Fortinet NSE5_SSE_AD-7.6 Exam Questions

According to the SD-WAN 7.6 Core Administrator curriculum and the FortiOS 7.6 Administration Guide, setting common web-based services like Facebook and LinkedIn as destinations in an SD-WAN rule is primarily accomplished through the Internet Service Database (ISDB).

Internet Service vs. Application Control: In FortiOS, there is a distinction between Internet Services (which use a database of known IP addresses and ports to identify traffic at the first packet) and Applications (which require the IPS engine to inspect deeper into the packet flow to identify Layer 7 signatures).

SD-WAN Efficiency: Fortinet recommends using the Internet service field for services like Facebook and LinkedIn in SD-WAN rules because it allows the FortiGate to steer the traffic immediately upon the first packet. If the 'Application' signatures were used instead, the first session might be misrouted because the application is not identified until after the initial handshake.

GUI Configuration: As shown in the exhibit (image_b3a4c2.png), the 'Destination' section of an SD-WAN rule includes an Internet service field by default. To steer Facebook and LinkedIn traffic, the administrator simply clicks the '+' icon in that field and selects the entries for Facebook and LinkedIn from the database.

Feature Visibility (Alternative): While you can enable a specific 'Application' field in System > Feature Visibility (by enabling 'Application Detection Based SD-WAN'), this is typically used for less common applications that do not have dedicated ISDB entries. For the specific 'applications' mentioned (Facebook and LinkedIn), they are natively available in the Internet service field, making Option B the most direct and common implementation.

Why other options are incorrect:

Option A: Licensing for application signatures is part of the standard FortiGuard services and is not a prerequisite specific only to 'applications as destinations' in SD-WAN rules.

Option C: Standalone FortiGate devices fully support application-based and ISDB-based steering in SD-WAN rules.

Option D: While enabling feature visibility would add an additional field for L7 applications, it is not a 'must' for Facebook and LinkedIn, which are already accessible via the Internet Service field provided in the default GUI layout.

According to the SD-WAN 7.6 Core Administrator curriculum and the FortiOS 7.6 Administration Guide, setting common web-based services like Facebook and LinkedIn as destinations in an SD-WAN rule is primarily accomplished through the Internet Service Database (ISDB).

Internet Service vs. Application Control: In FortiOS, there is a distinction between Internet Services (which use a database of known IP addresses and ports to identify traffic at the first packet) and Applications (which require the IPS engine to inspect deeper into the packet flow to identify Layer 7 signatures).

SD-WAN Efficiency: Fortinet recommends using the Internet service field for services like Facebook and LinkedIn in SD-WAN rules because it allows the FortiGate to steer the traffic immediately upon the first packet. If the 'Application' signatures were used instead, the first session might be misrouted because the application is not identified until after the initial handshake.

GUI Configuration: As shown in the exhibit (image_b3a4c2.png), the 'Destination' section of an SD-WAN rule includes an Internet service field by default. To steer Facebook and LinkedIn traffic, the administrator simply clicks the '+' icon in that field and selects the entries for Facebook and LinkedIn from the database.

Feature Visibility (Alternative): While you can enable a specific 'Application' field in System > Feature Visibility (by enabling 'Application Detection Based SD-WAN'), this is typically used for less common applications that do not have dedicated ISDB entries. For the specific 'applications' mentioned (Facebook and LinkedIn), they are natively available in the Internet service field, making Option B the most direct and common implementation.

Why other options are incorrect:

Option A: Licensing for application signatures is part of the standard FortiGuard services and is not a prerequisite specific only to 'applications as destinations' in SD-WAN rules.

Option C: Standalone FortiGate devices fully support application-based and ISDB-based steering in SD-WAN rules.

Option D: While enabling feature visibility would add an additional field for L7 applications, it is not a 'must' for Facebook and LinkedIn, which are already accessible via the Internet Service field provided in the default GUI layout.

According to the FortiSASE 7.6 Administration Guide and the FCP - FortiSASE 24/25 Administrator curriculum, the Agentless deployment mode---commonly referred to as Secure Web Gateway (SWG) mode---is a vital component of the Secure Internet Access (SIA) framework.

Deployment Mechanism: In an agentless deployment, FortiSASE functions as an explicit web proxy. This is achieved by distributing a PAC (Proxy Auto-Configuration) file to the user's browser, which instructs the device to send its web traffic to the nearest FortiSASE Point of Presence (PoP).

