The New NSE5_FSM-6.3 2025 Updated Verified Study Guides & Best Courses [Q16-Q35]

Posted On April 15, 2025

The New NSE5_FSM-6.3 2025 Updated Verified Study Guides & Best Courses

Authentic NSE5_FSM-6.3 Exam Dumps PDF – 2025 Updated

Fortinet NSE5_FSM-6.3 certification exam is designed for professionals who want to validate their skills and knowledge in using Fortinet NSE 5 – FortiSIEM 6.3. NSE5_FSM-6.3 exam is a must-have for IT professionals who want to demonstrate their expertise in using Fortinet’s Security Information and Event Management (SIEM) solution. Successful candidates will gain recognition for their skills in deploying, configuring, and managing FortiSIEM 6.3.

NO.16 A FortiSIEM is continuously receiving syslog events from a FortiGate firewall. The FortiSIEM administrator is trying to search the raw event logs for the last two hours that contain the keyword tcp . However, the administrator is getting no results from the search.
Based on the selected filters shown in the exhibit, why are there no search results?

The keyword is case sensitive Instead of typing TCP in the Value field. the administrator should type tcp.

In the Time section, the administrator selected the Relative Last option, and in the drop-dawn lists, selected 2 and Hours as the time period. The time period should be 24 hours.

The administrator selected – in the Operator column That a the wrong operator.

The administrator selected AND in the Next drop-down list. This is the wrong boolean operator.

NO.17 How was the FortiGate device discovered by FortiSIEM?

Through GUI log discovery

Through syslog discovery

using the pull events method

Through auto lag discovery

NO.18 An administrator is using SNMP and WMI credentials to discover a Windows device. How will the WMI method handle this?

WMI method will collect only traffic and IIS logs.

WMI method will collect only DNS logs.

WMI method will collect only DHCP logs.

WMI method will collect security, application, and system events logs.

WMI Method: Windows Management Instrumentation (WMI) is a set of specifications from Microsoft for consolidating the management of devices and applications in a network.
Log Collection: WMI is used to collect various types of logs from Windows devices.
* Security Logs: Contains records of security-related events such as login attempts and resource access.
* Application Logs: Contains logs generated by applications running on the system.
* System Logs: Contains logs related to the operating system and its components.
Comprehensive Data Collection: By using WMI, FortiSIEM can gather a wide range of event logs that are crucial for monitoring and analyzing the security and performance of Windows devices.
References: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting event logs from Windows devices.

NO.19 Refer to the exhibit.

An administrator is investigating a FortiSIEM license issue.
The procedure is for which offline licensing condition?

The procedure is for offline license debug.

The procedure is for offline license registration.

The procedure is for offline license validation.

The procedure is for offline license verification.

Offline Licensing in FortiSIEM: FortiSIEM provides mechanisms for offline licensing to accommodate environments without direct internet access.
License Tool Command: The command./phLicenseTool –collect license_req.datis used to collect license information necessary for offline registration.
Procedure Analysis: The exhibit shows the output of this command, which indicates the collection of license information to a file namedlicense_req.dat.
Offline License Registration: This collected data file is then typically uploaded to the FortiSIEM support portal or provided to the FortiSIEM support team for processing and generating a license file.
References: FortiSIEM 6.3 Administration Guide, Licensing section, details the procedures for both online and offline license registration, including the use of thephLicenseToolfor offline scenarios.

NO.20 Which process convertsRaw log data to structured data?

Data enrichment

Data classification

Data parsing

Data validation

NO.21 Refer to the exhibit.

A FortiSIEM administrator wants to collect both SIEM event logs and performance and availability metrics (PAM) events from a Microsoft Windows server Which protocol should the administrator select in the Access Protocol drop-down list so that FortiSIEM will collect both SIEM and PAM events?

TELNET

WMI

LDAPS

LDAP start TLS

Collecting SIEM and PAM Events: To collect both SIEM event logs and Performance and Availability Monitoring (PAM) events from a Microsoft Windows server, a suitable protocol must be selected.
WMI Protocol: Windows Management Instrumentation (WMI) is the appropriate protocol for this task.
* SIEM Event Logs: WMI can collect security, application, and system logs from Windows devices.
* PAM Events: WMI can also gather performance metrics, such as CPU usage, memory utilization, and disk activity.
Comprehensive Data Collection: Using WMI ensures that both types of data are collected efficiently from the Windows server.
References: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting various types of logs and performance metrics.

NO.22 Refer to the exhibits.

Three events are collected over a 10-minute time period from two servers: Server A and Server B.
Based on thesettings tor the rule subpattern. how many incidents will the servers generate?

