Fortinet NSE6_SDW_AD-7.6 Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator Exam Practice Test

When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.

When referencing a zone in a static route, FortiGate’s behavior is described as:

"Referencing a zone in a static route causes FortiGate to install a static route for each member interface of the zone. This enables ECMP (Equal-Cost Multi-Path) and load balancing where supported and ensures that traffic can be steered over any valid zone member according to SD-WAN rules or standard routing."

This mechanism is fundamental to Fortinet’s implementation of SD-WAN and simplifies large, multi-interface deployments.

In FortiOS 7.6, static routes can reference either:

an SD-WAN zone (for example, virtual-wan-link or a user-defined SD-WAN zone), or

a specific SD-WAN member interface that belongs to that zone.

However, FortiOS enforces a routing constraint to avoid ambiguity during route resolution. Two static routes cannot have the same destination prefix if one points to an SD-WAN zone and the other points to an SD-WAN member within that zone. This would create an overlapping and conflicting forwarding decision.

Therefore, if you configure:

one static route that references an SD-WAN zone, and

another static route that references an SD-WAN member belonging to that same zone,

the destination subnets of the two static routes must be different.

Why the other options are incorrect:

Option A is incorrect because FortiOS does allow static routes that reference individual SD-WAN members.

Option B is incorrect because static routes can reference SD-WAN zones.

Option D is incorrect because static routing decisions in FortiOS are based on destination prefixes, not source prefixes.

Thus, the correct answer is C.

The rule is in SLA mode with two SLAs. From the status, HUB1-VPN2 and HUB1-VPN3 meet the SLA (sla(0x2) and sla(0x3)), while HUB1-VPN1 does not (sla(0x0)). Among members that meet SLA, FortiGate uses the configured order (priority-members 4 5 6) to pick the first eligible one—HUB1-VPN2—so traffic is routed over HUB1-VPN2.

Traffic steering in Fortinet SD-WAN is based on defined rules and the corresponding outgoing interfaces. The exhibit (not shown here) would indicate that the traffic from the LAN subnet 10.0.1.0/24 to the server 10.2.5.254 is matched by SD-WAN rule 3 and sent out via the HUB1-VPN3 interface.

In the exhibit, the IPsec tunnel statistics event log entries include the field advpnsc.

Fortinet documents that advpnsc identifies whether the VPN event is based on an ADVPN shortcut:

advpnsc=1 → the tunnel is an ADVPN shortcut

advpnsc=0 → not an ADVPN shortcut (Fortinet Documentation Library)

In the shown logs, the tunnel vpntunnel="HUB1-VPN1_0" has advpnsc=1, which means HUB1-VPN1_0 is an ADVPN shortcut tunnel. (Fortinet Documentation Library)

The other tunnels shown (for example VPN4_0 and HUB2-VPN3) have advpnsc=0, which only indicates no shortcut is identified for those log entries—it does not prove they “cannot accept” shortcuts, only that the specific event is not a shortcut. (Fortinet Documentation Library)

Comprehensive and Detailed 150 to 200 words of Explanation From Exact Extract of SD-WAN 7.6 Enterprise Administrator documents:

When a FortiGate device is onboarded using a Device Blueprint in FortiManager, the system automates the provisioning process by applying the linked templates and scripts as soon as the device is authorized and connects. In this scenario, the Device Blueprint includes a CLI Template named "LAN-interface" and Provisioning Templates (corp_st and LAN-interface).

According to Fortinet documentation regarding Zero-Touch Provisioning (ZTP) and Blueprint workflows, FortiManager processes the CLI script configuration as part of the initial onboarding sync. The provided CLI script explicitly contains instructions for port1, port2, and port5. Specifically, it sets port1 and port2 to mode dhcp. Even though port1 already has a manual IP address ($15.1.0.154$) used for the initial FGFM connection, the FortiManager will push the configuration defined in the template.

When FortiManager pushes a configuration change to the interface used for the FGFM tunnel (port1), it does so by updating the configuration database. Since the template specifies set mode dhcp for port1 and port2, and a specific IP range for port5 using a metadata variable (10.0.$(branch_id).254), all three ports will be updated. Consequently, they may receive new IP addresses based on DHCP assignments or variable substitution. FortiManager is capable of updating the management interface as long as the new configuration does not permanently sever the FGFM connection.

Rules template → Defines the SD-WAN rules for traffic steering.

BGP template → Configures dynamic routing for overlay tunnels.

IPsec tunnel template → Builds the IPsec VPN tunnels from the spoke to the hubs.

Hosting the hub at the MSSP centralizes installation, security, and ongoing management while each site (spoke) keeps local DIA. This can be done multi-tenant with a shared hub using a dedicated VDOM or with a fully dedicated hub per customer for stricter isolation and control, both meeting the requirement to delegate administration to the MSSP and support high inter-site traffic.

In FortiOS 7.6, local-out traffic is traffic generated by the FortiGate itself, such as ping, traceroute, FortiGuard updates, DNS, NTP, and SNMP. Local-out traffic does not traverse the firewall policy engine and therefore behaves differently from forwarded traffic in SD-WAN.

According to the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture documentation, local-out traffic does not use SD-WAN by default. Instead, it follows the routing table (static and dynamic routes). To allow local-out traffic to be evaluated by SD-WAN rules, the administrator must explicitly enable local-out SD-WAN processing.

The curriculum also states that only SD-WAN rules using the manual strategy are supported for local-out traffic. SLA-based, application-based, and dynamic strategies are not evaluated for traffic generated by the FortiGate itself. This is a fundamental architectural limitation of SD-WAN in FortiOS 7.6.

