FCSS_SDW_AR-7.6 Exam Study Guide Free Practice Test LAST UPDATED DATE Mar 09, 2026
The New FCSS_SDW_AR-7.6 2026 Updated Verified Study Guides & Best Courses
NEW QUESTION # 53
Refer to the exhibit.
The administrator used the SD-WAN overlay template to prepare an IPsec tunnels configuration for a hub-and-spoke SD-WAN topology. The exhibit shows the FortiManager installation preview for one FortiGate device.
Based on the exhibit, which statement best describes the configuration applied to the FortiGate device?
- A. It is a spoke device that establishes dynamic IPsec tunnels to the hub. The local subnet range is 10.10.128.0/23.
- B. It is a hub device. It can send ADVPN shortcut offers.
- C. It is a hub device. It will automatically discover the spoke devices and add them to the SD-WAN topology.
- D. It is a spoke device that establishes dynamic IPsec tunnels to the hub It can send ADVPN shortcut requests.
Answer: B
Explanation:
The FortiManager SD-WAN overlay template preview, as described in the document, indicates:
"When the device is acting as a hub, the configuration enables the sending of ADVPN shortcut offers to spokes. This means the hub can facilitate on-demand dynamic shortcut tunnel creation between spokes, improving performance for branch-to-branch communication by bypassing the hub for inter-branch traffic after initial discovery." Such a role is critical in scalable ADVPN topologies, enabling hub devices to optimize overlays dynamically.
NEW QUESTION # 54
(Refer to the exhibit.
You update the spokes configuration of an existing auto-discovery VPN (ADVPN) topology by adding the parameters shown in the exhibit.
Which is a valid objective of those settings? Choose one answer.)
- A. Prevent multiple shortcuts from being established over the same overlay.
- B. Convert the configuration from ADVPN to ADVPN 2.0.
- C. Enable the tunnels as overlay links.
- D. Prevent cross-overlay shortcuts.
Answer: D
Explanation:
The exhibit shows the following IPsec phase1-interface configuration applied on spoke tunnels:
set auto-discovery-shortcuts dependent
set network-overlay enable
set network-id <value>
In the FCSS SD-WAN 7.6 ADVPN architecture, the network-overlay and network-id parameters are used to logically group IPsec tunnels into separate overlays. When network-overlay is enabled, FortiGate treats the tunnel as part of an overlay network rather than a simple transport tunnel.
The network-id parameter is critical in multi-overlay ADVPN designs. Fortinet documentation specifies that ADVPN shortcuts are only allowed between tunnels that share the same network-id. This mechanism explicitly prevents cross-overlay shortcuts, ensuring that shortcuts are formed only within the same logical overlay and not across different overlays that may serve different purposes (for example, different hubs, regions, or transport groups).
The use of auto-discovery-shortcuts dependent further enforces correct shortcut behavior by ensuring that shortcut tunnels depend on the state of the parent overlay tunnel, but it does not by itself prevent multiple shortcuts or convert ADVPN versions.
Why the other options are incorrect:
Option A is incorrect because simply enabling network-overlay does not exist to "enable overlay links" in general; its purpose is to define overlay membership and control shortcut behavior.
Option B is incorrect because there is no concept of "ADVPN 2.0" conversion using these parameters in FortiOS 7.6.
Option D is incorrect because preventing multiple shortcuts over the same overlay is not controlled by network-id; multiple shortcuts within the same overlay are allowed when required.
Therefore, the valid objective of these settings is to prevent cross-overlay shortcuts, which corresponds to Option C.
NEW QUESTION # 55
Which three factors about SLA targets and SD-WAN rules should you consider when configuring SD-WAN rules? (Choose three.)
- A. When configuring an SD-WAN rule, you can select multiple SLA targets from different performance SLAs.
- B. Member metrics are measured only if a rule uses the SLA target.
- C. When configuring an SD-WAN rule, you can select multiple SLA targets if they are from the same performance SLA.
- D. SLA targets are used only by SD-WAN rules that are configured with a Lowest Cost (SLA) strategy.
- E. SD-WAN rules can use SLA targets to check whether the preferred members meet the SLA requirements.
Answer: A,D,E
Explanation:
The use of SLA targets is specific to certain SD-WAN strategies. The "Lowest Cost (SLA)" and
"Maximize Bandwidth (SLA)" strategies are explicitly designed to use the configured SLA targets to make routing decisions. The "Best Quality" strategy uses performance metrics but does not necessarily require or reference SLA targets in the same way, while "Manual" does not use metrics at all for path selection.
