Fortinet NSE7_ADA-6.3 Online Practice Questions and Exam Preparation

Fortinet NSE7_ADA-6.3 Online Questions & Answers

• Question 1:

  Which three statements about phRuleMaster are true? (Choose three.)

  A. phRuleMaster queues up the data being received from the phRuleWorkers into buckets.
  B. phRuleMaster is present on the supervisor and workers.
  C. phRuleMaster is present on the supervisor only
  D. phRuleMaster wakes up to evaluate all the rule data in series, every 30 seconds.
  E. phRuleMaster wakes up to evaluate all the rule data in parallel, even/ 30 seconds
  A. phRuleMaster queues up the data being received from the phRuleWorkers into buckets.
  B. phRuleMaster is present on the supervisor and workers.
  E. phRuleMaster wakes up to evaluate all the rule data in parallel, even/ 30 seconds

  ---

  explanation:

  Explanation/Reference:

  phRuleMaster is a process that performs rule evaluation and incident generation on FortiSIEM. phRuleMaster queues up the data being received from the phRuleWorkers into buckets based on time intervals, such as one minute, five minutes, or ten minutes. phRuleMaster is present on both the supervisor and workers nodes of a FortiSIEM cluster. phRuleMaster wakes up every 30 seconds to evaluate all the rule data in parallel using multiple threads.

• Question 2:

  How do customers connect to a shared multi-tenant instance on FortiSOAR?

  A. The MSSP must provide secure network connectivity between the FortiSOAR manager node and the customer devices.
  B. The MSSP must install a Secure Message Exchange node to connect to the customer's shared multi-tenant instance.
  C. The customer must install a tenant node to connect to the MSSP shared multi-tenant instance.
  D. The MSSP must install an agent node on the customer's network to connect to the customer's shared multi-tenant instance.
  D. The MSSP must install an agent node on the customer's network to connect to the customer's shared multi-tenant instance.

  ---

  explanation:

  Explanation/Reference:

  To connect to a shared multi-tenant instance on FortiSOAR, the MSSP must install an agent node on the customer's network. The agent node acts as a proxy between the customer's devices and the FortiSOAR manager node. The agent node also performs data collection, enrichment, and normalization for the customer's data sources. References: Fortinet NSE 7 - Advanced Analytics 6.3 Exam Description, page 11

• Question 3:

  In the event of a WAN link failure between the collector and the supervisor, by default, what is the maximum number of event files stored on the collector?

  A. 30.000
  B. 10.000
  C. 40.000
  D. 20.000
  B. 10.000

  ---

  explanation:

  Explanation/Reference:

  By default, the maximum number of event files stored on the collector in the event of a WAN link failure between the collector and the supervisor is 10.000. This value can be changed in the collector.properties file by modifying the parameter max_event_files_to_store. References: Fortinet NSE 7 - Advanced Analytics 6.3 Exam Description, page 13

• Question 4:

  Refer to the exhibit.

  

  The rule evaluates multiple VPN logon failures within a ten-minute window. Consider the following VPN failure events received within a ten-minute window:

  

  How many incidents are generated?

  A. 1
  B. 2
  D. 3
  B. 2

  ---

  explanation:

  Explanation/Reference:

  The rule evaluates multiple VPN logon failures within a ten-minute window. The rule will generate an incident if there are more than three VPN logon failures from the same source IP address within a ten-minute window. Based on the VPN

  failure events received within a ten-minute window, there are two incidents generated:

  One incident for source IP address 10.10.10.10, which has four VPN logon failures at 09:01, 09:02, 09:03, and 09:04.

  One incident for source IP address 10.10.10.11, which has four VPN logon failures at 09:06, 09:07, 09:08, and 09:09.

• Question 5:

  Refer to the exhibit.

  

  An administrator runs an analytic search for all FortiGate SSL VPN logon failures. The results are grouped by source IP, reporting IP, and user. The administrator wants to restrict the results to only those rows where the COUNT >= 3. Which user would meet that condition?

  A. Sarah
  B. Jan
  C. Tom
  D. Admin
  C. Tom

  ---

  explanation:

  Explanation/Reference:

  The user who would meet that condition is Tom. Tom has four rows in the results where the COUNT is greater than or equal to three, meaning he had at least three SSL VPN logon failures from the same source IP and reporting IP. The other users have either less than three rows or less than three COUNT in each row.

• Question 6:

  Refer to the exhibit.

  

  Which statement about the rule filters events shown in the exhibit is true?

  A. The rule filters events with an event type that belong to the Domain Account Locked CMDB group or a reporting IP that belong to the Domain Controller applications group.
  B. The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting |P that belong to the Domain Controller applications group.
  C. The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a user that belongs to the Domain Controller applications group.
  D. The rule filters events with an event type that equals Domain Account Locked and a reporting IP that equals Domain Controller applications.
  B. The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting |P that belong to the Domain Controller applications group.

  ---

  explanation:

  Explanation/Reference:

  The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting IP that belong to the Domain Controller applications group. This means that only events that have both criteria met will be processed by this rule. The event type and reporting IP are joined by an AND operator, which requires both conditions to be true.

• Question 7:

  Which three processes are collector processes? (Choose three.)

  A. phAgentManaqer
  B. phParser
  C. phRuleMaster
  D. phReportM aster
  E. phMonitorAgent
  B. phParser
  C. phRuleMaster
  E. phMonitorAgent

  ---

  explanation:

  Explanation/Reference:

  The collector processes are responsible for receiving, parsing, normalizing, correlating, and monitoring events from various sources. The collector processes are phParser, phRuleMaster, and phMonitorAgent.

• Question 8:

  Refer to the exhibit.

  

  Is the Windows agent delivering event logs correctly?

  A. The logs are buffered by the agent and will be sent once the status changes to managed.
  B. The agent is registered and it is sending logs correctly.
  C. The agent is not sending logs because it did not receive a monitoring template.
  D. Because the agent is unmanaged. the logs are dropped silently by the supervisor.
  D. Because the agent is unmanaged. the logs are dropped silently by the supervisor.

  ---

  explanation:

  Explanation/Reference:

  The windows agent is not delivering event logs correctly because the agent is unmanaged, meaning it is not assigned to any organization or customer. The supervisor will drop the logs silently from unmanaged agents, as they are not associated with any valid license or CMDB.

• Question 9:

  Identify the processes associated with Machine Learning/Al on FortiSIEM. (Choose two.)

  A. phFortiInsightAI
  B. phReportMaster
  C. phRuleMaster
  D. phAnomaly
  E. phRuleWorker
  A. phFortiInsightAI
  D. phAnomaly

  ---

  explanation:

  Explanation/Reference:

  The processes associated with Machine Learning/AI on FortiSIEM are phFortiInsightAI and phAnomaly. phFortiInsightAI is responsible for detecting anomalous user behavior using UEBA (User and Entity Behavior Analytics) techniques. phAnomaly is responsible for detecting anomalous network behavior using NTA (Network Traffic Analysis) techniques.

• Question 10:

  From where does the rule engine load the baseline data values?

  A. The profile report
  B. The daily database
  C. The profile database
  D. The memory
  C. The profile database

  ---

  explanation:

  Explanation/Reference:

  The rule engine loads the baseline data values from the profile database. The profile database contains historical data that is used for baselining calculations, such as minimum, maximum, average, standard deviation, and percentile values for various metrics.