Pass the Fortinet NSE 6 Network Security Specialist NSE6_OTS_AR-7.6 Questions and answers with CertsForce

According to the OT Security 7.6 Architect study guide regarding the Purdue Model :

Asset Location : The study guide states that "All critical physical assets are located on the plant floor and equipped with IIoT sensors."

Level Classification : The "plant floor" is further defined as the "control area zone," which consists of Levels 0, 1, and 2 .

Hierarchy : The "Operations & Control" zone is identified as Level 3 and Level 3.5 .

Direct Answer : In the "Introduction" lesson's Knowledge Check , the specific question "In the Purdue model, at which level are IIoTs placed?" is provided with the verified answer: Below Level 3.5 .

The correct answer is C. EtherCAT .

The study guide states that for industrial Ethernet protocols, “such as Ethernet/IP and Modbus/TCP, you can use VLANs to segment your physical LAN into multiple logical LANs.” This directly confirms that Ethernet/IP and Modbus/TCP support VLAN-based segmentation in the OT context.

By contrast, the guide explains that “EtherCAT skips layers 3 to 6 to deliver real-time communication” and describes it as an “Open-Software Modified-Ethernet” approach. Because it does not operate like the standard Ethernet/IP model used for normal VLAN-based segmentation, EtherCAT is the protocol identified here as not supporting VLANs in the way Ethernet/IP and Modbus/TCP do.

So, based on the study guide comparison, the verified answer is EtherCAT .

According to the OT Security 7.6 Architect study guide section on Asset Management , specifically regarding FortiNAC Visibility :

Layer 2 Polling Data : Because each physical address is unique, FortiNAC identifies hosts as they connect to the network. The information gathered during this process fills in the physical address and location information in the database.

Visibility Components : The guide states that the physical address learned , the time it was learned , and where it was learned from provide the foundation of endpoint visibility in the form of " what, where, and when " information. This confirms that Where it was learned (Option A) and The time it was learned (Option D) are correct.

Exclusions :

Layer 3 Polling : The MAC-to-IP correlation (Option B) is explicitly defined as a function of Layer 3 polling , where the correlated IP address is added to the database record for the corresponding MAC address.

DHCP Fingerprinting : The host name or system name (Option C) and the operating system are gathered via DHCP fingerprinting , not layer 2 polling.

Deploying a FortiGate in offline IDS (also known as one-arm sniffer mode) is a common strategy in OT environments for several reasons found in the study guide:

Priority of Availability : In OT, availability and safety are critically important and prioritized higher than in IT. An offline IDS minimizes impact because it does not sit in the direct path of production traffic.

Network Sensor Role : In this mode, the FortiGate is connected to a mirror/SPAN port on a switch. It acts as a network sensor , receiving a copy of the traffic rather than having the traffic flow through it. This confirms Statement A is correct and Statement D is incorrect.

Passive vs. Active : The guide explicitly states that in OT environments, passive methods are preferred over active methods to avoid negatively impacting performance or causing process interruptions.

Depth of Visibility : Even though the device is offline, you apply security profiles (such as IPS, Application Control, and Antivirus) to the sniffer interface. This allows the FortiGate to analyze the copied traffic and provide deep visibility into the OT assets and their behaviors. This confirms Statement B is correct.

Detection vs. Prevention : An IDS (Intrusion Detection System) is passive ; it can detect threats but cannot reset connections or drop packets to block attacks. Therefore, it cannot block zero-day attacks, making Statement C incorrect.

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.

The correct answer is C. Application sensor set to monitor on all the FortiGate devices .

The study guide clearly explains that application control is the feature used to identify OT protocols. It states that “application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” and also says “You can use application control signatures to detect OT protocols.” It further shows an example where a Modbus application control profile is enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly matches the requirement in the question, which is to detect OT protocols and increase traffic visibility .

