Fortinet FCSS_SDW_AR-7.4 Exam Practice Test Instant Access

Question 1

As an IT manager for a healthcare company, you want to delegate the installation and management of your SD-WAN deployment to a managed security service provider (MSSP). Each site must maintain direct internet access and ensure that it is secure. You expected significant traffic flow between the sites and want to delegate as much of the network administration and management as possible to the MSSP.

Which two MSSP deployment blueprints best address the customer's requirements? (Choose two.)

AUse a shared hub at the MSSP premises with a dedicated VDOM for the new customer, and install the spokes at the customer premises.

BUse a shared hub at the MSSP premises and a dedicated hub at the customer premises and install the spokes at the customer premises.

CInstall a dedicated hub at the MSSP premises for the new customer, and install the spokes at the customer premises.

DInstall the hub and spokes at the customer premises and enable the MSSP to manage the SD-WAN deployment using FortiManager with a dedicated ADOM.

Answer : A, C

Hosting the hub at the MSSP centralizes installation, security, and ongoing management while each site (spoke) keeps local DIA. This can be done multi-tenant with a shared hub using a dedicated VDOM or with a fully dedicated hub per customer for stricter isolation and control, both meeting the requirement to delegate administration to the MSSP and support high inter-site traffic.

Question 2

Exhibit.

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. What can you conclude about the zone and member configuration on this device?

AThe underlay zone contains three members.

BYou can delete the virtual-wan-link zones.

CThe overlay-factories zone contains no member.

DYou can move HUB1-VPN3 from the HUB1 zone to the overlay-shops zone.

Answer : C

In the SD-WAN GUI, the absence of members in a zone is visually represented, and the Fortinet guide confirms: 'If a zone such as overlay-factories contains no members, it will be displayed as empty in the SD-WAN GUI. This may occur when the zone is reserved for future expansion, or if members have been temporarily removed for maintenance or reconfiguration. Traffic cannot be steered via an empty zone until at least one SD-WAN member is added.' Such visual cues help operators quickly assess configuration status and readiness.

Question 3

Refer to the exhibit, which shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured latency will first make HUB1-VPN3 the new preferred member?

AWhen HUB1-VPN3 has a lower latency than HUB1-VPN1 and HUB1-VPN2

BWhen HUB1-VPN3 has a latency of 80 ms

CWhen HUB1-VPN3 has a latency of 90 ms

DWhen HUB1-VPN1 has a latency of 200 ms

Answer : D

The rule is in priority mode with HUB1-VPN1 (seq 4) as the first preferred member, HUB1-VPN2 second, and HUB1-VPN3 third. Latency itself does not cause HUB1-VPN3 to become preferred unless a higher-priority member fails SLA. If HUB1-VPN1's latency exceeds the SLA threshold (here simulated by latency reaching 200 ms), FortiGate stops using it and moves down the priority list. That is when HUB1-VPN3 could become the active path.

Question 4

Refer to the exhibit.

The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate device that supports hardware offloading.

Based on the information shown in the exhibits, which two conclusions can you draw? (Choose two.)

ABy default, FortiGate offloads symmetric and asymmetric flows.

BThe original direction of the symmetric traffic flows from port3 to port2.

CThe reply direction of the asymmetric traffic flows from port2 to port3.

DThe auxiliary session can be offloaded to hardware.

Answer : B, C

The session details show the symmetric flow's original direction as port3 port2.

The asymmetric flow's reply direction is listed as port2 port3.

Question 5

The administrator uses the FortiManager SD-WAN overlay template to prepare an SD-WAN deployment. Using information provided through the SD-WAN overlay template wizard, FortiManager creates templates ready to install on the spoke and hub devices.

What are the three templates created by the SD-WAN overlay template for a spoke device? (Choose three.)

AStatic route template

BRules template

CCLI template

DBGP template

EIPsec tunnel template

Answer : B, D, E

Rules template Defines the SD-WAN rules for traffic steering.

BGP template Configures dynamic routing for overlay tunnels.

IPsec tunnel template Builds the IPsec VPN tunnels from the spoke to the hubs.

Question 6

Refer to the exhibit.

Which two conclusions can you draw from the output shown? (Choose two.)

AOne SD-WAN rule is defined with application categories as the destination.

BUDP traffic destined to the subnet 10.22.0.0/24 matches a manual SD-WAN rule.

COne SD-WAN rule allows traffic load balancing.

DUDP traffic destined to the subnet 10.22.0.0/24 matches a policy route.

Answer : A, D

One SD-WAN rule is defined with application categories as the destination The diagnose output shows application control matches such as Microsoft.Portal, Operational.Technology, and Social.Media, confirming that SD-WAN rules are using application categories as destinations.

UDP traffic destined to the subnet 10.22.0.0/24 matches a policy route The first entry (id=1) shows protocol=17 (UDP) with destination 10.22.0.0/24, confirming this traffic is handled by a policy route instead of an SD-WAN rule.

Question 7

Refer to the exhibit.

How does FortiGate handle the traffic with the source IP 10.0.1.130 and the destination IP 128.66.0 125?

AFortiGate routes the traffic flow according to the FIB.

BFortiGate load balances the traffic flow through port1 and port2.

CFortiGate drops the traffic flow.

DFortiGate steers the traffic flow through port2.

Answer : C

The router policy explicitly denies traffic with source 10.0.1.128/25 (which includes 10.0.1.130) and destination 128.66.0.0/24 (which includes 128.66.0.125). Even though SD-WAN service 4 shows members (port1 and port2) alive and available for this traffic, the router policy is evaluated first and blocks it. Therefore, FortiGate drops the traffic flow.

Fortinet FCSS - SD-WAN 7.4 Architect FCSS_SDW_AR-7.4 Exam Practice Test