A. Logs compressed and saved in files with the .gz extension
B. Logs previously collected from devices that are offline
C. Logs a FortiAnalyzer administrator can access in FortiView
D. Logs that are indexed and stored in the SQL database
Correct answer: A
Explanation:
On FortiAnalyzer, archive logs are the raw log files. Incoming logs are written to a log file and, once that file reaches its size limit, it is rolled and compressed into a file with the .gz extension, at which point it becomes an offline (archive) log. Archive logs are kept only as these compressed files; they are not indexed, so they cannot be viewed or reported on in the FortiView, Log View, or Reports panes. Only analytics logs, the ones indexed into the SQL database (option D), are available there. https://docs.fortinet.com/docume ... 1825/analytics-and-archive-logs
Question #42
What happens when the indicator of compromise (IOC) engine on FortiAnalyzer finds web logs that match blacklisted IP addresses?
A. The detection engine classifies those logs as Suspicious.
B. A new infected entry is added for the corresponding endpoint under Compromised Hosts.
C. The endpoint is marked as Compromised and, optionally, can be put in quarantine.
D. FortiAnalyzer flags the associated host for further analysis.
Correct answer: B
Question #43
Which log will generate an event with the status Unhandled?
A. An AppControl log with action=blocked.
B. A WebFilter log with action=dropped.
C. An IPS log with action=pass.
D. An AV log with action=quarantine.
Correct answer: C
Explanation:
In FortiAnalyzer Event Management (FortiOS 7.4.1 and FortiAnalyzer 7.4.1), the status of a security event is derived from the action recorded in the log that triggered it. Unhandled means the FortiGate logged the threat but did not block, drop, or quarantine it, so the risk is still open. Mitigated means the traffic was blocked or dropped, and Contained means the file or host was quarantined.
* An IPS log with action=pass: the IPS engine matched a signature whose configured action is pass (log only), so the attack was recorded but the traffic was allowed through. Note that action=pass does not mean nothing matched; an IPS log is only written when a signature fires. Because no action was taken to block or alter the traffic, the resulting event has the status Unhandled. Let's look at why the other options are incorrect:
* An AV log with action=quarantine: the file was detected as malicious and quarantined. That is a definitive action, so the event is Contained, not Unhandled.
* A WebFilter log with action=dropped: the web request was dropped by the web filter profile. A specific action was taken, so the event is Mitigated.
* An AppControl log with action=blocked: the application was denied by the application control profile. Again a clear action, so the event is Mitigated.
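The status mapping from question 43 and the IOC web-log check from question 42, as an added example in Python (not code from the original page or from Fortinet). It parses constructed FortiGate-style key=value log lines, assigns the event status FortiAnalyzer would give each one (Unhandled when a security log shows no blocking action, Mitigated for blocked or dropped, Contained for quarantine, blank for a non-security log), and records an infected entry for an endpoint whose web log hit a blacklisted IP. The sample lines, the blacklist, and the exact action sets are assumptions, not product data.

```python
import re

# Constructed sample lines in FortiGate key=value log format; these are not
# real captures, and the addresses are documentation ranges.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 type=utm subtype=ips action=pass srcip=10.0.0.5 dstip=203.0.113.9 attack="Sample.Signature"',
    'date=2024-05-01 time=10:00:02 type=utm subtype=virus action=quarantine srcip=10.0.0.6 dstip=203.0.113.10 virus="EICAR_TEST_FILE"',
    'date=2024-05-01 time=10:00:03 type=utm subtype=webfilter action=dropped srcip=10.0.0.7 dstip=203.0.113.11 hostname="blocked.example"',
    'date=2024-05-01 time=10:00:04 type=utm subtype=app-ctrl action=blocked srcip=10.0.0.8 dstip=203.0.113.12 app="P2P.Sample"',
    'date=2024-05-01 time=10:00:05 type=utm subtype=webfilter action=passthrough srcip=10.0.0.9 dstip=198.51.100.77 hostname="c2.example"',
    'date=2024-05-01 time=10:00:06 type=traffic subtype=forward action=accept srcip=10.0.0.9 dstip=198.51.100.77',
]

# Constructed IOC blacklist (hypothetical; a real deployment gets this from FortiGuard).
BLACKLISTED_IPS = {"198.51.100.77"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one FortiGate-style log line into a dict, unquoting quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


# Assumed action-to-status mapping, following the admin-guide definitions:
# Mitigated = blocked/dropped, Contained = quarantined, Unhandled = any other
# action on a security log, blank = not a security log at all.
SECURITY_SUBTYPES = {"ips", "virus", "webfilter", "app-ctrl", "anomaly", "dlp"}
MITIGATED_ACTIONS = {"blocked", "block", "dropped", "drop", "deny", "reset"}
CONTAINED_ACTIONS = {"quarantine"}


def event_status(fields):
    """Return the event status FortiAnalyzer would assign to a parsed log."""
    if fields.get("type") != "utm" or fields.get("subtype") not in SECURITY_SUBTYPES:
        return ""  # not a security event, so no status
    action = fields.get("action", "").lower()
    if action in CONTAINED_ACTIONS:
        return "Contained"
    if action in MITIGATED_ACTIONS:
        return "Mitigated"
    return "Unhandled"  # logged but neither blocked, dropped nor quarantined


def status_report(lines):
    """(subtype, action, status) for each line, in input order."""
    out = []
    for line in lines:
        f = parse_log(line)
        out.append((f.get("subtype", ""), f.get("action", ""), event_status(f)))
    return out


def compromised_hosts(lines, blacklist):
    """IOC-style check: a web log whose destination is blacklisted adds an
    infected entry for the source endpoint (question 42, answer B)."""
    hosts = {}
    for line in lines:
        f = parse_log(line)
        if f.get("subtype") != "webfilter":
            continue  # only web logs are matched against the IP blacklist here
        if f.get("dstip") in blacklist:
            hosts.setdefault(f["srcip"], []).append(
                {"dstip": f["dstip"], "hostname": f.get("hostname", "")})
    return hosts


if __name__ == "__main__":
    for subtype, action, status in status_report(SAMPLE_LOGS):
        print(f"{subtype:10s} {action:12s} -> {status or '(blank)'}")
    print("Compromised Hosts:", compromised_hosts(SAMPLE_LOGS, BLACKLISTED_IPS))
```

The last sample line is a traffic log to the same blacklisted address; it is deliberately ignored by the IOC check and gets a blank status, because neither rule looks at traffic logs.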
Question #44
Which two statements about local logs on FortiAnalyzer are true? (Choose two.)
A. They are not supported in FortiView.
B. Event logs are available only in the root ADOM.
C. You can view playbook logs for all ADOMs in the root ADOM.
D. Event logs show system-wide information, whereas application logs are ADOM specific.
Correct answer: C, D
Explanation:
Playbook logs, which record automated incident-response actions, can be viewed centrally in the root ADOM, giving visibility across all ADOMs.
FortiAnalyzer event logs contain system-wide information that applies to the whole FortiAnalyzer unit, whereas application logs are ADOM specific and reflect the devices and activity managed within that ADOM. https://docs.fortinet.com/docume ... 08717/enabling-and-disabling-the-adom-feature
Question #45
It is a best practice to upload FortiAnalyzer local logs to a remote server. Which three remote servers are supported for the upload? (Choose three.)