Fortinet NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Exam Practice Test

The correct answers are B and D .

Option B is correct because the profile has Medium , High , and Critical selected, while Low severity is not selected. That means low-severity virtual patching signatures are not enforced by this profile. So for the device with MAC address 12:12:12:12:12 , low-severity signatures are not blocked. The study guide explains virtual patching as device-specific protection where “FortiGate caches the signatures and mitigation rules that apply to each device” and applies them when the related traffic matches the firewall policy.

Option D is correct because the Virtual Patching Exemptions table shows a row with the MAC address 11:11:11:11:11 and no specific signature listed. The study guide states that in the Virtual Patching profile you can “Exempt a specific device with the MAC address or a specific signature.” A MAC-only exemption means that specific device is excluded from virtual patching enforcement, so in practical terms it is treated as having no applicable vulnerabilities in this profile.

Option C is incorrect because the profile does not block critical signatures for all devices. The exemptions list proves that at least one device can be excluded by MAC address, and a specific signature can also be exempted. Therefore, enforcement is not universal across all devices.

Option A is incorrect because the entry Schneider.Electric.ClearSCADA.HTTP.Interface.XSS appears as a specific signature exemption , not as the only remaining vulnerability. The profile display is showing exemptions, not a statement that only one vulnerability is still present.

The correct answers are C and D .

Option D is correct because the Playbook Monitor clearly shows the starter as On_Demand and the trigger as user(admin) . The study guide states that “ON_DEMAND: The playbook runs when an administrator manually starts it” and also notes that to run it manually, you select the playbook and click Run . This exactly matches the exhibit, so the playbook was manually triggered.

Option C is also correct. The study guide explains that “tasks run one after another” and that “if needed, the output of one task can be used by the tasks that follow it.” It also gives an example where workflow logic matters, such as creating an incident and then attaching details to it. In the exhibit, the sequence shown is Attach_report , then Run_report , then Create_Incident , while the incident analysis shows no report attached . Since the report must exist and the incident must already be available before it can be attached properly, the task order is wrong and must be reordered.

Option B is incorrect because the monitor shows multiple tasks completed successfully, not only Create_Incident . Option A is not the best answer because the main problem demonstrated by the exhibits is not simply waiting time, but the incorrect workflow order. The playbook completed successfully, yet the report is still not attached, which indicates a design issue in the task sequence rather than just a delay.

The correct answers are A and C . The study guide explains that “You can use application control signatures to detect OT protocols” and that application control provides “granular message type identification.” In the exhibit, the Operational Technology application category is included in the Application Sensor profile, so OT application signatures are enabled in this profile.

Option C is also correct because the override table shows Modbus_Read.Holding.Registers = Allow and Modbus = Block . The study guide states that you can use specific granular application control signatures to allow a specific Modbus command and block all others , and it also shows that application control can identify read and write commands separately at message level. Therefore, Modbus write commands are blocked by this profile.

Option B is incorrect because the profile is not simply monitoring all OT protocols; it contains a Block action for Modbus. Option D is incorrect because the study guide links OT protocol visibility specifically to the monitor status , while in the exhibit Modbus_Read.Holding.Registers is set to Allow , not Monitor .

According to the OT Security 7.6 Architect study guide regarding the Purdue Model :

Asset Location : The study guide states that "All critical physical assets are located on the plant floor and equipped with IIoT sensors."

Level Classification : The "plant floor" is further defined as the "control area zone," which consists of Levels 0, 1, and 2 .

Hierarchy : The "Operations & Control" zone is identified as Level 3 and Level 3.5 .

Direct Answer : In the "Introduction" lesson's Knowledge Check , the specific question "In the Purdue model, at which level are IIoTs placed?" is provided with the verified answer: Below Level 3.5 .

Based on the provided exhibits from the FortiAnalyzer playbook engine:

Playbook Trigger Condition : The Partial Playbook configuration exhibit shows that the playbook is set to trigger based on a condition where the Basic Handler Name is Equal To IPS_Attack_Handling.

Event vs. Log : In FortiAnalyzer, the field Basic Handler Name is a property of an Event record, indicating the specific Event Handler that generated it. A playbook configured with this condition is triggered by an Event , not directly by a raw log.

Playbook Execution Flow : The Partial Playbook Monitor view shows the execution sequence:

Event_Trigger (Starter) : This is the entry point of the playbook, which matches the condition defined in the configuration.

IPS_Attack_Incident : The first task executed after the trigger.

Run_Report : The task in question, which is executed as part of the automated workflow initiated by the starter.

Conclusion : Since the playbook's "Starter" is defined by the IPS_Attack_Handling handler name, an event produced by that handler is the root trigger for the entire playbook execution, including the Run_Report task.

Therefore, the Run_Report task was triggered (as part of the playbook) by an IPS_Attack_Handling event .

