Practice Free NSE6_SDW_AD-7.6 Exam Online Questions
The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks.
What are two mandatory post-run tasks that must be performed? (Choose two.)
- A . Configure routing through the overlay tunnels created by the SD-WAN overlay template.
- B . Create policy packages and assign them to the branch devices.
- C . Assign a hub id metadata variable to each hub device.
- D . Configure SD-WAN rules.
- E . Assign an sdwan_id metadata variable to each device (branch and hub).
B, D
Explanation:
After using the SD-WAN overlay template, two mandatory post-run tasks remain:
"First, administrators must create and assign policy packages to branch devices, as security and access policies are not included in overlay templates. Second, SD-WAN rules must be configured so that traffic can be matched and steered appropriately through the established overlays. Neglecting either task results in ungoverned traffic or inefficient routing, undermining the benefits of SD-WAN." Templates automate topology, but policy and rule definition are critical for operational effectiveness.
Reference: Fortinet SD-WAN Reference Architecture 7.4, "Post-Deployment Tasks for SD-WAN Overlay Templates"
What is the main benefit of using a hub-and-spoke IPsec topology for SD-WAN and ADVPN instead of a full-mesh topology?
- A . Simplified configuration and management
- B . Improved security
- C . Increased application performance
- D . Better network connectivity
You want FortiGate to use SD-WAN rules to steer ping local-out traffic.
Which two constraints should you consider? Choose two answers.
- A . You can steer local-out traffic only with SD-WAN rules that use the manual strategy.
- B . By default, FortiGate uses SD-WAN rules only for local-out traffic that corresponds to ping and traceroute.
- C . By default, local-out traffic does not use SD-WAN.
- D . You must configure each local-out feature individually to use SD-WAN.
A, C
Explanation:
In FortiOS 7.6, local-out traffic is traffic generated by the FortiGate itself, such as ping, traceroute, FortiGuard updates, DNS, NTP, and SNMP. Local-out traffic does not traverse the firewall policy engine and therefore behaves differently from forwarded traffic in SD-WAN.
According to the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture documentation, local-out traffic does not use SD-WAN by default. Instead, it follows the routing table (static and dynamic routes). To allow local-out traffic to be evaluated by SD-WAN rules, the administrator must explicitly enable local-out SD-WAN processing.
The curriculum also states that only SD-WAN rules using the manual strategy are supported for local-out traffic. SLA-based, application-based, and dynamic strategies are not evaluated for traffic generated by the FortiGate itself. This is a fundamental architectural limitation of SD-WAN in FortiOS 7.6.
Option B is incorrect because FortiGate does not automatically apply SD-WAN rules to ping or traceroute traffic by default. Even these tools follow the routing table unless local-out SD-WAN is enabled.
Option D is incorrect because local-out SD-WAN configuration is global. Individual local-out features do not require separate SD-WAN enablement.
What is the purpose of using FortiManager for SD-WAN deployment management?
- A . To configure network connectivity between sites
- B . To centralize configuration and management
- C . To configure security policies
- D . To ensure efficient use of available bandwidth
What is the purpose of configuring SD-WAN route policies?
- A . To configure routing protocols
- B . To configure security policies
- C . To configure application performance monitoring
- D . To configure VPN connectivity
Which two features must you configure before FortiGate can steer traffic according to SD-WAN rules? Choose two answers.
- A . Security profiles
- B . Underlay links
- C . Overlay links
- D . Traffic shaping
- E . Firewall policies
B, E
Explanation:
For FortiGate to steer traffic using SD-WAN rules, two foundational elements must be in place: available WAN paths (underlay links) and firewall policies that allow traffic to reach the SD-WAN interface.
Underlay links (Option B) are mandatory because SD-WAN operates by selecting among multiple WAN transports (for example, broadband, MPLS, LTE, or IPsec tunnels). These links are configured as SD-WAN members and form the physical or logical paths over which traffic can be steered. Without underlay links, SD-WAN has no paths to evaluate or select.
Firewall policies (Option E) are also mandatory because FortiGate only processes and forwards traffic that is explicitly permitted by a firewall policy. When SD-WAN is enabled, firewall policies must reference the SD-WAN interface or SD-WAN zone as the outgoing interface. If no such policy exists, traffic will not be forwarded and SD-WAN rules will never be evaluated.
