FortiAnalyzer Configuration

Questions and Answers

Which two statements accurately describe ADOM modes? (Choose two.)

  • ADOM modes can only be altered through the Command Line Interface (CLI).
  • In advanced ADOM mode, FortiGate VDOMs can be assigned from a single FortiGate device to multiple FortiAnalyzer ADOMs. (correct)
  • In normal mode, the ADOM's disk quota is fixed and unchangeable; in advanced mode, the disk quota is flexible. (correct)
  • Advanced mode is the default ADOM mode.

What is the primary function of the FortiAnalyzer command diagnose system print netstat?

  • It provides the complete routing table, detailing directly connected routes and gateway information.
  • It shows the static DNS table, along with hostname information and their expiration timers.
  • It provides NTP server information, including server IPs, stratum, poll time, and latency.
  • It displays network statistics for active connections, including protocols, IP addresses, and connection statuses. (correct)

When configuring a new administrator, what are two effects of enabling the 'Match all users on remote server' option? (Choose two.)

  • It creates a wildcard administrator using the LDAP server for authentication. (correct)
  • It permits user accounts on the LDAP server to enforce two-factor authentication.
  • Administrators can access FortiAnalyzer using their credentials from the remote LDAP server. (correct)
  • The user 'Remote-Admin' from the LDAP server can log in to FortiAnalyzer at any point.

A new device on FortiAnalyzer displays the connection status 'Unauthorized'. What does this status indicate?

  • The device's registration has not yet been accepted in FortiAnalyzer. (C) (correct)

What is the primary goal of configuring FortiAnalyzer with the settings displayed in the image?

  • To improve security. (D) (correct)

Within FortiAnalyzer, what is the definition of 'offline logs'?

  • Compressed logs, also referred to as archive logs. (A) (correct)

Which two elements are included in a system backup created on FortiAnalyzer? (Choose two.)

  • Report information. (A) (correct)
  • System information. (B) (correct)

Based on the partial outputs displayed, which devices can be members of a FortiAnalyzer Fabric?

  • FortiAnalyzer1 and FortiAnalyzer3. (D) (correct)

After registering a FortiGate device, only some of the expected logs are received on FortiAnalyzer. What is a likely cause?

  • The FortiGate's logging feature is not configured correctly. (B) (correct)

An administrator, 'fortinet', can view logs but cannot create a mail server to send alert emails. What is the likely problem?

  • 'fortinet' is assigned the default Restricted_User administrative profile. (A) (correct)

Which two parameters influence the calculation of the Total Quota available on FortiAnalyzer? (Choose two.)

  • Reserved space. (C) (correct)
  • Total system storage. (D) (correct)

What two settings must be configured on FortiAnalyzer to enable non-local administrators to authenticate with any user account in a single LDAP group? (Choose two.)

  • An administrator group. (C) (correct)
  • One or more remote LDAP servers. (D) (correct)

After an administrator moves a FortiGate device from the root ADOM to ADOM1, which two statements are true regarding logs? (Choose two.)

  • Archived logs will automatically move to ADOM1 from the root ADOM. (B) (correct)
  • Analytics logs will automatically move to ADOM1 from the root ADOM. (C) (correct)

Which statement accurately describes the communication between FortiGate high availability (HA) clusters and FortiAnalyzer?

  • If devices were registered to FortiAnalyzer before forming a cluster, they can be manually added together. (A) (correct)

What is the best approach to handling a hard disk failure on a FortiAnalyzer that supports hardware RAID?

  • Perform a hot swap of the disk. (C) (correct)

An administrator configures specified settings. What is the purpose of executing these commands?

  • To record the hash value and authentication code of log files. (C) (correct)

Which statement provides the correct description of RAID 10 (1+0) on FortiAnalyzer?

  • A configuration with four disks, each with 2 TB of capacity, provides a total space of 4 TB. (A) (correct)

The administrator wants to join this FortiAnalyzer to an existing HA cluster. Based on this configuration, what can you conclude?

  • This FortiAnalyzer will join the existing HA cluster as the secondary. (C) (correct)

The exhibit shows creating a new administrator on FortiAnalyzer with credentials stored on an LDAP server. Why configure a password for this account?

  • This password is used if the authentication server becomes unreachable. (B) (correct)

In a Fortinet Security Fabric, what makes an upstream FortiGate create traffic logs associated with sessions initiated on downstream FortiGate devices?

