The Fortinet NSE 6 - OT Security 7.6 Architect (NSE6_OTS_AR-7.6)

The correct answer is C. Industrial Control System (ICS) . The study guide states that “ICS is a main component of OT” and “consists of systems used for monitoring and controlling industrial processes.” It also explains that ICS includes various devices, systems, controls, and networks that manage industrial processes, and that the most common types are SCADA and distributed control systems (DCS) . This makes ICS the primary OT component for monitoring and controlling industrial processes.

The other options are related OT components, but they are not the best answer to this wording. SCADA collects real-time data and helps visualize and control the OT environment, but it is described as a system within the broader ICS structure. PLC devices collect and transmit real-time data and connect sensors and RTUs to SCADA, while IIoT refers to sensors, actuators, and other connected field devices. Therefore, the overarching main OT component for monitoring and controlling industrial processes is ICS .

The correct answer is A. FortiGate queries FortiGuard servers . The study guide explains the device detection process very clearly: “First, FortiGate attempts to detect the devices based on the information in the local device database (CIDB). If FortiGate cannot detect the devices locally, it queries the FortiGuard servers by sending data about the unknown devices to the FortiGuard servers. In response, the FortiGuard servers provide additional information about those devices.” This directly answers the question and shows that querying FortiGuard is the next step after local detection fails.

Option D is incorrect because the guide says FortiGate checks the local device database (CIDB) first, before this next step. Option B refers more to FortiNAC-style profiling logic, not FortiGate’s OT device detection flow. Option C is also incorrect because service connectors are not described here as the immediate follow-up step for unknown local device detection. The study guide specifically identifies FortiGuard servers as the next destination for device identification assistance.

The correct answer is D. Automatically by an event handler . The study guide explicitly states that “Event handlers generate events on FortiAnalyzer” and “FortiAnalyzer uses event handlers to filter all incoming logs. If the logs received match the conditions set in the event handlers, FortiAnalyzer generates an event.” It also says “You can view all generated events on the Event Monitor page.” This directly matches the exhibit, which is showing entries on the Event Monitor page. Therefore, the attack shown there was detected automatically through an event handler .

The guide also explains the detection flow: “FortiAnalyzer receives logs,” “FortiAnalyzer parses logs,” and “FortiAnalyzer generates an event if a rule is matched in an event handler.” In addition, the Event Monitor view includes the Handler column, which identifies the event handler that generated the event. That is why the attack is not considered manually detected, and it is not primarily detected by a playbook or stitch. Playbooks and stitches are used for subsequent automation actions, but the event appearing in Event Monitor is created by the event handler mechanism.

The correct answer is A. Fortinet Single-Sign On (FSSO) . The study guide states under Active and Passive Authentication that for passive authentication, “User does not receive a login prompt from FortiGate” , “Credentials are determined automatically” , and specifically “FSSO, RSSO, and NTLM can be used.” It then explains that passive authentication occurs with the single sign-on method and explicitly identifies Fortinet SSO (FSSO) as one of those methods.

The guide also says: “For passive authentication, you can implement FSSO. FSSO allows users who have already authenticated on the network through another system to be transparently identified. After initial login to any system on the network, users can access allowed resources without being prompted for credentials.” That is exactly what the question asks for: improving access control in a large OT network using passive authentication .

The other options do not match passive authentication. Local users are part of local authentication, two-factor authentication adds an extra security factor but still uses active authentication, and FortiAuthenticator as a remote server supports centralized authentication for mid-to-large networks, but by itself it is not the specific passive-authentication method being asked here. The study guide is explicit that the FortiGate configuration for passive authentication is FSSO .

The correct answer is B. A firewall policy has a Virtual Patching security profile applied to it .

The decisive clue in the exhibit is the Vulnerabilities column showing KEVs and device-specific vulnerability counts. The study guide explains the virtual patching workflow in this exact way: “FortiGate performs a lookup for device-specific vulnerabilities and mitigation rules in FortiGuard,” then “FortiGuard returns specific OT virtual patching signatures,” and “FortiGate caches the signatures and mitigation rules that apply to each device.” That is the same behavior reflected by the Asset Identity List showing vulnerability information per detected device.

