FortiAnalyzer uses log fetching to retrieve the logs when back online

FortiGate uses the miglogd process to cache the logs

The logfiled process stores logs in offline mode

Logs are dropped

FortiView

Event Management

Device Manger

Reporting

To reduce report generation time

To automatically update the hcache when new logs arrive

To reduce the log insert lag rate

To provide diagnostics on report generation time

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

There is no need to do anything because the disk will self-recover.

Run execute format disk to format and restart the FortiAnalyzer device.

Perform a hot swap of the disk.

Shut down FortiAnalyzer and replace the disk.

Analytics logs will be moved to ADOM1 from the root ADOM automatically.

Archived logs will be moved to ADOM1 from the root ADOM automatically.

Logs will be presented in both ADOMs immediately after the move.

Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.

To record the hash value and authentication code of log files.

To encrypt log transfer between FortiAnalyzer and other devices.

To create the secure channel used by the OFTP process.

To verify the integrity of the log files received.

FortiAnalyzer is using the device MAC addresses to differentiate their logs.

The logs belong to devices that are part of a high availability (HA) cluster.

FortiAnalyzer is receiving logs from the root FortiGate of a Security Fabric.

The device sending logs has two VDOMs in the same ADOM.

What devices and IP addresses are connecting to FortiAnalyzer

What logs, if any, are reaching FortiAnalyzer

What ADOMs are enabled and configured

What devices are registered and unregistered

The endpoint is marked as Compromised and. optionally, can be put in quarantine.

FortiAnalyzer flags the associated host for further analysis.

A new Infected entry is added for the corresponding endpoint.

The detection engine classifies those logs as Suspicious

Configuring fabric connectors to send notification to ITSM platform upon incident creation Is more efficient than third-party information from the FortiAnalyzer API.

Fabric connectors allow to save storage costs and improve redundancy.

Storage connector service does not require a separate license to send logs to cloud platform.

Cloud-Out connections allow you to send real-time logs to pubic cloud accounts like Amazon S3, Azure Blob , and Google Cloud.

RAIDO

RAID 5

RAID1

RAID 6+0

RAID 0+0

To properly correlate logs

To use real-time forwarding

To resolve host names

To improve DNS response times

FortiAnalyzer HA can function without VRRP. and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.

FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.

All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.

FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.

Log type Traffic logs.

Logs that roll over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL.

Raw logs that are compressed and saved to a log file.

Set the ADOM mode to Advanced

Assign the ADOMs to the administrator’s account

Configure trusted hosts

Assign the default Super_User administrator profile

It can be used for fast data processing and log correlation

It can be used to facilitate communication between devices in same Security Fabric

It can include all Fortinet devices that are part of the same Security Fabric

It can include only FortiGate devices that are part of the same Security Fabric

To increase reliability

To expand bandwidth

To maximize resiliency

To improve security

It requires a FortiManager configured to manage FortiGate

It requires a dedicated FortiSOAR device or VM.

It does not include a limited trial by default.

It runs as a docker container on FortiAnalyzer

By attaching it to an event handler alert

By editing the settings of the desired report

From the properties of an existing incident

Saving it in JSON format, and then importing it

This command records the log file MD5 hash value.

This command records passwords in log files and encrypts them.

This command encrypts log transfer between FortiAnalyzer and other devices.

This command records the log file MD5 hash value and authentication code.

The traffic destination is another FortiGate in the fabric.

The upstream FortiGate is configured to do NAT

Log redundancy is configured in the fabric.

The downstream device cannot connect to FortiAnalyzer.

Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.

Macros are supported only on the FortiGate ADOM.

Macros are useful in generating excel log files automatically based on the reports settings.

Macros are predefined templates for reports and cannot be customized.

An account that permits access to members of an LDAP group

An account that allows guest access with read-only privileges

An account that requires two-factor authentication

An account that validates against any user account on a FortiAuthenticator

The number of times in the logs where end users experienced slowness while accessing resources.

The amount of lag time that occurs when the administrator is rebuilding the ADOM database.

