Unlock
Page: 1
/
19
Total 95 questions
Master Fortinet NSE6_SDW_AD-7.6: NSE 6 - SD-WAN 7.6 Enterprise Administrator Exam Prep
Question 1
Refer to the exhibits.
The first exhibit shows the SD-WAN zone HUB1 and SD-WAN member configuration from an SD-WAN template, and the second exhibit shows the output of command diagnose sys sdwan member collected on a FortiGate device.
Which statement best describes what the diagnose output shows?
Correct : D
The diagnose output lists SD-WAN members 4(HUB1-VPN1), 5(HUB1-VPN2), 7(HUB2-VPN1), 8(HUB2-VPN2), and 9(HUB2-VPN3). It does not include member 6 (HUB1-VPN3). From the template, HUB1-VPN3 is installed only on branch2_fgt and branch3_fgt - not on branch1_fgt. Therefore, the output must be from branch1_fgt.
Start a Discussions
Submit Your Answer:
Question 2
Refer to the exhibits.
You collected the output shown in the exhibits and want to know which interface HTTP traffic will flow through from the user device 10.0.1.101 to the corporate web server 10.0.0.126. All SD-WAN links are stable.
Which interface will FortiGate use to steer the traffic? Choose one answer.)
Correct : D
From the SD-WAN service configuration, rule edit 3 (name 'Corp') is configured with:
set mode sla
set load-balance enable
set dst 'Corp-net'
set src 'LAN-net'
SLA checks referenced under config sla
Traffic from 10.0.1.101 to 10.0.0.126 matches this rule because the destination is within the corporate network range (shown in the policy-route/proute output as destination 10.0.0.0--10.255.255.255 for the Corp service).
In the diagnose firewall proute list output for vwl_service=3 (Corp), FortiGate shows which SD-WAN members are eligible based on SLA pass results:
oif=21 (HUB1-VPN3) num_pass=2
oif=20 (HUB1-VPN2) num_pass=0
oif=19 (HUB1-VPN1) num_pass=0
This indicates that, for the SLA-based rule, only HUB1-VPN3 is meeting the SLA requirements (it is the only member with num_pass=2). The other members have num_pass=0, so they are not eligible for forwarding under this SLA rule even though links are up.
The sniffer trace further corroborates the forwarding decision by showing the traffic egressing through HUB1-VPN3.
Therefore, FortiGate will steer the HTTP traffic through only HUB1-VPN3, which corresponds to Option A.
Start a Discussions
Submit Your Answer:
Question 3
Refer to the exhibit.
You update the spokes configuration of an existing auto-discovery VPN (ADVPN) topology by adding the parameters shown in the exhibit.
Which is a valid objective of those settings? Choose one answer.)
Correct : C
The exhibit shows the following IPsec phase1-interface configuration applied on spoke tunnels:
set auto-discovery-shortcuts dependent
set network-overlay enable
set network-id <value>
In the FCSS SD-WAN 7.6 ADVPN architecture, the network-overlay and network-id parameters are used to logically group IPsec tunnels into separate overlays. When network-overlay is enabled, FortiGate treats the tunnel as part of an overlay network rather than a simple transport tunnel.
The network-id parameter is critical in multi-overlay ADVPN designs. Fortinet documentation specifies that ADVPN shortcuts are only allowed between tunnels that share the same network-id. This mechanism explicitly prevents cross-overlay shortcuts, ensuring that shortcuts are formed only within the same logical overlay and not across different overlays that may serve different purposes (for example, different hubs, regions, or transport groups).
The use of auto-discovery-shortcuts dependent further enforces correct shortcut behavior by ensuring that shortcut tunnels depend on the state of the parent overlay tunnel, but it does not by itself prevent multiple shortcuts or convert ADVPN versions.
Why the other options are incorrect:
Option A is incorrect because simply enabling network-overlay does not exist to ''enable overlay links'' in general; its purpose is to define overlay membership and control shortcut behavior.
Option B is incorrect because there is no concept of ''ADVPN 2.0'' conversion using these parameters in FortiOS 7.6.
Option D is incorrect because preventing multiple shortcuts over the same overlay is not controlled by network-id; multiple shortcuts within the same overlay are allowed when required.
Therefore, the valid objective of these settings is to prevent cross-overlay shortcuts, which corresponds to Option C.
Start a Discussions
Submit Your Answer:
Question 4
Your FortiGate is in production. To optimize WAN link use and improve redundancy, you enable and configure SD-WAN.
What must you do as part of this configuration update process?
Correct : C
In FortiOS 7.6, when SD-WAN is enabled, physical and logical WAN interfaces are added as SD-WAN members and are abstracted behind the SD-WAN interface (virtual-wan-link or SD-WAN zone). Traffic forwarding decisions are then made by SD-WAN rules instead of individual interfaces.
As documented in the FCSS SD-WAN 7.6 curriculum and Fortinet SD-WAN architecture guides, firewall policies must reference the SD-WAN interface or SD-WAN zone, not the individual WAN interfaces that are members of SD-WAN. Therefore, during the configuration update process, existing firewall policies that reference physical WAN interfaces must be updated to reference the SD-WAN interface.
Option A is incorrect because routing configuration does not require replacing interface references when SD-WAN is enabled. Static and dynamic routes typically point to the SD-WAN interface automatically, and SD-WAN rules handle path selection.
Option B is incorrect because SD-WAN is a built-in FortiOS feature. It does not require a separate license and does not require a reboot when enabled.
Option D is incorrect because interfaces must remain enabled to function as SD-WAN members. Disabling an interface would prevent SD-WAN from using it for traffic forwarding.
Therefore, the required action during the SD-WAN configuration update process is to replace references to interfaces used as SD-WAN members in the firewall policies, which corresponds to option C.
Start a Discussions
Submit Your Answer:
Question 5
Exhibit.
The administrator configured the IPsec tunnel VPN1 on a FortiGate device with the parameters shown in exhibit.
Based on the configuration, which three conclusions can you draw about the characteristics and requirements of the VPN tunnel? (Choose three.)
Correct : B, C, E
This configuration demonstrates a typical IPsec setup for SD-WAN overlays where the hub side requires a manually defined tunnel IP address, and the spoke can be flexibly configured, including interoperability with third-party IPsec devices. As described in the Fortinet SD-WAN Architect Guide: ''For some overlays, the tunnel interface IP is configured statically on the hub side, which allows more control over overlay subnetting and facilitates the use of user-defined overlay IP addresses. This approach is also a requirement for compatibility with non-FortiGate endpoints, such as third-party IPsec devices that may not support dynamic address assignment via IKE or proprietary mechanisms.'' This enables hybrid SD-WAN environments and advanced designs involving external partners or cloud services. Overlay IP flexibility is critical for route control and segmentation. Reference:
[FCSS_SDW_AR-7.4 1-0.docx Q11]
FortiOS 7.4 SD-WAN Reference Architecture, ''Overlay IP Address Management''
SD-WAN 7.4 Concept Guide, Section: 'Interoperability with Third-Party Devices'
Start a Discussions
Submit Your Answer:
Want to Unlock Everything for
Fortinet NSE6_SDW_AD-7.6 Exam?
Fortinet NSE6_SDW_AD-7.6 Exam?
By upgrading to Premium Access, you’ll instantly unlock:
Unlock 95 Premium Questions
- Exam Name: Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator
- Exam Code: NSE6_SDW_AD-7.6
- Last Update: 16-Mar-2026
- Formats: PDF, Web-based,
Desktop Practice - 24/7 Customer Support
Price: $59 (PDF Format)