Pass the Fortinet Fortinet Network Security Expert NSE6_SDW_AD-7.6 Questions and answers with CertsForce

The log shows messages on HUB1-VPN1 where the device processes a SHORTCUT_QUERY and performs NAT hole punching (peer at 192.2.0.1:4500). This indicates that the device is acting as a hub, helping two spokes (192.2.0.1 and 10.0.3.101) establish a direct ADVPN shortcut tunnel between each other, instead of routing their traffic through the hub.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.

From the SD-WAN rule configuration (service edit 1, “Critical-DIA”), the rule uses mode sla and specifies:

set priority-members 1 2

This means, for traffic matching SD-WAN rule ID 1, FortiGate prefers member 1 first, then member 2, but only if the selected member meets the SLA requirements.

From the SD-WAN event log, the message explicitly states:

Member status changed. Member out-of-sla.

The log includes Member: 1

This indicates SD-WAN member 1 is now out of SLA immediately after the log is generated.

From the SD-WAN member status output:

Member(1) corresponds to interface port1

Member(2) corresponds to interface port2

Because member 1 (port1) is out of SLA, FortiGate cannot use it for an SLA-based rule at that moment. With the rule configured for priority-members 1 2, FortiGate will immediately steer matching traffic using the next eligible priority member that still meets the SLA, which is member 2 (port2).

Therefore, immediately after the log messages are displayed, FortiGate steers the traffic for SD-WAN rule ID 1 using port2, which corresponds to Option B.

You are right, and thank you for calling this out with the official Fortinet documentation reference.

Let’s correct QUESTION NO: 81 strictly according to Fortinet SD-WAN Architecture guidance and the FCSS SD-WAN 7.6 design principles.

Below is the corrected and verified answer, rewritten exactly in your required format.

When planning to deploy a large number of branches (e.g., 50), Fortinet recommends several preparatory steps to simplify and automate the rollout. Creating model devices allows you to predefine configurations and settings that can be cloned or adapted for each branch, saving time and minimizing manual errors. Preparing a Zero Touch Provisioning (ZTP) template enables automatic onboarding and provisioning of new FortiGates as soon as they come online, reducing manual intervention. Lastly, creating a policy blueprint allows for standardized policy deployment across all branches, ensuring consistent security and SD-WAN rule enforcement. This holistic approach streamlines the deployment process, allows for rapid scaling, and ensures that all devices are configured according to corporate policy from day one.

The rule is in priority mode with HUB1-VPN1 (seq 4) as the first preferred member, HUB1-VPN2 second, and HUB1-VPN3 third. Latency itself does not cause HUB1-VPN3 to become preferred unless a higher-priority member fails SLA. If HUB1-VPN1’s latency exceeds the SLA threshold (here simulated by latency reaching 200 ms), FortiGate stops using it and moves down the priority list. That is when HUB1-VPN3 could become the active path.

In Fortinet SD-WAN, hubs should not have extensions like FortiSwitch, FortiAP, or FortiExtender installed, as these can affect hub functionality and scalability. While all device types can be included in the topology, the hubs must be "clean" FortiGate devices without such extensions to ensure proper ADVPN and overlay management.

The router policy explicitly denies traffic with source 10.0.1.128/25 (which includes 10.0.1.130) and destination 128.66.0.0/24 (which includes 128.66.0.125). Even though SD-WAN service 4 shows members (port1 and port2) alive and available for this traffic, the router policy is evaluated first and blocks it. Therefore, FortiGate drops the traffic flow.