Fortinet NSE 6 SD-WAN 7.6 Enterprise Administrator - NSE6_SDW_AD-7.6 Practice Questions

Explanation:

This scenario describes a Managed Security Service Provider (MSSP) model where the customer wants to offload maximum administrative control while maintaining Direct Internet Access (DIA) at each branch (spoke). The requirement for "significant traffic flow between the sites" necessitates an efficient, centrally managed hub for inter-spoke traffic.

Both correct options (B & D) place the hub FortiGate at the MSSP's data center. This is the key design principle that meets the core requirement: it delegates the administration, installation, and management of the critical hub—which controls the SD-WAN overlay and inter-site routing—to the MSSP. The spokes remain at customer sites, preserving local internet breakout (DIA). Traffic between sites (east-west) will typically flow through the MSSP-managed hub for optimized routing and security inspection.

Option B (Dedicated Hub):
The MSSP provisions a physical or virtual FortiGate dedicated solely to the customer. This offers maximum isolation and customization.

Option D (Shared Hub with VDOM):
The MSSP uses a multi-tenant FortiGate, isolating the customer within a dedicated Virtual Domain (VDOM). This is a cost-effective and scalable MSSP model.

Why the other options are incorrect:

Option A is incorrect because it proposes a dedicated hub on the customer premises. This contradicts the requirement to delegate "as much...management as possible," as the customer would then be responsible for that on-premises hub's infrastructure and connectivity.

Option C is incorrect because it places both the hub and spokes on customer premises. While the MSSP can manage the configuration via FortiManager (with a dedicated ADOM), they do not own or manage the underlying infrastructure, WAN links, or installation. This is a managed service model, not the fully delegated MSSP deployment blueprint requested.

Reference
This aligns with Fortinet's documented MSSP blueprints for SD-WAN, specifically the "MSSP Hosted Hub" models. The Fortinet SD-WAN 7.6 Administration Guide and the Fortinet MSSP Deployment Guide detail that to maximize delegation, the hub should be under the MSSP's physical control, whether as a dedicated device or within a shared device using VDOMs, while spokes remain at the edge for local internet access.

Explanation:

The log entries are key for identifying Auto-Discovery VPN (ADVPN) shortcut tunnels. In ADVPN, a shortcut tunnel is a direct IPsec tunnel built dynamically between two spokes (or a hub and spoke for optimization), bypassing the hub for specific traffic. The critical indicator is the advpn=1 field.

Log Entry 9 (for HUB1-VPN1_0 tunnel) explicitly shows advpn=1. This confirms it is an ADVPN shortcut tunnel. The cvptunnel="HUB1-VPN1_0" is the name, and the presence of advpn=1 is the definitive flag.

Log Entry 6 (for HUB1-VPN3 tunnel) shows an SLA health check with slatargetid=1. While this indicates it's part of an SD-WAN performance SLA monitor, there is no advpn field in this SLA log entry to classify it as a shortcut or master tunnel for voice traffic.

Log Entry 8 (for HUB2-VPN3 tunnel) shows advpn=0. This means it is not a shortcut tunnel; it is a regular or master tunnel, which can accept ADVPN shortcuts (contradicting option D).

Why the other options are incorrect:

A: Incorrect. The logs do not show a tunnel named "VPN4," nor do they show a master/shortcut relationship between tunnels labeled "VPN4" and another.

B: Incorrect. Log Entry 6 for HUB1-VPN3 only shows SLA metrics (latency, jitter). While these metrics are relevant for voice, the log does not show any actual traffic being steered. It is a health check log, not a traffic flow log.

D: Incorrect. Log Entry 9 for HUB2-VPN3 shows advpn=0, meaning it is not itself a shortcut. However, a master tunnel (advpn=0) is the prerequisite for accepting shortcut requests. The statement that it "cannot accept" shortcuts is false.

Reference
Fortinet NSE 6 SD-WAN 7.6 Study Guide / Administration Guide: The advpn flag in IPsec tunnel logs (type="event" subtype="vpn") is the definitive field to identify ADVPN shortcut tunnels (advpn=1) versus regular/master tunnels (advpn=0).

