FCSS_SDW_AR-7.6 FCSS - SD-WAN 7.6 Architect Question and Answers

From the SD-WAN service configuration, rule edit 3 (name "Corp") is configured with:

set mode sla

set load-balance enable

set dst "Corp-net"

set src "LAN-net"

SLA checks referenced under config sla

Traffic from 10.0.1.101 to 10.0.0.126 matches this rule because the destination is within the corporate network range (shown in the policy-route/proute output as destination 10.0.0.0–10.255.255.255 for the Corp service).

In the diagnose firewall proute list output for vwl_service=3 (Corp), FortiGate shows which SD-WAN members are eligible based on SLA pass results:

oif=21 (HUB1-VPN3) num_pass=2

oif=20 (HUB1-VPN2) num_pass=0

oif=19 (HUB1-VPN1) num_pass=0

This indicates that, for the SLA-based rule, only HUB1-VPN3 is meeting the SLA requirements (it is the only member with num_pass=2). The other members have num_pass=0, so they are not eligible for forwarding under this SLA rule even though links are up.

The sniffer trace further corroborates the forwarding decision by showing the traffic egressing through HUB1-VPN3.

Therefore, FortiGate will steer the HTTP traffic through only HUB1-VPN3, which corresponds to Option A.

In the SD-WAN GUI, the absence of members in a zone is visually represented, and the Fortinet guide confirms:

"If a zone such as overlay-factories contains no members, it will be displayed as empty in the SD-WAN GUI. This may occur when the zone is reserved for future expansion, or if members have been temporarily removed for maintenance or reconfiguration. Traffic cannot be steered via an empty zone until at least one SD-WAN member is added."

Such visual cues help operators quickly assess configuration status and readiness.

For FortiGate to steer traffic using SD-WAN rules, two foundational elements must be in place: available WAN paths (underlay links) and firewall policies that allow traffic to reach the SD-WAN interface.

Underlay links (Option B) are mandatory because SD-WAN operates by selecting among multiple WAN transports (for example, broadband, MPLS, LTE, or IPsec tunnels). These links are configured as SD-WAN members and form the physical or logical paths over which traffic can be steered. Without underlay links, SD-WAN has no paths to evaluate or select.

Firewall policies (Option E) are also mandatory because FortiGate only processes and forwards traffic that is explicitly permitted by a firewall policy. When SD-WAN is enabled, firewall policies must reference the SD-WAN interface or SD-WAN zone as the outgoing interface. If no such policy exists, traffic will not be forwarded and SD-WAN rules will never be evaluated.

Why the other options are incorrect:

Security profiles (Option A) are optional and relate to inspection, not SD-WAN steering.

Overlay links (Option C) are used in specific designs such as ADVPN or hub-and-spoke overlays, but SD-WAN can steer traffic without overlays (for example, DIA-only designs).

Traffic shaping (Option D) is not required for SD-WAN decision-making; it is an optional optimization feature.

Therefore, the two required features that must be configured before FortiGate can steer traffic according to SD-WAN rules are underlay links and firewall policies, which correspond to B and E.

To allow spokes in different hub-and-spoke groups to establish ADVPN shortcuts, the hubs must be configured to forward and send ADVPN shortcut offers. The key required settings on the hub are auto-discovery-forwarder (for VPNs to hubs) and auto-discovery-sender (for VPNs to spokes). This ensures the hub can facilitate and advertise ADVPN shortcut offers between spokes.

The command shown in the exhibit is:

diagnose sys sdwan service 4 3

This command displays the runtime state of SD-WAN rule ID 3 on the device. The output explicitly shows:

Service(3) which confirms the SD-WAN rule being evaluated is rule number 3

Members(9) which indicates that nine SD-WAN members are associated with this rule

The listed members include multiple IPsec tunnel interfaces such as HUB1-VPN1, HUB1-VPN2, HUB1-VPN3, HUB2-VPN1, HUB2-VPN2, and HUB2-VPN3, which is characteristic of a spoke device connecting to multiple hubs in a hub-and-spoke ADVPN topology, as defined in the FCSS SD-WAN 7.6 architecture.

