Fortinet Fortinet Certifications NSE5_FAZ-7.0 Questions & Answers

• Question 21:

  You crested a playbook on FortiAnalyzer that uses a FortiOS connector

  When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?

  A. FortiAnalyzer Event Handler

  B. Incoming webhook

  C. FortiOS Event Log

  D. Fabric Connector event

  Correct Answer: B

  "One possible scenario is shown on the slide:

  1.

  Traffic flows through the FortiGate

  2.

  FortiGate sends logs to FortiAnalyzer

  3.

  FortiAnalyzer detects some suspicious traffic and generates an event

  4.

  The event triggers the execution of a playbook in FortiAnalyzer, which sends a webhook call to FortiGate so that it runs an automation stitch

  5.

  FortiGate runs the automation stitch with the corrective or preventive actions"

• Question 22:

  Which two methods can you use to send event notifications when an event occurs that matches a configured event handler? (Choose two.)

  A. SMS

  B. Email

  C. SNMP

  D. IM

  Correct Answer: BC

  Reference: https://help.fortinet.com/fa/faz50hlp/60/6-0-2/Content/FortiAnalyzer_Admin_Guide/1800_Events/0200_Event_handlers/0600_Create_event_han dlers.htm Reference: https://help.fortinet.com/fa/faz50hlp/60/6-0- 2/Content/FortiAnalyzer_Admin_Guide/1800_Events/0200_Event_handlers/0600_Create_e vent_handlers.htm

• Question 23:

  In the FortiAnalyzer FortiView, source and destination IP addresses from FortiGate devices are not resolving to a hostname.

  How can you resolve the source and destination IP addresses, without introducing any additional performance impact to FortiAnalyzer?

  A. Resolve IP addresses on a per-ADOM basis to reduce delay on FortiView while IPs resolve

  B. Configure # set resolve-ip enable in the system FortiView settings

  C. Configure local DNS servers on FortiAnalyzer

  D. Resolve IP addresses on FortiGate

  Correct Answer: D

  https://packetplant.com/fortigate-and-fortianalyzer-resolve-source-and-destination-ip/ "

  As a best practice, it is recommended to resolve IPs on the FortiGate end. This is because you get both source and destination, and it offloads the work from FortiAnalyzer. On FortiAnalyzer, this IP resolution does destination IPs only"

• Question 24:

  Which two statement are true regardless initial Logs sync and Log Data Sync for Ha on FortiAnalyzer?

  A. By default, Log Data Sync is disabled on all backup devise.

  B. Log Data Sync provides real-time log synchronization to all backup devices.

  C. With initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.

  D. When Logs Data Sync is turned on, the backup device will reboot and then rebuilt the log database with the synchronized logs.

  Correct Answer: CD

• Question 25:

  Which two elements are contained in a system backup created on FortiAnalyzer? (Choose two.)

  A. System information

  B. Logs from registered devices

  C. Report information

  D. Database snapshot

  Correct Answer: AC

  What does the System Configuration backup include?

  System information, such as the device IP address and administrative user information.

  Device list, such as any devices you configured to allow log access.

  Report information, such as any configured report settings, as well as all your custom report details. These are not the actual reports.

  FortiAnalyzer_7.0_Study_Guide-Online pag. 29

• Question 26:

  What two things should an administrator do to view Compromised Hosts on FortiAnalyzer? (Choose two.)

  A. Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.

  B. Make sure all endpoints are reachable by FortiAnalyzer.

  C. Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer device.

  D. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

  Correct Answer: AD

  Compromised Hosts or Indicators of Compromise service (IOC) is a licensed feature.

  To view Compromised Hosts, you must turn on the UTM web filter of FortiGate devices and subscribe your FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard. Ref : https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/137635/viewing-compromised-hosts

• Question 27:

  Which tabs do not appear when FortiAnalyzer is operating in Collector mode?

  A. FortiView

  B. Event Management

  C. Device Manger

  D. Reporting

  Correct Answer: AD

• Question 28:

  How are logs forwarded when FortiAnalyzer is using aggregation mode?

  A. Logs are forwarded as they are received and content files are uploaded at a scheduled time.

  B. Logs and content files are stored and uploaded at a scheduled time.

  C. Logs are forwarded as they are received.

  D. Logs and content files are forwarded as they are received.

  Correct Answer: B

  https://www.fortinetguru.com/2020/07/log-forwarding-fortianalyzer-fortios-6-2-3/ https://docs.fortinet.com/document/fortianalyzer/6.2.0/administration-guide/420493/modes Reference: https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/63238/what-is- the-difference-between-log-forward-and-log-aggregation-modes

• Question 29:

  View the exhibit.

  

  What does the data point at 14:35 tell you?

  A. FortiAnalyzer is dropping logs.

  B. FortiAnalyzer is indexing logs faster than logs are being received.

  C. FortiAnalyzer has temporarily stopped receiving logs so older logs' can be indexed.

  D. The sqlplugind daemon is ahead in indexing by one log.

  Correct Answer: B

  Raw logs are received and then that log is indexed. So indexing can never be ahead of logs received. But it can be that at a certain point in time logs are being indexed faster than they are received.

  If you look at the study guide you will notice that there is something called Insert Lag Time. And in this example it's between 30-50 seconds. The point is the indexing of the logs can't be ahead if it gets processed a few seconds later.

  https://docs.fortinet.com/document/fortianalyzer/6.2.5/administration-guide/47690/insert- rate-vs-receive-rate-widget

• Question 30:

  Which statements are true regarding securing communications between FortiAnalyzer and FortiGate with SSL? (Choose two.)

  A. SSL is the default setting.

  B. SSL communications are auto-negotiated between the two devices.

  C. SSL can send logs in real-time only.

  D. SSL encryption levels are globally set on FortiAnalyzer.

  E. FortiAnalyzer encryption level must be equal to, or higher than, FortiGate.

  Correct Answer: AD