Fortinet NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Exam Practice Test

The correct answer is A. You must enable Virtual Patching in the Feature Visibility section .

The study guide states clearly that “By default, virtual patching profiles are hidden on the GUI, and you must enable them through System > Feature Visibility.” That exactly matches the situation in the exhibit, where Virtual Patching does not appear under Security Profiles . So the issue is not that the feature is unsupported, but that it is simply hidden in the GUI until it is enabled.

The other options do not answer the question being asked. A valid OT security service license is required for virtual patching signatures and protection workflow, and OT signatures are relevant to IPS-based OT protection, but those do not explain why the menu item itself is missing from the Security Profiles section . The guide specifically identifies Feature Visibility as the reason the Virtual Patching profile is not shown in the GUI. Therefore, the required action is to enable Virtual Patching in System > Feature Visibility .

According to the OT Security 7.6 Architect study guide regarding the Purdue Model :

Asset Location : The study guide states that " All critical physical assets are located on the plant floor and equipped with IIoT sensors. "

Level Classification : The " plant floor " is further defined as the " control area zone, " which consists of Levels 0, 1, and 2 .

Hierarchy : The " Operations & Control " zone is identified as Level 3 and Level 3.5 .

Direct Answer : In the " Introduction " lesson ' s Knowledge Check , the specific question " In the Purdue model, at which level are IIoTs placed? " is provided with the verified answer: Below Level 3.5 .

Based on the technical data provided in the exhibits and the OT Security 7.6 Architect curriculum:

Industrial Protocol Identification (Statement A) : The log details exhibit clearly shows that the Destination Port used in the attack is 502 . According to the study guide ' s section on Industrial Protocol Protection , the standard port used by the Modbus TCP protocol is 502 . Furthermore, the attack name identifies a " Triangle.Research.Nano-10.PLC, " which are industrial controllers commonly utilizing Modbus for communications.

Attack Mitigation (Statement B) : The log details specify that the Action taken by the FortiGate (Edge-FortiGate) was dropped . In cybersecurity and Fortinet fabric operations, dropping a packet associated with an IPS signature means the traffic was blocked from reaching its target, thereby mitigating the attack.

Target IP Address (Statement E) : The log detail explicitly lists the Destination IP as 192.168.2.3 . The Incident Analysis page also titles the incident with dstip:192.168.2.3. While the " Affected Endpoint " is shown as 10.1.5.20 , in an " outgoing " attack direction (as shown in the log), this likely refers to the internal source/attacker IP, whereas the target is the destination IP (192.168.2.3). Thus, Statement E is incorrect.

Protocol Conflict (Statement C) : The IEC 104 protocol typically utilizes port 2404 . Since the log specifies port 502, Statement C is incorrect.

Severity Distinction (Statement D) : While the Incident severity is marked as High , the question specifically asks about event severity. The " Events " table at the bottom of the Incident Analysis page shows a " User login/logout failed " event with a medium severity. Because there is a distinction in the management console between the severity of individual events and the aggregated incident, and Statement A and B are technically definitive based on port and action, A and B are the correct architectural choices.

The correct answers are A and C .

Option A is correct because the study guide explains that with active authentication , FortiGate prompts the user only when they use “an acceptable login protocol.” It states: “When you use only active authentication, if all possible policies that could match the source IP address have authentication enabled, then the user will receive a login prompt (assuming they use an acceptable login protocol).” A direct ping to PLC-1 uses ICMP , which is not the kind of login protocol used to trigger user authentication. So the supervisor must first authenticate through a protocol such as HTTPS or Telnet , then the ICMP traffic can match the authenticated policy.

Option C is also correct because the exhibit shows policy ID 8 greyed out, meaning it is not enabled. That policy appears above the Supervisor_access (9) policy and allows broader access to PLC-1 , whereas policy 9 is limited to ALL_ICMP . The study guide explains that “Because the user has not yet authenticated, the user group aspect of the traffic does not match” and FortiGate continues searching for another complete match. In this case, with policy 8 disabled, the supervisor is left with only the ICMP rule, which cannot be used to perform the initial login step needed for active authentication.

Option B is not supported by the exhibit. Option D is incorrect because auth-on-demand always would force authentication prompts more aggressively, but the core problem here is that the user is trying to start with ICMP and the broader policy that could permit the initial authenticated access is disabled.

