Free and Premium Fortinet FCSS_SDW_AR-7.6 Dumps Questions Answers

The rule is in SLA mode with two SLAs. From the status, HUB1-VPN2 and HUB1-VPN3 meet the SLA (sla(0x2) and sla(0x3)), while HUB1-VPN1 does not (sla(0x0)). Among members that meet SLA, FortiGate uses the configured order (priority-members 4 5 6) to pick the first eligible one—HUB1-VPN2—so traffic is routed over HUB1-VPN2.

Policy 3 points traffic To = HUB1-VPN1, which is an SD-WAN member interface. In SD-WAN you must reference the SD-WAN zone (the logical interface) in policies, not its member tunnels. Change the policy’s To interface to the zone HUB1, and the install will succeed.

From the SD-WAN service configuration, rule edit 3 (name "Corp") is configured with:

set mode sla

set load-balance enable

set dst "Corp-net"

set src "LAN-net"

SLA checks referenced under config sla

Traffic from 10.0.1.101 to 10.0.0.126 matches this rule because the destination is within the corporate network range (shown in the policy-route/proute output as destination 10.0.0.0–10.255.255.255 for the Corp service).

In the diagnose firewall proute list output for vwl_service=3 (Corp), FortiGate shows which SD-WAN members are eligible based on SLA pass results:

oif=21 (HUB1-VPN3) num_pass=2

oif=20 (HUB1-VPN2) num_pass=0

oif=19 (HUB1-VPN1) num_pass=0

This indicates that, for the SLA-based rule, only HUB1-VPN3 is meeting the SLA requirements (it is the only member with num_pass=2). The other members have num_pass=0, so they are not eligible for forwarding under this SLA rule even though links are up.

The sniffer trace further corroborates the forwarding decision by showing the traffic egressing through HUB1-VPN3.

Therefore, FortiGate will steer the HTTP traffic through only HUB1-VPN3, which corresponds to Option A.

Rules template → Defines the SD-WAN rules for traffic steering.

BGP template → Configures dynamic routing for overlay tunnels.

IPsec tunnel template → Builds the IPsec VPN tunnels from the spoke to the hubs.

In FortiOS 7.6, local-out traffic is traffic generated by the FortiGate itself, such as ping, traceroute, FortiGuard updates, DNS, NTP, and SNMP. Local-out traffic does not traverse the firewall policy engine and therefore behaves differently from forwarded traffic in SD-WAN.

According to the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture documentation, local-out traffic does not use SD-WAN by default. Instead, it follows the routing table (static and dynamic routes). To allow local-out traffic to be evaluated by SD-WAN rules, the administrator must explicitly enable local-out SD-WAN processing.

The curriculum also states that only SD-WAN rules using the manual strategy are supported for local-out traffic. SLA-based, application-based, and dynamic strategies are not evaluated for traffic generated by the FortiGate itself. This is a fundamental architectural limitation of SD-WAN in FortiOS 7.6.

Option B is incorrect because FortiGate does not automatically apply SD-WAN rules to ping or traceroute traffic by default. Even these tools follow the routing table unless local-out SD-WAN is enabled.

Option D is incorrect because local-out SD-WAN configuration is global. Individual local-out features do not require separate SD-WAN enablement.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.

The SD-WAN rule (config service edit 1) is configured with set mode priority. This means the rule selects the best interface based on a defined performance metric, as opposed to a simple static priority or SLA. The event log (image_41cfb5.png) shows Metric latency and Message Service prioritized by performance metric will be redirected in sequence order. This indicates that the rule is using latency to determine the preferred member. Given that the log message is about a change, and the most logical reason for a change in a priority mode is that a different member is now the best performer, it implies that the latency on port2 has become lower than that on port1.

The log message Service prioritized by performance metric will be redirected in sequence order confirms that FortiGate is changing the member being used for this service. Because the mode is priority, FortiGate dynamically selects the member that currently meets the best performance criteria, which in this case is latency. The log implies a new member has been selected as the most optimal, and with the default configuration, the members are sorted based on their performance, so the outgoing interface list is effectively updated to prefer the new best-performing member (port2).

In FortiOS 7.6, SD-WAN rules can steer traffic based on Internet Services, which represent predefined application and service signatures maintained by FortiGuard. Common applications such as Facebook and LinkedIn are included in the Internet Service database.

According to the FCSS SD-WAN 7.6 curriculum, when configuring an SD-WAN rule from the GUI on a standalone FortiGate device, applications are selected as destinations using the Internet service field, not by enabling a separate application destination field. The exhibit highlights the Internet service option under the Destination section, which is the correct method to match traffic for specific applications.

