Pass the Fortinet NSE 6 Network Security Specialist NSE6_OTS_AR-7.6 Questions and answers with CertsForce

The correct answers are B. IPS on FortiGate_Level5 and C. Virtual patching on FortiGate_Level2 .

The study guide explains that “the first line of defense is securing the IT side of your network” and that FortiGate should be placed to protect ICS environments and stop threats from propagating from IT into OT. It also states that IPS improves OT security because “today’s threat landscape requires IPS to block a wider range of threats and improve OT security” and that in IPS mode, vulnerable devices are protected . This makes FortiGate_Level5 , at the upper boundary near the DMZ and external connectivity, the correct place to implement IPS as a primary protection control.

The study guide also states in the Purdue model section that “Level 2 consists of the processes and programs that control the PLCs, RTUs, and IEDs found at Level 1” and that “it is necessary to segment, or even microsegment, these servers with firewall segmentation, along with policies that include application control and virtual patching.” In addition, the virtual patching section says “Virtual patching protects OT devices that have not yet been updated against vulnerability exploits” and applies when traffic related to the vulnerable device reaches the firewall policy. Since FortiGate_Level2 sits between the process network and the control network, it is the right enforcement point for virtual patching to protect the PLC-side assets.

Option A is not one of the best answers because offline IDS only detects and logs attacks; the guide says “no traffic flows through FortiGate” in offline IDS mode, whereas IPS can actually block threats. Option D is also not the best answer because OT signatures are enabled within the IPS framework, but the stronger control explicitly described for this design is to deploy IPS at the upper boundary and virtual patching closer to vulnerable OT devices .

Based on the exhibit and the OT Security 7.6 Architect standards for Secure Remote Access :

Secure Tunneling (Statement A) : The exhibit shows a Remote PC connecting through a VPN Cloud to the Edge-FortiGate . In the Fortinet architecture, IPsec VPN is the primary method for establishing a secure, encrypted tunnel for remote administrators or supervisors to access the internal OT segments (Level 2/3) from an external location.

Multi-Factor Authentication (Statement B) : Secure remote access in OT environments (aligned with IEC 62443 standards) requires strong authentication. The study guide emphasizes the use of FortiToken to provide Two-Factor Authentication (2FA) for VPN users, ensuring that compromised credentials alone are not enough to gain access to critical infrastructure.

FSSO (Statement D) : Fortinet Single Sign-On is generally used for identifying internal users already on the network to apply identity-based policies; it is not the primary mechanism for establishing the remote connection itself.

SD-WAN (Statement C) : While SD-WAN can manage the path of the VPN traffic, it is a WAN optimization and reliability feature, not a " secure remote access " feature for a supervisor in the context of authentication and encryption.

The correct answer is A. Through device profiling rules . The study guide states: “When a rogue device record is created, the device is evaluated against the enabled device profiling rules.” It further explains that “FortiNAC evaluates a device against each rule until a failed, passed, or cannot evaluate result is reached.” That is the direct evaluation mechanism used for rogue devices in FortiNAC.

The guide also adds that “Device profiling rules are used to evaluate and classify rogue devices” and that FortiNAC applies rule methods and classification settings to determine whether the device matches a known type. This is why the other options are incorrect: FortiGuard server queries and the local device database (CIDB) relate to FortiGate device detection workflows, not FortiNAC rogue-device evaluation, and importing a devices list is not the evaluation method described for rogue devices.

The correct answer is C. Application sensor set to monitor on all the FortiGate devices .

The study guide clearly explains that application control is the feature used to identify OT protocols. It states that “application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” and also says “You can use application control signatures to detect OT protocols.” It further shows an example where a Modbus application control profile is enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly matches the requirement in the question, which is to detect OT protocols and increase traffic visibility .

The other options do not fit the requirement as precisely. Device detection is for identifying devices and collecting endpoint information, not for detecting industrial protocols. Inline IDS and IPS are focused more on detecting or blocking attacks, exploits, protocol abnormalities, and known vulnerabilities. While IPS can inspect some OT traffic, the study guide distinguishes it from application control by stating that IPS signatures tend to detect exploits, whereas application control signatures tend to provide protocol detection at various levels . Therefore, the required security sensor for OT protocol detection and traffic visibility is the application sensor in monitor mode .

The correct answers are A and C .

Option C is correct because the profile clearly contains the Operational Technology category and specific OT application signatures such as Modbus and IEC.60870.5.104 . The study guide says “You can use application control signatures to detect OT protocols” and “You can filter to a specific OT protocol.” That means OT application signatures are active in this sensor profile.

Option A is correct because the guide explains that application control works at different levels: “Detection of protocol (one detection per session)” and “Message level (one detection per protocol message).” It also says you can use application signatures for “granular message type identification.” In the exhibit, IEC.60870.5.104.Control.Functions is explicitly configured, which is a granular IEC message/control-level signature rather than only a protocol-level match. That means logging and control can occur at the IEC command level.

