Fortinet NSE5 Fortianalyzer 7.2 001

Uploaded by juniou82

Q1

Which two statements are correct regarding the export and import of playbooks? (Choose two.)

A. You can import a playbook even if there is another one with the same name in the destination.

B. Playbooks can be exported and imported only within the same FortiAnalyzer device.

C. You can export only one playbook at a time.

D. A playbook that was disabled when it was exported will be disabled when it is imported.

Answer: A,D

Q2

A playbook contains five tasks in total. An administrator runs the playbook and four out of five tasks
finish successfully, but one task fails.

What will be the status of the playbook after it is run?

A. Running

B. Failed

C. Upstream_failed

D. Success

Answer: B

Q3

Which statement about the FortiSIEM management extension is correct?

A. Allows you to manage the entire life cycle of a threat or breach.

B. Its use of the available disk space is capped at 50%.

C. It requires a licensed FortiSIEM supervisor.


D. It can be installed as a dedicated VM.

Answer: C

Q4

Which two statements are true regarding the outbreak detection service? (Choose two.)

A. New alerts are received by email.

B. Outbreak alerts are available on the root ADOM only.

C. An additional license is required.

D. It automatically downloads new event handlers and reports.

Answer: C,D

Q5

What must you consider when using log fetching? (Choose two.)

A. The fetch client can retrieve logs from devices that are not added to its local Device Manager.

B. You can use filters to include only logs from a single device.

C. The fetching profile must include a user with the Super_User profile.

D. The archive logs retrieved from the server become archive logs in the client.

Answer: B,C

Q6

Which statement describes a dataset in FortiAnalyzer?

A. They determine what data is retrieved from the database.


B. They provide the layout used for reports.

C. They are used to set the data included in templates.

D. They define the chart types to be used in reports.

Answer: A

Q7

Refer to the exhibits.


How many events will be added to the incident created after running this playbook?

A. Thirteen events will be added.

B. Five events will be added.

C. No events will be added.

D. Ten events will be added.

Answer: D

Q8

Refer to the exhibit.


What does the data point at 12:20 indicate?

A. The performance of FortiAnalyzer is below the baseline.

B. FortiAnalyzer is using its cache to avoid dropping logs.

C. The log insert lag time is increasing.

D. The sqlplugind service is caught up with new logs.

Answer: C

Explanation:
Insert Rate vs. Receive Rate is a graph that shows the rate at which raw logs reach the FortiAnalyzer (receive rate) and
the rate at which they are indexed (insert rate) by the SQL database and the sqlplugind daemon. At minimum, the
difference between these parameters should be generally consistent.

Log Insert Lag Time shows the amount of time between when a log was received and when it was indexed. Ideally, this
parameter should be as small as possible with the occasional spikes according to the network activity being logged. A
good baseline should be created to allow for the identification of possible performance issues.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2

Q9

Which two methods are the most common methods to control and restrict administrative access on FortiAnalyzer? (Choose two.)

A. Virtual domains

B. Administrative access profiles

C. Trusted hosts

D. Security Fabric

Answer: B,C

Explanation:

Reference: https://docs2.fortinet.com/document/fortianalyzer/6.0.0/administrationguide/219292/administrator-profiles

https://docs2.fortinet.com/document/fortianalyzer/6.0.0/administration-guide/581222/trusted-hosts

Q10

Which daemon is responsible for enforcing raw log file size?

A. logfiled

B. oftpd

C. sqlplugind

D. miglogd

Answer: A

Q11

An administrator has configured the following settings:

config system global
    set log-checksum md5-auth
end

What is the significance of executing this command?

A. This command records the log file MD5 hash value.

B. This command records passwords in log files and encrypts them.

C. This command encrypts log transfer between FortiAnalyzer and other devices.

D. This command records the log file MD5 hash value and authentication code.

Answer: D

Explanation:

Reference: https://docs.fortinet.com/document/fortianalyzer/6.4.6/administrationguide/410387/appendix-b-log-integrity-and-secure-log-transfer

Q12

Which two of the following must you configure on FortiAnalyzer to email a FortiAnalyzer report externally? (Choose two.)

A. Mail server

B. Output profile

C. SFTP server

D. Report scheduling

Answer: A,B

Explanation:

Reference: https://docs.fortinet.com/document/fortianalyzer/6.0.2/administrationguide/598322/creating-output-profiles

Q13

For which two purposes would you use the command set log checksum? (Choose two.)

