Fortinet NSE6_OTS_AR-7.6 - Fortinet NSE 6 - OT Security 7.6 Architect

The correct answer is A. You must enable Virtual Patching in the Feature Visibility section .

The study guide states clearly that “By default, virtual patching profiles are hidden on the GUI, and you must enable them through System > Feature Visibility.” That exactly matches the situation in the exhibit, where Virtual Patching does not appear under Security Profiles . So the issue is not that the feature is unsupported, but that it is simply hidden in the GUI until it is enabled.

The other options do not answer the question being asked. A valid OT security service license is required for virtual patching signatures and protection workflow, and OT signatures are relevant to IPS-based OT protection, but those do not explain why the menu item itself is missing from the Security Profiles section . The guide specifically identifies Feature Visibility as the reason the Virtual Patching profile is not shown in the GUI. Therefore, the required action is to enable Virtual Patching in System > Feature Visibility .

Based on the technical data provided in the exhibits and the OT Security 7.6 Architect curriculum:

Industrial Protocol Identification (Statement A) : The log details exhibit clearly shows that the Destination Port used in the attack is 502 . According to the study guide ' s section on Industrial Protocol Protection , the standard port used by the Modbus TCP protocol is 502 . Furthermore, the attack name identifies a " Triangle.Research.Nano-10.PLC, " which are industrial controllers commonly utilizing Modbus for communications.

Attack Mitigation (Statement B) : The log details specify that the Action taken by the FortiGate (Edge-FortiGate) was dropped . In cybersecurity and Fortinet fabric operations, dropping a packet associated with an IPS signature means the traffic was blocked from reaching its target, thereby mitigating the attack.

Target IP Address (Statement E) : The log detail explicitly lists the Destination IP as 192.168.2.3 . The Incident Analysis page also titles the incident with dstip:192.168.2.3. While the " Affected Endpoint " is shown as 10.1.5.20 , in an " outgoing " attack direction (as shown in the log), this likely refers to the internal source/attacker IP, whereas the target is the destination IP (192.168.2.3). Thus, Statement E is incorrect.

Protocol Conflict (Statement C) : The IEC 104 protocol typically utilizes port 2404 . Since the log specifies port 502, Statement C is incorrect.

Severity Distinction (Statement D) : While the Incident severity is marked as High , the question specifically asks about event severity. The " Events " table at the bottom of the Incident Analysis page shows a " User login/logout failed " event with a medium severity. Because there is a distinction in the management console between the severity of individual events and the aggregated incident, and Statement A and B are technically definitive based on port and action, A and B are the correct architectural choices.

The correct answers are A and C . The study guide explains that “You can use application control signatures to detect OT protocols” and that application control provides “granular message type identification.” In the exhibit, the Operational Technology application category is included in the Application Sensor profile, so OT application signatures are enabled in this profile.

Option C is also correct because the override table shows Modbus_Read.Holding.Registers = Allow and Modbus = Block . The study guide states that you can use specific granular application control signatures to allow a specific Modbus command and block all others , and it also shows that application control can identify read and write commands separately at message level. Therefore, Modbus write commands are blocked by this profile.

Option B is incorrect because the profile is not simply monitoring all OT protocols; it contains a Block action for Modbus. Option D is incorrect because the study guide links OT protocol visibility specifically to the monitor status , while in the exhibit Modbus_Read.Holding.Registers is set to Allow , not Monitor .

The correct answer is C. Application sensor set to monitor on all the FortiGate devices .

The study guide clearly explains that application control is the feature used to identify OT protocols. It states that “application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” and also says “You can use application control signatures to detect OT protocols.” It further shows an example where a Modbus application control profile is enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly matches the requirement in the question, which is to detect OT protocols and increase traffic visibility .

The other options do not fit the requirement as precisely. Device detection is for identifying devices and collecting endpoint information, not for detecting industrial protocols. Inline IDS and IPS are focused more on detecting or blocking attacks, exploits, protocol abnormalities, and known vulnerabilities. While IPS can inspect some OT traffic, the study guide distinguishes it from application control by stating that IPS signatures tend to detect exploits, whereas application control signatures tend to provide protocol detection at various levels . Therefore, the required security sensor for OT protocol detection and traffic visibility is the application sensor in monitor mode .

The correct answers are B. The Datasets library and D. The Chart library .

