NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Questions and Answers

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.

The correct answers are A and D .

Option A is correct because the study guide states that for OT protocol coverage, “a valid OT security service license is required to receive updates on both intrusion prevention and application control signatures.” It also shows “Valid license required” in the FortiGuard subscriptions section for OT protocol coverage. This confirms that a valid OT security service license is required to use and maintain the OT signatures database correctly.

Option D is also correct because the guide explicitly shows the CLI configuration used “To enable OT signatures” :

config ips global

set exclude-signatures none

end

It then states that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI.” This directly confirms that you must set exclude-signatures to none in the CLI to enable OT signatures.

Option B is incorrect because the study guide does not say you manually import the OT signatures database. Instead, it explains that FortiGuard maintains updated OT signatures and that a valid license is required to receive updates. Option C is incorrect because the guide clearly says OT signatures are excluded by default until enabled from the CLI.

According to the OT Security 7.6 Architect study guide regarding IEC 62443 Security Levels :

Security Level 4 (SL 4) Definition : This level provides " Protection against intentional violation using sophisticated means with extended resources, specific skills, and high motivation " .

Real-World Application : The study guide specifically notes: " If you are facing a syndicate of cyber extortionists with extensive resources and capabilities, then you should strive for security level 4 " .

Comparison to other levels :

SL 1 : Protection against " casual or unintentional system violation " .

SL 2 : Protection against " intentional violation using simple means with low resources " .

SL 3 : Protection against " intentional violation using sophisticated means with moderate resources " .

Based on the provided exhibit and the OT Security 7.6 Architect curriculum regarding the Fortinet Security Fabric :

Fabric Role : The exhibit clearly shows that FortiGate-2 has the role set to Join Fabric . This confirms it is a downstream device and not the Fabric Root (eliminating Option A).

Upstream Connection : The device is configured to point to an Upstream FortiGate at IP address 10.1.2.254 .

Fabric Status : The status is currently displayed as Not Connected . In a standard Fortinet Security Fabric deployment, once a downstream device is configured to join the fabric, it sends a request to the upstream root device. The root FortiGate must then explicitly authorize the downstream unit before the connection is established and the status changes to " Connected. "

Authorization Requirement : The " Not Connected " status, while having the upstream IP correctly configured, is the classic indicator that the authorization step is pending on the root FortiGate. Furthermore, under the LAN Edge Devices section, it shows another downstream FortiGate requiring authorization on this specific unit, highlighting that authorization is a manual security requirement for all stages of the Fabric hierarchy.

FortiAnalyzer Status : While the Logging & Analytics section shows FortiAnalyzer is Disabled , this is a configuration choice and does not prevent the Security Fabric from connecting; therefore, configuring it is not the solution to the connectivity status shown (eliminating Option C).

In summary, FortiGate-2 cannot join the fabric until an administrator logs into the Root FortiGate (10.1.2.254) and authorizes the join request from FortiGate-2.

The correct answers are C. Vendor OUI and D. Network traffic .

The study guide explicitly separates active/direct profiling methods from passive/non-direct methods and states that “In OT environments, passive methods are preferred over active methods.” It then lists the methods that do not require FortiNAC to interact directly with the device being profiled. Among those methods are “Network traffic: gathered from the infrastructure” and “Vendor OUI: determined by the MAC address gathered from the infrastructure.” That directly matches options C and D .

Options A and B are incorrect because SSH and SNMP are shown in the guide under the direct/active profiling methods. The guide’s point is that passive detection avoids directly scanning or interacting with OT endpoints, since that can negatively affect performance in industrial environments. Because the question specifically asks for passive detection methods, the correct pair is Vendor OUI and Network traffic .

The correct answers are B and D .

Option B is correct because the profile has Medium , High , and Critical selected, while Low severity is not selected. That means low-severity virtual patching signatures are not enforced by this profile. So for the device with MAC address 12:12:12:12:12 , low-severity signatures are not blocked. The study guide explains virtual patching as device-specific protection where “FortiGate caches the signatures and mitigation rules that apply to each device” and applies them when the related traffic matches the firewall policy.

