
Lead2pass.NSE5_FAZ-6.2.Premium.VCE.

51q

Number: NSE5_FAZ-6.2
Passing Score: 926
Time Limit: 120 min
File Version: 20.061

Vendor: Fortinet

Exam Code: NSE5_FAZ-6.2

Exam Name: Fortinet NSE 5 - FortiAnalyzer 6.2

Version: 20.061
Exam A

QUESTION 1
How are logs forwarded when FortiAnalyzer is using aggregation mode?

A. Logs and content files are stored and uploaded at a scheduled time
B. Logs and content files are forwarded as they are received
C. Logs are forwarded as they are received
D. Logs are forwarded as they are received and content files are uploaded at a scheduled time

Correct Answer: A

QUESTION 2
DLP archiving gives the ability to store session transaction data on a FortiAnalyzer unit for which of the
following types of network traffic? (Select all that apply.)

A. SNMP
B. IPSec
C. SMTP
D. POP3
E. HTTP

Correct Answer: CDE

QUESTION 3
Which statements are true of Administrative Domains (ADOMs) in FortiAnalyzer? (Choose two)

A. ADOMs are enabled by default.
B. ADOMs constrain other administrators' access privileges to a subset of devices in the device list.
C. Once enabled, the Device Manager, FortiView, Event Management, and Reports tab display per
ADOM.
D. All administrators can create ADOMs - not just the admin administrator.

Correct Answer: BC

QUESTION 4
Which statement is correct? FortiAnalyzer collects and aggregates log data from:

A. Any supported device it is configured to monitor.
B. FortiGate devices only.
C. FortiAnalyzer's operating in collector mode only.
D. Any supported device it is configured to monitor, as long as it's not in the wide area network (WAN).

Correct Answer: A

QUESTION 5
What are two of the key features of FortiAnalyzer? (Choose two)

A. Centralized log repository
B. Cloud-based management
C. Reports
D. Virtual domains (VDOMs)

Correct Answer: AC

QUESTION 6
What statements are true regarding FortiAnalyzer's treatment of high availability (HA) clusters? (Choose
two)

A. FortiAnalyzer distinguishes different devices by their serial number.
B. FortiAnalyzer receives logs from all devices in a cluster.
C. FortiAnalyzer receives logs only from the primary device in the cluster.
D. FortiAnalyzer only needs to know the serial number of the primary device in the cluster - it automatically
discovers the other devices.

Correct Answer: AC

QUESTION 7
What FortiGate process caches logs when FortiAnalyzer is not reachable?

A. oftpd
B. miglogd
C. sqlplugind
D. logfiled

Correct Answer: B

QUESTION 8
What is the purpose of the following CLI command?

A. To add the MD5's hash value and authentication code
B. To encrypt log communications
C. To add a unique tag to each log to prove that it came from this FortiAnalyzer
D. To add a log file checksum

Correct Answer: D

QUESTION 9
Consider the following scenario: The FortiAnalyzer administrator creates a custom dataset.
The Log type is set to Traffic and the Time Period is set to Last 30 days.
The following query is entered:

SELECT root_domain(hostname) as website, count(*) as totalnum, dstcountry FROM $log WHERE $filter
and hostname is not null GROUP BY hostname, dstcountry ORDER BY session desc LIMIT 25.

When the administrator tests the custom dataset, an error message is returned. Why?

A. The clauses are not coded in the correct sequence.
B. The database does not contain the data to make the SQL query work.
C. The database columns identified in the SELECT clause belong to the Virus log type, not the Traffic log
type.
D. The database column in the ORDER BY clause ("session") is not in the SELECT clause, and it has to
be in order for the query to work.

Correct Answer: B

QUESTION 10
By default, what happens when a log file reaches its maximum file size?

A. FortiAnalyzer overwrites the log files.
B. FortiAnalyzer stops logging.
C. FortiAnalyzer rolls the active log by renaming the file.
D. FortiAnalyzer forwards logs to syslog.

Correct Answer: C

QUESTION 11
What types of logs will FortiAnalyzer store? (Select one)

A. Traffic/Event/Security, Data Leak Prevention (DLP) archive, Quarantine, and IPS (Intrusion Protection
System) Packets.
B. Traffic/Event, Data Leak Prevention (DLP) archive, Quarantine, and IPS (Intrusion Protection System)
Packets.
C. Traffic/Event/Security, Data Leak Prevention (DLP) archive, Quarantine.
D. Data Leak Prevention (DLP) archive, Quarantine, and IPS (Intrusion Protection System) Packets.

