NSE5_SSE_AD-7.6 Fortinet NSE 5 - FortiSASE and SD-WAN 7.6 Core Administrator Questions and Answers

According to theSD-WAN 7.6 Core Administratorstudy guide and theFortiOS 7.6 Administration Guide, the selection of a preferred member in aBest Quality (priority)rule is determined by the measured quality metric (latency, in this case) and thelink-cost-threshold.

Rule Logic (Best Quality): In the exhibit, the SD-WAN rule is configured with set mode priority, which corresponds to theBest Qualitystrategy. This strategy ranks members based on the link-cost-factor, which is set tolatency.

The Link-Cost-Threshold: The exhibit shows link-cost-threshold(10), which is the default 10% value. This threshold is designed to prevent "link flapping". To replace the current preferred member, a new member must not only have a better latency but must be better bymore than 10%.

The Calculation:

The current preferred member isHUB1-VPN1with a real latency of96.349 ms.

To calculate the "target" latency a lower-priority member must achieve to take over, we use the formula: $Target = \frac{Current\_Latency}{(1 + \frac{Threshold}{100})}$.

$\frac{96.349}{1.1} = \mathbf{87.59\text{ ms}}$.

Evaluating Options:

Option A (80 ms): Since 80 ms is lower than the required 87.59 ms target, HUB1-VPN3 successfully overcomes the 10% advantage of HUB1-VPN1 and becomes the new preferred member.

Option D (90 ms): While 90 ms is lower than 96.349 ms, it isnotlower than 87.59 ms. Therefore, the 10% threshold prevents a member switch, and HUB1-VPN1 remains preferred.

Option B: Incorrect because having a "lower" latency is not enough due to the 10% threshold.

Option C: If HUB1-VPN1 moved to 200 ms, HUB1-VPN2 (at 141.278 ms) would likely become the new preferred member before HUB1-VPN3 (at 190.984 ms).

"If a flow is identified as belonging to a defined application category (such as social media), FortiGate will match it to the corresponding service rule (rule 2) and route it through the specified interface, such as port2. However, if the application is not recognized during the session setup, the system defaults to load balancing the traffic using the available tunnels according to the policy for unclassified traffic, ensuring continuous connectivity while waiting for application classification."

This guarantees both performance and resilience.

For customers with hybrid environments (on-premises SD-WAN branches and remote FortiSASE users), theFortiOS 7.6andFortiSASEcurriculum recommends centralized log aggregation for unified visibility.

Centralized Reporting:The standard architectural best practice is toforward logs from FortiSASE to an external FortiAnalyzer (Option C).

Unified View:Since the customer's on-premises FortiGate SD-WAN branches are already sending logs to an existing FortiAnalyzer, adding the FortiSASE log stream to that sameFortiAnalyzerallows for the creation ofcombined reports.

Fabric Integration:This setup leverages theSecurity Fabric, enabling the FortiAnalyzer to provide a single pane of glass for monitoring security events, application usage, and SD-WAN performance metrics across the entire distributed network.

Why other options are incorrect:

Option A:SOCaaSis a managed service for threat monitoring, not a primary tool for an administrator to generate combined SD-WAN/SASE operational reports.

Option B:FortiSASE is not designed to act as a log collector or reporting hub for external on-premises FortiGates.

Option D:Data flows from the source (FortiSASE) to the collector (FortiAnalyzer), not the other way around.

According to theFortiSASE 7.6 Architecture GuideandFCP - FortiSASE 24/25 Administratormaterials, the solution is built around three primary use cases that support a hybrid workforce:

Secure Internet Access (SIA):This enables secure web browsing by applying security profiles such asWeb Filter,Anti-Malware, andSSL Inspectionin the SASE cloud. It protects remote users from internet-based threats regardless of their location.

