NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Questions and Answers

The verified answer is C. The Fabric settings . The study guide ties FortiAnalyzer-triggered actions to the Security Fabric relationship with FortiGate, not to playbook tasks or standalone event handlers alone. It explains that “within the Security Fabric environment, FortiAnalyzer is a key element in the creation of automation stitches” and shows the flow where a downstream FortiGate sends logs to FortiAnalyzer, then FortiAnalyzer parses the logs and notifies the root FortiGate , after which the root FortiGate triggers the action . This shows that FortiAnalyzer must be configured so it can communicate with FortiGate through the Security Fabric.

The guide also states that FortiAnalyzer is the foundation of the Security Fabric , providing logging, reporting, analytics, and automation for Fabric devices and endpoints. It further explains that the FortiAnalyzer Fabric connector consolidates the traffic logs within the Security Fabric. This confirms that the automation workflow depends on proper Security Fabric integration. A playbook task is used for automated SOC actions, and an event handler is used to generate events from logs, but neither one alone establishes the direct communication path needed between FortiAnalyzer and FortiGate. Therefore, the required configuration on FortiAnalyzer is the Fabric settings .

Based on the provided exhibits from the FortiAnalyzer playbook engine:

Playbook Trigger Condition : The Partial Playbook configuration exhibit shows that the playbook is set to trigger based on a condition where the Basic Handler Name is Equal To IPS_Attack_Handling.

Event vs. Log : In FortiAnalyzer, the field Basic Handler Name is a property of an Event record, indicating the specific Event Handler that generated it. A playbook configured with this condition is triggered by an Event , not directly by a raw log.

Playbook Execution Flow : The Partial Playbook Monitor view shows the execution sequence:

Event_Trigger (Starter) : This is the entry point of the playbook, which matches the condition defined in the configuration.

IPS_Attack_Incident : The first task executed after the trigger.

Run_Report : The task in question, which is executed as part of the automated workflow initiated by the starter.

Conclusion : Since the playbook's "Starter" is defined by the IPS_Attack_Handling handler name, an event produced by that handler is the root trigger for the entire playbook execution, including the Run_Report task.

Therefore, the Run_Report task was triggered (as part of the playbook) by an IPS_Attack_Handling event .

The correct answer is A. Device Detection is enabled on the other identified device .

The study guide explains that device identification is a “useful feature for the Security Fabric topology view” and that “FortiGate detects most third-party devices in your network and adds them to the topology view of the Security Fabric.” It also states that in the interfaces section, you can enable device detection , and this detection is what allows FortiGate to identify devices based on observed traffic.

In the exhibit, the tooltip distinguishes between “1 device requires authorization” and “1 other identified device.” That means the unauthorized device is a separate FortiGate/Fabric member issue, while the other identified device is simply a detected third-party device shown in the topology because device detection is working. Therefore, the correct interpretation is that device detection is enabled for that identified device. Option B is incorrect because the exhibit does not say the other identified device requires authorization. Option C is not supported by the study guide, and option D is too specific because no evidence in the exhibit confirms that the detection was enabled specifically on port3 .

The correct answers are C and D .

Option D is correct because the study guide states that the configuration of an event handler can include “Rules” and explains that “Rules are granular conditions” and “Event handlers can have one or more rules.” It further states that “FortiAnalyzer uses event handlers to filter all incoming logs” and “If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Therefore, to use the automation stitch, you must define the rules on FortiAnalyzer so the event handler can actually generate the event that starts the automation flow.

Option C is also correct. The study guide explains that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to the FortiGate side, and in the attack-detection example it says “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” It also explicitly shows “Stitches configured on root FortiGate.” This means the FortiGate must have the corresponding automation trigger configured for the FortiAnalyzer event handler notification.

Option A is incorrect because the study guide does not describe configuring an Action on FortiAnalyzer as the required step for this FortiAnalyzer-to-FortiGate automation-stitch flow. Option B is also incorrect because playbooks are a different FortiAnalyzer automation mechanism; the question specifically refers to using the Automation Stitch option in the event handler.

Based on the architecture of FortiAnalyzer within the Security Fabric and its automation capabilities:

Automation Stitch and Reports : Within the Security Fabric environment, FortiAnalyzer serves as a key element in creating automation stitches and playbooks. For a report to be selectable within a Playbook task (such as the Run_report task shown in the exhibit), it must meet specific technical prerequisites in the report configuration.

Auto-cache Requirement (Answer C) : For a report to be used for automated generation, it must be "ready" to be processed by the engine without manual intervention. Auto-cache must be enabled in the report settings to ensure the report can be generated dynamically and efficiently when triggered by the playbook.

Extended Log Filtering (Answer B) : Playbooks often pass specific variables from the trigger (such as a specific device IP or a time range) into the report. For the report to accept these dynamic parameters and be visible as an "automation-compatible" report in the Playbook interface, Extended Log Filtering must be enabled.

Workflow Constraints : Without these two settings enabled on the report itself, the Playbook engine cannot guarantee the report's successful generation or parameter injection, and thus filters it out of the available selection list in the Run_report task.

The correct answer is C. You can implement parallel redundancy protocol . The study guide explains that media redundancy involves creating a backup path that can be used when part of the network fails and specifically states that “Parallel Redundancy Protocol (PRP) can be used for a star topology.” Since the problem described is many disconnections in the links , the issue is link availability, which is a media redundancy problem rather than a firewall virtualization or policy separation problem. PRP is designed to provide a backup communication path with low recovery time when links fail.

The other options do not fit this scenario as well. HA clusters are described in the guide as a solution for network node redundancy , where a backup firewall or switch takes over when the primary device fails. SD-WAN is recommended for remote site access across multiple WAN links, not for the local floor links shown in this topology. VDOMs provide logical segmentation, not link redundancy or higher link availability. Because the question is specifically about repeated link disconnections , the best action is to implement PRP .

The correct answers are B. Real-time control and D. Determinism . The study guide defines industrial Ethernet as the “use of Ethernet and TCP/IP as transport mechanisms for industrial protocols” and states that it provides “real-time control,” “low latency,” and “determinism (meaning reliable and predictable data delivery)” in harsh environments. It further explains that industrial Ethernet “provides deterministic communication between machine controllers, actuators, sensors, and other units.” These statements directly confirm that the two key advantages are real-time control and determinism.

The other options are not supported by the study guide as core advantages of industrial Ethernet. Encryption is not listed as one of the benefits in this section, and remote access is discussed elsewhere in the OT architecture but not as a defining advantage of industrial Ethernet itself. The guide is explicit that the main benefits here are predictable delivery and real-time communication, which are essential in industrial control environments where timing and reliability matter.