Visit here for our full Fortinet FCSS_SDW_AR-7.4 exam dumps and practice test questions.
Question 101
What is the primary benefit of implementing SD-WAN in an enterprise network?
A) Eliminate the need for MPLS circuits completely
B) Optimize application performance and reduce WAN costs
C) Replace all security appliances with a single device
D) Increase bandwidth on existing circuits automatically
Answer: B
Explanation:
SD-WAN has emerged as a transformative technology for enterprise networking, fundamentally changing how organizations connect branch offices, data centers, and cloud resources. The primary benefit of SD-WAN is optimizing application performance while reducing WAN costs through intelligent traffic steering and efficient utilization of multiple transport types. SD-WAN enables organizations to use lower-cost internet connections alongside or instead of expensive MPLS circuits, implementing application-aware routing to direct traffic over the best available path based on real-time conditions. SD-WAN solutions provide centralized policy management, automatic failover, dynamic path selection based on application requirements, and integration with cloud services. This results in improved application experience for users, reduced operational complexity, lower transport costs, and faster deployment of new sites compared to traditional WAN architectures. Option A is incorrect because SD-WAN doesn’t necessarily eliminate MPLS circuits entirely. Many enterprises adopt a hybrid approach, maintaining MPLS for critical applications while using internet connections for less sensitive traffic. SD-WAN provides flexibility in transport selection rather than mandating specific technologies. Option C is incorrect because SD-WAN focuses on WAN optimization and traffic management, not replacing security appliances. While some SD-WAN solutions include integrated security features like Fortinet’s Secure SD-WAN, comprehensive security still requires multiple layers including firewalls, intrusion prevention, and threat intelligence. Option D is incorrect because SD-WAN doesn’t increase the physical bandwidth of existing circuits. It optimizes the utilization of available bandwidth through intelligent traffic management, but the underlying circuit capacity remains unchanged.
Question 102
Which protocol does FortiGate SD-WAN use for performance measurements between SD-WAN members?
A) ICMP echo requests
B) Performance SLA probes
C) SNMP polling
D) NetFlow analysis
Answer: B
Explanation:
Fortinet SD-WAN relies on continuous performance monitoring to make intelligent routing decisions and ensure applications receive optimal network performance. Performance SLA (Service Level Agreement) probes are the mechanism FortiGate uses to actively measure network characteristics between SD-WAN members or to specific destinations. These probes continuously monitor critical parameters including latency, jitter, packet loss, and link availability. Performance SLA probes can use various protocols including ping, HTTP, TCP echo, UDP echo, and DNS queries, providing flexibility based on network requirements and firewall policies. The collected metrics are compared against configured SLA thresholds, and when a link fails to meet the defined performance criteria, SD-WAN automatically steers traffic to alternative paths that satisfy the requirements. This proactive monitoring ensures real-time visibility into network performance and enables dynamic path selection based on actual conditions rather than static routing decisions. Performance SLA configuration includes parameters such as probe frequency, timeout values, number of probes per interval, and acceptable thresholds for each metric. Option A is incorrect because while ICMP echo requests can be one method used within Performance SLA probes, they’re not the comprehensive mechanism FortiGate uses. Performance SLA encompasses multiple probe types beyond simple ICMP. Option C is incorrect because SNMP polling is used for device monitoring and management information collection, not for measuring WAN path performance or making routing decisions in SD-WAN. Option D is incorrect because NetFlow analysis provides traffic flow information and statistics but doesn’t actively measure path performance characteristics like latency and jitter in real-time for SD-WAN routing decisions.
Question 103
What is the maximum number of SD-WAN members supported on a FortiGate device?
A) 16
B) 32
C) 128
D) 256
Answer: D
Explanation:
FortiGate SD-WAN architecture supports scalability to accommodate complex enterprise deployments with multiple WAN connections and diverse transport options. The maximum number of SD-WAN members supported on a FortiGate device is 256, allowing organizations to build highly redundant and flexible WAN architectures. SD-WAN members represent individual WAN interfaces or overlay tunnels that participate in the SD-WAN fabric, including physical interfaces connected to different ISPs, MPLS circuits, LTE connections, and IPsec or GRE tunnels to other sites or cloud resources. This high member count enables large enterprises to implement sophisticated designs with multiple redundant paths, granular traffic steering policies, and comprehensive failover scenarios. Each SD-WAN member can be assigned to one or more SD-WAN zones, which are logical groupings used in firewall policies and routing decisions. The ability to support 256 members provides flexibility for organizations with numerous branch locations, multiple data centers, and extensive cloud connectivity requirements, ensuring that the SD-WAN solution can scale with business growth. Option A is incorrect because 16 members would be insufficient for enterprise deployments requiring high redundancy and multiple transport options across many locations. This limitation would severely restrict SD-WAN design flexibility. Option B is incorrect because 32 members, while more than 16, still doesn’t represent the actual capability of FortiGate SD-WAN. Modern enterprise requirements often exceed this number. Option C is incorrect because 128 members, though substantial, is not the maximum supported. FortiGate supports up to 256 SD-WAN members, providing even greater scalability for large-scale deployments.
Question 104
Which SD-WAN strategy provides the lowest latency path selection for real-time applications?
A) Volume-based
B) Session-based
C) Spillover
D) Lowest-cost
Answer: B
Explanation:
FortiGate SD-WAN offers multiple strategies for path selection, each optimized for different business requirements and application characteristics. Understanding these strategies is crucial for SD-WAN architects to ensure optimal application performance. The session-based strategy, also known as best quality or lowest latency strategy, evaluates all available SD-WAN members in real-time and selects the path with the best performance characteristics for each new session. For real-time applications like VoIP, video conferencing, and interactive applications requiring minimal latency and jitter, session-based strategy provides optimal results by continuously monitoring Performance SLA metrics and directing each new session to the member currently offering the best performance. This dynamic selection ensures that latency-sensitive traffic always uses the path meeting the highest quality standards. The strategy performs per-session evaluation rather than load balancing across all available paths, prioritizing quality over load distribution. When multiple members meet SLA requirements, the strategy can use additional criteria like preference or priority for selection. Option A is incorrect because volume-based strategy distributes traffic based on the amount of data transmitted, aiming to balance utilization across members rather than selecting the lowest latency path. This strategy is better suited for bulk data transfers. Option C is incorrect because spillover strategy uses a primary member until it reaches capacity or fails SLA requirements, then overflows to secondary members. This doesn’t prioritize lowest latency but rather ordered preference. Option D is incorrect because lowest-cost strategy selects paths based on cost considerations rather than performance metrics, making it unsuitable for latency-sensitive real-time applications.
Question 105
What is the purpose of SD-WAN zones in FortiGate configuration?
A) Encrypt traffic between sites automatically
B) Group SD-WAN members for policy and routing purposes
C) Configure bandwidth allocation per application
D) Monitor network performance metrics only
Answer: B
Explanation:
SD-WAN zones are a fundamental concept in FortiGate SD-WAN architecture that simplifies policy management and routing configuration in complex deployments. SD-WAN zones are logical groupings of SD-WAN members that allow administrators to reference multiple WAN connections collectively in firewall policies and routing decisions rather than configuring policies for each individual member. This abstraction layer significantly reduces configuration complexity, especially in environments with numerous WAN connections. When creating firewall policies, administrators can specify an SD-WAN zone as the source or destination interface, and the SD-WAN logic automatically selects the appropriate member based on the configured strategy and Performance SLA status. Zones enable consistent policy application across multiple paths while maintaining the flexibility of dynamic path selection. For example, an organization might create zones like “underlay” for physical internet connections, “overlay” for IPsec tunnels, or “priority” for high-performance links. This logical organization makes configurations more maintainable, reduces errors, and aligns with business intent rather than physical topology. Changes to zone membership automatically apply to all policies referencing that zone without requiring individual policy modifications. Option A is incorrect because SD-WAN zones don’t automatically encrypt traffic. Encryption is handled by overlay technologies like IPsec VPN, which can be members of SD-WAN zones but aren’t automatically configured by zone creation. Option C is incorrect because bandwidth allocation per application is configured through traffic shaping policies and SD-WAN rules, not directly by zones. Zones group members but don’t define bandwidth parameters. Option D is incorrect because while zones participate in path selection based on performance metrics, their primary purpose is grouping members for policy application, not monitoring alone.
Question 106
Which SD-WAN feature allows traffic steering based on application identification?
A) Static routing
B) SD-WAN rules
C) Policy routes only
D) Link aggregation
Answer: B
Explanation:
Application-aware routing is a cornerstone capability of SD-WAN that differentiates it from traditional WAN architectures. FortiGate SD-WAN rules provide granular control over traffic steering based on application identification, enabling organizations to align network behavior with business priorities and application requirements. SD-WAN rules evaluate traffic characteristics including source and destination, services, applications identified through deep packet inspection, users, and internet service databases. Based on these criteria, rules can direct traffic to specific SD-WAN members or zones using various strategies like lowest latency, highest bandwidth, or cost optimization. FortiGate’s application identification capabilities, powered by FortiGuard, recognize thousands of applications and can classify traffic accordingly. For example, rules can ensure that Office 365 traffic uses the lowest-latency path, backup traffic uses the highest-bandwidth connection, and guest internet access uses the lowest-cost link. SD-WAN rules are processed in order, with the first matching rule determining traffic handling. Rules can also specify multiple members with load balancing strategies, providing both optimization and redundancy. The combination of application awareness and flexible routing strategies enables true intent-based networking where business requirements drive network behavior. Option A is incorrect because static routing provides fixed paths regardless of application type or network conditions, lacking the intelligence and flexibility of SD-WAN. Option C is incorrect because while policy routes can redirect traffic, they lack the application awareness, performance monitoring, and dynamic path selection capabilities integrated into SD-WAN rules. Option D is incorrect because link aggregation combines multiple physical links into a single logical link for bandwidth and redundancy but doesn’t provide application-based steering.
Question 107
What happens when all SD-WAN members fail their Performance SLA requirements?
A) Traffic is blocked completely until SLA is restored
B) Traffic continues using the last active member
C) Traffic uses members despite SLA failure
D) Traffic is redirected to a backup firewall
Answer: C
Explanation:
Understanding SD-WAN behavior during degraded network conditions is critical for maintaining business continuity and avoiding unexpected outages. When all SD-WAN members fail to meet their configured Performance SLA requirements, FortiGate implements a fail-open behavior where traffic continues to flow using available members despite the SLA violations. This design philosophy prioritizes connectivity over perfect performance, recognizing that degraded connectivity is typically preferable to no connectivity. In this scenario, FortiGate continues to evaluate all members and selects the best available option based on the configured strategy, even though none meet the defined SLA thresholds. The system logs SLA violations for monitoring and alerting purposes, enabling administrators to investigate and resolve underlying issues. This behavior prevents complete service interruption during widespread network degradation events like ISP routing problems or DDoS attacks affecting multiple paths. Organizations can implement additional controls through firewall policies or SD-WAN configurations to override this default behavior if specific applications should be blocked rather than use suboptimal paths. For critical applications requiring strict SLA compliance, administrators might configure backup LTE connections with more lenient SLA requirements or implement application-specific policies that block traffic when quality falls below acceptable thresholds. Option A is incorrect because blocking all traffic when SLA fails would cause complete service outages, which is generally less desirable than degraded connectivity. FortiGate prioritizes availability. Option B is incorrect because the system doesn’t simply continue with the last active member but rather continues evaluating all members and selecting based on current conditions. Option D is incorrect because SD-WAN SLA failures don’t automatically trigger failover to backup firewalls. High availability configurations are separate from SD-WAN path selection.
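The following simulation is an added example, not code from the exam material or from Fortinet: it ties together the Performance SLA probing of Question 102, the best-quality selection of Question 104 and the fail-open behavior of Question 107. Member names, probe values and the SLA thresholds (latency 100 ms, jitter 20 ms, loss 5 %) are constructed for the example; the jitter and loss formulas are a plain approximation, not FortiOS's exact arithmetic.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sla:
    """Constructed SLA target: thresholds a member must satisfy."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class LinkMetrics:
    latency_ms: float  # mean RTT of answered probes
    jitter_ms: float   # mean absolute change between consecutive RTTs
    loss_pct: float    # lost probes as a percentage of probes sent
    up: bool           # False when no probe in the window was answered


def measure(rtts):
    """Turn one probe window into metrics. rtts: RTTs in ms, None = lost probe."""
    if not rtts:
        raise ValueError("empty probe window")
    answered = [r for r in rtts if r is not None]
    loss_pct = 100.0 * (len(rtts) - len(answered)) / len(rtts)
    if not answered:
        return LinkMetrics(float("inf"), float("inf"), loss_pct, up=False)
    diffs = [abs(a - b) for a, b in zip(answered, answered[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return LinkMetrics(mean(answered), jitter, loss_pct, up=True)


def meets_sla(m, sla):
    return (m.up and m.latency_ms <= sla.max_latency_ms
            and m.jitter_ms <= sla.max_jitter_ms
            and m.loss_pct <= sla.max_loss_pct)


def select_member(metrics, sla, criterion="latency_ms"):
    """Best-quality style selection with fail-open behaviour.

    Members that pass the SLA are preferred; if none pass, traffic still
    goes to the best member that is up instead of being dropped.
    Returns (member name or None, short state string)."""
    up = {n: m for n, m in metrics.items() if m.up}
    if not up:
        return None, "all members down"
    passing = {n: m for n, m in up.items() if meets_sla(m, sla)}
    if passing:
        pool, state = passing, "in SLA"
    else:
        pool, state = up, "fail-open: all members out of SLA"
    best = min(pool, key=lambda n: getattr(pool[n], criterion))
    return best, state


# Constructed probe windows in ms (None = no reply) for three members.
PROBES = {
    "wan1": [30, 32, 31, 29, 30, 33, 31, 30, 32, 31],       # clean link
    "wan2": [20, 60, 25, 70, 22, 65, 21, 68, 24, 66],       # low RTT, high jitter
    "lte":  [90, 95, None, 92, 94, None, 91, 93, 96, 92],   # 20 % probe loss
}
SLA = Sla(max_latency_ms=100, max_jitter_ms=20, max_loss_pct=5)


def evaluate(probes=PROBES, sla=SLA):
    """Measure every member and pick the path; returns (metrics, member, state)."""
    metrics = {name: measure(window) for name, window in probes.items()}
    member, state = select_member(metrics, sla)
    return metrics, member, state


if __name__ == "__main__":
    metrics, member, state = evaluate()
    for name, m in metrics.items():
        verdict = "pass" if meets_sla(m, SLA) else "FAIL"
        print(f"{name}: {m.latency_ms:.1f} ms, jitter {m.jitter_ms:.1f} ms, "
              f"loss {m.loss_pct:.0f}% -> {verdict}")
    print("selected:", member, f"({state})")
```

Replacing the wan1 window with values above the latency threshold shows the fail-open case: no member passes, yet a member is still selected.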
Question 108
Which feature provides automatic tunnel establishment between FortiGate devices in SD-WAN deployments?
A) Static IPsec tunnels
B) ADVPN
C) GRE tunnels
D) VXLAN overlay
Answer: B
Explanation:
Scalable VPN architectures are essential for SD-WAN deployments connecting numerous branch locations, and traditional hub-and-spoke topologies can create bottlenecks when branch-to-branch communication is required. ADVPN (Auto Discovery VPN) is Fortinet’s dynamic tunnel establishment protocol that automatically creates IPsec tunnels between FortiGate devices as needed, enabling efficient branch-to-branch communication without requiring traffic to transit through hub sites. ADVPN operates by maintaining hub-and-spoke tunnels as the permanent infrastructure, then dynamically establishing spoke-to-spoke shortcuts when traffic patterns indicate they would be beneficial. When a branch needs to communicate with another branch, ADVPN automatically negotiates and establishes a direct IPsec tunnel between them, reducing latency and eliminating unnecessary hub processing. These dynamic tunnels remain active as long as traffic flows and are automatically torn down after an idle timeout, optimizing resource utilization. ADVPN significantly simplifies configuration because administrators only need to configure hub-and-spoke relationships; spoke-to-spoke tunnels are created automatically without manual intervention. This capability is particularly valuable in SD-WAN deployments where traffic patterns may change frequently and where optimal routing requires direct paths between branches. ADVPN integrates seamlessly with SD-WAN features, allowing performance SLA monitoring and intelligent path selection across both static and dynamic tunnels. Option A is incorrect because static IPsec tunnels require manual configuration for each site-to-site relationship, creating exponential configuration complexity in large deployments and lacking dynamic establishment. Option C is incorrect because while GRE tunnels provide overlay connectivity, they don’t automatically establish based on traffic patterns and lack the dynamic discovery capabilities of ADVPN. Option D is incorrect because VXLAN is a network virtualization overlay protocol typically used in data center environments, not for dynamic WAN tunnel establishment.
Question 109
What is the default SD-WAN load balancing algorithm when multiple members meet SLA requirements?
A) Source IP hash
B) Round robin
C) Weighted round robin
D) Source-destination IP hash
Answer: D
Explanation:
When multiple SD-WAN members satisfy Performance SLA requirements and are eligible to carry traffic, FortiGate must determine how to distribute sessions across these paths. The default load balancing algorithm used by FortiGate SD-WAN is source-destination IP hash, which calculates a hash value based on the source and destination IP addresses of each session and uses this value to consistently select the same SD-WAN member for a given communication pair. This algorithm provides several important benefits for SD-WAN deployments. First, it ensures session persistence, meaning that all traffic between two specific endpoints consistently uses the same path, preventing packet reordering issues that can degrade TCP performance and application behavior. Second, it provides reasonable load distribution across available members when there are many unique source-destination pairs. Third, it’s computationally efficient and doesn’t require maintaining complex state information. The hash-based approach is particularly well-suited for SD-WAN because it balances the needs of performance optimization and operational simplicity. While this is the default, FortiGate SD-WAN supports multiple load balancing algorithms including session-based, volume-based, and spillover strategies that can be configured based on specific requirements. Option A is incorrect because source IP hash alone would create imbalanced distribution when a branch site communicates with many destinations, as all traffic from that branch would use the same member. Option B is incorrect because simple round robin distributes sessions sequentially without considering the relationship between endpoints, potentially causing packet reordering when packets from the same session traverse different paths. Option C is incorrect because weighted round robin considers member priorities or bandwidth but isn’t the default algorithm and can also cause packet reordering issues.
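To make the comparison between the three distribution approaches concrete, here is an added example (not from the exam material and not FortiGate's internal implementation) that runs constructed sessions through a source-destination hash, a source-only hash and round robin. The member names and addresses are constructed, and the hash function is an illustrative stable hash over the address strings, not the one FortiOS uses.

```python
import hashlib
import itertools
from collections import Counter

MEMBERS = ["wan1", "wan2", "wan3"]  # constructed: all three already passed SLA


def _stable_hash(text):
    # blake2b is deterministic across runs; Python's hash() is salted per process.
    return int.from_bytes(hashlib.blake2b(text.encode(), digest_size=8).digest(), "big")


def pick_src_dst_hash(src, dst, members):
    """Same (src, dst) pair -> same member, every time."""
    return members[_stable_hash(f"{src}->{dst}") % len(members)]


def pick_src_hash(src, dst, members):
    """Only the source decides, so one branch host pins everything to one member."""
    return members[_stable_hash(src) % len(members)]


def make_round_robin(members):
    """Sequential distribution that ignores the endpoint pair entirely."""
    cycle = itertools.cycle(members)
    return lambda src, dst, members=members: next(cycle)


def distribute(sessions, picker, members=MEMBERS):
    """Return (member chosen per session, session count per member)."""
    chosen = [picker(src, dst, members) for src, dst in sessions]
    return chosen, Counter(chosen)


def persistent(picker, sessions):
    """True when every session between the same endpoints lands on one member."""
    chosen, _ = distribute(sessions, picker)
    return len(set(chosen)) == 1


# Constructed traffic: one branch host opening sessions to 30 destinations,
# plus five separate sessions between the same endpoint pair.
FAN_OUT = [("10.1.1.10", f"203.0.113.{i}") for i in range(1, 31)]
SAME_PAIR = [("10.1.1.10", "203.0.113.5")] * 5


def compare():
    """Summarise spread (members used for FAN_OUT) and persistence (SAME_PAIR)."""
    return {
        "src-dst hash": (len(distribute(FAN_OUT, pick_src_dst_hash)[1]),
                         persistent(pick_src_dst_hash, SAME_PAIR)),
        "src hash":     (len(distribute(FAN_OUT, pick_src_hash)[1]),
                         persistent(pick_src_hash, SAME_PAIR)),
        "round robin":  (len(distribute(FAN_OUT, make_round_robin(MEMBERS))[1]),
                         persistent(make_round_robin(MEMBERS), SAME_PAIR)),
    }


if __name__ == "__main__":
    for name, (members_used, sticky) in compare().items():
        print(f"{name:13s} members used for fan-out: {members_used}  "
              f"same pair stays on one member: {sticky}")
```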
Question 110
Which CLI command displays the current status of all SD-WAN members?
A) get router info routing-table all
B) diagnose sys sdwan service
C) diagnose sys sdwan member
D) show system sdwan
Answer: C
Explanation:
Monitoring and troubleshooting SD-WAN deployments requires understanding the operational status of all WAN connections and their performance characteristics. The CLI command “diagnose sys sdwan member” provides comprehensive real-time information about all configured SD-WAN members, making it an essential tool for SD-WAN administrators. This command displays critical information including member status (up/down), interface name, gateway IP address, priority, weight, volume statistics, and current Performance SLA measurements such as latency, jitter, and packet loss. The output helps administrators quickly identify which members are active, which have failed SLA requirements, and the current performance characteristics of each path. This diagnostic command is particularly valuable during troubleshooting when trying to understand why traffic is being steered to specific members or when investigating performance issues. The command also shows sequence numbers and packet statistics that help verify bidirectional connectivity and identify potential asymmetric routing issues. For ongoing monitoring, this information can be captured in scripts or integrated with monitoring systems to track SD-WAN health over time. Option A is incorrect because “get router info routing-table all” displays the routing table showing learned routes and next hops, but doesn’t provide SD-WAN-specific information like Performance SLA status or member health. Option B is incorrect because “diagnose sys sdwan service” shows SD-WAN service information and rules, not the operational status of individual members. This command is useful for verifying rule configuration but not member status. Option D is incorrect because “show system sdwan” displays the SD-WAN configuration rather than operational status, showing configured settings like zones, members, and health checks but not real-time performance data.
Question 111
What is the purpose of link quality monitoring in FortiGate SD-WAN?
A) Increase physical bandwidth on WAN links
B) Detect and measure network performance characteristics
C) Encrypt traffic automatically based on quality
D) Compress data to improve throughput
Answer: B
Explanation:
Link quality monitoring is fundamental to SD-WAN’s ability to make intelligent routing decisions and ensure applications receive appropriate network performance. FortiGate implements link quality monitoring through Performance SLA health checks that continuously detect and measure critical network performance characteristics including latency, jitter, packet loss, and link availability. These measurements provide the real-time data necessary for SD-WAN to evaluate whether each member satisfies configured SLA requirements and to make informed path selection decisions. Health checks operate by sending probe packets at configured intervals to specific targets, which can be gateway addresses, specific servers, or internet destinations. The system analyzes probe responses to calculate performance metrics with high accuracy. Link quality data is used in multiple ways: determining which members are viable for traffic, selecting the best path based on configured strategies, triggering automatic failover when quality degrades, and providing visibility for capacity planning and troubleshooting. Organizations can configure different health check parameters based on application requirements, using more frequent probes for critical applications requiring rapid failover and less frequent probes for non-critical traffic to reduce overhead. The granular performance data enables predictive rather than reactive network management, identifying degrading links before they impact user experience. Option A is incorrect because link quality monitoring measures existing bandwidth and performance but cannot increase the physical capacity of WAN circuits. Bandwidth is determined by the service provider and circuit type. Option C is incorrect because encryption decisions are made based on security requirements and configured VPN policies, not automatically based on link quality measurements. Option D is incorrect because data compression, when implemented, is configured separately and isn’t an automatic function of link quality monitoring.
Question 112
Which SD-WAN rule action allows traffic to use any available member meeting SLA requirements?
A) Manual
B) Priority
C) Best quality
D) Load balance
Answer: D
Explanation:
SD-WAN rules in FortiGate provide granular control over how traffic is distributed across available WAN connections through various action types that define path selection behavior. The load balance action allows traffic matching the rule to use any available SD-WAN member that meets configured Performance SLA requirements, distributing sessions across all qualifying members according to the specified load balancing algorithm. This action is ideal for applications that can benefit from the aggregate bandwidth of multiple connections and don’t require the absolute lowest latency or highest priority path. Load balancing distributes the traffic load, preventing any single member from becoming saturated while others remain underutilized. When using load balance, FortiGate evaluates all members in the configured SD-WAN zone or member list, excludes any that fail SLA requirements, and distributes new sessions across the remaining eligible members. The distribution algorithm can be configured as source-destination IP hash, source IP hash, weighted, spillover, or volume-based depending on traffic characteristics and business requirements. Load balancing is particularly effective for bulk data transfers, general internet browsing, and applications where aggregate throughput is more important than having every session use the absolute best path. It maximizes WAN investment by utilizing all available capacity. Option A is incorrect because manual action requires explicitly specifying which member to use, removing the intelligence and automatic path selection that defines SD-WAN. Option B is incorrect because priority action uses members in strict preference order, only using lower-priority members when higher-priority options fail or violate SLA. Option C is incorrect because best quality action selects the single best-performing member for each session rather than distributing across multiple members, prioritizing quality over load distribution.
Question 113
What protocol does FortiGate use for SD-WAN orchestration and centralized management?
A) NETCONF
B) FortiManager
C) RESTCONF
D) Ansible
Answer: B
Explanation:
Managing SD-WAN deployments across numerous branch locations requires centralized orchestration and configuration management to ensure consistency, reduce operational overhead, and enable rapid deployment. FortiManager is Fortinet’s centralized management platform specifically designed for orchestrating FortiGate devices including comprehensive SD-WAN management capabilities. FortiManager provides a unified interface for configuring SD-WAN policies, health checks, member configurations, and firewall rules across the entire SD-WAN fabric. It enables template-based provisioning where administrators create SD-WAN configuration templates that can be applied to multiple devices simultaneously, ensuring consistency and reducing configuration errors. FortiManager supports zero-touch provisioning, allowing new FortiGate devices to automatically receive their configurations upon initial connection, dramatically accelerating branch deployment. The platform provides centralized monitoring and reporting for SD-WAN performance, showing health check status, bandwidth utilization, and Performance SLA violations across all managed devices. FortiManager also integrates with FortiAnalyzer for comprehensive logging and analytics. Through the SD-WAN orchestrator feature, administrators can design the entire WAN topology graphically, define templates for different branch types, and deploy configurations at scale. FortiManager uses secure communication protocols to connect with managed FortiGate devices and can manage thousands of devices from a single console. Option A is incorrect because NETCONF is a network configuration protocol standard but isn’t the primary orchestration tool for FortiGate SD-WAN. While FortiGate supports various APIs, FortiManager is the native management solution. Option C is incorrect because RESTCONF is another configuration protocol that could be used for automation but isn’t the primary SD-WAN orchestration platform. Option D is incorrect because while Ansible can automate FortiGate configurations through APIs, it’s a third-party automation tool rather than Fortinet’s dedicated SD-WAN orchestration platform.
Question 114
Which traffic shaping option controls bandwidth usage per SD-WAN rule?
A) Interface bandwidth limits only
B) Traffic shaping policy
C) QoS profiles
D) SD-WAN bandwidth allocation
Answer: B
Explanation:
Bandwidth management is critical in SD-WAN deployments to ensure fair resource allocation, prevent congestion, and guarantee performance for priority applications. Traffic shaping policies in FortiGate provide granular control over bandwidth usage and can be applied at multiple levels including interfaces, firewall policies, and SD-WAN rules. When applied to SD-WAN rules, traffic shaping policies control how much bandwidth specific applications or traffic types can consume across selected WAN connections. Traffic shaping policies define parameters including guaranteed bandwidth (minimum allocation), maximum bandwidth (hard limit), and priority for competing traffic. These policies use token bucket algorithms to enforce bandwidth limits while allowing brief bursts above guaranteed rates when capacity is available. Traffic shaping can be bidirectional, controlling both outbound and inbound traffic independently. In SD-WAN contexts, traffic shaping ensures that critical applications receive sufficient bandwidth even during congestion while preventing less important traffic from consuming excessive resources. For example, a rule steering VoIP traffic might include a traffic shaping policy guaranteeing 1 Mbps and allowing bursts to 2 Mbps, while a rule for guest internet traffic might be limited to 5 Mbps maximum. Traffic shaping works in conjunction with SD-WAN path selection, so traffic is both routed optimally and bandwidth-controlled appropriately. Option A is incorrect because interface bandwidth limits apply to all traffic on an interface without the granularity to control specific applications or SD-WAN rules independently. Option C is incorrect because while QoS profiles provide packet marking and prioritization, traffic shaping policies are the specific mechanism for bandwidth rate limiting in SD-WAN rules. Option D is incorrect because SD-WAN bandwidth allocation isn’t a separate feature; bandwidth control is implemented through traffic shaping policies.
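The token bucket behavior described above, as an added example that is not part of the exam material or of FortiOS: a single-rate shaper that enforces the maximum-bandwidth limit while allowing a brief burst, run against a constructed offered load that exceeds the 5 Mbps guest limit mentioned in the explanation. The burst allowance (one second of the maximum rate) and the traffic pattern are assumptions; guaranteed bandwidth is not modelled because it only matters when several classes compete for one link.

```python
class TokenBucket:
    """Single-rate shaper: tokens are bits, refilled at max_bps, capped at burst_bits."""

    def __init__(self, max_bps, burst_bits):
        self.rate = max_bps
        self.capacity = burst_bits
        self.tokens = burst_bits   # bucket starts full, so an initial burst is allowed
        self.last_ms = 0

    def admit(self, now_ms, size_bytes):
        """True if the packet conforms to the shaper; integer math keeps it exact."""
        if now_ms < self.last_ms:
            raise ValueError("timestamps must not go backwards")
        refill = (now_ms - self.last_ms) * self.rate // 1000
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def shape(packets, max_bps, burst_bits=None):
    """packets: list of (timestamp_ms, size_bytes) in time order.
    Returns (conforming, non_conforming) counts; non-conforming packets are the
    ones a shaper would queue or drop once the burst allowance is spent."""
    bucket = TokenBucket(max_bps, max_bps if burst_bits is None else burst_bits)
    conforming = sum(1 for ts, size in packets if bucket.admit(ts, size))
    return conforming, len(packets) - conforming


GUEST_MAX_BPS = 5_000_000  # the 5 Mbps guest limit from the explanation

# Constructed offered load: 1 Mbit chunks (125000 bytes) every 100 ms for 2 s,
# i.e. 10 Mbps, twice the configured maximum.
OFFERED_10MBPS = [(t, 125_000) for t in range(0, 2000, 100)]

# Constructed conforming load: the same chunks every 500 ms, i.e. 2 Mbps.
OFFERED_2MBPS = [(t, 125_000) for t in range(0, 2000, 500)]


if __name__ == "__main__":
    ok, over = shape(OFFERED_10MBPS, GUEST_MAX_BPS)
    print(f"10 Mbps offered: {ok} chunks conform, {over} exceed the 5 Mbps shaper")
    ok, over = shape(OFFERED_2MBPS, GUEST_MAX_BPS)
    print(f"2 Mbps offered: {ok} chunks conform, {over} exceed the shaper")
```

In the 10 Mbps run the first second's worth of chunks passes on the stored burst, after which only every second chunk conforms, which is exactly the 5 Mbps steady-state rate.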
Question 115
What is the minimum number of members required to configure an SD-WAN zone?
A) 1
B) 2
C) 3
D) 4
Answer: A
Explanation:
SD-WAN zones provide logical grouping of SD-WAN members for simplified policy management and routing configuration. Understanding zone requirements is important for flexible SD-WAN design that can accommodate various deployment scenarios from simple dual-WAN setups to complex multi-path architectures. FortiGate allows creating an SD-WAN zone with a minimum of just one member, providing maximum flexibility in network design. While the primary value of zones emerges when grouping multiple members, single-member zones remain valid and useful in several scenarios. A zone with one member might represent a specific connection type that requires distinct policy treatment, serve as a placeholder during phased deployments before additional members are added, or represent a unique path like a dedicated cloud connection that shouldn’t be grouped with general internet links. The single-member minimum ensures that SD-WAN configurations can evolve gracefully as networks grow without requiring architectural changes. As additional WAN connections are deployed, they can simply be added to existing zones or placed in new zones as appropriate. This flexibility supports various deployment models from small branches with limited connectivity to large sites with numerous redundant paths. The ability to use single-member zones also simplifies migration from traditional routing to SD-WAN by allowing incremental adoption without requiring multiple connections upfront. Option B is incorrect because requiring two members would unnecessarily restrict SD-WAN deployment options and prevent valid use cases with single unique connections. FortiGate intentionally allows single-member zones for flexibility. Option C is incorrect because three members as a minimum would be overly restrictive and prevent SD-WAN use in typical dual-WAN scenarios or during phased deployments. Option D is incorrect because requiring four members would severely limit SD-WAN adoption and doesn’t reflect FortiGate’s actual capabilities or design philosophy.
Question 116
Which feature provides application steering based on Microsoft 365 service endpoints?
A) Static IP-based routing
B) Internet Service Database
C) Manual application lists
D) Custom URL filters
Answer: B
Explanation:
Cloud application access has become a dominant component of enterprise WAN traffic, and optimizing connectivity to cloud services like Microsoft 365 requires intelligent routing based on service provider infrastructure. FortiGate’s Internet Service Database (ISDB) provides dynamic, automatically updated information about internet services including cloud applications, content delivery networks, and SaaS providers. The ISDB contains IP address ranges, domain names, and other identifiers for thousands of internet services, updated regularly by FortiGuard Labs as service providers change their infrastructure. For Microsoft 365, the ISDB includes all published service endpoints across the various Microsoft 365 services including Exchange Online, SharePoint, Teams, and others. SD-WAN rules can reference these ISDB entries to steer traffic destined for Microsoft 365 directly to internet breakouts rather than backhauling through data centers, implementing the Microsoft-recommended local breakout architecture. This approach reduces latency, improves user experience, and reduces WAN bandwidth consumption. The ISDB integration eliminates the need for manual maintenance of IP address lists that would quickly become outdated as Microsoft modifies its infrastructure. FortiGate automatically downloads ISDB updates, ensuring SD-WAN policies remain accurate without administrator intervention. ISDB can be used in combination with application identification for comprehensive traffic classification and steering. Option A is incorrect because static IP-based routing requires manual maintenance and quickly becomes inaccurate as cloud services dynamically change their IP addresses and add new endpoints. Option C is incorrect because manual application lists require significant administrative overhead to maintain and don’t automatically update as service providers modify their infrastructure. Option D is incorrect because URL filters operate on web traffic and domain names but don’t provide the comprehensive service endpoint information needed for optimal cloud application routing.
Question 117
What happens to existing sessions when an SD-WAN member fails?
A) All sessions immediately terminate
B) Existing sessions continue, new sessions use alternate members
C) Sessions automatically migrate to other members
D) Traffic is buffered until the member recovers
Answer: C
Explanation:
Session failover behavior is critical for understanding the user experience during WAN link failures and planning appropriate redundancy strategies. When an SD-WAN member fails, FortiGate’s behavior depends on the configuration of session synchronization and failover settings. By default, with session failover enabled, existing sessions can automatically migrate to alternate SD-WAN members that meet SLA requirements, maintaining application connectivity without user intervention. FortiGate tracks active sessions and their associated SD-WAN members, and when a member fails health checks or its physical link goes down, the system evaluates alternative paths for existing sessions. TCP sessions benefit from the protocol’s built-in recovery mechanisms, where temporary disruption triggers retransmission and the session continues over the new path. UDP-based applications may experience brief disruption but typically recover quickly. The session migration happens transparently for most applications, though some applications sensitive to IP address changes or requiring persistent connections may experience interruption. The effectiveness of session migration depends on factors including application protocol, whether NAT is involved, and the specific configuration of SD-WAN rules and zones. For critical applications, implementing application-layer redundancy in addition to network-layer SD-WAN failover provides the most resilient solution. FortiGate logs member failures and session migrations, providing visibility into failover events for troubleshooting and capacity planning. Option A is incorrect because immediately terminating all sessions would create a poor user experience and isn’t how modern SD-WAN implementations handle failures. Option B is incorrect because FortiGate attempts to maintain existing sessions, not just route new sessions differently, when session failover is properly configured. Option D is incorrect because traffic isn’t buffered waiting for recovery; it’s either migrated to functioning members or experiences an application-layer timeout, depending on the duration of the failure and the configuration.
Question 118
Which command shows the SD-WAN rules and their hit counts?
A) diagnose sys sdwan service
B) get router info routing-table sdwan
C) show system sdwan
D) diagnose firewall proute list
Answer: A
Explanation:
Verifying that SD-WAN rules are correctly matching intended traffic and understanding traffic patterns across different rules requires visibility into rule utilization. The CLI command “diagnose sys sdwan service” displays comprehensive information about configured SD-WAN rules including rule identifiers, match criteria, selected members or zones, configured strategy, and importantly, hit counts showing how many times each rule has matched traffic. This diagnostic command is essential for troubleshooting SD-WAN policy issues because it reveals whether traffic is matching the expected rules or falling through to default handling. Hit counts help administrators verify that newly created rules are functioning correctly, identify unused rules that might be candidates for removal, and understand traffic distribution across different rule categories. The command also shows the current status of members associated with each rule, including which members are active and meeting SLA requirements versus those that have failed health checks. This information is particularly valuable when investigating why traffic might not be using expected paths, as it reveals both the rule matching behavior and the member availability that influences actual path selection. The output includes details about configured SLA requirements, priority settings, and path selection algorithms for each rule. For operational monitoring, this command can be incorporated into scripts to track SD-WAN rule utilization over time. Option B is incorrect because there is no command “get router info routing-table sdwan” in FortiOS; this isn’t valid syntax. Option C is incorrect because “show system sdwan” displays the SD-WAN configuration rather than operational statistics like hit counts and current member status. Option D is incorrect because “diagnose firewall proute list” shows policy routes, which are different from SD-WAN rules, though they can work together in traffic steering.
Question 119
What is the purpose of the implicit SD-WAN rule in FortiGate?
A) Block all traffic not matching explicit rules
B) Provide default handling for unmatched traffic
C) Enable automatic rule creation
D) Synchronize rules across HA cluster
Answer: B
Explanation:
SD-WAN rule processing follows a sequential evaluation model where traffic is compared against configured rules in order until a match is found. Understanding how traffic is handled when it doesn’t match any explicit rule is important for predictable network behavior and avoiding unexpected routing. The implicit SD-WAN rule in FortiGate provides default handling for traffic that doesn’t match any explicitly configured SD-WAN rules. This implicit rule ensures that all traffic can be forwarded even when administrators haven’t created specific rules for every traffic type. The implicit rule uses all available SD-WAN members that meet their Performance SLA requirements and applies a default load balancing strategy, typically source-destination IP hash, to distribute traffic across available paths. This behavior prevents traffic from being dropped simply because no explicit rule was configured while still providing basic SD-WAN benefits like automatic failover and load distribution. The implicit rule appears at the bottom of the rule list and cannot be deleted, though its behavior is influenced by overall SD-WAN configuration including member priorities and health check status. While relying on the implicit rule works for simple deployments or non-critical traffic, best practice for production environments involves creating explicit rules for all important traffic types to ensure predictable routing behavior aligned with business requirements. The implicit rule serves as a safety net, ensuring connectivity even during misconfigurations or for unexpected traffic types. Option A is incorrect because FortiGate doesn’t block traffic by default when it doesn’t match explicit SD-WAN rules; this would cause widespread connectivity issues and doesn’t align with SD-WAN design principles. Option C is incorrect because the implicit rule doesn’t enable automatic creation of other rules; it simply provides default handling. Rule creation requires explicit administrator configuration. Option D is incorrect because rule synchronization across HA clusters is handled by the HA synchronization mechanism, not by the implicit rule, which handles traffic routing.
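The zone, member, ISDB steering and implicit-rule settings discussed in Questions 115, 116 and 119, as an added FortiOS CLI example that is not part of the original page or of Fortinet's documentation. The interface names wan1/wan2 and the zone names are assumptions, and the ISDB entry name is assumed to match the name present in the running FortiGuard database.

```fortios
# Added example (not from the page or Fortinet): two zones, one of them
# single-member, a Microsoft 365 local-breakout rule, and the strategy the
# implicit rule applies. Assumed: wan1 is an internet circuit, wan2 is MPLS,
# and "Microsoft-Office365" is the ISDB name shipped in the running build.
config system sdwan
    set status enable
    # Strategy used by the implicit rule for traffic matching no explicit rule
    set load-balance-mode source-dest-ip-based
    config zone
        edit "internet"
        next
        # A zone with a single member is valid (Question 115)
        edit "mpls"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "internet"
        next
        edit 2
            set interface "wan2"
            set zone "mpls"
        next
    end
    config service
        edit 1
            set name "m365-local-breakout"
            # Destinations come from the FortiGuard-maintained ISDB entry,
            # so no manual IP list has to be kept current
            set internet-service enable
            set internet-service-name "Microsoft-Office365"
            set src "all"
            # Only the internet zone is a candidate; MPLS is never used
            set priority-zone "internet"
        next
    end
end
```

Traffic that matches no explicit rule falls to the implicit rule, which hashes on source and destination IP across members 1 and 2 that currently meet their SLA.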
Question 120
Which SD-WAN health check protocol is best for monitoring voice quality metrics?
A) Ping
B) HTTP
C) TCP echo
D) UDP echo
Answer: A
Explanation:
Selecting appropriate health check protocols is essential for accurately measuring the performance characteristics relevant to different application types. Voice applications have specific requirements including low latency, minimal jitter, and low packet loss, making appropriate health check selection critical for SD-WAN path selection. Ping-based health checks using ICMP echo requests are best suited for monitoring voice quality metrics because they provide accurate measurements of latency and packet loss with minimal overhead. Ping health checks send small ICMP packets at configured intervals and measure round-trip time and packet loss percentage, which are the primary factors affecting voice quality. The small packet size of ping probes closely matches VoIP packet characteristics, making the measurements representative of actual voice traffic performance. FortiGate can send multiple ping probes per interval and calculate jitter (variation in latency) from them, which is another critical voice quality metric. Ping health checks consume minimal bandwidth, allowing frequent probing without impacting actual voice traffic. The measurements from ping health checks map directly to voice quality metrics used in Mean Opinion Score (MOS) calculations, enabling administrators to set SLA thresholds that correlate with acceptable voice quality levels. For example, thresholds might specify a maximum latency of 150 ms, jitter under 30 ms, and packet loss below 1 percent to ensure good voice quality. When these thresholds are violated, SD-WAN automatically steers voice traffic to alternative paths meeting the requirements. Option B is incorrect because HTTP health checks measure web service availability and response time, which doesn’t accurately reflect the consistent, low-latency requirements of voice traffic. HTTP involves larger packets and different network behavior. Option C is incorrect because TCP echo health checks measure TCP connection establishment and reliability, but the connection-oriented nature of TCP doesn’t match the connectionless UDP-based protocols used by most VoIP implementations. Option D is incorrect because while UDP echo might seem appropriate since VoIP uses UDP, standard ping provides more accurate latency measurements and is universally supported without requiring special server configurations.
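The ping health check and the 150 ms / 30 ms / 1 percent voice thresholds from the explanation above, tied to a rule that steers voice only over members meeting them, as an added FortiOS CLI example that is not from the page or from Fortinet. It assumes SD-WAN members 1 and 2 already exist; the probe server address and the "voip-provider" address object are constructed placeholders.

```fortios
# Added example (not from the page or Fortinet): ICMP health check with a
# voice SLA, and a rule that uses it. Assumed: SD-WAN members 1 and 2 exist,
# 198.51.100.10 is a constructed probe target reachable over both members,
# and "voip-provider" is an existing address object for the SIP/RTP peer.
config system sdwan
    config health-check
        edit "voice-probe"
            set server "198.51.100.10"
            set protocol ping
            # Probe every 500 ms; jitter is derived from RTT variation
            # between consecutive probes
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    # Only these three factors decide SLA pass/fail
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 10
            set name "voice"
            # mode sla: first member in priority order that meets SLA 1;
            # when it breaches, traffic moves to the next compliant member
            set mode sla
            set protocol 17
            set src "all"
            set dst "voip-provider"
            config sla
                edit "voice-probe"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```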