  • The upstream FortiGate is configured to do NAT. (B) (correct)

Flashcards

ADOM Disk Quota: Normal vs. Advanced

Normal mode has a fixed disk quota that cannot be modified, while advanced mode offers flexible disk quota settings.

FortiGate VDOMs in Advanced ADOM Mode

In advanced mode, assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.

FortiAnalyzer's netstat command

The FortiAnalyzer command diagnose system print netstat provides network statistics for active connections including protocols, IP addresses and connection states.

Effects of 'Match all users' on FortiAnalyzer

Enabling "Match all users on remote server" creates a wildcard administrator and allows users to log in using their LDAP credentials.

Unauthorized device status on FortiAnalyzer

It is a device whose registration has not yet been accepted in FortiAnalyzer.

Purpose of FortiAnalyzer Configuration

Configuring FortiAnalyzer with the specified settings improves its overall security posture.

Offline logs on FortiAnalyzer

Offline logs are compressed logs, also referred to as archive logs.

Elements in FortiAnalyzer System Backup

A system backup on FortiAnalyzer contains report and system information.

FortiAnalyzer Fabric Members

Only FortiAnalyzer1 and FortiAnalyzer3 can be members of a FortiAnalyzer Fabric.

Reason logs not arriving on FortiAnalyzer

The FortiGate does not have logging configured correctly.

Administrator 'fortinet' Cannot Create a Mail Server

The administrator fortinet is assigned the default Standard_User administrative profile.

Total Quota Value Calculation Parameters

Reserved space and Total system storage are two parameters used to calculate the Total Quota value available on FortiAnalyzer.

Settings for Non-Local Admin Authentication

Configure an administrator group and one or more remote LDAP servers in order to authenticate non-local admins on FortiAnalyzer.

Log movement with ADOMs

Archived logs will be moved from the root ADOM to ADOM1 automatically.

FortiGate HA Cluster Communication

If devices were registered to FortiAnalyzer before forming a cluster, you can add them together manually.

Approach to Handle Hard Disk Failure

The best approach to handle hard disk failure on FortiAnalyzer is to perform a hot swap of the disk.

Purpose of the log checksum commands

The commands record the hash value and authentication code of log files.

FortiGate session logs and NAT

An upstream FortiGate creates traffic logs for sessions initiated on downstream FortiGate devices when the upstream FortiGate is configured to do NAT.

Initial Logs Sync with HA

With initial Logs Sync, the primary device synchronizes its logs with the backup device when you add a unit to an HA cluster.

FortiAnalyzer log forwarding modes

Aggregation mode requires two FortiAnalyzer devices, and forwarding mode forwards logs to other FortiAnalyzer devices, syslog servers, or CEF servers.

Study Notes

ADOM Modes

  • In normal mode, the ADOM disk quota is fixed, but in advanced mode, it is flexible
  • ADOM modes can be changed through the CLI
  • In advanced ADOM mode, FortiGate VDOMs from a single FortiGate device can be assigned to multiple FortiAnalyzer ADOMs
  • Normal mode is the default ADOM mode

FortiAnalyzer Command: diagnose system print netstat

  • The command provides network statistics for active connections
  • The statistics include protocols, IP addresses, and connection states

New Administrator Configuration

  • Enabling "Match all users on remote server" creates a wildcard administrator using an LDAP server
  • Administrators can log in to FortiAnalyzer using their credentials on the remote LDAP server

Device Connection Status: Unauthorized

  • The status means a device's registration has not yet been accepted in FortiAnalyzer

FortiAnalyzer Configuration Purpose

  • The purpose is to improve security

Offline Logs on FortiAnalyzer

  • Offline logs are compressed logs
  • They are also known as archive logs

System Backup Elements

  • Report information is contained in the backup
  • System information is also contained in the backup

FortiAnalyzer Fabric Members

  • FortiAnalyzer1 and FortiAnalyzer3 can be members of a FortiAnalyzer Fabric

Log Arrival Issues on FortiAnalyzer

  • FortiGate logging might not be configured correctly

Administrator Account Problem

  • If an administrator (fortinet) is unable to create a mail server to send alert emails, it is because fortinet is assigned the default Standard_User administrative profile

