Fortinet NSE6_OTS_AR-7.6 - Fortinet NSE 6 - OT Security 7.6 Architect

The correct answers are B and C . The study guide states that “You can use application control signatures to detect OT protocols” and that “Application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” . It also shows that a Modbus application control profile can be enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly supports B , because application control is the feature used to identify and monitor OT protocols on FortiGate.

The guide also explains under IPS that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI” using config ips global and set exclude-signatures none . Once enabled, FortiGate can use those OT signatures for OT-aware inspection and protection. That supports C as the second required configuration. A is related to device discovery, not protocol identification, and D is focused on exploit and vulnerability detection rather than the first-step goal of identifying OT protocols.

The correct answer is C. EtherCAT .

The study guide states that for industrial Ethernet protocols, “such as Ethernet/IP and Modbus/TCP, you can use VLANs to segment your physical LAN into multiple logical LANs.” This directly confirms that Ethernet/IP and Modbus/TCP support VLAN-based segmentation in the OT context.

By contrast, the guide explains that “EtherCAT skips layers 3 to 6 to deliver real-time communication” and describes it as an “Open-Software Modified-Ethernet” approach. Because it does not operate like the standard Ethernet/IP model used for normal VLAN-based segmentation, EtherCAT is the protocol identified here as not supporting VLANs in the way Ethernet/IP and Modbus/TCP do.

So, based on the study guide comparison, the verified answer is EtherCAT .

The correct answers are B. IPS on FortiGate_Level5 and C. Virtual patching on FortiGate_Level2 .

The study guide explains that “the first line of defense is securing the IT side of your network” and that FortiGate should be placed to protect ICS environments and stop threats from propagating from IT into OT. It also states that IPS improves OT security because “today’s threat landscape requires IPS to block a wider range of threats and improve OT security” and that in IPS mode, vulnerable devices are protected . This makes FortiGate_Level5 , at the upper boundary near the DMZ and external connectivity, the correct place to implement IPS as a primary protection control.

The study guide also states in the Purdue model section that “Level 2 consists of the processes and programs that control the PLCs, RTUs, and IEDs found at Level 1” and that “it is necessary to segment, or even microsegment, these servers with firewall segmentation, along with policies that include application control and virtual patching.” In addition, the virtual patching section says “Virtual patching protects OT devices that have not yet been updated against vulnerability exploits” and applies when traffic related to the vulnerable device reaches the firewall policy. Since FortiGate_Level2 sits between the process network and the control network, it is the right enforcement point for virtual patching to protect the PLC-side assets.

Option A is not one of the best answers because offline IDS only detects and logs attacks; the guide says “no traffic flows through FortiGate” in offline IDS mode, whereas IPS can actually block threats. Option D is also not the best answer because OT signatures are enabled within the IPS framework, but the stronger control explicitly described for this design is to deploy IPS at the upper boundary and virtual patching closer to vulnerable OT devices .

The correct answers are C and D .

Option D is correct because the Playbook Monitor clearly shows the starter as On_Demand and the trigger as user(admin) . The study guide states that “ON_DEMAND: The playbook runs when an administrator manually starts it” and also notes that to run it manually, you select the playbook and click Run . This exactly matches the exhibit, so the playbook was manually triggered.

Option C is also correct. The study guide explains that “tasks run one after another” and that “if needed, the output of one task can be used by the tasks that follow it.” It also gives an example where workflow logic matters, such as creating an incident and then attaching details to it. In the exhibit, the sequence shown is Attach_report , then Run_report , then Create_Incident , while the incident analysis shows no report attached . Since the report must exist and the incident must already be available before it can be attached properly, the task order is wrong and must be reordered.

Option B is incorrect because the monitor shows multiple tasks completed successfully, not only Create_Incident . Option A is not the best answer because the main problem demonstrated by the exhibits is not simply waiting time, but the incorrect workflow order. The playbook completed successfully, yet the report is still not attached, which indicates a design issue in the task sequence rather than just a delay.

The correct answer is A. You must enable Virtual Patching in the Feature Visibility section .

The study guide states clearly that “By default, virtual patching profiles are hidden on the GUI, and you must enable them through System > Feature Visibility.” That exactly matches the situation in the exhibit, where Virtual Patching does not appear under Security Profiles . So the issue is not that the feature is unsupported, but that it is simply hidden in the GUI until it is enabled.

