Fortianalyzer 6.4
How does IOC work (what is the flow from logs being recorded on a FortiGate and sent to the FAZ to be analyzed)? (5)
1) FortiAnalyzer downloads the threat intelligence package (TDS) every day 2) FortiGate sends security logs to FortiAnalyzer 3) FortiAnalyzer runs real-time threat detection when it receives the web filter logs 4) FAZ calculates a threat score for the end user based on the score in the TDS and gives a verdict for the IOC 5) customers can see a consolidated view of compromised devices in FAZ FortiView
How to set up two-factor authentication with a remote server (2 steps)
1) configure the remote (RADIUS) server to point to the fortiauthenticator 2) create the admin account and point it to the remote server (System settings > admin > administrator)
Why might configuring a FortiGate to send logs to two devices not be feasible?
1) it increases load on fortigate because the log daemon needs two TCP connections to send the logs (one for each device it's sending to) 2) smaller fortigate devices do not support this
Steps to upgrade HA cluster firmware (4)
1) log into the GUI of the primary 2) upgrade the primary device 3) when the primary reboots, the secondary will automatically be promoted to primary 4) when the upgrade is complete, repeat steps 1 and 2 5) repeat until all devices are upgraded
What are a few ways to troubleshoot communication issues (5)
1) execute ping to see if they can communicate 2) diag sniffer packet to see if traffic is leaving and if it is reaching the other device 3) show log fortianalyzer setting (FGT) 4) diagnose log test (FGT): is the FortiGate capable of generating logs? 5) diagnose test application oftpd 8: to see if the FortiAnalyzer is capable of receiving logs
How can you ensure log integrity, prevent logs from being tampered with in storage, and prevent MITM when they are uploaded? (2)
Add a log checksum under the config system global command, or set a custom OFTP certificate. You can configure FAZ to record a log file hash value, timestamp, and authentication code when the log is rolled and archived and when the log is uploaded
How can you fine-tune the dataset in Log View in order to create a custom dataset and chart with Chart Builder?
Add more columns; set a group, order by, and sort filter; set a limit on results; set the device and time frame
Log data sync process
After the initial log sync, the cluster goes into the real-time log sync state. This is turned on by default on all devices in an HA cluster. When turned on, the primary device forwards logs in real time to the backup devices. If the primary fails, the secondary that is selected to be the new primary will continue to sync logs with the backup devices.
ADOM and purpose
Allows you to group devices to monitor and manage; divide administration of devices (restrict access); and more efficiently manage data policies and disk space allocation
Web service admin access protocol
Allows access to FortiAnalyzer from a web service such as SOAP (a messaging protocol that allows programs running on disparate operating systems to communicate)
Fortimanager admin access protocol
Allows fortianalyzer to be managed by a fortimanager
What is log fetching
Allows fortianalyzer to fetch archived logs of specified devices from another fortianalyzer which you can then run reports on
How do fabric connectors enhance the FortiSOC SOAR playbook feature?
Allow playbooks to perform tasks using connected devices (FortiOS and FortiClient EMS)
When configuring an event handler what is the generic text filter for
Allows precise control over which logs trigger an event. Use operators such as ==, !=, <, etc. To make it easy, you can copy a string from the raw log file that you want to match
How does log fetching simplify the generation of reports (3)
Allows the admin to select the devices and time period to be indexed; allows you to customize log retention on the pulled logs for reports; avoids log duplication
What does the chart builder tool do
Allows you to build a dataset and chart automatically based on your filtered search results. Set filters to return the logs you want, then in the tools menu select Chart Builder to automatically build the search into a dataset and chart
What would you use RAID for
Allows you to have copies of your logs in case a critical event on FAZ occurs and a disk is damaged
Log view
Allows you to view traffic logs, event logs, and security logs for each ADOM. Log View can be restricted to one or more devices in the ADOM or to a log group
A SQL SELECT query polls the _____ for specific information. Based on the ____, a subset of information stored in the logs is extracted. The subset of data populates a ___ and one or more ____ exist within a report
Database Query Chart Charts
What is required when creating a new chart
A dataset that will query the database for the information you want
What two elements do the FAZ report charts consist of?
Datasets - the SQL queries that extract specific data from the database; Format - the format in which the data is displayed (pie, bar, tables)
How can you validate all custom data sets in one click
Datasets page > toolbar > click Validate All Custom
What is the fabric ADOM
Default ADOM that all fortinet devices in a security fabric can be placed in regardless of type
Command: what is the log receive rate for all ADOMs?
diagnose debug enable, then diagnose fortilogd lograte-adom all
Command: what is the log receive rate for a specific ADOM?
diagnose debug enable, then diagnose fortilogd lograte-adom {ADOM name}
Command: what is the log rate for each log type?
diagnose debug enable, then diagnose fortilogd lograte-type
Command: what is the log volume for all ADOMs?
diagnose debug enable, then diagnose fortilogd logvol-adom all
Command: what is the log volume for a specific ADOM?
diagnose debug enable, then diagnose fortilogd logvol-adom {ADOM name}
Command: what is the device log usage for all logging devices?
diagnose debug enable, then diagnose log device
Command: what is the SQL insertion status?
diagnose debug enable, then diagnose sql status sqlplugind
Command: what is the device log rate?
diagnose debug enable, then diagnose fortilogd lograte-device
Command: what are the log receive rate totals?
diagnose debug enable, then diagnose fortilogd lograte-total
Command: what is the log receive rate for each second?
diagnose debug enable, then diagnose fortilogd lograte
Command: what is the message receive rate for each second?
diagnose debug enable, then diagnose fortilogd msgrate
What command would you use to see detailed hardware information such as processor, swap memory, etc.?
diagnose hardware info
Command to monitor the log rate coming from each device
diagnose log device
Command to show reserved disk space
diagnose log device
Commands to troubleshoot report generation. What are the current SQL processes running (any log queries)?
diagnose sql process list
Commands to troubleshoot report generation. What is the hcache size on the file system?
diagnose sql show hcache-size
Commands to troubleshoot report generation. What is the SQL insertion status?
diagnose sql status sqlplugind
Commands to troubleshoot report generation. What are the SQL query connections and hcache status?
diagnose sql status sqlreportd
Commands to troubleshoot report generation. Is the hcache creation table able to catch up? What are the log file related activities (rolled, deleted, uploaded)?
diagnose test application logfiled 2
Commands to troubleshoot report generation. What is the state of the hcache?
diagnose test application sqlrptcached <level>
How can you reduce load on the FortiAnalyzer FortiView module? (hint: DNS)
Disable the resolve-ip feature and have the FortiGates resolve IPs instead
Fabric View Identity Center pane
Displays a list of users and endpoints in the network from relevant logs and correlates them to FortiAnalyzer modules; useful for user and endpoint mapping; gives you better visibility when you analyze logs, events, and incidents
show system ntp
Displays automatic time settings using the NTP server
show system dns
Displays DNS server addresses
get system ntp
Displays how often FortiAnalyzer synchronizes its time with the NTP server
show system interface
Displays the network interface configuration on the device, such as configured ports, IP addresses, and admin protocols
show system route
Displays static routing table entries on your FortiAnalyzer device
get system status
Displays the status of the device
Best practices to manage logs (7)
Document what is being logged and why; ensure data is being captured and not filtered for all devices and apps; centralize log storage and standardize the format; sync time on all log devices; maintain a backup of logs and implement a log retention policy; design procedures to maintain data integrity; test the incident response plan
Which logs are not forwarded in forwarding log mode?
Does not forward content files (DLP, antivirus quarantine, and IPS)
If you use the "add device" wizard and ADOMs are enabled, what ADOM will the device be registered to?
Either the device specific prebuilt ADOM or the custom ADOM that you are currently working in
You've created a custom chart but it's not showing up in the chart library
Enable the Show Custom button
What is the fabric view module
Enables you to create fabric connectors and view the list of endpoints
How can you protect log communication between devices
Encrypt them with OFTP (Optimized Fabric Transfer Protocol)
Subtype of the event log type
Endpoint, HA, System, User, Router, VPN, Wireless
Example of additional information variables included in a handler filter
Endpoint ${groupby1} is infected by virus ${virus}. A variable must be enclosed by a pair of curly braces following a dollar sign
How often does FAZ download the TDS FortiGuard package?
Every day
How often does logfiled check the other processes to estimate the space used by the SQL database?
Every two minutes (unless system resources are high)
What devices can perform tasks according to a playbook configured on FortiSOC?
FAZ, or any device configured with a FortiSOC fabric connector
Since FAZ has finite disk space, what do you need to know? (3)
The FAZ disk quota and what is included; how the quota is enforced; what space is reserved and not available for storing logs
Why do I need to buy an IOC license? It seems to be working without one because I can see lists of compromised hosts in FortiView
FAZ includes an evaluation license, but it is limited
Fortimanager log type
Event
Fortiweb log types
Event, IPS, Traffic
Where can you see alerts?
Event Manager, or configure FAZ to send alerts by email, SNMP, or syslog
In order to populate a chart with data, what does FAZ rely on?
A SQL SELECT query
When the allowed disk space is full, what happens?
An alert message is generated in the Alert Message Console (Dashboard > Alert Message Console) with event level warning. The oldest logs will be overwritten.
RAID 1
An exact copy of a set of data on two or more disks. Performance and reliability are the main goals. Includes fault tolerance: if one disk fails, the other disk can keep working
What is a wildcard administrator? A local administrator account that is used to permit group access, or an external administrator account that is used to permit group access?
An external administrator account that is used to permit group access
Logs in the indexed phase are known as
Analytic logs
What kind of logs are displayed in FortiView (analytical or archive)?
Analytical
What is default mode
Analyzer
Two fortianalyzer operating modes
Analyzer and collector
What is fortiview
Another way to view log data: real-time and historical data in summary views. Only data from analytical logs is available, not archive logs
How can logs be viewed on fortianalyzer
As a generated report or manually in the GUI
How can you restrict your administrators' access to a subset of your organization's ADOMs?
Assign the ADOMs to the admin's account
What do the cloud-out connectors allow you to do?
Back up data (rolled logs) to public cloud accounts in Amazon S3, Microsoft Azure, and Google Cloud
Why may you see "unauthorized" when you click Test Connection after configuring the FortiAnalyzer IP in the FortiGate central management settings?
Because the FortiAnalyzer admin has not accepted the registration request
How can you change the design of a report
By adding separators, page breaks, images, and renaming charts
How can you edit a predefined template
By cloning it and making changes. You can't edit it directly
If an ORDER BY is not specified, how are the rows returned?
In whichever order the system finds fastest
How can you drill down details on a compromised host
Double click the entry
What options does the admin have when authorizing a registration request for a device in FortiAnalyzer?
Changing the device name and changing the ADOM
Command to set a custom OFTP certificate, and what is needed
config system certificate oftp; set custom enable; set certificate <PEM-formatted cert>; set private-key <PEM key>. PEM = Privacy Enhanced Mail
Command to enable IP-to-hostname resolving in FortiView
config system fortiview settings; set resolve-ip enable
Command to set the FortiAnalyzer encryption level
config system global; set enc-algorithm <high* | low | medium>
Command to set the log forwarding mode on both the client and server FAZs
config system log-forward; edit <log aggregation ID>; set mode <aggregation | forwarding | disable>
Command to configure the FAZ server that logs are forwarded to
config system log-forward-service; set accept-aggregation enable; end
How can you configure report grouping?
config system report group; edit <#>; set adom <ADOM>; config group-by; edit <SQL column>; next; edit vd; next; end; set report-like <report name string>; next; end
What do FortiGates with an SSD disk have that is beneficial when the connection to FAZ is lost and logs need to be buffered?
A configurable log buffer, so the FortiGate can buffer logs on disk if the memory log buffer is full. When the connection is restored, they will be sent to FAZ
SELECT statement
First word in the SQL SELECT query, describing what dataset is to be pulled from the database and displayed
When is hcache automatically enabled
For scheduled reports
diagnose ha force-cfg-resync
Forces HA to resync the config
execute format disk, and when should you do this?
Formats the disk; do this after resetting the configuration
Similar to the Chart Builder feature in Log View, where else can you export a chart from a custom view?
FortiView: click the top-right door icon on the toolbar and click Export to Report Chart
Where is the Incidents and Events pane, and what needs to be enabled on FAZ to have the pane?
FortiSOC SOAR
Where can you view the status of playbook jobs?
FortiSOC > Automation > Playbook Monitor
Where do you create a new event handler?
FortiSOC > Handler > Event Handler List > Create
What three devices can logs be forwarded to when a FAZ is in forwarding mode?
FortiAnalyzer, syslog server, CEF server (Common Event Format)
How do fabric connectors reduce performance degradation?
FortiAnalyzer sends out logs and notifications. This is more efficient than third-party platforms polling information from the FortiAnalyzer API at predefined intervals, which could reduce performance
What two-factor authentication is recommended?
FortiAuthenticator and FortiToken
What are the four FortiView monitor dashboards for FortiClient? ST(AW)E
FortiClient Software Inventory, Threat (FortiClient), Applications and Websites (FortiClient), Endpoints (FortiClient)
With which ADOM device type must you also select the firmware version?
FortiGate
What devices will FortiView display log data for? (3)
FortiGate, FortiCarrier, FortiClient EMS
What ADOMs are macros supported in? (3)
FortiGate, FortiCarrier, and Fabric
In order to view FortiGate event logs on FortiAnalyzer, what configuration is required? FortiGate must be registered to the root ADOM, or FortiGate logging settings must have event logging enabled?
FortiGate logging settings must have event logging enabled
If ADOMs are disabled, what device types are allowed to be registered on FortiAnalyzer?
FortiGate only. All device types are accepted when ADOMs are enabled
fortilogd daemon
Handles FortiGate/FortiAnalyzer real-time forwarded logs
What devices are supported by FortiAnalyzer?
FortiGate/FortiCarrier, FortiAnalyzer, FortiCache, FortiDDoS, FortiMail, FortiManager, FortiSandbox, FortiWeb, syslog, chassis
What are the default primary and secondary DNS server addresses?
FortiGuard DNS
What tools does collector mode not support that analyzer mode does? (4 + 1 setting feature)
FortiView, Fabric View, FortiSOC, Reports, Event Manager
What two panes does FortiView include?
FortiView, Monitors
Where can you monitor FortiGate administrator logins, system activity, and failed authentications?
FortiView > System > Failed Authentication Attempts, Admin Logins, System Events
Where can you monitor FortiGate administrative activity (system and administrator-invoked events)?
FortiView > System > System Events
To view reporting and a historical audit of detections on malware, botnets, and intrusions, where do you look?
FortiView > Threat Report
Subtype of the traffic log type
Forward, Local, Sniffer
diagnose test application uploadd 63
Gives details such as usage quota, total data uploaded, total number of files uploaded, number of days remaining until license expiry, and number of upload requests that were dropped
If you want to view local logs, such as configuration changes and logins performed by a specific user, how can you find them?
Go to the event log and filter by user
How can you monitor and view admin tasks, the progress and status of tasks, and what is displayed?
Go to System Settings > Task Monitor. Shows the ID, source (Device Manager, Reports, etc.), description (add/delete a device), user, status, time, ADOM, and start time. Basically an audit log
Log lag time
How many seconds the database is behind in processing logs
What are the two cluster modes, and how do you change it?
High availability (active-passive) or stand-alone; System Settings > HA
What can you do to customize a chart?
If a predefined chart does not meet your requirements, you can either clone and edit charts and datasets or create new charts and datasets from scratch
Why might a playbook job status be "failed"?
If one or more tasks in the job failed. There may be some successful tasks, though
What are the rules for selecting a new primary device?
If the primary goes down, the device with the highest priority will be elected. If the priorities are the same, the device whose primary IP has the greatest value is selected (192.168.2.2 would be selected over 192.168.2.4)
Example of SELECT query with OFFSET and LIMIT clauses
If you place a limit of three records and an offset of one, the first record that would normally be returned is skipped and instead the second, third, and fourth records are returned
How soon do configuration changes take effect
Immediately
Where is the Chart Builder tool located?
In Log View; it looks like a wrench in the top-right corner of the toolbar
Why is it recommended to clone and edit predefined reports instead of directly editing the report?
In case your edits are not successful, the predefined report is preserved
Where can you view details about application logs?
In Log View > Log Browse > right-click on app events > select Display to see details
Where would you analyze SIEM logs?
In Log View, search for fabric logs
How can you group remote authentication servers: CLI, GUI, or both?
In the CLI
Two subtypes of FAZ application logs
Incident management, automation playbooks
Why would you disable case-sensitive search in Log View?
Increased search flexibility, because you don't have to match case
IOC engine
Indicator of compromise. Detects end users with suspicious web page usage (compromises) by checking new and historical web filter logs against IOC signatures (based on a FortiGuard subscription)
What five clauses does FAZ use for SELECT queries in reports, and what are they? (bonus 6th)
FROM - selects the table; WHERE - sets conditions (all rows not satisfying the condition are eliminated); GROUP BY - collects data across multiple records and groups the results by one or more columns; ORDER BY - orders the result rows (descending, ascending); LIMIT - limits the number of records returned based on the limit value; OFFSET - used with LIMIT to offset the results by a set value
What options are there to upload a generated report to a server?
FTP, SFTP, SCP
By default, what is the ADOM type set to for root and when creating a new one?
Fabric
What three panes are available in Fabric View?
Fabric Connectors, Identity Center, Assets
How do you create a new fabric connector?
Fabric View > Fabric Connector > Create New
True or false: backups should be encrypted when working with Fortinet support
False
True or false: multiple device types can be assigned to one ADOM if it is a custom ADOM
False. Only one device type can be assigned to a specific ADOM for that device type, whether it's a custom or default ADOM
True or false: the only option for FortiGate devices in HA to be discovered is by manually adding cluster members
False. FAZ will discover if the FortiGates are in a cluster. However, if you don't configure HA until after the device is registered, you can manually add the cluster member in Device Manager > Enable HA Cluster
True or false: reports are generated in the root ADOM
False. Each ADOM has its own reports, libraries, and advanced settings
True or false: an HA pair generates only one set of logs
False. Each member generates its own logs
True or false: a playbook task can be configured with default inputs and inputs from the trigger ONLY
False. It can take inputs from the trigger, default input values, or preceding tasks
True or false: reports provide recommendations and give indications of problems
False. That must be analyzed and concluded by whoever is reviewing the report
Trusted hosts only apply to the GUI
False. They apply to the GUI and CLI
True or false: log groups have a separate SQL database but take up only a minute portion of disk space
False. They are logical and do not have a SQL database or take up additional disk space
True or false: clauses can be coded in whichever sequence
False. They must be coded in a specific sequence
True or false: you can delete default ADOMs
False. You cannot
True or false: templates contain data
False. Data is added to the report when it is generated
True or false: it is recommended to move devices between ADOMs if needed
False. Only if you HAVE to
What are the benefits of the Security Fabric ADOM?
Fast data processing; log correlation; combines results for devices in Reports, FortiView, and Incidents & Events/FortiSOC
What is a FortiSOC playbook?
A feature that allows you to configure triggers and a sequence of automated actions (almost like a button). They can be created from scratch or from a predefined template. A playbook starts with a trigger and flows through the remaining tasks as defined by the routes in the playbook
Two types (statuses) of devices, and what is each?
Registered - devices authorized to store logs on FortiAnalyzer; Unregistered - devices requesting to store logs on FortiAnalyzer
If the same or similar reports will be run against many different FortiGate devices, what report feature can you use to improve report generation time?
Report grouping
What does a check icon mean next to a scheduled report in the report calendar, and what is the clock icon?
Check icon: the report has been generated. Clock icon: the report is pending
When you hover your cursor over a scheduled report in the report calendar, what is displayed?
Report name, status, device type
How can you export and import reports?
Report pages > right-click
Three key features of FortiAnalyzer
Reporting: reports provide a clear picture of network events, activities, and trends occurring on supported devices. Alerts: system-generated alerts when specific trigger conditions are met. Content archiving: provides a way to simultaneously log and archive copies of data transmitted over the network; prevents data leaks (DLP) and can also be used to record network use.
Which of these modules does a FortiAnalyzer HA cluster synchronize during configuration synchronization: Reports or Incidents?
Reports
What modules does the A-A HA mode enhance?
Reports, FortiView, NOC-SOC. It does this by load balancing in a round-robin fashion to the secondary devices to improve performance. Reports will be available on all cluster members
How do you change the chart filters in a report?
Reports > Layout tab > right-click chart > Chart Properties
While you can directly edit the layout of predefined ____, you cannot with predefined _____
Reports; templates
How do you view a graphical view of scheduled reports?
Reports > Advanced > Report Calendar
What two ways are there to attach a report to an incident?
Reports > Generated Reports: manually after incident creation, by right-clicking the report and selecting "Attach to Incident". You can also manually attach by going to FortiSOC / Incidents & Events > Incidents, clicking the Reports tab, then clicking Add. Or automatically by a SOAR automation playbook
Where can you clone a report from?
Reports > Report Definitions > All Reports
Where can you create a new report from blank?
Reports > Report Definitions > All Reports
Where can you view reports?
Reports > Report Definitions > All Reports
Where can you create, or clone and modify, existing charts?
Reports > Report Definitions > Chart Library
Where can you create or clone a dataset?
Reports > Report Definitions > Datasets
SELECT * FROM $log
Reports > Report Definitions > Datasets, Query: SELECT * FROM $log. This query will return everything from the log type you specify. It will retrieve the column heading names and indicate what is available in the database schema for the selected type.
How do you search for specific logs in Log View?
Select the device where it says "All Devices" in the top-left corner; select the log type on the left-hand side (traffic, security, event); apply any filters, such as category description for web filter logs, time frame, source or destination IP, etc.
List the features of blank reports
Settings and layout are customizable; option to save it as a template; however, everything is blank, so you must configure it
diagnose ha stats
Shows HA stats
diagnose ha status
Shows HA status
Log insert lag time
Shows the amount of time between when a log was received and when it was indexed, or the difference between the log being received and the log being inserted into the database
What are the insert vs receive rate graphs in System Settings?
Show the rate at which raw logs reach the FortiAnalyzer (receive rate) and the rate at which they are indexed (insert rate) by the SQL database and the sqlplugind daemon
What does the failed authentication section of FortiView display? FortiView > System > Failed Authentication Attempts
Shows the source IP of the login, login type (admin, SNMP, etc.), interface, and number of failed attempts
What logs are collected? (4)
Logs - traffic, event, security; DLP archive - email, IM, web traffic, FTP, NNTP; Quarantine - log files quarantined by device; IPS packet log - logs the network packets containing the traffic matching IPS signatures
What is synced between HA members in a cluster?
Logs and data, and system and config settings applicable to HA
DLP archive
Logs information about sensitive data trying to get in or out of your network: email, IM, web traffic, FTP, NNTP. 1 of 4 types of collected logs
What is the default setting for securing log communication between FAZ and FortiGate?
OFTPS
How do log forwarding and communication with FAZ work for devices in an HA cluster?
Only the primary communicates with FAZ. The secondary sends its logs to the primary, and the primary forwards them to FAZ
OFTP
Optimized Fabric Transfer Protocol, used when information is synchronized between FortiAnalyzer and FortiGate. Listens on ports TCP/UDP 514
OFTPS
Optimized Fabric Transfer Protocol (secure). Listens on port TCP 514 and UDP 514. Default setting for securing communications between FortiGate and FortiAnalyzer
Under what situation must ADOMs be enabled on FortiAnalyzer? When a FortiGate device wants to register with FortiAnalyzer, or when a FortiMail device wants to register with FortiAnalyzer?
When a FortiMail device wants to register with FortiAnalyzer
Benefit of using the Security Fabric to set up FortiAnalyzer
When done on the upstream FortiGate, any downstream FortiGates will automatically receive the configuration for FortiAnalyzer and will all automatically request registration to FortiAnalyzer
When is Fabric SP used in SAML?
When FortiGate is acting as the IdP
When is data added to a report?
When it is generated
When does hcache not need to be rebuilt?
When no new logs are received for the reporting period
When are logs moved to archive?
When the log file reaches a specific size, it rolls over and is archived
How else can you customize Log View besides adding filters and such?
You can add and remove columns by clicking the grid icon in the top right next to Custom View. You can view raw logs or formatted logs by clicking the wrench icon in the top right next to the column icon
Which statement about ADOM advanced mode is true? You must assign a FortiGate and all of its VDOMs to a single ADOM, or you can assign the FortiGate VDOMs from a single device to multiple FortiAnalyzer ADOMs?
You can assign the FortiGate VDOMs from a single device to multiple FortiAnalyzer ADOMs
Instead of creating a new chart, what can you do if FortiAnalyzer includes an existing chart that is very similar to the output you want?
You can clone and modify the chart
FortiView Monitors dashboard and widget features
You can create predefined or custom dashboards; you can add, delete, move, or resize widgets; you can add the same widget multiple times and apply different settings (such as chart type) to it; you can resize widgets or display them in full screen
How can Log View be restricted?
You can display logs for one or more devices in the ADOM, or for a log group
Features of a blank template
You can edit the layout, but it is completely blank, so you must configure it. The toolbar allows you to insert existing charts and macros and lets you add formatted text as well as images and links. You can also save it as a new custom template and then use that template in reports
What is Custom View used for in Log View?
You can save frequent searches as a custom view with the Custom View icon on the toolbar
What must you know in order to create a query? (Hint: it has to do with one of the two parts that comprise a chart)
You have to know what data/information is available to extract for the report (dataset) (database schema)
Why may advanced SQL knowledge be required?
You may need to construct custom SQL queries, known as datasets, to extract the data you require from the database
What do you need to do after you configure report grouping using the config system report group CLI command?
You must rebuild the report hcache tables with the command: exec sql-report hcache-build <ADOM name> <schedule name> "<start time>" "<end time>"
What are event handlers? Threats identified by FortiGuard, or specific matched conditions in the raw logs?
Specific matched conditions in the raw logs
Aside from increasing your disk log quota, what can you do to better manage your logs on disk, and where can these be configured? (2)
Specify a global log roll policy to roll or upload logs when the size exceeds a threshold (System Settings > Advanced > Device Log Settings); specify a global automatic deletion policy for all log files, quarantined files, reports, and content archive files on FAZ (System Settings > Advanced > File Management)
Templates
Specify the layout, text, charts and macros to include in the report that uses it
If an administrative user's job description requires them to manage devices but not system settings, what is the most appropriate default admin profile to assign?
Standard_User
Method 2 of device registration
The FortiAnalyzer administrator uses the device registration wizard to register the device. If the device is supported and the details are correct, then the device is registered
What two ways can you log into FortiAnalyzer for the first time?
The GUI, or using a terminal emulator for the CLI
If a report is generating abnormal usernames, what should you look at?
The user obfuscate setting in the advanced report settings
By default, templates are associated with what kind of reports?
Their predefined reports, e.g., the 360 degree security review template is used by the 360 degree security report
How are fabric connectors beneficial
They reduce storage costs, improve redundancy, and reduce performance degradation
What is hcache
When a report generates, the system builds the charts from pre-compiled SQL hard cache data, or hcache
How do you decide if you should customize the template or the report
Think about the amount of customization required, whether you want to preserve most of the report settings, and whether you want to use the layout for one report or many reports
The purpose of the auto-cache setting on reports
To automatically update the hcache when new logs arrive
Why should hcache be enabled
To ensure reports are efficiently generated
Subsummaries of the threat summary for Fortiview (4)
Top threats, Threat map, Compromised hosts, Fortisandbox detection
What information does device manager show
Total devices, total devices with down log statuses, total storage used. Per device: name, IP, platform, log status, average log rate, device storage percent
What does the fortisoc events dashboard display (4)
Total events generated/mitigated/unhandled, events by severity, top events by type, top events by handler
What does the fortisoc incidents dashboard display (3)
Total incidents, unsolved incidents, and incidents timeline
What is included in the fortisoc playbook dashboard (5)
Total playbooks executed, total playbook actions executed, playbooks executed, overall time saved, total executed playbooks and actions
How is allocated space determined
by adding the archive and analytics quota for all ADOMs
True or false: each ADOM has its own data analysis on fortiview
True
True or false: you can import and export reports and charts into a different ADOM within the same FAZ or a different FAZ, BUT what must be the same
True. The ADOM type must be the same
True or false. You can use fortianalyzer HA with different licenses
True, but the license that allows for the smallest number of devices is used
True or false: you can store reports externally
True. You can configure fortianalyzer to email generated reports to specific admins or upload them to a syslog server
Feature to restrict or permit access based on IP address
Trusted host
Diagnose ha debug-sync {on | off}
Turn on sync data debug to troubleshoot syncing
When using PKI what are the authentication options (2)
Two factor, or certificate only
what is required to use log fetcher
Two fortianalyzers running the same firmware
If datasets are not retrieving correct information what should you look at
check the SQL query associated with the dataset
What notification options are available for an event handler
Alert through fabric connector, alert email, SNMP trap, syslog server alert
Admins with the super_user profile have access to: a. All ADOMs b. Assigned ADOMs
All adoms
Name 5 predefined event handlers
Local device event, Default-botnet-communication-detection-by-threat, Default-risky-app-detection-by-threat, Default-malicious-file-detection-by-threat, Default-risky-destination-detection-by-endpoint
Where do you enable remote logging to fortianalyzer in fortigate (2)
1) Log and report > log settings > remote logging and archiving > send logs to fortimanager/fortianalyzer 2) Security fabric > fabric connectors > security fabric setup
Where can you download rolled logs
Log browse
What log feature is used to perform analysis on archived logs
Log fetch
Which fortianalyzer feature allows you to obtain the archive logs of specified devices from another fortianalyzer device? a. Log forwarding in aggregation mode b. Log fetching
Log fetching
Two ways to enable fortianalyzer logging on fortigate
Log settings or security fabric
Where to create a log group
Log view > log group > create new
Execute lvm info
Provides a list of available disks
What is the report calendar
Provides an overview of all your scheduled reports
Which fortianalyzer feature becomes available when you subscribe to fortisoc service
SOAR
What is required to automatically attach a report to an incident
SOAR license
What language does fortianalyzer use for logging and reporting, and what database does it use
SQL; PostgreSQL
What is disabled by default when the fortianalyzer is in collector mode causing certain logs to not be available. How can this be fixed?
SQL database is disabled so logs requiring the SQL database won't be available unless the SQL database is enabled in the CLI
When creating a new data set what do you need to write
SQL select query
What are the requirements for devices to be in a cluster together
Same fortianalyzer series, firmware, and same operation mode
What must be the same to restore an encrypted backup
Same model and firmware version
When you edit the layout of a cloned report what option does it give you to make report creation simpler next time
Save as template
What features require system time to be set correctly
Scheduling, logging, SSL-dependent features
Sdwan performance monitor widgets
Sdwan performance status, jitter, latency, packet loss, Sdwan utilization by application, bandwidth utilization by Sdwan rules, Sdwan link utilization, Sdwan high and critical events, and Sdwan rules utilization
If a hard disk on a fortianalyzer that supports software raid fails what should you do
Shut down fortianalyzer and replace the disk
Depending on disk size (small, medium, large, very large), what level is reserved for system usage
Small (< 500 GB): 20% or 50 GB (whichever is smaller); Medium (500-1000 GB): 15% or 100 GB; Large (1000-3000 GB): 10% or 200 GB; Very large (3000-5000 GB): 5% or 500 GB
Diagnose system disk errors
SMART error logs
Diagnose system disk health
SMART health status
Diagnose system disk info
SMART information
If you have a high volume of logs why should you consider increasing ADOM log quota
So oldest logs are not lost
Where is HA implementation not supported
Some public cloud infrastructures such as AWS, AZURE, and Google cloud platform
Vital difference between template and reports
Templates include only the details you can find under the layout tab of the report; they don't include report settings
After you write an SQL select query for a custom data set what can you do to ensure the query is well formed
Test it with the test button
Your ADOM data policy is set to keep logs in archive for 365 days, but the logs are being deleted prematurely from that ADOM and cpu resources are also high. What is most likely the problem?
The ADOM disk quota is set too low based on log rates
Forti carrier log types
Traffic, Event
Forticache log type
Traffic, Event, Antivirus, Web filter
What are the three log types for fortigate
Traffic, Event, Security
Forticlient log types
Traffic, Event
Supported device log types (3)
Traffic, Event, Security (1 of 4 types of collected logs)
Diagnose fmupdate dbcontract fds
Used to find out about license validity and expiry details (SCPC is storage connector service)
Fabric view assets pane
Useful for incident response: check assets that are infected or vulnerable as part of SOC analysis; and compliance: identify unknown and non-compliant users and endpoints
If forticlient is not installed on endpoints what kind of information is not available for endpoints
User information, OS version, avatar, social ID, etc.
What does fortiview > system > admin logins display
User, duration, logins, failed logins, config changes
How can you protect your logs
Using RAID
How do you specify the criteria that dictates what data is extracted from the SQL database
Using a select statement followed by the clause
On what kind of network does fortianalyzer HA work (has to do with a protocol that is permitted), and what is that protocol for
VRRP (virtual router redundancy protocol). Used to eliminate a single point of failure by creating a virtual router
What is the maximum number of ADOMs
Varies by fortianalyzer model
Diagnose system disk attributes
Vendor-specific SMART attributes
Raid 5
Block-level striping with distributed parity. Data and parity are striped across three or more disks. Better performance than mirroring, as well as fault tolerance for a single drive failure
Example of a generic text filter for custom event handler filter
dstip==192.168.1.168 and hostname ~ "Facebook"; dstip==192.168.1.168 and ( dstport == 514 or dstport == 515 )
Which is the only mandatory clause in a SELECT statement
FROM
When creating a new chart what options does it have you select
Name, description, data set, resolve host name, chart type, data bindings, table type, columns
What data does the CLI command # diagnose sql show hcache-size provide
Hcache size on the file system
Aside from keeping the level of detail of reports down to a minimum, why else is it a good idea to shorten reports
Helps with performance because large reports affect CPU and memory
What information is needed to create a fetch profile for the fetch server on the fetch client
Name, server IP, user, password
What information is required about a device when using the "add device" registration wizard in fortianalyzer (5)
IP address, serial number, device name, device model, firmware
What are some details that are shown for a compromised host
IP and hostname, detection time, number of threats, detect pattern, threat type (i.e. malware), threat name (sinkhole or CnC), category, detection method, # of events, security action, log type
True or false: the FAZ encryption level must match the fortigate for OFTP only
No, the FAZ must have an encryption level equal to or lower than the fortigate
What are the three types of fabric connectors that can be created in fabric view and what are the connectors for each
ITSM: ServiceNow, webhook; Storage: Amazon S3, Microsoft Azure Blob, Google; Security fabric: Forticlient EMS
What options does fortianalyzer have for its role with SAML (3)
IdP, SP, or fabric SP
Does transfer of logs to a file server begin instantly
No, the logs are compressed first and stored in archive
If you have one fortianalyzer can you log fetch?
No, you would have to export and import the log file
When would you turn log sync off
If you want to use fortianalyzer as a standby device and not a backup device
What OS does the fortianalyzer server run on
Linux
Diagnose dvm ADOM list
List all adoms
What else can you use instead of a password: password and token, password and _____, and ______ with PKI
Password and digital certificate; certificate
Three fortiSOC dashboards
Playbooks, Incidents, Events
Three steps to set up log forwarding
1) set log forwarding mode 2) configure the server 3) configure the client
Disk quota is assigned to the ____
ADOM
What determines how long logs are kept in analytics (AKA SQL database)
ADOM data policy
Are output profiles a global or ADOM specific setting
ADOM specific
What is required to be enabled if you want to register a non-fortigate device on fortianalyzer
ADOMS
When registered devices send logs to fortianalyzer how are the logs processed
1) raw logs are compressed and saved in a log file on the FAZ disk 2) logs are indexed on the SQL database
How many log fetching sessions can be established at once
1
How many wildcard Accounts are permitted when using two factor
1
Report workflow (5)
1) SQL database log files 2) SQL SELECT query (dataset) 3) results of dataset query 4) dataset creates chart 5) chart or charts make up report
Three ways to implement log redundancy
1) configure FAZ HA cluster 2) configure fortigate to send logs to a backup log server 3) set up log forwarding in aggregation mode
Steps to configure HA (6)
1) set operation mode 2) set preferred role 3) set cluster interface and virtual IP 4) specify the other peer members' IP and serial number 5) specify group name, group ID, password 6) heartbeat interval and priority settings
Steps to increase disk space on FAZ VM (4)
1) stop the FAZ VM and add a new disk 2) reboot FAZ and run the command execute lvm info 3) run execute lvm extend <disk number> 4) reboot FAZ and run get sys status to see the new disk
Max number of trusted hosts
10
What is default HA priority
100
By default how much disk space is each ADOM allowed and what is the minimum configurable limit
1000MB No less than 100mb per ADOM
By default how many charts to the chart library contain
300
By default how many data sets does the data set library contain
400
Max number of HA members
5 (1 primary and 4 secondary)
The system reserves _____ of disk space for ______ and ______
5-20%; system usage; unexpected overflow
How far back can you view history for IOC
7 days
How much disk space is actually available for allocation to drives
75%-95%
For fortianalyzer VMs what is the minimum memory recommended
8 GB
What percent of used disk quota will FAZ start removing raw and archive logs
95%
FortiAnalyzer uses the Optimized Fabric Transfer Protocol (OFTP) over SSL for what purpose? a. To encrypt log communication between devices b. To prevent log modification
A
What happens when a log file saved on FortiAnalyzer disks reaches the size specified in the device log settings? a. The log file rolls over and is archived. b. The log file is stored as a raw log an
A
What is the virtual IP for
An IP for the cluster as a whole to provide redundancy. Devices will point to the virtual IP
If your fortianalyzer is a VM what can you also use as a configuration backup
A VM snapshot
What can fortianalyzer be described as
A central log repository that aggregates data from multiple fortinet devices into a single view
SQL select query
A command that selects specific read only data from the SQL database
What is needed in order to send logs to cloud platforms (2)
A fabric connector and a separate license for storage connector service
What is a FAZ report (simplify)
A set of data organized in charts
If uploaded logs reach the stored data limitation prior to the storage connector service license expiration, what is needed in order to continue to use this cloud service
A license renewal
What is created in HA and via what protocol
A virtual IP via VRRP, and MAC
What is a log group
A virtual grouping of devices placed together in a single logical object. They do not have SQL databases or occupy additional disk space
What must be enabled to collect logs from non fortigate devices
ADOMs
Which fortianalyzer feature allows you to group devices that administrators can monitor and manage
ADOMs
Two HA modes
Active-active, active-passive
How is used space determined
Adding the archive and analytics logs and all the system files mounted on the drive
What is the simple task that a chart does
All the chart does is convert the text-based results of a query into a graphical format of your choosing
Which logs are considered online and offer immediate support
Analytic (indexed) logs
What type of logs are restored in the SQL database
Raw logs
What does disk quota include (3)
Raw logs, archive files, SQL database tables
Daemon for receive rate
Raw receiving rate to FAZ: fortilogd
After completing initial configuration what should you do as a best practice
Back up the configuration
How does FAZ create a report
Based on configured parameters FAZ analyzes logs collected from the managed devices and presents the information in a graphical or tabular format
Why are logs from AV/IPS not used for FAZ IOC feature
Because AV and IPS threats are detected and prevented by the fortigate
What are contained in the meta fields in system settings
Contact email and phone for admins; company/organization; contact email, phone, and address for devices
Two CLI options
CLI widget on dashboard or a terminal emulation program
Fortigate miglogd process
Caches logs on fortigate when fortianalyzer is not reachable. There is a max cache size, so it will drop logs if it is reached. Intended for when you need to upgrade firmware, not for a lengthy outage
What is the additional info box used for when creating a new event handler filter
Can be used to change the default event handler queries and create custom messages/notifications. Provides custom information, including specific details from fields and variables. This can be included in email notifications or passed to fabric connectors such as ITSM ServiceNow
For security reasons, what is one of the first tasks you should do and where to do it
Change admin password under system settings > admin > administrators > right click admin user > change password
~
Contained
Command to set fortigate encryption level for FAZ log transfer
Config log fortianalyzer setting; Set enc-algorithm <high-medium | high* | low>
CLI command to enable ADOM
Config sys global; Set ADOM-status enable
How to enable or disable auto completion for log view
Config sys global; Set default-logview-auto-completion (enable|disable)
What to do if major changes are required to existing templates or reports, meaning no report meets your needs
Create a new template or report from scratch
What are new or cloned data sets, charts, templates, and reports categorized as
Custom
What is a clone chart categorized as
Custom chart
How do you see more details on an event under the all event monitor in fortiSOC (2)
Double click the event to see details such as associated logs, or right click to acknowledge or add comments
How do you view more information about a log in log view
Double click the log and the details pane appears
Name some default reports
Detailed user report, Forticlient report, DNS report, Email report, Sandbox detection report, Admin and sys events report, Cyber bullying indicators report, Application and risk control report
What is included in content files
DLP, AV, quarantine, IPS
5 security recommendations for deploying fortianalyzer
Deploy in private network; use trusted hosts; use HTTPS and SSH; use secure passwords; store passwords somewhere safe
What are the 7 FAZ panes
Device manager, Fortiview, Log view, Fabric view, FortiSOC, Reports, Settings
After a device is registered, where does it appear in its ADOM
Device manager
Fortianalyzer synchronizes the configuration of what modules to all cluster devices
Device manager, event manager, reports, most system settings
How to manually configure device as HA cluster
Device manager > ha cluster enable > add serial of cluster member
Diagnose ha dump-datalog
Dump ha datalog
==
Equal
Why do you need to examine log chains instead of an individual log
Examine all to get a full picture of the forensic evidence, to understand what is going on and how a breach occurred
What are log group reports useful for
Examining large networks as a whole; grouping devices by purpose (geolocation, etc.)
What protocols are supported for backing up logs to a file server
FTP, SCP, SFTP
>
Greater than
Fortimail log types
History, Event, Antivirus, Email filter
When is HA not supported
If fortimanager features are enabled on fortianalyzer
What RAID levels are supported
Linear, 0, 1, 1+spare, 5, 5+spare, 6, 6+spare, 10, 50, 60
Where can you insert macros
Into custom templates or into the layout of reports
Which value is used to select a new primary device in the event of a fortianalyzer HA failure? a. Serial number b. Ip address
Ip address
You are looking through the fortianalyzer panes and can't find Fortiview. What happened and how can you fix it
It can be enabled and disabled in the CLI for performance tuning. The command to disable it is: Config sys global; Set disable-module fortiview-noc
What is an administrative profile and how to make/edit
It defines administrative privileges and is required for each admin account. System settings > admin > profile
A macro in fortianalyzer is____
It defines which data is to be selected from a log; it represents a data set query in an abbreviated form
Why does the license information widget show a value lower than the disk quota
It includes only raw logs uploaded from fortigate to fortianalyzer in one day
What is fortisoc and what does it enable
It is a subscription service that enables security orchestration, automation, and response (SOAR) and security information and event management (SIEM) capabilities and provides incident management with playbook automation to accelerate incident response
What is a predefined report
It is associated with a predefined template (layout). The report comes with basic default settings configured, which define the time period to run the report, what devices to run it on, and whether it generates a single or multiple reports
What is a wildcard admin account
It is the "match all users on remote server" option under administrators. It allows multiple remote admin accounts to match one local admin account
If hcache is not built when you run the report, what must happen
It must create hcache first
What is playbook monitor
It shows the status of playbook jobs
When will the OFTPS protocol be used to secure log Communication
It defaults to auto-negotiate, so it is used only if it is being used by the connecting fortigate
<
Less than
IPS packet log
Logs the network packets containing the traffic matching an IPS signature (1 of 4 types of collected logs)
What is a good way to break up ADOMS (has to do with disk quota)
Low volume log devices vs high volume log devices so that the disk quota enforcement doesn't affect the low volume devices
What are macros
Macros specify what data to extract from the logs; they represent data set queries in abbreviated form. You can insert macros as data in your reports without having to use a chart to display the data
What can you insert as data in your reports without having to use a chart to display the data
Macros
Which one of the following statements about macros is true? a. Macros are abbreviated data set queries b. Macros cannot be customized
Macros are abbreviated data set queries
Fortisandbox log types
Malware, Network alerts
Two spots to manually attach a report to an incident
Manually after incident creation, by right clicking the report and selecting "attach to incident". You can also manually attach by going to FortiSOC > incidents and events > incidents, clicking the reports tab, then clicking add
Preferred roles for HA and what each means
Master and slave. If set to master, the device will become primary if it is configured first in the cluster. If there is an existing primary device, then it will become backup
Which log checksum algorithms are available
md5: record log file hash; md5-auth: record log file hash and authentication code; none
Features of password policy
Min length; specify if characters and numbers must be included; password expiry (make sure you change the password before it expires)
What is minimum raid
Mirror or stripe of two drives
RAID 10 level comprises of what data format
Mirroring and striping
Can you Delete a pre-defined report
No
What is cluster status pane and what information is displayed
Monitors the status of fortianalyzer devices in an HA cluster. Displays information about the role of each cluster device, the HA status, and the configuration of the cluster: role, serial number, IP, host name, uptime/downtime, initial logs sync, configurations sync, and message
Local system performance monitor and what are the widgets
Monitors the system performance of the fortianalyzer unit running the fortiview module, not the logging devices. Widgets: CPU and memory usage, multi-core CPU usage, insert rate vs receive rate, receive rate vs forwarding rate, disk IO, resource usage average, resource usage peak, failed authentication attempts, system events, admin logins
What does a raid array require
Multiple identical drives (at least two that are the same size)
Are ADOMS enabled by default
No
Are local credentials required if a remote server is being used?
No
Is raid a replacement for backing up logs
No
Is raid supported on all fortianalyzer models
No
Is there a password recovery option for fortianalyzer, and what two things can you do if you forget your password
No. 1) Factory reset the VM/appliance: run the execute migrate command; the default admin password can then be used 2) Format the flash and reload the image from the BIOS config menu
Can you dynamically add disk space with FAZ hardware
No, disk space is fixed, so you have to add a new disk
On fortianalyzer devices that support RAID do you have to power off the device to replace a failed drive
No, it is hot-swappable (on hardware RAID only)
If fortianalyzer has software raid does it support hot swapping
No, it should be powered down
True or false: it's required to separate devices in ADOMs by FortiOS version
No. You're not pushing configs, so the FortiOS version doesn't matter. You just need to separate by device type (unless it's the default fabric ADOM)
What two modes can ADOMS operate in and what is the difference
Normal and advanced. Normal means fortigate VDOMs on a single device cannot be assigned to different ADOMs. Advanced means that fortigate VDOMs from a single device can be assigned to different ADOMs
!~
Not contained
!=
Not equal
How are local administrators logins validated
On the fortianalyzer
How many triggers can a playbook include
One
Difference between log rate and message rate commands for troubleshooting
One log message can consist of multiple logs in LZ4 format
Compromised hosts monitor widget (pane names)
One widget with two panes: Compromised hosts and Compromised hosts incidents
In order to configure IOC what is required (3)
One year subscription to IOC; web filter services subscription on fortigates; web filter policies on fortigates that send traffic to fortianalyzer
Where can you view administrator activity and what user profile is able to see this
Only super_user; System settings > event log
What is aggregation mode
Only supported by two fortianalyzer devices. One acts as a collector and the other as the analyzer (the bigger FAZ). The collector will compare its logs to the analyzer and send a delta (incremental changes) of the logs. Provides a level of redundancy, because if the analyzer fails the collector can repopulate the analyzer, and it limits the traffic sent
When you apply filters to a report chart, which reports does it affect
Only the chart within the one report
What two things does the fortianalyzer features available depend on
Operating mode and the profile logged in (restricted users and standard users won't have full access privilege)
How are the SQL database tables distributed
Per ADOM
How is disk space allocation set? Globally or per adom
Per ADOM
How are raw and archive logs distributed
Per device
Get system performance
Performance stats on fortianalyzer
Allocating insufficient quota to an ADOM can cause problems: (3)
1) Prevent you from reaching your log retention objective 2) Cause unnecessary CPU usage enforcing quota with log deletion and database trim 3) Adversely affect reporting if the quota enforcement acts on analytical data before a report is complete
Diagnose system print certificate
Print IPsec certificate
Diagnose system print netstat
Print network statistics for active internet connections: Proto, Local address, Remote address, State
Diagnose system print partitions
Print partition information of the system
Diagnose system print loadavg
Print the average load of the system
Diagnose system print cpuinfo
Print the CPU information: processor, vendor id, cpu family, model, model name, cpu mhz, cache size, physical ID
Diagnose system print df
Print the file system disk space usage
Diagnose system print route
Print the main route list: Destination, Gateway, Gateway mask, Flags, Metric, Reference, Use
Diagnose system print hosts
Print the static table lookup for host names
What external authentication servers are supported
RADIUS, LDAP, TACACS+, PKI
Different raid levels
RAID 0: striping; RAID 1: mirroring; RAID 5: striping with parity; RAID 6: striping with double parity; RAID 10: combining mirroring and striping
Diagnose system raid alarms
Raid alarm logs
Diagnose system raid hwinfo
Raid controller hardware info
Diagnose system raid status
RAID status, including RAID level, RAID size, and hard disk information
Insert rate
Rate at which logs are indexed by SQL database by the sqlplugind daemon
Receive rate
Rate at which raw logs are reaching FAZ
What type of logs do event handlers work in (raw or database)
Raw
What are the 6 raid disk statuses and what each mean
Ready: functioning normally. Rebuilding: writing data to a newly added hard drive; not fully redundant until complete. Initializing: writing to all hard drives in the device in order to make the array fault tolerant. Verifying: ensuring the parity data of a redundant drive is valid. Degraded: a hard drive is no longer being used by the RAID controller. Inoperable: one or more drives are missing; the drive is no longer available to the OS, and data in the inoperable state cannot be accessed
What does HA provide (3)
Real time redundancy; synchronize logs and data between members; alleviate the load on the primary device by load balancing processes on secondary devices
benefit of FAZ HA cluster
Real time redundancy: if the primary fails, another device will take over. Data is synchronized securely among cluster members. Provides load balancing for processes such as report running
Forwarding log mode
Real-time or near real-time log forwarding to servers (forwarded as logs are received). Does not forward content files (DLP, antivirus quarantine, and IPS)
If you move a device from one ADOM to another and the device's analytic logs are required for reports in the new ADOM, what do you do and how
Rebuild the SQL database: Exec sql-local rebuild-adom <new ADOM name>
If you move a device from one ADOM to another and you don't want the device's analytic logs in the old ADOM, what do you do and how
Rebuild the SQL database: Exec sql-local rebuild-adom <new ADOM name>
Why is it better to resolve IPs on fortigate side instead of on fortianalyzer side (2)
Reduces load and latency on FAZ; allows source and destination IPs to be resolved instead of just the destination
RAID
Redundant Array of Independent Disks. A storage solution that provides a redundant copy of log data by combining multiple drives into a logical unit
Swap memory
Refers to the space available to use when the physical memory is full and the system requires more memory; basically emergency memory. The system takes data stored in RAM that hasn't been used recently and swaps it into the virtual swap space to make more room in RAM
In order to start collecting logs a device must be _____
Registered
If the disk quota (raw + SQL) is estimated to be above 95%, what does FAZ do
Remove the raw logs and corresponding archive logs until the disk quota is down to 85%
Where do you enable auto-cache for reports
Report > report definitions > all reports > report name > settings
Where can you clone a template
Report > report definitions > template
Where can you obtain the schema for a specific log type?
Reports > report definitions > datasets Query: SELECT * FROM $log This query will return everything from the log type you specify. It will achieve the column heading names and indicate what is available in the database schema for the selected type.
Where can you see the pre-defined macros or create custom macros
Reports > report definitions > macro library
Where do you specify a log group to run reports on
Reports > report definitions > select report > settings > devices > specify log group
Where can you create a new template
Reports > report definitions > templates
Where can you view templates
Reports > report definitions > templates
Method 1 device registration
Request from a supported device. The administrator of the device requests the registration, and the fortianalyzer admin accepts or denies the request
Trusted hosts and max number
Restrict login access to a specific IP or subnet, and apply to both GUI and CLI; 10
What can you do if you find a specific log with interesting data and you want to display all other logs with that same interesting data
Right click the interesting data (column and row) and select add filter
Unregistered device appear in the ______ until registered and assigned to an ______
Root ADOM; ADOM
If reports are taking long to generate what can you do to troubleshoot (4)
1) Run diagnostics on the report to view the report summary at the end of the report, and look at hcache time to see how long it took to build 2) Check log rates to see the volume of logs 3) Check the insert rate, receive rate, and log insert lag 4) Enable auto-cache in the report settings
Diagnose ha restart-int-sync
Run on master; restart HA initial sync
Diagnose ha failover
Run on master; force HA failover
What feature allows you to look at log data from a group as if it were a single device
Run reports on log groups
When you move a device from one ADOM to another, what is the point of rebuilding the database?
So you can run reports on the device's analytic logs in the new ADOM. Only the archived logs move with the device; the analytic (indexed) logs stay in the old ADOM until the SQL database is rebuilt.
What should you always do after erasing the configuration on flash
Run the execute format disk command
Statuses for the playbook monitor
Running Success Failed
Besides local and remote authentication (and 2FA), what other option is available for authentication under the admin settings?
SAML SSO
What is SAML
SAML SSO (single sign-on). Security Assertion Markup Language is an XML standard that allows a single repository for authentication to be maintained across internal and external systems. There is an IdP (identity provider, the main authenticator) and an SP (service provider); when someone logs into an SP, the SP forwards the request to the IdP for authentication.
Which is the only SQL statement used to populate reports
SELECT
Which is the only file server upload protocol that can use the log checksum to prevent MITM attacks
SFTP (over SSH)
If ADOMS are enabled what do you need to do when you log in
Select the ADOM you want to view
How does FAZ distinguish different devices (hint these are found in the headers for all the different log messages)
Serial number
What command under configure system report group controls which reports that will be contained in the report group function
set report-like <report name string>
If you want to send alerts through emails for things such as event handlers what must need to be set up on the FAZ and where can it be set up
Set up a mail server in system settings > advanced > mail server
How to create a new admin
Settings > admin > administrators > new
How do you configure the report display color on the report calendar page
Settings > advanced settings
In a cloned report what two tabs are editable
Settings AND layout
What does event monitor display in fortiSOC
Shows all events, by endpoint, by threat, and system events. Shows all events generated by your enabled and configured event handlers.
Diagnose log device
Shows disk log usage (allocated and available and reserved) and shows usage for each ADOM
Diagnose ha load-balance
Shows ha load balance status
Daemon for insert rate
sqlplugind (SQL insertion rate)
What does the storage connector service license include
Storage limitation: the amount of data that can be uploaded to the cloud platform. Expiration date: the date up to which storage data can be sent.
Aggregation log mode
Stores logs and content files and uploads them at a scheduled time. Only available between two FortiAnalyzers.
Two raid operation types and what do each mean
Striping: combines two or more drives into a single logical drive and stores data in chunks across all drives. Mirroring: makes identical copies of data on two or more separate physical drives.
How is the total quota value determined
Subtracting reserved space from total system storage
What is the purpose of reports
Summarize large amounts of logged data based on configured parameters. This makes it easier to analyze multiple log files and cross-reference different data points.
What permission is needed to configure ADOM
Super user
Be default what profile is allowed to enable ADOMs
Super_user
By default only what type of admin can see the complete administrator list
Super_user
Three preinstalled default admin profiles and their access levels
Super_user: all system privileges, all device privileges. Standard_user: read/write access to device privileges, no system privileges. Restricted_user: no system privileges, read-only device privileges.
What is admin type group
Supports multiple remote servers. You create several remote servers and then group them together in the CLI; if you select group as the type under the admin account, the admin can authenticate with credentials against any of the servers within the group.
Why may report generation be slow the first time you run a report
System has to create hcache
Config backups contain: and what does it not contain
System information (device IP and admin info); device list (any devices configured to send logs); report information (any configured report settings or custom reports). Does not contain actual logs or generated reports.
What happens immediately after you enable ADOMs and why
The system logs you out so it can reinitialize with the new settings
Where can you view the status of each disk in the raid array and disk space usage
System settings > RAID management
How can you identify which users are currently logged in
System settings > admin > administrators. A green check mark appears next to logged-in users.
Where do you configure external authentication servers
System settings > admin > remote authentication server
How to change ADOM mode in GUI and CLI
GUI: System settings > advanced > advanced settings. CLI: config system global, then set adom-mode {normal | advanced}
How can you configure FortiAnalyzer to upload or email generated reports
1) System settings > advanced > mail server: configure the mail server. 2) For each report, select "enable notification" and choose the output profile. 3) Reports > advanced > output profile: edit the output profile and add the preconfigured mail server and/or the upload server.
How would you move devices from one ADOM to another
System settings > all ADOMs. Edit the ADOM you want to move the device to, select add device, and select the device in the ADOM you want to move it from.
Where can you adjust your disk quota if ADOMs are enabled? Where can you adjust it if ADOMs are not enabled?
ADOMs enabled: System settings > all ADOMs. ADOMs disabled: Log view > system storage.
Where do you set disk quotas if ADOM are enabled
System settings > all ADOMs, or System settings > storage info
How to set the operation mode (analyzer or collector)
System settings > dashboard
Where can you see a visual representation of insert and receive rates
System settings > dashboard
Which FAZ plays the role of the client in log forwarding and which as the server
The FAZ that forwards logs to another FAZ plays the client; the recipient plays the role of the server.
How do ADOMs make administration more secure
The admins will only be able to monitor and manage devices in their assigned ADOM
Mode collector
Collects logs from multiple devices and forwards them in their original format to another device (a FortiAnalyzer in analyzer mode, a syslog server, or a CEF server - common event format)
Why may your search filters not return any results even if the log data does exist and what are three ways to fix it
The filter may be poorly formatted. FAZ looks for an exact match in the log, so the query must be formatted correctly. Fixes: enable case-sensitive search, add columns so the proper field name appears in the filter list, or right-click data in the log table to set a filter for that value.
What do the output profiles specify
The format of the report (PDF, HTML, XML, CSV); whether to email generated reports or upload them to a server; whether to delete the report locally after uploading it to the server.
What must be configured for the initial fortianalyzer set up
The IP address and netmask; the management ports; the default gateway
In a clone template what can you edit
The layout
What data does the CLI command # diagnose fortilogd lograte provide? (a) The log receive rate per second (b) The message receive rate per second
The log receive rate per second
If there are more than one fortianalyzer in the network what must be configured differently on each
The management port must have a unique address
What is the ADOM disk quota and what is the default max
The maximum storage space for the ADOM to store logs (per ADOM, not per individual device). The default maximum is 50 GB.
What are the five summary views for fortiview and what two formats can you view them in
Threats; Traffic; Applications and websites; VPN; System. They can be viewed in tabular or graphical format.
When should you use cloning to make changes for reports and templates
To make minor to moderate changes
Sub-summaries for the FortiView traffic summary (7)
Top sources; Top source addresses; Top destinations; Top destination addresses; Top country/region; Policy hits; DNS logs
What are the threat monitor widgets 5Ts
Top threat destinations; Top threats; Threat map; Top threats by weight and count; Top virus incidents over time
True or false: a FAZ can operate as fetch server or fetch client
True
Event handlers
Under FortiSOC. They are conditions matched against the raw logs, and they determine which events are generated.
After a registration request is made from the FortiGate, where will the request appear on FortiAnalyzer
Under the root ADOM on device manager
If you are wanting to see both local event logs and the application logs of the root ADOM where do you look and why
Under the root ADOM: Log view > FortiAnalyzer > application. Other ADOMs only show the application logs, not the FAZ's own local event logs.
Logging best practices (4)
Upload FAZ local logs to a remote server; increase the local event logging level to debug; configure SNMP traps for critical system events; configure daily log upload for rolled logs
What is a best practice for how fortianalyzer should be plugged into power
Use a UPS
What is a quick way to build a custom data set and chart
Use the chart builder tool
You want to permit administrator logins on FortiAnalyzer from specific locations only. How can you configure this on FortiAnalyzer
Use trusted hosts
oftpd process
Used for disk quota enforcement; enforces the archive file size
sqlplugind
Used for disk quota enforcement; enforces the SQL database size
Non standard admin access protocols (2)
Web service Fortimanager
What can the CLI command # diagnose test application oftpd 3 help you determine? (a) Which ADOMs are enabled and configured (b) Which devices and IP addresses are connecting to FAZ
What devices and IP addresses are connecting to FAZ
diagnose test application oftpd 3
Which devices and IPs are connecting to FortiAnalyzer? Is FortiAnalyzer receiving logs?
diagnose dvm device list
Which devices or VDOMs are currently registered and unregistered
When are the following reports enabled: FortiAuthenticator, Carrier, Cache, Client, DDoS, Deceptor, Manager, Mail, NAC, Proxy, Sandbox, Web
When ADOMs are enabled
When is the fortiSOC module activated and when can users access SOAR features
When FAZ has a valid subscription license
Can you delete a clones report?
Yes
Can you delete cloned templates
Yes
Is it possible to use third party RADIUS and RSA tokens?
Yes
Is auto-completion enabled by default? What is it?
Yes. It fills in filter values for you in log view.
RAID 6
Extends RAID 5 by adding a second parity block: block-level striping with two parity blocks distributed across all member disks. The array can remain operational even if two disks fail.
True or false: IOC will work without Fortiguard sub
False, because IOC uses the FortiGuard threat intelligence package to compare IOC signatures against new and historical web filter logs
<=
less than or equal to
Fortianalyzer SIEM
Parses, normalizes, and correlates logs from Fortinet products and the security event logs of Windows and Linux hosts (with Fabric agent integration). SIEM logs are displayed as Fabric logs in FortiView.
To determine what datasets are associated with a chart what two places do you look
Right-click the chart in the template and click clone chart, OR go to report definitions > datasets
What happens if you add a new disk and your previous disks are configured in a RAID
you need to rebuild the RAID array
What back-end requirements are there to use any external storage method for reports (2)
1) Configure a mail server for emailed reports 2) Configure an output profile
Debug commands to troubleshoot communication issues between FAZ and FGT (3)
1) On FAZ: diagnose debug enable, then diagnose debug application oftpd 8 <FGT IP> 2) On FGT: diagnose log test 3) Review the output on the FAZ
What ADOMS can devices be assigned to
ADOMS with the device type you are adding
Fine tuning a predefined report (4)
Adding log message filters to refine the data that is included; enabling LDAP queries to add an LDAP query to the report (advanced); configuring report language and print settings; customizing the cover page, printing device lists, obfuscating users, and setting color codes
Default username and password; default port and IP address; default management access
admin with no password; port1, 192.168.1.99/24; HTTPS and SSH
Three ways to control and restrict administrative access
Admin profiles ADOMS Trusted hosts
When should you always validate your custom data sets
After a firmware upgrade
What two modes can log forwarding run in
Aggregation Forwarding
Subtypes of the security (UTM) log type
Application control Antivirus DLP Anti spam Web filtering IPS Anomaly (DOS) WAF
What logs are moved to the new ADOM when you move a device
Archive (compressed) logs only. The analytic (indexed) logs stay in the old ADOM until you rebuild the SQL database.
Default data retention for archive and analytical logs
Archive: 365 days; analytics: 60 days
What is not included in the license information logging
Archive logs; FortiGate store-and-forward logs; FAZ aggregated logs; FortiClient logs; SQL tables
Logs in the compressed phase are known as the ______ logs
Archived
What are logs in the compressed phase known as
Archived logs
Where can you apply a filter (2) do reports
At the report level and at the chart level within the report
How can you add historical data to an incident
Attach a report to an incident
Four considerations before creating a report
Audience; purpose; level of detail; format
What does fortianalyzer application logs include
Audit logs for SIEM and SOAR applications
Two factor authentication
Authenticating with something you know and something you have
To boost report performance and reduced report generation time what can you enable
Auto-cache in the settings of the report so that hcache is automatically updated when new logs come in and new log tables are generated
In FAZ what is a dataset: A The database schema B A specific SQL SELECT query that retrieves data from the database
B
Which log forwarding mode stores logs and content files and uploads to another FortiAnalyzer server at a scheduled time? a. Forwarding mode b. Aggregation mode
B
Command to disable fortview for performance tuning
config system global, then set disable-module fortiview-noc
What are the two major types of intelligence that determine the verdict for a compromised hosts
Blacklists of malicious IPs (botnets and DNS sinkholes) and of domain names generated by DGAs; suspicious lists, where each URL carries a ranked score based on the threat intelligence processed daily
Troubleshooting tips if you run a report and it's empty(5)
1) Check the time frame covered by the report. 2) Compare the time frame to the logs and verify that you have the log files for the time in question. 3) Verify that you have logs from the time the report was run and from the device the report was run for. 4) Test the datasets to ensure they retrieve the desired information; if not, check the SQL query associated with the dataset. 5) Check the report's advanced settings and verify that logs match the filters you have set for the report.
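As an added example, not from the original page: a throwaway dataset that checks steps 2 and 3 above directly, returning a row count and the earliest and latest timestamps per device under the same filter the empty report uses. itime (the time FortiAnalyzer inserted the log) and dtime (the device's own timestamp) are assumed column names; $filter is assumed to be the macro that carries the report's time period and device selection.

```sql
-- Run this as a test dataset over the same log type, time period and
-- devices as the empty report. No rows back means the report's time
-- frame, device selection or filter is the problem, not its charts.
SELECT
    devid,
    COUNT(*)   AS log_count,
    MIN(itime) AS first_inserted,
    MAX(itime) AS last_inserted,
    MIN(dtime) AS first_device_time,
    MAX(dtime) AS last_device_time
FROM $log
WHERE $filter
GROUP BY devid
ORDER BY log_count DESC;
```

A device that is present but whose dtime range sits well outside its itime range points to a clock mismatch between the FortiGate and the FortiAnalyzer (synchronize both with NTP) rather than to missing logs.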
Fortianalyzer includes an existing data set that is very similar to what you want what can you do rather than creating a brand new one
Clone or modify an existing
For minor or moderate changes to existing templates or reports, what can you use to customize them? What additional option exists for reports only?
Clone the template or report and then edit the clone. For reports only, you can also create a new report based on an existing template and then edit the new report to suit your requirements.
Which operating mode in fortanalyzer is used to collect logs from multiple devices and then forward those logs to another device
Collector
Raid 60
Combines the block-level striping of RAID 0 with the distributed double parity of RAID 6. Write performance is affected, but redundancy is enhanced; requires 8 drives. Allows failure of two disks in each RAID 6 array.
Raid 50
Combines the block-level striping of RAID 0 with the distributed parity of RAID 5. Fault tolerant against two drive failures (one per RAID 5 set); requires 6 drives.
Raid 10
Combines RAID 1 and RAID 0 by striping across two drives and mirroring to another two drives. Can tolerate two drive failures depending on which two fail. Requires 4 drives.
Archived logs
Compressed logs that are considered offline and offer no immediate analytical support
What is the reserved system usage disk space used for (3)
Compression files; upload files; temporary report files
Command to configure log file checksum
config system global, then set log-checksum {none | md5 | md5-auth}
Command to enable ADOMS in cli
config system global, then set adom-status enable
How can you increase security of your admin accounts
Configure a global password policy System settings > admin > admin settings
IP addresses are not resolving to host names in fortview what do you do (2)
Configure a DNS server under System settings > network, then enable resolution in the CLI: config system fortiview settings, set resolve-ip enable. Alternatively, resolve names on the FortiGate side.
What is a good option to add additional security to external administrators
Configure two factor authentication
Auto-discovery of FortiAnalyzer and how to enable it
Configured on the FortiGate. When enabled, the FortiGate sends hello packets to locate a FortiAnalyzer within the same subnet. If one is found, the FortiGate automatically enables logging to the FAZ and begins sending log data.
config log fortianalyzer setting
set status [enable | disable]
set server <ip_address>
set gui-display [enable | disable]
set address-mode auto-discovery
end
When your resetting the configuration should you do it in the GUI or CLI
Connect to console port and use CLI
Why might you want to use the GUI instead of the CLI during the upgrade process
Connecting to the CLI over SSH may be slow during the upgrade; if you need the CLI, connect over the console port instead
What report elements can be affected by a firmware upgrade
Custom datasets
What is a handy log view feature that makes it so you don't have to reapply a bunch of features every time you look
Custom view. Set the filters, time range, and devices, then save them as a custom view to recall quickly next time.
What can you do if I predefined report doesn't meet your requirements and neither does fine tuning
Customize report
What is distributed parity
Parity data is distributed among multiple drives; requires three or more disks. The parity of data on two drives is computed and stored on a third.
RAID 0
Data split evenly across two or more disks. Goal is speed and performance. No parity information and no redundancy. No fault tolerance. If one disk fails the entire array is affected
Mode analyzer
The device acts as a central log aggregator for one or more log collectors (such as Fortinet devices or a FortiAnalyzer in collector mode)
What is required if you want to resolve hostnames in logs
DNS server configured on fortianalyzer
What system settings are synchronized between cluster members
Dashboard > ADOM widget; All ADOMs; Admin; Certificates > CA certificates; Certificates > CRL; Log forwarding; Task manager; Advanced > mail server; Advanced > syslog server
What panes are available in fortiSOC
Dashboards Automation Event monitor Handlers Incidents
Templates do not contain ______
Data
After you select your data set and chart type in a new chart creation what section is automatically adjusted based on those selections
Data bindings
FortiView monitors pane and what monitor dashboards are available (13) T(AW)C FEF VW ST(AW) LEGS
Designed for use in a NOC or SOC environment where multiple dashboards are displayed on large monitors, to help you monitor network events, threats, and security alerts. It displays both real-time and historical trends. The monitors displayed can be customized: Traffic; Applications and websites; Compromised hosts; FortiSandbox detections; Endpoints; Fabric state of security; VPN; WiFi; FortiClient software inventory; Threat (FortiClient); Applications and websites (FortiClient); Local system performance; Endpoints (FortiClient); Global threat research; Secure SD-WAN
What do log messages contain
Details about specific events that occur on a network, including load on network devices, service usage, and evidence of a breach on the network
How are endpoints detected and displayed in fabric view
Detected based on MAC address and displayed by IP address
HA priority settings
Determines the selection of the primary device. Can be assigned 80-120; a higher number means higher priority.
Devices can be registered only with their _____ ADOM
Device-specific
If ADOMS are enabled, when can you first have the option to move and unregistered device to a new ADOM
During the authorization process you can choose to keep in root ADOM or add it to a custom ADOM
By right clicking the report name on the report calendar what can you do (4)
Edit Disable Delete Download
What can the DLP engine examine
Email Ftp NNTP web traffic
execute reset all-settings
Erases the saved configuration on flash, including IP addresses and routes
execute reset all-except-ip
Erases the saved configuration on flash except the IP and route settings
How to turn off fortianalyzer
execute shutdown
Command to troubleshoot report generation: what is the configuration status of all configured reports?
execute sql-report list-schedule <ADOM>
Command to view report grouping information
execute sql-report list-schedule <ADOM name>
What is the forticlient EMS connector for
Executing EMS operations on endpoints. When configured, the Fabric connector enriches incident-response actions in Assets and FortiSOC.
Command to back up logs in the CLI
execute backup logs <device name | all> <ftp | sftp | scp> <server IP> <username> <password> <directory on server>
Command to restore logs to FAZ
execute restore logs <device name | all> <ftp | sftp | scp> <server IP> <username> <password> <directory on server>
Since you can't export templates and datasets how can you copy a template or dataset from one ADOM to another indirectly
Export the report, then save the layout of the imported report as a template. Export the chart, then save its dataset.
Which FortiAnalyzer features allow you to automatically build a dataset and chart based on a filtered search result
Export to report chart in FortiView; chart builder in log view
What three fabric connector options are there to allow fortianalyzer to send out logs or notifications events
External cloud platforms: AWS, Azure, Google. ITSM: ServiceNow, webhook. Security Fabric: FortiClient EMS.
What other options are there for validating administrator logins
External servers: RADIUS, LDAP, TACACS+, PKI
How can you back up logs on FAZ (3)
GUI; CLI; FTP, SCP, or SFTP server
What command would you do to see CPU Memory hard disk and flash disk usage and availability
get system performance
Command to see: platform, version, serial number, BIOS version, hostname, max ADOMs, ADOM status, time, disk usage, license status
get system status
Which CLI command can you use to find the FAZ ADOM status? (a) get system status (b) show system performance
get system status
Benefit of customizing charts and data sets
Give you the flexibility to pull unique combination of data from the database that doesn't exist in any default chart or data set
>=
Greater than or equal to
What must be configured the same for each member in HA cluster to allow them to function together
Group name Group ID Password
Besides enabling auto cache what else can you do to improve report generation time
Group similar reports to reduce the number of hcache tables and improve auto-cache completion and report completion time
What formats can you review reports in
HTML PDF CSV XML
What formats can a report be viewed in (4)
HTML PDF XML CSV
Diagnose hardware info
Hardware stats for CPU, memory, disk, and raid
Instead of overwriting the oldest logs when the allowed disk space is full, what can you change this behavior to? What is the command?
Have FortiAnalyzer stop logging when disk space is full: config system locallog disk setting, then set diskfull nolog
By default, what encryption level is used for OFTP between FortiGate and FortiAnalyzer
High level
What two verdicts are given to an end device in the compromised hosts fortiview
Infected: indicates a real breach; one or more matches of the blacklisted IPs or DGA domains have been found in the web logs. Highly suspicious: indicates a possible breach.
What two states does fortianalyzer synchronize logs in
Initial sync Real-time sync (log data sync)
Where can you download a specific filtered view for logs
Log view > log type > download
Where do you set disk quota if ADOMS are disabled
Log view > system storage
3 processes used for disk quota enforcement
logfiled, sqlplugind, oftpd
Once registered, fortianalyzer automatically has permission to collect logs. What else needs to be done for fortianalyzer to be able to collect the logs
Logging must be enabled on the fortigate
If a device with a higher priority (or, with equal priority, a higher IP address) joins the cluster, will it become the new primary?
No, not unless the current primary goes down
Log data sync option in HA (default or no)
On by default. Provides real-time log sync among cluster members after the initial log sync.
What two options are available for running a report
On demand or on a schedule
After enabling remote server authentication, where do you apply the setting to allow an admin to use their remote server credentials to login to fortianalzyer
On the admin's account: System settings > admin > administrators > select the account, set the admin type, and select the remote server
Where can you move devices after registration
On the system settings > all ADOMS
When does a playbook task run and for how long
It starts when the playbook is triggered and runs until all subsequent tasks in the playbook are completed
How can you ensure proper log correlation between fortianalyzer and all registered devices
Sync everything with an NTP server
Where can you schedule upload of rolled logs
System settings > advanced > device log settings
Where to enable ADOMS
System settings > dashboard (system information widget), or the CLI
Where do you turn on ADOMs
System settings > dashboard > administrative domain
Where to view raid failures
System settings > dashboard > alert message control. A log message appears if there are failures; you can also check RAID management.
Where can you see the storage connector service license details
System settings > dashboard > license information
How to back up configuration in GUI
System settings > dashboard > system configuration
Once the Storage connector service license is uploaded where can you enable the upload logs to cloud storage feature
System settings > device log settings > cloud storage platforms
Steps to fetch logs on a FAZ
System settings > fetch management. Create a profile for the fetch server on the fetch client, then send a request from the fetch client.
How to configure the client for the FAZ log forwarder and specify which logs get forwarded
System settings > log forwarder
How to check if raid is supported and where to configure
System settings > raid management
You can import and export reports and charts but what can't you export
Templates and datasets
What is done to logs before they are sent and uploaded to a file server
They are compressed and stored in the archive
How long are logs kept in archive
They are deleted at a time specified by the ADOM data policy
After analytic logs are purged from the SQL database based on a specified time frame in the ADOM policy, where do they go
They are purged but remain in the compressed archive
What basic report settings can be configured
Time period Devices Type (single report or multi report)
logfiled process
Used for disk quota enforcement. Monitors the raw log file size, the SQL database size, and the archive file size, and sends commands to the other daemons to process them. Enforces the raw log file size.
Initial HA sync process
Used for the initial setup of the HA cluster. When turned on and a device is added, the primary device syncs its logs with the new device. After sync completes, the backup device automatically reboots; when it comes back up, it rebuilds its log database from the synchronized logs.
What can you do on the IOC fortview
View compromised hosts; drill down for details on the compromise by double-clicking an entry; acknowledge the event by clicking ACK
How do you retrieve diagnostics on a report
View report and right click the report name and click retrieve diagnostics
Which charts and datasets are used in a report
View the template associated with the report; the template includes all the charts in the report. To determine which datasets are associated with a chart, right-click the chart in the template and click clone chart, OR go to report definitions > datasets.
If you select the report time period as last 7 days or last <n> day what is the last day that will be included In the report
Yesterday. Does not include the current day