Free Practice Questions for Fortinet NSE6_SDW_AD-7.6 Exam

" The custom-profile-1 metric uses a formula that calculates a composite value out of the latency, jitter, packet loss, and bibandwidth. The composite value is called the link quality index. " And from page 227, the factors FortiGate uses in order are: " FortiGate determines the member with the best quality using three factors: member configuration order, the link-cost-threshold setting, and the value of the metric measured for the member. "

By default, local-out traffic does not use SD-WAN → FortiGate normally sends local-out traffic (e.g., DNS, NTP, FortiGuard updates) directly through its interfaces without applying SD-WAN rules.

You must configure each local-out feature individually to use SD-WAN → To steer local-out traffic via SD-WAN, you must explicitly configure the desired local-out features (e.g., DNS, FortiGuard, CAPWAP) to use SD-WAN rules.

FortiManager enforces a strict distinction:

" Firewall policies must reference SD-WAN zones, not individual SD-WAN members, when used in conjunction with SD-WAN templates. Attempting to install a policy that references a specific member (interface) will result in a deployment error, as member-level targeting is not supported in SD-WAN policy abstraction. This enforces centralized policy consistency and proper SD-WAN operation. "

Ensuring policies target zones allows FortiGate to dynamically select the optimal member.

The line sdwan_mbr_seq=1 sdwan_service_id=4 indicates that this session is part of an SD-WAN rule. sdwan_service_id=4 confirms that the session is being handled by SD-WAN rule ID 4. This directly links the flow to the SD-WAN configuration.

The line no_offload_reason: redir-to-ips denied-by-nturbo shows that the session is not offloaded to the NPU (Network Processing Unit) and is being processed by the main CPU. A session that is not offloaded can be re-evaluated. If the outgoing interface (the one currently being used) goes down, the FortiGate will re-evaluate the session against the SD-WAN rules to find a new active member to steer the traffic through. This is a fundamental behavior of SD-WAN, which ensures network resilience.

In Fortinet SD-WAN architecture, underlay and overlay have distinct meanings:

Underlay links are the physical or logical transport networks that provide basic IP connectivity (for example, broadband, MPLS, LTE/5G).

Overlay links are virtual tunnels (such as IPsec VPNs) built on top of the underlay , providing abstraction, routing control, and segmentation.

Option B is correct.

Overlay links (for example, IPsec tunnels used in SD-WAN and ADVPN) decouple routing from the physical transport. This allows dynamic path selection, segmentation, and flexible routing policies independent of the underlay. Providing routing flexibility is a core purpose of overlays in SD-WAN.

Option D is correct.

Wireless connections such as LTE or 5G can be used as underlay transports, and overlay tunnels can be built over them . Fortinet SD-WAN fully supports building IPsec overlays on wireless underlays, making wireless links valid for overlay construction.

Why the other options are incorrect:

Option A is incorrect because a VLAN is a Layer 2 segmentation mechanism, not an SD-WAN overlay link.

Option C is incorrect because FortiLink is used for internal management and switch/AP connectivity, not as a WAN underlay for SD-WAN.

Option E is incorrect because underlay links can be wired or wireless ; they are not limited to wired connections.

Therefore, the two correct statements are B and D .

The exhibit shows the runtime details of two SD-WAN services (rules):

Service(2)

Mode(manual hash-mode=inbandwidth)

Members(2): port2 (WAN2), port1 (WAN1)

Application matching: Facebook, LinkedIn, Game

Source: 10.0.1.0–10.0.1.255 This rule is clearly intended for internet/DIA application steering and does not show a corporate destination range.

Service(3)

Mode(sla hash-mode=round-robin)

Members(6): HUB1-VPN1/2/3 and HUB2-VPN1/2/3

Source: 10.0.1.0–10.0.1.255

Destination: 10.0.0.0–10.255.255.255

Traffic from 10.0.1.124 to 10.0.0.254 matches Service(3) because the destination IP 10.0.0.254 falls within the destination range 10.0.0.0–10.255.255.255.

Within Service(3) , the member list shows SLA results per interface:

HUB1-VPN2 has sla(0x1) and num of pass(1)

HUB2-VPN2 has sla(0x2) and num of pass(1)

The remaining members (HUB1-VPN1, HUB2-VPN1, HUB1-VPN3, HUB2-VPN3) show sla(0x0) and num of pass(0)

This indicates that, for Service(3), only HUB1-VPN2 and HUB2-VPN2 are currently meeting the SLA requirements (passing), and because the rule uses hash-mode=round-robin, FortiGate load-balances sessions across the passing members.

Therefore, FortiGate will steer the traffic using HUB1-VPN2 or HUB2-VPN2 , which corresponds to Option B .

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there’s an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.