NSE6_OTS_AR-7.6 Practice Questions

The correct answers are B and C . The study guide states that “You can use application control signatures to detect OT protocols” and that “Application control detects the protocols used in applications like Modbus, IEC 104, and the contents of the telecontrol messages” . It also shows that a Modbus application control profile can be enabled on a firewall policy “for OT protocol visibility in the monitor status.” This directly supports B , because application control is the feature used to identify and monitor OT protocols on FortiGate.

The guide also explains under IPS that “By default, OT signatures are excluded from the signatures lists on the GUI until you enable them on the CLI” using config ips global and set exclude-signatures none . Once enabled, FortiGate can use those OT signatures for OT-aware inspection and protection. That supports C as the second required configuration. A is related to device discovery, not protocol identification, and D is focused on exploit and vulnerability detection rather than the first-step goal of identifying OT protocols.

The correct answers are C and D .

Option D is correct because the study guide states that the configuration of an event handler can include “Rules” and explains that “Rules are granular conditions” and “Event handlers can have one or more rules.” It further states that “FortiAnalyzer uses event handlers to filter all incoming logs” and “If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.” Therefore, to use the automation stitch, you must define the rules on FortiAnalyzer so the event handler can actually generate the event that starts the automation flow.

Option C is also correct. The study guide explains that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to the FortiGate side, and in the attack-detection example it says “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” It also explicitly shows “Stitches configured on root FortiGate.” This means the FortiGate must have the corresponding automation trigger configured for the FortiAnalyzer event handler notification.

Option A is incorrect because the study guide does not describe configuring an Action on FortiAnalyzer as the required step for this FortiAnalyzer-to-FortiGate automation-stitch flow. Option B is also incorrect because playbooks are a different FortiAnalyzer automation mechanism; the question specifically refers to using the Automation Stitch option in the event handler.

The correct answers are C and D .

Option D is correct because the Playbook Monitor clearly shows the starter as On_Demand and the trigger as user(admin) . The study guide states that “ON_DEMAND: The playbook runs when an administrator manually starts it” and also notes that to run it manually, you select the playbook and click Run . This exactly matches the exhibit, so the playbook was manually triggered.

Option C is also correct. The study guide explains that “tasks run one after another” and that “if needed, the output of one task can be used by the tasks that follow it.” It also gives an example where workflow logic matters, such as creating an incident and then attaching details to it. In the exhibit, the sequence shown is Attach_report , then Run_report , then Create_Incident , while the incident analysis shows no report attached . Since the report must exist and the incident must already be available before it can be attached properly, the task order is wrong and must be reordered.

Option B is incorrect because the monitor shows multiple tasks completed successfully, not only Create_Incident . Option A is not the best answer because the main problem demonstrated by the exhibits is not simply waiting time, but the incorrect workflow order. The playbook completed successfully, yet the report is still not attached, which indicates a design issue in the task sequence rather than just a delay.

The correct answers are B and D .

Option B is correct because the profile has Medium , High , and Critical selected, while Low severity is not selected. That means low-severity virtual patching signatures are not enforced by this profile. So for the device with MAC address 12:12:12:12:12 , low-severity signatures are not blocked. The study guide explains virtual patching as device-specific protection where “FortiGate caches the signatures and mitigation rules that apply to each device” and applies them when the related traffic matches the firewall policy.

Option D is correct because the Virtual Patching Exemptions table shows a row with the MAC address 11:11:11:11:11 and no specific signature listed. The study guide states that in the Virtual Patching profile you can “Exempt a specific device with the MAC address or a specific signature.” A MAC-only exemption means that specific device is excluded from virtual patching enforcement, so in practical terms it is treated as having no applicable vulnerabilities in this profile.

Option C is incorrect because the profile does not block critical signatures for all devices. The exemptions list proves that at least one device can be excluded by MAC address, and a specific signature can also be exempted. Therefore, enforcement is not universal across all devices.

Option A is incorrect because the entry Schneider.Electric.ClearSCAD

A.  

The correct answers are A and B .

Option B is correct because the study guide states that “When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” to FortiGate. If Automation Stitch is not enabled in the FortiAnalyzer event handler, that handler will not be usable for the FortiGate automation-stitch workflow. The guide also explains that the configuration of each event handler can include “Automation stitches” and “Rules,” showing that this is a required part of the FortiAnalyzer-to-FortiGate automation path.

Option A is also correct. The study guide explains the automation flow in the Security Fabric: “FortiAnalyzer parses the logs and notifies the root FortiGate” and then “The root FortiGate triggers the action.” That means FortiGate must have the FortiAnalyzer connection configured through the Security Fabric side before it can consume FortiAnalyzer event handlers. The warning in the exhibit about configuring a FortiAnalyzer connection also points directly to that requirement.

Option C is incorrect because + Create is not the reason the existing event handler is missing; it is only an interface control. Option D is not the best answer for this item because the question is about why the event handler name list on FortiGate is empty for FortiAnalyzer-triggered automation. The study guide’s verified requirements for that workflow are the FortiAnalyzer-to-FortiGate Fabric connection and enabling Automation Stitch on the FortiAnalyzer event handler.

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.