Fortinet Certified Solution Specialist FCSS_ADA_AR-6.7 Passing Score

The rule triggers an incident when there are two or more VPN logon failures within a 10-minute window, grouped by Source IP, Reporting Device, Reporting IP, and User. Let's analyze the events:

Breakdown of Events:

1. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Sarah

2. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: John

3. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Tom

4. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: John

5. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Sarah

6. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Tom

Now, applying the grouping criteria (Source IP, Reporting Device, Reporting IP, and User):

● Group 1: (1.1.1.1, 2.2.2.2, FortiGate, John) → 1 occurrence (not enough)

● Group 2: (1.1.1.1, 2.2.2.2, FortiGate, Sarah) → 1 occurrence (not enough)

● Group 3: (1.1.1.1, 2.2.2.2, FortiGate, Tom) → 2 occurrences (incident triggered)

● Group 4: (1.1.1.3, 2.2.2.2, FortiGate2, John) → 2 occurrences (incident triggered)

● Group 5: (1.1.1.3, 2.2.2.2, FortiGate2, Sarah) → 1 occurrence (not enough)

● Group 6: (1.1.1.3, 2.2.2.2, FortiGate2, Tom) → 1 occurrence (not enough)

Final Incident Count:

● One incident for Group 3 (Tom on FortiGate)

● One incident for Group 4 (John on FortiGate2)

From the exhibit, we can determine the IP range that will be added to the CMDB and mapped to Customer E.

● The included IP range is 10.50.0.1 – 10.50.0.50.

● This means any device within this range (10.50.0.1 to 10.50.0.50) will be added to the CMDB.

10.50.0.1 → Falls within the included range (10.50.0.1 – 10.50.0.50) → Added to CMDB.

10.50.0.149 → Falls within the 10.50.0.1 – 10.50.0.50 range → Added to CMDB.

In aFortiSIEM deployment,device discoveryis handled by theSupervisor, even when aCollectoris present.

● TheSupervisor initiates active scansusing protocols such asSNMP, WMI, SSH, and API queriesto discover devices in the network.

●Collectors do not perform discovery; they primarilycollect and forward logsfrom designated devices to the Supervisor.

●Workers handle event processing, not discovery.

Afterregistration, collectors maintaincontinuous communicationwith theSupervisorto ensure properevent processing, system health monitoring, and failover handling. The two key reasons collectors communicate with the Supervisor are:

1.To upload event data if a worker is down

If aworker node fails, thecollector can temporarily store event logsand then forward them to the Supervisor.

This ensuresevent continuityeven during infrastructure issues.

2.To report its own health status

Thecollector sends health reportsto theSupervisor, including resource usage, connectivity status, and operational logs.

This helps FortiSIEM trackcollector uptime and performance.