NSE6_SDW_AD-7.6 Questions and Answers

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN ' s application-aware steering, which uses dynamic performance metrics to select the optimal path.

Before FortiGate can steer traffic according to SD-WAN rules, certain configuration elements must be present. The guide states:

" SD-WAN is not a standalone feature and interacts with several fundamental FortiGate configurations. Specifically, you must: (1) Define the interfaces (physical, VLAN, or IPsec) that will act as SD-WAN members, (2) Create firewall policies to allow traffic to be steered by SD-WAN, and (3) Set up routing so that traffic has valid routes via SD-WAN members. Without these, SD-WAN rules will not be able to match or steer any traffic. "

Security profiles and traffic shaping are not mandatory for basic SD-WAN steering but can be layered on for enhanced security and QoS once foundational elements are present.

Your requirements map to two key MSSP goals described in the FCSS SD-WAN 7.6 blueprint patterns:

Delegate as much administration and management as possible to the MSSP This is best achieved when the hub security and SD-WAN control point is located on the MSSP premises , because the MSSP can centrally operate the core enforcement and overlay control. Both option B (dedicated hub at MSSP) and option D (shared hub at MSSP with customer isolation) meet this requirement.

Each site must maintain direct internet access (DIA) and be secure, with significant site-to-site traffic In Fortinet SD-WAN MSSP designs, spokes can still use local breakout for DIA while also building secure overlays for inter-site traffic. Placing the hub at the MSSP enables centralized security services and scalable inter-site connectivity management while preserving DIA where required. Options B and D support this operating model.

Why the other options do not best match:

A includes a dedicated hub on the customer premises , which reduces how much the MSSP can centralize and operate from its own environment, so it does not maximize delegation.

C places both hub and spokes on the customer premises . While the MSSP can manage using a dedicated ADOM, this blueprint does not align as strongly with “delegate installation and management” to the MSSP as the designs where the hub is hosted and operated from the MSSP premises.

Therefore, the two MSSP deployment blueprints that address your requirements are B and D .

In FortiOS 7.6, static routes can reference either:

an SD-WAN zone (for example, virtual-wan-link or a user-defined SD-WAN zone), or

a specific SD-WAN member interface that belongs to that zone.

However, FortiOS enforces a routing constraint to avoid ambiguity during route resolution. Two static routes cannot have the same destination prefix if one points to an SD-WAN zone and the other points to an SD-WAN member within that zone . This would create an overlapping and conflicting forwarding decision.

Therefore, if you configure:

one static route that references an SD-WAN zone, and

another static route that references an SD-WAN member belonging to that same zone,

the destination subnets of the two static routes must be different .

Why the other options are incorrect:

Option A is incorrect because FortiOS does allow static routes that reference individual SD-WAN members.

Option B is incorrect because static routes can reference SD-WAN zones.

Option D is incorrect because static routing decisions in FortiOS are based on destination prefixes, not source prefixes.

Thus, the correct answer is C .

" Secure internet access (SIA), also known as remote breakout, is another use case for SD-WAN. "

The exhibit shows the runtime details of two SD-WAN services (rules):

Service(2)

Mode(manual hash-mode=inbandwidth)

Members(2): port2 (WAN2), port1 (WAN1)

Application matching: Facebook, LinkedIn, Game

Source: 10.0.1.0–10.0.1.255 This rule is clearly intended for internet/DIA application steering and does not show a corporate destination range.

Service(3)

Mode(sla hash-mode=round-robin)

Members(6): HUB1-VPN1/2/3 and HUB2-VPN1/2/3

Source: 10.0.1.0–10.0.1.255

Destination: 10.0.0.0–10.255.255.255

Traffic from 10.0.1.124 to 10.0.0.254 matches Service(3) because the destination IP 10.0.0.254 falls within the destination range 10.0.0.0–10.255.255.255.

Within Service(3) , the member list shows SLA results per interface:

HUB1-VPN2 has sla(0x1) and num of pass(1)

HUB2-VPN2 has sla(0x2) and num of pass(1)

The remaining members (HUB1-VPN1, HUB2-VPN1, HUB1-VPN3, HUB2-VPN3) show sla(0x0) and num of pass(0)

This indicates that, for Service(3), only HUB1-VPN2 and HUB2-VPN2 are currently meeting the SLA requirements (passing), and because the rule uses hash-mode=round-robin, FortiGate load-balances sessions across the passing members.

Therefore, FortiGate will steer the traffic using HUB1-VPN2 or HUB2-VPN2 , which corresponds to Option B .

When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.

From the Underlay and network advertisement configuration exhibit for the Secondary HUB :

Under Underlay , the template explicitly lists:

WAN Underlay 1 = port1

WAN Underlay 2 = port2

In FortiManager SD-WAN Overlay Orchestrator, underlay interfaces selected for a hub are the transports used to build the overlay IPsec tunnels (one overlay per underlay, per peer as defined by the template). Because both port1 and port2 are configured as underlays, FortiManager will build overlay tunnels over both underlay links. That supports:

Option C (overlay tunnel on port1 )

Option B (overlay tunnel on port2 )

For the BGP neighbor options:

The Network Advertisement section shows Interface 1 = port5 , which indicates a LAN/internal interface whose connected or static networks may be advertised into the overlay routing domain. This does not make port5 a BGP neighbor interface; it is the interface whose routes are being advertised.

