
Fortinet NSE5_EDR-5.0 Exam Dumps & Practice Test Questions

Question 1:

What is the primary reason for locking an ADOM revision in FortiGate?

A. To block further edits via Device Manager
B. To turn off revision tracking
C. To stop the system from auto-deleting the revision
D. To lock access to the Policy and Objects section

Answer: C

Explanation:
In FortiGate, locking an ADOM revision is a useful feature when you want to ensure that the current configuration is preserved and cannot be automatically deleted or overwritten by the system. When an ADOM (Administrative Domain) revision is locked, it prevents the system from performing auto-deletion of revisions that would typically occur in an attempt to clean up old or unnecessary revisions. This is crucial in environments where configuration stability is a priority, and previous working configurations need to be maintained securely.

Option A is incorrect because locking a revision does not block edits through Device Manager; instead, it prevents auto-deletion of the revision.
Option B is incorrect because revision tracking is still enabled, and locking only pertains to preventing auto-deletion.
Option D is incorrect because locking a revision does not prevent access to the Policy and Objects section; it only protects the revision from being deleted.

Therefore, the primary purpose of locking an ADOM revision is to stop the system from auto-deleting the revision, ensuring that a particular configuration is preserved.

Question 2:

Which two output methods can be used for sending report event notifications? (Select two)

A. SMS alerts
B. Send to another FortiAnalyzer unit
C. Transfer to a remote server
D. Email notifications

Answer: B, D

Explanation:
FortiGate and FortiAnalyzer offer several methods for sending report event notifications. The two correct options for sending event notifications are:

  • B: Send to another FortiAnalyzer unit: FortiAnalyzer can be configured to send event logs or notifications to another FortiAnalyzer unit, which can be useful in larger deployments for centralized log aggregation and processing.

  • D: Email notifications: FortiGate devices can send email notifications for specific events or reports to administrators or relevant stakeholders, helping them stay informed about critical events in the system.

Option A is incorrect because SMS alerts are not a primary method for sending report event notifications from FortiGate or FortiAnalyzer. While SMS can be used for alerting, it's not typically used for sending detailed report notifications.
Option C is incorrect because transferring to a remote server is not a direct method for sending notifications; it refers more to log forwarding or data export, which is not specifically about event notifications.

Thus, the correct output methods for sending report event notifications are sending to another FortiAnalyzer unit and email notifications.

Question 3:

Which two statements correctly describe the "Import All Objects" option in the Import Policy Wizard? (Select two)

A. Imports both used and unused objects into the ADOM database
B. Only imports objects referenced in existing policies
C. Only policy-related objects are allowed to be imported
D. Unused FortiGate objects are deleted after the initial policy synchronization

Answer: A, D

Explanation:
The "Import All Objects" option in the Import Policy Wizard is designed to bring all the objects related to the FortiGate configuration into the ADOM (Administrative Domain) database, including both objects actively used in policies and those that are not currently being referenced. This is useful for ensuring that all available objects are brought into the FortiGate system for potential future use and to maintain a complete inventory of objects.

  • A: Imports both used and unused objects into the ADOM database: This statement is correct because the "Import All Objects" option will bring in both used and unused objects, providing a full picture of the available resources from the FortiGate unit.

  • D: Unused FortiGate objects are deleted after the initial policy synchronization: This is also correct because unused objects are typically removed during subsequent policy synchronization to keep the database clean and organized. Therefore, after the initial import, unused objects may be deleted if they are not referenced.

Option B is incorrect because "Import All Objects" includes both used and unused objects, not just those referenced in policies.
Option C is incorrect because the option is not limited to policy-related objects; it can include any object that exists within the FortiGate configuration.

Question 4:

Which statement accurately reflects the licensing of FortiAnalyzer models?

A. All physical units support the same log volume per day
B. Both virtual and hardware models use the same licensing file
C. All hardware appliances offer identical storage capacities
D. Virtual appliance licenses define device count and log throughput

Answer: D

Explanation:
The licensing model for FortiAnalyzer virtual appliances is typically based on specific metrics, such as device count (how many FortiGate or other devices can be managed) and log throughput (how much log data the appliance can handle). Virtual appliances are usually licensed according to the volume of logs that can be processed and stored, which differs from how physical appliances are licensed.

  • D: Virtual appliance licenses define device count and log throughput: This is correct because virtual FortiAnalyzer licenses are often defined by device count (how many devices can be monitored or managed) and the log throughput (how many logs the appliance can process and store per day). These licensing parameters are key to determining the scale and performance of virtual FortiAnalyzer.