The study guide explains that a FortiAnalyzer report is built from charts, and that charts consist of two elements: datasets and format . It states: “A FortiAnalyzer report is a set of data organized in charts” and “Charts consist of two elements: Datasets … and Format.” It then goes further in the Customizing Reports section and explicitly says “By default, the Chart Library contains more than 300 charts” and “By default, the Datasets library contains almost 400 datasets.” It also states that you can clone and edit both charts and datasets, and create new ones , which is exactly how you enhance and customize an existing report.

The other options are not the best answers for this question. FortiView can export a chart into a report chart, and Log View can help build a custom dataset and chart from search results, but the question asks which options you can use to enhance the report itself. The study guide identifies the actual report-customization components as the Chart Library and Datasets library . Dashboard library is not presented as a FortiAnalyzer report customization library in this section.

The correct answer is A. FortiGate queries FortiGuard servers . The study guide explains the device detection process very clearly: “First, FortiGate attempts to detect the devices based on the information in the local device database (CIDB). If FortiGate cannot detect the devices locally, it queries the FortiGuard servers by sending data about the unknown devices to the FortiGuard servers. In response, the FortiGuard servers provide additional information about those devices.” This directly answers the question and shows that querying FortiGuard is the next step after local detection fails.

Option D is incorrect because the guide says FortiGate checks the local device database (CIDB) first, before this next step. Option B refers more to FortiNAC-style profiling logic, not FortiGate’s OT device detection flow. Option C is also incorrect because service connectors are not described here as the immediate follow-up step for unknown local device detection. The study guide specifically identifies FortiGuard servers as the next destination for device identification assistance.

The correct answers are A and D .

Option A is correct because the study guide states that for OT protocol coverage, “a valid OT security service license is required to receive updates on both intrusion prevention and application control signatures.” It also shows “Valid license required” in the FortiGuard subscriptions section for OT protocol coverage. This confirms that a valid OT security service license is required to use and maintain the OT signatures database correctly.

Option D is also correct because the guide explicitly shows the CLI configuration used “To enable OT signatures” :

config ips global

set exclude-signatures none

end

It then states that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI.” This directly confirms that you must set exclude-signatures to none in the CLI to enable OT signatures.

Option B is incorrect because the study guide does not say you manually import the OT signatures database. Instead, it explains that FortiGuard maintains updated OT signatures and that a valid license is required to receive updates. Option C is incorrect because the guide clearly says OT signatures are excluded by default until enabled from the CLI.

The correct answer is D. EtherCAT . The study guide explicitly states under the Ethernet/IP and EtherCAT section that “EtherCAT is a protocol that offers real-time communication in a primary-secondary configuration” and “EtherCAT skips layers 3 to 6 to deliver real-time communication.” It also adds that “the most important feature of this protocol is that secondary devices collect only the information they need from the data packets.” This matches the exhibit exactly, where the diagram shows Real-Time Data above a Proprietary MAC and Proprietary physical layer , reflecting the protocol structure that bypasses the intermediate OSI layers.

The other options do not match this behavior. The guide says POWERLINK uses layer 2 and layer 7 of the OSI model, not that it skips layers 3 to 6. It also explains that Ethernet/IP is the industrial protocol based entirely on Ethernet standards and adapts to the OSI model. Modbus is described as an open client/server protocol and is not suitable for transmitting data in real time . Therefore, the protocol in the exhibit is clearly EtherCAT .

The correct answers are A and D . The study guide provides a direct use case called Attack Detection and Automated Alert . It states: “A downstream FortiGate detects an attack and sends logs to FortiAnalyzer. FortiAnalyzer parses the logs and notifies the root FortiGate. The root FortiGate triggers the action, which in this case, is a notification to the administrator.” The same slide also explicitly shows “Stitches configured on root FortiGate.” This confirms that to send the automated alert, you must configure the automation stitch on the root FortiGate .

The second required configuration is an event handler on FortiAnalyzer . The guide explains that “Event handlers generate events” and that “FortiAnalyzer uses event handlers to filter all incoming logs. If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Since FortiAnalyzer must detect the attack from the received logs before notifying the root FortiGate, an event handler is required on FortiAnalyzer.

Option B is incorrect because the study guide does not identify a LOCALHOST task as the required configuration for this attack-alert flow. Option C is also incorrect because the question asks what must be configured to enable the automated alert workflow . An IPS profile may detect some attacks, but the required automation path in the study guide is specifically event handler on FortiAnalyzer + stitch on the root FortiGate .