Fortianalyzer 6.4

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

How does the IOC work (what is the flow from which logs are recorded on a fortigate and sent to the FAZ to be analyzed) (5)

1) fortianalyzer downloads threat intelligence package every day (TDS) 2) fortigate sends security logs to fortianalyzer 3) fortianalyzer runs real-time threat detection when it receives the web filter logs 4) FAZ calculates a threat score for the end user based on the score in the TDS and gives a verdict for the IOC 5)customers can see consolidated view of compromised devices on FAZ fortiview

How to set up two factor with a remote server 2 steps

1) configure the remote (RADIUS) server to point to the fortiauthenticator 2) create the admin account and point it to the remote server (System settings > admin > administrator)

Why may not configuring a fortigate to send logs to two devices be feasible

1) it increases load on fortigate because the log daemon needs two TCP connections to send the logs (one for each device it's sending to) 2) smaller fortigate devices do not support this

Steps to upgrade HA cluster firmware (4)

1) log into the GUI of the primary 2) upgrade the primary device 3) when primary reboots the secondary will automatically be promoted to primary 4) when upgrade is complete repeat steps 1&2 5)repeat until all devices are upgraded

What are a few ways to troubleshoot communication issues (5)

1) execute ping to see if they can communicate 2) diag sniffer packet to see if traffic is leaving and if it's reaching the other device 3) show log fortianalyzer setting (FGT) 4) diagnose log test (FGT) Is fortigate capable of generating logs 5) diagnose test application oftpd 8 To see if fortianalyzer is capable of receiving logs

How can you ensure log integrity and prevent logs from being tampered with in storage and prevent MITM when uploaded (2)

Add a log checksum under the Config sys global command Or set custom OFTP certificate You can configure FAZ to record a log file hash value, time stamp, and authentication code when the log is rolled and archived and when the log is uploaded

How can you fine-tune the data set in love you in order to create a custom data set in chart with chart builder

Add more columns setting a group, order by, and sort filter setting a limit on results setting the device and time frame

Log data sync process

After the initial log sync, the cluster goes into real time log sync state. This is turned on by default on all devices in HA cluster. When turned on the primary device will forward logs in real time to the back up devices. If the primary fails the secondary that is selected to be the new primary will continue to sync logs with the backup devices.

Adom and purpose

Allow you to group devices to monitor and manage Divide administration of devices (restrict access) And more efficiently manage data policies and disk space allocation

Web service admin access protocol

Allows access to fortianalyzer from a web service such as SOAP (a messaging protocol that allows programs that run on a disparate OS)

Fortimanager admin access protocol

Allows fortianalyzer to be managed by a fortimanager

What is log fetching

Allows fortianalyzer to fetch archived logs of specified devices from another fortianalyzer which you can then run reports on

How does the fabric connectors enhance the fortiSOC SOAR playbook feature

Allows playbooks to perform tasks using connected devices (fortiOS, and forticlient EMS)

When configuring an event handler what is the generic text filter for

Allows precise control over which logs trigger an event. Use operators such as == != < etc. To make it easy you can copy a string from the raw log file that you want to match

How does log fetching simplify the generation of reports (3)

Allows the admin to select the devices and time period to be indexed Allows you to customize log retention on the pulled logs for reports Avoids log duplication

What does the chart builder tool do

Allows you to build a data set and chart automatically based on your filtered search results Set filters to return the locks you want then in the tools menu select chart builder to automatically billed the search into a data set in chart

What would you use RAID for

Allows you to have copies of your logs in case a critical event on FAZ occurs and a disk is damaged

Log view

Allows you to view traffic logs, event logs, and security logs for each ADOM Log view can be restricted to one or more devices in the ADOM or to a log group

A SQL SELECT query polls the _____ for specific information. Based on the ____, a subset of information stored in the logs is extracted. The subset of data populated a ___ and one or more ____ exist within a report

Database Query Chart Charts

What is required when creating a new chart

Dataset That will query the database for the information you want

What two elements do the FAZ report charts consists of:

Datasets - the SQL queries that extract specific data from the database Format - format in which the data is displayed (Pie, bar, tables)

How can you validate all custom data sets in one click

Datasets page > toolbar click validate all custom

What is the fabric ADOM

Default ADOM that all fortinet devices in a security fabric can be placed in regardless of type

Command what is the log receiver rate for all adoms

Di de en Diagnose fortilogd lograte-adom all

Command what is the log receive rate for a specific adom

Di de en Diagnose fortilogd lograte-adom {ADOM name}

Command what is the log rate for each log type?

Di de en Diagnose fortilogd lograte-type

Command what is the log volume for all ADOMS

Di de en Diagnose fortilogd logvol-adom all

Command what is the log volume for a specific adom

Di de en Diagnose fortilogd logvol-adom {ADOM name}

Command what is the device log usage for all logging devices

Di de en Diagnose log device

Command what is the SQL insertion status

Di de en Diagnose sql status sqlplugind

Command what is the device log rate?

Di de en Diagnose fortilogd lograte-device

Command what are the log recieve rate totals?

Di de en Diagnose fortilogd lograte-total

Command. What is the log receive rate for each second?

Diagnose debug enable Diagnose fortilogd lograte

Command what is the message recieve rate for each second?

Diagnose fortilogd msgrate Di de en

What command would you do to see detailed hardware information such as processor, swap memory, etc

Diagnose hardware info

Command to monitor log rate coming from each device

Diagnose log device

Command to show reserved disk space

Diagnose log device

Commands to troubleshoot report generation. What are the current SQL processes running (any log queries )

Diagnose sql process list

Commands to troubleshoot report generation. What is the hcache size on the file systwm

Diagnose sql show hcache-size

Commands to troubleshoot report generation. What is the SQL insertion status

Diagnose sql status sqlplugind

Commands to troubleshoot report generation. What are the SQL query connections and hcache status

Diagnose sql status sqlreportd

Commands to troubleshoot report generation. Is the hcache creation table able to catch up? What are the log file related activities (rolled,deleted, uploaded)

Diagnose test application logfiled 2

Commands to troubleshoot report generation. What is the state of the hcache

Diagnose test application sqlrptcached <level>

How can you reduce load on fortianalyzer fortview module (hint: DNS)

Disable the resolve-ip feature and have the fortigates resolve IPs instead

Fabric view identity center pane

Displays a list of users and endpoints in the network from relevant logs Correlated them to fortianalyzer modules Useful for user and endpoint mapping Gives you better viability when you analyze logs, events, and incidents

Show system ntp

Displays automatic time settings using the NTP server

Show system dns

Displays dns server addressss

Get system NTP

Displays how often fortianalyzer synchronizes it's time with the NTP server

Show system interface

Displays network interface config on device such as configured ports and ip addresses and admin protocols

Show system route

Displays static routing table entries on your fortianalyzer device

Get system status

Displays status of device

Best practices to manage logs (7)

Document what is being logged and why Ensuring data is being captured and not filtered for all devices and apps Centralizing log storage and standardizing format Synching time on all log devices Maintain backup of logs and implement log retention policy Design procedures to maintain data integrity Test incident response plan

Which logs are not forwarded for forwarding log mode

Does not forward content files (DLP, antivirus quarantine, and IPS)

If you use the "add device" wizard and ADOMS are enabled, what ADOM will the device be registered to

Either the device specific prebuilt ADOM or the custom ADOM that you are currently working in

You've created a custom chart but it's not showing up in the chart library

Enable the show custom button

What is the fabric view module

Enables you to create fabric connectors and view the list of endpoints

How can you protect log communication between devices

Encrypt them with OFTP (Optimized fabric transfer protocol)

Subtype of the event log type

Endpoint HA System User Router VPN Wireless

Example of additional information variables included in a handler filter

Endpoint ${groupby1} is infected by virus ${virus}. Variable must be enclosed by a pair of curly braces following a dollar sigb

How often does FAZ downloads the TDS fortiguard package

Every day

How often does logfiled check the other process to estimate space used by the SQL database

Every two minutes (unless system resources are high)

What devices can perform tasks according to a playbook configured on fortiSOC

FAZ Any device configured with a fortiSOC fabric connector

Since FAZ has a finite disk space what do you need to know (3)

FAZ disk quota and what is included How the quota is enforced What space is reserved and not available for storing logs

Why do I need to buy an IOC license? It seems to be working without one because I can see lists of compromised hosts in fortview

FAZ includes an evaluation license, but it is limited

Fortimanager log type

Event

Fortiweb log types

Event IPS Traffic

Where can you see alerts

Event manager Or configure to send alerts by an email, SNMP, or sys log

In order to populate a chart with data FAZ relies on what

An SQL SELECT query

When allowed disk space is full what happens

An alert message with generate internet the alert message console (dashboard > alert message console) with event level warning. Oldest logs will be over written.

