Fortinet NSE7_ADA-6.3 Exam Practice Test Instant Access

Question 1

Refer to the exhibit.

The exhibit shows the output of an SQL command that an administrator ran to view the natural_id value, after logging into the Postgres database.

What does the natural_id value identify?

AThe supervisor

BThe worker

CAn agent

DThe collector

Answer : D

The natural_id value identifies the collector in the FortiSIEM system. The natural_id is a unique identifier that is assigned to each collector during the registration process with the supervisor. The natural_id is used to associate events and performance data with the collector that collected them.

Question 2

Refer to the exhibit.

Is the Windows agent delivering event logs correctly?

AThe logs are buffered by the agent and will be sent once the status changes to managed.

BThe agent is registered and it is sending logs correctly.

CThe agent is not sending logs because it did not receive a monitoring template.

DBecause the agent is unmanaged. the logs are dropped silently by the supervisor.

Answer : D

The windows agent is not delivering event logs correctly because the agent is unmanaged, meaning it is not assigned to any organization or customer. The supervisor will drop the logs silently from unmanaged agents, as they are not associated with any valid license or CMDB.

Question 3

Refer to the exhibit.

An administrator runs an analytic search for all FortiGate SSL VPN logon failures. The results are grouped by source IP, reporting IP, and user. The administrator wants to restrict the results to only those rows where the COUNT >= 3.

Which user would meet that condition?

ASarah

BJan

CTom

DAdmin

Answer : C

The user who would meet that condition is Tom. Tom has four rows in the results where the COUNT is greater than or equal to three, meaning he had at least three SSL VPN logon failures from the same source IP and reporting IP. The other users have either less than three rows or less than three COUNT in each row.

Question 4

What happens to UEBA events when a user is off-net?

AThe agent will upload the events to the Worker if it cannot upload them to a FortiSIEM collector

BThe agent will cache events locally if it cannot upload them to a FortiSIEM collector

CThe agent will upload the events to the Supervisor if it cannot upload them to a FortiSIEM collector

DThe agent will drop the events if it cannot upload them to a FortiSIEM collector

Answer : B

When a user is off-net, meaning they are not connected to a network where a FortiSIEM collector is reachable, then UEBA events will be cached locally by the agent if it cannot upload them to a FortiSIEM collector. The agent will store up to 100 MB of events in a local database file and try to upload them when it detects a network change or every five minutes.

Question 5

Which three statements about collector communication with the FortiSIEM cluster are true? (Choose three.)

AThe only communication between the collector and the supervisor is during the registration process.

BCollectors communicate periodically with the supervisor node.

CThe supervisor periodically checks the health of the collector.

DThe supervisor does not initiate any connections to the collector node.

ECollectors upload event data to any node in the worker upload list, but report their health directly to the supervisor node.

Answer : B, C, E

The statements about collector communication with the FortiSIEM cluster that are true are:

Collectors communicate periodically with the supervisor node. Collectors send heartbeat messages to the supervisor every 30 seconds to report their status and configuration.

The supervisor periodically checks the health of the collector. The supervisor monitors the heartbeat messages from collectors and alerts if there is any issue with their connectivity or performance.

Collectors upload event data to any node in the worker upload list, but report their health directly to the supervisor node. Collectors use a round-robin algorithm to distribute event data among worker nodes in the worker upload list, which is provided by the supervisor during registration. However, collectors only report their health and status to the supervisor node.

Question 6

Why can collectors not be defined before the worker upload address is set on the supervisor?

ACollectors can only upload data to a worker, and the supervisor is not a worker

BTo ensure that the service provider has deployed at least one worker along with a supervisor

CCollectors receive the worker upload address during the registration process

DTo ensure that the service provider has deployed a NFS server

Answer : C

Collectors cannot be defined before the worker upload address is set on the supervisor because collectors receive the worker upload address during the registration process. The worker upload address is a list of IP addresses of worker nodes that can receive event data from collectors. The supervisor provides this list to collectors when they register with it, so that collectors can upload event data to any node in the list.

Question 7

Refer to the exhibit.

If the Z-score for this rule is greater than or equal to three, what does this mean?

AThe rate of firewall connection is optimum.

BThe rate of firewall connection is above the historical average value.

CThe rate of firewall connection is above the current average value.

DThe rate of firewall connection is below historical average value.

Answer : B

If the Z-score for this rule is greater than or equal to three, it means that the rate of firewall connection is above the historical average value. The Z-score is a measure of how many standard deviations a value is away from the mean of a distribution. A Z-score of three or more indicates that the value is significantly higher than the mean, which implies an anomaly or deviation from normal behavior.

Fortinet NSE7_ADA-6.3 Fortinet NSE 7 - Advanced Analytics 6.3 Exam Practice Test