The Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator (NSE6_SDW_AD-7.6)

When a FortiGate device is onboarded using a Device Blueprint in FortiManager, the system automates the provisioning process by applying the linked templates and scripts as soon as the device is authorized and connects. In this scenario, the Device Blueprint includes a CLI Template named " LAN-interface " and Provisioning Templates (corp_st and LAN-interface).

According to Fortinet documentation regarding Zero-Touch Provisioning (ZTP) and Blueprint workflows, FortiManager processes the CLI script configuration as part of the initial onboarding sync. The provided CLI script explicitly contains instructions for port1, port2, and port5 . Specifically, it sets port1 and port2 to mode dhcp. Even though port1 already has a manual IP address ($15.1.0.154$) used for the initial FGFM connection, the FortiManager will push the configuration defined in the template.

When FortiManager pushes a configuration change to the interface used for the FGFM tunnel (port1), it does so by updating the configuration database. Since the template specifies set mode dhcp for port1 and port2, and a specific IP range for port5 using a metadata variable (10.0.$(branch_id).254), all three ports will be updated. Consequently, they may receive new IP addresses based on DHCP assignments or variable substitution. FortiManager is capable of updating the management interface as long as the new configuration does not permanently sever the FGFM connection.

In an SD-WAN rule, you can steer application traffic by using Internet Service Database (ISDB) entries. Facebook and LinkedIn are predefined ISDB objects in FortiGate, so the correct way is to select them in the Internet service field under Destination. This ensures that all traffic to these applications is matched and routed through the chosen (less costly) link.

The described design is a multi-region SD-WAN architecture , where:

Each region has its own dual-hub ADVPN domain

Most traffic is intra-region

Inter-region traffic is limited and controlled

Spokes can be single-hub or dual-hub , depending on size and redundancy requirements

According to Fortinet’s SD-WAN Architecture for Enterprise guidance, when deploying multiple ADVPN regions , eBGP is the recommended routing protocol between regions . Each region operates as an independent routing domain (typically iBGP within the region), while eBGP is used to exchange routes between regional hubs . This approach:

Prevents excessive route reflection and scaling issues

Provides clear administrative boundaries between regions

Improves stability and scalability in large global deployments

Matches the exact traffic pattern described (high intra-region, low inter-region traffic)

This is explicitly documented in Fortinet guidance for “Using eBGP between regions with intra-region ADVPN” , which confirms that the architecture described in the question is valid and recommended when eBGP is used between regions.

Why the other options are incorrect:

Option B is incorrect because FortiOS does not impose a hard “four-hub” architectural limit in the described regional model. Each region has its own hubs, not a single flat multihub domain.

Option C is incomplete. While FortiManager Overlay Orchestrator can help operationally, it is not the key architectural requirement that makes this design valid. The question asks what makes the plan correct from a design standpoint , not a tooling standpoint.

Option D is incorrect because FortiOS fully supports mixed spoke connectivity within the same region (some spokes single-hub, others dual-hub), which is a common enterprise SD-WAN design.

Therefore, the correct and documented conclusion is that the plan is possible and eBGP should be used as the routing protocol between regions , which corresponds to Answer A .

In FortiOS 7.6, when a Performance SLA probe mode is set to Prefer Passive , FortiGate attempts to measure link performance using passive monitoring first , based on real user traffic. Only when passive monitoring is not possible does FortiGate temporarily fall back to active probing.

With Prefer Passive , FortiGate passively monitors TCP traffic flowing through the SD-WAN member to calculate SLA metrics such as latency, jitter, and packet loss. This behavior directly matches option A .

During passive monitoring , FortiGate relies on observed traffic to infer link health. Because no synthetic probes are sent, a completely dead link (with no traffic passing) cannot be detected by the SLA during passive mode. As a result, dead members may not be immediately detected, which makes option D correct.

Option B is incorrect because there is no fixed 3-minute timer defined in FortiOS 7.6 that forces a return from active probing back to passive monitoring.

Option C is incorrect because passive SLA monitoring is based on TCP traffic , not ICMP traffic. ICMP is used for active probing , not passive monitoring.

