NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Questions and Answers

According to the OT Security 7.6 Architect study guide regarding the Purdue Model :

Asset Location : The study guide states that " All critical physical assets are located on the plant floor and equipped with IIoT sensors. "

Level Classification : The " plant floor " is further defined as the " control area zone, " which consists of Levels 0, 1, and 2 .

Hierarchy : The " Operations & Control " zone is identified as Level 3 and Level 3.5 .

Direct Answer : In the " Introduction " lesson ' s Knowledge Check , the specific question " In the Purdue model, at which level are IIoTs placed? " is provided with the verified answer: Below Level 3.5 .

The correct answers are B. IPS on FortiGate_Level5 and C. Virtual patching on FortiGate_Level2 .

The study guide explains that “the first line of defense is securing the IT side of your network” and that FortiGate should be placed to protect ICS environments and stop threats from propagating from IT into OT. It also states that IPS improves OT security because “today’s threat landscape requires IPS to block a wider range of threats and improve OT security” and that in IPS mode, vulnerable devices are protected . This makes FortiGate_Level5 , at the upper boundary near the DMZ and external connectivity, the correct place to implement IPS as a primary protection control.

The study guide also states in the Purdue model section that “Level 2 consists of the processes and programs that control the PLCs, RTUs, and IEDs found at Level 1” and that “it is necessary to segment, or even microsegment, these servers with firewall segmentation, along with policies that include application control and virtual patching.” In addition, the virtual patching section says “Virtual patching protects OT devices that have not yet been updated against vulnerability exploits” and applies when traffic related to the vulnerable device reaches the firewall policy. Since FortiGate_Level2 sits between the process network and the control network, it is the right enforcement point for virtual patching to protect the PLC-side assets.

Option A is not one of the best answers because offline IDS only detects and logs attacks; the guide says “no traffic flows through FortiGate” in offline IDS mode, whereas IPS can actually block threats. Option D is also not the best answer because OT signatures are enabled within the IPS framework, but the stronger control explicitly described for this design is to deploy IPS at the upper boundary and virtual patching closer to vulnerable OT devices .

The correct answers are A and D .

Option A is correct because the study guide states that for OT protocol coverage, “a valid OT security service license is required to receive updates on both intrusion prevention and application control signatures.” It also shows “Valid license required” in the FortiGuard subscriptions section for OT protocol coverage. This confirms that a valid OT security service license is required to use and maintain the OT signatures database correctly.

Option D is also correct because the guide explicitly shows the CLI configuration used “To enable OT signatures” :

config ips global

set exclude-signatures none

end

It then states that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI.” This directly confirms that you must set exclude-signatures to none in the CLI to enable OT signatures.

Option B is incorrect because the study guide does not say you manually import the OT signatures database. Instead, it explains that FortiGuard maintains updated OT signatures and that a valid license is required to receive updates. Option C is incorrect because the guide clearly says OT signatures are excluded by default until enabled from the CLI.

The verified answer is C. The Fabric settings . The study guide ties FortiAnalyzer-triggered actions to the Security Fabric relationship with FortiGate, not to playbook tasks or standalone event handlers alone. It explains that “within the Security Fabric environment, FortiAnalyzer is a key element in the creation of automation stitches” and shows the flow where a downstream FortiGate sends logs to FortiAnalyzer, then FortiAnalyzer parses the logs and notifies the root FortiGate , after which the root FortiGate triggers the action . This shows that FortiAnalyzer must be configured so it can communicate with FortiGate through the Security Fabric.

The guide also states that FortiAnalyzer is the foundation of the Security Fabric , providing logging, reporting, analytics, and automation for Fabric devices and endpoints. It further explains that the FortiAnalyzer Fabric connector consolidates the traffic logs within the Security Fabric. This confirms that the automation workflow depends on proper Security Fabric integration. A playbook task is used for automated SOC actions, and an event handler is used to generate events from logs, but neither one alone establishes the direct communication path needed between FortiAnalyzer and FortiGate. Therefore, the required configuration on FortiAnalyzer is the Fabric settings .

Based on the architecture of FortiAnalyzer within the Security Fabric and its automation capabilities:

Automation Stitch and Reports : Within the Security Fabric environment, FortiAnalyzer serves as a key element in creating automation stitches and playbooks. For a report to be selectable within a Playbook task (such as the Run_report task shown in the exhibit), it must meet specific technical prerequisites in the report configuration.

