Fortinet NSE6_SDW_AD-7.6 - Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator

In Fortinet SD-WAN architecture, underlay and overlay have distinct meanings:

Underlay links are the physical or logical transport networks that provide basic IP connectivity (for example, broadband, MPLS, LTE/5G).

Overlay links are virtual tunnels (such as IPsec VPNs) built on top of the underlay, providing abstraction, routing control, and segmentation.

Option B is correct.

Overlay links (for example, IPsec tunnels used in SD-WAN and ADVPN) decouple routing from the physical transport. This allows dynamic path selection, segmentation, and flexible routing policies independent of the underlay. Providing routing flexibility is a core purpose of overlays in SD-WAN.

Option D is correct.

Wireless connections such as LTE or 5G can be used as underlay transports, and overlay tunnels can be built over them. Fortinet SD-WAN fully supports building IPsec overlays on wireless underlays, making wireless links valid for overlay construction.

Why the other options are incorrect:

Option A is incorrect because a VLAN is a Layer 2 segmentation mechanism, not an SD-WAN overlay link.

Option C is incorrect because FortiLink is used for internal management and switch/AP connectivity, not as a WAN underlay for SD-WAN.

Option E is incorrect because underlay links can be wired or wireless; they are not limited to wired connections.

Therefore, the two correct statements are B and D.

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive, FortiGate attempts to measure link performance using passive monitoring first, based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive, FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A.

During passive monitoring, FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic, not ICMP traffic. ICMP is used for active probing, not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware. Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D.

In FortiOS 7.6, local-out traffic is traffic generated by the FortiGate itself, such as ping, traceroute, FortiGuard updates, DNS, NTP, and SNMP. Local-out traffic does not traverse the firewall policy engine and therefore behaves differently from forwarded traffic in SD-WAN.

According to the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture documentation, local-out traffic does not use SD-WAN by default. Instead, it follows the routing table (static and dynamic routes). To allow local-out traffic to be evaluated by SD-WAN rules, the administrator must explicitly enable local-out SD-WAN processing.

The curriculum also states that only SD-WAN rules using the manual strategy are supported for local-out traffic. SLA-based, application-based, and dynamic strategies are not evaluated for traffic generated by the FortiGate itself. This is a fundamental architectural limitation of SD-WAN in FortiOS 7.6.

Option B is incorrect because FortiGate does not automatically apply SD-WAN rules to ping or traceroute traffic by default. Even these tools follow the routing table unless local-out SD-WAN is enabled.

Option D is incorrect because local-out SD-WAN configuration is global. Individual local-out features do not require separate SD-WAN enablement.

The log shows messages on HUB1-VPN1 where the device processes a SHORTCUT_QUERY and performs NAT hole punching (peer at 192.2.0.1:4500). This indicates that the device is acting as a hub, helping two spokes (192.2.0.1 and 10.0.3.101) establish a direct ADVPN shortcut tunnel between each other, instead of routing their traffic through the hub.

Enforce Device Configuration is enabled and the blueprint applies the provisioning CLI templates. The LAN-interface script sets port1 and port2 to DHCP and assigns a static IP to port5 (using the branch_id variable). Therefore, when FortiManager pushes the blueprint, it updates the configurations of port1, port2, and port5 - and their IP addresses may change accordingly.

When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.

In FortiOS 7.6, when SD-WAN is enabled, physical and logical WAN interfaces are added as SD-WAN members and are abstracted behind the SD-WAN interface (virtual-wan-link or SD-WAN zone). Traffic forwarding decisions are then made by SD-WAN rules instead of individual interfaces.

As documented in the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture guides, firewall policies must reference the SD-WAN interface or SD-WAN zone, not the individual WAN interfaces that are members of SD-WAN. Therefore, during the configuration update process, existing firewall policies that reference physical WAN interfaces must be updated to reference the SD-WAN interface.

Option A is incorrect because routing configuration does not require replacing interface references when SD-WAN is enabled. Static and dynamic routes typically point to the SD-WAN interface automatically, and SD-WAN rules handle path selection.

Option B is incorrect because SD-WAN is a built-in FortiOS feature. It does not require a separate license and does not require a reboot when enabled.

Option D is incorrect because interfaces must remain enabled to function as SD-WAN members. Disabling an interface would prevent SD-WAN from using it for traffic forwarding.

Therefore, the required action during the SD-WAN configuration update process is to replace references to interfaces used as SD-WAN members in the firewall policies, which corresponds to option C.

The diagnose output shows multiple ADVPN tunnels (HUB1-VPN1, HUB1-VPN2, HUB1-VPN3) with detailed latency, jitter, and packet loss values being reported for each. In ADVPN, the spoke performs embedded health checks and provides the hub with the performance metrics for each tunnel. Therefore, the device in the exhibit is a spoke, and it is sending health-check measurements for each tunnel to the hub.