Option B is incorrect because, although members are listed under different interfaces, the output does not indicate SD-WAN zones. Zones are shown only in configuration output, not in this diagnostic command.

Option C is incorrect because this is not a hub device. The presence of multiple hub tunnels as SD-WAN members indicates a spoke role. Additionally, the output does not confirm the number of established ADVPN shortcuts.

Option D is incorrect because the output clearly references SD-WAN rule 3, not rule 4, and it does not state that exactly three shortcut tunnels are allowed.

Therefore, the correct conclusion is that this is a spoke device and SD-WAN rule 3 is configured with nine members, which matches option A.

From the SD-WAN rule configuration (service ID 3, name "Corp"), the rule is configured as:

set mode sla

set load-balance enable

set hash-mode source-ip-based

set priority-members 3 4 5

Two SLAs are referenced under config sla

In the diagnose firewall proute list output for service=3 (Corp), FortiGate shows the actual members considered for this rule and their SLA pass status:

oif=19 (HUB1-VPN1) num_pass=2

oif=20 (HUB1-VPN2) num_pass=2

oif=21 (HUB1-VPN3) num_pass=1

Because the rule is SLA-based, FortiGate selects only members that meet the SLA requirements for the rule. The output indicates that HUB1-VPN1 and HUB1-VPN2 pass both SLA checks (num_pass=2), while HUB1-VPN3 passes only one (num_pass=1) and therefore is not selected as an eligible forwarding interface for this rule.

Since load-balance is enabled and the rule uses hash-mode source-ip-based, FortiGate will consistently choose an eligible member based on the source IP hash. For traffic sourced from 10.0.1.101, the session can be steered through either HUB1-VPN1 or HUB1-VPN2 (whichever the hash selects), but not HUB1-VPN3.

Therefore, the correct answer is B.

Policy 3 points traffic To = HUB1-VPN1, which is an SD-WAN member interface. In SD-WAN you must reference the SD-WAN zone (the logical interface) in policies, not its member tunnels. Change the policy’s To interface to the zone HUB1, and the install will succeed.

In FortiOS (including FortiOS 7.6), FortiGate follows a strict and well-defined route lookup order when determining how to forward traffic. This order is critical for understanding SD-WAN behavior and is explicitly referenced in the FCSS SD-WAN curriculum.

The correct lookup sequence is:

Policy routes (Policy-Based Routing)Policy routes are evaluated first. If traffic matches a policy route, FortiGate immediately forwards the traffic according to that policy and bypasses all other routing mechanisms.

Internet Service Database (ISDB) routesIf no policy route matches, FortiGate checks ISDB routes. These routes match traffic based on Internet Services rather than destination IP prefixes.

SD-WAN rulesIf neither a policy route nor an ISDB route matches, FortiGate evaluates SD-WAN rules to determine the outgoing interface based on the configured SD-WAN strategy.

Routing table (connected, static, and dynamic routes such as BGP)If no SD-WAN rule matches, FortiGate performs a normal routing table lookup.

FIB (Forwarding Information Base)The FIB is used to forward the packet based on the selected route.

DropIf no valid route exists, the packet is dropped.

Among the options provided, only Option D correctly reflects the beginning of this sequence by placing policy routes first, followed by ISDB routes, then SD-WAN rules, and finally static routes (representing the routing table).

Therefore, the correct answer is D.

The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones. This statement perfectly describes the likely sequence of events. The template, when applied, re-organizes the interfaces and zones, causing the existing firewall policy that relies on the old zone configuration to fail. This is the most plausible root cause.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.

Your requirements map to two key MSSP goals described in the FCSS SD-WAN 7.6 blueprint patterns:

Delegate as much administration and management as possible to the MSSPThis is best achieved when the hub security and SD-WAN control point is located on the MSSP premises, because the MSSP can centrally operate the core enforcement and overlay control. Both option B (dedicated hub at MSSP) and option D (shared hub at MSSP with customer isolation) meet this requirement.

