Fortinet FCSS_SDW_AR-7.4 FCSS - SD-WAN 7.4 Architect Exam Practice Test

In FortiOS SD-WAN configurations, when setting up Direct Internet Access (DIA) using the GUI, you cannot select applications as thedestinationin SD-WAN rules. The destination field in these rules is designed for IP subnets or address objects only, due to how DIA policies are structured within FortiOS. This is a platform limitation: while application steering is supported forsourceor for application-aware routing, the destination field in DIA scenarios does not accept applications. Therefore, the GUI does not present the option, and administrators must instead define DIA SD-WAN rules by specifying IP addresses or address objects for destinations. This restriction helps maintain rule clarity and performance efficiency in large deployments.

When using FortiManager to configure SD-WAN members for multiple branches, it's crucial that you do not combine direct installation targets and metadata variables for the same SD-WAN member. From the FortiManager logs and the SD-WAN 7.4 documentation:

"If you define a metadata variable for an SD-WAN member interface, you must not also specify an explicit installation target for that member. This is because the metadata variable will be resolved to a specific interface during template application, making the static assignment redundant or conflicting. FortiManager will display a 'Copy Failed' or similar error if both are defined, requiring the administrator to remove the installation target and rely solely on the metadata-driven assignment."

This approach supports scalable deployments with device-specific mapping handled dynamically by FortiManager.

Fortinet outlines key SD-WAN routing principles:

"Policy routes are always evaluated before SD-WAN rules, meaning if a policy route matches, SD-WAN steering is bypassed. If the best route for a destination is not via an SD-WAN member, SD-WAN rules do not apply, and members are ignored if they lack a valid route. This hierarchy ensures traffic always follows the most deterministic and valid path according to configuration."

Understanding these principles is critical for correct SD-WAN and routing integration.

The provisioning templates in FortiManager are designed for flexible, scalable configuration of large SD-WAN deployments. The official documentation explains:

"Template groups can consist of both system and SD-WAN templates, providing a way to apply consistent settings across multiple devices. CLI templates are evaluated and executed in order from top to bottom within the template group, which is crucial for managing dependencies. Furthermore, CLI template groups can contain both regular CLI templates and advanced (Perl-script-based) templates, allowing complex or conditional configuration logic."

This modular design streamlines large deployments by separating system, SD-WAN, and CLI logic into reusable building blocks.

Within ADVPN topologies, shortcut requests and responses traverse spokes and hubs. Fortinet documentation states:

"When a spoke receives a shortcut query from another spoke, it may forward the response to its hub for validation or to facilitate dynamic shortcut tunnel setup. This mechanism allows direct spoke-to-spoke communication for optimized routing and performance, reducing latency and offloading the hub after initial control-plane mediation."

This is a core benefit of ADVPN’s dynamic shortcut feature.

Traffic steering decisions in SD-WAN are based on both SD-WAN member priorities and route metrics. The guide states:

"If HUB1-VPN3 has a higher member configuration priority (lower numerical value) or a route with a lower priority value (which actually represents higher precedence in routing), it will be chosen over HUB1-VPN1, even if an SD-WAN rule would otherwise match HUB1-VPN1. These dual factors—member configuration and route table priority—govern traffic egress decisions."

Administrators should carefully align route and SD-WAN member priorities for predictable path selection.

When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies “dirty” flags where applicable. The SD-WAN session management mechanism is described in detail: “Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing.” This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.

MSSPs typically keep SD-WAN hubs in their infrastructure for cost and management efficiency. However:

"If the customer requires Secure Internet Access (SIA) with centralized breakout—meaning all internet-bound traffic must pass through the customer’s premises for compliance or inspection—the hub must be installed locally. Similarly, if there is a large volume of traffic between the customer’s branches that would overwhelm a cloud-based hub or require low-latency, local hub placement is necessary."

This ensures policy enforcement and optimal performance for specific customer needs.

When all SD-WAN members on a given interface are detected as "dead" (failed health checks), FortiGate will bring down the corresponding physical interface (e.g., port5) to prevent further traffic from being sent over a non-functional path. This helps to ensure that no traffic is black-holed and allows for proper failover.

This configuration demonstrates a typical IPsec setup for SD-WAN overlays where the hub side requires a manually defined tunnel IP address, and the spoke can be flexibly configured, including interoperability with third-party IPsec devices. As described in the Fortinet SD-WAN Architect Guide: “For some overlays, the tunnel interface IP is configured statically on the hub side, which allows more control over overlay subnetting and facilitates the use of user-defined overlay IP addresses. This approach is also a requirement for compatibility with non-FortiGate endpoints, such as third-party IPsec devices that may not support dynamic address assignment via IKE or proprietary mechanisms.” This enables hybrid SD-WAN environments and advanced designs involving external partners or cloud services. Overlay IP flexibility is critical for route control and segmentation.

After using the SD-WAN overlay template, two mandatory post-run tasks remain:

"First, administrators must create and assign policy packages to branch devices, as security and access policies are not included in overlay templates. Second, SD-WAN rules must be configured so that traffic can be matched and steered appropriately through the established overlays. Neglecting either task results in ungoverned traffic or inefficient routing, undermining the benefits of SD-WAN."

Templates automate topology, but policy and rule definition are critical for operational effectiveness.