Server A will generate one incident and Server B will generate one incident.

Server A will generate one incident and Server B will not generate any incidents.

Server B will generate one incident and Server A will not generate any incidents.

Server A will not generate any incidents and Server B will not generate any incidents.

Event Collection Overview: The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.
Rule Subpattern Settings: The rule subpattern specifies two conditions:
* AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold): This checks if the average CPU utilization exceeds the critical threshold defined for each server.
* COUNT(Matched Events) >= 2: This requires at least two matching events within the specified period.
Server A Analysis:
* Events: Three events (CPU=90, CPU=90, CPU=95).
* Average CPU Utilization: (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.
* Matched Events Count: 3, which meets the condition of being greater than or equal to 2.
* Incident Generation: Server A meets both conditions, so it generates one incident.
Server B Analysis:
* Events: Three events (CPU=70, CPU=50, CPU=60).
* Average CPU Utilization: (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.
* Matched Events Count: 3, but since the average CPU utilization condition is not met, no incident is generated.
Conclusion: Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.
References: FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.

NO.23 What is a prerequisite for FortiSIEM Linux agent installation?

The web server must be installed on the Linux server being monitored

The auditd service must be installed on the Linux server being monitored

The Linux agent manager server must be installed.

Both the web server and the audit service must be installed on the Linux server being monitored

FortiSIEM Linux Agent: The FortiSIEM Linux agent is used to collect logs and performance metrics from Linux servers and send them to the FortiSIEM system.
Prerequisite for Installation: Theauditdservice, which is the Linux Audit Daemon, must be installed and running on the Linux server to capture and log security-related events.
* auditd Service: This service collects and logs security events on Linux systems, which are essential for monitoring and analysis by FortiSIEM.
Importance of auditd: Without the auditd service, the FortiSIEM Linux agent will not be able to collect the necessary event data from the Linux server.
References: FortiSIEM 6.3 User Guide, Linux Agent Installation section, which lists the prerequisites and steps for installing the FortiSIEM Linux agent.

NO.24 FortiSIEM administrator wants to group some attributes for a report, but is not able to do so successfully.
As shown in the exhibit, why are some of the fields highlighted in red?

The Event Receive Time attribute is not available for lags.

The attribute COUNT(Matched event) is an invalid expression.

Unique attributes cannot be grouped.

No RAW Event Log attribute is available far devices.

NO.25 In FortiSIEM enterprise licensing mode, if the link between the collector and data center FortiSIEM cluster a down what happens?

The collector drops incoming events like syslog, but slops performance collection

The collector continues performance collection of devices, but stops receiving syslog

The collector buffers events

The collector processes stop, and events are dropped

NO.26 FortiSIEM is deployed in disaster recovery mode.
When disaster strikes, which two tasks must you perform manually to achieve a successful disaster recovery operation? (Choose two.)

Promote the secondary workers tothe primary rotes using the phSecworker2priworker command.

Promote the secondary supervisor to the primary role using thephSecondary2primary command.

Change the DNS configuration to ensure that users, devices, and collectors log in to the secondary FortiSIEM.

Change the configuration for shared storage NFS configured for EventDB to the secondary FortiSIEM.

Disaster Recovery Mode: FortiSIEM’s disaster recovery (DR) mode ensures that there is a backup system ready to take over in case the primary system fails.
Manual Tasks for DR Operation: In the event of a disaster, certain tasks must be performed manually to ensure a smooth transition to the secondary system.
Promoting the Secondary Supervisor:
* Use the commandphSecondary2primaryto promote the secondary supervisor to the primary role. This command reconfigures the secondary supervisor to take over as the primary supervisor, ensuring continuity in management and coordination.
Changing DNS Configuration:
* Update the DNS configuration to direct all users, devices, and collectors to the secondary FortiSIEM instance. This ensures that all components in the environment can communicate with the newly promoted primary supervisor without manual reconfiguration of individual devices.
References: FortiSIEM 6.3 Administration Guide, Disaster Recovery section, provides detailed steps on promoting the secondary supervisor and updating DNS configurations during a disaster recovery operation.

NO.27 Which three ports can be used to send Syslogs to FortiSIEM? (Choose three.)