Why the other options are incorrect:
Security profiles (Option A) are optional and relate to inspection, not SD-WAN steering.
Overlay links (Option C) are used in specific designs such as ADVPN or hub-and-spoke overlays, but SD-WAN can steer traffic without overlays (for example, DIA-only designs).
Traffic shaping (Option D) is not required for SD-WAN decision-making; it is an optional optimization feature.
Therefore, the two required features that must be configured before FortiGate can steer traffic according to SD-WAN rules are underlay links and firewall policies, which correspond to B and E.
You are configuring SD-WAN to load balance network traffic and you want to take into account the link quality.
Which two facts should you consider? Choose two answers.
- A . When applicable, FortiGate load balances the traffic through all members that meet the SLA target.
- B . You can select the best quality strategy and allow SD-WAN load balancing.
- C . You can select the lowest cost service level agreement (SLA) strategy and allow SD-WAN load balancing.
- D . The best quality strategy supports only the round-robin hash mode.
A, C
Explanation:
When SD-WAN load balancing is required with link quality awareness, FortiOS relies on SLA-based strategies. These strategies evaluate link performance using performance SLAs (latency, jitter, packet loss, MOS) and then make forwarding decisions accordingly.
Option A is correct.
In FortiOS 7.6, when an SLA-based SD-WAN rule has load balancing enabled, FortiGate distributes traffic only across the members that meet the SLA targets. Any member that is out of SLA is excluded from load balancing. This behavior ensures that traffic is not forwarded over degraded links while still allowing load distribution across healthy paths.
Option C is correct.
The lowest cost (SLA) strategy is an SLA-based strategy that considers link quality while also allowing SD-WAN load balancing. When multiple members meet the SLA requirements and have equal cost, FortiGate can load balance traffic across them using the configured hash mode. This makes the lowest cost SLA strategy suitable when both link quality and load balancing are required.
Why the other options are incorrect:
Option B is incorrect because the best quality strategy is designed to select the single best-performing link based on SLA metrics. It does not support SD-WAN load balancing across multiple links.
Option D is incorrect because the best quality strategy does not support load balancing at all, so the statement about round-robin hash mode is invalid.
Therefore, the two correct facts to consider are A and C.
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.
What can you conclude about the zone and member configuration on this device?
- A . The underlay zone contains three members.
- B . You can delete the virtual-wan-link zones.
- C . The overlay-factories zone contains no member.
- D . You can move HUB1-VPN3 from the HUB1 zone to the overlay-shops zone.
C
Explanation:
In the SD-WAN GUI, the absence of members in a zone is visually represented, and the Fortinet guide confirms:
"If a zone such as overlay-factories contains no members, it will be displayed as empty in the SD-WAN GUI. This may occur when the zone is reserved for future expansion, or if members have been temporarily removed for maintenance or reconfiguration. Traffic cannot be steered via an empty zone until at least one SD-WAN member is added."
Such visual cues help operators quickly assess configuration status and readiness.
Refer to the exhibit.

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN.
Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)
- A . Specify a unique peer ID for each dial-up VPN interface.
- B . Different proposals are used between the interfaces.
- C . Configure the IKE mode to be aggressive mode.
- D . Use unique Diffie Hellman groups on each VPN interface.
Refer to the exhibits.



The first exhibit shows the SD-WAN zone HUB1 and SD-WAN member configuration from an SD-WAN template, and the second exhibit shows the output of the command diagnose sys sdwan member, collected on a FortiGate device.
Which statement best describes what the diagnose output shows?
- A . The diagnose output shows that HUB1-VPN1 and all HUBx-VPNy members are dead.
- B . The diagnose output does not correspond to a device configured with the SD-WAN template shown in the exhibit.
- C . The diagnose output was collected on the device branch2_fgt.
- D . The diagnose output was collected on the device branch1_fgt.
D
Explanation:
The diagnose output lists SD-WAN members 4 (HUB1-VPN1), 5 (HUB1-VPN2), 7 (HUB2-VPN1), 8 (HUB2-VPN2), and 9 (HUB2-VPN3). It does not include member 6 (HUB1-VPN3). From the template, HUB1-VPN3 is installed only on branch2_fgt and branch3_fgt, not on branch1_fgt. Therefore, the output must be from branch1_fgt.
