Free Practice Questions for Fortinet FCSS_SDW_AR-7.6 Exam

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive, FortiGate attempts to measure link performance using passive monitoring first, based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive, FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A.

During passive monitoring, FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic, not ICMP traffic. ICMP is used for active probing, not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware. Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.

Within ADVPN topologies, shortcut requests and responses traverse spokes and hubs. Fortinet documentation states:

"When a spoke receives a shortcut query from another spoke, it may forward the response to its hub for validation or to facilitate dynamic shortcut tunnel setup. This mechanism allows direct spoke-to-spoke communication for optimized routing and performance, reducing latency and offloading the hub after initial control-plane mediation."

This is a core benefit of ADVPN’s dynamic shortcut feature.

When referencing a zone in a static route, FortiGate’s behavior is described as:

"Referencing a zone in a static route causes FortiGate to install a static route for each member interface of the zone. This enables ECMP (Equal-Cost Multi-Path) and load balancing where supported and ensures that traffic can be steered over any valid zone member according to SD-WAN rules or standard routing."

This mechanism is fundamental to Fortinet’s implementation of SD-WAN and simplifies large, multi-interface deployments.

When using the diagnose sys session list command, SD-WAN-specific session steering is indicated by the presence of the sdwan_service_id field in the session data. This identifier ties the session directly to a specific SD-WAN rule or service. As noted in the Fortinet documentation: “Sessions that are handled according to SD-WAN rules will include a service ID tag (sdwan_service_id) in their session listing. This allows administrators to correlate live sessions with SD-WAN policy matches for troubleshooting and visibility.” This is a crucial diagnostic tool, as it distinguishes between traffic managed by traditional routing and that explicitly controlled by SD-WAN steering logic, aiding in operational insight and troubleshooting.

The SD-WAN rule (config service edit 1) is configured with set mode priority. This means the rule selects the best interface based on a defined performance metric, as opposed to a simple static priority or SLA. The event log (image_41cfb5.png) shows Metric latency and Message Service prioritized by performance metric will be redirected in sequence order. This indicates that the rule is using latency to determine the preferred member. Given that the log message is about a change, and the most logical reason for a change in a priority mode is that a different member is now the best performer, it implies that the latency on port2 has become lower than that on port1.

The log message Service prioritized by performance metric will be redirected in sequence order confirms that FortiGate is changing the member being used for this service. Because the mode is priority, FortiGate dynamically selects the member that currently meets the best performance criteria, which in this case is latency. The log implies a new member has been selected as the most optimal, and with the default configuration, the members are sorted based on their performance, so the outgoing interface list is effectively updated to prefer the new best-performing member (port2).

From the SD-WAN rule configuration (service ID 3, name "Corp"), the rule is configured as:

set mode sla

set load-balance enable

set hash-mode source-ip-based

set priority-members 3 4 5

Two SLAs are referenced under config sla

In the diagnose firewall proute list output for service=3 (Corp), FortiGate shows the actual members considered for this rule and their SLA pass status:

oif=19 (HUB1-VPN1) num_pass=2

oif=20 (HUB1-VPN2) num_pass=2

oif=21 (HUB1-VPN3) num_pass=1

Because the rule is SLA-based, FortiGate selects only members that meet the SLA requirements for the rule. The output indicates that HUB1-VPN1 and HUB1-VPN2 pass both SLA checks (num_pass=2), while HUB1-VPN3 passes only one (num_pass=1) and therefore is not selected as an eligible forwarding interface for this rule.

Since load-balance is enabled and the rule uses hash-mode source-ip-based, FortiGate will consistently choose an eligible member based on the source IP hash. For traffic sourced from 10.0.1.101, the session can be steered through either HUB1-VPN1 or HUB1-VPN2 (whichever the hash selects), but not HUB1-VPN3.

Therefore, the correct answer is B.

The policy-route output shows the matching SD-WAN service for destination 10.66.0.0/24 is vwl_service=4 (LAN-to-Corp2) with vwl_mbr_seq=1 2 and paths oif=3(port1) and oif=4(port2). Therefore, traffic from 10.0.1.133 to 10.66.0.125 is steered via SD-WAN member ID 1 or 2.