Big Black Friday Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

FCSS - SD-WAN 7.4 Architect Question and Answers

FCSS - SD-WAN 7.4 Architect

Last Update Nov 22, 2025
Total Questions : 68

We are offering FREE FCSS_SDW_AR-7.4 Fortinet exam questions. All you do is to just go and sign up. Give your details, prepare FCSS_SDW_AR-7.4 free exam questions and then go for complete pool of FCSS - SD-WAN 7.4 Architect test questions that will help you more.

FCSS_SDW_AR-7.4 pdf

FCSS_SDW_AR-7.4 PDF

$36.75  $104.99
 Add to Cart
FCSS_SDW_AR-7.4 Engine

FCSS_SDW_AR-7.4 Testing Engine

$43.75  $124.99
 Add to Cart
FCSS_SDW_AR-7.4 PDF + Engine

FCSS_SDW_AR-7.4 PDF + Testing Engine

$57.75  $164.99
 Add to Cart
Questions 1

Refer to the exhibit.

How does FortiGate handle the traffic with the source IP 10.0.1.130 and the destination IP 128.66.0 125?

Options:

A.  

FortiGate routes the traffic flow according to the FIB.

B.  

FortiGate load balances the traffic flow through port1 and port2.

C.  

FortiGate drops the traffic flow.

D.  

FortiGate steers the traffic flow through port2.

Discussion 0
Questions 2

Refer to the exhibits.

The exhibits show the SD-WAN zone configuration of an SD-WAN template prepared on FortiManager and the policy package configuration.

When the administrator tries to install the configuration changes, FortiManager fails to commit.

What should the administrator do to fix the issue?

Options:

A.  

Configure branch1_fgt as the installation target for policy 3.

B.  

Configure HUB1 as the destination of policy 3.

C.  

Configure a normalized interface for the IPsec tunnel HUB1-VPN1.

D.  

Configure both HUB1-VPN1 and HUB1-VPN2 as the destination of policy 3

Discussion 0
Questions 3

As an MSSP administrator, you are asked to configure ADVPN on an existing SD-WAN topology. FortiManager manages the customer devices in a dedicated ADOM. The previous administrator used the SD-WAN overlay topology.

Which two statements apply to this scenario? (Choose two.)

Options:

A.  

You can activate auto-discovery VPN in the SD-WAN overlay template only if it is a single hub topology.

B.  

When auto-discovery VPN is enabled, FortiManager updates the IPsec and BGP templates in the hub.

C.  

After you enable auto-discovery VPN in the overlay template, you must select between ADVPN 2.0 and ADVPN 1.0.

D.  

You can activate auto-discovery VPN in the SD-WAN overlay template for any type of topology, including a primary-primary dual-hub topology.

Discussion 0
Questions 4

Refer to the exhibit.

The administrator used the SD-WAN overlay template to prepare an IPsec tunnels configuration for a hub-and-spoke SD-WAN topology. The exhibit shows the FortiManager installation preview for one FortiGate device.

Based on the exhibit, which statement best describes the configuration applied to the FortiGate device?

Options:

A.  

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The local subnet range is 10.10.128.0/23.

B.  

It is a hub device. It can send ADVPN shortcut offers.

C.  

It is a hub device. It will automatically discover the spoke devices and add them to the SD-WAN topology.

D.  

It is a spoke device that establishes dynamic IPsec tunnels to the hub It can send ADVPN shortcut requests.

Discussion 0
Questions 5

Exhibit.

Two hub-and-spoke groups are connected through redundant site-to-site IPsec VPNs between Hub 1 and Hub 2

Which two configuration settings are required for the spoke A1 to establish an ADVPN shortcut with the spoke B2? (Choose two.)

Options:

A.  

On hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to hubs.

B.  

On hubs, auto-discovery-receiver must be enabled on the IPsec VPNs to spokes.

C.  

On hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to spokes.

D.  

On hubs, auto-diacovery-sender must be enabled on the IPsec VPNs to spokes

Discussion 0
Questions 6

When you use the command diagnose sys session list, how do you identify the sessions that correspond to traffic steered according to SD-WAN rules?

