Fortinet Fortinet Certifications NSE7_ADA-6.3 Questions & Answers

• Question 1:

  Which two statements about the maximum device limit on FortiSIEM are true? (Choose two.)

  A. The device limit is defined per customer and every customer is assigned a fixed number of device limit by the service provider.

  B. The device limit is only applicable to enterprise edition.

  C. The device limit is based on the license type that was purchased from Fortinet.

  D. The device limit is defined for the whole system and is shared by every customer on a service provider edition.

  Correct Answer: BC

  Explanation: The device limit is a feature of the enterprise edition of FortiSIEM that restricts the number of devices that can be added to the system based on the license type. The device limit does not apply to the service provider edition, which allows unlimited devices per customer. The device limit is determined by the license type that was purchased from Fortinet, such as 100 devices, 500 devices, or unlimited devices.

• Question 2:

  Refer to the exhibit.

  

  Why was this incident auto cleared?

  A. Within five minutes the packet loss percentage dropped to a level where the reporting IP is the same as the host IP

  B. The original rule did not trigger within five minutes

  C. Within five minutes, the packet loss percentage dropped to a level where the reporting IP is same as the source IP

  D. Within five minutes, the packet loss percentage dropped to a level where the host IP of the original rule matches the host IP of the clear condition pattern

  Correct Answer: D

  Explanation: The incident was auto cleared because within five minutes, the packet loss percentage dropped to a level where the host IP of the original rule matches the host IP of the clear condition pattern. The clear condition pattern specifies that if there is an event with a packet loss percentage less than or equal to 10% and a host IP that matches any host IP in this incident, then clear this incident.

• Question 3:

  Which three statements about collector communication with the FortiSIEM cluster are true? (Choose three.)

  A. The only communication between the collector and the supervisor is during the registration process.

  B. Collectors communicate periodically with the supervisor node.

  C. The supervisor periodically checks the health of the collector.

  D. The supervisor does not initiate any connections to the collector node.

  E. Collectors upload event data to any node in the worker upload list, but report their health directly to the supervisor node.

  Correct Answer: BCE

  Explanation: The statements about collector communication with the FortiSIEM cluster that are true are:

  Collectors communicate periodically with the supervisor node. Collectors send heartbeat messages to the supervisor every 30 seconds to report their status and configuration.

  The supervisor periodically checks the health of the collector. The supervisor monitors the heartbeat messages from collectors and alerts if there is any issue with their connectivity or performance.

  Collectors upload event data to any node in the worker upload list, but report their health directly to the supervisor node. Collectors use a round-robin algorithm to distribute event data among worker nodes in the worker upload list, which is

  provided by the supervisor during registration. However, collectors only report their health and status to the supervisor node.

• Question 4:

  On which disk are the SQLite databases that are used for the baselining stored?

  A. Disk1

  B. Disk4

  C. Disk2

  D. Disk3

  Correct Answer: D

  Explanation: The SQLite databases that are used for the baselining are stored on Disk3 of the FortiSIEM server. Disk3 is also used for storing raw event data and CMDB data.

• Question 5:

  Refer to the exhibit.

  

  An administrator deploys a new collector for the first time, and notices that all the processes except the phMonitor are down. How can the administrator bring the processes up?

  A. The administrator needs to run the command phtools --start all on the collector.

  B. Rebooting the collector will bring up the processes.

  C. The processes will come up after the collector is registered to the supervisor.

  D. The collector was not deployed properly and must be redeployed.

  Correct Answer: C

  Explanation: The collector processes are dependent on the registration with the supervisor. The phMonitor process is responsible for registering the collector to the supervisor and monitoring the health of other processes. After the registration is successful, the phMonitor will start the other processes on the collector.

• Question 6:

  What happens to UEBA events when a user is off-net?

  A. The agent will upload the events to the Worker if it cannot upload them to a FortiSIEM collector

  B. The agent will cache events locally if it cannot upload them to a FortiSIEM collector

  C. The agent will upload the events to the Supervisor if it cannot upload them to a FortiSIEM collector

  D. The agent will drop the events if it cannot upload them to a FortiSIEM collector

  Correct Answer: B

  Explanation: When a user is off-net, meaning they are not connected to a network where a FortiSIEM collector is reachable, then UEBA events will be cached locally by the agent if it cannot upload them to a FortiSIEM collector. The agent will store up to 100 MB of events in a local database file and try to upload them when it detects a network change or every five minutes.

• Question 7:

  Why can collectors not be defined before the worker upload address is set on the supervisor?

  A. Collectors can only upload data to a worker, and the supervisor is not a worker

  B. To ensure that the service provider has deployed at least one worker along with a supervisor

  C. Collectors receive the worker upload address during the registration process

  D. To ensure that the service provider has deployed a NFS server

  Correct Answer: C

  Explanation: Collectors cannot be defined before the worker upload address is set on the supervisor because collectors receive the worker upload address during the registration process. The worker upload address is a list of IP addresses of worker nodes that can receive event data from collectors. The supervisor provides this list to collectors when they register with it, so that collectors can upload event data to any node in the list.

• Question 8:

  Refer to the exhibit.

  

  If the Z-score for this rule is greater than or equal to three, what does this mean?

  A. The rate of firewall connection is optimum.

  B. The rate of firewall connection is above the historical average value.

  C. The rate of firewall connection is above the current average value.

  D. The rate of firewall connection is below historical average value.

  Correct Answer: B

  Explanation: If the Z-score for this rule is greater than or equal to three, it means that the rate of firewall connection is above the historical average value. The Z-score is a measure of how many standard deviations a value is away from the mean of a distribution. A Z-score of three or more indicates that the value is significantly higher than the mean, which implies an anomaly or deviation from normal behavior.

• Question 9:

  Refer to the exhibit. Click on the calculator button.

  

  Based on the information provided in the exhibit, calculate the unused events for the next three minutes for a 520 EPS license.

  A. 72460

  B. 73460

  C. 74460

  D. 71460

  Correct Answer: B

  Explanation: The unused events for the next three minutes for a 520 EPS license can be calculated by multiplying the licensed EPS by the time interval and subtracting the total number of events received in that interval. In this case, the calculation is: 520 x 180 - 27000 = 73460

• Question 10:

  Refer to the exhibit.

  

  The exhibit shows the output of an SQL command that an administrator ran to view the natural_id value, after logging into the Postgres database. What does the natural_id value identify?

  A. The supervisor

  B. The worker

  C. An agent

  D. The collector

  Correct Answer: D

  Explanation: The natural_id value identifies the collector in the FortiSIEM system. The natural_id is a unique identifier that is assigned to each collector during the registration process with the supervisor. The natural_id is used to associate events and performance data with the collector that collected them.