Free and Premium Fortinet NSE6_SDW_AD-7.6 Dumps Questions Answers

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

" Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic. "

Administrators can observe this in diagnostic outputs for troubleshooting.

In the exhibit, the IPsec tunnel statistics event log entries include the field advpnsc .

Fortinet documents that advpnsc identifies whether the VPN event is based on an ADVPN shortcut :

advpnsc=1 → the tunnel is an ADVPN shortcut

advpnsc=0 → not an ADVPN shortcut ( Fortinet Documentation Library )

In the shown logs, the tunnel vpntunnel= " HUB1-VPN1_0 " has advpnsc=1 , which means HUB1-VPN1_0 is an ADVPN shortcut tunnel . ( Fortinet Documentation Library )

The other tunnels shown (for example VPN4_0 and HUB2-VPN3 ) have advpnsc=0 , which only indicates no shortcut is identified for those log entries —it does not prove they “cannot accept” shortcuts, only that the specific event is not a shortcut. ( Fortinet Documentation Library )

In FortiOS 7.6, SD-WAN rules can steer traffic based on Internet Services , which represent predefined application and service signatures maintained by FortiGuard. Common applications such as Facebook and LinkedIn are included in the Internet Service database.

According to the FCSS SD-WAN 7.6 curriculum, when configuring an SD-WAN rule from the GUI on a standalone FortiGate device, applications are selected as destinations using the Internet service field , not by enabling a separate application destination field. The exhibit highlights the Internet service option under the Destination section, which is the correct method to match traffic for specific applications.

Option A is incorrect because there is no GUI option to enable application visibility as destinations for SD-WAN rules. Application matching is already abstracted through Internet Services.

Option C is incorrect because standalone FortiGate devices fully support application-based steering using Internet Services in SD-WAN rules.

Option D is incorrect because no additional license is required to use Internet Services in SD-WAN rules. This functionality is included in FortiOS and relies on the built-in FortiGuard Internet Service database.

Therefore, to steer Facebook and LinkedIn traffic through a specific WAN link, you must select Facebook and LinkedIn in the Internet service field , which corresponds to option B.

Hosting the hub at the MSSP centralizes installation, security, and ongoing management while each site (spoke) keeps local DIA. This can be done multi-tenant with a shared hub using a dedicated VDOM or with a fully dedicated hub per customer for stricter isolation and control, both meeting the requirement to delegate administration to the MSSP and support high inter-site traffic.

" Another popular MSSP choice is to deploy the hubs on the customer premises, such as at a central office or a data center. The traffic flow in this blueprint is quite different from the two previous scenarios described. The majority of the traffic is likely to be either spoke-to-hub—branch sites accessing workloads hosted in the data center or an RIA through a centralized breakout owned by the customer—or DIA on the spokes. In this type of topology, occasional spoke-to-spoke traffic is possible, but rare, and usually non-existent. "

When SD-WAN load balancing is required with link quality awareness , FortiOS relies on SLA-based strategies . These strategies evaluate link performance using performance SLAs (latency, jitter, packet loss, MOS) and then make forwarding decisions accordingly.

Option A is correct.

In FortiOS 7.6, when an SLA-based SD-WAN rule has load balancing enabled , FortiGate distributes traffic only across the members that meet the SLA targets . Any member that is out of SLA is excluded from load balancing. This behavior ensures that traffic is not forwarded over degraded links while still allowing load distribution across healthy paths.

Option C is correct.

The lowest cost (SLA) strategy is an SLA-based strategy that considers link quality while also allowing SD-WAN load balancing . When multiple members meet the SLA requirements and have equal cost, FortiGate can load balance traffic across them using the configured hash mode. This makes the lowest cost SLA strategy suitable when both link quality and load balancing are required.

Why the other options are incorrect:

Option B is incorrect because the best quality strategy is designed to select the single best-performing link based on SLA metrics. It does not support SD-WAN load balancing across multiple links.

Option D is incorrect because the best quality strategy does not support load balancing at all, so the statement about round-robin hash mode is invalid.

Therefore, the two correct facts to consider are A and C .

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there’s an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.

In FortiOS 7.6, when SD-WAN is enabled, physical and logical WAN interfaces are added as SD-WAN members and are abstracted behind the SD-WAN interface (virtual-wan-link or SD-WAN zone) . Traffic forwarding decisions are then made by SD-WAN rules instead of individual interfaces.

As documented in the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture guides, firewall policies must reference the SD-WAN interface or SD-WAN zone , not the individual WAN interfaces that are members of SD-WAN. Therefore, during the configuration update process, existing firewall policies that reference physical WAN interfaces must be updated to reference the SD-WAN interface .