Options:

A.  

You identify sessions steered according to SD-WAN rules with the flag vwl.

B.  

You cannot identify SD-WAN sessions. You must use the sdwar. session filter.

C.  

You identify sessions steered according to SD-WAN rules with the data vwl_mbr_seq.

D.  

You identify sessions steered according to SD-WAN rules with the data 3dwan_service_id.

Discussion 0
Questions 7

The FortiGate devices are managed by ForliManager, and are configured for direct internet access (DIA). You confirm that DIA is working as expected for each branch, and check the SD-WAN zone configuration and firewall policies shown in the exhibits.

Then, you use the SD-WAN overlay template to configure the IPsec overlay tunnels. You create the associated SD-WAN rules to connect existing branches to the company hub device and apply the changes on the branches.

After those changes, users complain that they lost internet access. DIA is no longer working.

Based on the exhibit, which statement best describes the possible root cause of this issue?

Options:

A.  

The SD-WAN overlay template defines a zone for each underlay interface and moves the interfaces into those zones.

B.  

The SD-WAN overlay template didn’t configure a firewall policy to allow traffic through the overlay.

C.  

The SD-WAN overlay template redefines the interface gateway addresses if they are defined with metadata variables.

D.  

The SD-WAN overlay template updates the SD-WAN template and the rules.

Discussion 0
Questions 8

Refer to the exhibits.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in the first exhibit. After generating GoToMeeting test traffic, the administrator examined the corresponding traffic log on FortiAnalyzer, which is shown in the second exhibit.

The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.

Which two reasons explain why some log messages show that the traffic matched the implicit SD-WAN rule? (Choose two.)

Options:

A.  

Full SSL inspection is not enabled on the matching firewall policy.

B.  

The session 3-tuple did not match any of the existing entries in the ISDB application cache.

C.  

FortiGate could not refresh the routing information on the session after the application was detected.

D.  

No configured SD-WAN rule matches the traffic related to the collaboration application GoToMeeting

Discussion 0
Questions 9

Refer to the exhibit.

Which SD-WAN rule and interface uses FortiGate to steer the traffic from the LAN subnet 10.0.1.0/24 to the corporate server 10.2.5.254?

Options:

A.  

SD-WAN service rule 3 and interface HUB1-VPN2.

B.  

SD-WAN service rule 3 and interface HUB1-VPN3.

C.  

SD-WAN service rule 4 and port1 or port2.

D.  

SD-WAN service rule 4 and interface port2.

Discussion 0
Questions 10

Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths

Which three settings must the administrator configure inside each BGP neighbor group so spokes can learn the prefixes of other spokes and their additional paths? (Choose three.)

Options:

A.  

Set additional-path to send

B.  

Set additional-path to forward

C.  

Enable route-reflector-server

D.  

Enable route-reflector-client.

E.  

Set adv-additional-path to the number of additional paths to advertise.

Discussion 0
Questions 11

Exhibit.

For your ZTP deployment, you review the CSV file shown in exhibit and note that it is missing important information. Which two elements must you change before you can import it into FortiManager? (Choose two.)

Options:

A.  

You must associate a device blueprint with each device

B.  

You must define a name for each device

C.  

You must define a value for each device and each metadata variable that defines an IP address.

D.  

You must define a value for each device and each user-defined metadata variable.

Discussion 0
Questions 12

Refer to the exhibits.

The first exhibit shows the SD-WAN zone HUB1 and SD-WAN member configuration from an SD-WAN template, and the second exhibit shows the output of command diagnose sys sdwan member collected on a FortiGate device.

Which statement best describes what the diagnose output shows?

Options:

A.  

The diagnose output shows that HUB1-VPN1 and all HUBx-VPNy members are dead.

B.  

The diagnose output does not correspond to a device configured with the SD-WAN template shown in the exhibit.

C.  

The diagnose output was collected on the device branch2_fgt.

D.  

The diagnose output was collected on the device branch1_fgt

Discussion 0
Questions 13

Refer to the exhibits.

