NSE6_OTS_AR-7.6 Practice Questions

The correct answers are C and D .

Option D is correct because the Playbook Monitor clearly shows the starter as On_Demand and the trigger as user(admin) . The study guide states that “ON_DEMAND: The playbook runs when an administrator manually starts it” and also notes that to run it manually, you select the playbook and click Run . This exactly matches the exhibit, so the playbook was manually triggered.

Option C is also correct. The study guide explains that “tasks run one after another” and that “if needed, the output of one task can be used by the tasks that follow it.” It also gives an example where workflow logic matters, such as creating an incident and then attaching details to it. In the exhibit, the sequence shown is Attach_report , then Run_report , then Create_Incident , while the incident analysis shows no report attached . Since the report must exist and the incident must already be available before it can be attached properly, the task order is wrong and must be reordered.

Option B is incorrect because the monitor shows multiple tasks completed successfully, not only Create_Incident . Option A is not the best answer because the main problem demonstrated by the exhibits is not simply waiting time, but the incorrect workflow order. The playbook completed successfully, yet the report is still not attached, which indicates a design issue in the task sequence rather than just a delay.

The correct answers are A and C .

Option A is correct because the study guide explains that with active authentication , FortiGate prompts the user only when they use “an acceptable login protocol.” It states: “When you use only active authentication, if all possible policies that could match the source IP address have authentication enabled, then the user will receive a login prompt (assuming they use an acceptable login protocol).” A direct ping to PLC-1 uses ICMP , which is not the kind of login protocol used to trigger user authentication. So the supervisor must first authenticate through a protocol such as HTTPS or Telnet , then the ICMP traffic can match the authenticated policy.

Option C is also correct because the exhibit shows policy ID 8 greyed out, meaning it is not enabled. That policy appears above the Supervisor_access (9) policy and allows broader access to PLC-1 , whereas policy 9 is limited to ALL_ICMP . The study guide explains that “Because the user has not yet authenticated, the user group aspect of the traffic does not match” and FortiGate continues searching for another complete match. In this case, with policy 8 disabled, the supervisor is left with only the ICMP rule, which cannot be used to perform the initial login step needed for active authentication.

Option B is not supported by the exhibit. Option D is incorrect because auth-on-demand always would force authentication prompts more aggressively, but the core problem here is that the user is trying to start with ICMP and the broader policy that could permit the initial authenticated access is disabled.

The correct answers are A and B .

Option B is correct because the study guide states that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to FortiGate. If Automation Stitch is not enabled in the FortiAnalyzer event handler, that handler will not be usable for the FortiGate automation-stitch workflow. The guide also explains that the configuration of each event handler can include “Automation stitches” and “Rules,” showing that this is a required part of the FortiAnalyzer-to-FortiGate automation path.

Option A is also correct. The study guide explains the automation flow in the Security Fabric: “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” That means FortiGate must have the FortiAnalyzer connection configured through the Security Fabric side before it can consume FortiAnalyzer event handlers. The warning in the exhibit about configuring a FortiAnalyzer connection also points directly to that requirement.

Option C is incorrect because + Create is not the reason the existing event handler is missing; it is only an interface control. Option D is not the best answer for this item because the question is about why the event handler name list on FortiGate is empty for FortiAnalyzer-triggered automation. The study guide’s verified requirements for that workflow are the FortiAnalyzer-to-FortiGate Fabric connection and enabling Automation Stitch on the FortiAnalyzer event handler.