The correct answer is C. Industrial Control System (ICS) . The study guide states that “ICS is a main component of OT” and “consists of systems used for monitoring and controlling industrial processes.” It also explains that ICS includes various devices, systems, controls, and networks that manage industrial processes, and that the most common types are SCADA and distributed control systems (DCS) . This makes ICS the primary OT component for monitoring and controlling industrial processes.

The other options are related OT components, but they are not the best answer to this wording. SCADA collects real-time data and helps visualize and control the OT environment, but it is described as a system within the broader ICS structure. PLC devices collect and transmit real-time data and connect sensors and RTUs to SCADA, while IIoT refers to sensors, actuators, and other connected field devices. Therefore, the overarching main OT component for monitoring and controlling industrial processes is ICS .

The correct answer is D. You can configure forward domain IDs for each network . The study guide explains that in FortiGate transparent mode, “all interfaces belong to the same broadcast domain, even interfaces with different VLAN IDs” and then states that you should “use this command to subdivide into multiple broadcast domains” with set forward-domain < domain_ID > . It further explains that “interfaces with the same domain ID belong to the same broadcast domain” and “traffic arriving on one interface is broadcast only to interfaces in the same forward domain ID.” This is exactly the mechanism used to separate one internal network from another and improve segmentation.

The other options do not match this requirement. Universal ZTNA is described as controlling user access to applications , not segmenting two internal OT networks. An explicit software switch is for controlling intra-switch or intra-VLAN traffic inside the same software switch broadcast domain, which is more aligned with microsegmentation than separating two routed internal networks. One traffic VDOM does not create segmentation by itself; segmentation with VDOMs requires multiple VDOMs, not one. Therefore, the best choice for segmenting network 1 and network 2 in this scenario is to assign separate forward domain IDs .

The correct answers are B. Real-time control and D. Determinism . The study guide defines industrial Ethernet as the “use of Ethernet and TCP/IP as transport mechanisms for industrial protocols” and states that it provides “real-time control,” “low latency,” and “determinism (meaning reliable and predictable data delivery)” in harsh environments. It further explains that industrial Ethernet “provides deterministic communication between machine controllers, actuators, sensors, and other units.” These statements directly confirm that the two key advantages are real-time control and determinism.

The other options are not supported by the study guide as core advantages of industrial Ethernet. Encryption is not listed as one of the benefits in this section, and remote access is discussed elsewhere in the OT architecture but not as a defining advantage of industrial Ethernet itself. The guide is explicit that the main benefits here are predictable delivery and real-time communication, which are essential in industrial control environments where timing and reliability matter.

The correct answer is D. Automatically by an event handler . The study guide explicitly states that “Event handlers generate events on FortiAnalyzer” and “FortiAnalyzer uses event handlers to filter all incoming logs. If the logs received match the conditions set in the event handlers, FortiAnalyzer generates an event.” It also says “You can view all generated events on the Event Monitor page.” This directly matches the exhibit, which is showing entries on the Event Monitor page. Therefore, the attack shown there was detected automatically through an event handler .

The guide also explains the detection flow: “FortiAnalyzer receives logs,” “FortiAnalyzer parses logs,” and “FortiAnalyzer generates an event if a rule is matched in an event handler.” In addition, the Event Monitor view includes the Handler column, which identifies the event handler that generated the event. That is why the attack is not considered manually detected, and it is not primarily detected by a playbook or stitch. Playbooks and stitches are used for subsequent automation actions, but the event appearing in Event Monitor is created by the event handler mechanism.

Based on the technical data provided in the exhibits and the OT Security 7.6 Architect curriculum:

Industrial Protocol Identification (Statement A) : The log details exhibit clearly shows that the Destination Port used in the attack is 502 . According to the study guide's section on Industrial Protocol Protection , the standard port used by the Modbus TCP protocol is 502 . Furthermore, the attack name identifies a "Triangle.Research.Nano-10.PLC," which are industrial controllers commonly utilizing Modbus for communications.

Attack Mitigation (Statement B) : The log details specify that the Action taken by the FortiGate (Edge-FortiGate) was dropped . In cybersecurity and Fortinet fabric operations, dropping a packet associated with an IPS signature means the traffic was blocked from reaching its target, thereby mitigating the attack.

Target IP Address (Statement E) : The log detail explicitly lists the Destination IP as 192.168.2.3 . The Incident Analysis page also titles the incident with dstip:192.168.2.3. While the "Affected Endpoint" is shown as 10.1.5.20 , in an "outgoing" attack direction (as shown in the log), this likely refers to the internal source/attacker IP, whereas the target is the destination IP (192.168.2.3). Thus, Statement E is incorrect.

Protocol Conflict (Statement C) : The IEC 104 protocol typically utilizes port 2404 . Since the log specifies port 502, Statement C is incorrect.

Severity Distinction (Statement D) : While the Incident severity is marked as High , the question specifically asks about event severity. The "Events" table at the bottom of the Incident Analysis page shows a "User login/logout failed" event with a medium severity. Because there is a distinction in the management console between the severity of individual events and the aggregated incident, and Statement A and B are technically definitive based on port and action, A and B are the correct architectural choices.