Questions no:9Verified Answer: B

Comprehensive and Detailed Explanation with all FortiSASE and SD-WAN 7.6 Core Administrator curriculum documents: According to theSD-WAN 7.6 Core Administratorstudy guide andFortiOS 7.6 Administration Guide, the behavior for deleting an SD-WAN member from the GUI when it is the only member in its zone is governed by the following operational logic:

Reference Checks: Before allowing the deletion of any SD-WAN member, FortiOS performs a "check for dependencies." If an interface is being used in an activePerformance SLAor anSD-WAN Rule, the GUI will typically prevent the deletion or gray out the option until those references are removed. However, the question specifies that this member isno longer usedin health-checks or rules.

Zone Integrity: Unlike some other network objects, an SD-WAN zone is permitted to exist without any members. When you delete the final member of a user-defined zone through the GUI, the zone itself remains in the configuration as an empty container.

Route Management: When an SD-WAN member is deleted, any static routes that were specifically tied to that interface's membership in the SD-WAN bundle are automatically updated or removed by the FortiGate to prevent routing loops or "black-holing" traffic. This is part of the automated cleanup process handled by the FortiOS management plane.

GUI vs. CLI: In the GUI, the process is streamlined to allow the removal of the member interface. Once the member is deleted, the interface returns to being a "regular" system interface and can be used for standard firewall policies or other functions.

Why other options are incorrect:

Option A: There is no requirement that a zone must contain at least one member; "empty" zones are valid configuration objects in FortiOS 7.6.

Option C: While the deletion is accepted, it is not with "no further action"—the system must still reconcile the routing table and interface status.

Option D: FortiGate does not automatically move deleted members into the default zone (virtual-wan-link). Once deleted, the interface is simply no longer an SD-WAN member.

In theSD-WAN 7.6 Core Administratorcurriculum, the "Prefer Passive" probe mode is a hybrid monitoring strategy designed to minimize the overhead of synthetic traffic (probes) while maintaining link health visibility. According to theFortiOS 7.6 Administration Guideand theSD-WAN Study Guide, the behavior and impacts are as follows:

TCP Traffic Requirement (Option E):Passive monitoring relies on the FortiGate’s ability to inspect actual user traffic to calculate health metrics such as Latency, Jitter, and Packet Loss. Specifically, it usesTCP traffic(by analyzing TCP sequence numbers and timestamps to calculate Round Trip Time - RTT). If user traffic is flowing through the member interface, the FortiGate uses those real-world sessions for SLA calculations instead of sending its own probes.

Inability to Detect Dead Members (Option C):A significant limitation of passive monitoring is that it cannot distinguish between a "dead" link and an "idle" link. If there is no traffic, the passive monitor has no data to analyze. Consequently, while in passive mode, the SD-WAN enginecannot detect a dead member. To mitigate this, "Prefer Passive" includes a fail-safe: if no traffic is detected for a specific period (typically3 minutes), the FortiGate will automatically switch toActive mode(sending ICMP/TCP pings) to verify if the link is actually alive.

Why other options are incorrect:

Option A:Passive monitoring generallydisables hardware offloading (ASIC)for the monitored traffic. This is because the CPU must inspect every packet header to calculate performance metrics; if the traffic were offloaded to the Network Processor (NP), the CPU would not see the packets, rendering passive monitoring impossible.

Option B:While active probes often use ICMP,passive monitoringis specifically designed forTCP trafficbecause the TCP protocol's ACK structure allows for accurate RTT and loss calculation without synthetic packets.

Option D:The "3-minute" timer is actually the trigger to switchfrom passive to activewhen traffic is absent, not the fallback timer to return to passive. The fallback to passive happens as soon as valid TCP traffic is detected again.

