Pass the Fortinet Fortinet Network Security Expert NSE6_SDW_AD-7.6 Questions and answers with CertsForce

From the Underlay and network advertisement configuration exhibit for the Secondary HUB :

Under Underlay , the template explicitly lists:

WAN Underlay 1 = port1

WAN Underlay 2 = port2

In FortiManager SD-WAN Overlay Orchestrator, underlay interfaces selected for a hub are the transports used to build the overlay IPsec tunnels (one overlay per underlay, per peer as defined by the template). Because both port1 and port2 are configured as underlays, FortiManager will build overlay tunnels over both underlay links. That supports:

Option C (overlay tunnel on port1 )

Option B (overlay tunnel on port2 )

For the BGP neighbor options:

The Network Advertisement section shows Interface 1 = port5 , which indicates a LAN/internal interface whose connected or static networks may be advertised into the overlay routing domain. This does not make port5 a BGP neighbor interface; it is the interface whose routes are being advertised.

The template indicates Dynamic BGP is enabled. In Overlay Orchestrator designs, BGP neighbor relationships are formed across the overlay tunnel interfaces / overlay endpoints , not directly on the raw underlay interfaces (port1/port2) and not on the advertised LAN interface (port5). Therefore, options A and D are not valid conclusions from what is shown.

So, the two correct conclusions are B and C .

When SD-WAN load balancing is required with link quality awareness , FortiOS relies on SLA-based strategies . These strategies evaluate link performance using performance SLAs (latency, jitter, packet loss, MOS) and then make forwarding decisions accordingly.

Option A is correct.

In FortiOS 7.6, when an SLA-based SD-WAN rule has load balancing enabled , FortiGate distributes traffic only across the members that meet the SLA targets . Any member that is out of SLA is excluded from load balancing. This behavior ensures that traffic is not forwarded over degraded links while still allowing load distribution across healthy paths.

Option C is correct.

The lowest cost (SLA) strategy is an SLA-based strategy that considers link quality while also allowing SD-WAN load balancing . When multiple members meet the SLA requirements and have equal cost, FortiGate can load balance traffic across them using the configured hash mode. This makes the lowest cost SLA strategy suitable when both link quality and load balancing are required.

Why the other options are incorrect:

Option B is incorrect because the best quality strategy is designed to select the single best-performing link based on SLA metrics. It does not support SD-WAN load balancing across multiple links.

Option D is incorrect because the best quality strategy does not support load balancing at all, so the statement about round-robin hash mode is invalid.

Therefore, the two correct facts to consider are A and C .

The log messages shown in the exhibit include the following key indicators:

processing notify type SHORTCUT_QUERY

shortcut-query received from 192.2.0.1

local-nat=yes, peer-nat=no

NAT hole punching for peer at 192.2.0.1:4500

In the FCSS SD-WAN 7.6 ADVPN workflow, shortcut queries are always initiated by spokes, not hubs. A spoke sends a shortcut query to its hub when it detects traffic destined for another spoke. The hub’s role is to receive this shortcut query and forward the discovery information toward the destination spoke, enabling the two spokes to build a direct shortcut tunnel.

The device name in the log (HUB1-VPN1) and the presence of NAT hole punching coordination clearly indicate that this device is acting as a hub, not a spoke. Hubs do not form shortcuts themselves; instead, they facilitate shortcut establishment between spokes by relaying discovery and negotiation information.

Option A is incorrect because a spoke does not receive shortcut queries from other spokes directly.

Option B is incorrect because the log does not indicate that the shortcut has already been established; it shows the query and coordination phase, not completion.

Option D is incorrect because hubs do not initiate shortcut queries toward spokes.

Therefore, the correct description is that this device is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke, which corresponds to option C.

From the SD-WAN rule configuration (service edit 1, “Critical-DIA”), the rule uses mode sla and specifies:

set priority-members 1 2

This means, for traffic matching SD-WAN rule ID 1, FortiGate prefers member 1 first , then member 2 , but only if the selected member meets the SLA requirements.

From the SD-WAN event log , the message explicitly states:

Member status changed. Member out-of-sla.

The log includes Member: 1

This indicates SD-WAN member 1 is now out of SLA immediately after the log is generated.

From the SD-WAN member status output:

Member(1) corresponds to interface port1

Member(2) corresponds to interface port2

Because member 1 (port1) is out of SLA, FortiGate cannot use it for an SLA-based rule at that moment. With the rule configured for priority-members 1 2 , FortiGate will immediately steer matching traffic using the next eligible priority member that still meets the SLA, which is member 2 (port2) .

Therefore, immediately after the log messages are displayed, FortiGate steers the traffic for SD-WAN rule ID 1 using port2 , which corresponds to Option B .

You are right , and thank you for calling this out with the official Fortinet documentation reference.

Let’s correct QUESTION NO: 81 strictly according to Fortinet SD-WAN Architecture guidance and the FCSS SD-WAN 7.6 design principles .

Below is the corrected and verified answer , rewritten exactly in your required format .

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive , FortiGate attempts to measure link performance using passive monitoring first , based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive , FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A .

During passive monitoring , FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic , not ICMP traffic. ICMP is used for active probing , not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware . Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D .

" Secure internet access (SIA), also known as remote breakout, is another use case for SD-WAN. "

Policy 3 points traffic To = HUB1-VPN1, which is an SD-WAN member interface. In SD-WAN you must reference the SD-WAN zone (the logical interface) in policies, not its member tunnels. Change the policy’s To interface to the zone HUB1, and the install will succeed.

In FortiOS (including FortiOS 7.6), FortiGate follows a strict and well-defined route lookup order when determining how to forward traffic. This order is critical for understanding SD-WAN behavior and is explicitly referenced in the FCSS SD-WAN curriculum.

The correct lookup sequence is:

Policy routes (Policy-Based Routing) Policy routes are evaluated first. If traffic matches a policy route, FortiGate immediately forwards the traffic according to that policy and bypasses all other routing mechanisms.

Internet Service Database (ISDB) routes If no policy route matches, FortiGate checks ISDB routes. These routes match traffic based on Internet Services rather than destination IP prefixes.

SD-WAN rules If neither a policy route nor an ISDB route matches, FortiGate evaluates SD-WAN rules to determine the outgoing interface based on the configured SD-WAN strategy.

Routing table (connected, static, and dynamic routes such as BGP) If no SD-WAN rule matches, FortiGate performs a normal routing table lookup.

FIB (Forwarding Information Base) The FIB is used to forward the packet based on the selected route.

Drop If no valid route exists, the packet is dropped.

Among the options provided, only Option D correctly reflects the beginning of this sequence by placing policy routes first, followed by ISDB routes, then SD-WAN rules, and finally static routes (representing the routing table).

Therefore, the correct answer is D .