Fortinet nse5-faz-6-4 practice test
Fortinet NSE 5 - FortiAnalyzer 6.4 Exam
Last exam update: Apr 21 ,2025
Question 1
What two things should an administrator do to view Compromised Hosts on FortiAnalyzer? (Choose
two.)
- A. Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
- B. Enable device detection on an interface on the FortiGate devices that are connected to the FortiAnalyzer.
- C. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up-to-date.
- D. Make sure all endpoints are reachable by FortiAnalyzer.
Answer:
BC
Explanation:
Reference:
https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-
guide/137635/viewing-compromised-hosts
Question 2
An administrator has moved FortiGate A from the root ADOM to ADOM1.
Which two statements are true regarding logs? (Choose two.)
- A. Analytics logs will be moved to ADOM1 from the root ADOM automatically.
- B. Archived logs will be moved to ADOM1 from the root ADOM automatically.
- C. Logs will be presented in both ADOMs immediately after the move.
- D. Analytics logs will be moved to ADOM1 from the root ADOM after you rebuild the ADOM1 SQL database.
Answer:
B, D
Explanation:
Reference:
https://community.fortinet.com/t5/Fortinet-Forum/FW-Migration-between-ADOMs/m-
p/32683?m=158008
Question 3
Which two statements are true regarding high availability (HA) on FortiAnalyzer? (Choose two.)
- A. FortiAnalyzer HA can function without VRRP. and VRRP is required only if you have more than two FortiAnalyzer devices in a cluster.
- B. FortiAnalyzer HA supports synchronization of logs as well as some system and configuration settings.
- C. All devices in a FortiAnalyzer HA cluster must run in the same operation mode: analyzer or collector.
- D. FortiAnalyzer HA implementation is supported by many public cloud infrastructures such as AWS, Microsoft Azure, and Google Cloud.
Answer:
BC
Explanation:
Reference:
https://help.fortinet.com/fa/faz50hlp/60/6-0-2/Content/FMG-
FAZ/4600_HA/0000_HA.htm?TocPath=High%20Availability%7C_____0
Question 4
Refer to the exhibit.
Which two statements are true regarding enabling auto-cache on FortiAnalyzer? (Choose two.)
- A. Report size will be optimized to conserve disk space on FortiAnalyzer.
- B. Reports will be cached in the memory.
- C. This feature is automatically enabled for scheduled reports.
- D. Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.
Answer:
C, D
Explanation:
Reference:
https://help.fortinet.com/fa/faz50hlp/56/5-6-2/FMG-FAZ/2300_Reports/0025_Auto-
cache.htm
Question 5
The admin administrator is failing to register a FortiClient EMS on the FortiAnalyzer device.
What can be the reason for this failure?
- A. FortiAnalyzer is in an HA cluster.
- B. ADOM mode should be set to advanced, in order to register the FortiClient EMS device.
- C. ADOMs are not enabled on FortiAnalyzer.
- D. A separate license is required on FortiAnalyzer in order to register the FortiClient EMS device.
Answer:
C
Explanation:
Reference:
https://help.fortinet.com/fa/faz50hlp/56/5-6-2/FMG-
FAZ/0800_ADOMs/0015_FortiClient%20and%20ADOMs.htm
Question 6
A rogue administrator was accessing FortiAnalyzer without permission, and you are tasked to see
what activity was performed by that rogue administrator on FortiAnalyzer.
What can you do on FortiAnalyzer to accomplish this?
- A. Click FortiView and generate a report for that administrator.
- B. Click Task Monitor and view the tasks performed by that administrator.
- C. Click Log View and generate a report for that administrator.
- D. View the tasks performed by the rogue administrator in Fabric View.
Answer:
B
Explanation:
Reference:
https://docs.fortinet.com/document/fortimanager/6.4.1/administration-
guide/792943/task-monitor
Question 7
Refer to the exhibit.
The exhibit shows remoteservergroup is an authentication server group with LDAP and RADIUS
servers.
Which two statements express the significance of enabling Match all users on remote server when
configuring a new administrator? (Choose two.)
- A. It creates a wildcard administrator using LDAP and RADIUS servers.
- B. Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.
- C. Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.
- D. It allows administrators to use two-factor authentication.