Option B is incorrect because FortiGate does not automatically apply SD-WAN rules to ping or traceroute traffic by default. Even these tools follow the routing table unless local-out SD-WAN is enabled.

Option D is incorrect because local-out SD-WAN configuration is global. Individual local-out features do not require separate SD-WAN enablement.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.

The router policy explicitly denies traffic with source 10.0.1.128/25 (which includes 10.0.1.130) and destination 128.66.0.0/24 (which includes 128.66.0.125). Even though SD-WAN service 4 shows members (port1 and port2) alive and available for this traffic, the router policy is evaluated first and blocks it. Therefore, FortiGate drops the traffic flow.

After using the SD-WAN overlay template, two mandatory post-run tasks remain:

"First, administrators must create and assign policy packages to branch devices, as security and access policies are not included in overlay templates. Second, SD-WAN rules must be configured so that traffic can be matched and steered appropriately through the established overlays. Neglecting either task results in ungoverned traffic or inefficient routing, undermining the benefits of SD-WAN."

Templates automate topology, but policy and rule definition are critical for operational effectiveness.

When using the diagnose sys session list command, SD-WAN-specific session steering is indicated by the presence of the sdwan_service_id field in the session data. This identifier ties the session directly to a specific SD-WAN rule or service. As noted in the Fortinet documentation: “Sessions that are handled according to SD-WAN rules will include a service ID tag (sdwan_service_id) in their session listing. This allows administrators to correlate live sessions with SD-WAN policy matches for troubleshooting and visibility.” This is a crucial diagnostic tool, as it distinguishes between traffic managed by traditional routing and that explicitly controlled by SD-WAN steering logic, aiding in operational insight and troubleshooting.

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive, FortiGate attempts to measure link performance using passive monitoring first, based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive, FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A.

During passive monitoring, FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic, not ICMP traffic. ICMP is used for active probing, not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware. Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D.

The diagnose output shows multiple ADVPN tunnels (HUB1-VPN1, HUB1-VPN2, HUB1-VPN3) with detailed latency, jitter, and packet loss values being reported for each. In ADVPN, the spoke performs embedded health checks and provides the hub with the performance metrics for each tunnel. Therefore, the device in the exhibit is a spoke, and it is sending health-check measurements for each tunnel to the hub.

The SD-WAN monitor’s table view in FortiManager provides a donut visualization plus a detailed table that shows each SD-WAN member’s status and SLA pass/miss, giving the per-member health view you’re after.

Within ADVPN topologies, shortcut requests and responses traverse spokes and hubs. Fortinet documentation states:

"When a spoke receives a shortcut query from another spoke, it may forward the response to its hub for validation or to facilitate dynamic shortcut tunnel setup. This mechanism allows direct spoke-to-spoke communication for optimized routing and performance, reducing latency and offloading the hub after initial control-plane mediation."

This is a core benefit of ADVPN’s dynamic shortcut feature.

From the SD-WAN Zones view in the FortiGate GUI:

virtual-wan-link is the default SD-WAN zone. This zone is system-defined and cannot be deleted, which makes option A incorrect.

The WAN2 zone is displayed without any expandable members beneath it, indicating that no SD-WAN members are currently assigned to the WAN2 zone. This directly supports option B.

A zone can be deleted only if it has no members and is not system-defined, but the exhibit does not indicate that WAN1 is eligible for deletion. Therefore, option C cannot be concluded from the information shown.

In FortiOS SD-WAN, an SD-WAN member can belong to only one SD-WAN zone at a time. A member such as B-125 cannot be assigned to both the WAN3 zone and the Test zone simultaneously, which makes option D incorrect.

The SD-WAN rule (config service edit 1) is configured with set mode priority. This means the rule selects the best interface based on a defined performance metric, as opposed to a simple static priority or SLA. The event log (image_41cfb5.png) shows Metric latency and Message Service prioritized by performance metric will be redirected in sequence order. This indicates that the rule is using latency to determine the preferred member. Given that the log message is about a change, and the most logical reason for a change in a priority mode is that a different member is now the best performer, it implies that the latency on port2 has become lower than that on port1.

The log message Service prioritized by performance metric will be redirected in sequence order confirms that FortiGate is changing the member being used for this service. Because the mode is priority, FortiGate dynamically selects the member that currently meets the best performance criteria, which in this case is latency. The log implies a new member has been selected as the most optimal, and with the default configuration, the members are sorted based on their performance, so the outgoing interface list is effectively updated to prefer the new best-performing member (port2).

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

"Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic."

Administrators can observe this in diagnostic outputs for troubleshooting.

In FortiOS 7.6, SD-WAN rules can steer traffic based on Internet Services, which represent predefined application and service signatures maintained by FortiGuard. Common applications such as Facebook and LinkedIn are included in the Internet Service database.

According to the FCSS SD-WAN 7.6 curriculum, when configuring an SD-WAN rule from the GUI on a standalone FortiGate device, applications are selected as destinations using the Internet service field, not by enabling a separate application destination field. The exhibit highlights the Internet service option under the Destination section, which is the correct method to match traffic for specific applications.

Option A is incorrect because there is no GUI option to enable application visibility as destinations for SD-WAN rules. Application matching is already abstracted through Internet Services.

Option C is incorrect because standalone FortiGate devices fully support application-based steering using Internet Services in SD-WAN rules.

Option D is incorrect because no additional license is required to use Internet Services in SD-WAN rules. This functionality is included in FortiOS and relies on the built-in FortiGuard Internet Service database.

Therefore, to steer Facebook and LinkedIn traffic through a specific WAN link, you must select Facebook and LinkedIn in the Internet service field, which corresponds to option B.