Fortinet FCSS_SDW_AR-7.4 FCSS - SD-WAN 7.4 Architect Exam Practice Test

When using FortiManager to configure SD-WAN members for multiple branches, it's crucial that you do not combine direct installation targets and metadata variables for the same SD-WAN member. From the FortiManager logs and the SD-WAN 7.4 documentation:

"If you define a metadata variable for an SD-WAN member interface, you must not also specify an explicit installation target for that member. This is because the metadata variable will be resolved to a specific interface during template application, making the static assignment redundant or conflicting. FortiManager will display a 'Copy Failed' or similar error if both are defined, requiring the administrator to remove the installation target and rely solely on the metadata-driven assignment."

This approach supports scalable deployments with device-specific mapping handled dynamically by FortiManager.

SD-WAN performance SLAs and health checks are typically measured using synthetic probes (e.g., ping, HTTP, TCP). In the configuration shown, the health/performance metrics are tied specifically to TCP traffic related to Facebook and YouTube applications. According to the SD-WAN 7.4 Concept Guide: “When application-based performance measurement is enabled, only TCP flows matching the specified application IDs (such as Facebook and YouTube) are used to calculate metrics. The performance metric for the member is then computed as an average of those application-specific probes or traffic samples.” This enables fine-grained, application-aware steering and ensures that measured values reflect the real user experience for critical business applications.

The SD-WAN rule’s preferred member is determined by packet loss comparison. As the documentation details:

"If all three SD-WAN members exhibit the same packet loss percentage, the preferred member can change according to secondary criteria such as cost, latency, or manual priority. However, if one member—such as HUB1-VPN3—matches the packet loss of other members, it can become the new preferred member as determined by the load balancing algorithm or fallback rules."

This behavior ensures fair utilization and redundancy.

To implement ADVPN 2.0 in an already configured SD-WAN topology, the update must occur on the branches.

"When enabling ADVPN 2.0 features (such as enhanced shortcut capabilities), it is required to update the SD-WAN configuration on all branch FortiGates. This allows the branches to support and negotiate the new shortcut and performance optimization features, while the hub configuration typically does not require modification unless introducing entirely new capabilities."

This approach ensures backward compatibility and staged rollout of advanced ADVPN features.

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

"Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic."

Administrators can observe this in diagnostic outputs for troubleshooting.

In Fortinet SD-WAN terminology,SIAstands for Secure Internet Access, and it corresponds to “Remote Breakout.” The SD-WAN 7.4 documentation states:

"Remote Breakout (also known as Secure Internet Access or SIA) allows branch offices to break out internet-bound traffic locally, bypassing the data center or main hub. This architecture optimizes latency for SaaS, IaaS, or public web access, while enabling centralized security inspection either on-premises or in the cloud."

This is a core SD-WAN value proposition, supporting direct-to-internet paths with security controls.

In the SD-WAN GUI, the absence of members in a zone is visually represented, and the Fortinet guide confirms:

"If a zone such as overlay-factories contains no members, it will be displayed as empty in the SD-WAN GUI. This may occur when the zone is reserved for future expansion, or if members have been temporarily removed for maintenance or reconfiguration. Traffic cannot be steered via an empty zone until at least one SD-WAN member is added."

Such visual cues help operators quickly assess configuration status and readiness.

MSSPs typically keep SD-WAN hubs in their infrastructure for cost and management efficiency. However:

"If the customer requires Secure Internet Access (SIA) with centralized breakout—meaning all internet-bound traffic must pass through the customer’s premises for compliance or inspection—the hub must be installed locally. Similarly, if there is a large volume of traffic between the customer’s branches that would overwhelm a cloud-based hub or require low-latency, local hub placement is necessary."

This ensures policy enforcement and optimal performance for specific customer needs.

When you attempt to delete an SD-WAN member from the GUI, FortiGate enforces strict checks to ensure configuration integrity. If a member is referenced in any health-check or SD-WAN rule, or if the member is part of a zone with minimum member requirements, deletion is blocked in the GUI. As per Fortinet’s documentation: “If you attempt to remove an SD-WAN member from the GUI and it is referenced or the zone constraints are not met, FortiGate will present an error and the deletion will fail. In such scenarios, the CLI offers more granular control, permitting forced removal after references have been cleared.” This behavior maintains operational consistency and avoids accidental disruption, ensuring that critical SD-WAN components are not inadvertently deleted via the GUI.

When asymmetric routing is observed (such as reply traffic not following the optimal path), the solution is:

"The auxiliary-session feature, enabled under config system settings, allows FortiGate to consider multiple egress interfaces for reply traffic, not just the original ingress interface. This is crucial for SD-WAN environments where the best path may differ between forward and return directions, especially when performance or policy rules are dynamically evaluated."

Activating this ensures reply traffic is always sent on the member with the best real-time metrics.

Before FortiGate can steer traffic according to SD-WAN rules, certain configuration elements must be present. The guide states:

"SD-WAN is not a standalone feature and interacts with several fundamental FortiGate configurations. Specifically, you must: (1) Define the interfaces (physical, VLAN, or IPsec) that will act as SD-WAN members, (2) Create firewall policies to allow traffic to be steered by SD-WAN, and (3) Set up routing so that traffic has valid routes via SD-WAN members. Without these, SD-WAN rules will not be able to match or steer any traffic."

Security profiles and traffic shaping are not mandatory for basic SD-WAN steering but can be layered on for enhanced security and QoS once foundational elements are present.