The exhibits show the source NAT (SNAT) global setting. port2 interface settings, and the routing table on FortiGate.

The administrator increases the member priority on port2 to 20.

Upon configuration changes and the receipt of new packets, which two actions does FortiGate perform on existing sessions established over port2? (Choose two.)

Options:

A.  

FortiGate continues routing all existing sessions over port2.

B.  

FortiGate routes only new sessions over port2.

C.  

FortiGate flags the SNAT session as dirty only if the administrator has assigned an IP pool to the firewall policies with NAT.

D.  

FortiGate flags the sessions as dirty.

E.  

FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Discussion 0
Questions 14

Refer to the exhibit, which shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured latency will first make HUB1-VPN3 the new preferred member?

Options:

A.  

When HUB1-VPN3 has a lower latency than HUB1-VPN1 and HUB1-VPN2

B.  

When HUB1-VPN3 has a latency of 80 ms

C.  

When HUB1-VPN3 has a latency of 90 ms

D.  

When HUB1-VPN1 has a latency of 200 ms

Discussion 0
Questions 15

Your FortiGate is in production. To optimize WAN link use and improve redundancy, you enable and configure SD-WAN.

What must you do as part of this configuration update process?

Options:

A.  

Replace references to interfaces used as SD-WAN members in the routing configuration.

B.  

Purchase and install the SD-WAN license, and reboot the FortiGate device.

C.  

Replace references to interfaces used as SD-WAN members in the firewall policies.

D.  

Disable the interface that you want to use as an SD-WAN member.

Discussion 0
Questions 16

Refer to the exhibit that shows a diagnose output on FortiGate.

Based on the output shown in the exhibit, what can you say about the device role and how it handles health checks?

Options:

A.  

The device is a spoke. It receives health-check measures for the tunnels of another spoke.

B.  

The device is a hub. It receives embedded health-check measures for each tunnel from the spoke.

C.  

The device is a spoke. It provides embedded health-check measures for each tunnel to the hub.

D.  

The device is a hub. It receives health-check measures for the tunnels of a spoke.

Discussion 0
Questions 17

You want FortiGate to use SD-WAN rules to steer local-out traffic.

Which two constraints should you consider? (Choose two.)

Options:

A.  

By default, FortiGate uses SD-WAN rules only for local-out traffic that corresponds to ping and traceroute.

B.  

By default, local-out traffic does not use SD-WAN.

C.  

You can steer local-out traffic only with SD-WAN rules that use the manual strategy.

D.  

You must configure each local-out feature individually to use SD-WAN.

Discussion 0
Questions 18

Refer to the exhibit.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network.

The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over HUB1-VPN1. However, the traffic is routed over HUB1-VPN3.

Based on the output shown in the exhibit, which two reasons, individually or together, could explain the observed behavior? (Choose two.)

Options:

A.  

HUB1-VPN3 has a higher member configuration priority than HUB1-VPN1.

B.  

The traffic matches a regular policy route configured with HUB1-VPN3 as the outgoing device

C.  

HUB1-VPN1 does not have a valid route to the destination

D.  

HUB1-VPN3 has a lower route priority value (higher priority) than HUB1-VPN1.

Discussion 0
Questions 19

Refer to the exhibits.

The exhibits show the configuration for SD-WAN performance. SD-WAN rule, the application IDs of Facebook and YouTube along with the firewall policy configuration and the underlay zone status.

Which two statements are true about the health and performance of SD-WAN members 3 and 4? (Choose two.)

Options:

A.  

Only related TCP traffic is used for performance measurement.

B.  

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

C.  

Encrypted traffic is not used for the performance measurement.

D.  

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Discussion 0
Questions 20

Refer to the exhibit.

Which statement best describe the role of the ADVPN device in handling traffic?

Options:

A.  

This is a spoke that has received a direct shortcut query from a remote spoke.

B.  

This is a hub, and two spokes, 192.2.0.1 and 10.0.3.101, establish a shortcut.

C.  

This is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke.

D.  

This is a spoke that has received a shortcut query from a remote hub.

Discussion 0