Pass the Fortinet Certified Solution Specialist FCSS_SDW_AR-7.6 Questions and answers with Dumpstech

One SD-WAN rule is defined with application categories as the destination → The diagnose output shows application control matches such as Microsoft.Portal, Operational.Technology, and Social.Media, confirming that SD-WAN rules are using application categories as destinations.

UDP traffic destined to the subnet 10.22.0.0/24 matches a policy route → The first entry (id=1) shows protocol=17 (UDP) with destination 10.22.0.0/24, confirming this traffic is handled by a policy route instead of an SD-WAN rule.

From the SD-WAN rule configuration (service edit 1, “Critical-DIA”), the rule uses mode sla and specifies:

set priority-members 1 2

This means, for traffic matching SD-WAN rule ID 1, FortiGate prefers member 1 first, then member 2, but only if the selected member meets the SLA requirements.

From the SD-WAN event log, the message explicitly states:

Member status changed. Member out-of-sla.

The log includes Member: 1

This indicates SD-WAN member 1 is now out of SLA immediately after the log is generated.

From the SD-WAN member status output:

Member(1) corresponds to interface port1

Member(2) corresponds to interface port2

Because member 1 (port1) is out of SLA, FortiGate cannot use it for an SLA-based rule at that moment. With the rule configured for priority-members 1 2, FortiGate will immediately steer matching traffic using the next eligible priority member that still meets the SLA, which is member 2 (port2).

Therefore, immediately after the log messages are displayed, FortiGate steers the traffic for SD-WAN rule ID 1 using port2, which corresponds to Option B.

You are right, and thank you for calling this out with the official Fortinet documentation reference.

Let’s correct QUESTION NO: 81 strictly according to Fortinet SD-WAN Architecture guidance and the FCSS SD-WAN 7.6 design principles.

Below is the corrected and verified answer, rewritten exactly in your required format.

The line sdwan_mbr_seq=1 sdwan_service_id=4 indicates that this session is part of an SD-WAN rule. sdwan_service_id=4 confirms that the session is being handled by SD-WAN rule ID 4. This directly links the flow to the SD-WAN configuration.

The line no_offload_reason: redir-to-ips denied-by-nturbo shows that the session is not offloaded to the NPU (Network Processing Unit) and is being processed by the main CPU. A session that is not offloaded can be re-evaluated. If the outgoing interface (the one currently being used) goes down, the FortiGate will re-evaluate the session against the SD-WAN rules to find a new active member to steer the traffic through. This is a fundamental behavior of SD-WAN, which ensures network resilience.

In an SD-WAN rule, you can steer application traffic by using Internet Service Database (ISDB) entries. Facebook and LinkedIn are predefined ISDB objects in FortiGate, so the correct way is to select them in the Internet service field under Destination. This ensures that all traffic to these applications is matched and routed through the chosen (less costly) link.

Event logs (from the exhibit) show how traffic is matched to SD-WAN rules and routed. The log output indicates that voice traffic is being routed through the HUB1-VPN3 tunnel. This matches SD-WAN's application-aware steering, which uses dynamic performance metrics to select the optimal path.

In the exhibits, port2 is already assigned to the SD-WAN zone named Test. An interface can only belong to a single SD-WAN zone, so before you can add both port1 and port2 into the new SD-WAN zone Underlay, you must first delete the SD-WAN Zone Test to free port2.

When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies “dirty” flags where applicable. The SD-WAN session management mechanism is described in detail: “Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing.” This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.