Correct Answer: A

QUESTION 12
What statements are true regarding encryption settings and levels? (Choose three)

A. The default encryption level is 128-bit and larger key length algorithms.
B. High level encryption requires additional CPU resources.
C. AES is an example of a high level encryption.
D. The default encryption level on FortiAnalyzer is set at the same default encryption level as FortiGate.
E. "Set enc-algorithm, <encryption level>" is the command used to set the encryption level on
FortiAnalyzer.

Correct Answer: BCE

QUESTION 13
What database language does FortiAnalyzer use for logging and reporting?

A. XQuery
B. XML
C. SQL
D. Java

Correct Answer: C

QUESTION 14
What statements are true regarding the "store and upload" log transfer option between FortiAnalyzer and
FortiGate? (Choose three)

A. All FortiGates can send logs to FortiAnalyzer using the store and upload option.
B. Only FortiGate models with hard disks can send logs to FortiAnalyzer using the store and upload
option.
C. Both secure communications methods (SSL and IPsec) allow the store and upload option.
D. Disk logging is enabled on the FortiGate through the CLI only.
E. Disk logging is enabled by default on the FortiGate.

Correct Answer: BCD

QUESTION 15
What are the methods available to register a device? (Choose two)

A. A supported device can request registration.
B. An Administrator from a supported device can use a CLI command to automatically connect to
FortiAnalyzer without intervention from a FortiAnalyzer administrator.
C. A FortiAnalyzer administrator can register a supported device through the Device Registration wizard.
D. A FortiAnalyzer automatically registers all supported devices on the same Local Area Network (LAN)
by default.

Correct Answer: AC

QUESTION 16
In FortiAnalyzer's FortiView, source and destination IP addresses from FortiGate devices are not resolving
to a hostname. How can you resolve the source and destination IPs, without introducing any additional
performance impact to FortiAnalyzer?

A. Configure # set resolve-ip enable in the system FortiView settings
B. Resolve IPs on FortiGate
C. Configure local DNS servers on FortiAnalyzer
D. Resolve IPs on a per-ADOM basis to reduce delay on FortiView while IPs resolve

Correct Answer: B

QUESTION 17
What is the purpose of employing RAID with FortiAnalyzer?

A. To provide data separation between ADOMs
B. To separate analytical and archive data
C. To back up your logs
D. To introduce redundancy to your log data

Correct Answer: D

QUESTION 18
What happens when a log file saved on FortiAnalyzer disks reaches the size specified in the device log
settings?

A. The log file is stored as a raw log and is available for analytic support
B. The log file rolls over and is archived
C. The log file is purged from the database
D. The log file is overwritten

Correct Answer: B

QUESTION 19
View the exhibit. Why is the total quota less than the total system storage?

A. The oftpd process has not archived the logs yet
B. The logfiled process is just estimating the total quota
C. Some space is reserved for system use, such as storage of compression files, upload files, and
temporary report files
D. 3.6% of the system storage is already being used

Correct Answer: C

QUESTION 20
In order for FortiAnalyzer to collect logs from a FortiGate device, what configuration is required? (Choose
two.)

A. ADOMs must be enabled
B. Log encryption must be enabled
C. FortiGate must be registered with FortiAnalyzer
D. Remote logging must be enabled on FortiGate

Correct Answer: CD

QUESTION 21
What can the CLI command # diagnose test application oftpd 3 help you to determine?

A. What logs, if any, are reaching FortiAnalyzer
B. What ADOMs are enabled and configured
C. What devices and IP addresses are connecting to FortiAnalyzer
D. What devices are registered and unregistered

Correct Answer: C

QUESTION 22
If you upgrade your FortiAnalyzer firmware, what report elements can be affected?

A. Report settings
B. Report scheduling
C. Output profiles
D. Custom datasets

Correct Answer: D

QUESTION 23
On FortiAnalyzer, what is a wildcard administrator account?

A. An account that permits access to members of a LDAP group
B. An account that allows guest access with read-only privileges
C. An account that requires two-factor authentication
D. An account that validates against any user account on a FortiAuthenticator

Correct Answer: A

QUESTION 24
Which FortiAnalyzer feature allows you to retrieve the archived logs matching a specific timeframe from
another FortiAnalyzer device?

A. Log forwarding in aggregation mode
B. Log upload
C. Log fetching
D. Indicators of Compromise

Correct Answer: C

QUESTION 25
FortiAnalyzer uses the Optimized Fabric Transfer Protocol (OFTP) over SSL for what purpose?