The template indicates Dynamic BGP is enabled. In Overlay Orchestrator designs, BGP neighbor relationships are formed across the overlay tunnel interfaces / overlay endpoints , not directly on the raw underlay interfaces (port1/port2) and not on the advertised LAN interface (port5). Therefore, options A and D are not valid conclusions from what is shown.

So, the two correct conclusions are B and C .

When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies “dirty” flags where applicable. The SD-WAN session management mechanism is described in detail: “Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing.” This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.

" The custom-profile-1 metric uses a formula that calculates a composite value out of the latency, jitter, packet loss, and bibandwidth. The composite value is called the link quality index. " And from page 227, the factors FortiGate uses in order are: " FortiGate determines the member with the best quality using three factors: member configuration order, the link-cost-threshold setting, and the value of the metric measured for the member. "

When a FortiGate device is onboarded using a Device Blueprint in FortiManager, the system automates the provisioning process by applying the linked templates and scripts as soon as the device is authorized and connects. In this scenario, the Device Blueprint includes a CLI Template named " LAN-interface " and Provisioning Templates (corp_st and LAN-interface).

According to Fortinet documentation regarding Zero-Touch Provisioning (ZTP) and Blueprint workflows, FortiManager processes the CLI script configuration as part of the initial onboarding sync. The provided CLI script explicitly contains instructions for port1, port2, and port5 . Specifically, it sets port1 and port2 to mode dhcp. Even though port1 already has a manual IP address ($15.1.0.154$) used for the initial FGFM connection, the FortiManager will push the configuration defined in the template.

When FortiManager pushes a configuration change to the interface used for the FGFM tunnel (port1), it does so by updating the configuration database. Since the template specifies set mode dhcp for port1 and port2, and a specific IP range for port5 using a metadata variable (10.0.$(branch_id).254), all three ports will be updated. Consequently, they may receive new IP addresses based on DHCP assignments or variable substitution. FortiManager is capable of updating the management interface as long as the new configuration does not permanently sever the FGFM connection.

To allow spokes in different hub-and-spoke groups to establish ADVPN shortcuts, the hubs must be configured to forward and send ADVPN shortcut offers. The key required settings on the hub are auto-discovery-forwarder (for VPNs to hubs) and auto-discovery-sender (for VPNs to spokes). This ensures the hub can facilitate and advertise ADVPN shortcut offers between spokes.

From the SD-WAN rule configuration (service ID 3 , name " Corp " ), the rule is configured as:

set mode sla

set load-balance enable

set hash-mode source-ip-based

set priority-members 3 4 5

Two SLAs are referenced under config sla

In the diagnose firewall proute list output for service=3 (Corp) , FortiGate shows the actual members considered for this rule and their SLA pass status:

oif=19 (HUB1-VPN1) num_pass=2

oif=20 (HUB1-VPN2) num_pass=2

oif=21 (HUB1-VPN3) num_pass=1

Because the rule is SLA-based , FortiGate selects only members that meet the SLA requirements for the rule. The output indicates that HUB1-VPN1 and HUB1-VPN2 pass both SLA checks (num_pass=2) , while HUB1-VPN3 passes only one (num_pass=1) and therefore is not selected as an eligible forwarding interface for this rule.

Since load-balance is enabled and the rule uses hash-mode source-ip-based, FortiGate will consistently choose an eligible member based on the source IP hash. For traffic sourced from 10.0.1.101 , the session can be steered through either HUB1-VPN1 or HUB1-VPN2 (whichever the hash selects), but not HUB1-VPN3.

Therefore, the correct answer is B .

Specify the gateway of the SD-WAN member port1 with an IP address or use the default value → The error log shows invalid ip – prop[gateway]: ip4class(${sdwan_port1_gw}) invalid ip addr, meaning the variable ${sdwan_port1_gw} does not have a valid mapping. Assigning a valid IP address or default value for the gateway resolves this error.

Review the per-device mapping configuration for metadata variables → The issue is tied to how the metadata variable ${sdwan_port1_gw} is mapped for branch1_fgt. If this device does not have the variable properly defined in per-device mapping, the configuration will fail. Correcting the mapping ensures that the install works.

By default, local-out traffic does not use SD-WAN → FortiGate normally sends local-out traffic (e.g., DNS, NTP, FortiGuard updates) directly through its interfaces without applying SD-WAN rules.

You must configure each local-out feature individually to use SD-WAN → To steer local-out traffic via SD-WAN, you must explicitly configure the desired local-out features (e.g., DNS, FortiGuard, CAPWAP) to use SD-WAN rules.