This is a core function of SD-WAN rules with SLA targets. The purpose of configuring an SLA target with specific thresholds for latency, jitter, and packet loss is to define what is considered
"acceptable" performance for an application. SD-WAN rules then use these targets to check if the members (interfaces) meet these requirements before a flow is steered over them, ensuring that a preferred path still offers a good user experience.
FortiGate allows for a single SD-WAN rule to reference multiple, different performance SLAs. This is crucial for complex deployments where a single SD-WAN rule needs to handle traffic for multiple applications that have distinct performance requirements. For example, a single rule might direct VoIP traffic based on one performance SLA with strict latency/jitter targets, while simultaneously handling general web traffic using another performance SLA with more lenient requirements.
NEW QUESTION # 56
The administrator uses the FortiManager SD-WAN overlay template to prepare an SD-WAN deployment. Using information provided through the SD-WAN overlay template wizard, FortiManager creates templates ready to install on the spoke and hub devices.
What are the three templates created by the SD-WAN overlay template for a spoke device?
(Choose three.)
- A. BGP template
- B. Rules template
- C. CLI template
- D. IPsec tunnel template
- E. Static route template
Answer: A,C,D
Explanation:
CLI template → Contains device-specific parameters (like local interface IPs).
BGP template → Configures dynamic routing for overlay tunnels.
IPsec tunnel template → Builds the IPsec VPN tunnels from the spoke to the hubs.
NEW QUESTION # 57
Refer to the exhibit, which shows the SD-WAN rule status and configuration.
Based on the exhibit, which change in the measured latency will first make HUB1-VPN3 the new preferred member?
- A. When HUB1-VPN1 has a latency of 200 ms
- B. When HUB1-VPN3 has a latency of 80 ms
- C. When HUB1-VPN3 has a latency of 90 ms
- D. When HUB1-VPN3 has a lower latency than HUB1-VPN1 and HUB1-VPN2
Answer: B
Explanation:
If VPN3 latency drops to 80 ms (below threshold), while VPN2 is already over threshold, and if VPN1 later exceeds threshold, VPN3 becomes eligible and preferred.
NEW QUESTION # 58
Refer to the exhibit. An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network.
The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over HUB1- VPN1.
However, the traffic is routed over HUB1-VPN3.
Based on the output shown in the exhibit, which two reasons, individually or together, could explain the observed behavior? (Choose two.)
- A. HUB1-VPN1 does not have a valid route to the destination
- B. The traffic matches a regular policy route configured with HUB1-VPN3 as the outgoing device
- C. HUB1-VPN3 has a lower route priority value (higher priority) than HUB1-VPN1.
- D. HUB1-VPN3 has a higher member configuration priority than HUB1-VPN1
Answer: A,B
Explanation:
NEW QUESTION # 59
An SD-WAN member is no longer used to steer SD-WAN traffic. The administrator updated the SD-WAN configuration and deleted the unused member. After the configuration update, users report that some destinations are unreachable. You confirm that the affected flow does not match an SD-WAN rule.
What could be a possible cause of the traffic interruption?
- A. FortiGate removes the layer 3 settings for interfaces that are removed from the SD-WAN configuration.
- B. FortiGate can remove some static routes associated with an interface when the member is removed from SD-WAN.
- C. FortiGate administratively brings down interfaces when they are removed from the SD-WAN configuration.
- D. FortiGate, with SD-WAN enabled, cannot route traffic through interfaces that are not SD-WAN members.
Answer: B
Explanation:
When an SD-WAN member is deleted, FortiGate can also remove static routes that were tied to that interface. If those routes are needed for destinations not covered by SD-WAN rules, traffic to those networks becomes unreachable. This explains why flows not matching SD-WAN rules are interrupted after the member was removed.
NEW QUESTION # 60
Refer to the exhibit.
An administrator configures SD-WAN rules for a DIA setup using the FortiGate GUI. The page to configure the source and destination part of the rule looks as shown in the exhibit. The GUI page shows no option to configure an application as the destination of the SD-WAN rule Why?
- A. FortiGate allows the configuration of applications as the destination of SD-WAN rules only on the CLI.
- B. You cannot use applications as the destination when FortiGate is used for a DIA setup.
- C. You must enable the feature on the CLI.
- D. You must enable the feature first using the GUI menu System > Feature Visibility.
Answer: D
NEW QUESTION # 61
As an MSSP administrator, you are asked to configure ADVPN on an existing SD-WAN topology.
