Questions no: 9 Verified Answer : B

Comprehensive and Detailed Explanation with all FortiSASE and SD-WAN 7.6 Core Administrator curriculum documents : According to the SD-WAN 7.6 Core Administrator study guide and FortiOS 7.6 Administration Guide , the behavior for deleting an SD-WAN member from the GUI when it is the only member in its zone is governed by the following operational logic:

Reference Checks : Before allowing the deletion of any SD-WAN member, FortiOS performs a "check for dependencies." If an interface is being used in an active Performance SLA or an SD-WAN Rule , the GUI will typically prevent the deletion or gray out the option until those references are removed. However, the question specifies that this member is no longer used in health-checks or rules.

Zone Integrity : Unlike some other network objects, an SD-WAN zone is permitted to exist without any members. When you delete the final member of a user-defined zone through the GUI, the zone itself remains in the configuration as an empty container.

Route Management : When an SD-WAN member is deleted, any static routes that were specifically tied to that interface's membership in the SD-WAN bundle are automatically updated or removed by the FortiGate to prevent routing loops or "black-holing" traffic. This is part of the automated cleanup process handled by the FortiOS management plane.

GUI vs. CLI : In the GUI, the process is streamlined to allow the removal of the member interface. Once the member is deleted, the interface returns to being a "regular" system interface and can be used for standard firewall policies or other functions.

Why other options are incorrect :

Option A : There is no requirement that a zone must contain at least one member; "empty" zones are valid configuration objects in FortiOS 7.6.

Option C : While the deletion is accepted, it is not with "no further action"—the system must still reconcile the routing table and interface status.

Option D : FortiGate does not automatically move deleted members into the default zone (virtual-wan-link). Once deleted, the interface is simply no longer an SD-WAN member.

"If a flow is identified as belonging to a defined application category (such as social media), FortiGate will match it to the corresponding service rule (rule 2) and route it through the specified interface, such as port2. However, if the application is not recognized during the session setup, the system defaults to load balancing the traffic using the available tunnels according to the policy for unclassified traffic, ensuring continuous connectivity while waiting for application classification."

This guarantees both performance and resilience.

According to the SD-WAN 7.6 Core Administrator curriculum and the FortiOS 7.6 Administration Guide , setting common web-based services like Facebook and LinkedIn as destinations in an SD-WAN rule is primarily accomplished through the Internet Service Database (ISDB) .

Internet Service vs. Application Control : In FortiOS, there is a distinction between Internet Services (which use a database of known IP addresses and ports to identify traffic at the first packet) and Applications (which require the IPS engine to inspect deeper into the packet flow to identify Layer 7 signatures).

SD-WAN Efficiency : Fortinet recommends using the Internet service field for services like Facebook and LinkedIn in SD-WAN rules because it allows the FortiGate to steer the traffic immediately upon the first packet. If the "Application" signatures were used instead, the first session might be misrouted because the application is not identified until after the initial handshake.

GUI Configuration : As shown in the exhibit (image_b3a4c2.png), the "Destination" section of an SD-WAN rule includes an Internet service field by default. To steer Facebook and LinkedIn traffic, the administrator simply clicks the "+" icon in that field and selects the entries for Facebook and LinkedIn from the database.

Feature Visibility (Alternative) : While you can enable a specific "Application" field in System > Feature Visibility (by enabling "Application Detection Based SD-WAN"), this is typically used for less common applications that do not have dedicated ISDB entries. For the specific "applications" mentioned (Facebook and LinkedIn), they are natively available in the Internet service field, making Option B the most direct and common implementation.

Why other options are incorrect :

Option A : Licensing for application signatures is part of the standard FortiGuard services and is not a prerequisite specific only to "applications as destinations" in SD-WAN rules.

Option C : Standalone FortiGate devices fully support application-based and ISDB-based steering in SD-WAN rules.

Option D : While enabling feature visibility would add an additional field for L7 applications, it is not a "must" for Facebook and LinkedIn, which are already accessible via the Internet Service field provided in the default GUI layout.

