Fortinet NSE6_SDW_AD-7.6 Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator Exam Practice Test

The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones. This statement perfectly describes the likely sequence of events. The template, when applied, re-organizes the interfaces and zones, causing the existing firewall policy that relies on the old zone configuration to fail. This is the most plausible root cause.

Application-based SD-WAN rules enable intelligent traffic steering. The guide specifies:

"If a flow is identified as belonging to a defined application category (such as social media), FortiGate will match it to the corresponding service rule (rule 2) and route it through the specified interface, such as port2. However, if the application is not recognized during the session setup, the system defaults to load balancing the traffic using the available tunnels according to the policy for unclassified traffic, ensuring continuous connectivity while waiting for application classification."

This guarantees both performance and resilience.

The command shown in the exhibit is:

diagnose sys sdwan service 4 3

This command displays the runtime state of SD-WAN rule ID 3 on the device. The output explicitly shows:

Service(3) which confirms the SD-WAN rule being evaluated is rule number 3

Members(9) which indicates that nine SD-WAN members are associated with this rule

The listed members include multiple IPsec tunnel interfaces such as HUB1-VPN1, HUB1-VPN2, HUB1-VPN3, HUB2-VPN1, HUB2-VPN2, and HUB2-VPN3, which is characteristic of a spoke device connecting to multiple hubs in a hub-and-spoke ADVPN topology, as defined in the FCSS SD-WAN 7.6 architecture.

Option B is incorrect because, although members are listed under different interfaces, the output does not indicate SD-WAN zones. Zones are shown only in configuration output, not in this diagnostic command.

Option C is incorrect because this is not a hub device. The presence of multiple hub tunnels as SD-WAN members indicates a spoke role. Additionally, the output does not confirm the number of established ADVPN shortcuts.

Option D is incorrect because the output clearly references SD-WAN rule 3, not rule 4, and it does not state that exactly three shortcut tunnels are allowed.

Therefore, the correct conclusion is that this is a spoke device and SD-WAN rule 3 is configured with nine members, which matches option A.

When you enable ADVPN (auto-discovery VPN) in the overlay template, FortiManager automatically updates both the IPsec and BGP templates on the hub so that shortcut tunnels can be established dynamically.

ADVPN can be activated in the SD-WAN overlay template for any supported topology, including dual-hub primary–primary, not just single hub.

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive, FortiGate attempts to measure link performance using passive monitoring first, based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive, FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A.

During passive monitoring, FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic, not ICMP traffic. ICMP is used for active probing, not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware. Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D.

From the SD-WAN service configuration, rule edit 3 (name "Corp") is configured with:

set mode sla

set load-balance enable

set dst "Corp-net"

set src "LAN-net"

SLA checks referenced under config sla

Traffic from 10.0.1.101 to 10.0.0.126 matches this rule because the destination is within the corporate network range (shown in the policy-route/proute output as destination 10.0.0.0–10.255.255.255 for the Corp service).

In the diagnose firewall proute list output for vwl_service=3 (Corp), FortiGate shows which SD-WAN members are eligible based on SLA pass results:

oif=21 (HUB1-VPN3) num_pass=2

oif=20 (HUB1-VPN2) num_pass=0

oif=19 (HUB1-VPN1) num_pass=0

This indicates that, for the SLA-based rule, only HUB1-VPN3 is meeting the SLA requirements (it is the only member with num_pass=2). The other members have num_pass=0, so they are not eligible for forwarding under this SLA rule even though links are up.

The sniffer trace further corroborates the forwarding decision by showing the traffic egressing through HUB1-VPN3.

Therefore, FortiGate will steer the HTTP traffic through only HUB1-VPN3, which corresponds to Option A.

From the SD-WAN monitor in FortiManager:

"The SD-WAN monitor provides a summary view of the branch devices and their members. In the scenario shown, it is clear that branch2_fgt is missing SLA configuration for one member, as evidenced by the lack of performance metrics. The monitor also shows only two branches in the current topology, allowing quick assessment of branch health and configuration completeness."

This kind of visibility is vital for proactive monitoring and rapid troubleshooting in SD-WAN environments.

The FCSS SD-WAN 7.6 curriculum describes multiple standard SD-WAN deployment designs, each mapped to a specific operational goal or constraint.

A cloud on-ramp topology is designed to optimize connectivity to cloud services such as SaaS and IaaS. This design provides the most efficient and reliable path to cloud applications by establishing direct tunnels to cloud gateways or cloud workloads and by avoiding backhauling traffic through a central data center. As a result, its primary indication is improving the performance of cloud applications, which makes option A correct.

