Free and Premium Fortinet NSE6_OTS_AR-7.6 Dumps Questions Answers

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.

According to the OT Security 7.6 Architect study guide section on Asset Management , specifically regarding FortiNAC Visibility :

Layer 2 Polling Data : Because each physical address is unique, FortiNAC identifies hosts as they connect to the network. The information gathered during this process fills in the physical address and location information in the database.

Visibility Components : The guide states that the physical address learned , the time it was learned , and where it was learned from provide the foundation of endpoint visibility in the form of " what, where, and when " information. This confirms that Where it was learned (Option A) and The time it was learned (Option D) are correct.

Exclusions :

Layer 3 Polling : The MAC-to-IP correlation (Option B) is explicitly defined as a function of Layer 3 polling , where the correlated IP address is added to the database record for the corresponding MAC address.

DHCP Fingerprinting : The host name or system name (Option C) and the operating system are gathered via DHCP fingerprinting , not layer 2 polling.

The verified answer is C. The Fabric settings . The study guide ties FortiAnalyzer-triggered actions to the Security Fabric relationship with FortiGate, not to playbook tasks or standalone event handlers alone. It explains that “within the Security Fabric environment, FortiAnalyzer is a key element in the creation of automation stitches” and shows the flow where a downstream FortiGate sends logs to FortiAnalyzer, then FortiAnalyzer parses the logs and notifies the root FortiGate , after which the root FortiGate triggers the action . This shows that FortiAnalyzer must be configured so it can communicate with FortiGate through the Security Fabric.

The guide also states that FortiAnalyzer is the foundation of the Security Fabric , providing logging, reporting, analytics, and automation for Fabric devices and endpoints. It further explains that the FortiAnalyzer Fabric connector consolidates the traffic logs within the Security Fabric. This confirms that the automation workflow depends on proper Security Fabric integration. A playbook task is used for automated SOC actions, and an event handler is used to generate events from logs, but neither one alone establishes the direct communication path needed between FortiAnalyzer and FortiGate. Therefore, the required configuration on FortiAnalyzer is the Fabric settings .

According to the OT Security 7.6 Architect study guide regarding the Purdue Model :

Asset Location : The study guide states that " All critical physical assets are located on the plant floor and equipped with IIoT sensors. "

Level Classification : The " plant floor " is further defined as the " control area zone, " which consists of Levels 0, 1, and 2 .

Hierarchy : The " Operations & Control " zone is identified as Level 3 and Level 3.5 .

Direct Answer : In the " Introduction " lesson ' s Knowledge Check , the specific question " In the Purdue model, at which level are IIoTs placed? " is provided with the verified answer: Below Level 3.5 .

The correct answer is C. You can implement parallel redundancy protocol . The study guide explains that media redundancy involves creating a backup path that can be used when part of the network fails and specifically states that “Parallel Redundancy Protocol (PRP) can be used for a star topology.” Since the problem described is many disconnections in the links , the issue is link availability, which is a media redundancy problem rather than a firewall virtualization or policy separation problem. PRP is designed to provide a backup communication path with low recovery time when links fail.

The other options do not fit this scenario as well. HA clusters are described in the guide as a solution for network node redundancy , where a backup firewall or switch takes over when the primary device fails. SD-WAN is recommended for remote site access across multiple WAN links, not for the local floor links shown in this topology. VDOMs provide logical segmentation, not link redundancy or higher link availability. Because the question is specifically about repeated link disconnections , the best action is to implement PRP .

The correct answer is C. Application sensor set to monitor on all the FortiGate devices .

The study guide clearly explains that application control is the feature used to identify OT protocols. It states that “application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” and also says “You can use application control signatures to detect OT protocols.” It further shows an example where a Modbus application control profile is enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly matches the requirement in the question, which is to detect OT protocols and increase traffic visibility .

The other options do not fit the requirement as precisely. Device detection is for identifying devices and collecting endpoint information, not for detecting industrial protocols. Inline IDS and IPS are focused more on detecting or blocking attacks, exploits, protocol abnormalities, and known vulnerabilities. While IPS can inspect some OT traffic, the study guide distinguishes it from application control by stating that IPS signatures tend to detect exploits, whereas application control signatures tend to provide protocol detection at various levels . Therefore, the required security sensor for OT protocol detection and traffic visibility is the application sensor in monitor mode .

The correct answer is A. Fortinet Single-Sign On (FSSO) . The study guide states under Active and Passive Authentication that for passive authentication, “User does not receive a login prompt from FortiGate” , “Credentials are determined automatically” , and specifically “FSSO, RSSO, and NTLM can be used.” It then explains that passive authentication occurs with the single sign-on method and explicitly identifies Fortinet SSO (FSSO) as one of those methods.

The guide also says: “For passive authentication, you can implement FSSO. FSSO allows users who have already authenticated on the network through another system to be transparently identified. After initial login to any system on the network, users can access allowed resources without being prompted for credentials.” That is exactly what the question asks for: improving access control in a large OT network using passive authentication .

The other options do not match passive authentication. Local users are part of local authentication, two-factor authentication adds an extra security factor but still uses active authentication, and FortiAuthenticator as a remote server supports centralized authentication for mid-to-large networks, but by itself it is not the specific passive-authentication method being asked here. The study guide is explicit that the FortiGate configuration for passive authentication is FSSO .