A. To prevent log modification during backup
B. To send an identical set of logs to a second logging server
C. To encrypt log communication between devices
D. To upload logs to a SFTP server

Correct Answer: C

QUESTION 26
What is the recommended method of expanding disk space on a FortiAnalyzer VM?

A. From the VM host manager, add an additional virtual disk and use the # execute lvm extend <disk
number> command to expand the storage
B. From the VM host manager, expand the size of the existing virtual disk
C. From the VM host manager, add an additional disk and rebuild your RAID array
D. From the VM host manager, expand the size of the existing virtual disk and use the # execute format
disk command to reformat the disk

Correct Answer: A

QUESTION 27
What must you configure on FortiAnalyzer to upload a FortiAnalyzer report to a supported external server?
(Choose two.)

A. Report scheduling
B. Output profile
C. SFTP, FTP, or SCP server
D. Mail server

Correct Answer: BC

QUESTION 28
View the exhibit. What does the 1000 MB maximum for disk utilization refer to?

A. The disk quota for each device in the ADOM
B. The disk quota for the ADOM type
C. The disk quota for all devices in the ADOM
D. The disk quota for the FortiAnalyzer model

Correct Answer: C

QUESTION 29
What purposes does the auto-cache setting on reports serve? (Choose two.)

A. To automatically update the hcache when new logs arrive
B. To provide diagnostics on report generation time
C. To reduce the log insert lag rate
D. To reduce report generation time

Correct Answer: AD

QUESTION 30
View the exhibit. What does the data point at 14:35 tell you?

A. The sqlplugind daemon is ahead in indexing by one log
B. FortiAnalyzer is indexing logs faster than logs are being received
C. FortiAnalyzer is dropping logs
D. FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed

Correct Answer: A

QUESTION 31
You've moved a registered logging device out of one ADOM and into a new ADOM. What happens when
you rebuild the new ADOM database?

A. FortiAnalyzer resets the disk quota of the new ADOM to default
B. FortiAnalyzer migrates analytics logs to the new ADOM
C. FortiAnalyzer removes analytics logs from the old ADOM
D. FortiAnalyzer migrates archive logs to the new ADOM

Correct Answer: C

QUESTION 32
How can you configure FortiAnalyzer to permit administrator logins from only specific locations?

A. Use trusted hosts
B. Use administrative profiles
C. Use secure protocols
D. Use static routes

Correct Answer: A

QUESTION 33
Which statement is true regarding FortiAnalyzer models?

A. All physical appliances can support the same number of GB per day of logs.
B. Both physical and virtual appliances have same license file.
C. All physical appliances have the same storage capacity.
D. The virtual appliance license determines the number of devices supported and the amount of traffic that
can be collected.

Correct Answer: D

QUESTION 34
How does FortiAnalyzer retrieve specific log data from the database?

A. SQL FROM statement
B. SQL GET statement
C. SQL SELECT statement
D. SQL EXTRACT statement

Correct Answer: C

QUESTION 35
Logs are being deleted from one of your ADOMs earlier than the configured setting for archiving in your
data policy. What is the most likely problem?

A. Logs in that ADOM are being forwarded in real-time to another FortiAnalyzer device
B. CPU resources are too high
C. The ADOM disk quota is set too low based on log rates
D. The total disk space is insufficient and you need to add another disk

Correct Answer: C

QUESTION 36
How do you restrict an administrator's access to a subset of your organization's ADOMs?

A. Set the ADOM mode to Advanced
B. Configure trusted hosts
C. Assign the ADOMs to the administrator's account
D. Assign the default Super_User administrator profile

Correct Answer: C

QUESTION 37
What FortiView tool can you use to automatically build a dataset and chart based on a filtered search
result?

A. Chart Builder
B. Dataset Library
C. Custom View
D. Export to Report Chart

Correct Answer: D

QUESTION 38
What remote authentication servers can you configure to validate your FortiAnalyzer administrator logons?
(Choose three)

A. RADIUS
B. Local
C. LDAP
D. PKI
E. TACACS+

Correct Answer: ACE

QUESTION 39
Which statements are correct regarding FortiAnalyzer reports? (Choose two)

A. FortiAnalyzer provides the ability to create custom reports.
B. FortiAnalyzer allows you to schedule reports to run.
C. FortiAnalyzer includes pre-defined reports only.
D. FortiAnalyzer allows reporting for FortiGate devices only.