Option A is incorrect because not all physical units support the same log volume. Different FortiAnalyzer models have different licensing tiers, which directly affect log volume support.
Option B is incorrect because virtual and hardware models do not use the same licensing file. They are licensed separately based on their respective platforms (virtual or physical).
Option C is incorrect because hardware appliances vary in storage capacity depending on the model and the specific configuration. Therefore, not all hardware appliances offer identical storage capacities.

Thus, the statement that virtual appliance licenses define device count and log throughput is the accurate description of FortiAnalyzer licensing.

Question 5:

Which two statements about disk log quotas on FortiAnalyzer are correct? (Select two)

A. Logging stops once the disk quota limit is reached
B. Disk log quota is auto-set based on the connected device
C. Logging can either stop or overwrite old logs when the quota is full
D. Disk log quota can be manually set, with limits based on reserved system storage

Answer: C, D

Explanation:
When configuring disk log quotas on FortiAnalyzer, there are a few essential considerations that administrators need to understand. Disk log quotas determine how much storage is allocated for logs, and understanding how the system handles situations when the storage reaches its limit is important.

Option A suggests that logging stops once the disk quota limit is reached, which is not accurate. FortiAnalyzer offers different configurations for how it manages log data once the quota is full. Logging does not necessarily stop; instead, it can either stop or overwrite old logs, depending on the configuration. This is better reflected in Option C, where it is mentioned that logging can either stop or overwrite old logs when the quota is full. Administrators can select the behavior they want based on their storage and retention needs.

Option B claims that the disk log quota is auto-set based on the connected device. This is not the case, as FortiAnalyzer requires administrators to manually configure log quotas. There isn't an automatic setting tied to the specific device connection that determines the quota. Therefore, Option B is not correct.

Option D, however, is correct. FortiAnalyzer allows administrators to manually set the disk log quota and define limits, which can also be based on reserved system storage. This ensures that the system can prioritize essential functions without filling up the disk with log data. Setting a quota manually provides administrators with the flexibility to allocate sufficient space for logs while reserving critical system storage for other operations.

In summary, the two correct options are C and D because they accurately describe how FortiAnalyzer handles disk log quotas and the flexibility it provides for administrators.

Question 6:

What best defines the difference between raw and formatted log formats?

A. Raw logs are accessible only via CLI
B. Raw logs appear exactly as saved in the log files
C. Raw logs are more readable than formatted ones
D. Raw logs are not exportable as CSV files

Answer: B

Explanation:
The primary difference between raw and formatted log formats lies in how the log data is stored, presented, and accessed. Raw logs capture the log data exactly as it is generated, without any additional processing or organization. This means the log entries in their raw form are stored in a way that mirrors the exact data received, without modification. This is reflected in Option B, which correctly states that raw logs appear exactly as saved in the log files.

Option A suggests that raw logs are accessible only via the CLI (Command Line Interface). While raw logs are more frequently accessed through CLI due to their unprocessed format, they are not strictly limited to it. Administrators may also access raw logs through the GUI or other means, so this statement is not entirely accurate. Therefore, Option A is incorrect.

Option C claims that raw logs are more readable than formatted logs. This is false because raw logs are typically more difficult to interpret compared to formatted logs. Formatted logs are processed, organized, and structured in a way that makes them easier to read and understand, as they often include readable timestamps, labels, and fields. In contrast, raw logs may be dense and less user-friendly, with information displayed in a more unstructured format.

Option D states that raw logs are not exportable as CSV files. This is incorrect. Raw logs can be exported in various formats, including CSV, depending on the tools and settings used in FortiAnalyzer. The main difference between raw and formatted logs is their structure and presentation, not their exportability.

In conclusion, Option B is the correct answer because it accurately describes the nature of raw logs, which capture data exactly as saved without processing or formatting.

Question 7:

Which two statements are true regarding admin users and accounts? (Select two)

A. Admin accounts can be created locally or linked to remote servers
B. Admin login credentials are visible to all other admins through the GUI
C. Every admin must be given an admin profile
D. Admin access is solely managed through assigned admin profiles

Answer: A, C

Explanation:
Admin user management is critical in network devices such as FortiAnalyzer and FortiGate because it helps control access and secure the system. Admin accounts must be set up in a way that ensures both flexibility and security, depending on the organization’s needs.