Answer:
A, B
Explanation:
Reference:
https://docs.fortinet.com/document/fortimanager/7.0.1/administration-
guide/858351/creating-administrators
Question 8
Which two statements are true regarding FortiAnalyzer operating modes? (Choose two.)
- A. When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.
- B. Collector mode is the default operating mode.
- C. When in collector mode. FortiAnalyzer supports event management and reporting features.
- D. By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting
Answer:
AD
Explanation:
Reference:
https://docs.fortinet.com/document/fortianalyzer/7.0.0/administration-
guide/227478/collector-mode
https://docs.fortinet.com/document/fortianalyzer/7.0.0/administration-guide/312644/analyzer-
collector-collaboration
Question 9
Which statement is true regarding Macros on FortiAnalyzer?
- A. Macros are ADOM specific and each ADOM will have unique macros relevant to that ADOM.
- B. Macros are supported only on the FortiGate ADOM.
- C. Macros are useful in generating excel log files automatically based on the reports settings.
- D. Macros are predefined templates for reports and cannot be customized.
Answer:
A
Explanation:
Reference:
https://docs2.fortinet.com/document/fortianalyzer/6.2.3/administration-
guide/617380/creating-macros
Question 10
An administrator has moved FortiGate A from the root ADOM to ADOM1. However, the
administrator is not able to generate reports for FortiGate A in ADOM1.
What should the administrator do to solve this issue?
- A. Use the execute sql-local rebuild-db command to rebuild all ADOM databases.
- B. Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.
- C. Use the execute sql-report run ADOM1 command to run a report.
- D. Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.
Answer:
B
Explanation:
Reference:
https://help.fortinet.com/fmgr/cli/5-6-1/FortiManager_CLI_Reference/700_execute/sql-
local+.htm
Question 11
Which two statements are true regarding FortiAnalyzer log forwarding? (Choose two.)
- A. In aggregation mode, you can forward logs to syslog and CEF servers as well.
- B. Forwarding mode forwards logs in real time only to other FortiAnalyzer devices.
- C. Aggregation mode stores logs and content files and uploads them to another FortiAnalyzer device at a scheduled time.
- D. Both modes, forwarding and aggregation, support encryption of logs between devices.
Answer:
B, C
Explanation:
Reference:
https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/63238/what-is-the-
difference-between-log-forward-and-log-aggregation-modes
Question 12
Which two statements are true regarding ADOM modes? (Choose two.)
- A. You can only change ADOM modes through CLI.
- B. In normal mode, the disk quota of the ADOM is fixed and cannot be modified, but in advance mode, the disk quota of the ADOM is flexible because new devices are added to the ADOM.
- C. In an advanced mode ADOM. you can assign FortiGate VDOMs from a single FortiGate device to multiple FortiAnalyzer ADOMs.
- D. Normal mode is the default ADOM mode.
Answer:
CD
Explanation:
Reference:
https://help.fortinet.com/fa/faz50hlp/56/5-6-1/FMG-
FAZ/0800_ADOMs/0400_ADOM%20Device%20Modes.htm
Question 13
An administrator has configured the following settings:
config system fortiview settings
set resolve-ip enable
end
What is the significance of executing this command?
- A. Use this command only if the source IP addresses are not resolved on FortiGate.
- B. It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer.
- C. You must configure local DNS servers on FortiGate for this command to resolve IP addresses on Forti Analyzer.
- D. It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.
Answer:
D
Explanation:
Reference:
https://community.fortinet.com/t5/Fortinet-Forum/Hostnames-in-FortiAnalyzer/m-
p/95351?m=156950
Question 14
Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.)
- A. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.
- B. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.
- C. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.
- D. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.
Answer:
B, D
Explanation:
Reference:
https://docs.fortinet.com/document/fortianalyzer/7.0.1/administration-
guide/651442/fetcher-management
Question 15
What are offline logs on FortiAnalyzer?
- A. Compressed logs, which are also known as archive logs, are considered to be offline logs.
- B. When you restart FortiAnalyzer. all stored logs are considered to be offline logs.
- C. Logs that are indexed and stored in the SQL database.
- D. Logs that are collected from offline devices after they boot up.
Answer:
A
Explanation:
Reference:
https://help.fortinet.com/fa/faz50hlp/56/5-6-
6/Content/FortiAnalyzer_Admin_Guide/0300_Key_concepts/0600_Log_Storage/0400_Archive_anal
ytics_logs.htm