Pass the Fortinet NSE 6 Network Security Specialist NSE6_OTS_AR-7.6 Questions and answers with CertsForce

The correct answers are B and D .

Option B is correct because the profile has Medium , High , and Critical selected, while Low severity is not selected. That means low-severity virtual patching signatures are not enforced by this profile. So for the device with MAC address 12:12:12:12:12 , low-severity signatures are not blocked. The study guide explains virtual patching as device-specific protection where “FortiGate caches the signatures and mitigation rules that apply to each device” and applies them when the related traffic matches the firewall policy.

Option D is correct because the Virtual Patching Exemptions table shows a row with the MAC address 11:11:11:11:11 and no specific signature listed. The study guide states that in the Virtual Patching profile you can “Exempt a specific device with the MAC address or a specific signature.” A MAC-only exemption means that specific device is excluded from virtual patching enforcement, so in practical terms it is treated as having no applicable vulnerabilities in this profile.

Option C is incorrect because the profile does not block critical signatures for all devices. The exemptions list proves that at least one device can be excluded by MAC address, and a specific signature can also be exempted. Therefore, enforcement is not universal across all devices.

Option A is incorrect because the entry Schneider.Electric.ClearSCADA.HTTP.Interface.XSS appears as a specific signature exemption , not as the only remaining vulnerability. The profile display is showing exemptions, not a statement that only one vulnerability is still present.

 The study guide says playbooks are used to automate tasks such as running reports and creating/updating incidents . It also says that after a playbook is triggered, it flows through its configured tasks.

 It further shows a sample playbook sequence where an event is detected, an incident is created , a report runs , and details are attached to the incident . That is exactly the kind of workflow shown in the incident analysis view.

 By contrast, the study guide says event handlers generate events when logs match configured rules. Event handlers are for detection, not for attaching reports to incidents.

The correct answers are B and C . The study guide states that “You can use application control signatures to detect OT protocols” and that “Application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” . It also shows that a Modbus application control profile can be enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly supports B , because application control is the feature used to identify and monitor OT protocols on FortiGate.

The guide also explains under IPS that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI” using config ips global and set exclude-signatures none . Once enabled, FortiGate can use those OT signatures for OT-aware inspection and protection. That supports C as the second required configuration. A is related to device discovery, not protocol identification, and D is focused on exploit and vulnerability detection rather than the first-step goal of identifying OT protocols.