Option A is correct because admin accounts can either be created locally on the device or linked to remote servers. Linking to remote servers is particularly useful in larger environments where organizations want to centralize user authentication. This can be achieved using technologies like LDAP or RADIUS. Using a remote server simplifies user management across multiple devices since a single set of credentials can be used across different platforms, allowing centralized control over authentication and user access.

Option B is incorrect because admin login credentials should never be visible to other admins through the GUI. Doing so would pose a significant security risk. In systems like FortiAnalyzer or FortiGate, admin credentials are masked, and only authorized users can authenticate, but they cannot see each other's login details in plain text. The GUI ensures that sensitive information is protected and not exposed to unauthorized personnel.

Option C is correct because every admin must be assigned an admin profile. Admin profiles define what an administrator can and cannot do within the system. For example, profiles can provide read-only access, full configuration permissions, or limited access to certain areas of the device. Admin profiles are critical for defining roles and ensuring that each user has the correct level of access. This step is essential for maintaining the security and integrity of the system.

Option D is misleading because admin access is not solely managed through admin profiles. While admin profiles are essential for controlling what actions an administrator can perform, there are also other factors, such as role-based access control (RBAC) and authentication methods (like local or remote authentication), that contribute to managing admin access. So, admin access is not entirely dependent on profiles alone.

In summary, A and C are the correct answers. These options reflect how admin accounts can be managed (both locally and remotely) and how admin profiles are necessary for defining user permissions and access levels.

Question 8:

In FortiEDR, which two components must be available for real-time communication between the endpoints and the management platform? (Choose 2.)

A. FortiEDR Aggregator service
B. FortiEDR Collector service on each endpoint
C. FortiEDR Core cloud license server
D. FortiAnalyzer Fabric connector
E. FortiEDR Overlay tunnel interface

Answer: A, B

Explanation:
FortiEDR provides endpoint detection and response capabilities that protect endpoints from threats and facilitate real-time monitoring. For effective communication between the endpoints and the central management platform, certain components must be in place to ensure smooth data collection and analysis.

Option A is correct. The FortiEDR Aggregator service plays a key role in real-time communication between the endpoints and the management platform. This service collects data from the endpoints and sends it to the centralized management platform for further analysis. Without this service, event and log data from the endpoints cannot be transmitted to the management platform, preventing real-time detection and response.

Option B is also correct. The FortiEDR Collector service must be installed on each endpoint to collect data (such as events, logs, and behaviors) from the endpoint and forward it to the management platform. It ensures that the endpoint communicates continuously with the central platform, allowing for real-time visibility and control over endpoint activities.

Option C is incorrect. The FortiEDR Core cloud license server is used for managing licenses for FortiEDR. It is important for licensing purposes but does not affect the real-time communication between the endpoints and the management platform. The core license server only ensures that FortiEDR is activated and functioning but does not directly handle endpoint data transmission.

Option D is incorrect. The FortiAnalyzer Fabric connector is used for integration with FortiAnalyzer, which is a tool for log analysis and reporting. While it is crucial for analyzing post-event data, the Fabric connector does not impact the real-time communication that is required between the endpoints and the management platform.

Option E is incorrect. The FortiEDR Overlay tunnel interface is used for specific network scenarios, like tunneling, but it is not a primary requirement for real-time communication between the endpoints and the management platform. The overlay tunnel interface typically supports network connections in specific configurations but is not directly involved in the core real-time communication flow.

In conclusion, A and B are the correct answers. The FortiEDR Aggregator and Collector services are critical for ensuring that real-time communication is established between endpoints and the management platform, enabling timely detection and response to security events.

Question 9:

You want FortiEDR to quarantine a workstation automatically when ransomware behavior is detected, while still allowing security analysts to investigate remotely. Which two profile settings achieve this requirement? (Choose 2.)

A. Enable Network Isolation action in the Realtime Protection policy
B. Set Mitigation Mode = Suspicious in the Communication Control policy
C. Configure the Contain playbook step in an automatic incident-response rule
D. Turn on Advanced Remediation – Remove malware artifacts in the security policy
E. Add the SOC subnet to Isolation Exceptions so only analysts can access the host

Answer: A, E

Explanation:
In a FortiEDR setup, when ransomware is detected, it is critical to quarantine the affected workstation automatically to prevent further damage, but at the same time, you want security analysts to retain the ability to remotely investigate the issue. There are a couple of key profile settings that help achieve this dual requirement.