Option A is incorrect because routing configuration does not require replacing interface references when SD-WAN is enabled. Static and dynamic routes typically point to the SD-WAN interface automatically, and SD-WAN rules handle path selection.

Option B is incorrect because SD-WAN is a built-in FortiOS feature . It does not require a separate license and does not require a reboot when enabled.

Option D is incorrect because interfaces must remain enabled to function as SD-WAN members. Disabling an interface would prevent SD-WAN from using it for traffic forwarding.

Therefore, the required action during the SD-WAN configuration update process is to replace references to interfaces used as SD-WAN members in the firewall policies , which corresponds to option C.

From the exhibit, both branches have an SD-WAN zone named overlay with set advpn-select enable, and each SD-WAN member in that zone is assigned a transport-group value.

Branch-A members:

T1 → transport-group 1

T2 → transport-group 1

T3 → transport-group 2

Branch-B members:

TA → transport-group 1

TB → transport-group 2

TC → transport-group 3

In FCSS SD-WAN 7.6 ADVPN design, transport-group is used to constrain which underlays are allowed to form ADVPN shortcuts with each other . A spoke can establish an ADVPN shortcut only between interfaces that belong to the same transport-group on both sides. This prevents building shortcuts across dissimilar transports.

Evaluating the options:

Option D ( T2 on Branch-A with transport-group 1 and TA on Branch-B with transport-group 1) is a valid shortcut pairing.

Option C is not valid because T3 is transport-group 2 while TC is transport-group 3, so they are not permitted to form a shortcut.

Option A is incorrect because not all overlay-zone interfaces are eligible; eligibility is restricted by transport-group matching.

Option B is incorrect because ADVPN shortcuts are spoke-to-spoke tunnels (facilitated by the hub), not limited to “interfaces connected to hub only.”

Therefore, the valid shortcut pairing listed is between T2 on Branch-A and TA on Branch-B , which corresponds to Option D .

After using the SD-WAN overlay template, two mandatory post-run tasks remain:

" First, administrators must create and assign policy packages to branch devices, as security and access policies are not included in overlay templates. Second, SD-WAN rules must be configured so that traffic can be matched and steered appropriately through the established overlays. Neglecting either task results in ungoverned traffic or inefficient routing, undermining the benefits of SD-WAN. "

Templates automate topology, but policy and rule definition are critical for operational effectiveness.

The SD-WAN monitor’s table view in FortiManager provides a donut visualization plus a detailed table that shows each SD-WAN member’s status and SLA pass/miss, giving the per-member health view you’re after.

Your requirements map to two key MSSP goals described in the FCSS SD-WAN 7.6 blueprint patterns:

Delegate as much administration and management as possible to the MSSP This is best achieved when the hub security and SD-WAN control point is located on the MSSP premises , because the MSSP can centrally operate the core enforcement and overlay control. Both option B (dedicated hub at MSSP) and option D (shared hub at MSSP with customer isolation) meet this requirement.

Each site must maintain direct internet access (DIA) and be secure, with significant site-to-site traffic In Fortinet SD-WAN MSSP designs, spokes can still use local breakout for DIA while also building secure overlays for inter-site traffic. Placing the hub at the MSSP enables centralized security services and scalable inter-site connectivity management while preserving DIA where required. Options B and D support this operating model.

Why the other options do not best match:

A includes a dedicated hub on the customer premises , which reduces how much the MSSP can centralize and operate from its own environment, so it does not maximize delegation.

C places both hub and spokes on the customer premises . While the MSSP can manage using a dedicated ADOM, this blueprint does not align as strongly with “delegate installation and management” to the MSSP as the designs where the hub is hosted and operated from the MSSP premises.

Therefore, the two MSSP deployment blueprints that address your requirements are B and D .

Application-based SD-WAN rules enable intelligent traffic steering. The guide specifies:

" If a flow is identified as belonging to a defined application category (such as social media), FortiGate will match it to the corresponding service rule (rule 2) and route it through the specified interface, such as port2. However, if the application is not recognized during the session setup, the system defaults to load balancing the traffic using the available tunnels according to the policy for unclassified traffic, ensuring continuous connectivity while waiting for application classification. "

This guarantees both performance and resilience.

