NSE6_OTS_AR-7.6 Exam Dumps - Fortinet NSE 6 - OT Security 7.6 Architect

According to the OT Security 7.6 Architect study guide regarding IEC 62443 Security Levels :

Security Level 4 (SL 4) Definition : This level provides " Protection against intentional violation using sophisticated means with extended resources, specific skills, and high motivation " .

Real-World Application : The study guide specifically notes: " If you are facing a syndicate of cyber extortionists with extensive resources and capabilities, then you should strive for security level 4 " .

Comparison to other levels :

SL 1 : Protection against " casual or unintentional system violation " .

SL 2 : Protection against " intentional violation using simple means with low resources " .

SL 3 : Protection against " intentional violation using sophisticated means with moderate resources " .

According to the OT Security 7.6 Architect study guide section on Asset Management , specifically regarding FortiNAC Visibility :

Layer 2 Polling Data : Because each physical address is unique, FortiNAC identifies hosts as they connect to the network. The information gathered during this process fills in the physical address and location information in the database.

Visibility Components : The guide states that the physical address learned , the time it was learned , and where it was learned from provide the foundation of endpoint visibility in the form of " what, where, and when " information. This confirms that Where it was learned (Option A) and The time it was learned (Option D) are correct.

Exclusions :

Layer 3 Polling : The MAC-to-IP correlation (Option B) is explicitly defined as a function of Layer 3 polling , where the correlated IP address is added to the database record for the corresponding MAC address.

DHCP Fingerprinting : The host name or system name (Option C) and the operating system are gathered via DHCP fingerprinting , not layer 2 polling.

The correct answers are C and D .

Option C is correct because the study guide explains that when “a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification” and, in the Security Fabric workflow, “FortiAnalyzer parses the logs and notifies the root FortiGate.” This means FortiGate must first have the FortiAnalyzer connection configured so it can consume FortiAnalyzer event handlers and use them in automation. The wizard message in the exhibit also points to this requirement by indicating that a FortiAnalyzer connection must be configured.

Option D is also correct because the study guide explicitly says that in this automation flow “the root FortiGate triggers the action” and shows “Stitches configured on root FortiGate.” Therefore, if you want the FortiAnalyzer event handler to appear and be usable for automation, the trigger must be configured on the root FortiGate , not on an arbitrary downstream FortiGate.

Option A is incorrect because + Create is only a GUI control and does not solve the missing-event-handler visibility problem. Option B is not identified in the study guide as the requirement for making a FortiAnalyzer event handler available in the FortiGate automation trigger list.

The correct answers are A and C .

Option C is correct because the profile clearly contains the Operational Technology category and specific OT application signatures such as Modbus and IEC.60870.5.104 . The study guide says “You can use application control signatures to detect OT protocols” and “You can filter to a specific OT protocol.” That means OT application signatures are active in this sensor profile.

Option A is correct because the guide explains that application control works at different levels: “Detection of protocol (one detection per session)” and “Message level (one detection per protocol message).” It also says you can use application signatures for “granular message type identification.” In the exhibit, IEC.60870.5.104.Control.Functions is explicitly configured, which is a granular IEC message/control-level signature rather than only a protocol-level match. That means logging and control can occur at the IEC command level.

Option B is not correct because the profile shows Modbus configured at the parent protocol level as Monitor , while the guide states that the “parent signature takes precedence over the child signature.” Since protocol-level detection is one detection per session , that does not mean FortiGate will necessarily log each Modbus command individually.

Option D is incorrect because even though the broader Operational Technology category is set to block, the profile includes specific application and filter overrides for Modbus and IEC 104 behavior. So the resulting effect is not simply that all OT protocols are blocked .