According to the OT Security 7.6 Architect study guide regarding IEC 62443 Security Levels :

Security Level 4 (SL 4) Definition : This level provides " Protection against intentional violation using sophisticated means with extended resources, specific skills, and high motivation " .

Real-World Application : The study guide specifically notes: " If you are facing a syndicate of cyber extortionists with extensive resources and capabilities, then you should strive for security level 4 " .

Comparison to other levels :

SL 1 : Protection against " casual or unintentional system violation " .

SL 2 : Protection against " intentional violation using simple means with low resources " .

SL 3 : Protection against " intentional violation using sophisticated means with moderate resources " .

The correct answers are A and C .

Option A is correct because the study guide explains that with active authentication , FortiGate prompts the user only when they use “an acceptable login protocol.” It states: “When you use only active authentication, if all possible policies that could match the source IP address have authentication enabled, then the user will receive a login prompt (assuming they use an acceptable login protocol).” A direct ping to PLC-1 uses ICMP , which is not the kind of login protocol used to trigger user authentication. So the supervisor must first authenticate through a protocol such as HTTPS or Telnet , then the ICMP traffic can match the authenticated policy.

Option C is also correct because the exhibit shows policy ID 8 greyed out, meaning it is not enabled. That policy appears above the Supervisor_access (9) policy and allows broader access to PLC-1 , whereas policy 9 is limited to ALL_ICMP . The study guide explains that “Because the user has not yet authenticated, the user group aspect of the traffic does not match” and FortiGate continues searching for another complete match. In this case, with policy 8 disabled, the supervisor is left with only the ICMP rule, which cannot be used to perform the initial login step needed for active authentication.

Option B is not supported by the exhibit. Option D is incorrect because auth-on-demand always would force authentication prompts more aggressively, but the core problem here is that the user is trying to start with ICMP and the broader policy that could permit the initial authenticated access is disabled.

The correct answers are A and D .

Option A is correct because the study guide states that for OT protocol coverage, “a valid OT security service license is required to receive updates on both intrusion prevention and application control signatures.” It also shows “Valid license required” in the FortiGuard subscriptions section for OT protocol coverage. This confirms that a valid OT security service license is required to use and maintain the OT signatures database correctly.

Option D is also correct because the guide explicitly shows the CLI configuration used “To enable OT signatures” :

config ips global

set exclude-signatures none

end

It then states that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI.” This directly confirms that you must set exclude-signatures to none in the CLI to enable OT signatures.

Option B is incorrect because the study guide does not say you manually import the OT signatures database. Instead, it explains that FortiGuard maintains updated OT signatures and that a valid license is required to receive updates. Option C is incorrect because the guide clearly says OT signatures are excluded by default until enabled from the CLI.

The correct answer is A. Device Detection is enabled on the other identified device .

The study guide explains that device identification is a “useful feature for the Security Fabric topology view” and that “FortiGate detects most third-party devices in your network and adds them to the topology view of the Security Fabric.” It also states that in the interfaces section, you can enable device detection , and this detection is what allows FortiGate to identify devices based on observed traffic.

In the exhibit, the tooltip distinguishes between “1 device requires authorization” and “1 other identified device.” That means the unauthorized device is a separate FortiGate/Fabric member issue, while the other identified device is simply a detected third-party device shown in the topology because device detection is working. Therefore, the correct interpretation is that device detection is enabled for that identified device. Option B is incorrect because the exhibit does not say the other identified device requires authorization. Option C is not supported by the study guide, and option D is too specific because no evidence in the exhibit confirms that the detection was enabled specifically on port3 .

The correct answer is A. FortiGate queries FortiGuard servers . The study guide explains the device detection process very clearly: “First, FortiGate attempts to detect the devices based on the information in the local device database (CIDB). If FortiGate cannot detect the devices locally, it queries the FortiGuard servers by sending data about the unknown devices to the FortiGuard servers. In response, the FortiGuard servers provide additional information about those devices.” This directly answers the question and shows that querying FortiGuard is the next step after local detection fails.

Option D is incorrect because the guide says FortiGate checks the local device database (CIDB) first, before this next step. Option B refers more to FortiNAC-style profiling logic, not FortiGate’s OT device detection flow. Option C is also incorrect because service connectors are not described here as the immediate follow-up step for unknown local device detection. The study guide specifically identifies FortiGuard servers as the next destination for device identification assistance.

The correct answer is C. The output of the CLI command get rule otvp status . In the Virtual Patching section, the study guide shows the workflow where FortiGate queries FortiGuard for device-specific vulnerabilities, receives OT virtual patching signatures, maps them to the device MAC address, and then explicitly displays the CLI verification command get rule otvp status together with fields such as Rule-name , Vuln_type , and Cve . This is the direct confirmation mechanism shown in the guide for checking whether OT devices have virtual patching rules associated with them.

The other options are less accurate for confirmation. The OT View page is for Purdue-level visualization, and the Asset Identity List page shows device and asset information, but neither is presented in the guide as the command or control used to verify virtual patching status. The study guide specifically uses get rule otvp status as the status check tied to virtual patching behavior.