Explanation:

The SD-WAN service rule is configured in priority mode but includes the critical flag use-shortest-sla, as shown in the diagnose sys sdwan service output. This flag modifies standard priority behavior: instead of strictly following sequence number order, it selects the member with the best SLA performance (lowest latency, jitter, or loss) from among the configured priority members, provided all meet the link-cost-threshold.

Key parameters:
link-cost-factor: packet-loss
link-cost-threshold: 10 (members with packet loss >10% are excluded)
Current latencies: HUB1-VPN1=96.349 ms, HUB1-VPN2=141.278 ms, HUB1-VPN3=190.984 ms

Since all members are "alive" and presumably meeting the packet-loss threshold, the use-shortest-sla flag causes the member with the lowest latency to be preferred. Currently, HUB1-VPN1 is selected (lowest at 96.349 ms). For HUB1-VPN3 to become preferred, its latency must drop below HUB1-VPN1's current 96.349 ms. Option C (90 ms) is the only choice where HUB1-VPN3's latency falls below this threshold while still being the highest possible value under 96 ms, making it the precise point where preference would switch.

Why other options are incorrect:

A: Incorrect because it's incomplete. HUB1-VPN3 must have lower latency specifically than HUB1-VPN1's current 96 ms, not just lower than both.

B: While 80 ms would also make HUB1-VPN3 preferred, the question asks for the first change. With use-shortest-sla, preference switches as soon as latency drops below 96 ms. 90 ms represents that threshold value—the highest latency still triggering the change.

D: If HUB1-VPN1's latency rises to 200 ms, HUB1-VPN3 (190 ms) still wouldn't be preferred because HUB1-VPN2 (141 ms) has better latency and would be selected first under use-shortest-sla.

Reference
Fortinet SD-WAN 7.6 Administration Guide: The use-shortest-sla flag in priority mode enables performance-based selection where the member with the best SLA metrics (latency/jitter/loss) is chosen from the priority list, overriding strict sequence order when latency differences exceed measurement variations.

Explanation:

When an SLA performance rule is configured with Probe Mode set to "Prefer Passive", the FortiGate primarily uses passive monitoring of actual user traffic to measure performance metrics (latency, jitter, packet loss), rather than sending active probe packets. This mode has specific operational characteristics.

Why C is correct:
In "Prefer Passive" mode, the FortiGate can utilize ICMP traffic (like ping replies) passing through the SD-WAN member interface to gather performance data. This is a documented passive monitoring method alongside TCP traffic.

Why D is correct:
A key limitation of passive monitoring is that it requires traffic flow. If a member link fails or has no traffic, there are no packets to analyze, so the dead member may not be detected promptly. Active probing is required for reliable dead gateway detection.

Why the other options are incorrect:

A: Incorrect. While TCP traffic can be used for passive monitoring, the statement is misleading. "Prefer Passive" mode utilizes both TCP and ICMP traffic for passive measurements, not TCexclusively.

B: Incorrect. The "Prefer Passive" mode does not automatically fall back to passive after 3 minutes. The "After 3 minutes" behavior is specific to the "Probe Passive" mode, where active probing runs for 3 minutes after a failure is detected before returning to passive-only.

E: Incorrect. Passive monitoring itself is a traffic inspection method and does not enable or disable hardware offloading. Hardware offloading depends on NPU/ASIC support and traffic profile, not the SLA monitoring mode.

Reference
FortiOS 7.6 SD-WAN Administration Guide > Configuring SD-WAN > Performance SLA: Explicitly states that in "Prefer Passive" mode, the FortiGate uses both TCP and ICMP traffic for passive measurements when available, and switches to active probes only when passive data is insufficient. It also notes that passive monitoring cannot detect dead members without traffic flow.

Explanation:

When you create an interface zone and add multiple physical or logical interfaces to it, then reference that zone in a static route, the FortiGate's behavior is to install an equal-cost multipath (ECMP) static route for every member interface within that zone.

This means:
The FortiGate creates a separate routing table entry for each interface in the zone, all pointing to the same destination network.
Traffic can be load-balanced across all zone members (if ECMP is enabled and properly configured).
This is a fundamental routing construct that treats the zone as a logical group of egress paths.

Why the other options are incorrect:

A: Incorrect. The FortiGate installs ECMP routes for all zone members, not just the first two. The number of routes equals the number of zone members.