RAID 1

An exact copy of a set of data one two or more disks. Performance and reliability are main goals. Includes fault tolerance. If one fails the other disk can keep working

What is a wildcard administrator A local administrator account that is used to permit group access Or An external administrator account that is used to permit group access

An external administrator account that is used to permit group access

Logs in the indexed phase are known as

Analytic logs

What kind of logs are displayed in fortview (analytical or archive)

Analytical

What is default mode

Analyzer

Two fortianalyzer operating modes

Analyzer and collector

What is fortiview

Another way to view log data. Real time and historical data in summary views Only data from analytical logs are available and not archive logs

How can logs be viewed on fortianalyzer

As a generated report or manually in the GUI

How can you restrict your administrators access to a subset of your organizations ADOM

Assigns the ADOMS to the admins account

What do the cloud out connectors allow you to do

Back up data (rolled logs) to public cloud accounts in Amazon S3, Microsoft azure and Google cloud

Why may you see unauthorized when you click test connection after configuring the fortianalyzer IP in the fortigate centraL management

Because the fortianalyzer admin has not accepted the register request

How can you change the design of a report

By adding separators, page breaks, images, and renaming charts

How can you edit a predefined template

By cloning it and making changes. You can't edit it directly

If an ORDER BY is not specified how are the rows returned?

By whoever order the system finds fastest

How can you drill down details on a compromised host

Double click the entry

What options does the admin have when authorizing a registration request for a device in fortianalyzer

Changing the device name and changing the ADOM

Command to set custom OFTP certificate and what is needed

Config system certificate OFTP Set custom enable Set certificate <PEM formatted cert> Set private-key <PEM KEY> PEM= privacy enhanced mail

Command to enable ip to hostname resolving in fortview

Config system fortiview settings Set resolve-ip enable

Command to set fortianalyzer encryption level

Config system global Set enc-algorithm <High* | low | medium>

Command to set log forwarding mode on both the client and server FAZs

Config system log-forward Edit <log aggregation ID> Set mode <aggregation, forwarding disable>

Command to configure FAZ server that logs are forwarded to

Config system log-forward-service Set accept-aggregation enable End

How can you configure report grouping

Config system report group Edit # Set ADOM Config group-by Edit <sql column> Next Edit vd Next End Set report-like <report name string> next End

What do fortigates with an SDD disk have that is beneficial when connection to FAZ Is lost and logs need to be buffered

Configurable buffer log so fortigate can buffer logs on disk if memory log buffer is full. When connection is restored they will be sent to Faz

SELECT statement

First word in the SQL SELECT query describing what dataset is to be pulled and displayed from the database

When is hcache automatically enabled

For scheduled reports

Diagnose ha force-cfg-resync

Force ha to resync config

Execute format disk and when should you do this

Formats disk and after resetting the configuration

Similar to the chart Builder feature in log view, where else can you export a chart from a custom view

Fort view Click top right door icon on toolbar and click export to report chart

Where is the incidents and events pane and what needs to be enabled on FAZ to have the pane

FortiSOC SOAR

Where can you view the status of playbook jobs

FortiSOC > automation > playbook monitor

Where do you create a new event handler

FortiSOC > handler > event handler list > create

What three devices can logs be forwarded to when aFAZ is in forwarding mode

Fortianalyzer Sys log server CEF server (common event format)

How do fabric connectors reduce performance degradation

Fortianalyzer will send out logs and notifications. This is more efficient than third party platforms polling information from fortianalyzer API in pre-defined intervals which could reduce performance

What two factor authentication is recommended

Fortiauthenticator and FortiToken

What are the four fortiview monitor dashboards for forticlient ST(AW)E

Forticlient software inventory Threat (forticlient) Applications and websites(forticlient) Endpoints(forticlient)

With which ADOM device type must you also select the firmware version

Fortigate

What devices will fortview display log data for (3)

Fortigate Forticarrier Forticlient EMS

What ADOMs are macros supported in (3)

Fortigate and forticarrier and fabric

In order to view fortigate event logs on Fortianalyzer what configuration is required Fortigate must be registered registered to the root ADOM or Fortigate logging settings must have event logging enabled

Fortigate logging settings must have event logging enabled

If ADOMS are disabled what device types are allows to be registered on fortianalyzer

Fortigate only. All device types accepted in ADOMS enabled

Fortilogd daemon

Fortigate/fortianalyzer real time forwarded logs

What devices are supported by fortianalyzer

Fortigate/forticarrier Fortianalyzer Forticache Fortiddos Fortimail Fortimanager Fortisandbox Fortiweb Sys log Chassis

What are the default primary and secondary dns server addresses

Fortiguard DNS

What tools does collector mode not support that analyzer mode does (4 + 1 setting feature)

Fortiview Fabric view Fortisoc Reports Event manager

What two panes does fortiview include

Fortiview Monitors

WhereCan you monitor fortigate administrator logins, system activity, and failed authentications

Fortiview > system > failed authentication attempts, admin logins, system events

Where can you monitor fortigate administrative activity (system and administrator-invoked events)

Fortiview > system > system events

To view reporting and historical audit of detections on malware, botnet, and intrusions where do you look

Fortview > threat report

Subtype of the traffic log type

Forward Local Sniffer

Diagnose test application uploadd 63

Gives details such as usage quota, total data upload, total number of files uploaded, number of days remaining until license expiry, and number of unloaded quests that were dropped

If you want to view local logs such as configuration changes and logins performed by a specific user how can you find them

Go to event log and filter by user

How can you monitor and view admin tasks, progress and status of tasks and what is displayed

Go to system settings > task monitor Shows the ID Source (device manager, reports, etc) descriptions (add/delete a device) user, status, time, ADOM, and start time Basically an audit log

Log lag time

How many seconds the database is behind in processing logs

What are the two cluster modes and how to change it

Hugh availability (active passive) Stand-alone System settings > HA

What can you do to customize a chart

If a pre-defined charge does not meet your requirements you can either clone and edit charts and data sets or create new charts and data sets from scratch

Why might a playbook job status be failed

If one or more tasks in the job were failed. There may be some successful tasks tho

What are the rules in selecting a new primary device

If primary goes down the device with the highest priority will be elected If the priorities are the same the device whose primary IP has the greatest value is selected (192.168.2.2 would be selected over 192.168.2.4)

Example of SELECT query with OFFSET and LIMIT clauses

If you place a limit of three records and an offset of one, the first record that would normally be returned is skipped and instead the second third and fourth records would be returned

How soon do configuration changes take effect

Immediately

Where is the chart builder tool located

In Longview and it looks like a wrench in the top right corner of the toolbar

Why is it recommended to clone and edit pre-defined reports instead of directly editing the report

In case your edits are not successful then the pre-defined report is preserved

Where can you view details about application logs

In log view > log browse > right click on app events > select display to see details

Where would you analyze SIEM logs

In log view search for fabric logs

How can you group remote authentication servers CLI, GUI, or both

In the CLI

Two subtypes for FAZ application logs

Incident management Automation playbooks

Why would you disable case sensitive search in log view

Increased search flexibility because you don't have to match case

IOC engine

Indicator of compromise Detects end users with suspicious web page usage compromises by checking new and historical web filter logs against IOC signatures (based on fortiguard sub)

What five clauses does FAZ use for SELECT queries in reports and what are they (bonus 6th)

FROM - selects table WHERE - sets conditions (all rows not justifying condition are eliminated GROUP BY - collects data across multiple records and groups the results by one or more columns ORDER BY - orders the results by rows (desc, ascend) LIMIT - limits number of records returned based on limit value OFFSET - used with LIMUT to offset the results by a set value

What options are there to upload a generated report to a server

FTP SFTP SCP

By default what is the ADOM type set to for root and when creating a new one

Fabric

What three panes are available in fabric view

Fabric connectors Identity center Assets

How to create a new fabric connectors

Fabric view > fabric connector > create new

True or false. Backup should be encrypted when working with fortinet support

False

True or false: multiple device types can be assigned to one ADOM if it is a custom ADOM

False Only one device type can be assigned to a specific ADOM for that device type whether it's a custom or default ADOM

True or false. The only option for fortigate devices in HA to be discovered is my manually adding cluster members

False FAZ will discover if the fortigates are in a cluster. Although If you don't configure HA until after the device is registered you can manually add the cluster member in device manager > enable ha cluster

true or false: reports are generated in the root ADOM

False each ADOM has it's own reports, libraries, and advanced settinfs

True or false an ha pair generates only one set of logs

False each member generates their own logs

True or false a playbook task can be configured with default inputs and inputs from the trigger ONLY

False it can take inputs from the trigger, default input values, or preceding tasks

True or false Reports provide recommendations and give indications of problems

False that must be analyzed and concluded by whoever is reviewing the report

Trusted hosts only apply to gui

False they apply to GUI and CLI

True or false: log groups have a separate SQL database but take up only a Minuit portion of disk space

False they are logical and do not have a SQL databases or take up additional disk space

True or false Clauses can be coded in whichever sequence

False they must be coded in a specific sequence

True or false you can delete default ADOMS

False you cannot

True or false templates contain data

False. Data is added to the report when it is generated

True or false - it is recommended to move devices between ADOMS if needed

False. Only if you HAVE to

What are the benefits of the security fabric adom

Fast data processing Log correlation Combines results for devices in: reports Fortiview Incidents & events/fortisoc

What is a fortiSOC playbook

Feature that allows you to configure triggers and a sequence of automated actions (almost like a button) they can be created from scratch or by a predefined template Playbook starts with a trigger and flows through the remaining tasks as defined by the routes in the playbook

Two types (statuses) of devices and what are each

Registered - devices authorized to store logs on fortianalyzer Unregistered - devices requesting to store logs on fortianalyzer

If the same or similar reports will be run against many different fortigate devices, what report feature can you use to improve report generation time

Report grouping

What does a check icon mean next to a scheduled report in the report calendar and what is the clock icon

Report has generated Clock icon is report is pending

When you hover your cursor over a scheduled report in the report calendar what is displayed

Report name Status Device type

How can you export and import reports

Report pages > right click

Three key features of fortianalyzer

Reporting Reports provide a clear picture of network events, activities, and trends occurring on supported devices Alerts System generated alerts when specific trigger conditions are met Content archiving Provides a way to simultaneously log and archive copies of data transmitted over the network. Prevents data leak (DLP) and also can be used to record network use.