Option E is incorrect because traffic subject to passive SLA monitoring cannot be offloaded to hardware . Passive SLA measurement requires software inspection of packets, which prevents NPU offloading.

Therefore, the two correct observable impacts of configuring the probe mode as Prefer Passive are A and D .

In FortiOS 7.6, SD-WAN rules can steer traffic based on Internet Services , which represent predefined application and service signatures maintained by FortiGuard. Common applications such as Facebook and LinkedIn are included in the Internet Service database.

According to the FCSS SD-WAN 7.6 curriculum, when configuring an SD-WAN rule from the GUI on a standalone FortiGate device, applications are selected as destinations using the Internet service field , not by enabling a separate application destination field. The exhibit highlights the Internet service option under the Destination section, which is the correct method to match traffic for specific applications.

Option A is incorrect because there is no GUI option to enable application visibility as destinations for SD-WAN rules. Application matching is already abstracted through Internet Services.

Option C is incorrect because standalone FortiGate devices fully support application-based steering using Internet Services in SD-WAN rules.

Option D is incorrect because no additional license is required to use Internet Services in SD-WAN rules. This functionality is included in FortiOS and relies on the built-in FortiGuard Internet Service database.

Therefore, to steer Facebook and LinkedIn traffic through a specific WAN link, you must select Facebook and LinkedIn in the Internet service field , which corresponds to option B.

To allow spokes in different hub-and-spoke groups to establish ADVPN shortcuts, the hubs must be configured to forward and send ADVPN shortcut offers. The key required settings on the hub are auto-discovery-forwarder (for VPNs to hubs) and auto-discovery-sender (for VPNs to spokes). This ensures the hub can facilitate and advertise ADVPN shortcut offers between spokes.

For FortiGate to steer traffic using SD-WAN rules , two foundational elements must be in place: available WAN paths (underlay links) and firewall policies that allow traffic to reach the SD-WAN interface .

Underlay links (Option B) are mandatory because SD-WAN operates by selecting among multiple WAN transports (for example, broadband, MPLS, LTE, or IPsec tunnels). These links are configured as SD-WAN members and form the physical or logical paths over which traffic can be steered. Without underlay links, SD-WAN has no paths to evaluate or select.

Firewall policies (Option E) are also mandatory because FortiGate only processes and forwards traffic that is explicitly permitted by a firewall policy. When SD-WAN is enabled, firewall policies must reference the SD-WAN interface or SD-WAN zone as the outgoing interface. If no such policy exists, traffic will not be forwarded and SD-WAN rules will never be evaluated.

Why the other options are incorrect:

Security profiles (Option A) are optional and relate to inspection, not SD-WAN steering.

Overlay links (Option C) are used in specific designs such as ADVPN or hub-and-spoke overlays, but SD-WAN can steer traffic without overlays (for example, DIA-only designs).

Traffic shaping (Option D) is not required for SD-WAN decision-making; it is an optional optimization feature.

Therefore, the two required features that must be configured before FortiGate can steer traffic according to SD-WAN rules are underlay links and firewall policies , which correspond to B and E .

When you enable ADVPN (auto-discovery VPN) in the overlay template, FortiManager automatically updates both the IPsec and BGP templates on the hub so that shortcut tunnels can be established dynamically.

ADVPN can be activated in the SD-WAN overlay template for any supported topology, including dual-hub primary–primary, not just single hub.

The SD-WAN rule (config service edit 1) is configured with set mode priority. This means the rule selects the best interface based on a defined performance metric, as opposed to a simple static priority or SLA. The event log (image_41cfb5.png) shows Metric latency and Message Service prioritized by performance metric will be redirected in sequence order. This indicates that the rule is using latency to determine the preferred member. Given that the log message is about a change, and the most logical reason for a change in a priority mode is that a different member is now the best performer, it implies that the latency on port2 has become lower than that on port1.

The log message Service prioritized by performance metric will be redirected in sequence order confirms that FortiGate is changing the member being used for this service. Because the mode is priority, FortiGate dynamically selects the member that currently meets the best performance criteria, which in this case is latency. The log implies a new member has been selected as the most optimal, and with the default configuration, the members are sorted based on their performance, so the outgoing interface list is effectively updated to prefer the new best-performing member (port2).