Option B is not correct because the profile shows Modbus configured at the parent protocol level as Monitor , while the guide states that the “parent signature takes precedence over the child signature.” Since protocol-level detection is one detection per session , that does not mean FortiGate will necessarily log each Modbus command individually.

Option D is incorrect because even though the broader Operational Technology category is set to block, the profile includes specific application and filter overrides for Modbus and IEC 104 behavior. So the resulting effect is not simply that all OT protocols are blocked .

The correct answer is D. EtherCAT . The study guide explicitly states under the Ethernet/IP and EtherCAT section that “EtherCAT is a protocol that offers real-time communication in a primary-secondary configuration” and “EtherCAT skips layers 3 to 6 to deliver real-time communication.” It also adds that “the most important feature of this protocol is that secondary devices collect only the information they need from the data packets.” This matches the exhibit exactly, where the diagram shows Real-Time Data above a Proprietary MAC and Proprietary physical layer , reflecting the protocol structure that bypasses the intermediate OSI layers.

The other options do not match this behavior. The guide says POWERLINK uses layer 2 and layer 7 of the OSI model, not that it skips layers 3 to 6. It also explains that Ethernet/IP is the industrial protocol based entirely on Ethernet standards and adapts to the OSI model. Modbus is described as an open client/server protocol and is not suitable for transmitting data in real time . Therefore, the protocol in the exhibit is clearly EtherCAT .

The correct answer is C. EtherCAT .

The study guide states that for industrial Ethernet protocols, “such as Ethernet/IP and Modbus/TCP, you can use VLANs to segment your physical LAN into multiple logical LANs.” This directly confirms that Ethernet/IP and Modbus/TCP support VLAN-based segmentation in the OT context.

By contrast, the guide explains that “EtherCAT skips layers 3 to 6 to deliver real-time communication” and describes it as an “Open-Software Modified-Ethernet” approach. Because it does not operate like the standard Ethernet/IP model used for normal VLAN-based segmentation, EtherCAT is the protocol identified here as not supporting VLANs in the way Ethernet/IP and Modbus/TCP do.

So, based on the study guide comparison, the verified answer is EtherCAT .

Deploying a FortiGate in offline IDS (also known as one-arm sniffer mode) is a common strategy in OT environments for several reasons found in the study guide:

Priority of Availability : In OT, availability and safety are critically important and prioritized higher than in IT. An offline IDS minimizes impact because it does not sit in the direct path of production traffic.

Network Sensor Role : In this mode, the FortiGate is connected to a mirror/SPAN port on a switch. It acts as a network sensor , receiving a copy of the traffic rather than having the traffic flow through it. This confirms Statement A is correct and Statement D is incorrect.

Passive vs. Active : The guide explicitly states that in OT environments, passive methods are preferred over active methods to avoid negatively impacting performance or causing process interruptions.

Depth of Visibility : Even though the device is offline, you apply security profiles (such as IPS, Application Control, and Antivirus) to the sniffer interface. This allows the FortiGate to analyze the copied traffic and provide deep visibility into the OT assets and their behaviors. This confirms Statement B is correct.

Detection vs. Prevention : An IDS (Intrusion Detection System) is passive ; it can detect threats but cannot reset connections or drop packets to block attacks. Therefore, it cannot block zero-day attacks, making Statement C incorrect.

According to the OT Security 7.6 Architect study guide section on Asset Management , specifically regarding FortiNAC Visibility :

Layer 2 Polling Data : Because each physical address is unique, FortiNAC identifies hosts as they connect to the network. The information gathered during this process fills in the physical address and location information in the database.

Visibility Components : The guide states that the physical address learned , the time it was learned , and where it was learned from provide the foundation of endpoint visibility in the form of " what, where, and when " information. This confirms that Where it was learned (Option A) and The time it was learned (Option D) are correct.

Exclusions :

Layer 3 Polling : The MAC-to-IP correlation (Option B) is explicitly defined as a function of Layer 3 polling , where the correlated IP address is added to the database record for the corresponding MAC address.

DHCP Fingerprinting : The host name or system name (Option C) and the operating system are gathered via DHCP fingerprinting , not layer 2 polling.

The correct answer is A. Device Detection is enabled on the other identified device .

The study guide explains that device identification is a “useful feature for the Security Fabric topology view” and that “FortiGate detects most third-party devices in your network and adds them to the topology view of the Security Fabric.” It also states that in the interfaces section, you can enable device detection , and this detection is what allows FortiGate to identify devices based on observed traffic.

In the exhibit, the tooltip distinguishes between “1 device requires authorization” and “1 other identified device.” That means the unauthorized device is a separate FortiGate/Fabric member issue, while the other identified device is simply a detected third-party device shown in the topology because device detection is working. Therefore, the correct interpretation is that device detection is enabled for that identified device. Option B is incorrect because the exhibit does not say the other identified device requires authorization. Option C is not supported by the study guide, and option D is too specific because no evidence in the exhibit confirms that the detection was enabled specifically on port3 .