In a Security Fabric, every FortiGate device sends its logs directly to FortiAnalyzer, independently of the root FortiGate.
While the root FortiGate is typically responsible for configuring and managing the log forwarding configuration, all leaf FortiGates (downstream devices) send their logs to FortiAnalyzer, ensuring complete visibility across the Security Fabric.
This design ensures redundancy and guarantees that logs are not lost if a specific FortiGate device in the fabric fails.
Other options are incorrect for the following reasons:
A: Only the root FortiGate is responsible for configuration synchronization, not exclusive logging.
C: NAT or UTM devices log traffic details, but all devices in the Security Fabric send logs, not just these.
D: Logging is not limited to the last FortiGate in the session chain; all devices log their activity independently.
All FortiGates send logs to FortiAnalyzer.
But session logs are only sent by the first FortiGate that handles the session, so they are not duplicated. If any FortiGate performs NAT or UTM, it will generate an additional log for that session and send it to FortiAnalyzer.
See page 69
myrmidon3 (4 months, 2 weeks ago)
Febrian (5 months, 2 weeks ago)
Totoahren (5 months, 3 weeks ago)
140ecf2 (7 months ago)
Mellon (8 months, 2 weeks ago)
Mellon (8 months, 2 weeks ago)
charruco (11 months, 2 weeks ago)
GCISystemIntegrator (12 months ago)
dsticht (1 year ago)