Practice Free NSE6_SDW_AD-7.6 Exam Online Questions
Refer to the exhibit.

You update the spokes configuration of an existing auto-discovery VPN (ADVPN) topology by adding the parameters shown in the exhibit.
Which is a valid objective of those settings? Choose one answer.
- A . Enable the tunnels as overlay links.
- B . Convert the configuration from ADVPN to ADVPN 2.0.
- C . Prevent cross-overlay shortcuts.
- D . Prevent multiple shortcuts from being established over the same overlay.
Answer: C
Explanation:
The exhibit shows the following IPsec phase1-interface configuration applied on spoke tunnels:
```
set auto-discovery-shortcuts dependent
set network-overlay enable
set network-id <value>
```
In the FCSS SD-WAN 7.6 ADVPN architecture, the network-overlay and network-id parameters are used to logically group IPsec tunnels into separate overlays. When network-overlay is enabled, FortiGate treats the tunnel as part of an overlay network rather than a simple transport tunnel.
The network-id parameter is critical in multi-overlay ADVPN designs. Fortinet documentation specifies that ADVPN shortcuts are only allowed between tunnels that share the same network-id. This mechanism explicitly prevents cross-overlay shortcuts, ensuring that shortcuts are formed only within the same logical overlay and not across different overlays that may serve different purposes (for example, different hubs, regions, or transport groups).
The use of auto-discovery-shortcuts dependent further enforces correct shortcut behavior by ensuring that shortcut tunnels depend on the state of the parent overlay tunnel, but it does not by itself prevent multiple shortcuts or convert ADVPN versions.
Why the other options are incorrect:
Option A is incorrect because network-overlay does not exist simply to “enable overlay links” in general; its purpose is to define overlay membership and control shortcut behavior.
Option B is incorrect because there is no concept of “ADVPN 2.0” conversion using these parameters in FortiOS 7.6.
Option D is incorrect because preventing multiple shortcuts over the same overlay is not controlled by network-id; multiple shortcuts within the same overlay are allowed when required.
Therefore, the valid objective of these settings is to prevent cross-overlay shortcuts, which corresponds to Option C.
An SD-WAN member is no longer used to steer SD-WAN traffic. The administrator updated the SD-WAN configuration and deleted the unused member. After the configuration update, users report that some destinations are unreachable. You confirm that the affected flow does not match an SD-WAN rule.
What could be a possible cause of the traffic interruption?
- A . FortiGate, with SD-WAN enabled, cannot route traffic through interfaces that are not SD-WAN members.
- B . FortiGate can remove some static routes associated with an interface when the member is removed from SD-WAN.
- C . FortiGate removes the layer 3 settings for interfaces that are removed from the SD-WAN configuration.
- D . FortiGate administratively brings down interfaces when they are removed from the SD-WAN configuration.
Answer: B
Explanation:
When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.
You are configuring SD-WAN zones and members on a FortiGate device.
Which two facts should you take into account? (Choose two.)
- A . The default zone is sdw-default
- B . The default zone is virtual-wan-link.
- C . You can add any physical interface to a zone.
- D . You can add only SD-WAN members to a zone.
Which three parameters are available to configure SD-WAN rules? (Choose three.)
- A . Application signatures
- B . Incoming interface
- C . Internet service database (ISDB) address object
- D . Source and destination IP address
- E . Type of physical link connection
Which SD-WAN path control technique involves sending traffic over multiple paths simultaneously?
- A . Active-active path
- B . Active-passive path
- C . Dynamic path
- D . Static path
Which VPN protocol is commonly used in a hub-and-spoke IPsec topology for SD-WAN and ADVPN?
- A . SSL VPN
- B . PPTP VPN
- C . L2TP VPN
- D . IPsec VPN
Which statement about using BGP routes in SD-WAN is true?
- A . Adding static routes must be enabled on all ADVPN interfaces.
- B . VPN topologies must be formed using only BGP dynamic routing with SD-WAN.
- C . Learned routes can be used as dynamic destinations in SD-WAN rules.
- D . Dynamic routing protocols can be used only with non-encrypted traffic.
Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?
- A . type must be set to static.
- B . mode-cfg must be enabled.
- C . exchange-interface-ip must be enabled.
- D . add-route must be disabled.
Refer to the exhibit.

Which statement correctly describes the role of the ADVPN device in handling traffic? Choose one answer.
- A . This device is a spoke that has received a direct shortcut query from a remote spoke.
- B . This device is a hub, and two spokes, 192.2.0.1 and 10.0.3.101, established a shortcut.
- C . This device is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke.
- D . This device is a spoke that has received a shortcut query from a remote hub.
Answer: C
Explanation:
The log messages shown in the exhibit include the following key indicators:
```
processing notify type SHORTCUT_QUERY
shortcut-query received from 192.2.0.1
local-nat=yes, peer-nat=no
NAT hole punching for peer at 192.2.0.1:4500
```
In the FCSS SD-WAN 7.6 ADVPN workflow, shortcut queries are always initiated by spokes, not hubs. A spoke sends a shortcut query to its hub when it detects traffic destined for another spoke. The hub’s role is to receive this shortcut query and forward the discovery information toward the destination spoke, enabling the two spokes to build a direct shortcut tunnel.
The device name in the log (HUB1-VPN1) and the presence of NAT hole punching coordination clearly indicate that this device is acting as a hub, not a spoke. Hubs do not form shortcuts themselves; instead, they facilitate shortcut establishment between spokes by relaying discovery and negotiation information.
Option A is incorrect because a spoke does not receive shortcut queries from other spokes directly.
Option B is incorrect because the log does not indicate that the shortcut has already been established; it shows the query and coordination phase, not completion.
Option D is incorrect because hubs do not initiate shortcut queries toward spokes.
Therefore, the correct description is that this device is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke, which corresponds to option C.
Refer to the exhibit.

Which statement best describes the role of the ADVPN device in handling traffic?
- A . This is a spoke that has received a direct shortcut query from a remote spoke.
- B . This is a hub, and two spokes, 192.2.0.1 and 10.0.3.101, establish a shortcut.
- C . This is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke.
- D . This is a spoke that has received a shortcut query from a remote hub.
Answer: B
Explanation:
The log shows messages on HUB1-VPN1 where the device processes a SHORTCUT_QUERY and performs NAT hole punching (peer at 192.2.0.1:4500). This indicates that the device is acting as a hub, helping two spokes (192.2.0.1 and 10.0.3.101) establish a direct ADVPN shortcut tunnel between each other, instead of routing their traffic through the hub.
