Fortinet FCSS_SDW_AR-7.6 Exam (page: 2)
Fortinet FCSS - SD-WAN 7.6 Architect
Updated on: 12-Feb-2026

Viewing Page 2 of 13

Refer to the exhibit.



An administrator configures SD-WAN rules for a DIA setup using the FortiGate GUI. The page to configure the source and destination part of the rule looks as shown in the exhibit. The GUI page shows no option to configure an application as the destination of the SD-WAN rule. Why?

  A. You cannot use applications as the destination when FortiGate is used for a DIA setup.
  B. FortiGate allows the configuration of applications as the destination of SD-WAN rules only on the CLI.
  C. You must enable the feature on the CLI.
  D. You must enable the feature first using the GUI menu System > Feature Visibility.

Answer(s): D



You are planning a new SD-WAN deployment with the following criteria:

- Two regions

- Most of the traffic is expected to remain within its region

- No requirement for inter-region ADVPN

To remain within the recommended best practices, which routing protocol should you select for the overlays?

  A. OSPF for the routing within each region and EBGP between the regions.
  B. IBGP with BGP on loopback within each region and EBGP between the regions.
  C. IBGP with BGP per overlays within each region and IBGP with BGP on loopback between the regions.
  D. IBGP within each region and between the regions.

Answer(s): B

Explanation:

For SD-WAN deployments that span multiple regions--where most traffic is intra-region and there is no requirement for inter-region ADVPN--the best practice is to use IBGP with BGP on loopback interfaces for routing within each region and EBGP between the regions. This approach ensures robust and scalable routing, isolates regional routing domains, and enables policy control at region boundaries. BGP on loopback is preferred for its reliability and flexibility, as it enables peering that is not tied to specific physical interfaces. EBGP between regions allows each region to maintain independent routing policies and summarization, optimizing performance and manageability. By separating IBGP (intra-region) and EBGP (inter-region), you create a modular architecture that scales easily and simplifies fault isolation and troubleshooting.


Reference:

Fortinet SD-WAN Reference Architecture Guide 7.4, "Regional Routing Best Practices"

FortiOS 7.4 SD-WAN Overlay Design Guidelines



Exhibit.



The administrator configured the IPsec tunnel VPN1 on a FortiGate device with the parameters shown in the exhibit.

Based on the configuration, which three conclusions can you draw about the characteristics and requirements of the VPN tunnel? (Choose three.)

  A. The tunnel interface IP address on the spoke side is provided by the hub.
  B. The remote end can be a third-party IPsec device.
  C. The administrator must manually assign the tunnel interface IP address on the hub side.
  D. The remote end must support IKEv2.
  E. This configuration allows user-defined overlay IP addresses.

Answer(s): B,C,E

Explanation:

This configuration demonstrates a typical IPsec setup for SD-WAN overlays where the hub side requires a manually defined tunnel IP address, and the spoke can be flexibly configured, including interoperability with third-party IPsec devices. As described in the Fortinet SD-WAN Architect Guide:
"For some overlays, the tunnel interface IP is configured statically on the hub side, which allows more control over overlay subnetting and facilitates the use of user-defined overlay IP addresses. This approach is also a requirement for compatibility with non-FortiGate endpoints, such as third-party IPsec devices that may not support dynamic address assignment via IKE or proprietary mechanisms." This enables hybrid SD-WAN environments and advanced designs involving external partners or cloud services. Overlay IP flexibility is critical for route control and segmentation.


Reference:

FortiOS 7.4 SD-WAN Reference Architecture, "Overlay IP Address Management"

SD-WAN 7.4 Concept Guide, Section: "Interoperability with Third-Party Devices"



You have a FortiGate configuration with three user-defined SD-WAN zones and two members in each of these zones. One SD-WAN member is no longer in use in health-check and SD-WAN rules. You want to delete it.

What happens if you delete the SD-WAN member from the FortiGate GUI?