A. To help protect against man-in-the-middle attacks during log upload from FortiAnalyzer to an SFTP server

B. To prevent log modification or tampering

C. To encrypt log communications

D. To send an identical set of logs to a second logging server

Answer: A, B

Explanation:

To prevent logs from being tampered with while in storage, you can add a log checksum using the config system global command. You can configure FortiAnalyzer to record a log file hash value, timestamp, and authentication code when the log is rolled and archived and when the log is uploaded (if that feature is enabled). This can also help against man-in-the-middle only for the transmission from FortiAnalyzer to an SSH File Transfer Protocol (SFTP) server during log upload.

FortiAnalyzer_7.0_Study_Guide-Online page 149

Q19

When working with FortiAnalyzer reports, what is the purpose of a dataset?

A. To provide the layout used for reports

B. To define the chart type to be used

C. To retrieve data from the database

D. To set the data included in templates

Answer: C

Explanation:

Another common way to load data into a DataSet is to use the DataAdapter class to retrieve data from the database.

Q20

Refer to the exhibit. The image displays the configuration of a FortiAnalyzer the administrator wants to join to an existing HA cluster.

What can you conclude from the configuration displayed?


A. This FortiAnalyzer will join to the existing HA cluster as the primary.

B. This FortiAnalyzer is configured to receive logs in its port1.

C. This FortiAnalyzer will trigger a failover after losing communication with its peers for 10 seconds.

D. After joining to the cluster, this FortiAnalyzer will keep an updated log database.

Answer: B

Explanation:

In the Cluster Virtual IP section, you need to select the interface and type the IP address for which the FAZ device is to provide redundancy. This is the IP that other devices need to point to send their logs once the cluster is up.

Q21

You created a playbook on FortiAnalyzer that uses a FortiOS connector.

When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?

A. FortiAnalyzer Event Handler

B. Incoming webhook

C. FortiOS Event Log

D. Fabric Connector event

Answer: B

Explanation:

Automation webhook stitches

The Automation menu contains eight webhook automation stitches, including an Incoming Webhook
Quarantine trigger for API calls to the FortiGate, as well as a predefined License Expired Notification that
replaces the existing license expiry alerts.

The automation stitches are available in new FortiGate installations by default. To install the stitches on
an existing device, perform a factory reset.

Q4

What must you consider when using log fetching? (Choose two.)

A. The fetch client can retrieve logs from devices that are not added to its local Device Manager

B. You can use filters to include only logs from a single device.

C. The fetching profile must include a user with the Super_User profile.

D. The archive logs retrieved from the server become archive logs in the client.

Answer: B,C

Explanation:

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/651442/log-fetching

The fetching FortiAnalyzer can query the server FortiAnalyzer and retrieve the log data for a specified
device and time period, based on specified filters.

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/559986/fetch-requests

The data policy for the local ADOM on the client must also support fetching logs from the specified time
period. It must keep both archive and analytics logs long enough so they will not be deleted in
accordance with the policy. For example: Today is July 1, the ADOM's data policy is configured to keep
analytics logs for 30 days (June 1 - 30), and you need to fetch logs from the first week of May. The data
policy of the ADOM must be adjusted to keep analytics and archive logs for at least 62 days to cover the
entire time span. Otherwise, the fetched logs will be automatically deleted after they are fetched.

Q22

Which two statements are true regarding the outbreak detection service? (Choose two.)

A. New alerts are received by email.

B. Outbreak alerts are available on the root ADOM only.

C. An additional license is required.

D. It automatically downloads new event handlers and reports.

Answer: C,D

Explanation:

C. An additional license is required. The Outbreak Detection Service is a licensed feature that must be purchased separately.

D. It automatically downloads new event handlers and reports. When a new outbreak is detected, the Outbreak Detection Service will automatically download the associated event handlers and reports to the FortiAnalyzer.

Q23

What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two.)

A. The size of newly generated reports is optimized to conserve disk space.


B. FortiAnalyzer local cache is used to store generated reports.

C. When new logs are received, the hard-cache data is updated automatically.

D. The generation time for reports is decreased.

Answer: C,D

Explanation:

Auto-cache is a feature that allows you to store the results of a report in a hard-cache database. This can significantly reduce the time it takes to generate the report, as the FortiAnalyzer does not need to re-run the query each time the report is requested.

The hard-cache database is updated automatically when new logs are received. This ensures that the report always reflects the latest data.