Total Quota Calculation Parameters

  • Reserved space
  • Total system storage

Non-Local Administrator Authentication

  • An administrator group is required
  • One or more remote LDAP servers are also required

FortiGate Device Move between ADOMs

  • Archived logs will be moved to ADOM1 from the root ADOM automatically

FortiGate HA Clusters and FortiAnalyzer

  • If devices were registered to FortiAnalyzer before forming a cluster, you can manually add them together

Handling Hard Disk Failure on FortiAnalyzer with RAID

  • Perform a hot swap of the disk

Command Purpose

  • The command serves to record the hash value and authentication code of log files

RAID 10 (1+0) on FortiAnalyzer

  • It's a configuration with four disks, each with 2 TB capacity, providing a total space of 4 TB

Joining HA Cluster

  • The FortiAnalyzer will join the existing HA cluster as the secondary

Parameters Impacting Reserved Disk Space

  • RAID level
  • Disk size

New Administrator on FortiAnalyzer with LDAP Server

  • This password is used if the authentication server becomes unreachable

Fortinet Security Fabric and Traffic Logs

  • The upstream FortiGate is configured to do NAT

High Availability (HA) on FortiAnalyzer

  • FortiAnalyzer HA supports synchronization of logs, system, and configuration settings
  • All devices in a FortiAnalyzer HA cluster must operate in the same mode (analyzer or collector)

Deleting ADOMs

  • ADOMs with registered devices cannot be deleted
  • Default ADOMs cannot be deleted

Single IP Address in Log Capture

  • Logs belong to devices that are part of a high availability (HA) cluster

Disk Status: Degraded

  • The hard drive is no longer being used by the RAID controller

Process Enforcing Log File Size

  • The logfiled process is responsible for enforcing the log file size

FortiAnalyzer Operating Modes

  • When in analyzer mode, FortiAnalyzer supports event management and reporting features
  • Analyzer mode is the default operating mode

Log Forwarding Modes

  • Both forwarding and aggregation support encryption of logs between devices
  • Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time

Authorization Request Issues

  • The management computer does not have connectivity to the authorization IP address and port combination
  • The fabric authorization settings on FortiAnalyzer are misconfigured

Restricting Administrative Access on FortiAnalyzer

  • Configure trusted hosts
  • Use administrator profiles

Firmware Upgrade on HA Cluster

  • First, upgrade the secondary devices, and then upgrade the primary device

RAID Configurations Providing Fault Tolerance

  • RAID 5, RAID 1, and RAID 6+0 provide fault tolerance

Connection Status

  • The connection between FortiGate and FortiAnalyzer is overloaded

Analytics Logs on FortiAnalyzer

  • Analytics logs are indexed and stored in the SQL database

Process Caching Logs

  • The miglogd process caches logs on FortiGate when FortiAnalyzer is not reachable

Log Synchronization States for HA

  • With Initial Logs Sync, when adding a unit to an HA cluster, the primary device synchronizes its logs with the backup device.
  • Log Data Sync provides real-time log synchronization to all backup devices

Log Forwarding Modes

  • Aggregation mode requires two FortiAnalyzer devices.
  • Forwarding mode forwards logs to other FortiAnalyzer devices, syslog servers, or CEF servers

Logging Status

  • FortiGate has logs to send, but FortiAnalyzer is unavailable

Creating ADOMs

  • FortiAnalyzer creates default ADOMs when ADOMs are enabled
  • The ADOM type you create must match the device type you are planning to add

Device Registration Methods

  • Serial number registration will place the device automatically in its assigned ADOM
  • Pre-shared key registration will also place the device automatically in its assigned ADOM

SAML Roles

  • Identity provider and service provider roles can be configured for the FortiAnalyzer

FortiAnalyzer Command: execute format disk

  • Intended to erase all device settings and images, databases, and log data from the disk, but preserve the IP and routing information

ADOMs

  • A fabric ADOM can include all the device types supported by FortiAnalyzer

FortiAnalyzer Fabric

  • Fabric members support HA

Primary FortiAnalyzer Failure in HA Cluster

  • The configured priority is checked first

Command: set log-checksum

  • To prevent log modification or tampering
  • To protect log data from man-in-the-middle attacks

Command: execute sql-local rebuild-adom

  • Populates the new ADOM with analytical logs for the moved device, so you can run reports
