Latest Fortinet NSE6_SDW_AD-7.6 Exam questions and answers [Q22-Q41]

BraindumpsVCE NSE6_SDW_AD-7.6 Exam Practice Test Questions (Updated 97 Questions)

NEW QUESTION # 22
(When you deploy SD-WAN, you can choose from several common designs. Each design best applies to specific contexts.
Which two statements correctly associate a common SD-WAN design with its main indication or constraint?
Choose two answers.)

  • A. Use a cloud on-ramp topology to improve the performance of cloud applications.
  • B. Use remote breakout to centralize traffic inspection and limit local management requirements.
  • C. Use a standalone design for sites with only one WAN link to the cloud.
  • D. Use a direct internet access (DIA) design to increase the traffic security and allow local devices with limited capabilities.

Answer: A,B

Explanation:
The FCSS SD-WAN 7.6 curriculum describes multiple standard SD-WAN deployment designs, each mapped to a specific operational goal or constraint.
A cloud on-ramp topology is designed to optimize connectivity to cloud services such as SaaS and IaaS. This design provides the most efficient and reliable path to cloud applications by establishing direct tunnels to cloud gateways or cloud workloads and by avoiding backhauling traffic through a central data center. As a result, its primary indication is improving the performance of cloud applications, which makes option A correct.
A remote breakout (centralized breakout) design forwards all internet-bound traffic from branch sites to a central hub for security inspection. This allows security policies, inspection, and logging to be centralized on a high-capacity FortiGate at the hub. Because branch devices do not need advanced local security configurations, this design also limits local management requirements, which makes option C correct.
Option B is incorrect because a standalone SD-WAN design is not selected simply because a site has only one WAN link. SD-WAN provides its main benefits when multiple WAN paths exist, and single-link sites do not gain meaningful traffic-steering advantages.
Option D is incorrect because a direct internet access (DIA) design performs local internet breakout at the branch and therefore requires strong local security capabilities. DIA does not inherently increase traffic security and is not intended for devices with limited capabilities.
Therefore, the two correct associations are A and C.


NEW QUESTION # 23
Refer to the exhibits, which show the configuration of an SD-WAN rule and the corresponding rule status and routing table.


The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule.
Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?

  • A. The traffic will be routed over HUB1-VPN1.
  • B. The traffic will be load balanced across all three overlays
  • C. The traffic will be routed over HUB1-VPN2
  • D. The traffic will be routed over HUB1-VPN3.

Answer: C

Explanation:
The rule is in SLA mode with two SLAs. From the status, HUB1-VPN2 and HUB1-VPN3 meet the SLA (sla(0x2) and sla(0x3)), while HUB1-VPN1 does not (sla(0x0)). Among members that meet SLA, FortiGate uses the configured order (priority-members 4 5 6) to pick the first eligible one, HUB1-VPN2, so traffic is routed over HUB1-VPN2.


NEW QUESTION # 24

Refer to the exhibit.
You want to configure SD-WAN on a network as shown in the exhibit.
The network contains many FortiGate devices. Some are used as NGFW, and some are installed with extensions such as FortiSwitch, FortiAP, or FortiExtender.
What should you consider when planning your deployment?

  • A. You must use FortiManager to manage your SD-WAN topology.
  • B. You must build multiple SD-WAN topologies. Each topology must contain only one type of extension.
  • C. You can build an SD-WAN topology that includes all devices. The hubs must be devices without extensions.
  • D. You can build an SD-WAN topology that includes all devices. The hubs can be FortiGate devices with FortiExtender.

Answer: C

Explanation:
In Fortinet SD-WAN, hubs should not have extensions like FortiSwitch, FortiAP, or FortiExtender installed, as these can affect hub functionality and scalability. While all device types can be included in the topology, the hubs must be "clean" FortiGate devices without such extensions to ensure proper ADVPN and overlay management.


NEW QUESTION # 25
(Refer to the exhibits.

The SD-WAN overlay template advanced settings and the underlay and network advertisement settings are shown. These are the configurations for the secondary hub of a dual-hub SD-WAN topology created with the FortiManager SD-WAN overlay orchestrator.
Which two conclusions can you draw from the information shown in the exhibits? Choose two answers.)