FortiManager manages the customer devices in a dedicated ADOM. The previous administrator used the SD-WAN overlay topology.
Which two statements apply to this scenario? (Choose two.)
- A. When auto-discovery VPN is enabled, FortiManager updates the IPsec and BGP templates in the hub.
- B. You can activate auto-discovery VPN in the SD-WAN overlay template only if it is a single hub topology.
- C. After you enable auto-discovery VPN in the overlay template, you must select between ADVPN
2.0 and ADVPN 1.0. - D. You can activate auto-discovery VPN in the SD-WAN overlay template for any type of topology, including a primary-primary dual-hub topology.
Answer: A,D
Explanation:
When you enable ADVPN (auto-discovery VPN) in the overlay template, FortiManager automatically updates both the IPsec and BGP templates on the hub so that shortcut tunnels can be established dynamically.
ADVPN can be activated in the SD-WAN overlay template for any supported topology, including dual-hub primary-primary, not just single hub.
NEW QUESTION # 62
Exhibit.
The administrator configured the IPsec tunnel VPN1 on a FortiGate device with the parameters shown in exhibit.
Based on the configuration, which three conclusions can you draw about the characteristics and requirements of the VPN tunnel? (Choose three.)
- A. The remote end must support IKEv2.
- B. The tunnel interface IP address on the spoke side is provided by the hub.
- C. The administrator must manually assign the tunnel interface IP address on the hub side
- D. This configuration allows user-defined overlay IP addresses.
- E. The remote end can be a third-party IPsec device.
Answer: C,D,E
Explanation:
This configuration demonstrates a typical IPsec setup for SD-WAN overlays where the hub side requires a manually defined tunnel IP address, and the spoke can be flexibly configured, including interoperability with third-party IPsec devices. As described in the Fortinet SD-WAN Architect Guide: "For some overlays, the tunnel interface IP is configured statically on the hub side, which allows more control over overlay subnetting and facilitates the use of user-defined overlay IP addresses. This approach is also a requirement for compatibility with non-FortiGate endpoints, such as third-party IPsec devices that may not support dynamic address assignment via IKE or proprietary mechanisms." This enables hybrid SD-WAN environments and advanced designs involving external partners or cloud services. Overlay IP flexibility is critical for route control and segmentation.
Reference:
[FCSS_SDW_AR-7.4 1-0.docx Q11]
FortiOS 7.4 SD-WAN Reference Architecture, "Overlay IP Address Management" SD-WAN 7.4 Concept Guide, Section: "Interoperability with Third-Party Devices"
NEW QUESTION # 63
Refer to the exhibit. You configure SD-WAN on a standalone FortiGate device. You want to create an SD-WAN rule that steers Facebook and Linkedin traffic through the less costly internet link. The FortiGate GUI page appears as shown in the exhibit.
What should you do to set Facebook and LinkedIn as destinations?
- A. In the Internet service field, select Facebook and LinkedIn.
- B. Install a license to allow applications as destinations of SD-WAN rules.
- C. Enable the applications as destinations of the SD-WAN rule feature visibility.
- D. You cannot configure applications as destinations of an SD-WAN rule on a standalone FortiGate device.
Answer: A
Explanation:
In an SD-WAN rule, you can steer application traffic by using Internet Service Database (ISDB) entries. Facebook and LinkedIn are predefined ISDB objects in FortiGate, so the correct way is to select them in the Internet service field under Destination. This ensures that all traffic to these applications is matched and routed through the chosen (less costly) link.
NEW QUESTION # 64
Refer to the exhibit that shows VPN event logs on FortiGate.
Based on the output shown in the exhibit, which statement is true?
- A. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.
- B. There are no IPsec tunnel statistics log messages for ADVPN shortcuts.
- C. The VPN tunnel T_MPLS_0 is a shortcut tunnel.
- D. There is one shortcut tunnel built from master tunnel T_MPLS_0.
Answer: C
Explanation:
When reviewing VPN log messages, the field advpnsc will help you identify the shortcut VPN tunnels.
FortiGate will set advpnsc value 1 for any log messages related to shortcut tunnels; for any other tunnel, the advpnsc value is set to 0.
NEW QUESTION # 65
Refer to the exhibit. Which statement best describe the role of the ADVPN device in handling traffic?
- A. This is a hub, and two spokes, 192.2.0.1and 10.0.3.101, establish a shortcut.
- B. This is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke.