Correct Answer: AB

QUESTION 40
What are the operating modes of FortiAnalyzer? (Choose two)

A. Standalone
B. Manager
C. Analyzer
D. Collector

Correct Answer: CD

QUESTION 41
What is 'hot swapping'?

A. Hot swapping means administrators can configure FortiAnalyzer to write to all hard disks in order to
make the array fault tolerant.
B. Hot swapping means administrators can replace a failed disk on devices that support software RAID
while the device is still running.
C. Hot swapping means administrators can ensure the parity data of a redundant drive is valid while the
device is still running.
D. Hot swapping means administrators can replace a failed disk on devices that support hardware RAID
while the device is still running.

Correct Answer: D

QUESTION 42
Which tabs do not appear when FortiAnalyzer is operating in Collector mode? (Choose two.)

A. FortiView
B. Event Management
C. Device Manager
D. Reporting

Correct Answer: AD

QUESTION 43
When performing a log search on a FortiAnalyzer, it is generally recommended to use the Quick Search
option.
What is a valid reason for using the Full Search option, instead?

A. The search items you are looking for are not contained in indexed log fields.
B. A quick search only searches data received within the last 24 hours.
C. You want the search to include the FortiAnalyzer's local logs.
D. You want the search to include content archive data as well.

Correct Answer: A

QUESTION 44
Both the FortiGate and FortiAnalyzer units can notify administrators when certain alert conditions are met.
Considering this, which of the following statements is NOT correct?

A. On a FortiGate device, the alert condition is based either on the severity level or on the log type, but not
on a combination of the two.
B. On a FortiAnalyzer device, the alert condition is based either on the severity level or on the log type,
but not on a combination of the two.
C. Only a FortiAnalyzer device can send the alert notification in the form of a syslog message.
D. Both the FortiGate and FortiAnalyzer devices can send alert notifications in the form of an email alert.

Correct Answer: A

QUESTION 45
For proper log correlation between the logging devices and FortiAnalyzer, FortiAnalyzer and all registered
devices should:

A. Use DNS
B. Use host name resolution
C. Use an NTP server
D. Use real-time forwarding

Correct Answer: C

QUESTION 46
FortiAnalyzer centralizes which functions? (Choose three)

A. Network analysis
B. Graphical reporting
C. Content archiving / data mining
D. Vulnerability assessment
E. Security log analysis / forensics

Correct Answer: BCE

QUESTION 47
What statements are true regarding FortiAnalyzer's treatment of high availability (HA) clusters? (Choose
two)

A. FortiAnalyzer distinguishes different devices by their serial number.
B. FortiAnalyzer receives logs from all devices in a cluster.
C. FortiAnalyzer receives logs only from the primary device in the cluster.
D. FortiAnalyzer only needs to know the serial number of the primary device in the cluster - it automatically
discovers the other devices.

Correct Answer: AC

QUESTION 48
What statements are true regarding disk log quota? (Choose two)

A. The FortiAnalyzer stops logging once the disk log quota is met.
B. The FortiAnalyzer automatically sets the disk log quota based on the device.
C. The FortiAnalyzer can overwrite the oldest logs or stop logging once the disk log quota is met.
D. The FortiAnalyzer disk log quota is configurable, but has a minimum of 100 MB and a maximum based on
the reserved system space.

Correct Answer: CD

QUESTION 49
A portion of the device listing for a FortiAnalyzer unit is displayed in the exhibit.

Which of the following statements best describes the reason why the FortiGate 60B unit is unable to
archive data to the FortiAnalyzer unit?

A. The FortiGate unit is considered an unregistered device.
B. The FortiGate unit has been blocked from sending archive data to the FortiAnalyzer device by the
administrator.
C. The FortiGate unit has insufficient privileges. The administrator should edit the device entry in the
FortiAnalyzer and modify the privileges.
D. The FortiGate unit is being treated as a syslog device and is only permitted to send log data.

Correct Answer: A

QUESTION 50
A FortiAnalyzer device could use which security method to secure the transfer of log data from FortiGate
devices?

A. SSL
B. IPSec
C. direct serial connection
D. S/MIME

Correct Answer: B

QUESTION 51
An administrator configures a FortiGate unit in Transparent mode on the 192.168.11.0 subnet. Automatic
Discovery is enabled to detect any available FortiAnalyzers on the network.
Which of the following FortiAnalyzers will be detected? (Select all that apply.)

A. 192.168.11.100
B. 192.168.11.251
C. 192.168.10.100
D. 192.168.10.251

Correct Answer: AB
