Fortinet NSE6_SDW_AD-7.6 Exam Questions Instant Access

Question 1

You are planning a large SD-WAN deployment with approximately 1000 spokes and want to allow ADVPN between the spokes. Some remote sites use FortiSASE to connect to the company's SD-WAN hub. Which overlay routing configuration should you use?

ABGP on loopback with dynamic BGP for ADVPN shortcut routing.

BBGP on loopback with IPsec phase2 selectors for ADVPN shortcut routing.

CBGP per overlay with dynamic BGP for ADVPN shortcut routing.

DBGP per overlay with BGP next-hop convergence for ADVPN shortcut routing.

Answer : A

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there's an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management. Reference:

[FCSS_SDW_AR-7.4 1-0.docx Q6]

Fortinet SD-WAN Reference Architecture Guide 7.4, ''Scalable Routing with BGP on Loopback and ADVPN Shortcuts''

Fortinet SD-WAN Concept Guide, ''Overlay Routing Designs for Large Deployments''

Question 2

Refer to the exhibits.

You use FortiManager to configure SD-WAN on three branch devices.

When you install the device settings, FortiManager prompts you with the error ''Copy Failed'' for the device branch1_fgt. When you click the log button, FortiManager displays the message shown in the exhibit.

There are two different ways to resolve this issue. Based on the exhibits, which methods could you use? (Choose two.)

AUpdate the management IP address of branch1_fgt.

BSpecify the gateway of the SD-WAN member port1 with an IP address or use the default value.

CDo not define installation targets for SD-WAN members.

DReview the per-device mapping configuration for metadata variables

Answer : B, D

Specify the gateway of the SD-WAN member port1 with an IP address or use the default value The error log shows invalid ip -- prop[gateway]: ip4class(${sdwan_port1_gw}) invalid ip addr, meaning the variable ${sdwan_port1_gw} does not have a valid mapping. Assigning a valid IP address or default value for the gateway resolves this error.

Review the per-device mapping configuration for metadata variables The issue is tied to how the metadata variable ${sdwan_port1_gw} is mapped for branch1_fgt. If this device does not have the variable properly defined in per-device mapping, the configuration will fail. Correcting the mapping ensures that the install works.

Question 3

Refer to the exhibit.

The exhibit shows output of the command diagnose sys adwan aervice4 collected on a FortiGate device.

The administrator wants to know through which interface FortiGate will steer traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the social media application Facebook.

Based on the exhibits, which two statements are correct? (Choose two.)

AWhen FortiGate cannot recognize the application of the flow, it steers the traffic through the preferred member of rule 3, HQ_T1.

BThere is no service defined for the Facebook application, so FortiGate appliesservice rule 3 and directs the traffic to headquarters.

CFortiGate steers traffic for social media applications according to the service rule 2 and steers traffic through port2.

DWhen FortiGate cannot recognize the application of the flow, it load balances the traffic through the tunnels HQ_T1. HQ_T2. HQ_T3.

Answer : C, D

Application-based SD-WAN rules enable intelligent traffic steering. The guide specifies: 'If a flow is identified as belonging to a defined application category (such as social media), FortiGate will match it to the corresponding service rule (rule 2) and route it through the specified interface, such as port2. However, if the application is not recognized during the session setup, the system defaults to load balancing the traffic using the available tunnels according to the policy for unclassified traffic, ensuring continuous connectivity while waiting for application classification.' This guarantees both performance and resilience.

Question 4

You configured an SD-WAN rule with the best quality strategy and selected the predefined health check, Default_FortiGuard, to check the link performances against FortiGuard servers.

For the quality criteria, you selected Custom-profile-1.

Which factors does FortiGate use, and in which order. to determine the link that it should use to steer the traffic?

ALatency -- Member configuration order -- Link cost threshold

BLink quality index -- Member configuration order -- Link cost threshold

CLinks that meet the SLA targets -- Member configuration order -- Member local cost

DLatency -- Jitter - Packet loss -- Bibandwidth -- Member configuration order

Answer : C

With the Best Quality strategy, FortiGate first checks which links meet the SLA targets defined in the selected performance SLA (in this case, Custom-profile-1). Among those qualified links, FortiGate then uses the member configuration order to decide preference. If multiple links still qualify, it finally considers the member local cost to select the best path.

Question 5

(In the context of SD-WAN, the terms underlay and overlay are commonly used to categorize links.

Which two statements about underlay and overlay links are correct? Choose two answers.)

AA VLAN is a type of overlay link.

BOverlay links provide routing flexibility.

CFortiLink interface is considered an underlay link.

DWireless connections can be used to build overlay links.

EOnly wired connections can be used as underlay links.

Answer : B, D

In Fortinet SD-WAN architecture, underlay and overlay have distinct meanings:

Underlay links are the physical or logical transport networks that provide basic IP connectivity (for example, broadband, MPLS, LTE/5G).

Overlay links are virtual tunnels (such as IPsec VPNs) built on top of the underlay, providing abstraction, routing control, and segmentation.

Option B is correct.

Overlay links (for example, IPsec tunnels used in SD-WAN and ADVPN) decouple routing from the physical transport. This allows dynamic path selection, segmentation, and flexible routing policies independent of the underlay. Providing routing flexibility is a core purpose of overlays in SD-WAN.

Option D is correct.

Wireless connections such as LTE or 5G can be used as underlay transports, and overlay tunnels can be built over them. Fortinet SD-WAN fully supports building IPsec overlays on wireless underlays, making wireless links valid for overlay construction.

Why the other options are incorrect:

Option A is incorrect because a VLAN is a Layer 2 segmentation mechanism, not an SD-WAN overlay link.

Option C is incorrect because FortiLink is used for internal management and switch/AP connectivity, not as a WAN underlay for SD-WAN.

Option E is incorrect because underlay links can be wired or wireless; they are not limited to wired connections.

Therefore, the two correct statements are B and D.

Question 6

The FortiGate devices are managed by ForliManager, and are configured for direct internet access (DIA). You confirm that DIA is working as expected for each branch, and check the SD-WAN zone configuration and firewall policies shown in the exhibits.

Then, you use the SD-WAN overlay template to configure the IPsec overlay tunnels. You create the associated SD-WAN rules to connect existing branches to the company hub device and apply the changes on the branches.

After those changes, users complain that they lost internet access. DIA is no longer working.

Based on the exhibit, which statement best describes the possible root cause of this issue?

AThe SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones.

BThe SD-WAN overlay template didn't configure a firewall policy to allow traffic through the overlay.

CThe SD-WAN overlay template redefines the interface gateway addresses if they are defined with metadata variables.

DThe SD-WAN overlay template updates the SD-WAN template and the rules.

Answer : A

The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones. This statement perfectly describes the likely sequence of events. The template, when applied, re-organizes the interfaces and zones, causing the existing firewall policy that relies on the old zone configuration to fail. This is the most plausible root cause.

Question 7

Refer to the exhibits.

The exhibits show the configuration for SD-WAN performance. SD-WAN rule, the application IDs of Facebook and YouTube along with the firewall policy configuration and the underlay zone status.

Which two statements are true about the health and performance of SD-WAN members 3 and 4? (Choose two.)

AOnly related TCP traffic is used for performance measurement.

BThe performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

CEncrypted traffic is not used for the performance measurement.

DFortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Answer : B, D

Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator NSE6_SDW_AD-7.6 Exam Questions