A remote breakout (centralized breakout) design forwards all internet-bound traffic from branch sites to a central hub for security inspection. This allows security policies, inspection, and logging to be centralized on a high-capacity FortiGate at the hub. Because branch devices do not need advanced local security configurations, this design also limits local management requirements, which makes option C correct.

Option B is incorrect because a standalone SD-WAN design is not selected simply because a site has only one WAN link. SD-WAN provides its main benefits when multiple WAN paths exist, and single-link sites do not gain meaningful traffic-steering advantages.

Option D is incorrect because a direct internet access (DIA) design performs local internet breakout at the branch and therefore requires strong local security capabilities. DIA does not inherently increase traffic security and is not intended for devices with limited capabilities.

Therefore, the two correct associations are A and C.

From the SD-WAN Zones view in the FortiGate GUI:

virtual-wan-link is the default SD-WAN zone. This zone is system-defined and cannot be deleted, which makes option A incorrect.

The WAN2 zone is displayed without any expandable members beneath it, indicating that no SD-WAN members are currently assigned to the WAN2 zone. This directly supports option B.

A zone can be deleted only if it has no members and is not system-defined, but the exhibit does not indicate that WAN1 is eligible for deletion. Therefore, option C cannot be concluded from the information shown.

In FortiOS SD-WAN, an SD-WAN member can belong to only one SD-WAN zone at a time. A member such as B-125 cannot be assigned to both the WAN3 zone and the Test zone simultaneously, which makes option D incorrect.

In an SD-WAN rule, you can steer application traffic by using Internet Service Database (ISDB) entries. Facebook and LinkedIn are predefined ISDB objects in FortiGate, so the correct way is to select them in the Internet service field under Destination. This ensures that all traffic to these applications is matched and routed through the chosen (less costly) link.

The log shows messages on HUB1-VPN1 where the device processes a SHORTCUT_QUERY and performs NAT hole punching (peer at 192.2.0.1:4500). This indicates that the device is acting as a hub, helping two spokes (192.2.0.1 and 10.0.3.101) establish a direct ADVPN shortcut tunnel between each other, instead of routing their traffic through the hub.

The log messages shown in the exhibit include the following key indicators:

processing notify type SHORTCUT_QUERY

shortcut-query received from 192.2.0.1

local-nat=yes, peer-nat=no

NAT hole punching for peer at 192.2.0.1:4500

In the FCSS SD-WAN 7.6 ADVPN workflow, shortcut queries are always initiated by spokes, not hubs. A spoke sends a shortcut query to its hub when it detects traffic destined for another spoke. The hub’s role is to receive this shortcut query and forward the discovery information toward the destination spoke, enabling the two spokes to build a direct shortcut tunnel.

The device name in the log (HUB1-VPN1) and the presence of NAT hole punching coordination clearly indicate that this device is acting as a hub, not a spoke. Hubs do not form shortcuts themselves; instead, they facilitate shortcut establishment between spokes by relaying discovery and negotiation information.

Option A is incorrect because a spoke does not receive shortcut queries from other spokes directly.

Option B is incorrect because the log does not indicate that the shortcut has already been established; it shows the query and coordination phase, not completion.

Option D is incorrect because hubs do not initiate shortcut queries toward spokes.

Therefore, the correct description is that this device is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke, which corresponds to option C.

The diagnose output shows multiple ADVPN tunnels (HUB1-VPN1, HUB1-VPN2, HUB1-VPN3) with detailed latency, jitter, and packet loss values being reported for each. In ADVPN, the spoke performs embedded health checks and provides the hub with the performance metrics for each tunnel. Therefore, the device in the exhibit is a spoke, and it is sending health-check measurements for each tunnel to the hub.

The policy-route output shows the matching SD-WAN service for destination 10.66.0.0/24 is vwl_service=4 (LAN-to-Corp2) with vwl_mbr_seq=1 2 and paths oif=3(port1) and oif=4(port2). Therefore, traffic from 10.0.1.133 to 10.66.0.125 is steered via SD-WAN member ID 1 or 2.

The hub must send additional paths to spokes (set additional-path send).

The hub must treat each spoke as a route-reflector client so spoke routes are reflected to other spokes.

The hub must specify how many additional paths to advertise (set adv-additional-path ).

Your requirements map to two key MSSP goals described in the FCSS SD-WAN 7.6 blueprint patterns:

Delegate as much administration and management as possible to the MSSPThis is best achieved when the hub security and SD-WAN control point is located on the MSSP premises, because the MSSP can centrally operate the core enforcement and overlay control. Both option B (dedicated hub at MSSP) and option D (shared hub at MSSP with customer isolation) meet this requirement.