Option A is incorrect because there is no GUI option to enable application visibility as destinations for SD-WAN rules. Application matching is already abstracted through Internet Services.

Option C is incorrect because standalone FortiGate devices fully support application-based steering using Internet Services in SD-WAN rules.

Option D is incorrect because no additional license is required to use Internet Services in SD-WAN rules. This functionality is included in FortiOS and relies on the built-in FortiGuard Internet Service database.

Therefore, to steer Facebook and LinkedIn traffic through a specific WAN link, you must select Facebook and LinkedIn in the Internet service field, which corresponds to option B.

In FortiOS (including FortiOS 7.6), FortiGate follows a strict and well-defined route lookup order when determining how to forward traffic. This order is critical for understanding SD-WAN behavior and is explicitly referenced in the FCSS SD-WAN curriculum.

The correct lookup sequence is:

Policy routes (Policy-Based Routing)Policy routes are evaluated first. If traffic matches a policy route, FortiGate immediately forwards the traffic according to that policy and bypasses all other routing mechanisms.

Internet Service Database (ISDB) routesIf no policy route matches, FortiGate checks ISDB routes. These routes match traffic based on Internet Services rather than destination IP prefixes.

SD-WAN rulesIf neither a policy route nor an ISDB route matches, FortiGate evaluates SD-WAN rules to determine the outgoing interface based on the configured SD-WAN strategy.

Routing table (connected, static, and dynamic routes such as BGP)If no SD-WAN rule matches, FortiGate performs a normal routing table lookup.

FIB (Forwarding Information Base)The FIB is used to forward the packet based on the selected route.

DropIf no valid route exists, the packet is dropped.

Among the options provided, only Option D correctly reflects the beginning of this sequence by placing policy routes first, followed by ISDB routes, then SD-WAN rules, and finally static routes (representing the routing table).

Therefore, the correct answer is D.

When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies “dirty” flags where applicable. The SD-WAN session management mechanism is described in detail: “Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing.” This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.

One SD-WAN rule is defined with application categories as the destination → The diagnose output shows application control matches such as Microsoft.Portal, Operational.Technology, and Social.Media, confirming that SD-WAN rules are using application categories as destinations.

UDP traffic destined to the subnet 10.22.0.0/24 matches a policy route → The first entry (id=1) shows protocol=17 (UDP) with destination 10.22.0.0/24, confirming this traffic is handled by a policy route instead of an SD-WAN rule.

Specify the gateway of the SD-WAN member port1 with an IP address or use the default value → The error log shows invalid ip – prop[gateway]: ip4class(${sdwan_port1_gw}) invalid ip addr, meaning the variable ${sdwan_port1_gw} does not have a valid mapping. Assigning a valid IP address or default value for the gateway resolves this error.

Review the per-device mapping configuration for metadata variables → The issue is tied to how the metadata variable ${sdwan_port1_gw} is mapped for branch1_fgt. If this device does not have the variable properly defined in per-device mapping, the configuration will fail. Correcting the mapping ensures that the install works.

The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones. This statement perfectly describes the likely sequence of events. The template, when applied, re-organizes the interfaces and zones, causing the existing firewall policy that relies on the old zone configuration to fail. This is the most plausible root cause.

With the Best Quality strategy, FortiGate first checks which links meet the SLA targets defined in the selected performance SLA (in this case, Custom-profile-1). Among those qualified links, FortiGate then uses the member configuration order to decide preference. If multiple links still qualify, it finally considers the member local cost to select the best path.

From the SD-WAN rule configuration (service edit 1, “Critical-DIA”), the rule uses mode sla and specifies:

set priority-members 1 2

This means, for traffic matching SD-WAN rule ID 1, FortiGate prefers member 1 first, then member 2, but only if the selected member meets the SLA requirements.

From the SD-WAN event log, the message explicitly states:

Member status changed. Member out-of-sla.

The log includes Member: 1

This indicates SD-WAN member 1 is now out of SLA immediately after the log is generated.

From the SD-WAN member status output:

Member(1) corresponds to interface port1

Member(2) corresponds to interface port2

Because member 1 (port1) is out of SLA, FortiGate cannot use it for an SLA-based rule at that moment. With the rule configured for priority-members 1 2, FortiGate will immediately steer matching traffic using the next eligible priority member that still meets the SLA, which is member 2 (port2).

Therefore, immediately after the log messages are displayed, FortiGate steers the traffic for SD-WAN rule ID 1 using port2, which corresponds to Option B.

