NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Question and Answers

The correct answers are B and C . The study guide states that “You can use application control signatures to detect OT protocols” and that “Application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” . It also shows that a Modbus application control profile can be enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly supports B , because application control is the feature used to identify and monitor OT protocols on FortiGate.

The guide also explains under IPS that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI” using config ips global and set exclude-signatures none . Once enabled, FortiGate can use those OT signatures for OT-aware inspection and protection. That supports C as the second required configuration. A is related to device discovery, not protocol identification, and D is focused on exploit and vulnerability detection rather than the first-step goal of identifying OT protocols.

The verified answer is C. The Fabric settings . The study guide ties FortiAnalyzer-triggered actions to the Security Fabric relationship with FortiGate, not to playbook tasks or standalone event handlers alone. It explains that “within the Security Fabric environment, FortiAnalyzer is a key element in the creation of automation stitches” and shows the flow where a downstream FortiGate sends logs to FortiAnalyzer, then FortiAnalyzer parses the logs and notifies the root FortiGate , after which the root FortiGate triggers the action . This shows that FortiAnalyzer must be configured so it can communicate with FortiGate through the Security Fabric.

The guide also states that FortiAnalyzer is the foundation of the Security Fabric , providing logging, reporting, analytics, and automation for Fabric devices and endpoints. It further explains that the FortiAnalyzer Fabric connector consolidates the traffic logs within the Security Fabric. This confirms that the automation workflow depends on proper Security Fabric integration. A playbook task is used for automated SOC actions, and an event handler is used to generate events from logs, but neither one alone establishes the direct communication path needed between FortiAnalyzer and FortiGate. Therefore, the required configuration on FortiAnalyzer is the Fabric settings .

The correct answers are C and D .

Option D is correct because the study guide states that the configuration of an event handler can include “Rules” and explains that “Rules are granular conditions” and “Event handlers can have one or more rules.” It further states that “FortiAnalyzer uses event handlers to filter all incoming logs” and “If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Therefore, to use the automation stitch, you must define the rules on FortiAnalyzer so the event handler can actually generate the event that starts the automation flow.

Option C is also correct. The study guide explains that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to the FortiGate side, and in the attack-detection example it says “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” It also explicitly shows “Stitches configured on root FortiGate.” This means the FortiGate must have the corresponding automation trigger configured for the FortiAnalyzer event handler notification.

Option A is incorrect because the study guide does not describe configuring an Action on FortiAnalyzer as the required step for this FortiAnalyzer-to-FortiGate automation-stitch flow. Option B is also incorrect because playbooks are a different FortiAnalyzer automation mechanism; the question specifically refers to using the Automation Stitch option in the event handler.

The correct answer is C. Application sensor set to monitor on all the FortiGate devices .

The study guide clearly explains that application control is the feature used to identify OT protocols. It states that “application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” and also says “You can use application control signatures to detect OT protocols.” It further shows an example where a Modbus application control profile is enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly matches the requirement in the question, which is to detect OT protocols and increase traffic visibility .

The other options do not fit the requirement as precisely. Device detection is for identifying devices and collecting endpoint information, not for detecting industrial protocols. Inline IDS and IPS are focused more on detecting or blocking attacks, exploits, protocol abnormalities, and known vulnerabilities. While IPS can inspect some OT traffic, the study guide distinguishes it from application control by stating that IPS signatures tend to detect exploits, whereas application control signatures tend to provide protocol detection at various levels . Therefore, the required security sensor for OT protocol detection and traffic visibility is the application sensor in monitor mode .

The correct answer is C. You can implement parallel redundancy protocol . The study guide explains that media redundancy involves creating a backup path that can be used when part of the network fails and specifically states that “Parallel Redundancy Protocol (PRP) can be used for a star topology.” Since the problem described is many disconnections in the links , the issue is link availability, which is a media redundancy problem rather than a firewall virtualization or policy separation problem. PRP is designed to provide a backup communication path with low recovery time when links fail.

The other options do not fit this scenario as well. HA clusters are described in the guide as a solution for network node redundancy , where a backup firewall or switch takes over when the primary device fails. SD-WAN is recommended for remote site access across multiple WAN links, not for the local floor links shown in this topology. VDOMs provide logical segmentation, not link redundancy or higher link availability. Because the question is specifically about repeated link disconnections , the best action is to implement PRP .

The correct answer is C. Industrial Control System (ICS) . The study guide states that “ICS is a main component of OT” and “consists of systems used for monitoring and controlling industrial processes.” It also explains that ICS includes various devices, systems, controls, and networks that manage industrial processes, and that the most common types are SCADA and distributed control systems (DCS) . This makes ICS the primary OT component for monitoring and controlling industrial processes.

The other options are related OT components, but they are not the best answer to this wording. SCADA collects real-time data and helps visualize and control the OT environment, but it is described as a system within the broader ICS structure. PLC devices collect and transmit real-time data and connect sensors and RTUs to SCADA, while IIoT refers to sensors, actuators, and other connected field devices. Therefore, the overarching main OT component for monitoring and controlling industrial processes is ICS .

The correct answer is D. Automatically by an event handler . The study guide explicitly states that “Event handlers generate events on FortiAnalyzer” and “FortiAnalyzer uses event handlers to filter all incoming logs. If the logs received match the conditions set in the event handlers, FortiAnalyzer generates an event.” It also says “You can view all generated events on the Event Monitor page.” This directly matches the exhibit, which is showing entries on the Event Monitor page. Therefore, the attack shown there was detected automatically through an event handler .

The guide also explains the detection flow: “FortiAnalyzer receives logs,” “FortiAnalyzer parses logs,” and “FortiAnalyzer generates an event if a rule is matched in an event handler.” In addition, the Event Monitor view includes the Handler column, which identifies the event handler that generated the event. That is why the attack is not considered manually detected, and it is not primarily detected by a playbook or stitch. Playbooks and stitches are used for subsequent automation actions, but the event appearing in Event Monitor is created by the event handler mechanism.