Option D is correct because the Virtual Patching Exemptions table shows a row with the MAC address 11:11:11:11:11 and no specific signature listed. The study guide states that in the Virtual Patching profile you can “Exempt a specific device with the MAC address or a specific signature.” A MAC-only exemption means that specific device is excluded from virtual patching enforcement, so in practical terms it is treated as having no applicable vulnerabilities in this profile.

Option C is incorrect because the profile does not block critical signatures for all devices. The exemptions list proves that at least one device can be excluded by MAC address, and a specific signature can also be exempted. Therefore, enforcement is not universal across all devices.

Option A is incorrect because the entry Schneider.Electric.ClearSCADA.HTTP.Interface.XSS appears as a specific signature exemption , not as the only remaining vulnerability. The profile display is showing exemptions, not a statement that only one vulnerability is still present.

The correct answers are A and B .

Option B is correct because the study guide states that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to FortiGate. If Automation Stitch is not enabled in the FortiAnalyzer event handler, that handler will not be usable for the FortiGate automation-stitch workflow. The guide also explains that the configuration of each event handler can include “Automation stitches” and “Rules,” showing that this is a required part of the FortiAnalyzer-to-FortiGate automation path.

Option A is also correct. The study guide explains the automation flow in the Security Fabric: “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” That means FortiGate must have the FortiAnalyzer connection configured through the Security Fabric side before it can consume FortiAnalyzer event handlers. The warning in the exhibit about configuring a FortiAnalyzer connection also points directly to that requirement.

Option C is incorrect because + Create is not the reason the existing event handler is missing; it is only an interface control. Option D is not the best answer for this item because the question is about why the event handler name list on FortiGate is empty for FortiAnalyzer-triggered automation. The study guide’s verified requirements for that workflow are the FortiAnalyzer-to-FortiGate Fabric connection and enabling Automation Stitch on the FortiAnalyzer event handler.

The correct answer is A. FortiGate queries FortiGuard servers . The study guide explains the device detection process very clearly: “First, FortiGate attempts to detect the devices based on the information in the local device database (CIDB). If FortiGate cannot detect the devices locally, it queries the FortiGuard servers by sending data about the unknown devices to the FortiGuard servers. In response, the FortiGuard servers provide additional information about those devices.” This directly answers the question and shows that querying FortiGuard is the next step after local detection fails.

Option D is incorrect because the guide says FortiGate checks the local device database (CIDB) first, before this next step. Option B refers more to FortiNAC-style profiling logic, not FortiGate’s OT device detection flow. Option C is also incorrect because service connectors are not described here as the immediate follow-up step for unknown local device detection. The study guide specifically identifies FortiGuard servers as the next destination for device identification assistance.

The correct answer is D. You must configure a layer 3 switch .

The study guide explains that “Layer 2 devices can add or remove tags” but “cannot modify them.” It then states that “A layer 3 device, such as a router or FortiGate, can modify the VLAN tag before routing the packet. This allows them to route traffic between VLANs.” It also explicitly describes “Router on a Stick” as “a way to allow routing between VLANs.” Since the exhibit shows a layer-2 switch and the Engineering Workstation and PLC are placed in different VLANs, inter-VLAN communication requires layer-3 routing.

The other options do not solve this requirement. intra-switch-policy explicit/implicit applies to a software switch , where member interfaces are in the same broadcast domain and same subnet, not to routing between separate VLANs. forward domain IDs are used in transparent mode to confine broadcasts to specific broadcast domains; they do not provide inter-VLAN access. Therefore, to let the Engineering Workstation in one VLAN reach the PLC in another VLAN, you need a layer 3 routing function , which matches option D .

 The study guide says playbooks are used to automate tasks such as running reports and creating/updating incidents . It also says that after a playbook is triggered, it flows through its configured tasks.

 It further shows a sample playbook sequence where an event is detected, an incident is created , a report runs , and details are attached to the incident . That is exactly the kind of workflow shown in the incident analysis view.

 By contrast, the study guide says event handlers generate events when logs match configured rules. Event handlers are for detection, not for attaching reports to incidents.