Handler. B. Incoming webhook. C. FortiOS Event Log. D. Fabric Connector event.

Refer to the exhibit. Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.). A. Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets. B. This feature is automatically enabled for scheduled reports. C. Reports will be cached in the memory. D. Report size will be optimized to conserve disk space on FortiAnalyzer.

What is the purpose of output variables?. A. To display details of the connectors used by a playbook. B. To store playbook execution statistics. C. To save all the task settings when a playbook is exported. D. To use the output of the previous task as the input of the current task.

Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two.). A. Both modes, forwarding and aggregation, support encryption of logs between devices. B. In aggregation mode, you can forward logs to syslog and CEF servers as well. C. Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time. D. Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

FAZ.6.2 Which two constraints can impact the amount of reserved disk space required by FortiAnalyzer? (Choose two.). A. License type. B. Disk size. C. Total quota. D. RAID level.

Which daemon is responsible for enforcing the log file size?. A. logfiled. B. oftpd. C. sqlplugind. D. miglogd.

FAZ.6.4 An administrator has configured the following settings: config system fortiview settings set resolve-ip enable end What is the significance of executing this command?. A. Use this command only if the source IP addresses are not resolved on FortiGate. B. It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer. C. You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer. D. It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.

Which statement correctly describes the management extensions available on FortiAnalyzer?. A. Management extensions do not require additional licenses. B. Management extensions may require a minimum number of CPU cores to run. C. Management extensions allow FortiAnalyzer to act as a FortiSIEM supervisor. D. Management extensions require a dedicated VM for best performance.

In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use for FortiView?. A. Export to Custom Chart. B. Export to PDF. C. Export to Chart Builder. D. Export to Report Chart.

For which two SAML roles can the FortiAnalyzer be configured? (Choose two.). A. Principal. B. Identity provider. C. Identity collector. D. Service provider.

Which two elements are contained in a system backup created on FortiAnalyzer? (Choose two.). A. Report information. B. Database snapshot. C. System information. D. Logs from registered devices.

Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two.). A. FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster. B. FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings. C. All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector. D. FortiAnalyzer HA implementation is supported by all cloud providers.

Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.). A. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy. B. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end. C. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version. D. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

Which SQL query is in the correct order to query the database in the FortiAnalyzer?. A. SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid. B. FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid. C. SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid. D. SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'.

NSE5_FAZ-6.4 Which clause is considered mandatory in SELECT statements used by the FortiAnalyzer to generate reports?. A. FROM. B. ORDER BY. C. LIMIT. D. WHERE.
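
Worked example for the two SQL questions above (clause order, and FROM being the mandatory clause), added here by the editor and not taken from the quiz or from Fortinet. FortiAnalyzer runs dataset queries on its PostgreSQL log database after substituting the $log placeholder with the log table of the dataset's log type; the example stands an in-memory SQLite table named log in for it, with constructed rows, and runs the four candidate orders from the question. The user column is double-quoted because user is a reserved word in both dialects; that quoting choice is the example's, not the quiz's.

```python
"""Check the clause order of a FortiAnalyzer-style dataset query.

Editor-added example, not Fortinet code. FortiAnalyzer substitutes $log
with the log table of the dataset's log type and runs the query on its
PostgreSQL database; here an in-memory SQLite table named 'log' stands in,
filled with a few constructed rows.
"""
import sqlite3

# Constructed rows: (devid, user, srcip) as FortiOS log fields would appear.
SAMPLE_ROWS = [
    ("FGT1", "USER1", "10.1.1.10"),
    ("FGT1", "USER1", "10.1.1.11"),
    ("FGT2", "USER1", "10.1.1.12"),
    ("FGT2", "USER2", "10.1.1.13"),
    ("FGT3", "USER3", "10.1.1.14"),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    # "user" is a reserved word in most SQL dialects, hence the double quotes.
    conn.execute('CREATE TABLE log (devid TEXT, "user" TEXT, srcip TEXT)')
    conn.executemany("INSERT INTO log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def run_dataset_query(query, table="log"):
    """Replace $log, run the query and return its rows; on a syntax error
    return the message as a string so callers can see why a candidate failed."""
    conn = open_sample_db()
    try:
        return conn.execute(query.replace("$log", table)).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    finally:
        conn.close()


# The four candidate orders from the question, with the identifier quoted.
CANDIDATES = {
    "A": "SELECT devid WHERE \"user\"='USER1' FROM $log GROUP BY devid",
    "B": "FROM $log WHERE \"user\"='USER1' SELECT devid GROUP BY devid",
    "C": "SELECT devid FROM $log WHERE \"user\"='USER1' GROUP BY devid",
    "D": "SELECT devid FROM $log GROUP BY devid WHERE \"user\"='USER1'",
}


def check_candidates():
    """Map each candidate letter to its rows (sorted) or to its error text."""
    out = {}
    for letter, sql in CANDIDATES.items():
        result = run_dataset_query(sql)
        out[letter] = sorted(result) if isinstance(result, list) else result
    return out


def logins_per_device(user):
    """A complete report-style query in the order datasets follow:
    SELECT ... FROM ... WHERE ... GROUP BY ... ORDER BY. The user value is
    passed as a bound parameter rather than spliced into the SQL text."""
    sql = ('SELECT devid, count(*) AS logins FROM $log WHERE "user"=? '
           "GROUP BY devid ORDER BY logins DESC, devid")
    conn = open_sample_db()
    try:
        return conn.execute(sql.replace("$log", "log"), (user,)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for letter, result in check_candidates().items():
        print(letter, result)
    print(logins_per_device("USER1"))
```

Only C parses; A, B and D fail at the first out-of-place keyword. One caveat the quiz's rendering hides: WHERE 'user'='USER1' with single quotes compares two string literals and returns no rows at all, in SQLite and PostgreSQL alike, so an identifier that collides with a reserved word must be double-quoted.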

NSE5_FAZ-6.4 If a hard disk on FortiAnalyzer that supports hardware RAID fails, what can be done on FortiAnalyzer?. A. Shut down FortiAnalyzer and replace the disk. B. Run execute format disk to format and restart the FortiAnalyzer device. C. No need to do anything because the disk will self-recover. D. Hot swap the disk.

NSE5_FAZ-6.4 Which two methods are the most common methods to control and restrict administrative access on FortiAnalyzer? (Choose two.). A. Virtual domains. B. Administrative access profiles. C. Trusted hosts. D. Security Fabric.

NSE5_FAZ-6.4 Which daemon is responsible for enforcing raw log file size?. A. logfiled. B. oftpd. C. sqlplugind. D. miglogd.

What is the purpose of a predefined template on the FortiAnalyzer?. A. It specifies the report layout which contains predefined texts, charts, and macros. B. It specifies report settings which contains time period, device selection, and schedule. C. It contains predefined data to generate mock reports. D. It can be edited and modified as required.

NSE5_FAZ-6.4 An administrator has configured the following settings: config system global set log-checksum md5-auth end What is the significance of executing this command?. A. This command records the log file MD5 hash value. B. This command records passwords in log files and encrypts them. C. This command encrypts log transfer between FortiAnalyzer and other devices. D. This command records the log file MD5 hash value and authentication code.

NSE5_FAZ-6.4 Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two.). A. SNMP. B. IM. C. SMS. D. Email.

NSE5_FAZ-6.4 What are offline logs on FortiAnalyzer?. A. Compressed logs, which are also known as archive logs, are considered to be offline logs. B. When you restart FortiAnalyzer, all stored logs are considered to be offline logs. C. Logs that are indexed and stored in the SQL database. D. Logs that are collected from offline devices after they boot up.

NSE5_FAZ-6.4 Refer to the exhibit. What does the data point at 14:35 tell you?. A. FortiAnalyzer has temporary stopped receiving logs so older logs can be indexed. B. FortiAnalyzer is indexing logs faster than logs are being received. C. The fortilogd daemon is ahead in indexing by one log. D. FortiAnalyzer is dropping logs.

Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.). A. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end. B. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version. C. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy. D. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

NSE5_FAZ-6.4 An administrator has configured the following settings: config system fortiview settings set resolve-ip enable end What is the significance of executing this command?. A. Use this command only if the source IP addresses are not resolved on FortiGate. B. It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer. C. You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer. D. It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.

NSE5_FAZ-6.4 Refer to the exhibit. Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.). A. Report size will be optimized to conserve disk space on FortiAnalyzer. B. Reports will be cached in the memory. C. This feature is automatically enabled for scheduled reports. D. Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.

NSE5_FAZ-6.2 FortiAnalyzer reports are dropping analytical data from 15 days ago, even though the data policy setting for analytics logs is 60 days. What is the most likely problem?. A. Quota enforcement is acting on analytical data before a report is complete. B. Logs are rolling before the report is run. C. CPU resources are too high. D. Disk utilization for archive logs is set for 15 days.

NSE5_FAZ-6.2 Which log type does the FortiAnalyzer indicators of compromise feature use to identify infected hosts?. A. Antivirus logs. B. Web filter logs. C. IPS logs. D. Application control logs.

NSE5_FAZ-6.2 What is the purpose of a predefined template on the FortiAnalyzer?. A. It can be edited and modified as required. B. It specifies the report layout which contains predefined texts, charts, and macros. C. It specifies report settings which contains time period, device selection, and schedule. D. It contains predefined data to generate mock reports.

NSE5_FAZ-6.2 What is the purpose of the following CLI command?. A. To add the MD5's hash value and authentication code. B. To encrypt log communications. C. To add a unique tag to each log to provide that it came from this FortiAnalyzer. D. To add a log file checksum.
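
Worked example for the three log-checksum questions above (set log checksum, set log-checksum md5-auth, and the unshown CLI command), added here by the editor; it is not part of the quiz and does not reproduce Fortinet's file format, key handling or exact algorithm. It contrasts what the two settings protect against: md5 records only an unkeyed digest of the archived log file, which detects accidental corruption but which anyone who can rewrite the file can recompute; md5-auth additionally records an authentication code, modelled here as HMAC-MD5 under a secret key the verifier holds, which an attacker without the key cannot forge. The log file and the key are constructed for the demo.

```python
"""Plain hash vs keyed authentication code for archived log files.

Editor-added illustration of the two log-checksum settings; it does not
reproduce Fortinet's format or key handling. 'md5' records the file's MD5
digest; 'md5-auth' also records an authentication code, modelled here as
HMAC-MD5 under a secret key (an assumption about the construction).
"""
import hashlib
import hmac
import secrets

# Constructed archived log file (raw FortiOS-style lines).
ORIGINAL_LOG = b"\n".join([
    b'date=2022-12-16 time=10:01:02 devid=FGT1 user="admin" action=login status=success',
    b'date=2022-12-16 time=10:05:17 devid=FGT1 user="mallory" action=login status=failed',
    b'date=2022-12-16 time=10:05:20 devid=FGT1 user="mallory" action=login status=failed',
]) + b"\n"


def md5_checksum(data):
    """What 'set log-checksum md5' records: an unkeyed digest."""
    return hashlib.md5(data).hexdigest()


def md5_auth_code(data, key):
    """The extra value 'md5-auth' records, modelled as HMAC-MD5 (assumption)."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def record_checksums(data, key):
    """Values stored beside the archive when the file is written."""
    return {"md5": md5_checksum(data), "md5-auth": md5_auth_code(data, key)}


def verify(data, recorded, key=None):
    """Check the digest; with a key, also check the authentication code.
    compare_digest keeps the comparison time independent of where it fails."""
    ok = hmac.compare_digest(md5_checksum(data), recorded["md5"])
    if key is not None:
        ok = ok and hmac.compare_digest(md5_auth_code(data, key), recorded["md5-auth"])
    return ok


def tampering_demo(key=None):
    """Rewrite the archive to hide failed logins and try to pass both checks."""
    key = key or secrets.token_bytes(32)
    recorded = record_checksums(ORIGINAL_LOG, key)
    tampered = ORIGINAL_LOG.replace(b"status=failed", b"status=success")
    # Whoever can rewrite the archive can recompute the plain MD5 as well,
    # but cannot produce the authentication code without the key.
    forged = {"md5": md5_checksum(tampered), "md5-auth": recorded["md5-auth"]}
    return {
        "original_passes_md5": verify(ORIGINAL_LOG, recorded),
        "original_passes_md5_auth": verify(ORIGINAL_LOG, recorded, key),
        "tampered_fails_md5": not verify(tampered, recorded),
        "forged_passes_md5_only": verify(tampered, forged),
        "forged_fails_md5_auth": not verify(tampered, forged, key),
    }


if __name__ == "__main__":
    for check, passed in tampering_demo().items():
        print(f"{check}: {passed}")
```

The checksum detects modification after the fact rather than preventing it, and the keyed variant is only as strong as the secrecy of the key: an attacker who can read the key turns md5-auth back into md5. MD5 itself is collision-weak, so a design built today would use SHA-256 and HMAC-SHA256; the MD5 names here follow the setting the questions ask about.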

NSE5_FAZ-6.2 Which FortiAnalyzer feature allows you to retrieve the archived logs matching a specific timeframe, from another FortiAnalyzer device?. A. Log fetching. B. Indicators of compromise. C. Log forwarding in aggregation mode. D. Log upload.

NSE5_FAZ-6.2 After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command? execute sql-local rebuild-adom <new-ADOM-name>. A. To reset the disk quota enforcement to default. B. To remove the analytics logs of the device from the old database. C. To migrate the archive logs to the new ADOM. D. To populate the new ADOM with analytical logs for the moved device, so you can run reports.

NSE5_FAZ-6.2 Why should you use an NTP server on FortiAnalyzer and all registered devices that log into FortiAnalyzer?. A. To properly correlate logs. B. To use real-time forwarding. C. To resolve host names. D. To improve DNS response times.

NSE5_FAZ-6.0 Which FortiAnalyzer feature allows you to retrieve the archived logs matching a specific timeframe from another FortiAnalyzer device?. A. Log upload. B. Indicators of Compromise. C. Log forwarding in aggregation mode. D. Log fetching.

Training FAZ 7.0 Which database language does FortiAnalyzer support for the purposes of logging and reporting? Select one: SSH. SQL. LDAP. XML.

Training FAZ 7.0 What should you always do after erasing the FortiAnalyzer configuration from the flash memory? Select one: Run the execute format disk command. Run the execute reset all-settings command. Perform a system backup. Run the execute reboot command.

Training FAZ 7.0 Which two external servers can you configure to validate administrator logins? (Choose two.) Select one or more: Only locally by FortiAnalyzer. LDAP. RADIUS. Syslog.

Training FAZ 7.0 What is the main purpose of deploying RAID with FortiAnalyzer? Select one: To store data in chunks across multiple drives. To provide redundancy of your log data. To back up your logs. To make an identical copy of log data on two separate physical drives.

Training FAZ 7.0 What is included in the disk quota for each ADOM on FortiAnalyzer? Select one: Archive logs and Analytics logs. Raw logs and Analytics logs. Raw logs and Archive files. SQL tables and Analytics logs.

Training FAZ 7.0 When you move a FortiGate device from one ADOM to a new ADOM, what is the purpose of rebuilding the new ADOM database? Select one: To run reports on the device analytics logs in the new ADOM. To remove the device analytics logs from the old ADOM. To migrate the archive logs to the new ADOM. To reset the disk quota enforcement to the default settings.

Training FAZ 7.0 It is a best practice to upload FortiAnalyzer local logs to a remote server. Which three remote servers are supported for the upload? (Choose three.) Select one or more: TCP. SCP. UDP. FTP. SFTP.

Training FAZ 7.0 What are event handlers? Select one: Threats identified by FortiGuard. SNMP traps. Alert notifications. Specific matched conditions in the raw logs.

Training FAZ 7.0 Which two FortiAnalyzer features allow you to build a dataset and a chart automatically, based on a filtered search result? (Choose two.) Select one or more: Chart Builder. Dataset Library. Custom View. Export to Report Chart (FortiView).

Training FAZ 7.0 When generating reports on FortiAnalyzer, macros can be used to include additional data. Which two statements about macros are true? (Choose two.) Select one or more: Macros are abbreviated dataset queries. Macros cannot be customized. Macros do not need to be associated with a chart. Macros are supported on FortiGate ADOMs only.

Training FAZ 7.0 When is the execution of a playbook considered as failed? Select one: When all the tasks fail. When the playbook is disabled. When at least one of the tasks fails. When the playbook is imported from another ADOM.

Training FAZ 7.0 What allows one task to use the output of a previous task as its input? Select one: Exported tasks. Output variables. Trigger variables.

Training FAZ 7.0 Which connector type is enabled by default to be used in playbooks? Select one: FortiOS. EMS. FAZ Localhost. Fabric.

Training FAZ 7.0 Which two items are automatically downloaded by the Outbreak Alerts service? (Choose two) Select one or more: Customized playbook. Report Template. Event Handler. Incident template.

Training FAZ 7.0 What must be configured to be able to send notifications about incident updates? Select one: Back-end email server. Fabric connector. A playbook using an Incident_Trigger. Output profile.

NSE5_FAZ-6.2 Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate to FortiAnalyzer with any user account in a single LDAP group? (Choose two.). A. A local wildcard administrator account. B. A remote LDAP server. C. A trusted host profile that restricts access to the LDAP group. D. An administrator group.

NSE5_FAZ-6.0 What FortiView tool can you use to automatically build a dataset and chart based on a filtered search result?. A. Chart Builder. B. Export to Report Chart. C. Dataset Library. D. Custom View.

NSE5_FAZ-7.0 Refer to the exhibit Which image corresponds to the packet capture shown in the exhibit?. A. B. C. D.

What must you configure on FortiAnalyzer to upload a FortiAnalyzer report to a supported external server? (Choose two.). A. SFTP, FTP, or SCP server. B. Mail server. C. Output profile. D. Report scheduling.