According to theFortiSASE 7.6 Administration Guideand theFCP - FortiSASE 24/25 Administratorstudy materials, FortiSASE supports three primary external (remote) authentication sources to verify the identity of remote users (SIA and SPA users). These sources allow organizations to leverage their existing identity infrastructure for seamless onboarding and policy enforcement:

Security Assertion Markup Language (SAML) (Option A):This is the most common and recommended method for modern SASE deployments. FortiSASE acts as aSAML Service Provider (SP)and integrates withIdentity Providers (IdP)such as Microsoft Entra ID (formerly Azure AD), Okta, or FortiAuthenticator. This enables Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

Lightweight Directory Access Protocol (LDAP) (Option C):FortiSASE can connect to on-premises or cloud-based LDAP servers (such as Windows Active Directory). This allows the administrator to map existing AD groups to FortiSASE user groups for granular security policy application.

Remote Authentication Dial-in User Service (RADIUS) (Option E):RADIUS is supported for organizations that use centralized authentication servers or traditional MFA solutions (like RSA SecurID). FortiSASE can query a RADIUS server to validate user credentials before granting access to the SASE tunnel.

Why other options are incorrect:

OpenID Connect (OIDC) (Option B):While OIDC is a modern authentication protocol similar to SAML, FortiSASE's primary integration for external Identity Providers is currently standardized onSAML 2.0.

TACACS+ (Option D):Terminal Access Controller Access-Control System Plus is primarily used foradministrative access(AAA) to network devices (like logging into a FortiGate CLI or FortiManager). It is not used for end-user VPN or SASE authentication in the Fortinet ecosystem.

According to theSD-WAN 7.6 Core Administratorstudy guide and theFortiOS 7.6 Administration Guide, when you are migrating a production FortiGate to use SD-WAN, the most critical step involves reconfiguring how traffic is permitted and routed.

Reference Removal Requirement: Before an interface (such as wan1 or wan2) can be added as anSD-WAN member, it must be "unreferenced" in most parts of the FortiGate configuration. Specifically, if an interface is currently being used in an activeFirewall Policy, the system will prevent you from adding it to the SD-WAN bundle.

Firewall Policy Migration (Option A): In a production environment, you mustreplace the references to the physical interfacesin your firewall policies with the newSD-WAN virtual interface(or an SD-WAN Zone). For example, if your previous policy allowed traffic from internal to wan1, you must update that policy so theOutgoing Interfaceis now SD-WAN. This allows the SD-WAN engine to take over the traffic and apply its steering rules.

Modern Tools: While this used to be a purely manual process, FortiOS 7.x includes anInterface Migration Wizard(found underNetwork > Interfaces). This tool automates the "search and replace" function, moving all existing policy and routing references from the physical port to the SD-WAN object to ensure minimal downtime.

Why other options are incorrect:

Option B: While you do need to update your routing (e.g., creating a static route for 0.0.0.0/0 pointing to the SD-WAN interface), the curriculum specifically emphasizes the replacement of references infirewall policiesas the primary administrative hurdle, as policies are often more numerous and complex than the single static route required for SD-WAN.

Option C: You donotneed to disable the interface. It must be up and configured, just removed from other configuration references so it can be "absorbed" into the SD-WAN bundle.

Option D: SD-WAN is abase featureof FortiOS and doesnot require a separate licenseor a reboot to enable.

In theSD-WAN 7.6 Core Administratorcurriculum, steering "local-out" traffic (traffic generated by the FortiGate itself, such as DNS queries, FortiGuard updates, or diagnostic pings) requires specific configuration because this traffic follows a different path than "forward" traffic.

Individual Configuration (Option A): By default, local-out traffic bypasses the SD-WAN engine and uses the standard system routing table (RIB/FIB). To use SD-WAN rules for specific features like DNS or RADIUS, you must individually enable the sdwan interface-select-method within that feature's configuration (e.g., config system dns or config user radius).

Default Steerable Traffic (Option B): In FortiOS 7.6, while most local-out traffic is excluded from SD-WAN by default, the system is designed so that when SD-WAN is active, it primarily considers SD-WAN rules for specific diagnostic local-out traffic—specificallypingandtraceroute—to allow administrators to verify path quality using the same logic as user traffic.

