Fortinet NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Exam Practice Test

The correct answers are B. IPS on FortiGate_Level5 and C. Virtual patching on FortiGate_Level2 .

The study guide explains that “the first line of defense is securing the IT side of your network” and that FortiGate should be placed to protect ICS environments and stop threats from propagating from IT into OT. It also states that IPS improves OT security because “today’s threat landscape requires IPS to block a wider range of threats and improve OT security” and that in IPS mode, vulnerable devices are protected . This makes FortiGate_Level5 , at the upper boundary near the DMZ and external connectivity, the correct place to implement IPS as a primary protection control.

The study guide also states in the Purdue model section that “Level 2 consists of the processes and programs that control the PLCs, RTUs, and IEDs found at Level 1” and that “it is necessary to segment, or even microsegment, these servers with firewall segmentation, along with policies that include application control and virtual patching.” In addition, the virtual patching section says “Virtual patching protects OT devices that have not yet been updated against vulnerability exploits” and applies when traffic related to the vulnerable device reaches the firewall policy. Since FortiGate_Level2 sits between the process network and the control network, it is the right enforcement point for virtual patching to protect the PLC-side assets.

Option A is not one of the best answers because offline IDS only detects and logs attacks; the guide says “no traffic flows through FortiGate” in offline IDS mode, whereas IPS can actually block threats. Option D is also not the best answer because OT signatures are enabled within the IPS framework, but the stronger control explicitly described for this design is to deploy IPS at the upper boundary and virtual patching closer to vulnerable OT devices .

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.

The correct answer is D. You can configure forward domain IDs for each network . The study guide explains that in FortiGate transparent mode, “all interfaces belong to the same broadcast domain, even interfaces with different VLAN IDs” and then states that you should “use this command to subdivide into multiple broadcast domains” with set forward-domain < domain_ID > . It further explains that “interfaces with the same domain ID belong to the same broadcast domain” and “traffic arriving on one interface is broadcast only to interfaces in the same forward domain ID.” This is exactly the mechanism used to separate one internal network from another and improve segmentation.

The other options do not match this requirement. Universal ZTNA is described as controlling user access to applications , not segmenting two internal OT networks. An explicit software switch is for controlling intra-switch or intra-VLAN traffic inside the same software switch broadcast domain, which is more aligned with microsegmentation than separating two routed internal networks. One traffic VDOM does not create segmentation by itself; segmentation with VDOMs requires multiple VDOMs, not one. Therefore, the best choice for segmenting network 1 and network 2 in this scenario is to assign separate forward domain IDs .

The correct answers are A and B .

Option B is correct because the study guide states that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to FortiGate. If Automation Stitch is not enabled in the FortiAnalyzer event handler, that handler will not be usable for the FortiGate automation-stitch workflow. The guide also explains that the configuration of each event handler can include “Automation stitches” and “Rules,” showing that this is a required part of the FortiAnalyzer-to-FortiGate automation path.

Option A is also correct. The study guide explains the automation flow in the Security Fabric: “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” That means FortiGate must have the FortiAnalyzer connection configured through the Security Fabric side before it can consume FortiAnalyzer event handlers. The warning in the exhibit about configuring a FortiAnalyzer connection also points directly to that requirement.

Option C is incorrect because + Create is not the reason the existing event handler is missing; it is only an interface control. Option D is not the best answer for this item because the question is about why the event handler name list on FortiGate is empty for FortiAnalyzer-triggered automation. The study guide’s verified requirements for that workflow are the FortiAnalyzer-to-FortiGate Fabric connection and enabling Automation Stitch on the FortiAnalyzer event handler.

The verified answer is C. The Fabric settings . The study guide ties FortiAnalyzer-triggered actions to the Security Fabric relationship with FortiGate, not to playbook tasks or standalone event handlers alone. It explains that “within the Security Fabric environment, FortiAnalyzer is a key element in the creation of automation stitches” and shows the flow where a downstream FortiGate sends logs to FortiAnalyzer, then FortiAnalyzer parses the logs and notifies the root FortiGate , after which the root FortiGate triggers the action . This shows that FortiAnalyzer must be configured so it can communicate with FortiGate through the Security Fabric.

