Fortinet NSE6_SDW_AD-7.6 Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator Exam Practice Test

Policy 3 points traffic To = HUB1-VPN1, which is an SD-WAN member interface. In SD-WAN you must reference the SD-WAN zone (the logical interface) in policies, not its member tunnels. Change the policy’s To interface to the zone HUB1, and the install will succeed.

The FCSS SD-WAN 7.6 curriculum describes multiple standard SD-WAN deployment designs , each mapped to a specific operational goal or constraint.

A cloud on-ramp topology is designed to optimize connectivity to cloud services such as SaaS and IaaS. This design provides the most efficient and reliable path to cloud applications by establishing direct tunnels to cloud gateways or cloud workloads and by avoiding backhauling traffic through a central data center. As a result, its primary indication is improving the performance of cloud applications , which makes option A correct.

A remote breakout (centralized breakout) design forwards all internet-bound traffic from branch sites to a central hub for security inspection. This allows security policies, inspection, and logging to be centralized on a high-capacity FortiGate at the hub. Because branch devices do not need advanced local security configurations, this design also limits local management requirements , which makes option C correct.

Option B is incorrect because a standalone SD-WAN design is not selected simply because a site has only one WAN link . SD-WAN provides its main benefits when multiple WAN paths exist, and single-link sites do not gain meaningful traffic-steering advantages.

Option D is incorrect because a direct internet access (DIA) design performs local internet breakout at the branch and therefore requires strong local security capabilities. DIA does not inherently increase traffic security and is not intended for devices with limited capabilities.

Therefore, the two correct associations are A and C .

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive , FortiGate attempts to measure link performance using passive monitoring first , based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive , FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A .

During passive monitoring , FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic , not ICMP traffic. ICMP is used for active probing , not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware . Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D .

The session details show the symmetric flow’s original direction as port3 → port2.

The asymmetric flow’s reply direction is listed as port2 → port3.

When you enable ADVPN (auto-discovery VPN) in the overlay template, FortiManager automatically updates both the IPsec and BGP templates on the hub so that shortcut tunnels can be established dynamically.

ADVPN can be activated in the SD-WAN overlay template for any supported topology, including dual-hub primary–primary, not just single hub.

" Secure internet access (SIA), also known as remote breakout, is another use case for SD-WAN. "

FortiManager enforces a strict distinction:

" Firewall policies must reference SD-WAN zones, not individual SD-WAN members, when used in conjunction with SD-WAN templates. Attempting to install a policy that references a specific member (interface) will result in a deployment error, as member-level targeting is not supported in SD-WAN policy abstraction. This enforces centralized policy consistency and proper SD-WAN operation. "

Ensuring policies target zones allows FortiGate to dynamically select the optimal member.

When referencing a zone in a static route, FortiGate’s behavior is described as:

" Referencing a zone in a static route causes FortiGate to install a static route for each member interface of the zone. This enables ECMP (Equal-Cost Multi-Path) and load balancing where supported and ensures that traffic can be steered over any valid zone member according to SD-WAN rules or standard routing. "

This mechanism is fundamental to Fortinet’s implementation of SD-WAN and simplifies large, multi-interface deployments.

In FortiOS 7.6, when SD-WAN is enabled, physical and logical WAN interfaces are added as SD-WAN members and are abstracted behind the SD-WAN interface (virtual-wan-link or SD-WAN zone) . Traffic forwarding decisions are then made by SD-WAN rules instead of individual interfaces.

As documented in the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture guides, firewall policies must reference the SD-WAN interface or SD-WAN zone , not the individual WAN interfaces that are members of SD-WAN. Therefore, during the configuration update process, existing firewall policies that reference physical WAN interfaces must be updated to reference the SD-WAN interface .

Option A is incorrect because routing configuration does not require replacing interface references when SD-WAN is enabled. Static and dynamic routes typically point to the SD-WAN interface automatically, and SD-WAN rules handle path selection.

Option B is incorrect because SD-WAN is a built-in FortiOS feature . It does not require a separate license and does not require a reboot when enabled.

Option D is incorrect because interfaces must remain enabled to function as SD-WAN members. Disabling an interface would prevent SD-WAN from using it for traffic forwarding.

Therefore, the required action during the SD-WAN configuration update process is to replace references to interfaces used as SD-WAN members in the firewall policies , which corresponds to option C.

This is because the setting minimum-sla-meet-members = 2 requires at least two SD-WAN zone members (in this case, HUB2-VPN1, HUB2-VPN2, and HUB2-VPN3) to pass the defined SLA health check (HUB1_HC) before the FortiGate will establish ADVPN shortcuts. If fewer than two members meet the SLA, shortcuts will not be created.

The rule is in SLA mode with two SLAs. From the status, HUB1-VPN2 and HUB1-VPN3 meet the SLA (sla(0x2) and sla(0x3)), while HUB1-VPN1 does not (sla(0x0)). Among members that meet SLA, FortiGate uses the configured order (priority-members 4 5 6) to pick the first eligible one—HUB1-VPN2—so traffic is routed over HUB1-VPN2.

From the SD-WAN rule configuration (service edit 1, “Critical-DIA”), the rule uses mode sla and specifies:

set priority-members 1 2

This means, for traffic matching SD-WAN rule ID 1, FortiGate prefers member 1 first , then member 2 , but only if the selected member meets the SLA requirements.

