Free and Premium Fortinet NSE6_SDW_AD-7.6 Dumps Questions Answers

For SD-WAN deployments that span multiple regions—where most traffic is intra-region and there is no requirement for inter-region ADVPN—the best practice is to use IBGP with BGP on loopback interfaces for routing within each region and EBGP between the regions. This approach ensures robust and scalable routing, isolates regional routing domains, and enables policy control at region boundaries. BGP on loopback is preferred for its reliability and flexibility, as it enables peering that is not tied to specific physical interfaces. EBGP between regions allows each region to maintain independent routing policies and summarization, optimizing performance and manageability. By separating IBGP (intra-region) and EBGP (inter-region), you create a modular architecture that scales easily and simplifies fault isolation and troubleshooting.

Specify the gateway of the SD-WAN member port1 with an IP address or use the default value → The error log shows invalid ip – prop[gateway]: ip4class(${sdwan_port1_gw}) invalid ip addr, meaning the variable ${sdwan_port1_gw} does not have a valid mapping. Assigning a valid IP address or default value for the gateway resolves this error.

Review the per-device mapping configuration for metadata variables → The issue is tied to how the metadata variable ${sdwan_port1_gw} is mapped for branch1_fgt. If this device does not have the variable properly defined in per-device mapping, the configuration will fail. Correcting the mapping ensures that the install works.

The diagnose output shows multiple ADVPN tunnels (HUB1-VPN1, HUB1-VPN2, HUB1-VPN3) with detailed latency, jitter, and packet loss values being reported for each. In ADVPN, the spoke performs embedded health checks and provides the hub with the performance metrics for each tunnel. Therefore, the device in the exhibit is a spoke, and it is sending health-check measurements for each tunnel to the hub.

In FortiOS (including FortiOS 7.6), FortiGate follows a strict and well-defined route lookup order when determining how to forward traffic. This order is critical for understanding SD-WAN behavior and is explicitly referenced in the FCSS SD-WAN curriculum.

The correct lookup sequence is:

Policy routes (Policy-Based Routing)Policy routes are evaluated first. If traffic matches a policy route, FortiGate immediately forwards the traffic according to that policy and bypasses all other routing mechanisms.

Internet Service Database (ISDB) routesIf no policy route matches, FortiGate checks ISDB routes. These routes match traffic based on Internet Services rather than destination IP prefixes.

SD-WAN rulesIf neither a policy route nor an ISDB route matches, FortiGate evaluates SD-WAN rules to determine the outgoing interface based on the configured SD-WAN strategy.

Routing table (connected, static, and dynamic routes such as BGP)If no SD-WAN rule matches, FortiGate performs a normal routing table lookup.

FIB (Forwarding Information Base)The FIB is used to forward the packet based on the selected route.

DropIf no valid route exists, the packet is dropped.

Among the options provided, only Option D correctly reflects the beginning of this sequence by placing policy routes first, followed by ISDB routes, then SD-WAN rules, and finally static routes (representing the routing table).

Therefore, the correct answer is D.

When referencing a zone in a static route, FortiGate’s behavior is described as:

"Referencing a zone in a static route causes FortiGate to install a static route for each member interface of the zone. This enables ECMP (Equal-Cost Multi-Path) and load balancing where supported and ensures that traffic can be steered over any valid zone member according to SD-WAN rules or standard routing."

This mechanism is fundamental to Fortinet’s implementation of SD-WAN and simplifies large, multi-interface deployments.

The SD-WAN monitor’s table view in FortiManager provides a donut visualization plus a detailed table that shows each SD-WAN member’s status and SLA pass/miss, giving the per-member health view you’re after.

When planning to deploy a large number of branches (e.g., 50), Fortinet recommends several preparatory steps to simplify and automate the rollout. Creating model devices allows you to predefine configurations and settings that can be cloned or adapted for each branch, saving time and minimizing manual errors. Preparing a Zero Touch Provisioning (ZTP) template enables automatic onboarding and provisioning of new FortiGates as soon as they come online, reducing manual intervention. Lastly, creating a policy blueprint allows for standardized policy deployment across all branches, ensuring consistent security and SD-WAN rule enforcement. This holistic approach streamlines the deployment process, allows for rapid scaling, and ensures that all devices are configured according to corporate policy from day one.

When you enable ADVPN (auto-discovery VPN) in the overlay template, FortiManager automatically updates both the IPsec and BGP templates on the hub so that shortcut tunnels can be established dynamically.

ADVPN can be activated in the SD-WAN overlay template for any supported topology, including dual-hub primary–primary, not just single hub.

In Fortinet SD-WAN, hubs should not have extensions like FortiSwitch, FortiAP, or FortiExtender installed, as these can affect hub functionality and scalability. While all device types can be included in the topology, the hubs must be "clean" FortiGate devices without such extensions to ensure proper ADVPN and overlay management.