UDP9999

UDP 162

TCP 514

UDP 514

TCP 1470

Syslog Ports: Syslog messages can be sent over different ports using TCP or UDP protocols.
Common Ports for Syslog:
* UDP 514: This is the default port for sending syslog messages over UDP.
* TCP 514: This is the default port for sending syslog messages over TCP, providing a more reliable transmission.
* TCP 1470: This port is often used for secure or alternative syslog transmission.
Usage in FortiSIEM: FortiSIEM can be configured to receive syslog messages on these ports to ensure the logs are collected from various network devices.
References: FortiSIEM 6.3 User Guide, Syslog Integration section, which details the supported ports for syslog transmission.

NO.28 Which three ports can be used to send Syslogs to FortiSIEM? (Choose three.)

UDP 9999

UDP 162

TCP 514

UDP 514

TCP 1470

NO.29 What protocol can be used to collect Windows event logs in an agentless method?

SSH

SNMP

WMI

SMTP

NO.30 Which two export methods are available for FortiSIEM analytics results? (Choose two.)

csv

PNG

HTML

PDF

NO.31 Which FortiSIEM feature must you use to produce a report on which FortiGate devices in your environment are running which firmware version?

Run an analytic search.

Run a query using the Inventory tab.

Run a baseline report.

Run a CMDB report

Feature Overview: FortiSIEM provides several tools for querying and reporting on device information within an environment.
Inventory Tab: The Inventory tab is specifically designed to display detailed information about devices, including their firmware versions.
Query Functionality: Within the Inventory tab, you can run queries to filter and display devices based on specific attributes, such as the firmware version for FortiGate devices.
Report Generation: By running a query in the Inventory tab, you can produce a report that lists the FortiGate devices and their corresponding firmware versions.
References: FortiSIEM 6.3 User Guide, Inventory Management section, explains how to use the Inventory tab to query and report on device attributes.

NO.32 Refer to the exhibit.

How was the FortiGate device discovered by FortiSIEM?

GUI log discovery

Syslog discovery

Pull events discovery

Auto log discovery

Discovery Methods in FortiSIEM: FortiSIEM can discover devices using various methods, including syslog, SNMP, and others.
Syslog Discovery: The exhibit shows that the FortiGate device is discovered by FortiSIEM using syslog.
* Syslog Parsing: The syslog messages sent by the FortiGate device are parsed by FortiSIEM to extract relevant information.
* CMDB Entry: Based on the parsed information, an entry is populated in the Configuration Management Database (CMDB) for the device.
Evidence in Exhibit: The exhibit shows the syslog flow from the FortiGate Firewall to the parsing and discovery process, resulting in the device being listed in the CMDB with the status “Pending.” References: FortiSIEM 6.3 User Guide, Device Discovery section, which explains how syslog discovery works and how devices are added to the CMDB based on syslog data.

NO.33 If a performance rule is triggered repeatedly due to high CPU use. what occurs m the incident table?

A new incident is created each time the rule is triggered, and the First Seen and Last Seen times are updated.

The incident status changes to Repeated and the First Seen and Last Seen times are updated

A new incident is created based an the Rule Frequency value, and the First Seen and Last Seen times are updated

The Incident Count value increases, and the First Seen and Last Seen tomes update

NO.34 When configuring collectors located in geographically separated sites, what ports must be open on a front end firewall?

HTTPS, from the collector to the worker upload settings address only

HTTPS, from the collector to the supervisor and worker upload settings addresses

HTTPS, from the Internet to the collector

HTTPS, from the Internet to the collector and from the collector to the FortiSIEM cluster

FortiSIEM Architecture: In FortiSIEM, collectors gather data from various sources and send this data to supervisors and workers within the FortiSIEM architecture.
Communication Requirements: For collectors to effectively send data to the FortiSIEM system, specific communication channels must be open.
Port Usage: The primary port used for secure communication between the collectors and the FortiSIEM infrastructure is HTTPS (port 443).
Network Configuration: When configuring collectors in geographically separated sites, the HTTPS port must be open for the collectors to communicate with both the supervisor and the worker upload settings addresses. This ensures that the collected data can be securely transmitted to the appropriate processing and analysis components.
References: FortiSIEM 6.3 Administration Guide, Network Ports section details the necessary ports for communication within the FortiSIEM architecture.

NO.35 Refer to the exhibit.

What do the yellow stars listed in the Monitor column indicate?

A yellow star indicates that a metric was applied during discovery, and data has been collected successfully

A yellow star indicates that a metric was applied during discovery, but data collection has not started

A yellow star indicates that a metric was applied during discovery, but FortiSIEM is unable to collect data.

A yellow star indicates that a metric was not applied during discovery and, therefore, FortiSEIM was unable to collect data.

Monitor Column Indicators: In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.
Yellow Star Meaning: A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.
Successful Data Collection: This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.
References: FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.

Loading …