Pass the Fortinet NSE 6 Network Security Specialist NSE6_OTS_AR-7.6 Questions and answers with Dumpstech

The correct answers are B. The Datasets library and D. The Chart library .

The study guide explains that a FortiAnalyzer report is built from charts, and that charts consist of two elements: datasets and format . It states: “A FortiAnalyzer report is a set of data organized in charts” and “Charts consist of two elements: Datasets … and Format.” It then goes further in the Customizing Reports section and explicitly says “By default, the Chart Library contains more than 300 charts” and “By default, the Datasets library contains almost 400 datasets.” It also states that you can clone and edit both charts and datasets, and create new ones , which is exactly how you enhance and customize an existing report.

The other options are not the best answers for this question. FortiView can export a chart into a report chart, and Log View can help build a custom dataset and chart from search results, but the question asks which options you can use to enhance the report itself. The study guide identifies the actual report-customization components as the Chart Library and Datasets library . Dashboard library is not presented as a FortiAnalyzer report customization library in this section.

The correct answers are A and D . The study guide provides a direct use case called Attack Detection and Automated Alert . It states: “A downstream FortiGate detects an attack and sends logs to FortiAnalyzer. FortiAnalyzer parses the logs and notifies the root FortiGate. The root FortiGate triggers the action, which in this case, is a notification to the administrator.” The same slide also explicitly shows “Stitches configured on root FortiGate.” This confirms that to send the automated alert, you must configure the automation stitch on the root FortiGate .

The second required configuration is an event handler on FortiAnalyzer . The guide explains that “Event handlers generate events” and that “FortiAnalyzer uses event handlers to filter all incoming logs. If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Since FortiAnalyzer must detect the attack from the received logs before notifying the root FortiGate, an event handler is required on FortiAnalyzer.

Option B is incorrect because the study guide does not identify a LOCALHOST task as the required configuration for this attack-alert flow. Option C is also incorrect because the question asks what must be configured to enable the automated alert workflow . An IPS profile may detect some attacks, but the required automation path in the study guide is specifically event handler on FortiAnalyzer + stitch on the root FortiGate .

The correct answer is D. You can configure forward domain IDs for each network .

The study guide explains that in FortiGate transparent mode, all interfaces belong to the same broadcast domain, even interfaces with different VLAN IDs , and then states that you can “subdivide into multiple broadcast domains” by configuring set forward-domain < domain_ID > . It also states that “interfaces with the same domain ID belong to the same broadcast domain” and, with multiple forward domains, “traffic arriving on one interface is broadcast only to interfaces in the same forward domain ID.” That is the mechanism used to separate internal networks and confine traffic between network segments.

The other options do not fit this requirement. Universal ZTNA is for application access control, not segmentation between two OT networks. One traffic VDOM does not create segmentation by itself; multiple VDOMs would be needed for that type of isolation. An explicit software switch controls intraswitch traffic inside the same software-switch domain, not segmentation between separate networks like network 1 and network 2. Therefore, the correct way to implement the internal segmentation asked in the question is to assign different forward domain IDs to each network.

The correct answer is C. Industrial Control System (ICS) . The study guide states that “ICS is a main component of OT” and “consists of systems used for monitoring and controlling industrial processes.” It also explains that ICS includes various devices, systems, controls, and networks that manage industrial processes, and that the most common types are SCADA and distributed control systems (DCS) . This makes ICS the primary OT component for monitoring and controlling industrial processes.

The other options are related OT components, but they are not the best answer to this wording. SCADA collects real-time data and helps visualize and control the OT environment, but it is described as a system within the broader ICS structure. PLC devices collect and transmit real-time data and connect sensors and RTUs to SCADA, while IIoT refers to sensors, actuators, and other connected field devices. Therefore, the overarching main OT component for monitoring and controlling industrial processes is ICS .

The correct answers are A and C .

Option A is correct because the study guide explains that with active authentication , FortiGate prompts the user only when they use “an acceptable login protocol.” It states: “When you use only active authentication, if all possible policies that could match the source IP address have authentication enabled, then the user will receive a login prompt (assuming they use an acceptable login protocol).” A direct ping to PLC-1 uses ICMP , which is not the kind of login protocol used to trigger user authentication. So the supervisor must first authenticate through a protocol such as HTTPS or Telnet , then the ICMP traffic can match the authenticated policy.

Option C is also correct because the exhibit shows policy ID 8 greyed out, meaning it is not enabled. That policy appears above the Supervisor_access (9) policy and allows broader access to PLC-1 , whereas policy 9 is limited to ALL_ICMP . The study guide explains that “Because the user has not yet authenticated, the user group aspect of the traffic does not match” and FortiGate continues searching for another complete match. In this case, with policy 8 disabled, the supervisor is left with only the ICMP rule, which cannot be used to perform the initial login step needed for active authentication.

Option B is not supported by the exhibit. Option D is incorrect because auth-on-demand always would force authentication prompts more aggressively, but the core problem here is that the user is trying to start with ICMP and the broader policy that could permit the initial authenticated access is disabled.

The correct answer is B. A firewall policy has a Virtual Patching security profile applied to it .

The decisive clue in the exhibit is the Vulnerabilities column showing KEVs and device-specific vulnerability counts. The study guide explains the virtual patching workflow in this exact way: “FortiGate performs a lookup for device-specific vulnerabilities and mitigation rules in FortiGuard,” then “FortiGuard returns specific OT virtual patching signatures,” and “FortiGate caches the signatures and mitigation rules that apply to each device.” That is the same behavior reflected by the Asset Identity List showing vulnerability information per detected device.