Option A is correct because enabling the Network Isolation action in the Realtime Protection policy ensures that when ransomware or other suspicious behavior is detected, the workstation can be isolated from the network. This prevents the spread of the malicious activity, effectively quarantining the affected system. Importantly, network isolation can be configured to be automatic, so the action is taken immediately when the system exhibits ransomware-like behavior.

However, in this scenario, it is also necessary to allow security analysts to access the system remotely. This is where Option E becomes essential. By adding the SOC subnet to Isolation Exceptions, security analysts’ systems can bypass the isolation and still maintain access to the quarantined host. This means that while the workstation is isolated from the broader network, it remains accessible for investigation from authorized security analysts, ensuring that their work is not interrupted by the quarantine.

Option B suggests setting Mitigation Mode = Suspicious in the Communication Control policy, but this is not the best choice to automatically quarantine a workstation when ransomware behavior is detected. Mitigation Mode = Suspicious typically refers to behaviors that suggest something unusual is happening, but it doesn't directly enforce quarantine. It’s more useful for monitoring and analysis rather than immediate action, so this option is not the correct choice.

Option C involves the Contain playbook step in an automatic incident-response rule. While this step may be part of the response plan in a broader context, it does not directly facilitate the quarantine action described in the question. The Network Isolation action in the Realtime Protection policy (as described in Option A) is the more direct method for quarantining the workstation.

Option D talks about Advanced Remediation and removing malware artifacts, but this setting is more focused on post-event remediation rather than isolating the system to prevent the spread of ransomware in real-time. Therefore, it does not directly meet the need for automatic quarantine when ransomware is detected.

In conclusion, A and E are the correct answers because they allow for automatic quarantine of the workstation and ensure that security analysts can still access the quarantined system remotely for investigation.

Question 10:

Which two FortiEDR capabilities rely on the Cloud Intelligence Engine to enhance endpoint protection without updating local signatures? (Choose 2.)

A. Realtime Memory Protection against in-memory exploits
B. Threat Hunting queries that enrich event data with threat-intel verdicts
C. Pre-execution prevention using AI static analysis of portable-executables
D. Kernel-level rollback of malicious file modifications
E. Automated IOC feed for Communication Control reputation lists

Answer: B, E

Explanation:
FortiEDR uses the Cloud Intelligence Engine to enhance endpoint protection by leveraging cloud-based intelligence without needing to rely solely on local signature updates. This cloud-based approach provides real-time analysis and threat intelligence to help the system respond faster and more effectively to emerging threats.

Option B is correct. The Cloud Intelligence Engine plays a crucial role in enriching threat hunting queries with threat-intelligence verdicts. This means that even if the endpoint doesn't have the latest signature updates, it can still receive updated information from the cloud. The engine can analyze events in real-time, providing security teams with more accurate context and intelligence to investigate threats. By utilizing the cloud’s processing power, the system can assess potential threats more effectively, even if new types of attacks are not yet captured by local signatures.

Option E is also correct. The Cloud Intelligence Engine is responsible for the Automated IOC feed, which feeds into the Communication Control reputation lists. This feature allows for the continuous updating of indicators of compromise (IOCs) that are used for blocking malicious domains, IPs, and URLs in real time. The cloud intelligence automatically adjusts the reputation lists without requiring local signature updates, ensuring that the endpoint is protected against new threats and zero-day attacks even when traditional signatures are not yet available.

Option A refers to Realtime Memory Protection against in-memory exploits. While the Cloud Intelligence Engine may assist with overall protection strategies, memory protection is typically handled by local security mechanisms on the endpoint rather than being primarily driven by the cloud intelligence. This is a more local defense strategy rather than a cloud-dependent one, so Option A is not the correct answer.

Option C describes Pre-execution prevention using AI static analysis of portable executables. While AI plays a role in analyzing files, this specific prevention method is more reliant on local analysis, not cloud intelligence. The local AI engine can analyze executable files before they run, but it does not necessarily require the Cloud Intelligence Engine for this functionality, so Option C is incorrect.

Option D mentions Kernel-level rollback of malicious file modifications, which is a local action that occurs at the system level. Although FortiEDR can use cloud intelligence for some activities, kernel-level rollback does not specifically rely on the Cloud Intelligence Engine. This action focuses on local system remediation rather than cloud-based protection, making Option D incorrect.

In conclusion, B and E are the correct answers because they both rely on cloud-based intelligence to enhance endpoint protection without requiring frequent updates to local signatures. The cloud intelligence provides real-time enrichment and automated IOC updates, ensuring up-to-date protection against evolving threats.