The guide also states that FortiAnalyzer is the foundation of the Security Fabric , providing logging, reporting, analytics, and automation for Fabric devices and endpoints. It further explains that the FortiAnalyzer Fabric connector consolidates the traffic logs within the Security Fabric. This confirms that the automation workflow depends on proper Security Fabric integration. A playbook task is used for automated SOC actions, and an event handler is used to generate events from logs, but neither one alone establishes the direct communication path needed between FortiAnalyzer and FortiGate. Therefore, the required configuration on FortiAnalyzer is the Fabric settings .

The correct answers are C. Vendor OUI and D. Network traffic .

The study guide explicitly separates active/direct profiling methods from passive/non-direct methods and states that “In OT environments, passive methods are preferred over active methods.” It then lists the methods that do not require FortiNAC to interact directly with the device being profiled. Among those methods are “Network traffic: gathered from the infrastructure” and “Vendor OUI: determined by the MAC address gathered from the infrastructure.” That directly matches options C and D .

Options A and B are incorrect because SSH and SNMP are shown in the guide under the direct/active profiling methods. The guide’s point is that passive detection avoids directly scanning or interacting with OT endpoints, since that can negatively affect performance in industrial environments. Because the question specifically asks for passive detection methods, the correct pair is Vendor OUI and Network traffic .

The correct answer is C. Industrial Control System (ICS) . The study guide states that “ICS is a main component of OT” and “consists of systems used for monitoring and controlling industrial processes.” It also explains that ICS includes various devices, systems, controls, and networks that manage industrial processes, and that the most common types are SCADA and distributed control systems (DCS) . This makes ICS the primary OT component for monitoring and controlling industrial processes.

The other options are related OT components, but they are not the best answer to this wording. SCADA collects real-time data and helps visualize and control the OT environment, but it is described as a system within the broader ICS structure. PLC devices collect and transmit real-time data and connect sensors and RTUs to SCADA, while IIoT refers to sensors, actuators, and other connected field devices. Therefore, the overarching main OT component for monitoring and controlling industrial processes is ICS .

According to the OT Security 7.6 Architect study guide section on Asset Management , specifically regarding FortiNAC Visibility :

Layer 2 Polling Data : Because each physical address is unique, FortiNAC identifies hosts as they connect to the network. The information gathered during this process fills in the physical address and location information in the database.

Visibility Components : The guide states that the physical address learned , the time it was learned , and where it was learned from provide the foundation of endpoint visibility in the form of " what, where, and when " information. This confirms that Where it was learned (Option A) and The time it was learned (Option D) are correct.

Exclusions :

Layer 3 Polling : The MAC-to-IP correlation (Option B) is explicitly defined as a function of Layer 3 polling , where the correlated IP address is added to the database record for the corresponding MAC address.

DHCP Fingerprinting : The host name or system name (Option C) and the operating system are gathered via DHCP fingerprinting , not layer 2 polling.

The correct answer is C. You can implement parallel redundancy protocol . The study guide explains that media redundancy involves creating a backup path that can be used when part of the network fails and specifically states that “Parallel Redundancy Protocol (PRP) can be used for a star topology.” Since the problem described is many disconnections in the links , the issue is link availability, which is a media redundancy problem rather than a firewall virtualization or policy separation problem. PRP is designed to provide a backup communication path with low recovery time when links fail.

The other options do not fit this scenario as well. HA clusters are described in the guide as a solution for network node redundancy , where a backup firewall or switch takes over when the primary device fails. SD-WAN is recommended for remote site access across multiple WAN links, not for the local floor links shown in this topology. VDOMs provide logical segmentation, not link redundancy or higher link availability. Because the question is specifically about repeated link disconnections , the best action is to implement PRP .

