Fortinet FCSS_SDW_AR-7.6 Exam Questions Instant Access

Question 1

(In the context of SD-WAN, the terms underlay and overlay are commonly used to categorize links.

Which two statements about underlay and overlay links are correct? Choose two answers.)

AA VLAN is a type of overlay link.

BOverlay links provide routing flexibility.

CFortiLink interface is considered an underlay link.

DWireless connections can be used to build overlay links.

EOnly wired connections can be used as underlay links.

Answer : B, D

In Fortinet SD-WAN architecture, underlay and overlay have distinct meanings:

Underlay links are the physical or logical transport networks that provide basic IP connectivity (for example, broadband, MPLS, LTE/5G).

Overlay links are virtual tunnels (such as IPsec VPNs) built on top of the underlay, providing abstraction, routing control, and segmentation.

Option B is correct.

Overlay links (for example, IPsec tunnels used in SD-WAN and ADVPN) decouple routing from the physical transport. This allows dynamic path selection, segmentation, and flexible routing policies independent of the underlay. Providing routing flexibility is a core purpose of overlays in SD-WAN.

Option D is correct.

Wireless connections such as LTE or 5G can be used as underlay transports, and overlay tunnels can be built over them. Fortinet SD-WAN fully supports building IPsec overlays on wireless underlays, making wireless links valid for overlay construction.

Why the other options are incorrect:

Option A is incorrect because a VLAN is a Layer 2 segmentation mechanism, not an SD-WAN overlay link.

Option C is incorrect because FortiLink is used for internal management and switch/AP connectivity, not as a WAN underlay for SD-WAN.

Option E is incorrect because underlay links can be wired or wireless; they are not limited to wired connections.

Therefore, the two correct statements are B and D.

Question 2

An SD-WAN member is no longer used to steer SD-WAN traffic. The administrator updated the SD-WAN configuration and deleted the unused member. After the configuration update, users report that some destinations are unreachable. You confirm that the affected flow does not match an SD-WAN rule.

What could be a possible cause of the traffic interruption?

AFortiGate, with SD-WAN enabled, cannot route traffic through interfaces that are not SD-WAN members.

BFortiGate can remove some static routes associated with an interface when the member is removed from SD-WAN.

CFortiGate removes the layer 3 settings for interfaces that are removed from the SD-WAN configuration.

DFortiGate administratively brings down interfaces when they are removed from the SD-WAN configuration.

Answer : B

When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.

Question 3

You have configured the performance SLA with the probe mode as Prefer Passive.

What are two observable impacts of this configuration? (Choose two.)

AFortiGate passively monitors the member if TCP traffic is passing through the member.

BAfter FortiGate switches to active mode, the SLA performance rule falls back to passive monitoring after 3 minutes.

CFortiGate passively monitors the member if ICMP traffic is passing through the member.

DDuring passive monitoring, the SLA performance rule cannot detect dead members.

EFortiGate can offload the traffic that is subject to passive monitoring to hardware.

Answer : A, D

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive, FortiGate attempts to measure link performance using passive monitoring first, based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive, FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A.

During passive monitoring, FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic, not ICMP traffic. ICMP is used for active probing, not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware. Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D.

Question 4

You have a FortiGate configuration with three user-defined SD-WAN zones and two members in each of these zones. One SD-WAN member is no longer in use in health-check and SD-WAN rules. You want to delete it.

What happens if you delete the SD-WAN member from the FortiGate GUI?

AFodiGate accepts the deletion and removes routes as required.

BFortiGate displays an error message. You must use the CLI to delete an SD-WAN member.

CFortiGate displays an error message. SD-WAN zones must contain at least two members

DFortiGate accepts the deletion and places the member in the default SD-WAN zone.

Answer : A

Question 5

(You configure the overlay tunnels for an SD-WAN hub-and-spoke topology defined with IPsec tunnels, BGP on loopback, and dynamic BGP.

Which are two recommended IPsec settings for this topology? Choose two answers.)

AOn the spoke, set the parameter net-device to enable.

BOn the spoke, configure the parameter localid.

COn the hub, set the parameter mode-cfg to enable.

DOn the hub, set the tunnel type to static.

Answer : A, B

Question 6

Refer to the exhibit.

An administrator configures SD-WAN rules for a DIA setup using the FortiGate GUI. The page to configure the source and destination part of the rule looks as shown in the exhibit. The GUI page shows no option to configure an application as the destination of the SD-WAN rule Why?

AYou cannot use applications as the destination when FortiGate is used for a DIA setup.

BFortiGate allows the configuration of applications as the destination of SD-WAN rules only on the CLI.

CYou must enable the feature on the CLI.

DYou must enable the feature first using the GUI menu System > Feature Visibility.

Answer : D

Question 7

Which two statements correctly describe what happens when traffic matches the implicit SD-WAN rule? (Choose two.)

AThe session information output displays no SD-WAN service id.

BTraffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

CThe traffic is distributed, regardless of weight, through all available static routes.

DTraffic does not match any of the entries in the policy route table.

EFortiGate flags the session with may_dirty and vwl_def ault.

Answer : A, D

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet: 'Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic.' Administrators can observe this in diagnostic outputs for troubleshooting.

Fortinet FCSS - SD-WAN 7.6 Architect FCSS_SDW_AR-7.6 Exam Questions