Master Fortinet NSE6_OTS_AR-7.6: NSE 6 - OT Security 7.6 Architect Exam Prep

Correct : C, D

The correct answers are C and D.

Option D is correct because the study guide states that the configuration of an event handler can include ''Rules'' and explains that ''Rules are granular conditions'' and ''Event handlers can have one or more rules.'' It further states that ''FortiAnalyzer uses event handlers to filter all incoming logs'' and ''If logs match the conditions configured in an event handler, FortiAnalyzer generates an event.'' Therefore, to use the automation stitch, you must define the rules on FortiAnalyzer so the event handler can actually generate the event that starts the automation flow.

Option C is also correct. The study guide explains that ''When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification'' to the FortiGate side, and in the attack-detection example it says ''FortiAnalyzer parses the logs and notifies the root FortiGate'' and then ''The root FortiGate triggers the action.'' It also explicitly shows ''Stitches configured on root FortiGate.'' This means the FortiGate must have the corresponding automation trigger configured for the FortiAnalyzer event handler notification.

Option A is incorrect because the study guide does not describe configuring an Action on FortiAnalyzer as the required step for this FortiAnalyzer-to-FortiGate automation-stitch flow. Option B is also incorrect because playbooks are a different FortiAnalyzer automation mechanism; the question specifically refers to using the Automation Stitch option in the event handler.

Correct : A, B

Based on the exhibit and the OT Security 7.6 Architect standards for Secure Remote Access:

Secure Tunneling (Statement A): The exhibit shows a Remote PC connecting through a VPN Cloud to the Edge-FortiGate. In the Fortinet architecture, IPsec VPN is the primary method for establishing a secure, encrypted tunnel for remote administrators or supervisors to access the internal OT segments (Level 2/3) from an external location.

Multi-Factor Authentication (Statement B): Secure remote access in OT environments (aligned with IEC 62443 standards) requires strong authentication. The study guide emphasizes the use of FortiToken to provide Two-Factor Authentication (2FA) for VPN users, ensuring that compromised credentials alone are not enough to gain access to critical infrastructure.

FSSO (Statement D): Fortinet Single Sign-On is generally used for identifying internal users already on the network to apply identity-based policies; it is not the primary mechanism for establishing the remote connection itself.

SD-WAN (Statement C): While SD-WAN can manage the path of the VPN traffic, it is a WAN optimization and reliability feature, not a 'secure remote access' feature for a supervisor in the context of authentication and encryption.

Correct : A, B

The correct answers are A and B.

Option B is correct because the study guide states that ''When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a notification'' to FortiGate. If Automation Stitch is not enabled in the FortiAnalyzer event handler, that handler will not be usable for the FortiGate automation-stitch workflow. The guide also explains that the configuration of each event handler can include ''Automation stitches'' and ''Rules,'' showing that this is a required part of the FortiAnalyzer-to-FortiGate automation path.

Option A is also correct. The study guide explains the automation flow in the Security Fabric: ''FortiAnalyzer parses the logs and notifies the root FortiGate'' and then ''The root FortiGate triggers the action.'' That means FortiGate must have the FortiAnalyzer connection configured through the Security Fabric side before it can consume FortiAnalyzer event handlers. The warning in the exhibit about configuring a FortiAnalyzer connection also points directly to that requirement.

Option C is incorrect because + Create is not the reason the existing event handler is missing; it is only an interface control. Option D is not the best answer for this item because the question is about why the event handler name list on FortiGate is empty for FortiAnalyzer-triggered automation. The study guide's verified requirements for that workflow are the FortiAnalyzer-to-FortiGate Fabric connection and enabling Automation Stitch on the FortiAnalyzer event handler.

Correct : C

The correct answer is C. Industrial Control System (ICS). The study guide states that ''ICS is a main component of OT'' and ''consists of systems used for monitoring and controlling industrial processes.'' It also explains that ICS includes various devices, systems, controls, and networks that manage industrial processes, and that the most common types are SCADA and distributed control systems (DCS). This makes ICS the primary OT component for monitoring and controlling industrial processes.

The other options are related OT components, but they are not the best answer to this wording. SCADA collects real-time data and helps visualize and control the OT environment, but it is described as a system within the broader ICS structure. PLC devices collect and transmit real-time data and connect sensors and RTUs to SCADA, while IIoT refers to sensors, actuators, and other connected field devices. Therefore, the overarching main OT component for monitoring and controlling industrial processes is ICS.

Correct : D

Based on the provided exhibit and the OT Security 7.6 Architect curriculum regarding the Fortinet Security Fabric:

Fabric Role: The exhibit clearly shows that FortiGate-2 has the role set to Join Fabric. This confirms it is a downstream device and not the Fabric Root (eliminating Option A).

Upstream Connection: The device is configured to point to an Upstream FortiGate at IP address 10.1.2.254.

Fabric Status: The status is currently displayed as Not Connected. In a standard Fortinet Security Fabric deployment, once a downstream device is configured to join the fabric, it sends a request to the upstream root device. The root FortiGate must then explicitly authorize the downstream unit before the connection is established and the status changes to 'Connected.'

Authorization Requirement: The 'Not Connected' status, while having the upstream IP correctly configured, is the classic indicator that the authorization step is pending on the root FortiGate. Furthermore, under the LAN Edge Devices section, it shows another downstream FortiGate requiring authorization on this specific unit, highlighting that authorization is a manual security requirement for all stages of the Fabric hierarchy.

FortiAnalyzer Status: While the Logging & Analytics section shows FortiAnalyzer is Disabled, this is a configuration choice and does not prevent the Security Fabric from connecting; therefore, configuring it is not the solution to the connectivity status shown (eliminating Option C).

In summary, FortiGate-2 cannot join the fabric until an administrator logs into the Root FortiGate (10.1.2.254) and authorizes the join request from FortiGate-2.