The objective is to create a filter that identifies all login attempts to the FortiAnalyzer web interface (GUI) coming from Laptop1 (IP 10.1.1.100) and excludes the admin user. This filter should match any user other than admin.

Filter Components Analysis :

Operation-login : This portion of the filter will target login actions specifically, which is correct for filtering login attempts.

performed_on==’’GUI(10.1.1.100)’ : This indicates that the login attempt must occur on the GUI interface and originate from the specified IP, which matches Laptop1 ' s IP address (10.1.1.100). This ensures that the filter only matches GUI logins from this specific device.

user!=admin : This part excludes logins by the admin user, meeting the requirement to capture only non-admin users.

Option Analysis :

Option A : Correctly specifies the Operation-login , performed_on==’’GUI(10.1.1.100)’ , and user!=admin . This setup effectively filters login attempts to the GUI from Laptop1, excluding the admin user.

Option B : Uses the incorrect IP 10.1.1.120 in the performed_on filter, which does not match Laptop1 ' s IP (10.1.1.100).

Option C : This option includes srcip==10.1.1.100 and dstip==10.1.1.210 but incorrectly specifies user==admin instead of user!=admin , which does not match the requirement to exclude admin users.

Option D : This option does not specify the performed_on field to restrict it to the GUI and only includes dstip (destination IP) without srcip . It also incorrectly uses user!-admin instead of the correct syntax user!=admin .

Conclusion:

Correct Answer : A. Operation-login and performed_on==’’GUI(10.1.1.100)’ and user!=admin

This filter precisely captures the required conditions: login attempts from Laptop1 to the GUI interface by any user except admin.

The exhibit shows a graph that tracks two metrics over time: Receive Rate and Insert Rate . These two rates are crucial for understanding the log processing behavior in FortiAnalyzer.

Understanding Receive Rate and Insert Rate :

Receive Rate : This is the rate at which FortiAnalyzer is receiving logs from connected devices.

Insert Rate : This is the rate at which FortiAnalyzer is indexing (inserting) logs into its database for storage and analysis.

Data Point at 21:20 :

At 21:20, the Insert Rate line is above the Receive Rate line, indicating that FortiAnalyzer is inserting logs into its database at a faster rate than it is receiving them. This situation suggests that FortiAnalyzer is able to keep up with the incoming logs and is possibly processing a backlog or temporarily received logs faster than new logs are coming in.

Option Analysis :

Option A - FortiAnalyzer is Indexing Logs Faster Than Logs are Being Received : This accurately describes the scenario at 21:20, where the Insert Rate exceeds the Receive Rate. This indicates that FortiAnalyzer is handling logs efficiently at that moment, with no backlog in processing.

Option B - The fortilogd Daemon is Ahead in Indexing by One Log : The data does not provide specific information about the fortilogd daemon’s log count, only the rates. This option is incorrect.

Option C - SQL Database Requires a Rebuild : High receive lag would imply a backlog in receiving and indexing logs, typically visible if the Receive Rate were significantly above the Insert Rate, which is not the case here.

Option D - FortiAnalyzer is Temporarily Buffering Logs to Index Older Logs First : There is no indication of buffering in this scenario. Buffering would usually occur if the Receive Rate were higher than the Insert Rate, indicating that FortiAnalyzer is storing logs temporarily due to indexing lag.

Conclusion:

Correct Answer : A. FortiAnalyzer is indexing logs faster than logs are being received.

The graph at 21:20 shows a higher Insert Rate than Receive Rate, indicating efficient log processing by FortiAnalyzer.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

B is true (members operate in analyzer mode, not collector mode): The study guide defines Fabric members as FortiAnalyzer devices that “retain access to the features described in the FortiAnalyzer Administration Guide” and that “each member can create or raise incidents and events.” In contrast, it states that a FortiAnalyzer operating in collector mode “does not provide capabilities for event management or reporting,” and also notes that “in collector mode, the GUI doesn’t include FortiView, Reports, or Incidents & Events.” Since Fabric members must be able to generate/manage incidents and events, they must be operating with analyzer capabilities rather than collector-only functionality.

C is true (members do not forward their logs to the supervisor): The supervisor provides centralized visibility, but the study guide describes the supervisor’s log access as viewing logs collected on members , not receiving/storing forwarded log files. It states: “In the FortiAnalyzer Fabric supervisor, Log View displays logs collected on all FortiAnalyzer Fabric members,” and clarifies “the logs contain the same information as displayed in the host FortiAnalyzer device they were collected on.” This indicates the logs remain on the member (host) and are made visible to the supervisor for centralized monitoring rather than being forwarded and stored on the supervisor.

For completeness, the study guide also explicitly states “HA is not available on the supervisor” (so A is false) and members do not need the same time zone as the supervisor (so D is false).

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The exhibit shows the event Event Status = Mitigated and Event Type = Web Filter , with the event message indicating the web request was blocked .

The study guide defines Mitigated events as follows: “Mitigated: The security risk is mitigated by being blocked or dropped.” This means a mitigated status corresponds to enforcement that prevented the risk (block/drop), not a condition where the source is isolated.

It also distinguishes Contained events from mitigated ones: “Contained: The risk source is isolated.” Since the exhibit clearly shows Mitigated (not Contained), option B is incorrect.

Additionally, the study guide notes: “Generally, you can acknowledge mitigated events because the related traffic was blocked by the firewall.” This aligns directly with the exhibit’s “blocked” wording and supports that the correct interpretation is that the security risk was blocked.

Finally, the event type displayed is Web Filter , not application control, so option D is incorrect.

Therefore, the correct statement is C. The security risk was blocked.