The other options do not answer the question being asked. A valid OT security service license is required for virtual patching signatures and protection workflow, and OT signatures are relevant to IPS-based OT protection, but those do not explain why the menu item itself is missing from the Security Profiles section . The guide specifically identifies Feature Visibility as the reason the Virtual Patching profile is not shown in the GUI. Therefore, the required action is to enable Virtual Patching in System > Feature Visibility .

According to the OT Security 7.6 Architect study guide regarding FortiAnalyzer Event Management :

Notification Options : When configuring a new event handler, FortiAnalyzer provides several built-in notification methods to alert administrators when specific log criteria are met. The most common and direct method is Send alert email (Option A).

Incident Management : To streamline the SOC workflow, an event handler can be configured to Automatically create an incident (Option D) based on the triggered event. This moves the event into the Incident Manager for further analysis.

Security Fabric Integration : In the 7.6 architecture, event handlers can directly trigger an Automation stitch (Option E). This allows the FortiAnalyzer to notify the root FortiGate to take action (like running a CLI script or changing a policy) across the Security Fabric.

Exclusions : Create a report (Option B) is typically a task performed by a Playbook or a scheduled report job, not a direct setting inside the basic event handler configuration. Quarantine an attacker (Option C) is an action that results from an automation stitch or playbook, but it is not a direct configuration toggle within the event handler itself.

The correct answers are A and C . The study guide explains that “You can use application control signatures to detect OT protocols” and that application control provides “granular message type identification.” In the exhibit, the Operational Technology application category is included in the Application Sensor profile, so OT application signatures are enabled in this profile.

Option C is also correct because the override table shows Modbus_Read.Holding.Registers = Allow and Modbus = Block . The study guide states that you can use specific granular application control signatures to allow a specific Modbus command and block all others , and it also shows that application control can identify read and write commands separately at message level. Therefore, Modbus write commands are blocked by this profile.

Option B is incorrect because the profile is not simply monitoring all OT protocols; it contains a Block action for Modbus. Option D is incorrect because the study guide links OT protocol visibility specifically to the monitor status , while in the exhibit Modbus_Read.Holding.Registers is set to Allow , not Monitor .

The correct answers are C and D .

Option D is correct because the study guide states that the configuration of an event handler can include “Rules” and explains that “Rules are granular conditions” and “Event handlers can have one or more rules.” It further states that “FortiAnalyzer uses event handlers to filter all incoming logs” and “If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Therefore, to use the automation stitch, you must define the rules on FortiAnalyzer so the event handler can actually generate the event that starts the automation flow.

Option C is also correct. The study guide explains that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to the FortiGate side, and in the attack-detection example it says “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” It also explicitly shows “Stitches configured on root FortiGate.” This means the FortiGate must have the corresponding automation trigger configured for the FortiAnalyzer event handler notification.

Option A is incorrect because the study guide does not describe configuring an Action on FortiAnalyzer as the required step for this FortiAnalyzer-to-FortiGate automation-stitch flow. Option B is also incorrect because playbooks are a different FortiAnalyzer automation mechanism; the question specifically refers to using the Automation Stitch option in the event handler.

Deploying a FortiGate in offline IDS (also known as one-arm sniffer mode) is a common strategy in OT environments for several reasons found in the study guide:

Priority of Availability : In OT, availability and safety are critically important and prioritized higher than in IT. An offline IDS minimizes impact because it does not sit in the direct path of production traffic.

Network Sensor Role : In this mode, the FortiGate is connected to a mirror/SPAN port on a switch. It acts as a network sensor , receiving a copy of the traffic rather than having the traffic flow through it. This confirms Statement A is correct and Statement D is incorrect.

Passive vs. Active : The guide explicitly states that in OT environments, passive methods are preferred over active methods to avoid negatively impacting performance or causing process interruptions.

Depth of Visibility : Even though the device is offline, you apply security profiles (such as IPS, Application Control, and Antivirus) to the sniffer interface. This allows the FortiGate to analyze the copied traffic and provide deep visibility into the OT assets and their behaviors. This confirms Statement B is correct.

Detection vs. Prevention : An IDS (Intrusion Detection System) is passive ; it can detect threats but cannot reset connections or drop packets to block attacks. Therefore, it cannot block zero-day attacks, making Statement C incorrect.