Fortinet NSE6_SDW_AD-7.6 Dumps

Fortinet outlines key SD-WAN routing principles:

" Policy routes are always evaluated before SD-WAN rules, meaning if a policy route matches, SD-WAN steering is bypassed. If the best route for a destination is not via an SD-WAN member, SD-WAN rules do not apply, and members are ignored if they lack a valid route. This hierarchy ensures traffic always follows the most deterministic and valid path according to configuration. "

Understanding these principles is critical for correct SD-WAN and routing integration.

To allow spokes in different hub-and-spoke groups to establish ADVPN shortcuts, the hubs must be configured to forward and send ADVPN shortcut offers. The key required settings on the hub are auto-discovery-forwarder (for VPNs to hubs) and auto-discovery-sender (for VPNs to spokes). This ensures the hub can facilitate and advertise ADVPN shortcut offers between spokes.

Policy 3 points traffic To = HUB1-VPN1, which is an SD-WAN member interface. In SD-WAN you must reference the SD-WAN zone (the logical interface) in policies, not its member tunnels. Change the policy’s To interface to the zone HUB1, and the install will succeed.

In the exhibit, the IPsec tunnel statistics event log entries include the field advpnsc .

Fortinet documents that advpnsc identifies whether the VPN event is based on an ADVPN shortcut :

advpnsc=1 → the tunnel is an ADVPN shortcut

advpnsc=0 → not an ADVPN shortcut ( Fortinet Documentation Library )

In the shown logs, the tunnel vpntunnel= " HUB1-VPN1_0 " has advpnsc=1 , which means HUB1-VPN1_0 is an ADVPN shortcut tunnel . ( Fortinet Documentation Library )

The other tunnels shown (for example VPN4_0 and HUB2-VPN3 ) have advpnsc=0 , which only indicates no shortcut is identified for those log entries —it does not prove they “cannot accept” shortcuts, only that the specific event is not a shortcut. ( Fortinet Documentation Library )

The provisioning templates in FortiManager are designed for flexible, scalable configuration of large SD-WAN deployments. The official documentation explains:

" Template groups can consist of both system and SD-WAN templates, providing a way to apply consistent settings across multiple devices. CLI templates are evaluated and executed in order from top to bottom within the template group, which is crucial for managing dependencies. Furthermore, CLI template groups can contain both regular CLI templates and advanced (Perl-script-based) templates, allowing complex or conditional configuration logic. "

This modular design streamlines large deployments by separating system, SD-WAN, and CLI logic into reusable building blocks.

From the exhibit, both branches have an SD-WAN zone named overlay with set advpn-select enable, and each SD-WAN member in that zone is assigned a transport-group value.

Branch-A members:

T1 → transport-group 1

T2 → transport-group 1

T3 → transport-group 2

Branch-B members:

TA → transport-group 1

TB → transport-group 2

TC → transport-group 3

In FCSS SD-WAN 7.6 ADVPN design, transport-group is used to constrain which underlays are allowed to form ADVPN shortcuts with each other . A spoke can establish an ADVPN shortcut only between interfaces that belong to the same transport-group on both sides. This prevents building shortcuts across dissimilar transports.

Evaluating the options:

Option D ( T2 on Branch-A with transport-group 1 and TA on Branch-B with transport-group 1) is a valid shortcut pairing.

Option C is not valid because T3 is transport-group 2 while TC is transport-group 3, so they are not permitted to form a shortcut.

Option A is incorrect because not all overlay-zone interfaces are eligible; eligibility is restricted by transport-group matching.

Option B is incorrect because ADVPN shortcuts are spoke-to-spoke tunnels (facilitated by the hub), not limited to “interfaces connected to hub only.”

Therefore, the valid shortcut pairing listed is between T2 on Branch-A and TA on Branch-B , which corresponds to Option D .

The SD-WAN rule (config service edit 1) is configured with set mode priority. This means the rule selects the best interface based on a defined performance metric, as opposed to a simple static priority or SLA. The event log (image_41cfb5.png) shows Metric latency and Message Service prioritized by performance metric will be redirected in sequence order. This indicates that the rule is using latency to determine the preferred member. Given that the log message is about a change, and the most logical reason for a change in a priority mode is that a different member is now the best performer, it implies that the latency on port2 has become lower than that on port1.

The log message Service prioritized by performance metric will be redirected in sequence order confirms that FortiGate is changing the member being used for this service. Because the mode is priority, FortiGate dynamically selects the member that currently meets the best performance criteria, which in this case is latency. The log implies a new member has been selected as the most optimal, and with the default configuration, the members are sorted based on their performance, so the outgoing interface list is effectively updated to prefer the new best-performing member (port2).

For SD-WAN deployments that span multiple regions—where most traffic is intra-region and there is no requirement for inter-region ADVPN—the best practice is to use IBGP with BGP on loopback interfaces for routing within each region and EBGP between the regions. This approach ensures robust and scalable routing, isolates regional routing domains, and enables policy control at region boundaries. BGP on loopback is preferred for its reliability and flexibility, as it enables peering that is not tied to specific physical interfaces. EBGP between regions allows each region to maintain independent routing policies and summarization, optimizing performance and manageability. By separating IBGP (intra-region) and EBGP (inter-region), you create a modular architecture that scales easily and simplifies fault isolation and troubleshooting.

This is because the setting minimum-sla-meet-members = 2 requires at least two SD-WAN zone members (in this case, HUB2-VPN1, HUB2-VPN2, and HUB2-VPN3) to pass the defined SLA health check (HUB1_HC) before the FortiGate will establish ADVPN shortcuts. If fewer than two members meet the SLA, shortcuts will not be created.