Deploying a FortiGate in offline IDS (also known as one-arm sniffer mode) is a common strategy in OT environments for several reasons found in the study guide:

Priority of Availability : In OT, availability and safety are critically important and prioritized higher than in IT. An offline IDS minimizes impact because it does not sit in the direct path of production traffic.

Network Sensor Role : In this mode, the FortiGate is connected to a mirror/SPAN port on a switch. It acts as a network sensor , receiving a copy of the traffic rather than having the traffic flow through it. This confirms Statement A is correct and Statement D is incorrect.

Passive vs. Active : The guide explicitly states that in OT environments, passive methods are preferred over active methods to avoid negatively impacting performance or causing process interruptions.

Depth of Visibility : Even though the device is offline, you apply security profiles (such as IPS, Application Control, and Antivirus) to the sniffer interface. This allows the FortiGate to analyze the copied traffic and provide deep visibility into the OT assets and their behaviors. This confirms Statement B is correct.

Detection vs. Prevention : An IDS (Intrusion Detection System) is passive ; it can detect threats but cannot reset connections or drop packets to block attacks. Therefore, it cannot block zero-day attacks, making Statement C incorrect.

The correct answer is D. EtherCAT . The study guide explicitly states under the Ethernet/IP and EtherCAT section that “EtherCAT is a protocol that offers real-time communication in a primary-secondary configuration” and “EtherCAT skips layers 3 to 6 to deliver real-time communication.” It also adds that “the most important feature of this protocol is that secondary devices collect only the information they need from the data packets.” This matches the exhibit exactly, where the diagram shows Real-Time Data above a Proprietary MAC and Proprietary physical layer , reflecting the protocol structure that bypasses the intermediate OSI layers.

The other options do not match this behavior. The guide says POWERLINK uses layer 2 and layer 7 of the OSI model, not that it skips layers 3 to 6. It also explains that Ethernet/IP is the industrial protocol based entirely on Ethernet standards and adapts to the OSI model. Modbus is described as an open client/server protocol and is not suitable for transmitting data in real time . Therefore, the protocol in the exhibit is clearly EtherCAT .

According to the OT Security 7.6 Architect study guide regarding IEC 62443 Security Levels :

Security Level 4 (SL 4) Definition : This level provides " Protection against intentional violation using sophisticated means with extended resources, specific skills, and high motivation " .

Real-World Application : The study guide specifically notes: " If you are facing a syndicate of cyber extortionists with extensive resources and capabilities, then you should strive for security level 4 " .

Comparison to other levels :

SL 1 : Protection against " casual or unintentional system violation " .

SL 2 : Protection against " intentional violation using simple means with low resources " .

SL 3 : Protection against " intentional violation using sophisticated means with moderate resources " .

Based on the provided exhibits from the FortiAnalyzer playbook engine:

Playbook Trigger Condition : The Partial Playbook configuration exhibit shows that the playbook is set to trigger based on a condition where the Basic Handler Name is Equal To IPS_Attack_Handling.

Event vs. Log : In FortiAnalyzer, the field Basic Handler Name is a property of an Event record, indicating the specific Event Handler that generated it. A playbook configured with this condition is triggered by an Event , not directly by a raw log.

Playbook Execution Flow : The Partial Playbook Monitor view shows the execution sequence:

Event_Trigger (Starter) : This is the entry point of the playbook, which matches the condition defined in the configuration.

IPS_Attack_Incident : The first task executed after the trigger.

Run_Report : The task in question, which is executed as part of the automated workflow initiated by the starter.

Conclusion : Since the playbook ' s " Starter " is defined by the IPS_Attack_Handling handler name, an event produced by that handler is the root trigger for the entire playbook execution, including the Run_Report task.

Therefore, the Run_Report task was triggered (as part of the playbook) by an IPS_Attack_Handling event .