  • A. FortiManager will define port2 as a BGP neighbor.
  • B. FortiManager will create an overlay tunnel on the port1 interface.
  • C. FortiManager will define port5 as a BGP neighbor.
  • D. FortiManager will create an overlay tunnel on the port2 interface.

Answer: B,D

Explanation:
From the Underlay and network advertisement configuration exhibit for the Secondary HUB:
* Under Underlay, the template explicitly lists:
  * WAN Underlay 1 = port1
  * WAN Underlay 2 = port2
In FortiManager SD-WAN Overlay Orchestrator, underlay interfaces selected for a hub are the transports used to build the overlay IPsec tunnels (one overlay per underlay, per peer as defined by the template).
Because both port1 and port2 are configured as underlays, FortiManager will build overlay tunnels over both underlay links. That supports:
* Option C (overlay tunnel on port1)
* Option B (overlay tunnel on port2)
For the BGP neighbor options:
* The Network Advertisement section shows Interface 1 = port5, which indicates a LAN/internal interface whose connected or static networks may be advertised into the overlay routing domain. This does not make port5 a BGP neighbor interface; it is the interface whose routes are being advertised.
* The template indicates Dynamic BGP is enabled. In Overlay Orchestrator designs, BGP neighbor relationships are formed across the overlay tunnel interfaces / overlay endpoints, not directly on the raw underlay interfaces (port1/port2) and not on the advertised LAN interface (port5). Therefore, options A and D are not valid conclusions from what is shown.
So, the two correct conclusions are B and C.


NEW QUESTION # 26
Refer to the exhibit.

Which statement best describes the role of the ADVPN device in handling traffic?

  • A. This is a hub that has received a query from a spoke and has forwarded it to another spoke.
  • B. This is a spoke. The kernel received a shortcut request and forwards the query to another spoke.
  • C. This is a spoke that has received a shortcut query from another spoke and has forwarded the response to its hub.
  • D. This is a hub in a dual-region topology. The remote hub tunnel ID is 10.0.2.101.

Answer: C

Explanation:
Within ADVPN topologies, shortcut requests and responses traverse spokes and hubs. Fortinet documentation states:
"When a spoke receives a shortcut query from another spoke, it may forward the response to its hub for validation or to facilitate dynamic shortcut tunnel setup. This mechanism allows direct spoke-to-spoke communication for optimized routing and performance, reducing latency and offloading the hub after initial control-plane mediation." This is a core benefit of ADVPN's dynamic shortcut feature.


NEW QUESTION # 27
(Refer to the exhibit.

You configure SD-WAN on a standalone FortiGate device.
You want to create an SD-WAN rule that steers traffic related to Facebook and LinkedIn through the less costly internet link.
What must you do to set Facebook and LinkedIn applications as destinations from the GUI? Choose one answer.)

  • A. You cannot configure applications as destinations of an SD-WAN rule on a standalone FortiGate device.
  • B. Install a license to allow applications as destinations of SD-WAN rules.
  • C. Enable the visibility of the applications field as destinations of the SD-WAN rule.
  • D. In the Internet service field, select Facebook and LinkedIn.

Answer: D

Explanation:
In FortiOS 7.6, SD-WAN rules can steer traffic based on Internet Services, which represent predefined application and service signatures maintained by FortiGuard. Common applications such as Facebook and LinkedIn are included in the Internet Service database.
According to the FCSS SD-WAN 7.6 curriculum, when configuring an SD-WAN rule from the GUI on a standalone FortiGate device, applications are selected as destinations using the Internet service field, not by enabling a separate application destination field. The exhibit highlights the Internet service option under the Destination section, which is the correct method to match traffic for specific applications.
Option A is incorrect because there is no GUI option to enable application visibility as destinations for SD-WAN rules. Application matching is already abstracted through Internet Services.
Option C is incorrect because standalone FortiGate devices fully support application-based steering using Internet Services in SD-WAN rules.
Option D is incorrect because no additional license is required to use Internet Services in SD-WAN rules. This functionality is included in FortiOS and relies on the built-in FortiGuard Internet Service database.
Therefore, to steer Facebook and LinkedIn traffic through a specific WAN link, you must select Facebook and LinkedIn in the Internet service field, which corresponds to option B.


