You are configuring SD-WAN to load balance network traffic. Which two facts should you consider when setting up SD-WAN? (Choose two.)
When applicable, FortiGate load balances traffic through all members that meet the SLA target.
SD-WAN load balancing is possible only when using the manual and the best quality strategies.
Only the manual and lowest cost (SLA) strategies allow SD-WAN load balancing.
You can select the outsessions hash mode with all strategies that allow load balancing.
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, configuring load balancing within SD-WAN rules requires an understanding of how the engine selects and distributes sessions across multiple links.
SLA Target Logic (Option A): In FortiOS 7.6, the Lowest Cost (SLA) strategy has been enhanced. When the load-balance option is enabled for this strategy, the FortiGate does not just pick a single "best" link; it identifies all member interfaces that currently meet the configured SLA target (e.g., latency < 100 ms). It then load balances the traffic across all those healthy links to maximize resource utilization.
Hash Modes (Option D): When an SD-WAN rule is configured for load balancing (valid for Manual and Lowest Cost (SLA) strategies in 7.6), the administrator must define a hash mode to determine how sessions are distributed. While "outsessions" in the question is a common exam-variant typo for outbandwidth (or sessions-based hashing), the core principle remains: you can select the specific load-balancing algorithm (e.g., source-ip, round-robin, or bandwidth-based) for all strategies where load balancing is enabled.
Why other options are incorrect:
Options B and C: These options are too restrictive. In FortiOS 7.6, load balancing is not limited to only "manual and best quality" or "manual and lowest cost" in a singular way. The documentation highlights that Manual and Lowest Cost (SLA) are the primary strategies that support the explicit load-balance toggle to steer traffic through multiple healthy members simultaneously.
A FortiGate device is in production. To optimize WAN link use and improve redundancy, you enable and configure SD-WAN.
What must you do as part of this configuration update process? (Choose one answer)
Replace references to interfaces used as SD-WAN members in the firewall policies.
Replace references to interfaces used as SD-WAN members in the routing configuration.
Disable the interface that you want to use as an SD-WAN member.
Purchase and install the SD-WAN license, and reboot the FortiGate device.
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, when you are migrating a production FortiGate to use SD-WAN, the most critical step involves reconfiguring how traffic is permitted and routed.
Reference Removal Requirement: Before an interface (such as wan1 or wan2) can be added as an SD-WAN member, it must be "unreferenced" in most parts of the FortiGate configuration. Specifically, if an interface is currently being used in an active Firewall Policy, the system will prevent you from adding it to the SD-WAN bundle.
Firewall Policy Migration (Option A): In a production environment, you must replace the references to the physical interfaces in your firewall policies with the new SD-WAN virtual interface (or an SD-WAN Zone). For example, if your previous policy allowed traffic from internal to wan1, you must update that policy so the Outgoing Interface is now SD-WAN. This allows the SD-WAN engine to take over the traffic and apply its steering rules.
Modern Tools: While this used to be a purely manual process, FortiOS 7.x includes an Interface Migration Wizard (found under Network > Interfaces). This tool automates the "search and replace" function, moving all existing policy and routing references from the physical port to the SD-WAN object to ensure minimal downtime.
Why other options are incorrect:
Option B: While you do need to update your routing (e.g., creating a static route for 0.0.0.0/0 pointing to the SD-WAN interface), the curriculum specifically emphasizes the replacement of references in firewall policies as the primary administrative hurdle, as policies are often more numerous and complex than the single static route required for SD-WAN.
Option C: You do not need to disable the interface. It must be up and configured, just removed from other configuration references so it can be "absorbed" into the SD-WAN bundle.
Option D: SD-WAN is a base feature of FortiOS and does not require a separate license or a reboot to enable.
How is the Geofencing feature used in FortiSASE? (Choose one answer)
To allow or block remote user connections to FortiSASE POPs from specific countries.
To restrict access to applications based on the time of day in specific countries.
To encrypt data at rest on mobile devices in specific countries.
To monitor user behavior on websites and block non-work-related content from specific countries.
According to the FortiSASE 7.6 Administration Guide and the FCP - FortiSASE 24/25 Administrator study materials, the Geofencing feature is a security measure implemented at the edge of the FortiSASE cloud to control ingress connectivity based on the physical location of the user.
Access Control by Location (Option A): Geofencing allows administrators to allow or block remote user connections to the FortiSASE Points of Presence (PoPs) based on the source country, region, or specific network infrastructure (e.g., AWS, Azure, GCP).
Scope of Application: This feature is universal across all SASE connectivity methods. It applies to Agent-based users (FortiClient), Agentless users (SWG/PAC file), and Edge devices (FortiExtender/FortiAP). If a user attempts to connect from a blacklisted country, the connection is dropped at the PoP level before the user can even attempt to authenticate.
Use Case Example: An organization operating exclusively in North America might configure geofencing to block all connections originating from outside the US and Canada. This significantly reduces the attack surface by preventing brute-force or unauthorized access attempts from high-risk regions or countries where the organization has no legitimate employees.
Configuration Path: In the FortiSASE portal, this is managed under Configuration > Geofencing. From there, administrators can create an "Allow" or "Deny" list and select the relevant countries from a standardized global database.
Why other options are incorrect:
Option B: While FortiSASE supports Time-based schedules for firewall policies, geofencing is specifically an IP-to-Geography mapping tool for connection admission, not a time-of-day restriction tool.
Option C: Encryption of data at rest on mobile devices is a function of an MDM (Mobile Device Management) solution or local OS features (like FileVault or BitLocker), not a SASE network geofencing feature.
Option D: Monitoring web behavior and blocking non-work content is the role of the Web Filter and Application Control profiles, which operate on the traffic after the connection is allowed by geofencing.
SD-WAN interacts with many other FortiGate features. Some of them are required to allow SD-WAN to steer the traffic.
Which three configuration elements must you configure before FortiGate can steer traffic according to SD-WAN rules? (Choose three.)
Firewall policies
Security profiles
Interfaces
Routing
Traffic shaping
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, for the FortiGate SD-WAN engine to successfully steer traffic using SD-WAN rules, three fundamental configuration components must be in place. This is because the SD-WAN rule lookup occurs only after certain initial conditions are met in the packet flow:
Interfaces (Option C): You must first define the physical or logical interfaces (such as ISP links, LTE, or VPN tunnels) as SD-WAN members. These members are then typically grouped into SD-WAN Zones. Without designated member interfaces, there is no "pool" of links for the SD-WAN rules to select from.
Routing (Option D): For a packet to even be considered by the SD-WAN engine, there must be a matching route in the Forwarding Information Base (FIB). Usually, this is a static route where the destination is the network you want to reach, and the gateway interface is set to the SD-WAN virtual interface (or a specific SD-WAN zone). If there is no route pointing to SD-WAN, the FortiGate will use other routing table entries (like a standard static route) and bypass the SD-WAN rule-based steering logic entirely.
Firewall Policies (Option A): In FortiOS, no traffic is allowed to pass through the device unless a Firewall Policy permits it. To steer traffic, you must have a policy where the Incoming Interface is the internal network and the Outgoing Interface is the SD-WAN zone (or the virtual-wan-link). The SD-WAN rule selection happens during the "Dirty" session state, which requires a policy match to proceed with the session creation.
Why other options are incorrect:
Security Profiles (Option B): While mandatory for Application-level steering (to identify L7 signatures), basic SD-WAN steering based on IP addresses, ports, or ISDB objects does not require security profiles to be active.
Traffic Shaping (Option E): This is an optimization feature used to manage bandwidth once steering is already determined; it is not a prerequisite for the steering engine itself to function.
Refer to the exhibit.

You want the performance service-level agreement (SLA) to measure the jitter of each member. Which configuration change must you make to achieve this result?
No change is required.
Add an SLA target and define a jitter threshold.
Specify the participant members.
Set the protocol to HTTP.
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, no configuration change is required to simply measure jitter.
Implicit Measurement: In FortiOS, once a Performance SLA (Health Check) is configured with an Active probe mode (as seen in the exhibit with Ping selected), the FortiGate automatically begins calculating three key quality metrics for every member interface: Latency, Jitter, and Packet Loss.
Visibility: Even without an SLA Target defined, these real-time measurements are visible in the SD-WAN Monitor and via the CLI command diagnose sys virtual-wan-link health-check.
Active Probes: Because the probe mode is set to Active using the Ping protocol, the FortiGate sends synthetic packets at the defined Check interval (500 ms in the exhibit). It calculates jitter by measuring the variation in the round-trip time (RTT) between these consecutive probes.
Why other options are incorrect:
Option B: Adding an SLA target and defining a jitter threshold is only necessary if you want the SD-WAN engine to make steering decisions based on that metric (e.g., "remove this link from the pool if jitter exceeds 50 ms"). It is not required just to measure the jitter.
Option C: While you can specify participants, the current setting is "All SD-WAN Members," which means it is already measuring jitter for every member.
Option D: HTTP is an alternative probe protocol, but Ping (ICMP) is perfectly capable of measuring jitter and is often preferred for its lower overhead.
Refer to the exhibit, which shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured packet loss will make HUB1-VPN3 the new preferred member? (Choose one answer)
When all three members have the same packet loss
When HUB1-VPN1 has 4% packet loss
When HUB1-VPN1 has 12% packet loss
When HUB1-VPN3 has 4% packet loss
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, the selection process for the Best Quality (priority) strategy depends on two primary factors: the measured link quality metric and the configured member priority order.
Based on the provided exhibit, we can determine the following:
Strategy and Metric: The rule is in priority mode (Best Quality) and uses link-cost-factor packet loss.
Strict Comparison: The link-cost-threshold is set to 0. This means there is no "advantage" given to the current preferred link; the FortiGate performs a strict comparison where the link with the objectively best metric is chosen.
Tie-Breaker Logic: When multiple links have the same packet loss, the FortiGate uses the Member Priority Order defined in the rule (set priority-members 6 4 5) as the tie-breaker.
Member 6 (HUB1-VPN3) is the highest priority.
Member 4 (HUB1-VPN1) is the second priority.
Member 5 (HUB1-VPN2) is the lowest priority.
Current State: HUB1-VPN1 is currently selected because its packet loss (2.000%) is lower than HUB1-VPN2 (4.000%) and HUB1-VPN3 (12.000%). Even though HUB1-VPN3 has a higher configuration priority, its significantly higher packet loss prevents it from being chosen.
Evaluation of Options:
Option A (Verified): If all three members have the same packet loss (e.g., they all show 2%), the quality metrics are equal. The SD-WAN engine then refers to the priority-members list. Since HUB1-VPN3 (Seq 6) is the first member in that list, it will immediately become the new preferred member.
Option B: If HUB1-VPN1 reaches 4%, it matches HUB1-VPN2 (4%). HUB1-VPN3 remains at 12%. The system will choose between VPN1 and VPN2. Since VPN1 (Seq 4) is higher in the priority list than VPN2 (Seq 5), HUB1-VPN1 stays preferred.
Option C: If HUB1-VPN1 reaches 12%, it matches HUB1-VPN3. However, HUB1-VPN2 is still better at 4.000%. Therefore, HUB1-VPN2 would become the new preferred member, not HUB1-VPN3.
Option D: If HUB1-VPN3 drops to 4%, it matches HUB1-VPN2. However, HUB1-VPN1 is still the best link at 2.000%, so it remains selected.
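The following is an added illustration written for this page (not FortiOS code) of the two member-selection behaviours explained above: the Best Quality (priority) strategy with link-cost-factor packet loss, link-cost-threshold 0 and the priority-members 6 4 5 tie-breaker from this exhibit, and the Lowest Cost (SLA) load-balance behaviour from the first question, where every member meeting the SLA target joins the pool. The member names, sequence numbers and packet-loss values come from the exhibit discussion; the latency, jitter and SLA threshold values are assumed sample values.

```python
"""Simplified model of FortiGate SD-WAN member selection (illustrative code
for this page, not FortiOS code). Latency/jitter figures and the SLA
thresholds are constructed; names, seq numbers and loss values follow the
exhibit."""
from dataclasses import dataclass


@dataclass
class Member:
    seq: int            # SD-WAN member sequence number (used by priority-members)
    name: str
    latency_ms: float
    jitter_ms: float
    packet_loss: float  # percent, as measured by the performance SLA probe


def select_best_quality(members, priority_members):
    """Best Quality with link-cost-threshold 0: strict comparison of the
    metric (lower packet loss wins); equal values fall back to the member's
    position in priority_members (earlier entry wins)."""
    rank = {seq: pos for pos, seq in enumerate(priority_members)}
    candidates = [m for m in members if m.seq in rank]
    return min(candidates, key=lambda m: (m.packet_loss, rank[m.seq]))


def sla_load_balance_pool(members, sla_target):
    """Lowest Cost (SLA) with load-balance enabled: every member that meets
    all configured SLA thresholds is in the pool and sessions are spread
    across it. sla_target holds optional latency_ms/jitter_ms/packet_loss."""
    def meets(m):
        return (m.latency_ms <= sla_target.get("latency_ms", float("inf"))
                and m.jitter_ms <= sla_target.get("jitter_ms", float("inf"))
                and m.packet_loss <= sla_target.get("packet_loss", float("inf")))
    return [m.name for m in members if meets(m)]


PRIORITY_MEMBERS = [6, 4, 5]   # from 'set priority-members 6 4 5' in the exhibit


def exhibit_members(loss_vpn1=2.0, loss_vpn2=4.0, loss_vpn3=12.0):
    """Members from the exhibit; latency/jitter values are constructed."""
    return [
        Member(4, "HUB1-VPN1", 20.0, 2.0, loss_vpn1),
        Member(5, "HUB1-VPN2", 25.0, 3.0, loss_vpn2),
        Member(6, "HUB1-VPN3", 30.0, 4.0, loss_vpn3),
    ]


def evaluate_options():
    """Work through the current state and the four answer options; return
    the preferred member name for each scenario."""
    pick = lambda ms: select_best_quality(ms, PRIORITY_MEMBERS).name
    return {
        "current":      pick(exhibit_members()),
        "A_all_equal":  pick(exhibit_members(2.0, 2.0, 2.0)),
        "B_vpn1_4pct":  pick(exhibit_members(loss_vpn1=4.0)),
        "C_vpn1_12pct": pick(exhibit_members(loss_vpn1=12.0)),
        "D_vpn3_4pct":  pick(exhibit_members(loss_vpn3=4.0)),
    }


if __name__ == "__main__":
    for scenario, preferred in evaluate_options().items():
        print(f"{scenario:13s} -> {preferred}")
    # Assumed SLA target: latency <= 100 ms and packet loss <= 5 %
    print("SLA pool:", sla_load_balance_pool(exhibit_members(),
                                              {"latency_ms": 100, "packet_loss": 5}))
```

Only option A moves HUB1-VPN3 to the front; in the SLA case HUB1-VPN3 is excluded from the pool by its 12% loss, so load balancing runs over VPN1 and VPN2 only.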
Which two statements correctly describe what happens when traffic matches the implicit SD-WAN rule? (Choose two answers)
Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.
Traffic does not match any of the entries in the policy route table.
FortiGate flags the session with may_dirty and vwl_default.
The traffic is distributed, regardless of weight, through all available static routes.
The session information output displays no SD-WAN service id.
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, the "implicit rule" is the default rule at the bottom of the SD-WAN rule list (ID 0). It is only evaluated if traffic does not match any manually configured SD-WAN rules.
Policy Route Table Context (Option B): SD-WAN rules are technically a specialized form of policy-based routing. For a packet to match the implicit rule, it must first pass through the routing hierarchy. If traffic matches the implicit rule, it indicates that it did not match any higher-priority user-defined SD-WAN rules or any specific entries in the manual policy route table that would have intercepted the traffic earlier.
Session Information (Option E): When you use the CLI to inspect an active session (e.g., diagnose sys session list), the output contains a field for the SD-WAN Service ID. If traffic is steered by a user-defined rule, it displays the ID of that rule (e.g., service_id=1). However, when traffic falls through to the implicit rule, the session information displays no SD-WAN service ID (it often shows as 0 or is omitted), because the implicit rule does not function as a "service" in the same way user-defined rules do.
Routing Behavior: The implicit rule follows the standard routing table (RIB/FIB) logic. It uses the priority and distance of the static routes to determine the path. If multiple paths have the same distance and priority, it uses the algorithm set by v4-ecmp-mode, but this is a function of the routing engine, not the SD-WAN engine itself.
Why other options are incorrect:
Option A: While v4-ecmp-mode (e.g., source-ip-based) is used for ECMP routing, this is part of the general FortiOS routing behavior for equal-cost paths in the FIB, whereas the implicit rule simply "hands over" the decision to that routing table.
Option C: When traffic matches the implicit rule, the session is actually flagged with vwl_id=0 and potentially dirty if a route change occurs, but vwl_default is not the standard flag name used in this specific context in the curriculum.
Option D: This is incorrect because the implicit rule does respect weight, distance, and priority as defined in the static routes within the routing table; it does not distribute traffic "regardless" of these values.
What is the purpose of the on/off-net rule setting in FortiSASE?
To enable or disable user authentication for external network access.
To define different traffic routing rules for on-premises and cloud-based resources.
To determine if an endpoint is connecting from a trusted network or untrusted location.
To configure different access policies for users based on their geographical location.
According to the FortiSASE 24.4 Administration Guide and the FortiSASE Core Administrator training materials, the On-net detection rule setting is a critical component for determining the "trust status" of an endpoint's physical location.
Endpoint Location Verification: On-net rule sets are used to determine if FortiSASE considers an endpoint to be on-net (trusted) or off-net (untrusted). An endpoint is considered on-net when it is physically located within the corporate network, which is assumed to already have on-premises security measures (like a FortiGate NGFW).
Operational Impact: When an endpoint is detected as on-net, FortiSASE can be configured to exempt the endpoint from automatically establishing a VPN tunnel to the SASE cloud. This optimization prevents redundant security inspection and conserves SASE bandwidth since the user is already protected by the local corporate firewall.
Detection Methods: To classify an endpoint as on-net, administrators configure rule sets that look for specific environmental markers, such as:
Known Public (WAN) IP: If the endpoint's public IP matches the corporate headquarters' egress IP.
DHCP Server: If the endpoint receives an IP from a specific corporate DHCP server.
DNS Server/Subnet: Matching internal DNS infrastructure or specific internal IP ranges.
Dynamic Policy Application: By accurately determining if an endpoint is on or off-net, FortiSASE ensures that the FortiClient agent only initiates its secure internet access (SIA) tunnel when the user is in an untrusted location (e.g., a home network or public Wi-Fi).
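As an added illustration of the detection logic described above (written for this page, not FortiSASE or FortiClient code), the model below evaluates on-net rule sets built from the three marker types listed (public IP, DHCP server, DNS server/subnet) and derives whether the SIA tunnel is needed. It assumes that all markers within one rule set must match and that any matching rule set makes the endpoint on-net; the corporate addresses and the sample endpoints are constructed values.

```python
"""Simplified model of on-net / off-net detection (illustrative code for this
page, not FortiSASE code). Assumed semantics: markers inside a rule set are
ANDed, rule sets are ORed. All addresses below are constructed samples."""
import ipaddress

# Constructed corporate rule sets; each dict is one rule set.
CORPORATE_RULE_SETS = [
    {"public_ip": "203.0.113.10"},                           # HQ egress IP
    {"dhcp_server": "10.10.0.1", "subnet": "10.10.0.0/16"},  # HQ LAN
    {"dns_server": "10.20.0.53", "subnet": "10.20.0.0/16"},  # branch LAN
]


def rule_set_matches(rule_set, endpoint):
    """True when every marker in rule_set matches the endpoint environment.
    endpoint keys: ip, public_ip, dhcp_server, dns_server."""
    for marker, expected in rule_set.items():
        if marker == "subnet":
            ip = endpoint.get("ip")
            if ip is None or ipaddress.ip_address(ip) not in ipaddress.ip_network(expected):
                return False
        elif endpoint.get(marker) != expected:
            return False
    return True


def is_on_net(endpoint, rule_sets=CORPORATE_RULE_SETS):
    """On-net (trusted) when any rule set matches; otherwise off-net."""
    return any(rule_set_matches(rs, endpoint) for rs in rule_sets)


def needs_sia_tunnel(endpoint, rule_sets=CORPORATE_RULE_SETS):
    """Off-net endpoints bring up the FortiSASE SIA tunnel; on-net endpoints
    are exempt because the local corporate firewall already inspects them."""
    return not is_on_net(endpoint, rule_sets)


# Constructed sample endpoints.
HQ_LAPTOP = {"ip": "10.10.5.20", "dhcp_server": "10.10.0.1",
             "public_ip": "203.0.113.10"}
HOME_LAPTOP = {"ip": "192.168.1.7", "dhcp_server": "192.168.1.1",
               "public_ip": "198.51.100.44"}
# A home network whose DHCP server happens to use the corporate address:
# one marker alone is not enough, the subnet marker in the same rule set fails.
HOME_SAME_DHCP = {"ip": "192.168.1.7", "dhcp_server": "10.10.0.1",
                  "public_ip": "198.51.100.44"}

if __name__ == "__main__":
    for name, ep in [("HQ", HQ_LAPTOP), ("home", HOME_LAPTOP),
                     ("home/same DHCP", HOME_SAME_DHCP)]:
        status = "on-net" if is_on_net(ep) else "off-net"
        print(f"{name:15s} {status:8s} SIA tunnel needed: {needs_sia_tunnel(ep)}")
```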
Why other options are incorrect:
Option A: User authentication is a separate process and is not controlled by the on/off-net detection rules, which focus on the network environment rather than user credentials.
Option B: While on-net status affects how traffic is routed (VPN vs. local), these rules specifically determine the status itself rather than defining the routing tables for private vs. cloud resources.
Option D: Geographical location (Geo-location) is a different filtering criterion often used in firewall policies; on-net detection is specifically about the proximity to the trusted corporate perimeter.
Which statement is true about FortiSASE supported deployment?
FortiSASE supports VPN mode and Agentless mode, based on user requirements.
FortiSASE supports both Endpoint mode and SWG mode, depending on deployment.
FortiSASE operates only in SWG mode, where all traffic is forced through FortiSASE POPs.
FortiSASE relies on ZTNA-only mode, which replaces SWG and endpoint functions.
According to the FortiSASE 7.6 Administration Guide and the FCP - FortiSASE 24/25 Administrator curriculum, FortiSASE is designed with a hybrid deployment architecture to support various user and device requirements. It primarily operates in two modes:
Endpoint Mode (Agent-based): This mode requires the installation of FortiClient on the user's laptop or device. The agent establishes an "always-up" secure VPN tunnel to the nearest FortiSASE Point of Presence (PoP), providing full Secure Internet Access (SIA), Secure Private Access (SPA), and endpoint posture checks (ZTNA).
Secure Web Gateway (SWG) Mode (Agentless): This mode is used for users or devices where installing an agent is not feasible (e.g., unmanaged devices or Chromebooks). It relies on explicit web proxy settings or a PAC (Proxy Auto-Configuration) file to redirect web traffic (HTTP/HTTPS) to the SASE PoP for inspection.
Why other options are incorrect:
Option A: While it supports VPN, "VPN mode" is not the formal name of the deployment type; it is "Endpoint mode".
Option C: FortiSASE is not limited to SWG; it is a full SSE (Security Service Edge) solution including FWaaS and ZTNA.
Option D: ZTNA is a capability within the platform, not a replacement for the overall endpoint or SWG functions.
For a small site, an administrator plans to implement SD-WAN and ensure high network availability for business-critical applications while limiting the overall cost and the cost of pay-per-use backup connections.
Which action must the administrator take to accomplish this plan?
Use a mid-range FortiGate device to implement standalone SD-WAN.
Implement dynamic routing.
Set up a high availability (HA) cluster to implement standalone SD-WAN.
Configure at least two WAN links.
According to the SD-WAN 7.6 Core Administrator curriculum, to implement an SD-WAN solution that ensures high network availability for business-critical applications while managing costs, the administrator must configure at least two WAN links.
SD-WAN Fundamentals: SD-WAN operates by creating a virtual overlay across multiple physical or logical transport links (e.g., broadband, LTE, MPLS). Without at least two links, the SD-WAN engine has no alternative path to steer traffic toward if the primary link fails or degrades.
Cost Management: By using multiple links, administrators can implement the Lowest Cost (SLA) or Maximize Bandwidth strategies. This allows the site to use a low-cost broadband connection for primary traffic and only failover to a "pay-per-use" backup (like LTE) when the primary link's quality falls below the defined SLA target.
High Availability (Link Level): While a "High Availability (HA) cluster" (Option C) provides device redundancy (protecting against a hardware failure of the FortiGate itself), it does not address link redundancy or steering, which are the core functions of SD-WAN for application uptime.
Why other options are incorrect:
Option A: Using a mid-range device refers to hardware capacity but does not solve the requirement for link-level redundancy and cost-steering logic.
Option B: Dynamic routing (like BGP or OSPF) is often used with SD-WAN in large topologies, but for a small site, the primary mechanism for meeting availability and cost goals is the configuration of the SD-WAN member links and rules themselves.
Option C: HA clusters protect against hardware failure, but the question specifically asks about ensuring availability for applications while limiting backup link costs, which is a traffic-steering (SD-WAN) requirement rather than a hardware-redundancy requirement.
Copyright © 2014-2026 Certensure. All Rights Reserved