Fortinet NSE5_SSE_AD-7.6 Exam
Fortinet NSE 5 - FortiSASE and SD-WAN 7.6 Core Administrator (Page 2)

Updated On: 1-Feb-2026

SD-WAN interacts with many other FortiGate features. Some of them are required to allow SD-WAN to steer the traffic.

Which three configuration elements must you configure before FortiGate can steer traffic according to SD-WAN rules? (Choose three.)

  A. Firewall policies
  B. Security profiles
  C. Interfaces
  D. Routing
  E. Traffic shaping

Answer(s): A,C,D

Explanation:

According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, for the FortiGate SD-WAN engine to successfully steer traffic using SD-WAN rules, three fundamental configuration components must be in place. This is because the SD-WAN rule lookup occurs only after certain initial conditions are met in the packet flow:

Interfaces (Option C): You must first define the physical or logical interfaces (ISP links, LTE, or VPN tunnels) as SD-WAN members and place them in an SD-WAN zone (the default zone is virtual-wan-link). Without member interfaces there is no pool of links for an SD-WAN rule to choose from.

Routing (Option D): For a packet to be considered by the SD-WAN engine at all, there must be a matching route in the Forwarding Information Base (FIB) whose next hop is the SD-WAN zone. Usually this is a static route (often a default route) whose outgoing interface is set to the SD-WAN zone rather than to an individual member. If no route points at the SD-WAN zone, FortiGate forwards the packet according to whatever other route matches and the SD-WAN rules are never consulted.

Firewall Policies (Option A): In FortiOS no traffic passes through the device unless a firewall policy allows it. To steer traffic you need a policy whose incoming interface is the internal network and whose outgoing interface is the SD-WAN zone (for example virtual-wan-link). SD-WAN rule lookup happens when the session is created, and again whenever the session is flagged dirty after a routing or policy change, so a matching policy must exist before any rule is evaluated.

Why other options are incorrect:

Security Profiles (Option B): Application-based steering depends on Layer 7 application identification, but basic SD-WAN steering on IP addresses, ports, or ISDB objects works without any security profile on the policy.

Traffic Shaping (Option E): This is an optimization feature used to manage bandwidth once steering is already determined; it is not a prerequisite for the steering engine itself to function.
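The three prerequisites above, written out as one FortiOS 7.x CLI configuration. This is an added example, not text from the study guide or the administration guide; the interface names (port1, port2 as WAN members, port3 as LAN), the ISP gateway addresses, and the LAN subnet are assumptions chosen for illustration.

```fortios
# 1. Interfaces: two WAN links become SD-WAN members of the default zone.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    # An SD-WAN rule; it is only reached once the route and policy below exist.
    config service
        edit 1
            set name "LAN-prefer-port2"
            set mode manual
            set src "LAN_net"
            set dst "all"
            set priority-members 2 1
        next
    end
end

# Source address object used by the rule and the policy.
config firewall address
    edit "LAN_net"
        set subnet 10.0.1.0 255.255.255.192
    next
end

# 2. Routing: a default route whose next hop is the SD-WAN zone, not a member.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
end

# 3. Firewall policy: LAN to the SD-WAN zone; without it no session is created
#    and the SD-WAN rule is never consulted.
config firewall policy
    edit 1
        set name "LAN-to-SDWAN"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To confirm the pieces fit together, run `diagnose sys sdwan service` to see the rule and its member selection, and `get router info routing-table all` to confirm the default route resolves to the SD-WAN zone. Leaving either the route or the policy out is the most common reason a rule shows as configured but never matches.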



The IT team is wondering whether they will need to continue using MDM tools for future FortiClient upgrades.

What options are available for handling future FortiClient upgrades?

  A. Enable the Endpoint Upgrade feature on the FortiSASE portal.
  B. FortiClient will need to be manually upgraded.
  C. Perform onboarding for managed endpoint users with a newer FortiClient version.
  D. A newer FortiClient version will be auto-upgraded on demand.

Answer(s): A

Explanation:

According to the FortiSASE 7.6 Feature Administration Guide and the latest updates to the NSE 5 SASE curriculum, FortiSASE has introduced native lifecycle management for FortiClient agents to reduce the operational burden on IT teams who previously relied solely on third-party MDM (Mobile Device Management) or GPO (Group Policy Objects) for every update.

The Endpoint Upgrade feature, found under System > Endpoint Upgrade in the FortiSASE portal, allows administrators to perform the following:

Centralized Version Control: Administrators can see which versions are currently deployed and which "Recommended" versions are available from FortiGuard.

Scheduled Rollouts: You can choose to upgrade all endpoints or specific endpoint groups at a designated time, ensuring that upgrades do not disrupt business operations.

Status Monitoring: The portal provides a real-time dashboard showing the progress of the upgrade (e.g., Downloading, Installing, Reboot Pending, or Success).

Manual vs. Managed: While MDM is still highly recommended for the initial onboarding (the first time FortiClient is installed and connected to the SASE cloud), all subsequent upgrades can be handled natively by the FortiSASE portal.

Why other options are incorrect:

Option B: Manual upgrades do not scale to a large deployment and are not the managed lifecycle solution FortiSASE provides for this purpose.

Option C: "Onboarding" refers to the initial setup. Re-onboarding every time a version changes would be redundant and counterproductive.

Option D: While the system can manage the upgrade, it is not "auto-upgraded on demand" by the client itself without administrative configuration in the portal. The administrator must still define the target version and schedule.



Refer to the exhibit.

The exhibit shows output of the command diagnose sys sdwan service collected on a FortiGate device.

The administrator wants to know through which interface FortiGate will steer traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the social media application Facebook.

Based on the exhibit, which two statements are correct? (Choose two.)

  A. FortiGate steers traffic for social media applications according to the service rule 2 and steers traffic through port2.
  B. There is no service defined for the Facebook application, so FortiGate applies service rule 3 and directs the traffic to headquarters.
  C. When FortiGate cannot recognize the application of the flow, it load balances the traffic through the tunnels HQ_T1, HQ_T2, HQ_T3.
  D. When FortiGate cannot recognize the application of the flow, it steers the traffic through the preferred member of rule 3, HQ_T1.

Answer(s): A,C

Explanation:

SD-WAN rules are evaluated top down and the first match wins. A flow identified as belonging to an application category that a rule references (here the social media category, which includes Facebook) matches that rule, rule 2, and is steered out of the member configured there, port2. Application identification needs a few packets, so the first packets of a new session cannot yet match an application-based rule; while the application is unknown the flow matches the next rule it satisfies, rule 3, which in this exhibit load balances across the tunnels HQ_T1, HQ_T2, and HQ_T3. Once the application is identified, subsequent packets of the session are steered by rule 2. This keeps connectivity continuous during classification while still honouring the application rule.

Why other options are incorrect:

Option B: A rule for the social media category does cover Facebook, so a dedicated Facebook entry is not needed for rule 2 to apply.

Option D: Rule 3 load balances across its members; it does not pin unclassified traffic to a single preferred member such as HQ_T1.



You have configured the performance SLA with the probe mode as Prefer Passive.

What are two observable impacts of this configuration? (Choose two.)

  A. FortiGate can offload the traffic that is subject to passive monitoring to hardware.
  B. FortiGate passively monitors the member if ICMP traffic is passing through the member.
  C. During passive monitoring, the SLA performance rule cannot detect dead members.
  D. After FortiGate switches to active mode, the SLA performance rule falls back to passive monitoring after 3 minutes.
  E. FortiGate passively monitors the member if TCP traffic is passing through the member.

Answer(s): C,E

Explanation:

In the SD-WAN 7.6 Core Administrator curriculum, the "Prefer Passive" probe mode is a hybrid monitoring strategy designed to minimize the overhead of synthetic traffic (probes) while maintaining link health visibility. According to the FortiOS 7.6 Administration Guide and the SD-WAN Study Guide, the behavior and impacts are as follows:

TCP Traffic Requirement (Option E): Passive monitoring relies on the FortiGate's ability to inspect actual user traffic to calculate health metrics such as Latency, Jitter, and Packet Loss. Specifically, it uses TCP traffic (by analyzing TCP sequence numbers and timestamps to calculate Round Trip Time - RTT). If user traffic is flowing through the member interface, the FortiGate uses those real-world sessions for SLA calculations instead of sending its own probes.

Inability to Detect Dead Members (Option C): A significant limitation of passive monitoring is that it cannot distinguish a dead link from an idle one. If no user traffic is flowing, the passive monitor has no samples to analyze, so while in passive mode the SD-WAN engine cannot declare a member dead. To mitigate this, Prefer Passive includes a fail-safe: if no traffic is seen on the member for a set period (3 minutes in the curriculum), the FortiGate switches to active mode and sends the health check's configured probe to verify whether the link is actually alive.

Why other options are incorrect:

Option A: Passive monitoring generally disables hardware offloading (ASIC) for the monitored traffic. This is because the CPU must inspect every packet header to calculate performance metrics; if the traffic were offloaded to the Network Processor (NP), the CPU would not see the packets, rendering passive monitoring impossible.

Option B: While active probes often use ICMP, passive monitoring is specifically designed for TCP traffic because the TCP protocol's ACK structure allows for accurate RTT and loss calculation without synthetic packets.

Option D: The 3-minute timer is the trigger to switch from passive to active when traffic is absent, not a fallback timer for returning to passive. The return to passive happens as soon as valid TCP traffic is seen on the member again.



According to the FortiSASE 7.6 Administration Guide and the FCP - FortiSASE 24/25 Administrator study materials, FortiSASE supports three primary external (remote) authentication sources to verify the identity of remote users (SIA and SPA users). These sources allow organizations to leverage their existing identity infrastructure for seamless onboarding and policy enforcement:

Security Assertion Markup Language (SAML) (Option A): This is the most common and recommended method for modern SASE deployments. FortiSASE acts as a SAML Service Provider (SP) and integrates with Identity Providers (IdP) such as Microsoft Entra ID (formerly Azure AD), Okta, or FortiAuthenticator. This enables Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

Lightweight Directory Access Protocol (LDAP) (Option C): FortiSASE can connect to on-premises or cloud-based LDAP servers (such as Windows Active Directory). This allows the administrator to map existing AD groups to FortiSASE user groups for granular security policy application.

Remote Authentication Dial-in User Service (RADIUS) (Option E): RADIUS is supported for organizations that use centralized authentication servers or traditional MFA solutions (like RSA SecurID). FortiSASE can query a RADIUS server to validate user credentials before granting access to the SASE tunnel.

Why other options are incorrect:

OpenID Connect (OIDC) (Option B): While OIDC is a modern authentication protocol similar to SAML, FortiSASE's primary integration for external Identity Providers is currently standardized on SAML 2.0.

TACACS+ (Option D): Terminal Access Controller Access-Control System Plus is primarily used for administrative access (AAA) to network devices (like logging into a FortiGate CLI or FortiManager). It is not used for end-user VPN or SASE authentication in the Fortinet ecosystem.



Refer to the exhibit.

You want the performance service-level agreement (SLA) to measure the jitter of each member.
Which configuration change must you make to achieve this result?

  A. No change is required.
  B. Add an SLA target and define a jitter threshold.
  C. Specify the participant members.
  D. Set the protocol to HTTP.

Answer(s): A

Explanation:

According to the SD-WAN 7.6 Core Administrator study guide and FortiOS 7.6 Administration Guide, no configuration change is required to simply measure jitter.

Implicit Measurement: In FortiOS, once a Performance SLA (Health Check) is configured with an Active probe mode (as seen in the exhibit with Ping selected), the FortiGate automatically begins calculating three key quality metrics for every member interface: Latency, Jitter, and Packet Loss.

Visibility: Even without an SLA target defined, these real-time measurements are visible in the SD-WAN monitor and via the CLI command diagnose sys sdwan health-check <SLA_Name> (the older diagnose sys virtual-wan-link form was replaced when the feature was renamed to SD-WAN in the CLI).

Active Probes: Because the probe mode is set to Active using the Ping protocol, the FortiGate sends synthetic packets at the defined Check interval (500ms in the exhibit). It calculates jitter by measuring the variation in the round-trip time (RTT) between these consecutive probes.

Why other options are incorrect:

Option B: Adding an SLA target and defining a jitter threshold is only necessary if you want the SD-WAN engine to make steering decisions based on that metric (for example, "take this link out of the pool if jitter exceeds 50 ms"). It is not required just to measure jitter.

Option C: While you can specify participants, the current setting is "All SD-WAN Members," which means it is already measuring jitter for every member.

Option D: HTTP is an alternative probe protocol, but Ping (ICMP) is perfectly capable of measuring jitter and is often preferred for its lower overhead.
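The two performance SLA questions above (Prefer Passive probe mode, and jitter being measured without an SLA target) both come down to how a health check turns samples into latency, jitter, and packet loss, and what it can conclude when there are no samples. The following Python model is an added example, not FortiOS code and not from the study guide. It derives passive samples from constructed TCP SYN / SYN-ACK timings, treats active probes as a constructed list of RTTs with None for an unanswered probe, computes jitter as the mean absolute difference between consecutive RTTs (an assumption; the exact smoothing FortiOS uses is not stated on this page), and returns "idle-or-dead" rather than a verdict when a passive member has carried no traffic, which is exactly why Prefer Passive must fall back to active probing.

```python
"""Toy model of SD-WAN performance SLA measurement (added example, not FortiOS code)."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class TcpSeen:
    """One TCP packet the passive monitor observed on a member (constructed data)."""
    ts_ms: float   # time the FortiGate saw the packet, in milliseconds
    src: str
    dst: str
    flags: str     # "S" for SYN, "SA" for SYN/ACK


def passive_rtt_samples(packets: list[TcpSeen]) -> list[float]:
    """Pair each outbound SYN with the SYN/ACK that answers it; the gap is one RTT.
    The CPU must see both packets, which is why passively monitored sessions are
    not offloaded to hardware."""
    pending: dict[tuple[str, str], float] = {}
    rtts: list[float] = []
    for p in packets:
        if p.flags == "S":
            pending[(p.src, p.dst)] = p.ts_ms
        elif p.flags == "SA":
            sent = pending.pop((p.dst, p.src), None)  # reply direction is reversed
            if sent is not None:
                rtts.append(p.ts_ms - sent)
    return rtts


def sla_metrics(samples: list[Optional[float]]) -> dict:
    """Latency = mean RTT of answered samples; jitter = mean |RTT_i - RTT_(i-1)|
    (assumed formula); loss = unanswered / sent as a percentage."""
    answered = [s for s in samples if s is not None]
    sent = len(samples)
    if not answered:
        return {"latency": None, "jitter": None,
                "loss": 100.0 if sent else None, "sent": sent}
    jitter = (mean(abs(b - a) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {"latency": mean(answered), "jitter": jitter,
            "loss": 100.0 * (sent - len(answered)) / sent, "sent": sent}


def meets_sla(metrics: dict, latency_ms: float = 250.0, jitter_ms: float = 50.0,
              loss_pct: float = 5.0) -> Optional[bool]:
    """Apply SLA targets (defaults mirror typical 'config sla' thresholds).
    None means no data was ever sent; False with no answers means every probe
    was lost, which only active mode can observe."""
    if metrics["sent"] == 0:
        return None
    if metrics["latency"] is None:
        return False
    return (metrics["latency"] <= latency_ms and metrics["jitter"] <= jitter_ms
            and metrics["loss"] <= loss_pct)


def prefer_passive_state(passive_packets: list[TcpSeen],
                         probe_samples: list[Optional[float]]) -> tuple:
    """Prefer Passive: use TCP-derived samples while traffic flows; otherwise use
    active probes if any were sent; with neither, the member is indistinguishable
    from dead and no verdict is possible."""
    passive = passive_rtt_samples(passive_packets)
    if passive:
        m = sla_metrics(passive)
        return ("passive", m, meets_sla(m))
    if probe_samples:
        m = sla_metrics(probe_samples)
        return ("active", m, meets_sla(m))
    return ("idle-or-dead", None, None)


# Constructed sample input: three handshakes through one member, and five probes
# of which the third went unanswered.
PKTS = [
    TcpSeen(0.0, "10.0.1.10", "203.0.113.50", "S"),
    TcpSeen(18.0, "203.0.113.50", "10.0.1.10", "SA"),
    TcpSeen(100.0, "10.0.1.11", "203.0.113.60", "S"),
    TcpSeen(122.0, "203.0.113.60", "10.0.1.11", "SA"),
    TcpSeen(200.0, "10.0.1.12", "203.0.113.70", "S"),
    TcpSeen(215.0, "203.0.113.70", "10.0.1.12", "SA"),
]
PROBES: list[Optional[float]] = [20.0, 22.0, None, 21.0, 25.0]

if __name__ == "__main__":
    for label, res in (("traffic present", prefer_passive_state(PKTS, PROBES)),
                       ("idle, probing", prefer_passive_state([], PROBES)),
                       ("idle, no probes", prefer_passive_state([], []))):
        print(label, "->", res)
```

Two points the model makes concrete: jitter is produced from any series of RTT samples, with or without a threshold, which is why the earlier question needs no configuration change; and an SLA verdict of None for a member that is idle in passive mode is not the same as "alive", so a health check stuck in passive mode with no traffic would never pull a dead link out of a rule.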