The amount of time that passes between the time a log was received and when it was indexed on FortiAnalyzer.

The amount of time FortiAnalyzer takes to receive logs from a registered device

Remote logging must be enabled on FortiGate

Log encryption must be enabled

ADOMs must be enabled

FortiGate must be registered with FortiAnalyzer

To reset all settings from flash except the current IP addresses and routes.

To erase all device settings and images, databases, and log data from the disk, but preserve the IP and routing info.

To perform a low-level format of the disk overwriting the hard disk with random data.

To reset to factory default settings from flash.

Option A

Option B

Option C

Option D

Management extensions do not require additional licenses.

Management extensions allow FortiAnalyzer to act as a ForbSIEM supervisor.

Management extensions require a dedicated VM for best performance.

Management extensions may require a minimum number of CPU cores to run.

SFTP, FTP, or SCP server

Mail server

Output profile

Report scheduling

Success

Failed

Running

Upstream_failed

RADIUS

Local

LDAP

PKI

TACACS+

A configuration with four disks, each with 2 TB of capacity, provides a total space of 4 TB.

B It combines mirroring striping and distributed parity to provide performance and fault tolerance

A configuration with four disks, each with 2 TB of capacity, provides a total space of 2 TB.

It uses striping to provide performance and fault tolerance.

In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advanced mode, the disk quota of the ADOM is flexible.

You can change ADOM modes only through the CLI.

In an advanced mode ADOM, you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

Normal mode is the default ADOM mode.

It provides network statistics for active connections, including the protocols, IP addresses, and connection states.

It provides the complete routing table, including directly connected routes.

It provides the static DNS table, including the host names and their expiration timers.

It provides NTP server information, including server IPs. stratum, poll time, and latency.

Total quota

License type

RAID level

Disk size

Output profile

Report scheduling

SFTP server

SNMP server

A pre-shared key needs to be established on both sides.

The management computer does not have connectivity to the authorization IP address and port combination.

The Security Fabric root is unauthorized and needs to be added as a trusted host.

The fabric authorization settings on FortiAnalyzer are misconfigured.

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & dstip==10.1.1.210 & userl-admin

operation-login & performed_on=="GUI(10.1.1.210)' & user!=admin

The received rate is almost at its maximum for this device

The sqlplugind daemon is behind in log indexing by two logs

Logs are being dropped

Raw logs are reaching FortiAnalyzer faster than they can be indexed

Output profiles

Report settings

Report scheduling

Custom datasets

Standalone

Manager

Analyzer

Collector

Click FortiView and generate a report for that administrator.

Click Task Monitor and view the tasks performed by that administrator.

Click Log View and generate a report for that administrator.

View the tasks performed by the rogue administrator in Fabric View.

CPU resources are too high

Logs in that ADOM are being forwarded, in real-time, to another FortiAnalyzer device

The total disk space is insufficient and you need to add other disk

The ADOM disk quota is set too low, based on log rates

You enabled auto-cache with extended log filtering.

The logfiled service has not indexed all the expected logs.

The logs were overwritten by the data retention policy.

The time frame selected in the report is wrong.

FortiAnalyzer provides the ability to create custom reports.

FortiAnalyzer glows you to schedule reports to run.

FortiAnalyzer includes pre-defined reports only.

FortiAnalyzer allows reporting for FortiGate devices only.

FortiAnalyzer overwrites the log files.

FortiAnalyzer stops logging.

FortiAnalyzer rolls the active log by renaming the file.

FortiAnalyzer forwards logs to syslog.

Log correlation

Host name resolution

Log collection

Real-time forwarding

Resolve IP addresses on a per-ADOM basis to reduce delay on FortiView while IPs resolve

Configure # set resolve-ip enable in the system FortiView settings

Configure local DNS servers on FortiAnalyzer

Resolve IP addresses on FortiGate

Configure trusted hosts for that administrator.

Enable geo-location services on accessible interface.

Configure two-factor authentication with a remote RADIUS server.

Configure an ADOM for respective location.