" The custom-profile-1 metric uses a formula that calculates a composite value out of the latency, jitter, packet loss, and bibandwidth. The composite value is called the link quality index. " And from page 227, the factors FortiGate uses in order are: " FortiGate determines the member with the best quality using three factors: member configuration order, the link-cost-threshold setting, and the value of the metric measured for the member. "

From the SD-WAN Zones view in the FortiGate GUI:

virtual-wan-link is the default SD-WAN zone. This zone is system-defined and cannot be deleted , which makes option A incorrect.

The WAN2 zone is displayed without any expandable members beneath it, indicating that no SD-WAN members are currently assigned to the WAN2 zone . This directly supports option B.

A zone can be deleted only if it has no members and is not system-defined , but the exhibit does not indicate that WAN1 is eligible for deletion. Therefore, option C cannot be concluded from the information shown.

In FortiOS SD-WAN, an SD-WAN member can belong to only one SD-WAN zone at a time . A member such as B-125 cannot be assigned to both the WAN3 zone and the Test zone simultaneously, which makes option D incorrect.

By default, local-out traffic does not use SD-WAN → FortiGate normally sends local-out traffic (e.g., DNS, NTP, FortiGuard updates) directly through its interfaces without applying SD-WAN rules.

You must configure each local-out feature individually to use SD-WAN → To steer local-out traffic via SD-WAN, you must explicitly configure the desired local-out features (e.g., DNS, FortiGuard, CAPWAP) to use SD-WAN rules.

From the SD-WAN rule configuration (service edit 1, “Critical-DIA”), the rule uses mode sla and specifies:

set priority-members 1 2

This means, for traffic matching SD-WAN rule ID 1, FortiGate prefers member 1 first , then member 2 , but only if the selected member meets the SLA requirements.

From the SD-WAN event log , the message explicitly states:

Member status changed. Member out-of-sla.

The log includes Member: 1

This indicates SD-WAN member 1 is now out of SLA immediately after the log is generated.

From the SD-WAN member status output:

Member(1) corresponds to interface port1

Member(2) corresponds to interface port2

Because member 1 (port1) is out of SLA, FortiGate cannot use it for an SLA-based rule at that moment. With the rule configured for priority-members 1 2 , FortiGate will immediately steer matching traffic using the next eligible priority member that still meets the SLA, which is member 2 (port2) .

Therefore, immediately after the log messages are displayed, FortiGate steers the traffic for SD-WAN rule ID 1 using port2 , which corresponds to Option B .

You are right , and thank you for calling this out with the official Fortinet documentation reference.

Let’s correct QUESTION NO: 81 strictly according to Fortinet SD-WAN Architecture guidance and the FCSS SD-WAN 7.6 design principles .

Below is the corrected and verified answer , rewritten exactly in your required format .

The rule is in SLA mode with two SLAs. From the status, HUB1-VPN2 and HUB1-VPN3 meet the SLA (sla(0x2) and sla(0x3)), while HUB1-VPN1 does not (sla(0x0)). Among members that meet SLA, FortiGate uses the configured order (priority-members 4 5 6) to pick the first eligible one—HUB1-VPN2—so traffic is routed over HUB1-VPN2.

The described design is a multi-region SD-WAN architecture , where:

Each region has its own dual-hub ADVPN domain

Most traffic is intra-region

Inter-region traffic is limited and controlled

Spokes can be single-hub or dual-hub , depending on size and redundancy requirements

According to Fortinet’s SD-WAN Architecture for Enterprise guidance, when deploying multiple ADVPN regions , eBGP is the recommended routing protocol between regions . Each region operates as an independent routing domain (typically iBGP within the region), while eBGP is used to exchange routes between regional hubs . This approach:

Prevents excessive route reflection and scaling issues

Provides clear administrative boundaries between regions

Improves stability and scalability in large global deployments

Matches the exact traffic pattern described (high intra-region, low inter-region traffic)

This is explicitly documented in Fortinet guidance for “Using eBGP between regions with intra-region ADVPN” , which confirms that the architecture described in the question is valid and recommended when eBGP is used between regions.

Why the other options are incorrect:

Option B is incorrect because FortiOS does not impose a hard “four-hub” architectural limit in the described regional model. Each region has its own hubs, not a single flat multihub domain.

Option C is incomplete. While FortiManager Overlay Orchestrator can help operationally, it is not the key architectural requirement that makes this design valid. The question asks what makes the plan correct from a design standpoint , not a tooling standpoint.

Option D is incorrect because FortiOS fully supports mixed spoke connectivity within the same region (some spokes single-hub, others dual-hub), which is a common enterprise SD-WAN design.

Therefore, the correct and documented conclusion is that the plan is possible and eBGP should be used as the routing protocol between regions , which corresponds to Answer A .