Each site must maintain direct internet access (DIA) and be secure, with significant site-to-site trafficIn Fortinet SD-WAN MSSP designs, spokes can still use local breakout for DIA while also building secure overlays for inter-site traffic. Placing the hub at the MSSP enables centralized security services and scalable inter-site connectivity management while preserving DIA where required. Options B and D support this operating model.

Why the other options do not best match:

A includes a dedicated hub on the customer premises, which reduces how much the MSSP can centralize and operate from its own environment, so it does not maximize delegation.

C places both hub and spokes on the customer premises. While the MSSP can manage using a dedicated ADOM, this blueprint does not align as strongly with “delegate installation and management” to the MSSP as the designs where the hub is hosted and operated from the MSSP premises.

Therefore, the two MSSP deployment blueprints that address your requirements are B and D.

The rule is in priority mode with HUB1-VPN1 (seq 4) as the first preferred member, HUB1-VPN2 second, and HUB1-VPN3 third. Latency itself does not cause HUB1-VPN3 to become preferred unless a higher-priority member fails SLA. If HUB1-VPN1’s latency exceeds the SLA threshold (here simulated by latency reaching 200 ms), FortiGate stops using it and moves down the priority list. That is when HUB1-VPN3 could become the active path.

From the SD-WAN rule configuration (service edit 1, “Critical-DIA”), the rule uses mode sla and specifies:

set priority-members 1 2

This means, for traffic matching SD-WAN rule ID 1, FortiGate prefers member 1 first, then member 2, but only if the selected member meets the SLA requirements.

From the SD-WAN event log, the message explicitly states:

Member status changed. Member out-of-sla.

The log includes Member: 1

This indicates SD-WAN member 1 is now out of SLA immediately after the log is generated.

From the SD-WAN member status output:

Member(1) corresponds to interface port1

Member(2) corresponds to interface port2

Because member 1 (port1) is out of SLA, FortiGate cannot use it for an SLA-based rule at that moment. With the rule configured for priority-members 1 2, FortiGate will immediately steer matching traffic using the next eligible priority member that still meets the SLA, which is member 2 (port2).

Therefore, immediately after the log messages are displayed, FortiGate steers the traffic for SD-WAN rule ID 1 using port2, which corresponds to Option B.

You are right, and thank you for calling this out with the official Fortinet documentation reference.

Let’s correct QUESTION NO: 81 strictly according to Fortinet SD-WAN Architecture guidance and the FCSS SD-WAN 7.6 design principles.

Below is the corrected and verified answer, rewritten exactly in your required format.

To allow spokes in different hub-and-spoke groups to establish ADVPN shortcuts, the hubs must be configured to forward and send ADVPN shortcut offers. The key required settings on the hub are auto-discovery-forwarder (for VPNs to hubs) and auto-discovery-sender (for VPNs to spokes). This ensures the hub can facilitate and advertise ADVPN shortcut offers between spokes.

The session details show the symmetric flow’s original direction as port3 → port2.

The asymmetric flow’s reply direction is listed as port2 → port3.

The hub must use a performance SLA with the same criteria as the spoke's health check. The spoke's health check is using ping (protocol ping) and measuring latency (link-cost-factor latency). For the hub to use the data sent by the spoke, its performance SLA must be configured to measure the same metrics. If the hub is looking for jitter or packet loss, it will not use the latency data sent by the spoke.

When a spoke sends embedded health data, the hub FortiGate must be configured to receive and use it. This is done by setting set embedded-measure accept within the performance SLA configuration on the hub. This setting explicitly tells the hub to trust and use the performance metrics received from the remote FortiGate (the spoke). Without this setting, the hub will likely ignore the embedded health data and rely on its own health checks, which could lead to incorrect traffic prioritization.

When planning to deploy a large number of branches (e.g., 50), Fortinet recommends several preparatory steps to simplify and automate the rollout. Creating model devices allows you to predefine configurations and settings that can be cloned or adapted for each branch, saving time and minimizing manual errors. Preparing a Zero Touch Provisioning (ZTP) template enables automatic onboarding and provisioning of new FortiGates as soon as they come online, reducing manual intervention. Lastly, creating a policy blueprint allows for standardized policy deployment across all branches, ensuring consistent security and SD-WAN rule enforcement. This holistic approach streamlines the deployment process, allows for rapid scaling, and ensures that all devices are configured according to corporate policy from day one.

Within ADVPN topologies, shortcut requests and responses traverse spokes and hubs. Fortinet documentation states:

"When a spoke receives a shortcut query from another spoke, it may forward the response to its hub for validation or to facilitate dynamic shortcut tunnel setup. This mechanism allows direct spoke-to-spoke communication for optimized routing and performance, reducing latency and offloading the hub after initial control-plane mediation."

This is a core benefit of ADVPN’s dynamic shortcut feature.