NEW QUESTION # 28
(Refer to the exhibit.

Based on the output shown in the exhibit, what can you conclude about the device role and how it handles health checks? Choose one answer.)

  • A. The device is a spoke and it provides embedded health-check measures for each tunnel to the hub.
  • B. The device is a spoke and it receives health-check measures for the tunnels of another spoke.
  • C. The device is a hub and it receives health-check measures for the tunnels of a spoke.
  • D. The device is a hub and it receives embedded health-check measures for each tunnel from the spoke.

Answer: A


NEW QUESTION # 29
Refer to the exhibits.



The first exhibit shows the SD-WAN zone HUB1 and SD-WAN member configuration from an SD-WAN template, and the second exhibit shows the output of command diagnose sys sdwan member collected on a FortiGate device.
Which statement best describes what the diagnose output shows?

  • A. The diagnose output was collected on the device branch2_fgt.
  • B. The diagnose output was collected on the device branch1_fgt
  • C. The diagnose output shows that HUB1-VPN1 and all HUBx-VPNy members are dead.
  • D. The diagnose output does not correspond to a device configured with the SD-WAN template shown in the exhibit.

Answer: B

Explanation:
The diagnose output lists SD-WAN members 4 (HUB1-VPN1), 5 (HUB1-VPN2), 7 (HUB2-VPN1), 8 (HUB2-VPN2), and 9 (HUB2-VPN3). It does not include member 6 (HUB1-VPN3). From the template, HUB1-VPN3 is installed only on branch2_fgt and branch3_fgt, not on branch1_fgt. Therefore, the output must be from branch1_fgt.


NEW QUESTION # 30
What are three key routing principles of SD-WAN? (Choose three.)

  • A. SD-WAN rules are skipped if the best route to the destination is a static route
  • B. Directly connected routes have precedence over SD-WAN rules.
  • C. SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
  • D. Policy routes have precedence over SD-WAN rules.
  • E. SD-WAN members are skipped if they do not have a valid route to the destination.

Answer: C,D,E

Explanation:
Fortinet outlines key SD-WAN routing principles:
"Policy routes are always evaluated before SD-WAN rules, meaning if a policy route matches, SD-WAN steering is bypassed. If the best route for a destination is not via an SD-WAN member, SD-WAN rules do not apply, and members are ignored if they lack a valid route. This hierarchy ensures traffic always follows the most deterministic and valid path according to configuration." Understanding these principles is critical for correct SD-WAN and routing integration.


NEW QUESTION # 31
Which two statements correctly describe what happens when traffic matches the implicit SD-WAN rule?
(Choose two.)

  • A. The session information output displays no SD-WAN service id.
  • B. FortiGate flags the session with may_dirty and vwl_default.
  • C. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.
  • D. Traffic does not match any of the entries in the policy route table.
  • E. The traffic is distributed, regardless of weight, through all available static routes.

Answer: A,D

Explanation:
The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:
"Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic." Administrators can observe this in diagnostic outputs for troubleshooting.


NEW QUESTION # 32
(In which order does FortiGate consider the following elements during the route lookup process? Choose one answer.)

  • A. Policy routes, SD-WAN rules, Internet Service Database (ISDB) routes, BGP routes
  • B. SD-WAN rules, policy routes, static routes, ISDB routes
  • C. Policy routes, ISDB routes, SD-WAN rules, static routes
  • D. SD-WAN rules, ISDB routes, policy routes, BGP routes