- C. This is a spoke that has received a shortcut query from a remote hub.
- D. This is a spoke that has received a direct shortcut query from a remote spoke.
Answer: B
Explanation:
NEW QUESTION # 66
The FortiGate devices are managed by ForliManager, and are configured for direct internet access (DIA). You confirm that DIA is working as expected for each branch, and check the SD- WAN zone configuration and firewall policies shown in the exhibits.
Then, you use the SD-WAN overlay template to configure the IPsec overlay tunnels. You create the associated SD-WAN rules to connect existing branches to the company hub device and apply the changes on the branches.
After those changes, users complain that they lost internet access. DIA is no longer working.
Based on the exhibit, which statement best describes the possible root cause of this issue?
- A. The SD-WAN overlay template updates the SD-WAN template and the rules.
- B. The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones.
- C. The SD-WAN overlay template redefines the interface gateway addresses if they are defined with metadata variables.
- D. The SD-WAN overlay template didn't configure a firewall policy to allow traffic through the overlay.
Answer: B
Explanation:
The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones. This statement perfectly describes the likely sequence of events. The template, when applied, re-organizes the interfaces and zones, causing the existing firewall policy that relies on the old zone configuration to fail. This is the most plausible root cause.
NEW QUESTION # 67
(You are configuring SD-WAN to load balance network traffic and you want to take into account the link quality.
Which two facts should you consider? Choose two answers.)
- A. You can select the best quality strategy and allow SD-WAN load balancing.
- B. When applicable, FortiGate load balances the traffic through all members that meet the SLA target.
- C. The best quality strategy supports only the round-robin hash mode.
- D. You can select the lowest cost service level agreement (SLA) strategy and allow SD-WAN load balancing.
Answer: B,D
Explanation:
When SD-WAN load balancing is required with link quality awareness, FortiOS relies on SLA-based strategies. These strategies evaluate link performance using performance SLAs (latency, jitter, packet loss, MOS) and then make forwarding decisions accordingly.
Option A is correct.
In FortiOS 7.6, when an SLA-based SD-WAN rule has load balancing enabled, FortiGate distributes traffic only across the members that meet the SLA targets. Any member that is out of SLA is excluded from load balancing. This behavior ensures that traffic is not forwarded over degraded links while still allowing load distribution across healthy paths.
Option C is correct.
The lowest cost (SLA) strategy is an SLA-based strategy that considers link quality while also allowing SD-WAN load balancing. When multiple members meet the SLA requirements and have equal cost, FortiGate can load balance traffic across them using the configured hash mode. This makes the lowest cost SLA strategy suitable when both link quality and load balancing are required.
Why the other options are incorrect:
Option B is incorrect because the best quality strategy is designed to select the single best-performing link based on SLA metrics. It does not support SD-WAN load balancing across multiple links.
Option D is incorrect because the best quality strategy does not support load balancing at all, so the statement about round-robin hash mode is invalid.
Therefore, the two correct facts to consider are A and C.
NEW QUESTION # 68
Exhibit.
Refer to the exhibit, which shows the SD-WAN rule status and configuration.
Based on the exhibit, which change in the measured packet loss will make HUB1-VPN3 the new preferred member?
- A. When HUB1-VPN3 has 4% packet loss
- B. When all three members have the same packet loss
- C. When HUB1-VPN1 has 4% packet loss
- D. When HUB1-VPN1 has 12% packet loss
Answer: B
NEW QUESTION # 69
Refer to the exhibit. The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate device that supports hardware offloading.
Based on the information shown in the exhibits, which two conclusions can you draw? (Choose two.)
- A. The reply direction of the asymmetric traffic flows from port2 to port3.
- B. By default, FortiGate offloads symmetric and asymmetric flows.
- C. The auxiliary session can be offloaded to hardware.
- D. The original direction of the symmetric traffic flows from port3 to port2.
Answer: A,C
Explanation:
The session output shows reflect info: dev=7->6/6->7. From the netlink list, index 6 = port2 and 7
= port3, so the reply direction of the asymmetric (auxiliary) session is port2 → port3.
The auxiliary session has npu info ... offload=8/8 (non-zero), indicating it can be offloaded to hardware.
NEW QUESTION # 70
......
Fortinet FCSS_SDW_AR-7.6 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
Get Prepared for Your FCSS_SDW_AR-7.6 Exam With Actual 96 Questions: https://pass4sure.dumps4pdf.com/FCSS_SDW_AR-7.6-valid-braindumps.html