FCSS_SDW_AR-7.4 Exam Dumps - Fortinet Certified Solution Specialist Questions and Answers

FortiManager enforces a strict distinction:

"Firewall policies must reference SD-WAN zones, not individual SD-WAN members, when used in conjunction with SD-WAN templates. Attempting to install a policy that references a specific member (interface) will result in a deployment error, as member-level targeting is not supported in SD-WAN policy abstraction. This enforces centralized policy consistency and proper SD-WAN operation."

Ensuring policies target zones allows FortiGate to dynamically select the optimal member.

The SD-WAN load balancing algorithm selection is nuanced. Fortinet documentation states:

"Outbandwidth hash mode can be used with any load balancing strategy that permits multiple simultaneous paths. However, SD-WAN load balancing in practice is only enabled when the strategy is either 'best quality' or 'lowest cost (SLA)'. Manual strategies do not support automated load balancing, and are typically used for deterministic or failover scenarios."

Selecting the correct strategy is key for achieving desired distribution and redundancy.

This configuration demonstrates a typical IPsec setup for SD-WAN overlays where the hub side requires a manually defined tunnel IP address, and the spoke can be flexibly configured, including interoperability with third-party IPsec devices. As described in the Fortinet SD-WAN Architect Guide: “For some overlays, the tunnel interface IP is configured statically on the hub side, which allows more control over overlay subnetting and facilitates the use of user-defined overlay IP addresses. This approach is also a requirement for compatibility with non-FortiGate endpoints, such as third-party IPsec devices that may not support dynamic address assignment via IKE or proprietary mechanisms.” This enables hybrid SD-WAN environments and advanced designs involving external partners or cloud services. Overlay IP flexibility is critical for route control and segmentation.

Before FortiGate can steer traffic according to SD-WAN rules, certain configuration elements must be present. The guide states:

"SD-WAN is not a standalone feature and interacts with several fundamental FortiGate configurations. Specifically, you must: (1) Define the interfaces (physical, VLAN, or IPsec) that will act as SD-WAN members, (2) Create firewall policies to allow traffic to be steered by SD-WAN, and (3) Set up routing so that traffic has valid routes via SD-WAN members. Without these, SD-WAN rules will not be able to match or steer any traffic."

Security profiles and traffic shaping are not mandatory for basic SD-WAN steering but can be layered on for enhanced security and QoS once foundational elements are present.

For SD-WAN deployments that span multiple regions—where most traffic is intra-region and there is no requirement for inter-region ADVPN—the best practice is to use IBGP with BGP on loopback interfaces for routing within each region and EBGP between the regions. This approach ensures robust and scalable routing, isolates regional routing domains, and enables policy control at region boundaries. BGP on loopback is preferred for its reliability and flexibility, as it enables peering that is not tied to specific physical interfaces. EBGP between regions allows each region to maintain independent routing policies and summarization, optimizing performance and manageability. By separating IBGP (intra-region) and EBGP (inter-region), you create a modular architecture that scales easily and simplifies fault isolation and troubleshooting.

Based on the provided scenario, when initiating a ping test to a device (10.0.1.101) behind the branch FortiGate, the test traffic is steered through port1. This is determined by analyzing the SD-WAN rules, interface priorities, and routing table on the branch device. In typical Fortinet SD-WAN configurations, the port used for steering is determined by a combination of static routes, SD-WAN rules, and interface health checks. If port1 is the preferred member for that traffic—due to route metrics, health check status, or explicit SD-WAN rule configuration—then all eligible traffic from the LAN to the destination will be forwarded through port1. This not only ensures optimal traffic flow but also leverages SD-WAN’s dynamic path selection features to provide resilience and application steering.

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there’s an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.

The FortiManager SD-WAN overlay system allows only one IPsec template to be assigned to each device per overlay operation. The guide clarifies:

"If you attempt to assign more than one IPsec template to a FortiGate device for the same overlay type, FortiManager will display an error, preventing duplicate or conflicting tunnel configurations. This limitation ensures a one-to-one mapping between device and overlay template per operation, maintaining configuration integrity and preventing routing issues."

This prevents complex troubleshooting scenarios and enforces best practices for overlay design.

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

"Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic."

Administrators can observe this in diagnostic outputs for troubleshooting.

Traffic steering decisions in SD-WAN are based on both SD-WAN member priorities and route metrics. The guide states:

"If HUB1-VPN3 has a higher member configuration priority (lower numerical value) or a route with a lower priority value (which actually represents higher precedence in routing), it will be chosen over HUB1-VPN1, even if an SD-WAN rule would otherwise match HUB1-VPN1. These dual factors—member configuration and route table priority—govern traffic egress decisions."

Administrators should carefully align route and SD-WAN member priorities for predictable path selection.