The other options do not fit the requirement as precisely. Device detection is for identifying devices and collecting endpoint information, not for detecting industrial protocols. Inline IDS and IPS are focused more on detecting or blocking attacks, exploits, protocol abnormalities, and known vulnerabilities. While IPS can inspect some OT traffic, the study guide distinguishes it from application control by stating that IPS signatures tend to detect exploits, whereas application control signatures tend to provide protocol detection at various levels . Therefore, the required security sensor for OT protocol detection and traffic visibility is the application sensor in monitor mode .

The correct answer is D. Automatically by an event handler . The study guide explicitly states that “Event handlers generate events on FortiAnalyzer” and “FortiAnalyzer uses event handlers to filter all incoming logs. If the logs received match the conditions set in the event handlers, FortiAnalyzer generates an event.” It also says “You can view all generated events on the Event Monitor page.” This directly matches the exhibit, which is showing entries on the Event Monitor page. Therefore, the attack shown there was detected automatically through an event handler .

The guide also explains the detection flow: “FortiAnalyzer receives logs,” “FortiAnalyzer parses logs,” and “FortiAnalyzer generates an event if a rule is matched in an event handler.” In addition, the Event Monitor view includes the Handler column, which identifies the event handler that generated the event. That is why the attack is not considered manually detected, and it is not primarily detected by a playbook or stitch. Playbooks and stitches are used for subsequent automation actions, but the event appearing in Event Monitor is created by the event handler mechanism.

According to the OT Security 7.6 Architect study guide regarding IEC 62443 Security Levels :

Security Level 4 (SL 4) Definition : This level provides "Protection against intentional violation using sophisticated means with extended resources, specific skills, and high motivation".

Real-World Application : The study guide specifically notes: "If you are facing a syndicate of cyber extortionists with extensive resources and capabilities, then you should strive for security level 4".

Comparison to other levels :

SL 1 : Protection against "casual or unintentional system violation".

SL 2 : Protection against "intentional violation using simple means with low resources".

SL 3 : Protection against "intentional violation using sophisticated means with moderate resources".

The correct answer is D. You can configure forward domain IDs for each network . The study guide explains that in FortiGate transparent mode, “all interfaces belong to the same broadcast domain, even interfaces with different VLAN IDs” and then states that you should “use this command to subdivide into multiple broadcast domains” with set forward-domain < domain_ID > . It further explains that “interfaces with the same domain ID belong to the same broadcast domain” and “traffic arriving on one interface is broadcast only to interfaces in the same forward domain ID.” This is exactly the mechanism used to separate one internal network from another and improve segmentation.

The other options do not match this requirement. Universal ZTNA is described as controlling user access to applications , not segmenting two internal OT networks. An explicit software switch is for controlling intra-switch or intra-VLAN traffic inside the same software switch broadcast domain, which is more aligned with microsegmentation than separating two routed internal networks. One traffic VDOM does not create segmentation by itself; segmentation with VDOMs requires multiple VDOMs, not one. Therefore, the best choice for segmenting network 1 and network 2 in this scenario is to assign separate forward domain IDs .

The correct answers are A and D . The study guide provides a direct use case called Attack Detection and Automated Alert . It states: “A downstream FortiGate detects an attack and sends logs to FortiAnalyzer. FortiAnalyzer parses the logs and notifies the root FortiGate. The root FortiGate triggers the action, which in this case, is a notification to the administrator.” The same slide also explicitly shows “Stitches configured on root FortiGate.” This confirms that to send the automated alert, you must configure the automation stitch on the root FortiGate .

The second required configuration is an event handler on FortiAnalyzer . The guide explains that “Event handlers generate events” and that “FortiAnalyzer uses event handlers to filter all incoming logs. If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Since FortiAnalyzer must detect the attack from the received logs before notifying the root FortiGate, an event handler is required on FortiAnalyzer.

Option B is incorrect because the study guide does not identify a LOCALHOST task as the required configuration for this attack-alert flow. Option C is also incorrect because the question asks what must be configured to enable the automated alert workflow . An IPS profile may detect some attacks, but the required automation path in the study guide is specifically event handler on FortiAnalyzer + stitch on the root FortiGate .