Each site must maintain direct internet access (DIA) and be secure, with significant site-to-site trafficIn Fortinet SD-WAN MSSP designs, spokes can still use local breakout for DIA while also building secure overlays for inter-site traffic. Placing the hub at the MSSP enables centralized security services and scalable inter-site connectivity management while preserving DIA where required. Options B and D support this operating model.

Why the other options do not best match:

A includes a dedicated hub on the customer premises, which reduces how much the MSSP can centralize and operate from its own environment, so it does not maximize delegation.

C places both hub and spokes on the customer premises. While the MSSP can manage using a dedicated ADOM, this blueprint does not align as strongly with “delegate installation and management” to the MSSP as the designs where the hub is hosted and operated from the MSSP premises.

Therefore, the two MSSP deployment blueprints that address your requirements are B and D.

With the Best Quality strategy, FortiGate first checks which links meet the SLA targets defined in the selected performance SLA (in this case, Custom-profile-1). Among those qualified links, FortiGate then uses the member configuration order to decide preference. If multiple links still qualify, it finally considers the member local cost to select the best path.

Rules template → Defines the SD-WAN rules for traffic steering.

BGP template → Configures dynamic routing for overlay tunnels.

IPsec tunnel template → Builds the IPsec VPN tunnels from the spoke to the hubs.

When you enable ADVPN (auto-discovery VPN) in the overlay template, FortiManager automatically updates both the IPsec and BGP templates on the hub so that shortcut tunnels can be established dynamically.

ADVPN can be activated in the SD-WAN overlay template for any supported topology, including dual-hub primary–primary, not just single hub.

In the exhibit, the IPsec tunnel statistics event log entries include the field advpnsc.

Fortinet documents that advpnsc identifies whether the VPN event is based on an ADVPN shortcut:

advpnsc=1 → the tunnel is an ADVPN shortcut

advpnsc=0 → not an ADVPN shortcut (Fortinet Documentation Library)

In the shown logs, the tunnel vpntunnel="HUB1-VPN1_0" has advpnsc=1, which means HUB1-VPN1_0 is an ADVPN shortcut tunnel. (Fortinet Documentation Library)

The other tunnels shown (for example VPN4_0 and HUB2-VPN3) have advpnsc=0, which only indicates no shortcut is identified for those log entries—it does not prove they “cannot accept” shortcuts, only that the specific event is not a shortcut. (Fortinet Documentation Library)

From the exhibit, both branches have an SD-WAN zone named overlay with set advpn-select enable, and each SD-WAN member in that zone is assigned a transport-group value.

Branch-A members:

T1 → transport-group 1

T2 → transport-group 1

T3 → transport-group 2

Branch-B members:

TA → transport-group 1

TB → transport-group 2

TC → transport-group 3

In FCSS SD-WAN 7.6 ADVPN design, transport-group is used to constrain which underlays are allowed to form ADVPN shortcuts with each other. A spoke can establish an ADVPN shortcut only between interfaces that belong to the same transport-group on both sides. This prevents building shortcuts across dissimilar transports.

Evaluating the options:

Option D (T2 on Branch-A with transport-group 1 and TA on Branch-B with transport-group 1) is a valid shortcut pairing.

Option C is not valid because T3 is transport-group 2 while TC is transport-group 3, so they are not permitted to form a shortcut.

Option A is incorrect because not all overlay-zone interfaces are eligible; eligibility is restricted by transport-group matching.

Option B is incorrect because ADVPN shortcuts are spoke-to-spoke tunnels (facilitated by the hub), not limited to “interfaces connected to hub only.”

Therefore, the valid shortcut pairing listed is between T2 on Branch-A and TA on Branch-B, which corresponds to Option D.