Which of these modules does a fortianalyzer HA cluster synchronize during configuration synchronization Reports Incidents

Reports

What modules does the A-A HA mode enhance

Reports Fortiview NOC-SOC Does this by load balancing ina round-robin fashion to the secondary devices to improve performance. Reports will be available on all cluster members

How do you change the chart filters in a report

Reports Layout tab Right click chart Chart properties

While you can directly edit the layout of predefined ____ you cannot with predefined _____

Reports Templates

How to view graphical view of scheduled reports

Reports > advanced > report calendar

What two ways are there to attach a report to an incident

Reports > generated reports Manually after incident creation by right clicking the report and selecting "attach to incident" You can also manually attach by going to fortiSOC/ incidents and events > incidents and click the reports tab then click add Or automatically by a SOAR automation playbook

Where can you clone a report from

Reports > report definitions > all reports

Where can you create a new report from blank

Reports > report definitions > all reports

Where can you view reports

Reports > report definitions > all reports

Where can you create or clone and modify existing charts

Reports > report definitions > chart library

Where can you create or clone a data set

Reports > report definitions > datasets

SELECT * FROM $log

Reports > report definitions > datasets Query: SELECT * FROM $log This query will return everything from the log type you specify. It will achieve the column heading names and indicate what is available in the database schema for the selected type.

How do you search for specific logs in log view

Select the device where it says "all devices" in the top left corner Select the log type on the left hand side (traffic, security, event) Apply any filters such as category description for WEB filter logs, time, frame, source or destination ip, etc

Listen features of blank reports

Settings and lay out customizable Option to save it as a template However everything is blank so you must configure it

Diagnose ha stats

Shows ha stats

Diagnose ha status

Shows ha status

Log insert lag time

Shows the amount of time between when a log was received and when it was indexed Or Difference between log received and log inserted in the database

What is the insert vs receive rate graphs in system settings

Shows the rate at which raw logs reach the fortianalyzer (receive rate) and the rate at which they are indexed (insert rate) by the sql database and the sqlplugind daemon

What does the failed authentication section of fortiview display Fortiview > system > failed authentication attempts

Shows the source IP of login, login type (admin, SNMP, etc) interface and number of failed

What logs are collected (4)

Logs - traffic, event, security DLP archive - email, IM, web traffic, FTP, NNTP Quarantine - log files quarantines by device IPS packet log - logs the network packets containing the traffic matching IPS signatures

What is synced between ha members in a cluster

Logs and data and system and config settings applicable to HA

DLP archive

Logs information about sensitive data trying to get in or out of your network Email IM Web traffic FTP NNTP 1 of 4 types of collected logs

What is the default setting for securing log communication between FAZ and fortigate

OFTPS

How does log forwarding and communication with FAZ work for devices in an HA cluster

Only the primary communicates with FAZ. The secondary sends it's logs to the primary and the primary will forward to FAZ

OFTP

Optimized fabric transfer protocol used when information is synchronized between FortiAnalyzer and FortiGate. Listens in ports tcp/udp 514

OFTPs

Optimized fabric transfer protocol Listens on port TCP 514 and UDP 514 Default setting for securing communications between fortigate and fortanalyzer

Under what situation must ADOMS be enabled on fortianalyzer When a fortigate device wants to register with fortianalyzer When a fortimail device wants to register with fortianalyzer

When a fortimail device wants to register with fortianalyzer

Benefit of using the security fabric to set up fortianalyzer

When done on the upstream fortigate, any downstream fortigates will automatically receive the configuration for fortianalyzer and will all automatically request registration to fortianalyzer

When is fabric Sp used in SAML

When fortigate is acting as the Idp

When is data added to a report

When it is generates

When does hcache not need to be rebuilt

When no new logs are received for the reporting period

When are logs moved to archive

When the log file reaches a specific size it rolls over and is archived

How else can you customize log view besides adding filters and such?

You can add and remove columns by clicking the grid icon in the top right next to custom view You can view raw logs or formatted logs by clicking the wrench icon in the top right next to the column icon

Which statement about ADOM advanced mode is true You must assign fortigate and all of its VDOMS to a single ADOM You can assign the fortigate VDOMS from a single device to multiple fortianalyzer ADOMS

You can assign the fortigate VDOMS from a single device to multiple fortianalyzer ADOMS

Instead of creating a new chart what can you do it for the analyzer includes an existing chart that is very similar to the output that you want

You can clone and modify the chart

Fortiview monitors dashboard and widget features

You can create predefined or custom dashboards You can add, delete, move, or resize widgets You can add the same widget multiple times and apply different settings (such as chart type) to it You can resize widgets or display them in full screen

How can log view be restricted

You can display logs for one certain devices in the ADOM or to a log group

Features of a blank template

You can edit the layout but it is completely blank so you must configure it The toolbar allows you to insert existing charts and macros and let you add in format text as well as add images and links you can also save it as a new custom template and then use that template and reports

What is custom view used for in log view

You can save frequent searches as a custom view with the custom view icon on the toolbar

What must you know in order to create a query? (Hint it has to do with one of the two parts that comprise a chart)

You have to know what data/information is available to extract for the report (dataset) (database schema)

Why may advanced SQL knowledge be required

You may need to construct a custom SQL queries, known as dataset, to extract data you require from the database

What do you need to do after you configure report grouping using the config system report group CLI command

You must rebuild the report hcache tables with command| Exec sql-report hcache-build <ADOM name> >scheduled name> "<start time>" "<end time>"

What are event handlers Threats identified by Fortiguard Specific matched conditions in the raw logs

Specific matched conditions in the raw logs

Aside from increasing your disk log quota what can you do do to better manage you logs on disk and where can these be configured (2)

Specify a global log roll policy to roll or upload logs when the side exceeds a threshold System settings > advanced > device log settings Specify a global automatic deletion policy for all log files, quarantined files, reports, and content archive files on FAZ System settings > advanced > file management

Templates

Specify the layout, text, charts and macros to include in the report that uses it

If an administrative users job description requires them to manage devices but not system settings what is the most appropriate default admin profile to assign

Standard_user

Method 2 device registration

The fortianalyzer administrator uses the device registration wizard to register the device If the device is supported and the details are correct then the device is registered

What two ways can you log into fortianalyzer for the first time

The gui Or using terminal emulator for CLI

If a report is generating abnormal usernames what should you look at

The user obfuscate setting in the advanced report settinds

By default templates are associated with what kind of reports

Their predefined reports Ie template 360 degree security review is used by 360 degree security report

How are fabric connectors beneficial

They reduce storage costs, improve redundancy, and reduces performance degradation

What is hcache

They report generates the system builds the charts from pre-compiled SQL hard cache data or hcache

How do you decide if you should customize the template or the report

Think about the amount of customization required whether you want to preserve most of the report settings or whether you want to use the layout for one report or many reports

The purpose of the auto-cache setting on reports

To automatically update the hcache when new logs arrive

Why should hcache be enabled

To ensure reports are efficiently generated

Subsummaries of the threat summary for fortview (4)

Top threats Threat map Compromised hosts Fortisandbox detection

What information does device manager show

Total devices Total devices with down log statuses Total Storage used Per device: Name Ip Platform Log status Average log rate Device storage percent

What does the fortisoc events dashboard display (4)

Total events generated/mitigated/unhandled Events by severity Top Events by type Top events by handler

What does the fortisoc incidents dashboard display (3)

Total incidents Unsolved incidents And incidents timeline

What is included in the fortisoc playbook dashboard (5)

Total playbooks executed Total playbook actions executed Playbooks executed Overall time saved Total executed playbooks and actions

How is allocated space determined

by adding the archive and analytics quota for all ADOMs

True or false: each ADOM has it's own data analysis on fortiview

True

True or false: you can import and export reports and charts into a different ADOM within the Sam FAZ or a different FAZ BUT what must be the same

True The ADOM type must be the same

True or false. You can use fortianalyzer HA with different licenses

True but the license that allows for the smallest number of devices is used

True or false: you can store reports externally

True you can configure fortianalyzer to email generated reports to specific admins or upload to a syslog server

Feature to sent or permit access based on ip address

Trusted host

Diagnose ha debug-sync {on | off}

Turn on sync data debug to troubleshoot synching

When using PKI what are the authentication options (2)

Two factor Certificate only

what is required to use log fetcher

Two fortianalyzers running the same firmware

If datasets are not retrieving correct information what should you look at

check the SQL query associated with the dataset

What notification options are available for an event handler

Alert through fabric connector Alert email SNMP trap Sys log server alert

Admins with the super_user profile have access to All adoms Assigned adoms

All adoms

Name 5 predefined event handlers

Local device event Default-botnet-communication detection by threat Default-risky-app-detection-by-threat Default-malicious-file-detection-by-threat Default-risky-destination-detection-by-endpoint

Where do you enable remote logging to fortianalyzer in fortigate (2)

Log and report > log settings > remote logging and archiving > send logs to fortimanager/fortianalyzer Security fabric > fabric connectors > security fabric setup

Where can you download rolled logs

Log browse

What log feature is used to perform analysis on archived logs

Log fetch

Which fortianalyzer feature allows you to obtain the archive logs of specified devices from another fortianalyzer device Log forwarding in aggregation mode Log fetching

Log fetching

Two ways to enable fortianalyzer logging on fortigate

Log settings or security fabric

Where to create a log group

Log view > log group > create new

Execute lvm info

Provides a list fo available disks

What is the report calendar

Provides and overview of all you're scheduled reports

Which fortianalyzer feature becomes available when you subscribe to fortisoc service

SOAR

What is required to automatically attach a report to an incident

SOAR license

What language does fortianalyzer use for logging and reporting And what database does it use

SQL PostgreSQL

What is disabled by default when the fortianalyzer is in collector mode causing certain logs to not be available. How can this be fixed?

