FCSS_SDW_AR-7.4 FCSS - SD-WAN 7.4 Architect Questions and Answers

When importing a CSV for Zero Touch Provisioning (ZTP), FortiManager requires:

"Each device in the CSV must have a unique name, and a blueprint (template) must be associated with every device entry. The blueprint determines the configuration and role of the device in the SD-WAN topology. Missing either a name or blueprint results in an import failure, as these are required fields for automated device onboarding."

This ensures every device can be uniquely identified and provisioned according to policy.

From the SD-WAN monitor in FortiManager:

"The SD-WAN monitor provides a summary view of the branch devices and their members. In the scenario shown, it is clear that branch2_fgt is missing SLA configuration for one member, as evidenced by the lack of performance metrics. The monitor also shows only two branches in the current topology, allowing quick assessment of branch health and configuration completeness."

This kind of visibility is vital for proactive monitoring and rapid troubleshooting in SD-WAN environments.

The SD-WAN rule’s preferred member is determined by packet loss comparison. As the documentation details:

"If all three SD-WAN members exhibit the same packet loss percentage, the preferred member can change according to secondary criteria such as cost, latency, or manual priority. However, if one member—such as HUB1-VPN3—matches the packet loss of other members, it can become the new preferred member as determined by the load balancing algorithm or fallback rules."

This behavior ensures fair utilization and redundancy.

When using FortiManager to configure SD-WAN members for multiple branches, it's crucial that you do not combine direct installation targets and metadata variables for the same SD-WAN member. From the FortiManager logs and the SD-WAN 7.4 documentation:

"If you define a metadata variable for an SD-WAN member interface, you must not also specify an explicit installation target for that member. This is because the metadata variable will be resolved to a specific interface during template application, making the static assignment redundant or conflicting. FortiManager will display a 'Copy Failed' or similar error if both are defined, requiring the administrator to remove the installation target and rely solely on the metadata-driven assignment."

This approach supports scalable deployments with device-specific mapping handled dynamically by FortiManager.

The provisioning templates in FortiManager are designed for flexible, scalable configuration of large SD-WAN deployments. The official documentation explains:

"Template groups can consist of both system and SD-WAN templates, providing a way to apply consistent settings across multiple devices. CLI templates are evaluated and executed in order from top to bottom within the template group, which is crucial for managing dependencies. Furthermore, CLI template groups can contain both regular CLI templates and advanced (Perl-script-based) templates, allowing complex or conditional configuration logic."

This modular design streamlines large deployments by separating system, SD-WAN, and CLI logic into reusable building blocks.

MSSPs typically keep SD-WAN hubs in their infrastructure for cost and management efficiency. However:

"If the customer requires Secure Internet Access (SIA) with centralized breakout—meaning all internet-bound traffic must pass through the customer’s premises for compliance or inspection—the hub must be installed locally. Similarly, if there is a large volume of traffic between the customer’s branches that would overwhelm a cloud-based hub or require low-latency, local hub placement is necessary."

This ensures policy enforcement and optimal performance for specific customer needs.

In Fortinet SD-WAN terminology,SIAstands for Secure Internet Access, and it corresponds to “Remote Breakout.” The SD-WAN 7.4 documentation states:

"Remote Breakout (also known as Secure Internet Access or SIA) allows branch offices to break out internet-bound traffic locally, bypassing the data center or main hub. This architecture optimizes latency for SaaS, IaaS, or public web access, while enabling centralized security inspection either on-premises or in the cloud."

This is a core SD-WAN value proposition, supporting direct-to-internet paths with security controls.

The implicit SD-WAN rule serves as the final catch-all. Per Fortinet:

"Sessions matching the implicit SD-WAN rule do not have an SD-WAN service id, as they are not associated with any specific user-defined SD-WAN rule. Additionally, this occurs only when traffic fails to match any entry in the policy route table. This default handling guarantees connectivity while minimizing the risk of blackholed traffic."

Administrators can observe this in diagnostic outputs for troubleshooting.