NSE6_SDW_AD-7.6 Fortinet NSE 6 - SD-WAN 7.6 Enterprise Administrator Free Practice Exam Questions (2026 Updated)

Policy 3 points traffic To = HUB1-VPN1, which is an SD-WAN member interface. In SD-WAN you must reference the SD-WAN zone (the logical interface) in policies, not its member tunnels. Change the policy’s To interface to the zone HUB1, and the install will succeed.

Specify the gateway of the SD-WAN member port1 with an IP address or use the default value → The error log shows invalid ip – prop[gateway]: ip4class(${sdwan_port1_gw}) invalid ip addr, meaning the variable ${sdwan_port1_gw} does not have a valid mapping. Assigning a valid IP address or default value for the gateway resolves this error.

Review the per-device mapping configuration for metadata variables → The issue is tied to how the metadata variable ${sdwan_port1_gw} is mapped for branch1_fgt. If this device does not have the variable properly defined in per-device mapping, the configuration will fail. Correcting the mapping ensures that the install works.

The FortiManager SD-WAN overlay template preview, as described in the document, indicates:

" When the device is acting as a hub, the configuration enables the sending of ADVPN shortcut offers to spokes. This means the hub can facilitate on-demand dynamic shortcut tunnel creation between spokes, improving performance for branch-to-branch communication by bypassing the hub for inter-branch traffic after initial discovery. "

Such a role is critical in scalable ADVPN topologies, enabling hub devices to optimize overlays dynamically.

When SD-WAN load balancing is required with link quality awareness , FortiOS relies on SLA-based strategies . These strategies evaluate link performance using performance SLAs (latency, jitter, packet loss, MOS) and then make forwarding decisions accordingly.

Option A is correct.

In FortiOS 7.6, when an SLA-based SD-WAN rule has load balancing enabled , FortiGate distributes traffic only across the members that meet the SLA targets . Any member that is out of SLA is excluded from load balancing. This behavior ensures that traffic is not forwarded over degraded links while still allowing load distribution across healthy paths.

Option C is correct.

The lowest cost (SLA) strategy is an SLA-based strategy that considers link quality while also allowing SD-WAN load balancing . When multiple members meet the SLA requirements and have equal cost, FortiGate can load balance traffic across them using the configured hash mode. This makes the lowest cost SLA strategy suitable when both link quality and load balancing are required.

Why the other options are incorrect:

Option B is incorrect because the best quality strategy is designed to select the single best-performing link based on SLA metrics. It does not support SD-WAN load balancing across multiple links.

Option D is incorrect because the best quality strategy does not support load balancing at all, so the statement about round-robin hash mode is invalid.

Therefore, the two correct facts to consider are A and C .

" Another popular MSSP choice is to deploy the hubs on the customer premises, such as at a central office or a data center. The traffic flow in this blueprint is quite different from the two previous scenarios described. The majority of the traffic is likely to be either spoke-to-hub—branch sites accessing workloads hosted in the data center or an RIA through a centralized breakout owned by the customer—or DIA on the spokes. In this type of topology, occasional spoke-to-spoke traffic is possible, but rare, and usually non-existent. "

Enforce Device Configuration is enabled and the blueprint applies the provisioning CLI templates. The LAN-interface script sets port1 and port2 to DHCP and assigns a static IP to port5 (using the branch_id variable). Therefore, when FortiManager pushes the blueprint, it updates the configurations of port1, port2, and port5 - and their IP addresses may change accordingly.

From the exhibit, both branches have an SD-WAN zone named overlay with set advpn-select enable, and each SD-WAN member in that zone is assigned a transport-group value.

Branch-A members:

T1 → transport-group 1

T2 → transport-group 1

T3 → transport-group 2

Branch-B members:

TA → transport-group 1

TB → transport-group 2

TC → transport-group 3

In FCSS SD-WAN 7.6 ADVPN design, transport-group is used to constrain which underlays are allowed to form ADVPN shortcuts with each other . A spoke can establish an ADVPN shortcut only between interfaces that belong to the same transport-group on both sides. This prevents building shortcuts across dissimilar transports.

