Pass the Fortinet Fortinet Certified Solution Specialist FCSS_SDW_AR-7.4 Questions and answers with CertsForce

When using the diagnose sys session list command, SD-WAN-specific session steering is indicated by the presence of the sdwan_service_id field in the session data. This identifier ties the session directly to a specific SD-WAN rule or service. As noted in the Fortinet documentation: “Sessions that are handled according to SD-WAN rules will include a service ID tag (sdwan_service_id) in their session listing. This allows administrators to correlate live sessions with SD-WAN policy matches for troubleshooting and visibility.” This is a crucial diagnostic tool, as it distinguishes between traffic managed by traditional routing and that explicitly controlled by SD-WAN steering logic, aiding in operational insight and troubleshooting.

Traffic steering decisions in SD-WAN are based on both SD-WAN member priorities and route metrics. The guide states:

"If HUB1-VPN3 has a higher member configuration priority (lower numerical value) or a route with a lower priority value (which actually represents higher precedence in routing), it will be chosen over HUB1-VPN1, even if an SD-WAN rule would otherwise match HUB1-VPN1. These dual factors—member configuration and route table priority—govern traffic egress decisions."

Administrators should carefully align route and SD-WAN member priorities for predictable path selection.

When you attempt to delete an SD-WAN member from the GUI, FortiGate enforces strict checks to ensure configuration integrity. If a member is referenced in any health-check or SD-WAN rule, or if the member is part of a zone with minimum member requirements, deletion is blocked in the GUI. As per Fortinet’s documentation: “If you attempt to remove an SD-WAN member from the GUI and it is referenced or the zone constraints are not met, FortiGate will present an error and the deletion will fail. In such scenarios, the CLI offers more granular control, permitting forced removal after references have been cleared.” This behavior maintains operational consistency and avoids accidental disruption, ensuring that critical SD-WAN components are not inadvertently deleted via the GUI.

The SD-WAN load balancing algorithm selection is nuanced. Fortinet documentation states:

"Outbandwidth hash mode can be used with any load balancing strategy that permits multiple simultaneous paths. However, SD-WAN load balancing in practice is only enabled when the strategy is either 'best quality' or 'lowest cost (SLA)'. Manual strategies do not support automated load balancing, and are typically used for deterministic or failover scenarios."

Selecting the correct strategy is key for achieving desired distribution and redundancy.

When all SD-WAN members on a given interface are detected as "dead" (failed health checks), FortiGate will bring down the corresponding physical interface (e.g., port5) to prevent further traffic from being sent over a non-functional path. This helps to ensure that no traffic is black-holed and allows for proper failover.

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there’s an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.

The SD-WAN rule’s preferred member is determined by packet loss comparison. As the documentation details:

"If all three SD-WAN members exhibit the same packet loss percentage, the preferred member can change according to secondary criteria such as cost, latency, or manual priority. However, if one member—such as HUB1-VPN3—matches the packet loss of other members, it can become the new preferred member as determined by the load balancing algorithm or fallback rules."

This behavior ensures fair utilization and redundancy.

When planning to deploy a large number of branches (e.g., 50), Fortinet recommends several preparatory steps to simplify and automate the rollout. Creating model devices allows you to predefine configurations and settings that can be cloned or adapted for each branch, saving time and minimizing manual errors. Preparing a Zero Touch Provisioning (ZTP) template enables automatic onboarding and provisioning of new FortiGates as soon as they come online, reducing manual intervention. Lastly, creating a policy blueprint allows for standardized policy deployment across all branches, ensuring consistent security and SD-WAN rule enforcement. This holistic approach streamlines the deployment process, allows for rapid scaling, and ensures that all devices are configured according to corporate policy from day one.

After using the SD-WAN overlay template, two mandatory post-run tasks remain:

"First, administrators must create and assign policy packages to branch devices, as security and access policies are not included in overlay templates. Second, SD-WAN rules must be configured so that traffic can be matched and steered appropriately through the established overlays. Neglecting either task results in ungoverned traffic or inefficient routing, undermining the benefits of SD-WAN."

Templates automate topology, but policy and rule definition are critical for operational effectiveness.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.