  A. FortiGate accepts the deletion and removes routes as required.
  B. FortiGate displays an error message. You must use the CLI to delete an SD-WAN member.
  C. FortiGate displays an error message. SD-WAN zones must contain at least two members.
  D. FortiGate accepts the deletion and places the member in the default SD-WAN zone.

Answer(s): A



Refer to the exhibits.



The exhibits show the source NAT (SNAT) global setting, port2 interface settings, and the routing table on FortiGate.

The administrator increases the member priority on port2 to 20.

Upon configuration changes and the receipt of new packets, which two actions does FortiGate perform on existing sessions established over port2? (Choose two.)

  A. FortiGate continues routing all existing sessions over port2.
  B. FortiGate routes only new sessions over port2.
  C. FortiGate flags the SNAT session as dirty only if the administrator has assigned an IP pool to the firewall policies with NAT.
  D. FortiGate flags the sessions as dirty.
  E. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Answer(s): D,E

Explanation:

When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies "dirty" flags where applicable. The SD-WAN session management mechanism is described in detail: "Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing." This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.


Reference:

FortiOS 7.4 SD-WAN Concept Guide, "Session Management During Path Change"

FortiGate CLI diagnose sys session list



Refer to the exhibits.



The exhibits show the configuration for SD-WAN performance, SD-WAN rule, the application IDs of Facebook and YouTube along with the firewall policy configuration and the underlay zone status.

Which two statements are true about the health and performance of SD-WAN members 3 and 4? (Choose two.)

  A. Only related TCP traffic is used for performance measurement.
  B. The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
  C. Encrypted traffic is not used for the performance measurement.
  D. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Answer(s): B,D



When you use the command diagnose sys session list, how do you identify the sessions that correspond to traffic steered according to SD-WAN rules?

  A. You identify sessions steered according to SD-WAN rules with the flag vwl.
  B. You cannot identify SD-WAN sessions. You must use the sdwan session filter.
  C. You identify sessions steered according to SD-WAN rules with the data vwl_mbr_seq.
  D. You identify sessions steered according to SD-WAN rules with the data sdwan_service_id.

Answer(s): D

Explanation:

When using the diagnose sys session list command, SD-WAN-specific session steering is indicated by the presence of the sdwan_service_id field in the session data. This identifier ties the session directly to a specific SD-WAN rule or service. As noted in the Fortinet documentation: "Sessions that are handled according to SD-WAN rules will include a service ID tag (sdwan_service_id) in their session listing. This allows administrators to correlate live sessions with SD-WAN policy matches for troubleshooting and visibility." This is a crucial diagnostic tool, as it distinguishes between traffic managed by traditional routing and that explicitly controlled by SD-WAN steering logic, aiding in operational insight and troubleshooting.


Reference:

FortiOS 7.4 CLI Reference, "diagnose sys session list: SD-WAN Service ID Tagging"

SD-WAN 7.4 Concept Guide, Section: "Session Identification for SD-WAN Traffic"



SD-WAN interacts with many other FortiGate features. Some of them are required to allow SD-WAN to steer the traffic.

Which three configuration elements must you configure before FortiGate can steer traffic according to SD-WAN rules? (Choose three.)

  A. Firewall policies
  B. Interfaces
  C. Security profiles
  D. Traffic shaping
  E. Routing

Answer(s): A,B,E

Explanation:

Before FortiGate can steer traffic according to SD-WAN rules, certain configuration elements must be present. The guide states:
"SD-WAN is not a standalone feature and interacts with several fundamental FortiGate configurations. Specifically, you must: (1) Define the interfaces (physical, VLAN, or IPsec) that will act as SD-WAN members, (2) Create firewall policies to allow traffic to be steered by SD-WAN, and (3) Set up routing so that traffic has valid routes via SD-WAN members. Without these, SD-WAN rules will not be able to match or steer any traffic."
Security profiles and traffic shaping are not mandatory for basic SD-WAN steering but can be layered on for enhanced security and QoS once foundational elements are present.


Reference:

FortiOS 7.4 SD-WAN Concept Guide, "Prerequisite Configuration Elements for SD-WAN Steering"


