Pass the Fortinet Fortinet Network Security Expert NSE6_SDW_AD-7.6 Questions and answers with CertsForce

In the exhibit, the IPsec tunnel statistics event log entries include the field advpnsc .

Fortinet documents that advpnsc identifies whether the VPN event is based on an ADVPN shortcut :

advpnsc=1 → the tunnel is an ADVPN shortcut

advpnsc=0 → not an ADVPN shortcut ( Fortinet Documentation Library )

In the shown logs, the tunnel vpntunnel= " HUB1-VPN1_0 " has advpnsc=1 , which means HUB1-VPN1_0 is an ADVPN shortcut tunnel . ( Fortinet Documentation Library )

The other tunnels shown (for example VPN4_0 and HUB2-VPN3 ) have advpnsc=0 , which only indicates no shortcut is identified for those log entries —it does not prove they “cannot accept” shortcuts, only that the specific event is not a shortcut. ( Fortinet Documentation Library )

For FortiGate to steer traffic using SD-WAN rules , two foundational elements must be in place: available WAN paths (underlay links) and firewall policies that allow traffic to reach the SD-WAN interface .

Underlay links (Option B) are mandatory because SD-WAN operates by selecting among multiple WAN transports (for example, broadband, MPLS, LTE, or IPsec tunnels). These links are configured as SD-WAN members and form the physical or logical paths over which traffic can be steered. Without underlay links, SD-WAN has no paths to evaluate or select.

Firewall policies (Option E) are also mandatory because FortiGate only processes and forwards traffic that is explicitly permitted by a firewall policy. When SD-WAN is enabled, firewall policies must reference the SD-WAN interface or SD-WAN zone as the outgoing interface. If no such policy exists, traffic will not be forwarded and SD-WAN rules will never be evaluated.

Why the other options are incorrect:

Security profiles (Option A) are optional and relate to inspection, not SD-WAN steering.

Overlay links (Option C) are used in specific designs such as ADVPN or hub-and-spoke overlays, but SD-WAN can steer traffic without overlays (for example, DIA-only designs).

Traffic shaping (Option D) is not required for SD-WAN decision-making; it is an optional optimization feature.

Therefore, the two required features that must be configured before FortiGate can steer traffic according to SD-WAN rules are underlay links and firewall policies , which correspond to B and E .

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

" Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic. "

Administrators can observe this in diagnostic outputs for troubleshooting.

When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies “dirty” flags where applicable. The SD-WAN session management mechanism is described in detail: “Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing.” This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.

From the SD-WAN Zones view in the FortiGate GUI:

virtual-wan-link is the default SD-WAN zone. This zone is system-defined and cannot be deleted , which makes option A incorrect.

The WAN2 zone is displayed without any expandable members beneath it, indicating that no SD-WAN members are currently assigned to the WAN2 zone . This directly supports option B.

A zone can be deleted only if it has no members and is not system-defined , but the exhibit does not indicate that WAN1 is eligible for deletion. Therefore, option C cannot be concluded from the information shown.

In FortiOS SD-WAN, an SD-WAN member can belong to only one SD-WAN zone at a time . A member such as B-125 cannot be assigned to both the WAN3 zone and the Test zone simultaneously, which makes option D incorrect.