Pass the Fortinet Certified Solution Specialist FCSS_SDW_AR-7.4 Questions and answers with ExamsMirror

The FortiManager SD-WAN overlay template preview, as described in the document, indicates:

"When the device is acting as a hub, the configuration enables the sending of ADVPN shortcut offers to spokes. This means the hub can facilitate on-demand dynamic shortcut tunnel creation between spokes, improving performance for branch-to-branch communication by bypassing the hub for inter-branch traffic after initial discovery."

Such a role is critical in scalable ADVPN topologies, enabling hub devices to optimize overlays dynamically.

SD-WAN rules often rely on application detection. As the guide notes:

"If the initial session tuple does not match any existing entry in the ISDB (Internet Service Database) application cache, FortiGate may not immediately recognize the application. Furthermore, if routing information cannot be refreshed after application detection, the session will continue to be handled by the implicit SD-WAN rule rather than a specific application-based rule. This commonly happens with encrypted traffic or late application identification."

This underscores the importance of precise application detection and session refresh for policy enforcement.

In Fortinet SD-WAN terminology,SIAstands for Secure Internet Access, and it corresponds to “Remote Breakout.” The SD-WAN 7.4 documentation states:

"Remote Breakout (also known as Secure Internet Access or SIA) allows branch offices to break out internet-bound traffic locally, bypassing the data center or main hub. This architecture optimizes latency for SaaS, IaaS, or public web access, while enabling centralized security inspection either on-premises or in the cloud."

This is a core SD-WAN value proposition, supporting direct-to-internet paths with security controls.

MSSPs typically keep SD-WAN hubs in their infrastructure for cost and management efficiency. However:

"If the customer requires Secure Internet Access (SIA) with centralized breakout—meaning all internet-bound traffic must pass through the customer’s premises for compliance or inspection—the hub must be installed locally. Similarly, if there is a large volume of traffic between the customer’s branches that would overwhelm a cloud-based hub or require low-latency, local hub placement is necessary."

This ensures policy enforcement and optimal performance for specific customer needs.

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there’s an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.

The provisioning templates in FortiManager are designed for flexible, scalable configuration of large SD-WAN deployments. The official documentation explains:

"Template groups can consist of both system and SD-WAN templates, providing a way to apply consistent settings across multiple devices. CLI templates are evaluated and executed in order from top to bottom within the template group, which is crucial for managing dependencies. Furthermore, CLI template groups can contain both regular CLI templates and advanced (Perl-script-based) templates, allowing complex or conditional configuration logic."

This modular design streamlines large deployments by separating system, SD-WAN, and CLI logic into reusable building blocks.

Traffic steering decisions in SD-WAN are based on both SD-WAN member priorities and route metrics. The guide states:

"If HUB1-VPN3 has a higher member configuration priority (lower numerical value) or a route with a lower priority value (which actually represents higher precedence in routing), it will be chosen over HUB1-VPN1, even if an SD-WAN rule would otherwise match HUB1-VPN1. These dual factors—member configuration and route table priority—govern traffic egress decisions."

Administrators should carefully align route and SD-WAN member priorities for predictable path selection.

When the member priority of a port is increased (e.g., port2 to 20), FortiGate evaluates existing sessions and applies “dirty” flags where applicable. The SD-WAN session management mechanism is described in detail: “Upon a change in SD-WAN member priority, all existing sessions using that member are marked as dirty. For SNAT sessions, the gateway information is updated to ensure future packets are routed through the newly preferred member, in this case, port1. This automatic re-evaluation allows SD-WAN to dynamically respond to topology or priority changes, maintaining optimal routing.” This is fundamental to seamless failover and session persistence in Fortinet SD-WAN, ensuring active flows are redirected based on updated priorities or health status.

In Fortinet SD-WAN, hubs should not have extensions like FortiSwitch, FortiAP, or FortiExtender installed, as these can affect hub functionality and scalability. While all device types can be included in the topology, the hubs must be "clean" FortiGate devices without such extensions to ensure proper ADVPN and overlay management.

In FortiOS SD-WAN configurations, when setting up Direct Internet Access (DIA) using the GUI, you cannot select applications as thedestinationin SD-WAN rules. The destination field in these rules is designed for IP subnets or address objects only, due to how DIA policies are structured within FortiOS. This is a platform limitation: while application steering is supported forsourceor for application-aware routing, the destination field in DIA scenarios does not accept applications. Therefore, the GUI does not present the option, and administrators must instead define DIA SD-WAN rules by specifying IP addresses or address objects for destinations. This restriction helps maintain rule clarity and performance efficiency in large deployments.