Target Use Case: This mode is specifically designed for unmanaged endpoints, such as those used by contractors, partners, or temporary workers, where the organization does not have the authority or capability to install the FortiClient agent.

Security Capabilities: Even without an agent, FortiSASE applies a full security stack to the redirected traffic. This includes Web Filtering, Anti-Malware, SSL Inspection, and Inline-CASB to secure HTTP and HTTPS sessions.

Protocol Limitations: Because it relies on proxy settings, this mode is limited to web protocols (HTTP/HTTPS) and does not inherently secure non-web traffic like ICMP, DNS, or custom TCP/UDP applications unless they are specifically proxied.

Why other options are incorrect:

Option A: While it provides secure browsing, session isolation (RBI) is a specific feature that can be used in either mode; the defining characteristic of the agentless use case is the proxy-based redirection for unmanaged devices.

Option C: A PAC file can only secure web traffic (protocols that support proxying), not non-web traffic protocols.

Option D: Agentless mode is the opposite of requiring FortiClient; ZTNA tags generally require the FortiClient agent to provide the necessary telemetry for tag evaluation.

According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, the selection process for the Best Quality (priority) strategy depends on two primary factors: the measured link quality metric and the configured member priority order.

Based on the provided exhibit (image_b40dfc.png), we can determine the following:

Strategy and Metric: The rule is in Mode(priority) (Best Quality) using link-cost-factor(packet loss).

Strict Comparison: The link-cost-threshold is set to 0. This means there is no 'advantage' given to the current preferred link; the FortiGate performs a strict comparison where the link with the objectively best metric is chosen.

Tie-Breaker Logic: When multiple links have the same packet loss, the FortiGate uses the Member Priority Order defined in the rule (set priority-members 6 4 5) as the tie-breaker.

Member 6 (HUB1-VPN3) is the highest priority.

Member 4 (HUB1-VPN1) is the second priority.

Member 5 (HUB1-VPN2) is the lowest priority.

Current State: HUB1-VPN1 is currently selected because its packet loss (2.000%) is lower than HUB1-VPN2 (4.000%) and HUB1-VPN3 (12.000%). Even though HUB1-VPN3 has a higher configuration priority, its significantly higher packet loss prevents it from being chosen.

Evaluation of Options:

Option A (Verified): If all three members have the same packet loss (e.g., they all show 2%), the quality metrics are equal. The SD-WAN engine then refers to the priority-members list. Since HUB1-VPN3 (Seq 6) is the first member in that list, it will immediately become the new preferred member.

Option B: If HUB1-VPN1 reaches 4%, it matches HUB1-VPN2 (4%). HUB1-VPN3 remains at 12%. The system will choose between VPN1 and VPN2. Since VPN1 (Seq 4) is higher in the priority list than VPN2 (Seq 5), HUB1-VPN1 stays preferred.

Option C: If HUB1-VPN1 reaches 12%, it matches HUB1-VPN3. However, HUB1-VPN2 is still better at 4.000%. Therefore, HUB1-VPN2 would become the new preferred member, not HUB1-VPN3.

Option D: If HUB1-VPN3 drops to 4%, it matches HUB1-VPN2. However, HUB1-VPN1 is still the best link at 2.000%, so it remains selected.

According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, configuring load balancing within SD-WAN rules requires an understanding of how the engine selects and distributes sessions across multiple links.

SLA Target Logic (Option A): In FortiOS 7.6, the Lowest Cost (SLA) strategy has been enhanced. When the load-balance option is enabled for this strategy, the FortiGate does not just pick a single 'best' link; it identifies all member interfaces that currently meet the configured SLA target (e.g., latency < 100ms). It then load balances the traffic across all those healthy links to maximize resource utilization.

Hash Modes (Option D): When an SD-WAN rule is configured for load balancing (valid for Manual and Lowest Cost (SLA) strategies in 7.6), the administrator must define a hash mode to determine how sessions are distributed. While 'outsessions' in the question is a common exam-variant typo for outbandwidth (or sessions-based hashing), the core principle remains: you can select the specific load-balancing algorithm (e.g., source-ip, round-robin, or bandwidth-based) for all strategies where load-balancing is enabled.

Why other options are incorrect:

Option B and C: These options are too restrictive. In FortiOS 7.6, load balancing is not limited to only 'manual and best quality' or 'manual and lowest cost' in a singular way. The documentation highlights that Manual and Lowest Cost (SLA) are the primary strategies that support the explicit load-balance toggle to steer traffic through multiple healthy members simultaneously.