Fortinet FCSS_SDW_AR-7.6 Dumps

The exhibit shows the following IPsec phase1-interface configuration applied on spoke tunnels:

set auto-discovery-shortcuts dependent

set network-overlay enable

set network-id

In the FCSS SD-WAN 7.6 ADVPN architecture, the network-overlay and network-id parameters are used to logically group IPsec tunnels into separate overlays. When network-overlay is enabled, FortiGate treats the tunnel as part of an overlay network rather than a simple transport tunnel.

The network-id parameter is critical in multi-overlay ADVPN designs. Fortinet documentation specifies that ADVPN shortcuts are only allowed between tunnels that share the same network-id. This mechanism explicitly prevents cross-overlay shortcuts, ensuring that shortcuts are formed only within the same logical overlay and not across different overlays that may serve different purposes (for example, different hubs, regions, or transport groups).

The use of auto-discovery-shortcuts dependent further enforces correct shortcut behavior by ensuring that shortcut tunnels depend on the state of the parent overlay tunnel, but it does not by itself prevent multiple shortcuts or convert ADVPN versions.

Why the other options are incorrect:

Option A is incorrect because simply enabling network-overlay does not exist to “enable overlay links” in general; its purpose is to define overlay membership and control shortcut behavior.

Option B is incorrect because there is no concept of “ADVPN 2.0” conversion using these parameters in FortiOS 7.6.

Option D is incorrect because preventing multiple shortcuts over the same overlay is not controlled by network-id; multiple shortcuts within the same overlay are allowed when required.

Therefore, the valid objective of these settings is to prevent cross-overlay shortcuts, which corresponds to Option C.

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

"Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic."

Administrators can observe this in diagnostic outputs for troubleshooting.

Within ADVPN topologies, shortcut requests and responses traverse spokes and hubs. Fortinet documentation states:

"When a spoke receives a shortcut query from another spoke, it may forward the response to its hub for validation or to facilitate dynamic shortcut tunnel setup. This mechanism allows direct spoke-to-spoke communication for optimized routing and performance, reducing latency and offloading the hub after initial control-plane mediation."

This is a core benefit of ADVPN’s dynamic shortcut feature.

In the exhibits, port2 is already assigned to the SD-WAN zone named Test. An interface can only belong to a single SD-WAN zone, so before you can add both port1 and port2 into the new SD-WAN zone Underlay, you must first delete the SD-WAN Zone Test to free port2.

In Fortinet SD-WAN, hubs should not have extensions like FortiSwitch, FortiAP, or FortiExtender installed, as these can affect hub functionality and scalability. While all device types can be included in the topology, the hubs must be "clean" FortiGate devices without such extensions to ensure proper ADVPN and overlay management.

The hub must send additional paths to spokes (set additional-path send).

The hub must treat each spoke as a route-reflector client so spoke routes are reflected to other spokes.

The hub must specify how many additional paths to advertise (set adv-additional-path ).

Hosting the hub at the MSSP centralizes installation, security, and ongoing management while each site (spoke) keeps local DIA. This can be done multi-tenant with a shared hub using a dedicated VDOM or with a fully dedicated hub per customer for stricter isolation and control, both meeting the requirement to delegate administration to the MSSP and support high inter-site traffic.

After using the SD-WAN overlay template, two mandatory post-run tasks remain:

"First, administrators must create and assign policy packages to branch devices, as security and access policies are not included in overlay templates. Second, SD-WAN rules must be configured so that traffic can be matched and steered appropriately through the established overlays. Neglecting either task results in ungoverned traffic or inefficient routing, undermining the benefits of SD-WAN."

Templates automate topology, but policy and rule definition are critical for operational effectiveness.

The router policy explicitly denies traffic with source 10.0.1.128/25 (which includes 10.0.1.130) and destination 128.66.0.0/24 (which includes 128.66.0.125). Even though SD-WAN service 4 shows members (port1 and port2) alive and available for this traffic, the router policy is evaluated first and blocks it. Therefore, FortiGate drops the traffic flow.