SQL database is disabled so logs requiring the SQL database won't be available unless the SQL database is enabled in the CLI

When creating a new data set what do you need to write

SQL select query

What are requirements for devices can be in a cluster together

Same fortianalyzer series, firmware, and same operation mode

What must be the same to restore an encrypted backup

Same model and firmware version

When you edit the layout of a cloned report what option does it give you to make report creation simpler next time

Save as template

What features require system time to be set correctly

Scheduling Logging SSL dependent features

Sdwan performance monitor widgets

Sdwan performance status Jitter Latency Packet loss Sdwan utilization by application Bandwidth utilization by sdwan rules Sdwan link utilization Sdwan high and critical events And sdwan rules utilization

If a hard disk on a fortianalyzer that supports software raid fails what should you do

Shut down fortianalyzer and replace the disk

Depending on a: Small Medium Large Very large Disk size, what level is reserved for system usage

Small < 500 gb - 20% or 50Gb (whichever smaller) Medium 500-1000gb - 15% or 100 gb Large 1000-3000gb - 10% or 200 gb Very large 3000-5000gb - 5% or 500gb

Diagnose system disk errors

Smart error logs

Diagnose system disk health

Smart health status

Diagnose system disk info

Smart information

If you have a high volume of logs why should you consider increasing ADOM log quota

So oldest logs are not lost

Where is HA implementation not supported

Some public cloud infrastructures such as AWS, AZURE, and Google cloud platform

Vital difference between template and reports

Templates include only the details you can find under the layout tab of the report they don't include report settings

After you write an SQL select query for a custom data set what can you do to ensure the query is well formed

Test it with the test button

Your ADOM data policy is set to keep logs in archive for 365 days, but the logs are being deleted prematurely from that ADOM and cpu resources are also high. What is most likely the problem?

The ADOM disk quota is set too low based on log rates

Forti carrier log types

Traffic Event

Forticache log type

Traffic Event Antivirus Web filter

What are the three log types for fortigate

Traffic Event Security

Forticlient log types

Traffic Event

Supported device log types (3)

Traffic Event Security 1 of 4 types of collected logs

Diagnose fmupdate dbcontract fds

Used to find out about license validity and expiry details (SCPC is storage connector service)

Fabric view assets pane

Useful for incident response: check assets that are infected or vulnerable as part of SOC analysis And compliance: identify unknown and non compliant users and endpoints

If forticlient is not installed on endpoints what kind of information is not available for endpoints

User information OS version Avatar Social ID Etc

What does fortiview > system > admin logins display

User, duration, logins, failed logins, config changes

How can you protect your logs

Using RAID

How do you specify the criteria that dictates what data is extracted from the SQL database

Using a select statement followed by the clause

What kind of network does fortianalyzer HA only work (has to do with a protocol that is permitted) and what is that protocol for

VRRP virtual router redundancy protocol Used to eliminate a single point of failure by creating a virtual router

What is the maximum number of ADOMs

Varies by fortianalyzer model

Diagnose system disk attributes

Vendor specific smart attributes

Raid 5

Block-level striping with distributed parity. Data and parity are striped across three or more disks. Better performance than mirroring as well as fault tolerance from a single drive

Example of a generic text filter for custom event handler filter

Dstip==192.168.1.168 and hostname ~ "Facebook" Dstip==192.168.1.168 and ( dstport == 514 or dstport == 515 )

Which is the only mandatory clause in a SELECT statement

FROM

When creating a new chart what options does it have you select

Name Description Data set Resolve host name Chart type Data bindings table type Columns

What data does the CLI command # diagnose sql show hcache-size provide

Hcache size on the file system

Aside from keeping the level of detail of reports down to a minimum why else is it a good idea to shorten reports

Helps with performance because large reports affect CPU and memory

What information is needed to Fr watch a fetch profile for the fetch server on the fetch client

Name Server IP User Password

What information is required about a device when using the "add device" registration wizard in fortianalzyer (5)

IP address Serial number Device name Device model Firmware

What are some details that can are shown for a compromised hosts

IP and hostname Detection time Number of threats Detect pattern Threat type (ie malware) Threat name (sinkhole or CnC) Category Detection method # of events Security action Log type

True or false: the FAZ encryption level much match the fortigate for OFTP only

No the FAZ must have equal or less encryption than the fortigate

What are the three types of fabric connectors that can be created in fabric view and what are the connectors for each

ITSM- ServiceNow webhook Storage- AmazonS3 Microsoft Azure Blob Google Security fabric- Forticlient EMS

What two options does fortianalyzer have for acting in part with SAML (3)

IdP or SP or fabric SP

Does transfer of logs to a file server begin instantly

No the logs are compressed first and stored in archive

If you have one fortianalyzer can you log fetch?

No, You would have to export and import the log file

When would your turn log sync off

If you want to use fortianalyzer as a standby device and not a backup device

What os does the fortianalyzer server run in

Linux

Diagnose dvm ADOM list

List all adoms

What else can you use instead of a password, password and token, password and _____, and______ with PKI

Password and digital certificate Certificate

Three fortiSOC dashboards

Playbooks Incidents Events

Three steps to set up log forwarding

1) set log forwarding mode 2) configure the server 3) configure the client

Disk quota is assigned to the ____

ADOM

What determines how long logs are kept in analytics (AKA SQL database)

ADOM data policy

Are output profiles a global or ADOM specific setting

ADOM specific

What is required to be enabled if you want to register a non-fortigate device on fortianalyzer

ADOMS

When registered devices send logs to fortianalyzer how are the logs processed

1) raw logs are compressed and saved in a log file on the FAZ disk 2) logs are indexed on the SQL database

How many log fetching sessions can be established at once

1

How many wildcard Accounts are permitted when using two factor

1

Report workflow (5)

1) SQL database log files 2) SQL SELECT query (dataset) 3) results of dataset query 4) dataset creates chart 5) chart or charts make up report

Three ways to implement log redundancy

1) configure FAZ HA cluster 2) configure fortigate to send logs to a backup log server 3) set up log forwarding in aggregation mode

Steps to configure HA (6)

1) set operation mode 2) set preferred role 3) set cluster interface and virtual IP 4) specify the other peer members IP and serial number 5) specify group name, group ID, password 6) heart beat interval and priority settings

Steps to increase disk space on FAZ VM (4)

1) stop the FAZ VM and add a new disk 2) reboot FAZ and do command execute lvm info 3) run execute lvm extend <disk number> 4) reboot FAZ Run get sys status to see the new disk

Max number of trusted hosts

10

What is default HA priority

100

By default how much disk space is each ADOM allowed and what is the minimum configurable limit

1000MB No less than 100mb per ADOM

By default how many charts to the chart library contain

300

By default how many data sets does the data set library contain

400

Max number of HA members

5 1 primary and 4 secondary

The system reserves _____ of disk space for ______ and ______

5-20% System usage Unexpected overflow

How far back can you view history for IOC

7 days

How much disk space is actually available for allocation to drives

75% -95%

For fortianalyzer VMs what is the minimum memory recommended

8 GB

What percent of used disk quota will FAZ start removing raw and archive logs

95%

FortiAnalyzer uses the Optimized Fabric Transfer Protocol (OFTP) over SSL for what purpose? a. To encrypt log communication between devices b. To prevent log modification

A

What happens when a log file saved on FortiAnalyzer disks reaches the size specified in the device log settings? a. The log file rolls over and is archived. b. The log file is stored as a raw log an

A

What is the virtual IP for

A IP for the cluster as a whole to Provide redundancy. Devices will point to the virtual IP

If your fortianalyzer is a VM what can you also use as a configuration backup

A VM snapshot

What can fortianalyzer be described as

A central log repository that aggregates data from multiple fortinet devices into a single view

SQL select query

A command that selects specific read only data from the SQL database

What is needed in order to send logs to cloud platforms (2)

A fabric connector and a separate license for storage connector service

What is a FAZ report (simplify)

A set of data organized in charts

If uploaded logs reach data stored limitation prior to the storage connector service license expiration what is needed in order to continue to use this cloud service

A license renewal

What is created in HA and via what protocol

A virtual IP via VRRP and mac

What is a log group

A virtual grouping of devices placed together in a single logical object. They do not have SQL databases or occupy additional disk space

What must be enabled to collect logs from non fortigate devices

ADOMs

Which fortianalyzer feature allows you to group devices that adminstrators can monitor and manage