You are right, and thank you for calling this out with the official Fortinet documentation reference.

Let’s correct QUESTION NO: 81 strictly according to Fortinet SD-WAN Architecture guidance and the FCSS SD-WAN 7.6 design principles.

Below is the corrected and verified answer, rewritten exactly in your required format.

The log shows messages on HUB1-VPN1 where the device processes a SHORTCUT_QUERY and performs NAT hole punching (peer at 192.2.0.1:4500). This indicates that the device is acting as a hub, helping two spokes (192.2.0.1 and 10.0.3.101) establish a direct ADVPN shortcut tunnel between each other, instead of routing their traffic through the hub.

From the SD-WAN Zones view in the FortiGate GUI:

virtual-wan-link is the default SD-WAN zone. This zone is system-defined and cannot be deleted, which makes option A incorrect.

The WAN2 zone is displayed without any expandable members beneath it, indicating that no SD-WAN members are currently assigned to the WAN2 zone. This directly supports option B.

A zone can be deleted only if it has no members and is not system-defined, but the exhibit does not indicate that WAN1 is eligible for deletion. Therefore, option C cannot be concluded from the information shown.

In FortiOS SD-WAN, an SD-WAN member can belong to only one SD-WAN zone at a time. A member such as B-125 cannot be assigned to both the WAN3 zone and the Test zone simultaneously, which makes option D incorrect.

In FortiOS 7.6, static routes can reference either:

an SD-WAN zone (for example, virtual-wan-link or a user-defined SD-WAN zone), or

a specific SD-WAN member interface that belongs to that zone.

However, FortiOS enforces a routing constraint to avoid ambiguity during route resolution. Two static routes cannot have the same destination prefix if one points to an SD-WAN zone and the other points to an SD-WAN member within that zone. This would create an overlapping and conflicting forwarding decision.

Therefore, if you configure:

one static route that references an SD-WAN zone, and

another static route that references an SD-WAN member belonging to that same zone,

the destination subnets of the two static routes must be different.

Why the other options are incorrect:

Option A is incorrect because FortiOS does allow static routes that reference individual SD-WAN members.

Option B is incorrect because static routes can reference SD-WAN zones.

Option D is incorrect because static routing decisions in FortiOS are based on destination prefixes, not source prefixes.

Thus, the correct answer is C.

In Fortinet SD-WAN architecture, underlay and overlay have distinct meanings:

Underlay links are the physical or logical transport networks that provide basic IP connectivity (for example, broadband, MPLS, LTE/5G).

Overlay links are virtual tunnels (such as IPsec VPNs) built on top of the underlay, providing abstraction, routing control, and segmentation.

Option B is correct.

Overlay links (for example, IPsec tunnels used in SD-WAN and ADVPN) decouple routing from the physical transport. This allows dynamic path selection, segmentation, and flexible routing policies independent of the underlay. Providing routing flexibility is a core purpose of overlays in SD-WAN.

Option D is correct.

Wireless connections such as LTE or 5G can be used as underlay transports, and overlay tunnels can be built over them. Fortinet SD-WAN fully supports building IPsec overlays on wireless underlays, making wireless links valid for overlay construction.

Why the other options are incorrect:

Option A is incorrect because a VLAN is a Layer 2 segmentation mechanism, not an SD-WAN overlay link.

Option C is incorrect because FortiLink is used for internal management and switch/AP connectivity, not as a WAN underlay for SD-WAN.

Option E is incorrect because underlay links can be wired or wireless; they are not limited to wired connections.

Therefore, the two correct statements are B and D.

The command shown in the exhibit is:

diagnose sys sdwan service 4 3

This command displays the runtime state of SD-WAN rule ID 3 on the device. The output explicitly shows:

Service(3) which confirms the SD-WAN rule being evaluated is rule number 3

Members(9) which indicates that nine SD-WAN members are associated with this rule

The listed members include multiple IPsec tunnel interfaces such as HUB1-VPN1, HUB1-VPN2, HUB1-VPN3, HUB2-VPN1, HUB2-VPN2, and HUB2-VPN3, which is characteristic of a spoke device connecting to multiple hubs in a hub-and-spoke ADVPN topology, as defined in the FCSS SD-WAN 7.6 architecture.

Option B is incorrect because, although members are listed under different interfaces, the output does not indicate SD-WAN zones. Zones are shown only in configuration output, not in this diagnostic command.

Option C is incorrect because this is not a hub device. The presence of multiple hub tunnels as SD-WAN members indicates a spoke role. Additionally, the output does not confirm the number of established ADVPN shortcuts.