The diagnose output shows multiple ADVPN tunnels (HUB1-VPN1, HUB1-VPN2, HUB1-VPN3) with detailed latency, jitter, and packet loss values being reported for each. In ADVPN, the spoke performs embedded health checks and provides the hub with the performance metrics for each tunnel. Therefore, the device in the exhibit is a spoke, and it is sending health-check measurements for each tunnel to the hub.

In Fortinet SD-WAN architecture, underlay and overlay have distinct meanings:

Underlay links are the physical or logical transport networks that provide basic IP connectivity (for example, broadband, MPLS, LTE/5G).

Overlay links are virtual tunnels (such as IPsec VPNs) built on top of the underlay, providing abstraction, routing control, and segmentation.

Option B is correct.

Overlay links (for example, IPsec tunnels used in SD-WAN and ADVPN) decouple routing from the physical transport. This allows dynamic path selection, segmentation, and flexible routing policies independent of the underlay. Providing routing flexibility is a core purpose of overlays in SD-WAN.

Option D is correct.

Wireless connections such as LTE or 5G can be used as underlay transports, and overlay tunnels can be built over them. Fortinet SD-WAN fully supports building IPsec overlays on wireless underlays, making wireless links valid for overlay construction.

Why the other options are incorrect:

Option A is incorrect because a VLAN is a Layer 2 segmentation mechanism, not an SD-WAN overlay link.

Option C is incorrect because FortiLink is used for internal management and switch/AP connectivity, not as a WAN underlay for SD-WAN.

Option E is incorrect because underlay links can be wired or wireless; they are not limited to wired connections.

Therefore, the two correct statements are B and D.

The use of SLA targets is specific to certain SD-WAN strategies. The "Lowest Cost (SLA)" and "Maximize Bandwidth (SLA)" strategies are explicitly designed to use the configured SLA targets to make routing decisions. The "Best Quality" strategy uses performance metrics but does not necessarily require or reference SLA targets in the same way, while "Manual" does not use metrics at all for path selection.

This is a core function of SD-WAN rules with SLA targets. The purpose of configuring an SLA target with specific thresholds for latency, jitter, and packet loss is to define what is considered "acceptable" performance for an application. SD-WAN rules then use these targets to check if the members (interfaces) meet these requirements before a flow is steered over them, ensuring that a preferred path still offers a good user experience.

FortiGate allows for a single SD-WAN rule to reference multiple, different performance SLAs. This is crucial for complex deployments where a single SD-WAN rule needs to handle traffic for multiple applications that have distinct performance requirements. For example, a single rule might direct VoIP traffic based on one performance SLA with strict latency/jitter targets, while simultaneously handling general web traffic using another performance SLA with more lenient requirements.

Fortinet outlines key SD-WAN routing principles:

"Policy routes are always evaluated before SD-WAN rules, meaning if a policy route matches, SD-WAN steering is bypassed. If the best route for a destination is not via an SD-WAN member, SD-WAN rules do not apply, and members are ignored if they lack a valid route. This hierarchy ensures traffic always follows the most deterministic and valid path according to configuration."

Understanding these principles is critical for correct SD-WAN and routing integration.

Before FortiGate can steer traffic according to SD-WAN rules, certain configuration elements must be present. The guide states:

"SD-WAN is not a standalone feature and interacts with several fundamental FortiGate configurations. Specifically, you must: (1) Define the interfaces (physical, VLAN, or IPsec) that will act as SD-WAN members, (2) Create firewall policies to allow traffic to be steered by SD-WAN, and (3) Set up routing so that traffic has valid routes via SD-WAN members. Without these, SD-WAN rules will not be able to match or steer any traffic."

Security profiles and traffic shaping are not mandatory for basic SD-WAN steering but can be layered on for enhanced security and QoS once foundational elements are present.

From the SD-WAN service configuration, rule edit 3 (name "Corp") is configured with:

set mode sla

set load-balance enable

set dst "Corp-net"

set src "LAN-net"

SLA checks referenced under config sla

Traffic from 10.0.1.101 to 10.0.0.126 matches this rule because the destination is within the corporate network range (shown in the policy-route/proute output as destination 10.0.0.0–10.255.255.255 for the Corp service).