ADOMs

Two HA modes

Active active Active passive

How is used space determined

Adding the archive and analytics logs and all the system files mounted on the drive

What is the simple task that a chart does

All the chart does is convert the text pace results of a query into a graphical format of your choosing

Which logs are considered online and offer immediate support

Analytic (indexed) logs

What type of logs are restored in the SQL database

Raw logs

What does disk quota include (3)

Raw logs Archive files SQL database tables

Daemon for receive rate

Raw receiving rate to FAZ Fortilogd

After completing initial configuration what should you do as a best practice

Back up the configuration

How does FAZ create a report

Based on configured parameters FAZ analyzes logs collected from the managed devices and presents the information in a graphical or tabular format

Why are logs from AV/IPS not used for FAZ IOC feature

Because AV and IPS is detected and prevented by the fortigate

What are contained in the meta fields in system settings

Contact email and phone for admins Company/organization Contact email Phone Address for devices

Two CLI options

CLI widget on dashboard or a terminal emulation program

Fortigate miglogd process

Caches logs on fortigate when fortianalyzer is not reachable There is a max cache size so it will drop logs if it is reached Intended for if you need to upgrade firmware not for a lengthy outage

What is the additional info box used for when creating a new event handler filter

Can be used to change the default event handler queries and create custom messages/notifications Provide custom information including specific details from fields and variables This can be included in email notifications or passed to fabric connectors such as ITSM service now

For security reasons, what is one of the first tasks you should do and where to do it

Change admin password under system settings > admin > administrators > right click admin user > change password

~

Contained

Command to set fortigate encryption level for FAZ log transfer

Config log fortianalzyer setting Set end-algorithm <high-medium | high* | low>

CLI command to enable ADOM

Config sys global Set ADOM-status enable

How to enable or disabled auto completion for log view

Config sys global Set default-logview-auto-completion (enable|disable)

What to do if a major changes are required to existing templates or reports meaning no report meets your needs

Create a new template or report from scratch

What are new or cloned data sets, charts, templates, and reports categorized as

Custom

What is a clone chart categorized as

Custom chart

How do you see more details on an event under the all event monitor in fortiSOC (2)

Double click the event to see details such as associated logs Or right click to acknowledge or add comments

How do you view more information about a log in log view

Double click the log and the details pane appears

Name some default reports

Detailed user report Forticlient report DNS report Email report Sandbox detection report Admin and sys events report Cyber bullying indicators report Application and risk control report

What is included in content files

DLP AV Quarantine IPS

5 security recommendations for deploying fortianalyzer

Deploy in private network Use trusted hosts Use https and ssh Use secure passwords Store password somewhere safe

What are the 7 FAZ panes

Device manage Fortiview Log view Fabric view FortiSOC Reports Settinfs

After a device is registered where does it appear in it's ADOM

Device manager

Fortianalyzer synchronizes the configuration of what modules to all cluster devices

Device manager Event manager Reports, Most system settings

How to manually configure device as HA cluster

Device manager > ha cluster enable > add serial of cluster member

Diagnose ha dump-datalog

Dump ha datalog

==

Equal

Why do you need to examine log chains instead of an individual log

Examine all to get a full picture of the forensic evidence to understand what is going on and how a breach occured

What are log group reports useful for

Examining large networks as a whole Grouping devices by purpose (geolocation etc)

What protocols are supported for backing up logs to a filer server

FTP SCP SFTP

>

Greater than

Fortimail log types

History Event Antivirus Email filter

When is HA not supported

If fortimanager features are enabled on fortianalyzer

What RAID levels are supported

Linear 0 1 1 +spare 5 5 +spare 6 6 +spare 10 50 60

Where can you insert macros

Into custom templates or into the layout of reports

Which value is used to select a new primary device in the event of a fortianalyzer HA failure Serial number Ip address

Ip address

You are looking through the fortianalyzer panes and can't find Fortview? What happened and how can you fix it

It can be enabled and disabled in the CLI for performance tuning. Command to disable it is Config sys global Set disable-module fortiview-noc

What is an administrative profile and how to make/edit

It defines administrative privileges and are required for each admin account System settings > admin > profile

A macro in fortianalyzer is____

It defines which data is to be selected from a log it represents a data set queries in an abbreviated form

Why does the license information widget show a value lower than the disk quota

It includes only raw longs uploaded from fortigate to fortianalyzer in one day

What is fortisoc and what does it enable

It is a subscription service that enables security orchestration, automation, and response (SOAR) and security information and event management (SIEM) capabilities and provides incident management with playbook automation to accelerate incident response

What is a predefined report

It is associated with a predefined template (layout). The report comes with basic default settings configured and define the time period to run the report, what devices to run on, and whether is generates a single or multiple reports

What is a wildcard admin account

It is the "match all users on remote server" option under administrators It allows multiple remote admin accounts to match one local admin account

Is Hcache is not built when you run the report what must happen

It must create hcache first

What is playbook monitor

It shows the status of playbook jobs

When will the OFTPS protocol be used to secure log Communication

It's default set to auto negotiate so it is used only if being used by the connecting fortigate

<

Less than

IPS packet log

Logs the network packets containing the traffic matching ips signature 1 of 4 types of collected logs

What is a good way to break up ADOMS (has to do with disk quota)

Low volume log devices vs high volume log devices so that the disk quota enforcement doesn't affect the low volume devices

What are macros

Macro specify what data to extract from the logs they represent data set queries in abbreviated forms. you can insert macros as data in Your reports without having to use a chart to display the data

What can you insert as data in your reports without having to use a chart to display the data

Macros

Which one of the following statements about macros is true Macros are abbreviated data set queries Macros cannot be customized

Macros are abbreviated data set queries

Fortisandbox log types

Malware Network alerts

Two spots to manually attach a report to an incident

Manually after incident creation by right clicking the report and selecting "attach to incident" You can also manually attach by going to fortiSOC/ incidents and events > incidents and click the reports tab then click add

Preferred roles for HA and what each means

Master and slave If set to master the device will become Primary if it is configured first in the cluster. If there is an existing primary device then it will become backup

Which log checksum algorithms are available

Md5-record log file hash Md5-auth- record log file and authentication code None

Features of password policy

Min length Specify if characters and numbers must be included Password expiry (make sure you change pass before it expires)

What is minimum raid

Mirror or stripe of two drives

RAID 10 level comprises of what data format

Mirroring and striping

Can you Delete a pre-defined report

Mo

What is cluster status pane and what information is displayed

Monitors the status of fortianalyzer devices in an HA cluster Displays information about the role of each cluster device, the HA status, and configuration of the cluster Role, serial number, IP, host name, uptime/downtime, initial logs sync, configurations sync, and message

Local system performance monitor and what are the widgets

Monitors the system performance of the fortianalyzer unit running the fortiview module and not the logging devices CPU and memory usage Multi core COU usage Insert rate vs receive rate Receive rate vs forwarding rate Disk IO Resource usage average Resource usage peak Failed authentication attempts System events Admin logins

What does a raid array require

Multiple identical drives (at least two that are the same size)

Are ADOMS enabled by default

No

Are local credentials required is a remote server is being used?

No

Is raid a replacement for backing up logs

No

Is raid supported on all fortianalyzer models

No

Is there a password recovery option for fortianalyzer and what two things can you doif you forget your password

No 1) Factory reset the VM/appliance Run the execute migrate command Default admin pass can be used 2) format the flash and reload the image from the BIOS config menu

Can you dynamically add disk space with FAZ hardware

No disk space is fixed so you have to add a new disk

On fortianalyzer devices that support RAID do you have to power off the device to replace a failed drive

No it is hot swappable on raid hardware only

If fortianalyzer has software raid does it support hot swapping

No it should be powered down

True or false. It's required to separate Devices in ADOMS by ForitOS version

No. Your not pushing configs so the fortiOS doesn't matter. Just need to separate by device type (unless it's default fabric ADOM)

What two modes can ADOMS operate in and what is the difference

Normal and advanced Normal means fortigate VDOMS on a single device cannot be assigned to different ADOMS Advanced means that fortigate VDOMS from a single device can be assigned to different ADOMs

!~

Not contained

!=

Not equal

How are local administrators logins validated

On the fortianalyzer

How many triggers can a playbook include

One

Difference between log rate and message rate commands for troubleshooting

One log message can consists of multiple logs in LZ4 format

Compromised hosts monitor widget (pane names)

One widget with two panes Compromised hosts and compromised hosts incidents

In order to configure IOC what is required (3)

One year subscription to IOC Web filter services subscription on fortigates Web filter policies on fortigates that send traffic to fortianalyzer

Where can you view administrator activity and what user profile is able to see this

Only super user System settings > event log

What is aggregation mode

Only supported by two fortianalyzer devices One acts as a collector and the other analyzer bigger FAZ) The collector will compare it's logs to the Analyzer and send a delta (incremental changes) of the logs Provides a level of redundancy because if analyzer fails collector can repopulate analyzer and limits traffic sent

When you apply filters to a report chart which reports for sit affect

Only the chart within the one report

What two things does the fortianalyzer features available depend on

Operating mode and the profile logged in (restricted users and standard users won't have full access privilege)

How are the SQL database tables distributed

Per ADOM

How is disk space allocation set? Globally or per adom

Per ADOM

How are raw and archive logs distributed

Per device

Get system performance

Performance stats on fortianalyzer

Allocating insufficient quota to an ADOM can cause problems: (3)