Q24

Why must you wait for several minutes before you run a playbook that you just created?

A. FortiAnalyzer needs that time to parse the new playbook.

B. FortiAnalyzer needs that time to back up the current playbooks.

C. FortiAnalyzer needs that time to ensure there are no other playbooks running.

D. FortiAnalyzer needs that time to debug the new playbook.

Answer: A

Explanation:

When you create a new playbook, FortiAnalyzer needs to parse the playbook file to understand the commands and tasks that it contains. This can take a few minutes, depending on the size and complexity of the playbook.

Q25

Which statement describes online logs on FortiAnalyzer?

A. Logs that reached a specific size and were rolled over

B. Logs that can be used to create reports

C. Logs that can be viewed using Log Browse

D. Logs that are saved to disk, compressed, and available in FortiView

Answer: B

Q26

How can you attach a report to an incident?

A. By attaching it to an event handler alert

B. By editing the settings of the desired report

C. From the properties of an existing incident

D. Saving it in JSON format, and then importing it

Answer: C

Explanation:

To do this, follow these steps:

1. Go to Incidents & Events > Incidents.

2. Select the incident that you want to attach the report to.

3. Click the Properties tab.

4. In the Reports section, click Add.

5. Select the report that you want to attach.

6. Click OK.

The report will be attached to the incident.

Q27

Which item must you configure on FortiAnalyzer to email generated reports automatically?

A. Output profile

B. Report scheduling

C. SFTP server

D. SNMP server

Answer: A

Explanation:

The Output profile specifies the email server that will be used to send the reports, as well as the email address that will receive the reports.

Q28

Which statement about the FortiSOAR management extension is correct?

A. It requires a FortiManager configured to manage FortiGate

B. It requires a dedicated FortiSOAR device or VM.

C. It does not include a limited trial by default.

D. It runs as a docker container on FortiAnalyzer

Answer: D

Explanation:

The FortiSOAR management extension is a software application that runs on FortiManager. It allows you to manage FortiSOAR instances, including creating and managing playbooks, tasks, and automations.

Q29

Why run the command diagnose sql status sqlplugind?

A. To list the current SQL processes running


B. To check what is the database log insertion status

C. To display the SQL query connections and hcache status

D. To view the current hcache size

Answer: B

Explanation:

The diagnose sql command is a set of commands that can be used to diagnose the SQL database on a FortiAnalyzer. The status subcommand displays the current status of the SQL database, including the number of active query connections and the hcache status.

The sqlplugind parameter specifies that the status of the SQL plugin should be displayed. The SQL plugin is responsible for handling SQL queries on the FortiAnalyzer.

Q30

What are two benefits of using fabric connectors? (Choose two.)

A. They allow FortiAnalyzer to send logs in real-time to public cloud accounts.

B. You do not need an additional license to send logs to the cloud platform.

C. Fabric connectors allow you to improve redundancy.

D. Using fabric connectors is more efficient than using third-party polling with API.

Answer: C,D

Q31

Which log will generate an event with the status Contained?

A. An IPS log with action=pass.

B. A WebFilter log with action=dropped.

C. An AV log with action=quarantine.

D. An AppControl log with action=blocked.


Answer: C

Explanation:

The contained status is used to indicate that an event has been detected and mitigated. In the case of an AV log with action=quarantine, the malware has been detected and isolated from the system.

Q32

Refer to the exhibit. Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated by any user other than "admin", and coming from Laptop1.

Which filter will achieve the desired result?

A. operation-login & dstip==10.1.1.210 & user!-admin

B. operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

C. operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin

D. operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

Answer: D

Q33

After generating a report, you notice the information you were expecting to see is not included in it. What are two possible reasons for this scenario? (Choose two.)

A. You enabled auto-cache with extended log filtering.

B. The logfiled service has not indexed all the expected logs.

C. The logs were overwritten by the data retention policy.

D. The time frame selected in the report is wrong.

Answer: B,C

Explanation:

B. The logfiled service has not indexed all the expected logs. The logfiled service is responsible for indexing the logs that are received by FortiAnalyzer. If the logfiled service has not indexed all the expected logs, then the information from those logs will not be included in the report.

C. The logs were overwritten by the data retention policy. FortiAnalyzer has a data retention policy that specifies how long logs are kept. If the logs that you are interested in were overwritten by the data retention policy, then they will not be included in the report.
