NSE6_OTS_AR-7.6 Fortinet NSE 6 - OT Security 7.6 Architect Questions and Answers

The correct answer is D. EtherCAT . The study guide explicitly states under the Ethernet/IP and EtherCAT section that “EtherCAT is a protocol that offers real-time communication in a primary-secondary configuration” and “EtherCAT skips layers 3 to 6 to deliver real-time communication.” It also adds that “the most important feature of this protocol is that secondary devices collect only the information they need from the data packets.” This matches the exhibit exactly, where the diagram shows Real-Time Data above a Proprietary MAC and Proprietary physical layer , reflecting the protocol structure that bypasses the intermediate OSI layers.

The other options do not match this behavior. The guide says POWERLINK uses layer 2 and layer 7 of the OSI model, not that it skips layers 3 to 6. It also explains that Ethernet/IP is the industrial protocol based entirely on Ethernet standards and adapts to the OSI model. Modbus is described as an open client/server protocol and is not suitable for transmitting data in real time . Therefore, the protocol in the exhibit is clearly EtherCAT .

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.

The correct answer is D. You can configure forward domain IDs for each network . The study guide explains that in FortiGate transparent mode, “all interfaces belong to the same broadcast domain, even interfaces with different VLAN IDs” and then states that you should “use this command to subdivide into multiple broadcast domains” with set forward-domain < domain_ID > . It further explains that “interfaces with the same domain ID belong to the same broadcast domain” and “traffic arriving on one interface is broadcast only to interfaces in the same forward domain ID.” This is exactly the mechanism used to separate one internal network from another and improve segmentation.

The other options do not match this requirement. Universal ZTNA is described as controlling user access to applications , not segmenting two internal OT networks. An explicit software switch is for controlling intra-switch or intra-VLAN traffic inside the same software switch broadcast domain, which is more aligned with microsegmentation than separating two routed internal networks. One traffic VDOM does not create segmentation by itself; segmentation with VDOMs requires multiple VDOMs, not one. Therefore, the best choice for segmenting network 1 and network 2 in this scenario is to assign separate forward domain IDs .

The correct answers are B. Real-time control and D. Determinism . The study guide defines industrial Ethernet as the “use of Ethernet and TCP/IP as transport mechanisms for industrial protocols” and states that it provides “real-time control,” “low latency,” and “determinism (meaning reliable and predictable data delivery)” in harsh environments. It further explains that industrial Ethernet “provides deterministic communication between machine controllers, actuators, sensors, and other units.” These statements directly confirm that the two key advantages are real-time control and determinism.

The other options are not supported by the study guide as core advantages of industrial Ethernet. Encryption is not listed as one of the benefits in this section, and remote access is discussed elsewhere in the OT architecture but not as a defining advantage of industrial Ethernet itself. The guide is explicit that the main benefits here are predictable delivery and real-time communication, which are essential in industrial control environments where timing and reliability matter.

Deploying a FortiGate in offline IDS (also known as one-arm sniffer mode) is a common strategy in OT environments for several reasons found in the study guide:

Priority of Availability : In OT, availability and safety are critically important and prioritized higher than in IT. An offline IDS minimizes impact because it does not sit in the direct path of production traffic.

Network Sensor Role : In this mode, the FortiGate is connected to a mirror/SPAN port on a switch. It acts as a network sensor , receiving a copy of the traffic rather than having the traffic flow through it. This confirms Statement A is correct and Statement D is incorrect.

Passive vs. Active : The guide explicitly states that in OT environments, passive methods are preferred over active methods to avoid negatively impacting performance or causing process interruptions.

Depth of Visibility : Even though the device is offline, you apply security profiles (such as IPS, Application Control, and Antivirus) to the sniffer interface. This allows the FortiGate to analyze the copied traffic and provide deep visibility into the OT assets and their behaviors. This confirms Statement B is correct.

Detection vs. Prevention : An IDS (Intrusion Detection System) is passive ; it can detect threats but cannot reset connections or drop packets to block attacks. Therefore, it cannot block zero-day attacks, making Statement C incorrect.

The correct answer is D. Automatically by an event handler . The study guide explicitly states that “Event handlers generate events on FortiAnalyzer” and “FortiAnalyzer uses event handlers to filter all incoming logs. If the logs received match the conditions set in the event handlers, FortiAnalyzer generates an event.” It also says “You can view all generated events on the Event Monitor page.” This directly matches the exhibit, which is showing entries on the Event Monitor page. Therefore, the attack shown there was detected automatically through an event handler .

The guide also explains the detection flow: “FortiAnalyzer receives logs,” “FortiAnalyzer parses logs,” and “FortiAnalyzer generates an event if a rule is matched in an event handler.” In addition, the Event Monitor view includes the Handler column, which identifies the event handler that generated the event. That is why the attack is not considered manually detected, and it is not primarily detected by a playbook or stitch. Playbooks and stitches are used for subsequent automation actions, but the event appearing in Event Monitor is created by the event handler mechanism.

According to the OT Security 7.6 Architect study guide regarding IEC 62443 Security Levels :

Security Level 4 (SL 4) Definition : This level provides "Protection against intentional violation using sophisticated means with extended resources, specific skills, and high motivation".

Real-World Application : The study guide specifically notes: "If you are facing a syndicate of cyber extortionists with extensive resources and capabilities, then you should strive for security level 4".

Comparison to other levels :

SL 1 : Protection against "casual or unintentional system violation".

SL 2 : Protection against "intentional violation using simple means with low resources".

SL 3 : Protection against "intentional violation using sophisticated means with moderate resources".