Prevent you from reaching your log retention objective Cause unnecessary CPU resources enforcing quota with log deletion and database trim Adversely affect reporting if the quota enforcement acts on analytical data before a report is complete

Diagnose system print certificate

Print ipsec certificate

Diagnose system print netstat

Print network statistics for active internet connections Proto Local address Remote address State

Diagnose system print partitions

Print partition information of the system

Diagnose system print loadavg

Print the Avg load of the system

Diagnose system print cpuinfo

Print the cpu information Processor Vendor id Cpu family Model Model name Cpu mhz Cache size Physical ID

Diagnose system print df

Print the file system disk space usage

Diagnose system print route

Print the main route list Destination Gateway Gateway mask Flags Metric Reference Use

Diagnose system print hosts

Print the static table lookup for host names

What external authentication servers are supported

RADIUS LDAP TACACS+ PKI

Different raid levels

RAID 0 - striping RAID 1 - mirroring RAID 5 - striping with parity RAID 6 - striping with double parity RAID 10 - combining mirroring and striping

Diagnose system raid alarms

Raid alarm logs

Diagnose system raid hwinfo

Raid controller hardware info

Diagnose system raid status

Raid status including raid level raid size and hard disk information

Insert rate

Rate at which logs are indexed by SQL database by the sqlplugind daemon

Receive rate

Rate at which raw logs are reaching FAZ

What type of logs do event handlers work in (raw or database)

Raw

What are the 6 raid disk statuses and what each mean

Ready - functioning normally Rebuilding - writing data to Newley added hard drive. Not fully redundant until complete Initializing - writing too all hard drives in the device in order to make array fault tolerant Verifying - ensuring the parity data of a redundant drive is valid Degraded - hard drive is no longer being used by raid controller Inoperable - one or more drives are missing. The drive is no longer available to the OS. Data in inoperable state cannot be accessed

What does HA provide (3)

Real time redundancy Synchronize logs and data between members Alleviate the load on the primary device by load balancing processes on secondary devices

benefit of FAZ HA cluster

Real time redundancy If primary fails another device will take over Data is synchronized securely among cluster members Provides load balancing for processes such as report running

Forwarding log mode

Real-time or near real-time log forwarding to servers (forwarded as logs are received) Does not forward content files (DLP, antivirus quarantine, and IPS)

If you move a device from one ADOM to another and the devices analytic logs are required for reports in the new ADOM what do you do and how

Rebuild the SQL database Exec sql-local rebuild-adom <new ADOM name>

If you move a device from one ADOM to another and you don't want the devices analytic logs in the old ADOM what do you do and how

Rebuild the SQL database Exec sql-local rebuild-adom <new ADOM name>

Why is it better to resolve IPs on fortigate side instead of on fortianalyzer side (2)

Reduces load and latency on FAZ Allows source and destination IPs to be resolved instead of just the destination

RAID

Redundant Array of Independent Disks Storage solution to provide redundant copy of log data by combining multiple drives into a logical unit

Swap memory

Refers to the space available to use when the physical memory is full and the system requires more memory. Basically emergency memory. System takes data stored in RAM that hasn't been used recently and swaps it into the virtual swap space memory to make more space in RAM

In order to start collecting logs a device must be _____

Registered

If the disk quota (raw + SQL) is estimated to be above 95%, what does FAZ do

Remove the raw logs and corresponding archive logs until the disk quota is down to 85%

Where do you enable auto-cache for reports

Report > report definitions > all reports > report name > settings

Where can you clone a template

Report > report definitions > template

Where can you obtain the schema for a specific log type?

Reports > report definitions > datasets Query: SELECT * FROM $log This query will return everything from the log type you specify. It will achieve the column heading names and indicate what is available in the database schema for the selected type.

Where can you see the pre-defined macros or create custom macros

Reports > report definitions > macro library

Where do you specify a log group to run reports on

Reports > report definitions > select report > settings > devices > specify log group

Where can you create a new template

Reports > report definitions > templates

Where can you view templates

Reports > report definitions > templates

Method 1 device registration

Request from supported device The administrator of the device requests the registration Fortianalyzer admin accepts or denies request

Trusted hosts and max number

Restrict login access to specific IP or subnet and apply to both gui and cli 10

What can you do if you find a specific log with interesting data and you want to display all other logs with that same interesting data

Right click the interesting data (column and row) and select add filter

Unregistered device appear in the ______ until registered and assigned to an ______

Root ADOM ADOM

If reports are taking long to generate what can you do to troubleshoot (4)

Run diagnostics on report to view the report summary at the end of report. Look at hcache time to see how long it took to build Check log rates to see volume of logs Check the insert rate, receive rate, and log insert lag Enable auto-cache in the report settings

Diagnose ha restart-int-sync

Run on master Restart ha initial sync

Diagnose ha failover

Run on master, force ha failover

What feature allows you to look at log data from a group as if it were a single device

Run reports on log groups

When you move a device from one ADOM to another what is the point of rebuilding the database Run reports on the devices analytic logs in the new ADOM To migrate the archived logs to the new ADOM database

Run reports on the devices analytic logs in the new ADOM

What should you always do after erasing the configuration on flash

Run the execute format disk command

Statuses for the playbook monitor

Running Success Failed

Besides local, and remote authentication, (and 2FA) what other option is available for authentication under the admin settinfs

SAML SSO

What is SAML

SAML SSO (single sign on) Security assertion markup language is an XML standard that allows for maintaining a single repository for authentication amongst internal/external systems There are IdP (identity provided aka the main Authenticator) and SP (service provider) when someone logs into a SP the SP will forward request to the IdP for authentication

Which is the only SQL statement used to populate reports

SELECT

Which is the only file server upload protocol that can use the log checksum to prevent MITM attacks

SFTP using SSH

If ADOMS are enabled what do you need to do when you log in

Select the ADOM you want to view

How does FAZ distinguish different devices (hint these are found in the headers for all the different log messages)

Serial number

What command under configure system report group controls which reports that will be contained in the report group function

Set report-like <report name string>

If you want to send alerts through emails for things such as event handlers what must need to be set up on the FAZ and where can it be set up

Set up a mail server in system settings > advanced > mail server

How to create a new admin

Settings > admin > administrators > new

How do you configure the report display color on the report calendar page

Settings > advanced settings

In a cloned report what two tabs are editable

Settings AND layout

What does event monitor display in fortiSOC

Shows all events, by endpoint, by threat, and system events Shows all events generated by your enabled and configured event handlers

Diagnose log device

Shows disk log usage (allocated and available and reserved) and shows usage for each ADOM

Diagnose ha load-balance

Shows ha load balance status

Daemon for insert rate

Sql insertion rate Sqlplugind

What does the storage connector service license include

Storage limitation: amount of data that can be uploaded to cloud platform Expiration date: date up to which the storage data can be sent

Aggregation log mode

Stores Logs and content files and uploads them at scheduled time Only available between two FAZs

Two raid operation types and what do each mean

Striping - combines two or more drives into a single logical drive and stores data in chunks across all drives Mirroring - makes identical copies of data on two or more separate physical drives

How is the total quota value determined

Subtracting reserved space from total system storage

What is the purpose of reports

Summarize large amounts of logged data based on configured parameters It makes it easier to analyze multiple log files and cross reference to different data points

What permission is needed to configure ADOM

Super user

Be default what profile is allowed to enable ADOMs

Super_user

By default only what type of admin can see the complete administrator list

Super_user

Three preinstalled default admin profiles and there's access levels

Super_user- all system priv, all device priv Standard_user - read/write access to device priv, no system priv Restricted_user - no system priv, read only for device priv

What is admin type group

Supports multiple remote servers. You can create different ones and then group them together in the CLI if you select group as type under the admin then they need to authenticate with credentials to either of the servers within the group

Why may report generation be slow the first time you run a report

System has to create hcache

Config backups contain: and what does it not contain

System information (device ip and admin info) Device list (any devices configured to allow logs) Report information (any configured report settings or custom reports) Does not contain actual logs and generated reports

What happens immediately after you enable ADOMs and why

System logs you out do it can reinitialize with the new settings

Where can you view the status of each disk in the raid array and disk space usage

System settings > RAID management

How can you Gentrify which users are currently logged in

System settings > admin > administrators Green check mark next to logged in users

Where do you configure external authentication servers

System settings > admin > remote authentication server

How to change ADOM mode in GUI and CLI

System settings > advanced > advanced settings Config sys global Set ADOM mode (advanced | normal)

How can you configured for the analyzer to upload or email generated reports

System settings > advanced > mail server Configure for each report Select "enable notification" Output profile "email and server profile" Reports > advanced > output profile Edit "email and server profile" Add the preconfigured mail server

How would you move devices from one ADOM to another

System settings > all ADOMS Edit ADOM you want to move device to Select add device Click the device in the other ADOM you want to move from

Where can you adjust your disk quota if ADOMS are enabled Where can you adjust if ADOMS are not enabled

System settings > all ADOMS Log view > system storage

Where do you set disk quotas if ADOM are enabled

System settings > all adoms System settings > storage info

How to set the mode

System settings > dashboard

Where can you see a visual representation of insert and receive rates

System settings > dashboard

Which FAZ plays the role of the client in log forwarding and which as the server

The FAZ that forward logs to another plays the client and the recipient plays the role of the server

