FCSS_SDW_AR-7.4 Questions and Answers

When asymmetric routing is observed (such as reply traffic not following the optimal path), the solution is:

"The auxiliary-session feature, enabled under config system settings, allows FortiGate to consider multiple egress interfaces for reply traffic, not just the original ingress interface. This is crucial for SD-WAN environments where the best path may differ between forward and return directions, especially when performance or policy rules are dynamically evaluated."

Activating this ensures reply traffic is always sent on the member with the best real-time metrics.

Application-based SD-WAN rules enable intelligent traffic steering. The guide specifies:

"If a flow is identified as belonging to a defined application category (such as social media), FortiGate will match it to the corresponding service rule (rule 2) and route it through the specified interface, such as port2. However, if the application is not recognized during the session setup, the system defaults to load balancing the traffic using the available tunnels according to the policy for unclassified traffic, ensuring continuous connectivity while waiting for application classification."

This guarantees both performance and resilience.

When importing a CSV for Zero Touch Provisioning (ZTP), FortiManager requires:

"Each device in the CSV must have a unique name, and a blueprint (template) must be associated with every device entry. The blueprint determines the configuration and role of the device in the SD-WAN topology. Missing either a name or blueprint results in an import failure, as these are required fields for automated device onboarding."

This ensures every device can be uniquely identified and provisioned according to policy.

In the SD-WAN GUI, the absence of members in a zone is visually represented, and the Fortinet guide confirms:

"If a zone such as overlay-factories contains no members, it will be displayed as empty in the SD-WAN GUI. This may occur when the zone is reserved for future expansion, or if members have been temporarily removed for maintenance or reconfiguration. Traffic cannot be steered via an empty zone until at least one SD-WAN member is added."

Such visual cues help operators quickly assess configuration status and readiness.

Traffic steering in Fortinet SD-WAN is based on defined rules and the corresponding outgoing interfaces. The exhibit (not shown here) would indicate that the traffic from the LAN subnet 10.0.1.0/24 to the server 10.2.5.254 is matched by SD-WAN rule 3 and sent out via the HUB1-VPN3 interface.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.