The guide then states that “When traffic related to the vulnerable device reaches FortiGate, the firewall policy with the virtual patching profile applies.” It also says “A virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT device.” This directly links the per-device vulnerability visibility to a Virtual Patching profile enforced through firewall policy.

The other options do not match the exhibit. Antivirus is not described in the study guide as building a device-by-device vulnerability list, Application Control is used for OT protocol and message visibility, and IPS focuses on exploit detection and prevention. The Vulnerabilities/KEVs display is the indicator that FortiGate is using Virtual Patching logic for those OT devices.

The correct answers are A and D .

Option A is correct because the study guide states that for OT protocol coverage, “a valid OT security service license is required to receive updates on both intrusion prevention and application control signatures.” It also shows “Valid license required” in the FortiGuard subscriptions section for OT protocol coverage. This confirms that a valid OT security service license is required to use and maintain the OT signatures database correctly.

Option D is also correct because the guide explicitly shows the CLI configuration used “To enable OT signatures” :

config ips global

set exclude-signatures none

end

It then states that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI.” This directly confirms that you must set exclude-signatures to none in the CLI to enable OT signatures.

Option B is incorrect because the study guide does not say you manually import the OT signatures database. Instead, it explains that FortiGuard maintains updated OT signatures and that a valid license is required to receive updates. Option C is incorrect because the guide clearly says OT signatures are excluded by default until enabled from the CLI.

The correct answers are B and C . The study guide states that “You can use application control signatures to detect OT protocols” and that “Application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” . It also shows that a Modbus application control profile can be enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly supports B , because application control is the feature used to identify and monitor OT protocols on FortiGate.

The guide also explains under IPS that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI” using config ips global and set exclude-signatures none . Once enabled, FortiGate can use those OT signatures for OT-aware inspection and protection. That supports C as the second required configuration. A is related to device discovery, not protocol identification, and D is focused on exploit and vulnerability detection rather than the first-step goal of identifying OT protocols.

Based on the provided exhibits from the FortiAnalyzer playbook engine:

Playbook Trigger Condition : The Partial Playbook configuration exhibit shows that the playbook is set to trigger based on a condition where the Basic Handler Name is Equal To IPS_Attack_Handling.

Event vs. Log : In FortiAnalyzer, the field Basic Handler Name is a property of an Event record, indicating the specific Event Handler that generated it. A playbook configured with this condition is triggered by an Event , not directly by a raw log.

Playbook Execution Flow : The Partial Playbook Monitor view shows the execution sequence:

Event_Trigger (Starter) : This is the entry point of the playbook, which matches the condition defined in the configuration.

IPS_Attack_Incident : The first task executed after the trigger.

Run_Report : The task in question, which is executed as part of the automated workflow initiated by the starter.

Conclusion : Since the playbook ' s " Starter " is defined by the IPS_Attack_Handling handler name, an event produced by that handler is the root trigger for the entire playbook execution, including the Run_Report task.

Therefore, the Run_Report task was triggered (as part of the playbook) by an IPS_Attack_Handling event .

Based on the OT Security 7.6 Architect study guide regarding the Asset Identity Center and Asset Management :

Vulnerability Visibility : The Asset Identity List tab displays key metadata for IT and OT devices, including detected addresses, users, and a specific column for Vulnerabilities .

Virtual Patching Feature : In the OT Security 7.6 architecture, the " Vulnerabilities " column is populated through the OT Security Service license, which includes " OT vulnerability correlation definitions & virtual patching signatures " .

Correlation Mechanism : FortiGate extracts metadata from OT traffic and uses these signatures to identify known vulnerabilities on the assets. For these vulnerabilities to be identified and correlated in the Asset Identity Center as shown in the exhibit (displaying a count of 8 vulnerabilities), the Virtual Patching feature must be active.

Architectural Implementation : Virtual patching is a critical component of the " Protection " layer in OT networks, allowing administrators to secure legacy or unpatchable PLCs and RTUs by blocking exploit attempts at the network level using IPS-based virtual patching signatures.

Exhibit Analysis : The presence of identified vulnerabilities (the number " 8 " in the red shield) in the Asset Identity List confirms that the FortiGate is actively performing vulnerability correlation, which is the operational result of having a Virtual Patching security profile applied to the relevant firewall policy.