In the diagnose firewall proute list output for vwl_service=3 (Corp), FortiGate shows which SD-WAN members are eligible based on SLA pass results:

oif=21 (HUB1-VPN3) num_pass=2

oif=20 (HUB1-VPN2) num_pass=0

oif=19 (HUB1-VPN1) num_pass=0

This indicates that, for the SLA-based rule, only HUB1-VPN3 is meeting the SLA requirements (it is the only member with num_pass=2). The other members have num_pass=0, so they are not eligible for forwarding under this SLA rule even though links are up.

The sniffer trace further corroborates the forwarding decision by showing the traffic egressing through HUB1-VPN3.

Therefore, FortiGate will steer the HTTP traffic through only HUB1-VPN3, which corresponds to Option A.

In FortiOS (including FortiOS 7.6), FortiGate follows a strict and well-defined route lookup order when determining how to forward traffic. This order is critical for understanding SD-WAN behavior and is explicitly referenced in the FCSS SD-WAN curriculum.

The correct lookup sequence is:

Policy routes (Policy-Based Routing)Policy routes are evaluated first. If traffic matches a policy route, FortiGate immediately forwards the traffic according to that policy and bypasses all other routing mechanisms.

Internet Service Database (ISDB) routesIf no policy route matches, FortiGate checks ISDB routes. These routes match traffic based on Internet Services rather than destination IP prefixes.

SD-WAN rulesIf neither a policy route nor an ISDB route matches, FortiGate evaluates SD-WAN rules to determine the outgoing interface based on the configured SD-WAN strategy.

Routing table (connected, static, and dynamic routes such as BGP)If no SD-WAN rule matches, FortiGate performs a normal routing table lookup.

FIB (Forwarding Information Base)The FIB is used to forward the packet based on the selected route.

DropIf no valid route exists, the packet is dropped.

Among the options provided, only Option D correctly reflects the beginning of this sequence by placing policy routes first, followed by ISDB routes, then SD-WAN rules, and finally static routes (representing the routing table).

Therefore, the correct answer is D.

Rules template → Defines the SD-WAN rules for traffic steering.

BGP template → Configures dynamic routing for overlay tunnels.

IPsec tunnel template → Builds the IPsec VPN tunnels from the spoke to the hubs.

With the Best Quality strategy, FortiGate first checks which links meet the SLA targets defined in the selected performance SLA (in this case, Custom-profile-1). Among those qualified links, FortiGate then uses the member configuration order to decide preference. If multiple links still qualify, it finally considers the member local cost to select the best path.

The hub must use a performance SLA with the same criteria as the spoke's health check. The spoke's health check is using ping (protocol ping) and measuring latency (link-cost-factor latency). For the hub to use the data sent by the spoke, its performance SLA must be configured to measure the same metrics. If the hub is looking for jitter or packet loss, it will not use the latency data sent by the spoke.

When a spoke sends embedded health data, the hub FortiGate must be configured to receive and use it. This is done by setting set embedded-measure accept within the performance SLA configuration on the hub. This setting explicitly tells the hub to trust and use the performance metrics received from the remote FortiGate (the spoke). Without this setting, the hub will likely ignore the embedded health data and rely on its own health checks, which could lead to incorrect traffic prioritization.

When referencing a zone in a static route, FortiGate’s behavior is described as:

"Referencing a zone in a static route causes FortiGate to install a static route for each member interface of the zone. This enables ECMP (Equal-Cost Multi-Path) and load balancing where supported and ensures that traffic can be steered over any valid zone member according to SD-WAN rules or standard routing."

This mechanism is fundamental to Fortinet’s implementation of SD-WAN and simplifies large, multi-interface deployments.

When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.

The rule is in priority mode with HUB1-VPN1 (seq 4) as the first preferred member, HUB1-VPN2 second, and HUB1-VPN3 third. Latency itself does not cause HUB1-VPN3 to become preferred unless a higher-priority member fails SLA. If HUB1-VPN1’s latency exceeds the SLA threshold (here simulated by latency reaching 200 ms), FortiGate stops using it and moves down the priority list. That is when HUB1-VPN3 could become the active path.

The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones. This statement perfectly describes the likely sequence of events. The template, when applied, re-organizes the interfaces and zones, causing the existing firewall policy that relies on the old zone configuration to fail. This is the most plausible root cause.