Pass the Fortinet Fortinet Certified Solution Specialist FCSS_SDW_AR-7.6 Questions and answers with CertsForce

In FortiOS 7.6, SD-WAN rules can steer traffic based on Internet Services, which represent predefined application and service signatures maintained by FortiGuard. Common applications such as Facebook and LinkedIn are included in the Internet Service database.

According to the FCSS SD-WAN 7.6 curriculum, when configuring an SD-WAN rule from the GUI on a standalone FortiGate device, applications are selected as destinations using the Internet service field, not by enabling a separate application destination field. The exhibit highlights the Internet service option under the Destination section, which is the correct method to match traffic for specific applications.

Option A is incorrect because there is no GUI option to enable application visibility as destinations for SD-WAN rules. Application matching is already abstracted through Internet Services.

Option C is incorrect because standalone FortiGate devices fully support application-based steering using Internet Services in SD-WAN rules.

Option D is incorrect because no additional license is required to use Internet Services in SD-WAN rules. This functionality is included in FortiOS and relies on the built-in FortiGuard Internet Service database.

Therefore, to steer Facebook and LinkedIn traffic through a specific WAN link, you must select Facebook and LinkedIn in the Internet service field, which corresponds to option B.

With the Best Quality strategy, FortiGate first checks which links meet the SLA targets defined in the selected performance SLA (in this case, Custom-profile-1). Among those qualified links, FortiGate then uses the member configuration order to decide preference. If multiple links still qualify, it finally considers the member local cost to select the best path.

Policy 3 points traffic To = HUB1-VPN1, which is an SD-WAN member interface. In SD-WAN you must reference the SD-WAN zone (the logical interface) in policies, not its member tunnels. Change the policy’s To interface to the zone HUB1, and the install will succeed.

When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.

The session details show the symmetric flow’s original direction as port3 → port2.

The asymmetric flow’s reply direction is listed as port2 → port3.

When asymmetric routing is observed (such as reply traffic not following the optimal path), the solution is:

"The auxiliary-session feature, enabled under config system settings, allows FortiGate to consider multiple egress interfaces for reply traffic, not just the original ingress interface. This is crucial for SD-WAN environments where the best path may differ between forward and return directions, especially when performance or policy rules are dynamically evaluated."

Activating this ensures reply traffic is always sent on the member with the best real-time metrics.

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive, FortiGate attempts to measure link performance using passive monitoring first, based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive, FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A.

During passive monitoring, FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic, not ICMP traffic. ICMP is used for active probing, not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware. Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D.

When SD-WAN load balancing is required with link quality awareness, FortiOS relies on SLA-based strategies. These strategies evaluate link performance using performance SLAs (latency, jitter, packet loss, MOS) and then make forwarding decisions accordingly.

Option A is correct.

In FortiOS 7.6, when an SLA-based SD-WAN rule has load balancing enabled, FortiGate distributes traffic only across the members that meet the SLA targets. Any member that is out of SLA is excluded from load balancing. This behavior ensures that traffic is not forwarded over degraded links while still allowing load distribution across healthy paths.

Option C is correct.

The lowest cost (SLA) strategy is an SLA-based strategy that considers link quality while also allowing SD-WAN load balancing. When multiple members meet the SLA requirements and have equal cost, FortiGate can load balance traffic across them using the configured hash mode. This makes the lowest cost SLA strategy suitable when both link quality and load balancing are required.

Why the other options are incorrect:

Option B is incorrect because the best quality strategy is designed to select the single best-performing link based on SLA metrics. It does not support SD-WAN load balancing across multiple links.

Option D is incorrect because the best quality strategy does not support load balancing at all, so the statement about round-robin hash mode is invalid.

Therefore, the two correct facts to consider are A and C.