How to ADOMS make administration more secure

The admins will only be able to monitor and manage devices in their assigned ADOM

Mode collector

The collects logs from multiple devices and forwards the logs in their original format to another device (fortianalyzer in analyzer mode, a sys log server, or CES server - common event server )

Why may your search filters not return any results even if the log data does exist and what are three ways to fix it

The filter may be poorly formatted. Since FAZ looks for an exact match in the log the SQL query must be formatted correctly Make search case sensitive search is enabled, add columns to add the proper filter name to the filter list, right click data in the log table to set a filter for that data

What do the output profiles specify

The format of the report such as PDF HTMLXML and CSV Whether to email generated reports or upload to a server Whether to delete the report locally after uploading to the server

What must be configured for the initial fortianalyzer set up

The ip and netmask Management ports Default gateway

In a clone template what can you edit

The layout

What data does the CLI command # diagnose fortilogd lograte provide The log receive rate per second The message receive rate per second

The log receive rate per second

If there are more than one fortianalyzer in the network what must be configured differently on each

The management port must have a unique address

What is the ADOM disk quota and what is the default max

The max storage space for the ADOM to store logs (not per individual device) Default max is 50 GB

What are the five summary views for fortiview and what two formats can you view them in

Threats Traffic Applications and websites VPN System Can be viewed in tabular or graphical format

When should you use cloning to make changes for reports and templates

To make minor to moderate changes

Sub summaries for the traffic summary on fortimanager (7)

Top sources Top source addresses Top destinations Top destination addresses Top country/region Policy hits Dns logs

What are the threat monitor widgets 5Ts

Top threat designations Top threats Threat map Top threats by weight and count Top virus incidents over time

True or false: a FAZ can operate as fetch server or fetch client

True

Event handlers

Under fortiSOC. They are specific matched conditions in the raw logs and they determine what events are to be generated

After a register request is made form the fortigate where will the fortigate request appear on fortianalyzer

Under the root ADOM on device manager

If you are wanting to see both local event logs and the application logs of the root ADOM where do you look and why

Under the root ADOM, log view, fortianalyzer, application Because other adoms only show application logs and not local logs for the FAZ

Logging best practices (4)

Upload FAZ local logs to a remote server Increase local event logging level to debug configure snmp traps for critical system events Configure log upload for rolled logs on a daily basis

What is a best practice for how fortianalyzer should be plugged into power

Use a UPS

What is a quick way to build a custom data set and chart

Use the chart builder tool

You want to permit administrator Logins on fortanalyzer from specific locations only. How can you configure this on fortianalyzer

Use trusted hosts

Oftpd process

Used for disk quota enforcement Enforces the archive file size

Sqlplugind

Used for disk quota enforcement Enforces the sql database size

Non standard admin access protocols (2)

Web service Fortimanager

What can the CLI command # diagnose test application oftpd 3 help you to determine What ADOMS are enabled and configured What devices and IP addresses are connecting to FAZ

What devices and IP addresses are connecting to FAZ

Diagnose test application oftpd 3

What devices and IPs are connecting to fortianalyzer? Is fortianalyzer receiving logs?

Diagnose dvm device list

What devices or VDOMS are currently registered and unregistered

When are the following reports enabled: Fortiauthenticator Carrier Cache Client Ddos Deceptor Manager Mail NAC Proxy Sandbox Web

When ADOMs are enabled

When is the fortiSOC module activated and when can users access SOAR features

When FAZ has a valid subscription license

Can you delete a clones report?

Yes

Can you delete cloned templates

Yes

Is it possible to use third party RADIUS and RSA tokens?

Yes

Is auto completion enabled by default? What is it,

Yes, It sets the filter value in log view

RAID 6

extends RAID 5 by adding another parity block; thus, it uses block-level striping with two parity blocks distributed across all member disks. System can remain operational even if two disks fail

True or false: IOC will work without Fortiguard sub

false because IOC uses the fortiguard threat intelligence to compare IOC signatures to new and historical web filter logs

<=

less than or equal to

Fortianalyzer SIEM

parse, normalize, and correlate logs from fortinet products and the security event log of windows and linux hosts (with fabric agent integration) the SIEM logs are displayed as fabric logs in fortview

To determine what datasets are associated with a chart what two places do you look

right click the chart in the template and click clone chart OR go to report definitions > datasets

What happens if you add a new disk and your previous disks are configured in a RAID

you need to rebuild the RAID array

What back and requirements are there to use any external storage method for reports (2)

1) configure a mail server for emailed reports 2) configure an output profile

Debug command to troubleshooting communication issues between FAZ and FGT (3)

1) on FAZ: diag debug en Diag debug application oftpd 8 <FGT IP> 2) on FGT: diagnose log test 3) review output

What ADOMS can devices be assigned to

ADOMS with the device type you are adding

Fine tuning a predefined report (4)

Adding log message filters to refine the data that is included Enable queries to an LDAP server to an an LDAP query to the report (Advanced) Configuring report language, print settings, customize cover page, print device lists, obfuscate users, set color code

Default username and password Default port and IP address Default management access

Admin No pass Port 1 192.168.1.99/24 HTTPS ssh

Three ways to control and restrict administrative access

Admin profiles ADOMS Trusted hosts

When should you always validate your custom data sets

After a firmware upgrade

What two modes can log forwarding run in

Aggregation Forwarding

Subtypes of the system log type

Application control Antivirus DLP Anti spam Web filtering IPS Anomaly (DOS) WAF

What logs are moved to the new ADOM when you move a device

Archive (compressed) logs only The analytic logs (indexed ) logs stay in the old ADOM until you rebuild the SQL database

Default data retention for archive and analytical logs

Archive 365, analytical 60

What is not included in the license information logging

Archive logs Fortigate store and forward logs FAZ aggregated logs Forticlient logs SQL tables

Logs in the compressed phase are known as the ______ logs

Archived

What are logs in the compressed phase known as

Archived logs

Where can you apply a filter (2) do reports

At the report level and at the chart level within the report

How can you add historical data to an incident

Attach a report to an incident

Four considerations before creating a report

Audience Purpose Leave of detail Format

What does fortianalyzer application logs include

Audit logs for SIEM and SOAR applications

Two factor authentication

Authenticating with something you know and something you have

To boost report performance and reduced report generation time what can you enable

Auto-cache in the settings of the report so that hcache is automatically updated when new logs come in and new log tables are generated

In FAZ what is a dataset: A The database schema B A specific SQL SELECT query that retrieves data from the database

B

Which log forwarding mode stores logs and content files and uploads to another FortiAnalyzer server at a scheduled time? a. Forwarding mode b. Aggregation mode

B

Command to disable fortview for performance tuning

Config sys global Set disable-module fortiview-noc

What are the two major types of intelligence that determine the verdict for a compromised hosts

Black lists that include malicious IPs for botnets and DNS sinkholes and domain names generated by DGA Suspicious lists where each URL is associated with a ranked score based on the threat intelligence processed daily

Troubleshooting tips if you run a report and it's empty(5)

Check the time frame covered by report Compare the time frame to the logs and verify that you have the log file for the time in question Verify that you have logs from the time the report was run and from the device that the report was run for Test the datasets to ensure they are retrieving the desired information if not then check the SQL query associated with the dataset Check the reports advanced settings and verify that logs match the filters you have set for the report

Fortianalyzer includes an existing data set that is very similar to what you want what can you do rather than creating a brand new one

Clone or modify an existing

For minor or moderate changes to existing templates or reports what can you use to customize them Or what can you do for reports o my

Cloning and then edit the clone or for reports only you can create a new report but based on an existing template then edit that new report to suit your requirements

Which operating mode in fortanalyzer is used to collect logs from multiple devices and then forward those logs to another device

Collector

Raid 60

Combines block level striping of raid 0 with distributed double parity of raid 6 Write performance is affected but there is enhanced redundancy with 8 drives Allows failure of two disks in each raid 6 array

Raid 50

Combines block level striping of raid 0 with distributed parity of raid 5 Fault tolerant against two drive fails (requires 6 drives)

Raid 10

Combines raid 1 and raid 0 by striping across two drives and then mirroring to another two drives. Can be fault tolerant against two drive fails depending on which two fail Requires 4 drives

Archived logs

Compressed logs that are considered offline and offer no immediate analytical support

What is the reserved system usage disk space used for (3)

Compression files Upload files Temporary report files

Command to configure log file checksum

Config sys global Set log-checksum <md5 | md5-auth | none>

Command to enable ADOMS in cli

Config sys global Set ADOM status enable

How can you increase security of your admin accounts

Configure a global password policy System settings > admin > admin settings

IP addresses are not resolving to host names in fortview what do you do (2)

Configure a local DNS server in the system settings and going to network Then go to CLI and use the following command to enable in fortview Config system fortiview settings Set resolve-ip enable Or just do it on the fortigate side

What is a good option to add additional security to external administrators

Configure two factor authentication

Auto discovery fortianalyzer and how to enable

Confiig on fortigate When enabled the fortigate will send hello packets to locate a fortianalyzer within the same subnet. If one is found the fortigate will automatically enable logging to the faz and begin sending log data config log fortianalyzer setting set status [enable | disable] set server <ip_address> set gui-display [enable | disable] set address-mode auto-discovery end