B: Incorrect. The opposite is true; static routes are explicitly installed for each member. Ignoring them would break routing.

C: Incorrect. Static routes using a zone do not incorporate performance-based routing or SLA monitoring. The "best performing member" selection is a feature of SD-WAN rules, not basic static routing. A zone-based static route uses ECMP or routing priority settings, not real-time performance metrics.

Reference
FortiOS 7.6 Administration Guide > Network > Static Routes: Explicitly states, "When you add a zone to a static route, the route is added to the routing table for each zone member interface, creating equal-cost multipath (ECMP) routes."

Explanation:

The diagnose sys sdwan service output displays two distinct SD-WAN rules. Traffic steering is determined by rule matching order and operational status of members within the matched rule.

1. Rule Matching:
Traffic from 10.0.1.124 to 10.0.0.254 has:
Source IP (10.0.1.124) within 10.0.1.0-10.0.1.255 (matches both rules)
Destination IP (10.0.0.254) within 10.0.0.0-10.255.255.255 (matches only Service (3))
Since Service (2) has no destination constraint and handles only specific applications (Facebook, LinkedIn, Game), general corporate traffic (10.0.0.0/16) is exclusively handled by Service (3).

2. Service (3) Analysis:
Mode: sla (SLA mode)
Hash mode: round-robin
Members: Six VPN tunnels (HUB1-VPN1/2/3, HUB2-VPN1/2/3) Key field: sla(0x...) indicates SLA compliance:
sla(0x1) and sla(0x2) = Passing SLA (HUB1-VPN2, HUB2-VPN2)
sla(0x0) = Not meeting SLA (all other four tunnels)

In SLA mode, traffic is only distributed among members that meet the SLA thresholds. With hash-mode=round-robin, the two compliant members (HUB1-VPN2 and HUB2-VPN2) will share the traffic load.

Why Other Options Are Incorrect:

A: HUB2-VPN2 alone is incorrect because the rule uses round-robin load balancing between both SLA-compliant members. Traffic could use either tunnel.

C: port1 or port2 are the physical underlay interfaces for Service (2) only (application-specific rule). Service (3) uses VPN overlay interfaces (tunnels), not physical interfaces directly.

D: "Any interface in the HUB1 or HUB2 zones" is incorrect because four of the six zone members have sla(0x0), meaning they fail SLA and are excluded from traffic distribution in SLA mode. Only the two compliant members are used.

Reference
FortiOS 7.6 SD-WAN Administration Guide > Configuring SD-WAN > Performance SLA: Explains that in sla mode, only members meeting the configured SLA thresholds (latency, jitter, packet loss) are selected for traffic steering.

Explanation:

In FortiOS (including 7.6), static routes support referencing an SD-WAN zone (e.g., virtual-wan-link or a custom zone) as the outgoing interface. This allows the route to use any healthy member within the zone, providing flexibility for load balancing, failover, or ECMP across multiple links. Documentation explicitly states: "SD-WAN zones and members can be used in IPv4 and IPv6 static routes to make route configurations more flexible." However, the GUI and CLI for static routes (under config router static) allow selecting only an SD-WAN zone in the interface field—not an individual SD-WAN member interface.

You cannot directly configure a static route pointing to a single SD-WAN member (e.g., WAN1 or port2 when configured as an SD-WAN member). Attempting this is not supported; the interface dropdown lists zones, not individual members. This design encourages zone-based routing for SD-WAN-aware behavior (SLA monitoring, performance steering). Individual member routes would bypass SD-WAN logic.

Thus, in the scenario of configuring one static route referencing a zone and another referencing a member in that zone: the second is impossible.

Why the other options are incorrect:

B. You cannot create static routes that reference an SD-WAN zone
→ False; this is fully supported and recommended for default routes and subnets in SD-WAN setups.

C. The destination subnets must be different
→ No such restriction; overlapping or identical destinations are allowed (resolved by priority/distance), but irrelevant here.

D. The source subnets must be different
→ Static routes do not use source subnets (unlike policy routes); source is not a factor, so no requirement.

References:
Administration Guide → SD-WAN members and zones:
Administration Guide → Specify an SD-WAN zone in static routes: