
NSE5_Exam A

Title of test:
NSE5_Exam A

Description:
Testing again

Creation Date: 2023/04/29

Category: Others

Number of questions: 56

Content:

What is the best approach to handle a hard disk failure on a FortiAnalyzer that supports hardware RAID?
- Hot swap the disk.
- There is no need to do anything because the disk will self-recover.
- Shut down FortiAnalyzer and replace the disk.
- Run execute format disk to format and restart the FortiAnalyzer device.

Refer to the exhibit. Which statement is correct regarding the event displayed?
- An incident was created from this event.
- The security risk was blocked or dropped.
- The security event risk is considered open.
- The risk source is isolated.

Which statement correctly describes the management extensions available on FortiAnalyzer?
- Management extensions do not require additional licenses.
- Management extensions may require a minimum number of CPU cores to run.
- Management extensions allow FortiAnalyzer to act as a FortiSIEM supervisor.
- Management extensions require a dedicated VM for best performance.

In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results. Similarly, which feature can you use for FortiView?
- Export to Custom Chart.
- Export to PDF.
- Export to Chart Builder.
- Export to Report Chart.

Which daemon is responsible for enforcing the log file size?
- logfiled.
- oftpd.
- sqlplugind.
- miglogd.

For which two SAML roles can the FortiAnalyzer be configured? (Choose two.)
- Principal.
- Identity provider.
- Identity collector.
- Service provider.

Which two elements are contained in a system backup created on FortiAnalyzer? (Choose two.)
- Report information.
- Database snapshot.
- System information.
- Logs from registered devices.

What is required to authorize a FortiGate on FortiAnalyzer using Fabric authorization?
- A pre-shared key.
- The FortiGate serial number.
- A FortiGate ADOM.
- Valid FortiAnalyzer credentials.

Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two.)
- FortiAnalyzer HA can function without VRRP, and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.
- FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.
- All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.
- FortiAnalyzer HA implementation is supported by all cloud providers.

Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?
- FortiView Monitor.
- Threat hunting.
- Incidents dashboards.
- Outbreak alert services.

When working with FortiAnalyzer reports, what is the purpose of a dataset?
- To set the data included in templates.
- To retrieve data from the database.
- To provide the layout used for reports.
- To define the chart type to be used.

Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.)
- Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.
- A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.
- Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.
- Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.)
- By deploying different FortiAnalyzer devices in both modes, you can improve their overall performance.
- When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
- When in collector mode, FortiAnalyzer supports event management and reporting features.
- Collector mode is the default operating mode.

Which statement is true about sending notifications with incident updates?
- You can send notifications to multiple external platforms.
- If you use multiple fabric connectors, all connectors must have the same notification settings.
- Notifications can be sent only by email.
- Notifications can be sent only when an incident is updated or deleted.

Which SQL query is in the correct order to query the database in the FortiAnalyzer?
- SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid
- FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid
- SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
- SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'

A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see what activity was performed by that rogue administrator on FortiAnalyzer. What can you do on FortiAnalyzer to accomplish this?
- Click Task Monitor and view the tasks performed by that administrator.
- Click Fabric View and view the tasks performed by the rogue administrator.
- Click Log View and generate a report for that administrator.
- Click FortiView and generate a report for that administrator.

Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two.)
- Both modes, forwarding and aggregation, support encryption of logs between devices.
- In aggregation mode, you can forward logs to syslog and CEF servers as well.
- Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.
- Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.

After you have moved a registered logging device out of one ADOM and into a new ADOM, what is the purpose of running the following CLI command?
execute sql-local rebuild-adom <new-ADOM-name>
- To reset the disk quota enforcement to default.
- To migrate the archive logs to the new ADOM.
- To remove the analytics logs of the device from the old database.
- To populate the new ADOM with analytical logs for the moved device, so you can run reports.

Which statement is true regarding macros on FortiAnalyzer?
- Macros are predefined templates for reports and cannot be customized.
- Macros are useful in generating Excel log files automatically based on the report settings.
- Macros are supported only on the FortiGate ADOM.
- Macros are ADOM specific, and each ADOM has unique macros relevant to that ADOM.

What is the purpose of output variables?
- To display details of the connectors used by a playbook.
- To store playbook execution statistics.
- To save all the task settings when a playbook is exported.
- To use the output of the previous task as the input of the current task.

Which two actions should an administrator take to view Compromised Hosts on FortiAnalyzer? (Choose two.)
- Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
- Make sure all endpoints are reachable by FortiAnalyzer.
- Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device.
- Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

A playbook contains five tasks in total. An administrator executed the playbook and four out of five tasks finished successfully, but one task failed. What will be the status of the playbook after its execution?
- Failed.
- Success.
- Upstream_failed.
- Running.

Refer to the exhibit. Which image corresponds to the packet capture shown in the exhibit?
- A.
- B.
- C.
- D.

Refer to the exhibit. Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.)
- Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.
- This feature is automatically enabled for scheduled reports.
- Reports will be cached in the memory.
- Report size will be optimized to conserve disk space on FortiAnalyzer.

You created a playbook on FortiAnalyzer that uses a FortiOS connector. When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?
- FortiAnalyzer Event Handler.
- Incoming webhook.
- FortiOS Event Log.
- Fabric Connector event.

Refer to the exhibits. How many events will be added to the incident created after running this playbook?
- No events will be added.
- Ten events will be added.
- Five events will be added.
- Thirteen events will be added.

Which two statements are correct regarding the export and import of playbooks? (Choose two.)
- Playbooks can be exported and imported only within the same FortiAnalyzer.
- You can export only one playbook at a time.
- A playbook that was disabled when it was exported will be disabled when it is imported.
- You can import a playbook even if there is another one with the same name in the destination.

If the primary FortiAnalyzer in an HA cluster fails, how is the new primary elected?
- The firmware version is checked first.
- The active port number is checked first.
- The configured IP address is checked first.
- The configured priority is checked first.

Refer to the exhibit. The image displays the configuration of a FortiAnalyzer the administrator wants to join to an existing HA cluster. What can you conclude from the configuration displayed?
- This FortiAnalyzer will join the existing HA cluster as the primary.
- This FortiAnalyzer is configured to receive logs on its port1.
- This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.
- After joining the cluster, this FortiAnalyzer will keep an updated log database.

For which two purposes would you use the command set log-checksum? (Choose two.)
- To prevent log modification or tampering.
- To send an identical set of logs to a second logging server.
- To encrypt log communications.
- To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server.

Which statement is true when you are upgrading the firmware on an HA cluster made up of two FortiAnalyzer devices?
- You can perform the firmware upgrade using only a console connection.
- First, upgrade the secondary device, and then upgrade the primary device.
- You can enable uninterruptible-upgrade so that the normal FortiAnalyzer operations are not interrupted while the cluster firmware upgrades.
- Both FortiAnalyzer devices will be upgraded at the same time.

Which two statements are true regarding ADOM modes? (Choose two.)
- You can change ADOM modes only through the CLI.
- In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible.
- In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.
- Normal mode is the default ADOM mode.

An administrator, fortinet, is able to view logs and perform device management tasks, such as adding and removing registered devices. However, administrator fortinet is not able to create a mail server that can be used to send alert emails. What can be the problem?
- fortinet is assigned the Standard_User administrative profile.
- A trusted host is configured.
- ADOM mode is configured with Advanced mode.
- fortinet is assigned the Restricted_User administrative profile.

What are offline logs on FortiAnalyzer?
- Logs that are collected from offline devices after they boot up.
- Compressed logs, also known as archive logs, are considered to be offline logs.
- Logs that are indexed and stored in the SQL database.
- When you restart FortiAnalyzer, all stored logs are considered to be offline logs.

Refer to the exhibit. Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated by any user other than "admin" and coming from Laptop1. Which filter will achieve the desired result?
- operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin
- operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin
- operation-login & dstip==10.1.1.210 & user!=admin
- operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin
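Worked example for the generic text filter question above. This is an added illustration, not exam material and not Fortinet code: a small evaluator for the filter grammar, run over constructed key=value event records. The grammar it accepts (key==value, key!=value, & for AND, | for OR, parentheses, double-quoted values, & binding tighter than |), the rule that an absent field never satisfies == and always satisfies !=, and the choice of 10.1.1.100 as Laptop1's address are all assumptions, since the exhibit is not on the page.

```python
"""Evaluate FortiAnalyzer-style generic text filters against event log records.

Added illustration, not Fortinet code. Assumed grammar: key==value / key!=value,
"&" (AND), "|" (OR), parentheses, double-quoted values; "&" binds tighter than "|".
"""
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample event logs (not from any real system); 10.1.1.100 is assumed
# to be Laptop1 from the exhibit, which is not reproduced on the page.
SAMPLE_EVENT_LOGS = [
    'date=2023-04-29 time=09:14:02 user=admin operation=login performed_on="GUI(10.1.1.100)" status=success',
    'date=2023-04-29 time=09:20:45 user=alice operation=login performed_on="GUI(10.1.1.100)" status=success',
    'date=2023-04-29 time=09:31:10 user=bob operation=login performed_on="GUI(10.1.1.100)" status=failed',
    'date=2023-04-29 time=09:40:00 user=carol operation=login performed_on="GUI(10.1.1.50)" status=success',
    'date=2023-04-29 time=09:45:13 user=alice operation=logout performed_on="GUI(10.1.1.100)" status=success',
    'date=2023-04-29 time=09:50:00 user=dave operation=login performed_on="CLI(10.1.1.100)" status=success',
]

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Record:
    """Split a key=value log line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}

_TOKEN_RE = re.compile(
    r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<and>&)|(?P<or>\|)|'
    r'(?P<key>[A-Za-z_]\w*)\s*(?P<op>==|!=)\s*(?P<val>"[^"]*"|[^\s&|()]+))'
)

def tokenize(expr: str) -> List[Tuple]:
    """Turn a filter string into tokens; raises ValueError on anything unparsable."""
    tokens: List[Tuple] = []
    pos, expr = 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse filter at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group('key'):
            tokens.append(('cmp', m.group('key'), m.group('op'), m.group('val').strip('"')))
        else:
            tokens.append((m.lastgroup,))  # one of lp / rp / and / or
    return tokens

class _Parser:
    """Recursive-descent parser producing an AST of nested tuples."""
    def __init__(self, tokens: List[Tuple]):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or(self):  # lowest precedence: a | b
        left = self._and()
        while self._peek() == ('or',):
            self._take()
            left = ('or', left, self._and())
        return left

    def _and(self):  # binds tighter than |: a & b
        left = self._atom()
        while self._peek() == ('and',):
            self._take()
            left = ('and', left, self._atom())
        return left

    def _atom(self):  # a comparison or a parenthesised sub-expression
        tok = self._peek()
        if tok is None:
            raise ValueError("filter ended unexpectedly")
        if tok == ('lp',):
            self._take()
            node = self._or()
            if self._peek() != ('rp',):
                raise ValueError("missing closing parenthesis")
            self._take()
            return node
        if tok[0] == 'cmp':
            return self._take()
        raise ValueError(f"unexpected token {tok!r}")

def evaluate(node: Tuple, record: Record) -> bool:
    """Evaluate an AST against one record (assumption: missing field is never ==, always !=)."""
    if node[0] == 'cmp':
        _, key, op, value = node
        actual = record.get(key)
        return actual == value if op == '==' else actual != value
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if node[0] == 'and' else (left or right)

def apply_filter(expr: str, lines: List[str]) -> List[Record]:
    """Return the records (as dicts) that match the generic text filter."""
    ast = _Parser(tokenize(expr)).parse()
    return [rec for rec in map(parse_record, lines) if evaluate(ast, rec)]
```

With the sample records, the filter `operation==login & performed_on=="GUI(10.1.1.100)" & user!=admin` keeps alice's and bob's GUI logins and drops the admin login, the login from 10.1.1.50, the logout, and the CLI login; the `performed_on` field is what ties the event to the source host, which is why the srcip/dstip variants in the options are worth checking against the exhibit rather than assuming.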

Which two items must you configure on FortiAnalyzer to email a FortiAnalyzer report externally? (Choose two.)
- Output profile.
- SFTP, FTP, or SCP server.
- Mail server.
- Report scheduling.

Which statement is true about sending notifications with incident updates?
- You can send notifications to multiple external platforms.
- If you use multiple fabric connectors, all connectors must have the same notification settings.
- Notifications can be sent only when an incident is updated or deleted.
- Notifications can be sent only by email.

What is the purpose of predefined report templates on FortiAnalyzer?
- They can be customized to meet your needs.
- They can be created by saving reports as a template.
- They specify the layout used in reports.
- They include the data used in report charts.

Which two statements are true regarding fabric connectors? (Choose two.)
- Fabric connectors allow you to save storage costs and improve redundancy.
- Configuring fabric connectors is more efficient than third-party polling information from the FortiAnalyzer API.
- The storage connector service does not require a separate license to send logs to the cloud platform.
- Cloud-out connectors allow you to send real-time logs to public cloud accounts like Amazon S3, Azure Blob, and Google Cloud.

Which two methods can be used to restrict administrative access on FortiAnalyzer? (Choose two.)
- Use administrator profiles.
- Limit access to specific virtual domains.
- Configure trusted hosts.
- Add custom Security Fabric connectors.

Refer to the exhibit. The exhibit shows "remoteservergroup", an authentication server group with LDAP and RADIUS servers. Which two statements express the significance of enabling Match all users on remote server when configuring a new administrator? (Choose two.)
- User remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at any time.
- Administrators can log in to FortiAnalyzer using their credentials on remote LDAP and RADIUS servers.
- It creates a wildcard administrator using LDAP and RADIUS servers.
- It allows administrators to use two-factor authentication.

An administrator has moved FortiGate A from the root ADOM to ADOM1. Which two statements are true regarding logs? (Choose two.)
- Logs will be present in both ADOMs immediately after the move.
- Analytics logs will be moved to ADOM1 from the root ADOM automatically.
- Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.
- Archived logs will be moved to ADOM1 from the root ADOM automatically.

Which statement is true about using aggregation mode on FortiAnalyzer?
- Aggregation mode supports log filters.
- In aggregation mode, logs and content files are forwarded in real time.
- Aggregation mode can be configured only on the CLI.
- Aggregation mode can work with syslog servers.

What does the disk status Degraded mean for RAID management?
- One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system.
- The FortiAnalyzer device is writing data to a newly added hard drive in order to restore the hard drive to an optimal state.
- The hard drive is no longer being used by the RAID controller.
- The FortiAnalyzer device is writing to all the hard drives on the device in order to make the array fault tolerant.

What can you do on FortiAnalyzer to restrict administrative access from specific locations?
- Configure an ADOM for a respective location.
- Configure two-factor authentication with a remote RADIUS server.
- Configure trusted hosts for that administrator.
- Enable geo-location services on accessible interfaces.

Which two statements are true regarding the outbreak alert service? (Choose two.)
- Outbreak alerts are available on the root ADOM only.
- An additional license is required.
- It automatically downloads new event handlers and reports.
- New alerts are received by email.

Refer to the exhibit. What does the data point at 10:15:42 indicate?
- FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed.
- The fortilogd daemon is ahead in indexing by one log.
- FortiAnalyzer is indexing logs faster than logs are being received.
- FortiAnalyzer is dropping logs.

What are two advantages of grouping similar reports? (Choose two.)
- Improves report completion time.
- Conserves disk space on FortiAnalyzer by grouping multiple similar reports.
- Provides a better summary of reports.
- Reduces the number of hcache tables and improves auto-hcache completion time.

What are analytics logs on FortiAnalyzer?
- Log type Traffic logs.
- Logs that are indexed and stored in the SQL database.
- Logs that are compressed and saved to a log file.
- Logs that roll over when the log file reaches a specific size.

Which two settings must you configure on FortiAnalyzer to allow non-local administrators to authenticate on FortiAnalyzer with any user account in a single LDAP group? (Choose two.)
- A trusted host profile that restricts access to the LDAP group.
- A remote LDAP server.
- An administrator group.
- A local wildcard administrator account.

An administrator has configured the following settings:
config system fortiview settings
set resolve-ip enable
end
What is the significance of executing this command?
- It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.
- Use this command only if the source IP addresses are not resolved on FortiGate.
- You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer.
- It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer.

Which statement is correct regarding the FortiSOAR management extension?
- It includes a limited trial by default.
- It runs as a VM.
- It requires a FortiManager configured to manage FortiGate.
- It requires a dedicated FortiSOAR appliance or VM.

Which two parameters impact the amount of reserved disk space required by FortiAnalyzer? (Choose two.)
- Disk size.
- License type.
- Total quota.
- RAID level.

An administrator has configured the following settings:
config system global
set log-checksum md5-auth
end
What is the significance of executing these commands?
- These commands record the MD5 hash value and authentication code of log files.
- These commands create the secure channel used by the OFTP process.
- These commands verify the integrity of the log files received.
- These commands encrypt log transfer between FortiAnalyzer and other devices.
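The two log-checksum questions (set log-checksum earlier, and the md5-auth setting just above) turn on what recording a hash and an authentication code for a log file actually protects against. The following added example is not Fortinet code and does not reproduce FortiAnalyzer's on-disk checksum format; it shows the underlying principle with a constructed log file and a hypothetical audit key: a plain MD5 detects accidental corruption but can be recomputed by whoever edits the file, while a keyed code (HMAC-SHA256 here, chosen for the illustration) cannot be regenerated without the key, so an edit-and-rehash attempt still fails verification.

```python
"""Plain hash versus keyed authentication code over a log file.

Added illustration of the log-checksum idea; not Fortinet code and not
FortiAnalyzer's actual file format. The log content and the key are constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample log file content (not a real FortiAnalyzer log).
SAMPLE_LOG = (
    b'date=2023-04-29 time=10:15:42 user=admin operation=login status=success\n'
    b'date=2023-04-29 time=10:16:03 user=admin operation="edit admin profile" status=success\n'
    b'date=2023-04-29 time=10:18:51 user=admin operation=logout status=success\n'
)

# Hypothetical secret shared between the log producer and the auditor.
AUDIT_KEY = b'example-audit-key-not-a-real-secret'

def log_checksum(data: bytes) -> str:
    """Plain MD5 over the log bytes: catches accidental corruption only, since
    anyone who can rewrite the file can also rewrite the hash."""
    return hashlib.md5(data).hexdigest()

def log_auth_code(data: bytes, key: bytes) -> str:
    """Keyed authentication code over the same bytes; needs the key to regenerate."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def seal_log(data: bytes, key: bytes) -> Dict[str, str]:
    """Record both values for a log file, as a producer would at rollover time."""
    return {"md5": log_checksum(data), "auth": log_auth_code(data, key)}

def verify_log(data: bytes, seal: Dict[str, str], key: bytes) -> Dict[str, bool]:
    """Recompute both values and compare in constant time against the recorded seal."""
    return {
        "md5_ok": hmac.compare_digest(log_checksum(data), seal["md5"]),
        "auth_ok": hmac.compare_digest(log_auth_code(data, key), seal["auth"]),
    }

def tamper_and_recompute_md5(data: bytes, seal: Dict[str, str]) -> Tuple[bytes, Dict[str, str]]:
    """What a rogue administrator with file access can do: hide one action and
    refresh the unkeyed hash. The auth code cannot be refreshed without AUDIT_KEY."""
    edited = data.replace(b'operation="edit admin profile"', b'operation=logout')
    forged_seal = dict(seal, md5=log_checksum(edited))
    return edited, forged_seal

if __name__ == "__main__":
    seal = seal_log(SAMPLE_LOG, AUDIT_KEY)
    print("untouched:", verify_log(SAMPLE_LOG, seal, AUDIT_KEY))
    edited, forged = tamper_and_recompute_md5(SAMPLE_LOG, seal)
    print("edited + rehashed:", verify_log(edited, forged, AUDIT_KEY))
```

The untouched file verifies on both values; the edited file with a refreshed MD5 passes the hash check and fails the authentication check, which is the difference between detecting corruption and detecting tampering. Whatever the real format, the check only means something if the key (or the recorded values) is kept somewhere the person who can edit the logs cannot also edit.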

Which daemon is responsible for enforcing the log file size?
- logfiled.
- sqlplugind.
- miglogd.
- oftpd.

Which two elements are contained in a system backup created on FortiAnalyzer? (Choose two.)
- Database snapshot.
- Report information.
- System information.
- Logs from registered devices.