Auto-cache Requirement (Answer C) : For a report to be used for automated generation, it must be " ready " to be processed by the engine without manual intervention. Auto-cache must be enabled in the report settings to ensure the report can be generated dynamically and efficiently when triggered by the playbook.

Extended Log Filtering (Answer B) : Playbooks often pass specific variables from the trigger (such as a specific device IP or a time range) into the report. For the report to accept these dynamic parameters and be visible as an " automation-compatible " report in the Playbook interface, Extended Log Filtering must be enabled.

Workflow Constraints : Without these two settings enabled on the report itself, the Playbook engine cannot guarantee the report ' s successful generation or parameter injection, and thus filters it out of the available selection list in the Run_report task.

The correct answers are C and D .

Option D is correct because the study guide states that the configuration of an event handler can include “Rules” and explains that “Rules are granular conditions” and “Event handlers can have one or more rules.” It further states that “FortiAnalyzer uses event handlers to filter all incoming logs” and “If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Therefore, to use the automation stitch, you must define the rules on FortiAnalyzer so the event handler can actually generate the event that starts the automation flow.

Option C is also correct. The study guide explains that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to the FortiGate side, and in the attack-detection example it says “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” It also explicitly shows “Stitches configured on root FortiGate.” This means the FortiGate must have the corresponding automation trigger configured for the FortiAnalyzer event handler notification.

Option A is incorrect because the study guide does not describe configuring an Action on FortiAnalyzer as the required step for this FortiAnalyzer-to-FortiGate automation-stitch flow. Option B is also incorrect because playbooks are a different FortiAnalyzer automation mechanism; the question specifically refers to using the Automation Stitch option in the event handler.

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.

Based on the OT Security 7.6 Architect study guide regarding the Asset Identity Center and Asset Management :

Vulnerability Visibility : The Asset Identity List tab displays key metadata for IT and OT devices, including detected addresses, users, and a specific column for Vulnerabilities .

Virtual Patching Feature : In the OT Security 7.6 architecture, the " Vulnerabilities " column is populated through the OT Security Service license, which includes " OT vulnerability correlation definitions & virtual patching signatures " .

Correlation Mechanism : FortiGate extracts metadata from OT traffic and uses these signatures to identify known vulnerabilities on the assets. For these vulnerabilities to be identified and correlated in the Asset Identity Center as shown in the exhibit (displaying a count of 8 vulnerabilities), the Virtual Patching feature must be active.

Architectural Implementation : Virtual patching is a critical component of the " Protection " layer in OT networks, allowing administrators to secure legacy or unpatchable PLCs and RTUs by blocking exploit attempts at the network level using IPS-based virtual patching signatures.

Exhibit Analysis : The presence of identified vulnerabilities (the number " 8 " in the red shield) in the Asset Identity List confirms that the FortiGate is actively performing vulnerability correlation, which is the operational result of having a Virtual Patching security profile applied to the relevant firewall policy.

The correct answers are A and C . The study guide explains that “You can use application control signatures to detect OT protocols” and that application control provides “granular message type identification.” In the exhibit, the Operational Technology application category is included in the Application Sensor profile, so OT application signatures are enabled in this profile.

Option C is also correct because the override table shows Modbus_Read.Holding.Registers = Allow and Modbus = Block . The study guide states that you can use specific granular application control signatures to allow a specific Modbus command and block all others , and it also shows that application control can identify read and write commands separately at message level. Therefore, Modbus write commands are blocked by this profile.

Option B is incorrect because the profile is not simply monitoring all OT protocols; it contains a Block action for Modbus. Option D is incorrect because the study guide links OT protocol visibility specifically to the monitor status , while in the exhibit Modbus_Read.Holding.Registers is set to Allow , not Monitor .

According to the OT Security 7.6 Architect study guide section on Asset Management , specifically regarding FortiNAC Visibility :

Layer 2 Polling Data : Because each physical address is unique, FortiNAC identifies hosts as they connect to the network. The information gathered during this process fills in the physical address and location information in the database.

Visibility Components : The guide states that the physical address learned , the time it was learned , and where it was learned from provide the foundation of endpoint visibility in the form of " what, where, and when " information. This confirms that Where it was learned (Option A) and The time it was learned (Option D) are correct.

Exclusions :

Layer 3 Polling : The MAC-to-IP correlation (Option B) is explicitly defined as a function of Layer 3 polling , where the correlated IP address is added to the database record for the corresponding MAC address.

DHCP Fingerprinting : The host name or system name (Option C) and the operating system are gathered via DHCP fingerprinting , not layer 2 polling.