NSE6_SDW_AD-7.6 Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator Questions and Answers

The FortiManager SD-WAN overlay template preview, as described in the document, indicates:

" When the device is acting as a hub, the configuration enables the sending of ADVPN shortcut offers to spokes. This means the hub can facilitate on-demand dynamic shortcut tunnel creation between spokes, improving performance for branch-to-branch communication by bypassing the hub for inter-branch traffic after initial discovery. "

Such a role is critical in scalable ADVPN topologies, enabling hub devices to optimize overlays dynamically.

In the exhibits, port2 is already assigned to the SD-WAN zone named Test. An interface can only belong to a single SD-WAN zone, so before you can add both port1 and port2 into the new SD-WAN zone Underlay, you must first delete the SD-WAN Zone Test to free port2.

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

" Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic. "

Administrators can observe this in diagnostic outputs for troubleshooting.

The FortiManager SD-WAN overlay system allows only one IPsec template to be assigned to each device per overlay operation. The guide clarifies:

" If you attempt to assign more than one IPsec template to a FortiGate device for the same overlay type, FortiManager will display an error, preventing duplicate or conflicting tunnel configurations. This limitation ensures a one-to-one mapping between device and overlay template per operation, maintaining configuration integrity and preventing routing issues. "

This prevents complex troubleshooting scenarios and enforces best practices for overlay design.

From the SD-WAN Zones view in the FortiGate GUI:

virtual-wan-link is the default SD-WAN zone. This zone is system-defined and cannot be deleted , which makes option A incorrect.

The WAN2 zone is displayed without any expandable members beneath it, indicating that no SD-WAN members are currently assigned to the WAN2 zone . This directly supports option B.

A zone can be deleted only if it has no members and is not system-defined , but the exhibit does not indicate that WAN1 is eligible for deletion. Therefore, option C cannot be concluded from the information shown.

In FortiOS SD-WAN, an SD-WAN member can belong to only one SD-WAN zone at a time . A member such as B-125 cannot be assigned to both the WAN3 zone and the Test zone simultaneously, which makes option D incorrect.

For SD-WAN deployments that span multiple regions—where most traffic is intra-region and there is no requirement for inter-region ADVPN—the best practice is to use IBGP with BGP on loopback interfaces for routing within each region and EBGP between the regions. This approach ensures robust and scalable routing, isolates regional routing domains, and enables policy control at region boundaries. BGP on loopback is preferred for its reliability and flexibility, as it enables peering that is not tied to specific physical interfaces. EBGP between regions allows each region to maintain independent routing policies and summarization, optimizing performance and manageability. By separating IBGP (intra-region) and EBGP (inter-region), you create a modular architecture that scales easily and simplifies fault isolation and troubleshooting.

In an SD-WAN rule, you can steer application traffic by using Internet Service Database (ISDB) entries. Facebook and LinkedIn are predefined ISDB objects in FortiGate, so the correct way is to select them in the Internet service field under Destination. This ensures that all traffic to these applications is matched and routed through the chosen (less costly) link.

When referencing a zone in a static route, FortiGate’s behavior is described as:

" Referencing a zone in a static route causes FortiGate to install a static route for each member interface of the zone. This enables ECMP (Equal-Cost Multi-Path) and load balancing where supported and ensures that traffic can be steered over any valid zone member according to SD-WAN rules or standard routing. "

This mechanism is fundamental to Fortinet’s implementation of SD-WAN and simplifies large, multi-interface deployments.

" The SD-WAN overlay template generates multiple template, one per topic. For branches and hubs, it creates BGP, IPsec, and CLI templates to accommodate all required configuration changes. "

From the SD-WAN service configuration , rule edit 3 (name " Corp " ) is configured with:

set mode sla

set load-balance enable

set dst " Corp-net "

set src " LAN-net "

SLA checks referenced under config sla

Traffic from 10.0.1.101 to 10.0.0.126 matches this rule because the destination is within the corporate network range (shown in the policy-route/proute output as destination 10.0.0.0–10.255.255.255 for the Corp service).

In the diagnose firewall proute list output for vwl_service=3 (Corp) , FortiGate shows which SD-WAN members are eligible based on SLA pass results:

oif=21 (HUB1-VPN3) num_pass=2

oif=20 (HUB1-VPN2) num_pass=0

oif=19 (HUB1-VPN1) num_pass=0

This indicates that, for the SLA-based rule, only HUB1-VPN3 is meeting the SLA requirements (it is the only member with num_pass=2). The other members have num_pass=0, so they are not eligible for forwarding under this SLA rule even though links are up.

The sniffer trace further corroborates the forwarding decision by showing the traffic egressing through HUB1-VPN3 .

Therefore, FortiGate will steer the HTTP traffic through only HUB1-VPN3 , which corresponds to Option A .

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Functionality-of-set-update-cascade-interface/ta-p/193015

Fortinet outlines key SD-WAN routing principles:

" Policy routes are always evaluated before SD-WAN rules, meaning if a policy route matches, SD-WAN steering is bypassed. If the best route for a destination is not via an SD-WAN member, SD-WAN rules do not apply, and members are ignored if they lack a valid route. This hierarchy ensures traffic always follows the most deterministic and valid path according to configuration. "

Understanding these principles is critical for correct SD-WAN and routing integration.

Enforce Device Configuration is enabled and the blueprint applies the provisioning CLI templates. The LAN-interface script sets port1 and port2 to DHCP and assigns a static IP to port5 (using the branch_id variable). Therefore, when FortiManager pushes the blueprint, it updates the configurations of port1, port2, and port5 - and their IP addresses may change accordingly.

The session details show the symmetric flow’s original direction as port3 → port2.

The asymmetric flow’s reply direction is listed as port2 → port3.