The use of SLA targets is specific to certain SD-WAN strategies. The "Lowest Cost (SLA)" and "Maximize Bandwidth (SLA)" strategies are explicitly designed to use the configured SLA targets to make routing decisions. The "Best Quality" strategy uses performance metrics but does not necessarily require or reference SLA targets in the same way, while "Manual" does not use metrics at all for path selection.

This is a core function of SD-WAN rules with SLA targets. The purpose of configuring an SLA target with specific thresholds for latency, jitter, and packet loss is to define what is considered "acceptable" performance for an application. SD-WAN rules then use these targets to check if the members (interfaces) meet these requirements before a flow is steered over them, ensuring that a preferred path still offers a good user experience.

FortiGate allows for a single SD-WAN rule to reference multiple, different performance SLAs. This is crucial for complex deployments where a single SD-WAN rule needs to handle traffic for multiple applications that have distinct performance requirements. For example, a single rule might direct VoIP traffic based on one performance SLA with strict latency/jitter targets, while simultaneously handling general web traffic using another performance SLA with more lenient requirements.

When SD-WAN load balancing is required with link quality awareness, FortiOS relies on SLA-based strategies. These strategies evaluate link performance using performance SLAs (latency, jitter, packet loss, MOS) and then make forwarding decisions accordingly.

Option A is correct.

In FortiOS 7.6, when an SLA-based SD-WAN rule has load balancing enabled, FortiGate distributes traffic only across the members that meet the SLA targets. Any member that is out of SLA is excluded from load balancing. This behavior ensures that traffic is not forwarded over degraded links while still allowing load distribution across healthy paths.

Option C is correct.

The lowest cost (SLA) strategy is an SLA-based strategy that considers link quality while also allowing SD-WAN load balancing. When multiple members meet the SLA requirements and have equal cost, FortiGate can load balance traffic across them using the configured hash mode. This makes the lowest cost SLA strategy suitable when both link quality and load balancing are required.

Why the other options are incorrect:

Option B is incorrect because the best quality strategy is designed to select the single best-performing link based on SLA metrics. It does not support SD-WAN load balancing across multiple links.

Option D is incorrect because the best quality strategy does not support load balancing at all, so the statement about round-robin hash mode is invalid.

Therefore, the two correct facts to consider are A and C.

From the Underlay and network advertisement configuration exhibit for the Secondary HUB:

Under Underlay, the template explicitly lists:

WAN Underlay 1 = port1

WAN Underlay 2 = port2

In FortiManager SD-WAN Overlay Orchestrator, underlay interfaces selected for a hub are the transports used to build the overlay IPsec tunnels (one overlay per underlay, per peer as defined by the template). Because both port1 and port2 are configured as underlays, FortiManager will build overlay tunnels over both underlay links. That supports:

Option C (overlay tunnel on port1)

Option B (overlay tunnel on port2)

For the BGP neighbor options:

The Network Advertisement section shows Interface 1 = port5, which indicates a LAN/internal interface whose connected or static networks may be advertised into the overlay routing domain. This does not make port5 a BGP neighbor interface; it is the interface whose routes are being advertised.

The template indicates Dynamic BGP is enabled. In Overlay Orchestrator designs, BGP neighbor relationships are formed across the overlay tunnel interfaces / overlay endpoints, not directly on the raw underlay interfaces (port1/port2) and not on the advertised LAN interface (port5). Therefore, options A and D are not valid conclusions from what is shown.

So, the two correct conclusions are B and C.

The SD-WAN rule (config service edit 1) is configured with set mode priority. This means the rule selects the best interface based on a defined performance metric, as opposed to a simple static priority or SLA. The event log (image_41cfb5.png) shows Metric latency and Message Service prioritized by performance metric will be redirected in sequence order. This indicates that the rule is using latency to determine the preferred member. Given that the log message is about a change, and the most logical reason for a change in a priority mode is that a different member is now the best performer, it implies that the latency on port2 has become lower than that on port1.

The log message Service prioritized by performance metric will be redirected in sequence order confirms that FortiGate is changing the member being used for this service. Because the mode is priority, FortiGate dynamically selects the member that currently meets the best performance criteria, which in this case is latency. The log implies a new member has been selected as the most optimal, and with the default configuration, the members are sorted based on their performance, so the outgoing interface list is effectively updated to prefer the new best-performing member (port2).

FortiManager enforces a strict distinction:

"Firewall policies must reference SD-WAN zones, not individual SD-WAN members, when used in conjunction with SD-WAN templates. Attempting to install a policy that references a specific member (interface) will result in a deployment error, as member-level targeting is not supported in SD-WAN policy abstraction. This enforces centralized policy consistency and proper SD-WAN operation."