In Fortinet SD-WAN architecture, underlay and overlay have distinct meanings:

Underlay links are the physical or logical transport networks that provide basic IP connectivity (for example, broadband, MPLS, LTE/5G).

Overlay links are virtual tunnels (such as IPsec VPNs) built on top of the underlay , providing abstraction, routing control, and segmentation.

Option B is correct.

Overlay links (for example, IPsec tunnels used in SD-WAN and ADVPN) decouple routing from the physical transport. This allows dynamic path selection, segmentation, and flexible routing policies independent of the underlay. Providing routing flexibility is a core purpose of overlays in SD-WAN.

Option D is correct.

Wireless connections such as LTE or 5G can be used as underlay transports, and overlay tunnels can be built over them . Fortinet SD-WAN fully supports building IPsec overlays on wireless underlays, making wireless links valid for overlay construction.

Why the other options are incorrect:

Option A is incorrect because a VLAN is a Layer 2 segmentation mechanism, not an SD-WAN overlay link.

Option C is incorrect because FortiLink is used for internal management and switch/AP connectivity, not as a WAN underlay for SD-WAN.

Option E is incorrect because underlay links can be wired or wireless ; they are not limited to wired connections.

Therefore, the two correct statements are B and D .

Specify the gateway of the SD-WAN member port1 with an IP address or use the default value → The error log shows invalid ip – prop[gateway]: ip4class(${sdwan_port1_gw}) invalid ip addr, meaning the variable ${sdwan_port1_gw} does not have a valid mapping. Assigning a valid IP address or default value for the gateway resolves this error.

Review the per-device mapping configuration for metadata variables → The issue is tied to how the metadata variable ${sdwan_port1_gw} is mapped for branch1_fgt. If this device does not have the variable properly defined in per-device mapping, the configuration will fail. Correcting the mapping ensures that the install works.

When a FortiGate device is onboarded using a Device Blueprint in FortiManager, the system automates the provisioning process by applying the linked templates and scripts as soon as the device is authorized and connects. In this scenario, the Device Blueprint includes a CLI Template named " LAN-interface " and Provisioning Templates (corp_st and LAN-interface).

According to Fortinet documentation regarding Zero-Touch Provisioning (ZTP) and Blueprint workflows, FortiManager processes the CLI script configuration as part of the initial onboarding sync. The provided CLI script explicitly contains instructions for port1, port2, and port5 . Specifically, it sets port1 and port2 to mode dhcp. Even though port1 already has a manual IP address ($15.1.0.154$) used for the initial FGFM connection, the FortiManager will push the configuration defined in the template.

When FortiManager pushes a configuration change to the interface used for the FGFM tunnel (port1), it does so by updating the configuration database. Since the template specifies set mode dhcp for port1 and port2, and a specific IP range for port5 using a metadata variable (10.0.$(branch_id).254), all three ports will be updated. Consequently, they may receive new IP addresses based on DHCP assignments or variable substitution. FortiManager is capable of updating the management interface as long as the new configuration does not permanently sever the FGFM connection.

" Secure internet access (SIA), also known as remote breakout, is another use case for SD-WAN. "

Enforce Device Configuration is enabled and the blueprint applies the provisioning CLI templates. The LAN-interface script sets port1 and port2 to DHCP and assigns a static IP to port5 (using the branch_id variable). Therefore, when FortiManager pushes the blueprint, it updates the configurations of port1, port2, and port5 - and their IP addresses may change accordingly.

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive , FortiGate attempts to measure link performance using passive monitoring first , based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive , FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A .

During passive monitoring , FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic , not ICMP traffic. ICMP is used for active probing , not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware . Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D .

The FortiManager SD-WAN overlay system allows only one IPsec template to be assigned to each device per overlay operation. The guide clarifies:

" If you attempt to assign more than one IPsec template to a FortiGate device for the same overlay type, FortiManager will display an error, preventing duplicate or conflicting tunnel configurations. This limitation ensures a one-to-one mapping between device and overlay template per operation, maintaining configuration integrity and preventing routing issues. "

This prevents complex troubleshooting scenarios and enforces best practices for overlay design.

For FortiGate to steer traffic using SD-WAN rules , two foundational elements must be in place: available WAN paths (underlay links) and firewall policies that allow traffic to reach the SD-WAN interface .

Underlay links (Option B) are mandatory because SD-WAN operates by selecting among multiple WAN transports (for example, broadband, MPLS, LTE, or IPsec tunnels). These links are configured as SD-WAN members and form the physical or logical paths over which traffic can be steered. Without underlay links, SD-WAN has no paths to evaluate or select.

Firewall policies (Option E) are also mandatory because FortiGate only processes and forwards traffic that is explicitly permitted by a firewall policy. When SD-WAN is enabled, firewall policies must reference the SD-WAN interface or SD-WAN zone as the outgoing interface. If no such policy exists, traffic will not be forwarded and SD-WAN rules will never be evaluated.

Why the other options are incorrect:

Security profiles (Option A) are optional and relate to inspection, not SD-WAN steering.

Overlay links (Option C) are used in specific designs such as ADVPN or hub-and-spoke overlays, but SD-WAN can steer traffic without overlays (for example, DIA-only designs).

Traffic shaping (Option D) is not required for SD-WAN decision-making; it is an optional optimization feature.

Therefore, the two required features that must be configured before FortiGate can steer traffic according to SD-WAN rules are underlay links and firewall policies , which correspond to B and E .