Refer to the exhibit. You configure SD-WAN on a standalone FortiGate device. You want to create an SD-WAN rule that steers traffic related to Facebook and LinkedIn through the less costly internet link. What must you do to set Facebook and LinkedIn applications as destinations from the GUI?
Correct Answer: B
According to the SD-WAN 7.6 Core Administrator curriculum and the FortiOS 7.6 Administration Guide, setting common web-based services like Facebook and LinkedIn as destinations in an SD-WAN rule is primarily accomplished through the Internet Service Database (ISDB).
* Internet Service vs. Application Control: In FortiOS, there is a distinction between Internet Services (which use a database of known IP addresses and ports to identify traffic at the first packet) and Applications (which require the IPS engine to inspect deeper into the packet flow to identify Layer 7 signatures).
* SD-WAN Efficiency: Fortinet recommends using the Internet service field for services like Facebook and LinkedIn in SD-WAN rules because it allows the FortiGate to steer the traffic immediately upon the first packet. If the "Application" signatures were used instead, the first session might be misrouted because the application is not identified until after the initial handshake.
* GUI Configuration: As shown in the exhibit, the "Destination" section of an SD-WAN rule includes an Internet service field by default. To steer Facebook and LinkedIn traffic, the administrator simply clicks the "+" icon in that field and selects the entries for Facebook and LinkedIn from the database.
* Feature Visibility (Alternative): While you can enable a specific "Application" field in System > Feature Visibility (by enabling "Application Detection Based SD-WAN"), this is typically used for less common applications that do not have dedicated ISDB entries. For the specific "applications" mentioned (Facebook and LinkedIn), they are natively available in the Internet service field, making Option B the most direct and common implementation.
Why other options are incorrect:
* Option A: Licensing for application signatures is part of the standard FortiGuard services and is not a prerequisite specific only to "applications as destinations" in SD-WAN rules.
* Option C: Standalone FortiGate devices fully support application-based and ISDB-based steering in SD-WAN rules.
* Option D: While enabling feature visibility would add an additional field for L7 applications, it is not a "must" for Facebook and LinkedIn, which are already accessible via the Internet Service field provided in the default GUI layout.
NSE5_SSE_AD-7.6 Exam Question 7
Refer to the exhibit. The SD-WAN rule status and configuration is shown. Based on the exhibit, which change in the measured latency will first make HUB1-VPN3 the new preferred member?
Correct Answer: A
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, the selection of a preferred member in a Best Quality (priority) rule is determined by the measured quality metric (latency, in this case) and the link-cost-threshold.
* Rule Logic (Best Quality): In the exhibit, the SD-WAN rule is configured with set mode priority, which corresponds to the Best Quality strategy. This strategy ranks members based on the link-cost-factor, which is set to latency.
* The Link-Cost-Threshold: The exhibit shows link-cost-threshold(10), which is the default 10% value. This threshold is designed to prevent "link flapping". To replace the current preferred member, a new member must not only have a better latency but must be better by more than 10%.
* The Calculation:
  * The current preferred member is HUB1-VPN1 with a real latency of 96.349 ms.
  * To calculate the "target" latency a lower-priority member must achieve to take over, we use the formula: $Target = \frac{Current\_Latency}{(1 + \frac{Threshold}{100})}$.
  * $\frac{96.349}{1.1} = \mathbf{87.59\text{ ms}}$.
* Evaluating Options:
  * Option A (80 ms): Since 80 ms is lower than the required 87.59 ms target, HUB1-VPN3 successfully overcomes the 10% advantage of HUB1-VPN1 and becomes the new preferred member.
  * Option D (90 ms): While 90 ms is lower than 96.349 ms, it is not lower than 87.59 ms. Therefore, the 10% threshold prevents a member switch, and HUB1-VPN1 remains preferred.
  * Option B: Incorrect because having a "lower" latency is not enough due to the 10% threshold.
  * Option C: If HUB1-VPN1 moved to 200 ms, HUB1-VPN2 (at 141.278 ms) would likely become the new preferred member before HUB1-VPN3 (at 190.984 ms).
NSE5_SSE_AD-7.6 Exam Question 8
In which order does a FortiGate device consider the following elements shown in the left column during the route lookup process? Place the four correct elements in order, placing the first element in the first position at the top of the column.
Correct Answer:
NSE5_SSE_AD-7.6 Exam Question 9
An existing Fortinet SD-WAN customer who has recently deployed FortiSASE wants to have a comprehensive view of, and combined reports for, both SD-WAN branches and remote users. How can the customer achieve this?
Correct Answer: C
For customers with hybrid environments (on-premises SD-WAN branches and remote FortiSASE users), the FortiOS 7.6 and FortiSASE curriculum recommends centralized log aggregation for unified visibility.
* Centralized Reporting: The standard architectural best practice is to forward logs from FortiSASE to an external FortiAnalyzer (Option C).
* Unified View: Since the customer's on-premises FortiGate SD-WAN branches are already sending logs to an existing FortiAnalyzer, adding the FortiSASE log stream to that same FortiAnalyzer allows for the creation of combined reports.
* Fabric Integration: This setup leverages the Security Fabric, enabling the FortiAnalyzer to provide a single pane of glass for monitoring security events, application usage, and SD-WAN performance metrics across the entire distributed network.
Why other options are incorrect:
* Option A: SOCaaS is a managed service for threat monitoring, not a primary tool for an administrator to generate combined SD-WAN/SASE operational reports.
* Option B: FortiSASE is not designed to act as a log collector or reporting hub for external on-premises FortiGates.
* Option D: Data flows from the source (FortiSASE) to the collector (FortiAnalyzer), not the other way around.
NSE5_SSE_AD-7.6 Exam Question 10
Which two statements about configuring a steering bypass destination in FortiSASE are correct? (Choose two.)
Correct Answer: B,C
According to the FortiSASE 7.6 Feature Administration Guide, steering bypass destinations (also known as split tunneling) allow administrators to optimize bandwidth by redirecting specific trusted traffic away from the SASE tunnel to the endpoint's local physical interface.
* Destination Types (Option C): When creating a bypass destination, administrators can select from four distinct types: Infrastructure (pre-defined apps like Zoom/O365), FQDN (specific domains), Local Application (identifying processes on the laptop), or Subnet (specific IP ranges).
* Apply Condition (Option B): The "Apply" condition is a flexible setting that allows the administrator to choose when the bypass is active. It can be applied to endpoints that are On-net (inside the office), Off-net (remote), or Both. This ensures that if a user is in the office, they don't use the SASE tunnel for local resources, but if they are home, they might still bypass high-bandwidth sites like YouTube to preserve tunnel capacity.
Why other options are incorrect:
* Option A: Subnet is one of four types and is not the only type supporting these conditions.
* Option D: The system explicitly supports "Both" to ensure consistency across network transitions.