Answer: C

Explanation:
In FortiOS (including FortiOS 7.6), FortiGate follows a strict and well-defined route lookup order when determining how to forward traffic. This order is critical for understanding SD-WAN behavior and is explicitly referenced in the FCSS SD-WAN curriculum.
The correct lookup sequence is:
* Policy routes (Policy-Based Routing): Policy routes are evaluated first. If traffic matches a policy route, FortiGate immediately forwards the traffic according to that policy and bypasses all other routing mechanisms.
* Internet Service Database (ISDB) routes: If no policy route matches, FortiGate checks ISDB routes. These routes match traffic based on Internet Services rather than destination IP prefixes.
* SD-WAN rules: If neither a policy route nor an ISDB route matches, FortiGate evaluates SD-WAN rules to determine the outgoing interface based on the configured SD-WAN strategy.
* Routing table (connected, static, and dynamic routes such as BGP): If no SD-WAN rule matches, FortiGate performs a normal routing table lookup.
* FIB (Forwarding Information Base): The FIB is used to forward the packet based on the selected route.
* Drop: If no valid route exists, the packet is dropped.
Among the options provided, only Option D correctly reflects the beginning of this sequence by placing policy routes first, followed by ISDB routes, then SD-WAN rules, and finally static routes (representing the routing table).
Therefore, the correct answer is D.


NEW QUESTION # 33
You are planning a large SD-WAN deployment with approximately 1000 spokes and want to allow ADVPN between the spokes. Some remote sites use FortiSASE to connect to the company's SD-WAN hub. Which overlay routing configuration should you use?

  • A. BGP per overlay with BGP next-hop convergence for ADVPN shortcut routing.
  • B. BGP on loopback with IPsec phase2 selectors for ADVPN shortcut routing.
  • C. BGP on loopback with dynamic BGP for ADVPN shortcut routing.
  • D. BGP per overlay with dynamic BGP for ADVPN shortcut routing.

Answer: C

Explanation:
For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there's an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.


NEW QUESTION # 34
Within the context of SD-WAN, what does SIA correspond to?

  • A. Secure Internet Authorization
  • B. Software Internet Access
  • C. Local Breakout
  • D. Remote Breakout

Answer: C


NEW QUESTION # 35
Which statement describes FortiGate behavior when you reference a zone in a static route?

  • A. FortiGate installs a static route for each member in the zone.
  • B. FortiGate routes the traffic through the best performing member of the zone.
  • C. FortiGate ignores the static routes defined through members referenced in the zone.
  • D. FortiGate installs ECMP static routes for the first two members of the zone.

Answer: A

Explanation:
When referencing a zone in a static route, FortiGate's behavior is described as:
"Referencing a zone in a static route causes FortiGate to install a static route for each member interface of the zone. This enables ECMP (Equal-Cost Multi-Path) and load balancing where supported and ensures that traffic can be steered over any valid zone member according to SD-WAN rules or standard routing." This mechanism is fundamental to Fortinet's implementation of SD-WAN and simplifies large, multi-interface deployments.


NEW QUESTION # 36
Refer to the exhibits.

The exhibits show the source NAT (SNAT) global setting, port2 interface settings, and the routing table on FortiGate.
The administrator increases the member priority on port2 to 20.
Upon configuration changes and the receipt of new packets, which two actions does FortiGate perform on existing sessions established over port2? (Choose two.)

  • A. FortiGate flags the sessions as dirty.
  • B. FortiGate continues routing all existing sessions over port2.
  • C. FortiGate routes only new sessions over port2.
  • D. FortiGate flags the SNAT session as dirty only if the administrator has assigned an IP pool to the firewall policies with NAT.
  • E. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Answer: A,E

Explanation:
When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies "dirty" flags where applicable. The SD-WAN session management mechanism is described in detail:
"Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing." This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.


NEW QUESTION # 37
When a customer delegates the installation and management of its SD-WAN infrastructure to an MSSP, the MSSP usually keeps the hub within its infrastructure for ease of management and to share costly resources.
In which two situations will the MSSP install the hub in customer premises? (Choose two.)

  • A. The customer expects a large amount of VoIP traffic.
  • B. The customer requires SIA with centralized breakout.
  • C. The administrator expects a large volume of traffic between the branches.
  • D. The majority of the branch traffic is directed to a corporate data center.

Answer: C,D


NEW QUESTION # 38
(Refer to the exhibit.

You update the spokes configuration of an existing auto-discovery VPN (ADVPN) topology by adding the parameters shown in the exhibit.
Which is a valid objective of those settings? Choose one answer.)