When your resetting the configuration should you do it in the GUI or CLI

Connect to console port and use CLI

Why may tou want to use the GUI instead of CLI during upgrade process

Connecting to CLI over SSH may be slow but you can connect to console

What report elements can be affected by a firmware upgrade

Custom datasets

What is a handy log view feature that makes it so you don't have to reapply a bunch of features every time you look

Custom view Set the filters and time and devices and then save it as a custom view to look at quickly next time

What can you do if I predefined report doesn't meet your requirements and neither does fine tuning

Customize report

What is distributed paritt

Data is distributed among multiple drives and requires three or more disks. It combines data on two drives and stores the combination on a third

RAID 0

Data split evenly across two or more disks. Goal is speed and performance. No parity information and no redundancy. No fault tolerance. If one disk fails the entire array is affected

Mode analyzer

Devices acts as a central log aggregator for one or more log collectors (such as forti devices or fortianalyzer in collector mode)

What is required if you want to resolve hostnames in logs

DNS server configured on fortianalyzer

What system settings are synchronized between cluster members

Dashboard > ADOM widget All ADOMS Admin Certificates > CA certificates Certificates > CRL Log forwarding Task manager Advanced > mail server Advanced > sys log server

What panes are available in fortiSOC

Dashboards Automation Event monitor Handlers Incidents

Templates do not contain ______

Data

After you select your data set and chart type in a new chart creation what section is automatically adjusted based on those selections

Data bindings

Fortiview monitors pane and what monitor dashboards are available (13) T(AW)C FEF VW ST(AW) LEGS

Designed for use in a NOC or SOC environment where multiple dashboards are displayed on large monitors and helps you effectively monitor network events, threats, and security alerts It displays both real time and historical trends The monitors displayed can be customized: Traffic Applications and websites Compromised hosts Fortisandbox detections Endpoints Fabric state of security Vpn Wifi Forticlient software inventory Threat (forticlient) Applications and websites(forticlient) Local system performance Endpoints(forticlient) Global threat research Secure sdwan

What do log messages contain

Details about specific events that occur on a network including: Load on network devices Service usage Evidence of a breach on the network

How are endpoints detected and displayed in fabric view

Detected based on MAC address and displayed by IP address

HA priority settings

Determines the selection of primary devices Can assign 80-120 High number = higher priority

Devices can be registered only with their _____ ADOM

Device-specific

If ADOMS are enabled, when can you first have the option to move and unregistered device to a new ADOM

During the authorization process you can choose to keep in root ADOM or add it to a custom ADOM

By right clicking the report name on the report calendar what can you do (4)

Edit Disable Delete Download

What can the DLP engine examine

Email Ftp NNTP web traffic

Execute reset all-settings

Erases the show config on flash, containing ip addresses and routes

Execute reset all-except-ip

Erases the show configuration in flash except the ip and route settings

How to turn off fortianalyzer

Exec shutdown

Commands to troubleshoot report generation. What is the configuration status of all configured reports

Exec sql-report list-schedule <ADOM>

Command to view report grouping information

Exec sql-report list-schedule <adom name>

What is the forticlient EMS connector for

Execute EMS operations on endpoints. When configured fabric connector enrich incident response related actions in assets and fortisoc

Command to back up logs in the CLI

Execute backup logs <device name| all> <ftp|sftp|scp> <serverip> <username> <pass> <loc on server>

Command to restore logs to FAZ

Execute restore logs <device name| all> <ftp|sftp|scp> <serverip> <username> <pass> <loc on server>

Since you can't export templates and datasets how can you copy a template or dataset from one ADOM to another indirectly

Export the report and then save the layout of the report as a template Export the chart and then save the dataset

Which for the analyzer feature allows you to automatically build a data set and chart based on a filtered search result

Export to report chart in fortiview Chart builder in log view

What three fabric connector options are there to allow fortianalyzer to send out logs or notifications events

External cloud platforms: AWS, azure, Google ITSM: service now, web hook Security fabric: forticlient EMS

What other options are there for validating administrator logins

External servers RADIUS LDAP TACACS+ PKI

How can you back up logs on FAZ (3)

GUI CLI FTP, SCP, SFTP server

What command would you do to see CPU Memory hard disk and flash disk usage and availability

Get sys performance

Command to see: Platform Version Serial number BIOS ver Hostname Max ADOMS ADOM status Time Disk usage License status

Get sys status

Which CLI command can you use to find FAZ ADOM status Get system status Show system performance

Get system status

Benefit of customizing charts and data sets

Give you the flexibility to pull unique combination of data from the database that doesn't exist in any default chart or data set

>=

Greater than or equal to

What must be configured the same for each member in HA cluster to allow them to function together

Group name Group ID Password

Besides enabling auto cache what else can you do to improve report generation time

Group similar reports to reduce the number of hcache tables and improve auto-cache completion and report completion time

What formats can you review reports in

HTML PDF CSV XML

What formats can a report be viewed in (4)

HTML PDF XML CSV

Diagnose hardware info

Hardware stats for CPU, memory, disk, and raid

Instead of overwriting the oldest logs when allowed disk space is full what can you change this behavior to What is the command

Have fortianalyzer stop logging when disk space is full Config system locallog disk setting Set diskfull nolog

By default what encryption level is used for OFTP fort fortigate and fortianalyzer

High level

What two verdicts are given to an end device in the compromised hosts fortiview

Infected- indicates a real breach, a match or matches of the blacklisted IPs or domain generation algorithms have been found in the web logs Highly suspicious - indicates a possible breach

What two states does fortianalyzer synchronize logs in

Initial sync Real-time sync (log data sync)

Where can you download a specific filtered view for logs

Log view > log type > download

Where do you set disk quota if ADOMS are disabled

Log view > system storage

3 processes used for disk quota enforcement

Logfiled Sqlplugind Oftpd

Once registered, fortianalyzer automatically has permission to collect logs. What else needs to be done for fortianalyzer to be able to collect the logs

Logging must be enabled on the fortigate

If a device with a higher priority or lower ip (greater value) joins the cluster will it become the new primary

No not unless the primary goes down

Log data sync option in HA (default or no)

On by default Provides real-time log sync among cluster members after the initial log synch

What two options are available for running a report

On demand or on a schedule

After enabling remote server authentication, where do you apply the setting to allow an admin to use their remote server credentials to login to fortianalzyer

On the admins account System settings > admin > administrators > select account Select admin type And server

Where can you move devices after registration

On the system settings > all ADOMS

When does a playbook task run and for how long

Starts when the playbook is triggered and until all subsequent tasks in the playbook are completed

How can you ensure proper log correlation between fortianalyzer and all registered devices

Sync everything with an NTP server

Where can you schedule upload of rolled logs

System settings > advanced > device log settign

Where to enable ADOMS

System settings > dashboard Cli

Where do you turn on ADOMs

System settings > dashboard > administrative domain

Where to view raid failures

System settings > dashboard > alert message control A log message will appear if there are failures or you can check the raid management

Where can you see the storage connector service license details

System settings > dashboard > license information

How to back up configuration in GUI

System settings > dashboard > system configuration

Once the Storage connector service license is uploaded where can you enable the upload logs to cloud storage feature

System settings > device log settings > cloud storage platforms

Steps to fetch logs on a FAZ

System settings > fetch management Create profile for fetch server on the fetch client Send a request on the fetch client

How to configure the client for the FAZ log forwarder and specify which logs get forwarded

System settings > log forwarder

How to check if raid is supported and where to configure

System settings > raid management

You can import and export reports and charts but what can't you export

Templates and datasets

What is done to logs before then are sent and uploaded to a file server

They are compressed and stored in archive

How long are logs kept in archive

They are deleted at a time specified by the ADOM data policy

After analytic logs are purged from the SQL database based on a specified time frame in the ADOM policy, where do they go

They are purged but remain in the compressed archive

What basic report settings can be configured

Time period Devices Type (single report or multi report)

Logfild process

Used for disk quota enforcement Monitors raw log file size, SQL database size, and archive file size and then it sends commands to other daemons to process Enforces raw log file size

Initial HA sync process

Used for the initial setup of the HA cluster. When turned on, and a device is added the primary device syncs it's logs with the new device. After it's completed the backup device automatically reboots. When it comes back up the device will rebuild it's log database with the synchronized logs

What can you do on the IOC fortview

View compromised hosts Drill down for details on the compromise by double clicking entry Acknowledge the event by clicking ACK

How do you retrieve diagnostics on a report

View report and right click the report name and click retrieve diagnostics

Which charts and datasets are used in a report

View the template associated with the report The template includes all the charts included in the report To determine what datasets are associated with a chart, right click the chart in the template and click clone chart OR go to report definitions > datasets

If you select the report time period as last 7 days or last <n> day what is the last day that will be included In the report

Yesterday. Does not include the current day


Ensembles d'études connexes

POSI 2310: Topic 3.5 Ch.10 Interest Groups

View Set

Chapter 8 Cryptography - Study Material

View Set

McGraw-Hill Connect Epithelial Tissue Homework

View Set

Small Test - Economics EOC (GSE) UPDATED Domain: Macroeconomic Concepts

View Set

chapter 14 vision and perception

View Set

NURS 3270 Fundamentals Evolve -- Mod 9

View Set

Micro Chapter 3 Demand Launchpad Questions

View Set