Evaluating the options:

Option D ( T2 on Branch-A with transport-group 1 and TA on Branch-B with transport-group 1) is a valid shortcut pairing.

Option C is not valid because T3 is transport-group 2 while TC is transport-group 3, so they are not permitted to form a shortcut.

Option A is incorrect because not all overlay-zone interfaces are eligible; eligibility is restricted by transport-group matching.

Option B is incorrect because ADVPN shortcuts are spoke-to-spoke tunnels (facilitated by the hub), not limited to “interfaces connected to hub only.”

Therefore, the valid shortcut pairing listed is between T2 on Branch-A and TA on Branch-B , which corresponds to Option D .

The described design is a multi-region SD-WAN architecture , where:

Each region has its own dual-hub ADVPN domain

Most traffic is intra-region

Inter-region traffic is limited and controlled

Spokes can be single-hub or dual-hub , depending on size and redundancy requirements

According to Fortinet’s SD-WAN Architecture for Enterprise guidance, when deploying multiple ADVPN regions , eBGP is the recommended routing protocol between regions . Each region operates as an independent routing domain (typically iBGP within the region), while eBGP is used to exchange routes between regional hubs . This approach:

Prevents excessive route reflection and scaling issues

Provides clear administrative boundaries between regions

Improves stability and scalability in large global deployments

Matches the exact traffic pattern described (high intra-region, low inter-region traffic)

This is explicitly documented in Fortinet guidance for “Using eBGP between regions with intra-region ADVPN” , which confirms that the architecture described in the question is valid and recommended when eBGP is used between regions.

Why the other options are incorrect:

Option B is incorrect because FortiOS does not impose a hard “four-hub” architectural limit in the described regional model. Each region has its own hubs, not a single flat multihub domain.

Option C is incomplete. While FortiManager Overlay Orchestrator can help operationally, it is not the key architectural requirement that makes this design valid. The question asks what makes the plan correct from a design standpoint , not a tooling standpoint.

Option D is incorrect because FortiOS fully supports mixed spoke connectivity within the same region (some spokes single-hub, others dual-hub), which is a common enterprise SD-WAN design.

Therefore, the correct and documented conclusion is that the plan is possible and eBGP should be used as the routing protocol between regions , which corresponds to Answer A .

In the exhibits, port2 is already assigned to the SD-WAN zone named Test. An interface can only belong to a single SD-WAN zone, so before you can add both port1 and port2 into the new SD-WAN zone Underlay, you must first delete the SD-WAN Zone Test to free port2.

From the SD-WAN rule configuration (service ID 3 , name " Corp " ), the rule is configured as:

set mode sla

set load-balance enable

set hash-mode source-ip-based

set priority-members 3 4 5

Two SLAs are referenced under config sla

In the diagnose firewall proute list output for service=3 (Corp) , FortiGate shows the actual members considered for this rule and their SLA pass status:

oif=19 (HUB1-VPN1) num_pass=2

oif=20 (HUB1-VPN2) num_pass=2

oif=21 (HUB1-VPN3) num_pass=1

Because the rule is SLA-based , FortiGate selects only members that meet the SLA requirements for the rule. The output indicates that HUB1-VPN1 and HUB1-VPN2 pass both SLA checks (num_pass=2) , while HUB1-VPN3 passes only one (num_pass=1) and therefore is not selected as an eligible forwarding interface for this rule.

Since load-balance is enabled and the rule uses hash-mode source-ip-based, FortiGate will consistently choose an eligible member based on the source IP hash. For traffic sourced from 10.0.1.101 , the session can be steered through either HUB1-VPN1 or HUB1-VPN2 (whichever the hash selects), but not HUB1-VPN3.

Therefore, the correct answer is B .