Secure Private Access (SPA):This provides granular, explicit access to private applications hosted in data centers or the cloud. It is achieved throughZTNA (Zero Trust Network Access)for session-based security or throughSD-WAN integrationwhere FortiSASE acts as a spoke to an existing corporate SD-WAN hub.

SaaS Security:FortiSASE utilizesInline-CASBandShadow IT visibilityto monitor and control the use of cloud applications.Data Loss Prevention (DLP)is integrated into these workflows to prevent sensitive corporate data from being uploaded to unauthorized SaaS platforms.

Why other options are incorrect:

Option A:While it mentions SD-WAN and Shadow IT, it misses the core definition of SIA (secure web browsing) which is the primary driver for SASE deployments.

Option B:Remote Browser Isolation (RBI)is typically applied to risky or uncategorized websites, not "all websites," due to the high performance and resource overhead.

Option D:FortiSASE is designed to protect data in motion (via security profiles) as well as data stored in sanctioned cloud apps, not "at rest only".

In theSD-WAN 7.6 Core Administratorcurriculum, steering "local-out" traffic (traffic generated by the FortiGate itself, such as DNS queries, FortiGuard updates, or diagnostic pings) requires specific configuration because this traffic follows a different path than "forward" traffic.

Individual Configuration (Option A): By default, local-out traffic bypasses the SD-WAN engine and uses the standard system routing table (RIB/FIB). To use SD-WAN rules for specific features like DNS or RADIUS, you must individually enable the sdwan interface-select-method within that feature's configuration (e.g., config system dns or config user radius).

Default Steerable Traffic (Option B): In FortiOS 7.6, while most local-out traffic is excluded from SD-WAN by default, the system is designed so that when SD-WAN is active, it primarily considers SD-WAN rules for specific diagnostic local-out traffic—specificallypingandtraceroute—to allow administrators to verify path quality using the same logic as user traffic.

Why other options are incorrect:

Option C: Local-out traffic can be steered using any SD-WAN strategy (Manual, Best Quality, etc.), provided the interface-selection-method is set to sdwan.

According to theSD-WAN 7.6 Core Administratorstudy guide andFortiOS 7.6 Administration Guide, the "implicit rule" is the default rule at the bottom of the SD-WAN rule list (ID 0). It is only evaluated if traffic does not match any manually configured SD-WAN rules.

Policy Route Table Context (Option B): SD-WAN rules are technically a specialized form of policy-based routing. For a packet to match theimplicit rule, it must first pass through the routing hierarchy. If traffic matches the implicit rule, it indicates that it did not match any higher-priority user-defined SD-WAN rules or any specific entries in the manualpolicy route tablethat would have intercepted the traffic earlier.

Session Information (Option E): When you use the CLI to inspect an active session (e.g., diagnose sys session list), the output contains a field for theSD-WAN Service ID. If traffic is steered by a user-defined rule, it displays the ID of that rule (e.g., service_id=1). However, when traffic falls through to theimplicit rule, the session information displaysno SD-WAN service ID(it often shows as 0 or is omitted), because the implicit rule does not function as a "service" in the same way user-defined rules do.

Routing Behavior: The implicit rule follows the standard routing table (RIB/FIB) logic. It uses thepriorityanddistanceof the static routes to determine the path. If multiple paths have the same distance and priority, it uses the algorithm set by v4-ecmp-mode, but this is a function of the routing engine, not the SD-WAN engine itself.

Why other options are incorrect:

Option A: While v4-ecmp-mode (e.g., source-ip-based) is used for ECMP routing, this is part of the general FortiOS routing behavior for equal-cost paths in the FIB, whereas the implicit rule simply "hands over" the decision to that routing table.

Option C: When traffic matches the implicit rule, the session is actually flagged with vwl_id=0 and potentially dirty if a route change occurs, but vwl_default is not the standard flag name used in this specific context in the curriculum.

Option D: This is incorrect because the implicit ruledoes respect weight, distance, and priorityas defined in the static routes within the routing table; it does not distribute traffic "regardless" of these values.