NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Questions and Answers

The correct answers are B and D .

Option B is correct because the profile has Medium , High , and Critical selected, while Low severity is not selected. That means low-severity virtual patching signatures are not enforced by this profile. So for the device with MAC address 12:12:12:12:12 , low-severity signatures are not blocked. The study guide explains virtual patching as device-specific protection where “FortiGate caches the signatures and mitigation rules that apply to each device” and applies them when the related traffic matches the firewall policy.

Option D is correct because the Virtual Patching Exemptions table shows a row with the MAC address 11:11:11:11:11 and no specific signature listed. The study guide states that in the Virtual Patching profile you can “Exempt a specific device with the MAC address or a specific signature.” A MAC-only exemption means that specific device is excluded from virtual patching enforcement, so in practical terms it is treated as having no applicable vulnerabilities in this profile.

Option C is incorrect because the profile does not block critical signatures for all devices. The exemptions list proves that at least one device can be excluded by MAC address, and a specific signature can also be exempted. Therefore, enforcement is not universal across all devices.

Option A is incorrect because the entry Schneider.Electric.ClearSCADA.HTTP.Interface.XSS appears as a specific signature exemption , not as the only remaining vulnerability. The profile display is showing exemptions, not a statement that only one vulnerability is still present.

Based on the provided exhibits from the FortiAnalyzer playbook engine:

Playbook Trigger Condition : The Partial Playbook configuration exhibit shows that the playbook is set to trigger based on a condition where the Basic Handler Name is Equal To IPS_Attack_Handling.

Event vs. Log : In FortiAnalyzer, the field Basic Handler Name is a property of an Event record, indicating the specific Event Handler that generated it. A playbook configured with this condition is triggered by an Event , not directly by a raw log.

Playbook Execution Flow : The Partial Playbook Monitor view shows the execution sequence:

Event_Trigger (Starter) : This is the entry point of the playbook, which matches the condition defined in the configuration.

IPS_Attack_Incident : The first task executed after the trigger.

Run_Report : The task in question, which is executed as part of the automated workflow initiated by the starter.

Conclusion : Since the playbook's "Starter" is defined by the IPS_Attack_Handling handler name, an event produced by that handler is the root trigger for the entire playbook execution, including the Run_Report task.

Therefore, the Run_Report task was triggered (as part of the playbook) by an IPS_Attack_Handling event .

The verified answer is C. The Fabric settings . The study guide ties FortiAnalyzer-triggered actions to the Security Fabric relationship with FortiGate, not to playbook tasks or standalone event handlers alone. It explains that “within the Security Fabric environment, FortiAnalyzer is a key element in the creation of automation stitches” and shows the flow where a downstream FortiGate sends logs to FortiAnalyzer, then FortiAnalyzer parses the logs and notifies the root FortiGate , after which the root FortiGate triggers the action . This shows that FortiAnalyzer must be configured so it can communicate with FortiGate through the Security Fabric.

The guide also states that FortiAnalyzer is the foundation of the Security Fabric , providing logging, reporting, analytics, and automation for Fabric devices and endpoints. It further explains that the FortiAnalyzer Fabric connector consolidates the traffic logs within the Security Fabric. This confirms that the automation workflow depends on proper Security Fabric integration. A playbook task is used for automated SOC actions, and an event handler is used to generate events from logs, but neither one alone establishes the direct communication path needed between FortiAnalyzer and FortiGate. Therefore, the required configuration on FortiAnalyzer is the Fabric settings .

The correct answer is A. You must enable Virtual Patching in the Feature Visibility section .

The study guide states clearly that “By default, virtual patching profiles are hidden on the GUI, and you must enable them through System > Feature Visibility.” That exactly matches the situation in the exhibit, where Virtual Patching does not appear under Security Profiles . So the issue is not that the feature is unsupported, but that it is simply hidden in the GUI until it is enabled.

The other options do not answer the question being asked. A valid OT security service license is required for virtual patching signatures and protection workflow, and OT signatures are relevant to IPS-based OT protection, but those do not explain why the menu item itself is missing from the Security Profiles section . The guide specifically identifies Feature Visibility as the reason the Virtual Patching profile is not shown in the GUI. Therefore, the required action is to enable Virtual Patching in System > Feature Visibility .

The correct answer is A . The study guide states that “The OT view is not available by default. You must enable it in the Feature Visibility section of the GUI or using the CLI command shown on this slide” and shows config system settings → set gui-ot enable . It also says that “After you enable the feature, the Asset Identity Center contains an Asset Identity List tab and an OT View tab.” This directly explains why the OT View tab is missing: the feature that enables the Purdue-style OT display has not been enabled yet.

The OT View is the view that displays devices in a Purdue diagram , and the Asset Identity List also shows the current Purdue level for each device. Because the answer options do not explicitly say enable OT View in Feature Visibility , option A is the intended match, since it refers to enabling the Purdue-related OT display feature. Option B is incorrect because device detection affects visibility of devices, not whether the OT View tab exists. Option C is not supported by the study guide, and option D is also not given as the requirement for showing the OT View tab.

Based on the OT Security 7.6 Architect study guide regarding the Asset Identity Center and Asset Management :

Vulnerability Visibility : The Asset Identity List tab displays key metadata for IT and OT devices, including detected addresses, users, and a specific column for Vulnerabilities .

Virtual Patching Feature : In the OT Security 7.6 architecture, the "Vulnerabilities" column is populated through the OT Security Service license, which includes " OT vulnerability correlation definitions & virtual patching signatures ".

Correlation Mechanism : FortiGate extracts metadata from OT traffic and uses these signatures to identify known vulnerabilities on the assets. For these vulnerabilities to be identified and correlated in the Asset Identity Center as shown in the exhibit (displaying a count of 8 vulnerabilities), the Virtual Patching feature must be active.

Architectural Implementation : Virtual patching is a critical component of the "Protection" layer in OT networks, allowing administrators to secure legacy or unpatchable PLCs and RTUs by blocking exploit attempts at the network level using IPS-based virtual patching signatures.

Exhibit Analysis : The presence of identified vulnerabilities (the number "8" in the red shield) in the Asset Identity List confirms that the FortiGate is actively performing vulnerability correlation, which is the operational result of having a Virtual Patching security profile applied to the relevant firewall policy.

Based on the provided exhibit and the OT Security 7.6 Architect curriculum regarding the Fortinet Security Fabric :

Fabric Role : The exhibit clearly shows that FortiGate-2 has the role set to Join Fabric . This confirms it is a downstream device and not the Fabric Root (eliminating Option A).

Upstream Connection : The device is configured to point to an Upstream FortiGate at IP address 10.1.2.254 .

Fabric Status : The status is currently displayed as Not Connected . In a standard Fortinet Security Fabric deployment, once a downstream device is configured to join the fabric, it sends a request to the upstream root device. The root FortiGate must then explicitly authorize the downstream unit before the connection is established and the status changes to "Connected."

Authorization Requirement : The "Not Connected" status, while having the upstream IP correctly configured, is the classic indicator that the authorization step is pending on the root FortiGate. Furthermore, under the LAN Edge Devices section, it shows another downstream FortiGate requiring authorization on this specific unit, highlighting that authorization is a manual security requirement for all stages of the Fabric hierarchy.

FortiAnalyzer Status : While the Logging & Analytics section shows FortiAnalyzer is Disabled , this is a configuration choice and does not prevent the Security Fabric from connecting; therefore, configuring it is not the solution to the connectivity status shown (eliminating Option C).

In summary, FortiGate-2 cannot join the fabric until an administrator logs into the Root FortiGate (10.1.2.254) and authorizes the join request from FortiGate-2.