Ensuring policies target zones allows FortiGate to dynamically select the optimal member.

When asymmetric routing is observed (such as reply traffic not following the optimal path), the solution is:

"The auxiliary-session feature, enabled under config system settings, allows FortiGate to consider multiple egress interfaces for reply traffic, not just the original ingress interface. This is crucial for SD-WAN environments where the best path may differ between forward and return directions, especially when performance or policy rules are dynamically evaluated."

Activating this ensures reply traffic is always sent on the member with the best real-time metrics.

The hub must send additional paths to spokes (set additional-path send).

The hub must treat each spoke as a route-reflector client so spoke routes are reflected to other spokes.

The hub must specify how many additional paths to advertise (set adv-additional-path ).

With the Best Quality strategy, FortiGate first checks which links meet the SLA targets defined in the selected performance SLA (in this case, Custom-profile-1). Among those qualified links, FortiGate then uses the member configuration order to decide preference. If multiple links still qualify, it finally considers the member local cost to select the best path.

From the exhibit, both branches have an SD-WAN zone named overlay with set advpn-select enable, and each SD-WAN member in that zone is assigned a transport-group value.

Branch-A members:

T1 → transport-group 1

T2 → transport-group 1

T3 → transport-group 2

Branch-B members:

TA → transport-group 1

TB → transport-group 2

TC → transport-group 3

In FCSS SD-WAN 7.6 ADVPN design, transport-group is used to constrain which underlays are allowed to form ADVPN shortcuts with each other. A spoke can establish an ADVPN shortcut only between interfaces that belong to the same transport-group on both sides. This prevents building shortcuts across dissimilar transports.

Evaluating the options:

Option D (T2 on Branch-A with transport-group 1 and TA on Branch-B with transport-group 1) is a valid shortcut pairing.

Option C is not valid because T3 is transport-group 2 while TC is transport-group 3, so they are not permitted to form a shortcut.

Option A is incorrect because not all overlay-zone interfaces are eligible; eligibility is restricted by transport-group matching.

Option B is incorrect because ADVPN shortcuts are spoke-to-spoke tunnels (facilitated by the hub), not limited to “interfaces connected to hub only.”

Therefore, the valid shortcut pairing listed is between T2 on Branch-A and TA on Branch-B, which corresponds to Option D.

In FortiOS 7.6, when SD-WAN is enabled, physical and logical WAN interfaces are added as SD-WAN members and are abstracted behind the SD-WAN interface (virtual-wan-link or SD-WAN zone). Traffic forwarding decisions are then made by SD-WAN rules instead of individual interfaces.

As documented in the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture guides, firewall policies must reference the SD-WAN interface or SD-WAN zone, not the individual WAN interfaces that are members of SD-WAN. Therefore, during the configuration update process, existing firewall policies that reference physical WAN interfaces must be updated to reference the SD-WAN interface.

Option A is incorrect because routing configuration does not require replacing interface references when SD-WAN is enabled. Static and dynamic routes typically point to the SD-WAN interface automatically, and SD-WAN rules handle path selection.

Option B is incorrect because SD-WAN is a built-in FortiOS feature. It does not require a separate license and does not require a reboot when enabled.

Option D is incorrect because interfaces must remain enabled to function as SD-WAN members. Disabling an interface would prevent SD-WAN from using it for traffic forwarding.

Therefore, the required action during the SD-WAN configuration update process is to replace references to interfaces used as SD-WAN members in the firewall policies, which corresponds to option C.

This is because the setting minimum-sla-meet-members = 2 requires at least two SD-WAN zone members (in this case, HUB2-VPN1, HUB2-VPN2, and HUB2-VPN3) to pass the defined SLA health check (HUB1_HC) before the FortiGate will establish ADVPN shortcuts. If fewer than two members meet the SLA, shortcuts will not be created.

Rules template → Defines the SD-WAN rules for traffic steering.

BGP template → Configures dynamic routing for overlay tunnels.

IPsec tunnel template → Builds the IPsec VPN tunnels from the spoke to the hubs.

In the exhibits, port2 is already assigned to the SD-WAN zone named Test. An interface can only belong to a single SD-WAN zone, so before you can add both port1 and port2 into the new SD-WAN zone Underlay, you must first delete the SD-WAN Zone Test to free port2.

Hosting the hub at the MSSP centralizes installation, security, and ongoing management while each site (spoke) keeps local DIA. This can be done multi-tenant with a shared hub using a dedicated VDOM or with a fully dedicated hub per customer for stricter isolation and control, both meeting the requirement to delegate administration to the MSSP and support high inter-site traffic.