The correct answer is C. Industrial Control System (ICS) . The study guide states that “ICS is a main component of OT” and “consists of systems used for monitoring and controlling industrial processes.” It also explains that ICS includes various devices, systems, controls, and networks that manage industrial processes, and that the most common types are SCADA and distributed control systems (DCS) . This makes ICS the primary OT component for monitoring and controlling industrial processes.

The other options are related OT components, but they are not the best answer to this wording. SCADA collects real-time data and helps visualize and control the OT environment, but it is described as a system within the broader ICS structure. PLC devices collect and transmit real-time data and connect sensors and RTUs to SCADA, while IIoT refers to sensors, actuators, and other connected field devices. Therefore, the overarching main OT component for monitoring and controlling industrial processes is ICS .

The correct answers are B. IPS on FortiGate_Level5 and C. Virtual patching on FortiGate_Level2 .

The study guide explains that “the first line of defense is securing the IT side of your network” and that FortiGate should be placed to protect ICS environments and stop threats from propagating from IT into OT. It also states that IPS improves OT security because “today’s threat landscape requires IPS to block a wider range of threats and improve OT security” and that in IPS mode, vulnerable devices are protected . This makes FortiGate_Level5 , at the upper boundary near the DMZ and external connectivity, the correct place to implement IPS as a primary protection control.

The study guide also states in the Purdue model section that “Level 2 consists of the processes and programs that control the PLCs, RTUs, and IEDs found at Level 1” and that “it is necessary to segment, or even microsegment, these servers with firewall segmentation, along with policies that include application control and virtual patching.” In addition, the virtual patching section says “Virtual patching protects OT devices that have not yet been updated against vulnerability exploits” and applies when traffic related to the vulnerable device reaches the firewall policy. Since FortiGate_Level2 sits between the process network and the control network, it is the right enforcement point for virtual patching to protect the PLC-side assets.

Option A is not one of the best answers because offline IDS only detects and logs attacks; the guide says “no traffic flows through FortiGate” in offline IDS mode, whereas IPS can actually block threats. Option D is also not the best answer because OT signatures are enabled within the IPS framework, but the stronger control explicitly described for this design is to deploy IPS at the upper boundary and virtual patching closer to vulnerable OT devices .

 The study guide says playbooks are used to automate tasks such as running reports and creating/updating incidents . It also says that after a playbook is triggered, it flows through its configured tasks.

 It further shows a sample playbook sequence where an event is detected, an incident is created , a report runs , and details are attached to the incident . That is exactly the kind of workflow shown in the incident analysis view.

 By contrast, the study guide says event handlers generate events when logs match configured rules. Event handlers are for detection, not for attaching reports to incidents.

Based on the provided exhibit and the OT Security 7.6 Architect curriculum regarding the Fortinet Security Fabric :

Fabric Role : The exhibit clearly shows that FortiGate-2 has the role set to Join Fabric . This confirms it is a downstream device and not the Fabric Root (eliminating Option A).

Upstream Connection : The device is configured to point to an Upstream FortiGate at IP address 10.1.2.254 .

Fabric Status : The status is currently displayed as Not Connected . In a standard Fortinet Security Fabric deployment, once a downstream device is configured to join the fabric, it sends a request to the upstream root device. The root FortiGate must then explicitly authorize the downstream unit before the connection is established and the status changes to " Connected. "

Authorization Requirement : The " Not Connected " status, while having the upstream IP correctly configured, is the classic indicator that the authorization step is pending on the root FortiGate. Furthermore, under the LAN Edge Devices section, it shows another downstream FortiGate requiring authorization on this specific unit, highlighting that authorization is a manual security requirement for all stages of the Fabric hierarchy.

FortiAnalyzer Status : While the Logging & Analytics section shows FortiAnalyzer is Disabled , this is a configuration choice and does not prevent the Security Fabric from connecting; therefore, configuring it is not the solution to the connectivity status shown (eliminating Option C).

In summary, FortiGate-2 cannot join the fabric until an administrator logs into the Root FortiGate (10.1.2.254) and authorizes the join request from FortiGate-2.

According to the OT Security 7.6 Architect study guide regarding FortiAnalyzer Event Management :

Notification Options : When configuring a new event handler, FortiAnalyzer provides several built-in notification methods to alert administrators when specific log criteria are met. The most common and direct method is Send alert email (Option A).

Incident Management : To streamline the SOC workflow, an event handler can be configured to Automatically create an incident (Option D) based on the triggered event. This moves the event into the Incident Manager for further analysis.

Security Fabric Integration : In the 7.6 architecture, event handlers can directly trigger an Automation stitch (Option E). This allows the FortiAnalyzer to notify the root FortiGate to take action (like running a CLI script or changing a policy) across the Security Fabric.