The guide then states that “When traffic related to the vulnerable device reaches FortiGate, the firewall policy with the virtual patching profile applies.” It also says “A virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT device.” This directly links the per-device vulnerability visibility to a Virtual Patching profile enforced through firewall policy.

The other options do not match the exhibit. Antivirus is not described in the study guide as building a device-by-device vulnerability list, Application Control is used for OT protocol and message visibility, and IPS focuses on exploit detection and prevention. The Vulnerabilities/KEVs display is the indicator that FortiGate is using Virtual Patching logic for those OT devices.

The correct answer is C. EtherCAT .

The study guide states that for industrial Ethernet protocols, “such as Ethernet/IP and Modbus/TCP, you can use VLANs to segment your physical LAN into multiple logical LANs.” This directly confirms that Ethernet/IP and Modbus/TCP support VLAN-based segmentation in the OT context.

By contrast, the guide explains that “EtherCAT skips layers 3 to 6 to deliver real-time communication” and describes it as an “Open-Software Modified-Ethernet” approach. Because it does not operate like the standard Ethernet/IP model used for normal VLAN-based segmentation, EtherCAT is the protocol identified here as not supporting VLANs in the way Ethernet/IP and Modbus/TCP do.

So, based on the study guide comparison, the verified answer is EtherCAT .

Based on the technical data provided in the exhibits and the OT Security 7.6 Architect curriculum:

Industrial Protocol Identification (Statement A) : The log details exhibit clearly shows that the Destination Port used in the attack is 502 . According to the study guide ' s section on Industrial Protocol Protection , the standard port used by the Modbus TCP protocol is 502 . Furthermore, the attack name identifies a " Triangle.Research.Nano-10.PLC, " which are industrial controllers commonly utilizing Modbus for communications.

Attack Mitigation (Statement B) : The log details specify that the Action taken by the FortiGate (Edge-FortiGate) was dropped . In cybersecurity and Fortinet fabric operations, dropping a packet associated with an IPS signature means the traffic was blocked from reaching its target, thereby mitigating the attack.

Target IP Address (Statement E) : The log detail explicitly lists the Destination IP as 192.168.2.3 . The Incident Analysis page also titles the incident with dstip:192.168.2.3. While the " Affected Endpoint " is shown as 10.1.5.20 , in an " outgoing " attack direction (as shown in the log), this likely refers to the internal source/attacker IP, whereas the target is the destination IP (192.168.2.3). Thus, Statement E is incorrect.

Protocol Conflict (Statement C) : The IEC 104 protocol typically utilizes port 2404 . Since the log specifies port 502, Statement C is incorrect.

Severity Distinction (Statement D) : While the Incident severity is marked as High , the question specifically asks about event severity. The " Events " table at the bottom of the Incident Analysis page shows a " User login/logout failed " event with a medium severity. Because there is a distinction in the management console between the severity of individual events and the aggregated incident, and Statement A and B are technically definitive based on port and action, A and B are the correct architectural choices.

Based on the architecture of FortiAnalyzer within the Security Fabric and its automation capabilities:

Automation Stitch and Reports : Within the Security Fabric environment, FortiAnalyzer serves as a key element in creating automation stitches and playbooks. For a report to be selectable within a Playbook task (such as the Run_report task shown in the exhibit), it must meet specific technical prerequisites in the report configuration.

Auto-cache Requirement (Answer C) : For a report to be used for automated generation, it must be " ready " to be processed by the engine without manual intervention. Auto-cache must be enabled in the report settings to ensure the report can be generated dynamically and efficiently when triggered by the playbook.

Extended Log Filtering (Answer B) : Playbooks often pass specific variables from the trigger (such as a specific device IP or a time range) into the report. For the report to accept these dynamic parameters and be visible as an " automation-compatible " report in the Playbook interface, Extended Log Filtering must be enabled.

Workflow Constraints : Without these two settings enabled on the report itself, the Playbook engine cannot guarantee the report ' s successful generation or parameter injection, and thus filters it out of the available selection list in the Run_report task.

Based on the provided exhibit and the OT Security 7.6 Architect curriculum regarding the Fortinet Security Fabric :

Fabric Role : The exhibit clearly shows that FortiGate-2 has the role set to Join Fabric . This confirms it is a downstream device and not the Fabric Root (eliminating Option A).

Upstream Connection : The device is configured to point to an Upstream FortiGate at IP address 10.1.2.254 .

Fabric Status : The status is currently displayed as Not Connected . In a standard Fortinet Security Fabric deployment, once a downstream device is configured to join the fabric, it sends a request to the upstream root device. The root FortiGate must then explicitly authorize the downstream unit before the connection is established and the status changes to " Connected. "

Authorization Requirement : The " Not Connected " status, while having the upstream IP correctly configured, is the classic indicator that the authorization step is pending on the root FortiGate. Furthermore, under the LAN Edge Devices section, it shows another downstream FortiGate requiring authorization on this specific unit, highlighting that authorization is a manual security requirement for all stages of the Fabric hierarchy.

FortiAnalyzer Status : While the Logging & Analytics section shows FortiAnalyzer is Disabled , this is a configuration choice and does not prevent the Security Fabric from connecting; therefore, configuring it is not the solution to the connectivity status shown (eliminating Option C).

In summary, FortiGate-2 cannot join the fabric until an administrator logs into the Root FortiGate (10.1.2.254) and authorizes the join request from FortiGate-2.