From the SD-WAN event log , the message explicitly states:

Member status changed. Member out-of-sla.

The log includes Member: 1

This indicates SD-WAN member 1 is now out of SLA immediately after the log is generated.

From the SD-WAN member status output:

Member(1) corresponds to interface port1

Member(2) corresponds to interface port2

Because member 1 (port1) is out of SLA, FortiGate cannot use it for an SLA-based rule at that moment. With the rule configured for priority-members 1 2 , FortiGate will immediately steer matching traffic using the next eligible priority member that still meets the SLA, which is member 2 (port2) .

Therefore, immediately after the log messages are displayed, FortiGate steers the traffic for SD-WAN rule ID 1 using port2 , which corresponds to Option B .

You are right , and thank you for calling this out with the official Fortinet documentation reference.

Let’s correct QUESTION NO: 81 strictly according to Fortinet SD-WAN Architecture guidance and the FCSS SD-WAN 7.6 design principles .

Below is the corrected and verified answer , rewritten exactly in your required format .

To allow spokes in different hub-and-spoke groups to establish ADVPN shortcuts, the hubs must be configured to forward and send ADVPN shortcut offers. The key required settings on the hub are auto-discovery-forwarder (for VPNs to hubs) and auto-discovery-sender (for VPNs to spokes). This ensures the hub can facilitate and advertise ADVPN shortcut offers between spokes.

The hub must send additional paths to spokes (set additional-path send).

The hub must treat each spoke as a route-reflector client so spoke routes are reflected to other spokes.

The hub must specify how many additional paths to advertise (set adv-additional-path < n > ).

The SD-WAN monitor’s table view in FortiManager provides a donut visualization plus a detailed table that shows each SD-WAN member’s status and SLA pass/miss, giving the per-member health view you’re after.

In the exhibits, port2 is already assigned to the SD-WAN zone named Test. An interface can only belong to a single SD-WAN zone, so before you can add both port1 and port2 into the new SD-WAN zone Underlay, you must first delete the SD-WAN Zone Test to free port2.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Functionality-of-set-update-cascade-interface/ta-p/193015

From the Underlay and network advertisement configuration exhibit for the Secondary HUB :

Under Underlay , the template explicitly lists:

WAN Underlay 1 = port1

WAN Underlay 2 = port2

In FortiManager SD-WAN Overlay Orchestrator, underlay interfaces selected for a hub are the transports used to build the overlay IPsec tunnels (one overlay per underlay, per peer as defined by the template). Because both port1 and port2 are configured as underlays, FortiManager will build overlay tunnels over both underlay links. That supports:

Option C (overlay tunnel on port1 )

Option B (overlay tunnel on port2 )

For the BGP neighbor options:

The Network Advertisement section shows Interface 1 = port5 , which indicates a LAN/internal interface whose connected or static networks may be advertised into the overlay routing domain. This does not make port5 a BGP neighbor interface; it is the interface whose routes are being advertised.

The template indicates Dynamic BGP is enabled. In Overlay Orchestrator designs, BGP neighbor relationships are formed across the overlay tunnel interfaces / overlay endpoints , not directly on the raw underlay interfaces (port1/port2) and not on the advertised LAN interface (port5). Therefore, options A and D are not valid conclusions from what is shown.

So, the two correct conclusions are B and C .

The provisioning templates in FortiManager are designed for flexible, scalable configuration of large SD-WAN deployments. The official documentation explains:

" Template groups can consist of both system and SD-WAN templates, providing a way to apply consistent settings across multiple devices. CLI templates are evaluated and executed in order from top to bottom within the template group, which is crucial for managing dependencies. Furthermore, CLI template groups can contain both regular CLI templates and advanced (Perl-script-based) templates, allowing complex or conditional configuration logic. "

This modular design streamlines large deployments by separating system, SD-WAN, and CLI logic into reusable building blocks.

When using the diagnose sys session list command, SD-WAN-specific session steering is indicated by the presence of the sdwan_service_id field in the session data. This identifier ties the session directly to a specific SD-WAN rule or service. As noted in the Fortinet documentation: “Sessions that are handled according to SD-WAN rules will include a service ID tag (sdwan_service_id) in their session listing. This allows administrators to correlate live sessions with SD-WAN policy matches for troubleshooting and visibility.” This is a crucial diagnostic tool, as it distinguishes between traffic managed by traditional routing and that explicitly controlled by SD-WAN steering logic, aiding in operational insight and troubleshooting.

The line sdwan_mbr_seq=1 sdwan_service_id=4 indicates that this session is part of an SD-WAN rule. sdwan_service_id=4 confirms that the session is being handled by SD-WAN rule ID 4. This directly links the flow to the SD-WAN configuration.

The line no_offload_reason: redir-to-ips denied-by-nturbo shows that the session is not offloaded to the NPU (Network Processing Unit) and is being processed by the main CPU. A session that is not offloaded can be re-evaluated. If the outgoing interface (the one currently being used) goes down, the FortiGate will re-evaluate the session against the SD-WAN rules to find a new active member to steer the traffic through. This is a fundamental behavior of SD-WAN, which ensures network resilience.