  • A. Prevent multiple shortcuts from being established over the same overlay.
  • B. Convert the configuration from ADVPN to ADVPN 2.0.
  • C. Enable the tunnels as overlay links.
  • D. Prevent cross-overlay shortcuts.

Answer: D

Explanation:
The exhibit shows the following IPsec phase1-interface configuration applied on spoke tunnels:
* set auto-discovery-shortcuts dependent
* set network-overlay enable
* set network-id <value>
In the FCSS SD-WAN 7.6 ADVPN architecture, the network-overlay and network-id parameters are used to logically group IPsec tunnels into separate overlays. When network-overlay is enabled, FortiGate treats the tunnel as part of an overlay network rather than a simple transport tunnel.
The network-id parameter is critical in multi-overlay ADVPN designs. Fortinet documentation specifies that ADVPN shortcuts are only allowed between tunnels that share the same network-id. This mechanism explicitly prevents cross-overlay shortcuts, ensuring that shortcuts are formed only within the same logical overlay and not across different overlays that may serve different purposes (for example, different hubs, regions, or transport groups).
The use of auto-discovery-shortcuts dependent further enforces correct shortcut behavior by ensuring that shortcut tunnels depend on the state of the parent overlay tunnel, but it does not by itself prevent multiple shortcuts or convert ADVPN versions.
Why the other options are incorrect:
* Option A is incorrect because simply enabling network-overlay does not exist to "enable overlay links" in general; its purpose is to define overlay membership and control shortcut behavior.
* Option B is incorrect because there is no concept of "ADVPN 2.0" conversion using these parameters in FortiOS 7.6.
* Option D is incorrect because preventing multiple shortcuts over the same overlay is not controlled by network-id; multiple shortcuts within the same overlay are allowed when required.
Therefore, the valid objective of these settings is to prevent cross-overlay shortcuts, which corresponds to Option C.


NEW QUESTION # 39
Refer to the exhibit.

The exhibit shows the health-check configuration on a FortiGate device used as a spoke. You notice that the hub FortiGate doesn't prioritize the traffic as expected.
Which two configuration elements should you check on the hub? (Choose two.)

  • A. This performance SLA uses the same members.
  • B. The performance SLA is configured with set embedded-measure accept.
  • C. The performance SLA has the parameter priority-out-sla configured.
  • D. The performance SLA uses the same criteria.

Answer: B,D

Explanation:
The hub must use a performance SLA with the same criteria as the spoke's health check. The spoke's health check is using ping (protocol ping) and measuring latency (link-cost-factor latency). For the hub to use the data sent by the spoke, its performance SLA must be configured to measure the same metrics. If the hub is looking for jitter or packet loss, it will not use the latency data sent by the spoke.
When a spoke sends embedded health data, the hub FortiGate must be configured to receive and use it. This is done by setting set embedded-measure accept within the performance SLA configuration on the hub. This setting explicitly tells the hub to trust and use the performance metrics received from the remote FortiGate (the spoke). Without this setting, the hub will likely ignore the embedded health data and rely on its own health checks, which could lead to incorrect traffic prioritization.


NEW QUESTION # 40
Refer to the exhibit, which shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured latency will first make HUB1-VPN3 the new preferred member?

  • A. When HUB1-VPN1 has a latency of 200 ms
  • B. When HUB1-VPN3 has a latency of 90 ms
  • C. When HUB1-VPN3 has a lower latency than HUB1-VPN1 and HUB1-VPN2
  • D. When HUB1-VPN3 has a latency of 80 ms

Answer: A

Explanation:
The rule is in priority mode with HUB1-VPN1 (seq 4) as the first preferred member, HUB1-VPN2 second, and HUB1-VPN3 third. Latency itself does not cause HUB1-VPN3 to become preferred unless a higher-priority member fails SLA. If HUB1-VPN1's latency exceeds the SLA threshold (here simulated by latency reaching 200 ms), FortiGate stops using it and moves down the priority list. That is when HUB1-VPN3 could become the active path.


NEW QUESTION # 41
......