Free Practice Questions for Fortinet NSE6_SDW_AD-7.6 Exam

The SD-WAN monitor’s table view in FortiManager provides a donut visualization plus a detailed table that shows each SD-WAN member’s status and SLA pass/miss, giving the per-member health view you’re after.

The described design is a multi-region SD-WAN architecture, where:

Each region has its own dual-hub ADVPN domain

Most traffic is intra-region

Inter-region traffic is limited and controlled

Spokes can be single-hub or dual-hub, depending on size and redundancy requirements

According to Fortinet’s SD-WAN Architecture for Enterprise guidance, when deploying multiple ADVPN regions, eBGP is the recommended routing protocol between regions. Each region operates as an independent routing domain (typically iBGP within the region), while eBGP is used to exchange routes between regional hubs. This approach:

Prevents excessive route reflection and scaling issues

Provides clear administrative boundaries between regions

Improves stability and scalability in large global deployments

Matches the exact traffic pattern described (high intra-region, low inter-region traffic)

This is explicitly documented in Fortinet guidance for “Using eBGP between regions with intra-region ADVPN”, which confirms that the architecture described in the question is valid and recommended when eBGP is used between regions.

Why the other options are incorrect:

Option B is incorrect because FortiOS does not impose a hard “four-hub” architectural limit in the described regional model. Each region has its own hubs, not a single flat multihub domain.

Option C is incomplete. While FortiManager Overlay Orchestrator can help operationally, it is not the key architectural requirement that makes this design valid. The question asks what makes the plan correct from a design standpoint, not a tooling standpoint.

Option D is incorrect because FortiOS fully supports mixed spoke connectivity within the same region (some spokes single-hub, others dual-hub), which is a common enterprise SD-WAN design.

Therefore, the correct and documented conclusion is that the plan is possible and eBGP should be used as the routing protocol between regions, which corresponds to Answer A.

Fortinet outlines key SD-WAN routing principles:

"Policy routes are always evaluated before SD-WAN rules, meaning if a policy route matches, SD-WAN steering is bypassed. If the best route for a destination is not via an SD-WAN member, SD-WAN rules do not apply, and members are ignored if they lack a valid route. This hierarchy ensures traffic always follows the most deterministic and valid path according to configuration."

Understanding these principles is critical for correct SD-WAN and routing integration.

FortiManager enforces a strict distinction:

"Firewall policies must reference SD-WAN zones, not individual SD-WAN members, when used in conjunction with SD-WAN templates. Attempting to install a policy that references a specific member (interface) will result in a deployment error, as member-level targeting is not supported in SD-WAN policy abstraction. This enforces centralized policy consistency and proper SD-WAN operation."

Ensuring policies target zones allows FortiGate to dynamically select the optimal member.

The line sdwan_mbr_seq=1 sdwan_service_id=4 indicates that this session is part of an SD-WAN rule. sdwan_service_id=4 confirms that the session is being handled by SD-WAN rule ID 4. This directly links the flow to the SD-WAN configuration.

The line no_offload_reason: redir-to-ips denied-by-nturbo shows that the session is not offloaded to the NPU (Network Processing Unit) and is being processed by the main CPU. A session that is not offloaded can be re-evaluated. If the outgoing interface (the one currently being used) goes down, the FortiGate will re-evaluate the session against the SD-WAN rules to find a new active member to steer the traffic through. This is a fundamental behavior of SD-WAN, which ensures network resilience.

With the Best Quality strategy, FortiGate first checks which links meet the SLA targets defined in the selected performance SLA (in this case, Custom-profile-1). Among those qualified links, FortiGate then uses the member configuration order to decide preference. If multiple links still qualify, it finally considers the member local cost to select the best path.

Traffic steering in Fortinet SD-WAN is based on defined rules and the corresponding outgoing interfaces. The exhibit (not shown here) would indicate that the traffic from the LAN subnet 10.0.1.0/24 to the server 10.2.5.254 is matched by SD-WAN rule 3 and sent out via the HUB1-VPN3 interface.

The SD-WAN rule (config service edit 1) is configured with set mode priority. This means the rule selects the best interface based on a defined performance metric, as opposed to a simple static priority or SLA. The event log (image_41cfb5.png) shows Metric latency and Message Service prioritized by performance metric will be redirected in sequence order. This indicates that the rule is using latency to determine the preferred member. Given that the log message is about a change, and the most logical reason for a change in a priority mode is that a different member is now the best performer, it implies that the latency on port2 has become lower than that on port1.

The log message Service prioritized by performance metric will be redirected in sequence order confirms that FortiGate is changing the member being used for this service. Because the mode is priority, FortiGate dynamically selects the member that currently meets the best performance criteria, which in this case is latency. The log implies a new member has been selected as the most optimal, and with the default configuration, the members are sorted based on their performance, so the outgoing interface list is effectively updated to prefer the new best-performing member (port2).