According to the FortiSASE 7.6 Administration Guide and the FCP - FortiSASE 24/25 Administrator curriculum, FortiSASE is designed with a hybrid deployment architecture to support various user and device requirements. It primarily operates in two modes:

Endpoint Mode (Agent-based) : This mode requires the installation of FortiClient on the user's laptop or device. The agent establishes an "always-up" secure VPN tunnel to the nearest FortiSASE Point of Presence (PoP), providing full Secure Internet Access (SIA), Secure Private Access (SPA), and endpoint posture checks (ZTNA).

Secure Web Gateway (SWG) Mode (Agentless) : This mode is used for users or devices where installing an agent is not feasible (e.g., unmanaged devices or Chromebooks). It relies on explicit web proxy settings or a PAC (Proxy Auto-Configuration) file to redirect web traffic (HTTP/HTTPS) to the SASE PoP for inspection.

Why other options are incorrect:

Option A : While it supports VPN, "VPN mode" is not the formal name of the deployment type; it is "Endpoint mode".

Option C : FortiSASE is not limited to SWG; it is a full SSE (Security Service Edge) solution including FWaaS and ZTNA.

Option D : ZTNA is a capability within the platform, not a replacement for the overall endpoint or SWG functions.

According to the FortiSASE 7.6 Architecture Guide and FCP - FortiSASE 24/25 Administrator materials, the solution is built around three primary use cases that support a hybrid workforce:

Secure Internet Access (SIA): This enables secure web browsing by applying security profiles such as Web Filter , Anti-Malware , and SSL Inspection in the SASE cloud. It protects remote users from internet-based threats regardless of their location.

Secure Private Access (SPA): This provides granular, explicit access to private applications hosted in data centers or the cloud. It is achieved through ZTNA (Zero Trust Network Access) for session-based security or through SD-WAN integration where FortiSASE acts as a spoke to an existing corporate SD-WAN hub.

SaaS Security: FortiSASE utilizes Inline-CASB and Shadow IT visibility to monitor and control the use of cloud applications. Data Loss Prevention (DLP) is integrated into these workflows to prevent sensitive corporate data from being uploaded to unauthorized SaaS platforms.

Why other options are incorrect:

Option A: While it mentions SD-WAN and Shadow IT, it misses the core definition of SIA (secure web browsing) which is the primary driver for SASE deployments.

Option B: Remote Browser Isolation (RBI) is typically applied to risky or uncategorized websites, not "all websites," due to the high performance and resource overhead.

Option D: FortiSASE is designed to protect data in motion (via security profiles) as well as data stored in sanctioned cloud apps, not "at rest only".

According to the FortiSASE 7.6 Architecture Guide and Administration Guide , the Site-based remote user internet access use case is the only deployment model that completely eliminates the need for individual endpoint configuration.

Centralized Enforcement : In a site-based deployment, a "thin edge" device (such as a FortiExtender or a FortiGate in LAN extension mode) is installed at the remote site. This device establishes a secure tunnel to the FortiSASE Point of Presence (PoP).

Zero Endpoint Configuration : Because the traffic redirection happens at the network gateway level, individual devices (laptops, IoT devices, mobile phones) behind the site-based device do not require any specialized software or settings. They simply connect to the local network as they would normally, and their traffic is automatically secured by the SASE cloud.

Comparison with Other Modes :

Agent-based (Option B) : Requires the installation and maintenance of FortiClient software on every device, often managed via MDM tools.

Agentless (Option A) : While it doesn't need an agent, it typically requires the configuration of Explicit Web Proxy settings or the distribution of a PAC (Proxy Auto-Configuration) file via GPO or SCCM to each device's browser.

ZTNA (Option D) : Generally requires an endpoint agent (FortiClient) to perform posture checks and identity verification, involving significant endpoint-level configuration.

Why other options are incorrect :

Option A : Agentless mode is often confused with being "configuration-free," but it still requires endpoints to be pointed toward the FortiSASE proxy.

Option B : This is the most configuration-intensive mode, requiring full software lifecycles for every endpoint.

Option D : ZTNA is an access methodology that adds configuration complexity (tags, certificates, posture checks) rather than minimizing it.