When planning to deploy a large number of branches (e.g., 50), Fortinet recommends several preparatory steps to simplify and automate the rollout. Creating model devices allows you to predefine configurations and settings that can be cloned or adapted for each branch, saving time and minimizing manual errors. Preparing a Zero Touch Provisioning (ZTP) template enables automatic onboarding and provisioning of new FortiGates as soon as they come online, reducing manual intervention. Lastly, creating a policy blueprint allows for standardized policy deployment across all branches, ensuring consistent security and SD-WAN rule enforcement. This holistic approach streamlines the deployment process, allows for rapid scaling, and ensures that all devices are configured according to corporate policy from day one.

The exhibit shows the following IPsec phase1-interface configuration applied on spoke tunnels:

set auto-discovery-shortcuts dependent

set network-overlay enable

set network-id

In the FCSS SD-WAN 7.6 ADVPN architecture, the network-overlay and network-id parameters are used to logically group IPsec tunnels into separate overlays. When network-overlay is enabled, FortiGate treats the tunnel as part of an overlay network rather than a simple transport tunnel.

The network-id parameter is critical in multi-overlay ADVPN designs. Fortinet documentation specifies that ADVPN shortcuts are only allowed between tunnels that share the same network-id. This mechanism explicitly prevents cross-overlay shortcuts, ensuring that shortcuts are formed only within the same logical overlay and not across different overlays that may serve different purposes (for example, different hubs, regions, or transport groups).

The use of auto-discovery-shortcuts dependent further enforces correct shortcut behavior by ensuring that shortcut tunnels depend on the state of the parent overlay tunnel, but it does not by itself prevent multiple shortcuts or convert ADVPN versions.

Why the other options are incorrect:

Option A is incorrect because simply enabling network-overlay does not exist to “enable overlay links” in general; its purpose is to define overlay membership and control shortcut behavior.

Option B is incorrect because there is no concept of “ADVPN 2.0” conversion using these parameters in FortiOS 7.6.

Option D is incorrect because preventing multiple shortcuts over the same overlay is not controlled by network-id; multiple shortcuts within the same overlay are allowed when required.

Therefore, the valid objective of these settings is to prevent cross-overlay shortcuts, which corresponds to Option C.

The FortiManager SD-WAN overlay system allows only one IPsec template to be assigned to each device per overlay operation. The guide clarifies:

"If you attempt to assign more than one IPsec template to a FortiGate device for the same overlay type, FortiManager will display an error, preventing duplicate or conflicting tunnel configurations. This limitation ensures a one-to-one mapping between device and overlay template per operation, maintaining configuration integrity and preventing routing issues."

This prevents complex troubleshooting scenarios and enforces best practices for overlay design.

The exhibit shows the runtime details of two SD-WAN services (rules):

Service(2)

Mode(manual hash-mode=inbandwidth)

Members(2): port2 (WAN2), port1 (WAN1)

Application matching: Facebook, LinkedIn, Game

Source: 10.0.1.0–10.0.1.255This rule is clearly intended for internet/DIA application steering and does not show a corporate destination range.

Service(3)

Mode(sla hash-mode=round-robin)

Members(6): HUB1-VPN1/2/3 and HUB2-VPN1/2/3

Source: 10.0.1.0–10.0.1.255

Destination: 10.0.0.0–10.255.255.255

Traffic from 10.0.1.124 to 10.0.0.254 matches Service(3) because the destination IP 10.0.0.254 falls within the destination range 10.0.0.0–10.255.255.255.

Within Service(3), the member list shows SLA results per interface:

HUB1-VPN2 has sla(0x1) and num of pass(1)

HUB2-VPN2 has sla(0x2) and num of pass(1)

The remaining members (HUB1-VPN1, HUB2-VPN1, HUB1-VPN3, HUB2-VPN3) show sla(0x0) and num of pass(0)

This indicates that, for Service(3), only HUB1-VPN2 and HUB2-VPN2 are currently meeting the SLA requirements (passing), and because the rule uses hash-mode=round-robin, FortiGate load-balances sessions across the passing members.

Therefore, FortiGate will steer the traffic using HUB1-VPN2 or HUB2-VPN2, which corresponds to Option B.