Option D is incorrect because the output clearly references SD-WAN rule 3, not rule 4, and it does not state that exactly three shortcut tunnels are allowed.

Therefore, the correct conclusion is that this is a spoke device and SD-WAN rule 3 is configured with nine members, which matches option A.

In the exhibit, the IPsec tunnel statistics event log entries include the field advpnsc.

Fortinet documents that advpnsc identifies whether the VPN event is based on an ADVPN shortcut:

advpnsc=1 → the tunnel is an ADVPN shortcut

advpnsc=0 → not an ADVPN shortcut (Fortinet Documentation Library)

In the shown logs, the tunnel vpntunnel="HUB1-VPN1_0" has advpnsc=1, which means HUB1-VPN1_0 is an ADVPN shortcut tunnel. (Fortinet Documentation Library)

The other tunnels shown (for example VPN4_0 and HUB2-VPN3) have advpnsc=0, which only indicates no shortcut is identified for those log entries—it does not prove they “cannot accept” shortcuts, only that the specific event is not a shortcut. (Fortinet Documentation Library)

The use of SLA targets is specific to certain SD-WAN strategies. The "Lowest Cost (SLA)" and "Maximize Bandwidth (SLA)" strategies are explicitly designed to use the configured SLA targets to make routing decisions. The "Best Quality" strategy uses performance metrics but does not necessarily require or reference SLA targets in the same way, while "Manual" does not use metrics at all for path selection.

This is a core function of SD-WAN rules with SLA targets. The purpose of configuring an SLA target with specific thresholds for latency, jitter, and packet loss is to define what is considered "acceptable" performance for an application. SD-WAN rules then use these targets to check if the members (interfaces) meet these requirements before a flow is steered over them, ensuring that a preferred path still offers a good user experience.

FortiGate allows for a single SD-WAN rule to reference multiple, different performance SLAs. This is crucial for complex deployments where a single SD-WAN rule needs to handle traffic for multiple applications that have distinct performance requirements. For example, a single rule might direct VoIP traffic based on one performance SLA with strict latency/jitter targets, while simultaneously handling general web traffic using another performance SLA with more lenient requirements.

In FortiOS 7.6, when SD-WAN is enabled, physical and logical WAN interfaces are added as SD-WAN members and are abstracted behind the SD-WAN interface (virtual-wan-link or SD-WAN zone). Traffic forwarding decisions are then made by SD-WAN rules instead of individual interfaces.

As documented in the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture guides, firewall policies must reference the SD-WAN interface or SD-WAN zone, not the individual WAN interfaces that are members of SD-WAN. Therefore, during the configuration update process, existing firewall policies that reference physical WAN interfaces must be updated to reference the SD-WAN interface.

Option A is incorrect because routing configuration does not require replacing interface references when SD-WAN is enabled. Static and dynamic routes typically point to the SD-WAN interface automatically, and SD-WAN rules handle path selection.

Option B is incorrect because SD-WAN is a built-in FortiOS feature. It does not require a separate license and does not require a reboot when enabled.

Option D is incorrect because interfaces must remain enabled to function as SD-WAN members. Disabling an interface would prevent SD-WAN from using it for traffic forwarding.

Therefore, the required action during the SD-WAN configuration update process is to replace references to interfaces used as SD-WAN members in the firewall policies, which corresponds to option C.

This configuration demonstrates a typical IPsec setup for SD-WAN overlays where the hub side requires a manually defined tunnel IP address, and the spoke can be flexibly configured, including interoperability with third-party IPsec devices. As described in the Fortinet SD-WAN Architect Guide: “For some overlays, the tunnel interface IP is configured statically on the hub side, which allows more control over overlay subnetting and facilitates the use of user-defined overlay IP addresses. This approach is also a requirement for compatibility with non-FortiGate endpoints, such as third-party IPsec devices that may not support dynamic address assignment via IKE or proprietary mechanisms.” This enables hybrid SD-WAN environments and advanced designs involving external partners or cloud services. Overlay IP flexibility is critical for route control and segmentation.

From the SD-WAN monitor in FortiManager:

"The SD-WAN monitor provides a summary view of the branch devices and their members. In the scenario shown, it is clear that branch2_fgt is missing SLA configuration for one member, as evidenced by the lack of performance metrics. The monitor also shows only two branches in the current topology, allowing quick assessment of branch health and configuration completeness."

This kind of visibility is vital for proactive monitoring and rapid troubleshooting in SD-WAN environments.