Exclusions : Create a report (Option B) is typically a task performed by a Playbook or a scheduled report job, not a direct setting inside the basic event handler configuration. Quarantine an attacker (Option C) is an action that results from an automation stitch or playbook, but it is not a direct configuration toggle within the event handler itself.

Based on the architecture of FortiAnalyzer within the Security Fabric and its automation capabilities:

Automation Stitch and Reports : Within the Security Fabric environment, FortiAnalyzer serves as a key element in creating automation stitches and playbooks. For a report to be selectable within a Playbook task (such as the Run_report task shown in the exhibit), it must meet specific technical prerequisites in the report configuration.

Auto-cache Requirement (Answer C) : For a report to be used for automated generation, it must be " ready " to be processed by the engine without manual intervention. Auto-cache must be enabled in the report settings to ensure the report can be generated dynamically and efficiently when triggered by the playbook.

Extended Log Filtering (Answer B) : Playbooks often pass specific variables from the trigger (such as a specific device IP or a time range) into the report. For the report to accept these dynamic parameters and be visible as an " automation-compatible " report in the Playbook interface, Extended Log Filtering must be enabled.

Workflow Constraints : Without these two settings enabled on the report itself, the Playbook engine cannot guarantee the report ' s successful generation or parameter injection, and thus filters it out of the available selection list in the Run_report task.

Based on the exhibit and the OT Security 7.6 Architect standards for Secure Remote Access :

Secure Tunneling (Statement A) : The exhibit shows a Remote PC connecting through a VPN Cloud to the Edge-FortiGate . In the Fortinet architecture, IPsec VPN is the primary method for establishing a secure, encrypted tunnel for remote administrators or supervisors to access the internal OT segments (Level 2/3) from an external location.

Multi-Factor Authentication (Statement B) : Secure remote access in OT environments (aligned with IEC 62443 standards) requires strong authentication. The study guide emphasizes the use of FortiToken to provide Two-Factor Authentication (2FA) for VPN users, ensuring that compromised credentials alone are not enough to gain access to critical infrastructure.

FSSO (Statement D) : Fortinet Single Sign-On is generally used for identifying internal users already on the network to apply identity-based policies; it is not the primary mechanism for establishing the remote connection itself.

SD-WAN (Statement C) : While SD-WAN can manage the path of the VPN traffic, it is a WAN optimization and reliability feature, not a " secure remote access " feature for a supervisor in the context of authentication and encryption.

The verified answer is C. The Fabric settings . The study guide ties FortiAnalyzer-triggered actions to the Security Fabric relationship with FortiGate, not to playbook tasks or standalone event handlers alone. It explains that “within the Security Fabric environment, FortiAnalyzer is a key element in the creation of automation stitches” and shows the flow where a downstream FortiGate sends logs to FortiAnalyzer, then FortiAnalyzer parses the logs and notifies the root FortiGate , after which the root FortiGate triggers the action . This shows that FortiAnalyzer must be configured so it can communicate with FortiGate through the Security Fabric.

The guide also states that FortiAnalyzer is the foundation of the Security Fabric , providing logging, reporting, analytics, and automation for Fabric devices and endpoints. It further explains that the FortiAnalyzer Fabric connector consolidates the traffic logs within the Security Fabric. This confirms that the automation workflow depends on proper Security Fabric integration. A playbook task is used for automated SOC actions, and an event handler is used to generate events from logs, but neither one alone establishes the direct communication path needed between FortiAnalyzer and FortiGate. Therefore, the required configuration on FortiAnalyzer is the Fabric settings .

The correct answer is A . The study guide states that “The OT view is not available by default. You must enable it in the Feature Visibility section of the GUI or using the CLI command shown on this slide” and shows config system settings → set gui-ot enable . It also says that “After you enable the feature, the Asset Identity Center contains an Asset Identity List tab and an OT View tab.” This directly explains why the OT View tab is missing: the feature that enables the Purdue-style OT display has not been enabled yet.

The OT View is the view that displays devices in a Purdue diagram , and the Asset Identity List also shows the current Purdue level for each device. Because the answer options do not explicitly say enable OT View in Feature Visibility , option A is the intended match, since it refers to enabling the Purdue-related OT display feature. Option B is incorrect because device detection affects visibility of devices, not whether the OT View tab exists. Option C is not supported by the study guide, and option D is also not given as the requirement for showing the OT View tab.