Why other options are incorrect:

Option C: Local-out traffic can be steered using any SD-WAN strategy (Manual, Best Quality, etc.), provided the interface-selection-method is set to sdwan.

According to theSD-WAN 7.6 Core Administratorcurriculum, to implement an SD-WAN solution that ensures high network availability for business-critical applications while managing costs, the administrator mustconfigure at least two WAN links.

SD-WAN Fundamentals: SD-WAN operates by creating a virtual overlay across multiple physical or logical transport links (e.g., broadband, LTE, MPLS). Without at least two links, the SD-WAN engine has no alternative path to steer traffic toward if the primary link fails or degrades.

Cost Management: By using multiple links, administrators can implement theLowest Cost (SLA)orMaximize Bandwidthstrategies. This allows the site to use a low-cost broadband connection for primary traffic and only failover to a "pay-per-use" backup (like LTE) when the primary link's quality falls below the defined SLA target.

High Availability (Link Level): While a "High Availability (HA) cluster" (Option C) provides device redundancy (protecting against a hardware failure of the FortiGate itself), it does not address link redundancy or steering, which are the core functions of SD-WAN for application uptime.

Why other options are incorrect:

Option A: Using a mid-range device refers to hardware capacity but does not solve the requirement for link-level redundancy and cost-steering logic.

Option B: Dynamic routing (like BGP or OSPF) is often usedwithSD-WAN in large topologies, but for a small site, the primary mechanism for meeting availability and cost goals is the configuration of the SD-WAN member links and rules themselves.

Option C: HA clusters protect against hardware failure, but the question specifically asks about ensuring availability forapplicationswhile limitingbackup link costs, which is a traffic-steering (SD-WAN) requirement rather than a hardware-redundancy requirement.

According to theFortiSASE 7.6 Architecture Guideand theFCP - FortiSASE 24/25 Administratorstudy materials, the FortiSASE solution is structured around three primary pillars or "use cases" that address the security requirements of a modern distributed workforce.

Secure Internet Access (SIA) (Option A): This use case focus on protecting remote users as they browse the public internet. It utilizes a full cloud-delivered security stack includingWeb Filtering,DNS Filtering,Anti-Malware, andIntrusion Prevention (IPS)to ensure that users are protected from web-based threats regardless of their physical location.

Secure SaaS Access (SSA) (Option B): This use case addresses the security of cloud-based applications (like Microsoft 365, Salesforce, and Dropbox). It leveragesInline-CASB (Cloud Access Security Broker)to identify and control "Shadow IT"—unauthorized cloud applications used by employees—and appliesData Loss Prevention (DLP)to prevent sensitive information from being leaked into unsanctioned SaaS platforms.

Secure Private Access (SPA) (Option C): This use case provides secure, granular access to private applications hosted in on-premises data centers or private clouds. It can be achieved through two main methods:ZTNA (Zero Trust Network Access), which provides session-specific access based on identity and device posture, or throughSD-WAN integration, where the FortiSASE cloud acts as a spoke connecting to a corporate SD-WAN Hub.

Why other options are incorrect:

Secure VPN Access (SVA) (Option D): While SASE uses VPN technology (SSL or IPsec) as a transport for the Endpoint mode, "SVA" is not a formal curriculum-defined use case. The SASE framework is intended to evolve beyond traditional "Secure VPN Access" into the SIA and SPA models.

Secure Browser Access (SBA) (Option E): Although FortiSASE offersRemote Browser Isolation (RBI), it is considered a feature or a component of the broaderSecure Internet Access (SIA)use case rather than a separate, standalone use case in the core administrator curriculum.

According to theSD-WAN 7.6 Core Administratorstudy guide and theFortinet Document Library, FortiOS maintains strict referential integrity for SD-WAN objects. An SD-WAN member interface cannot be deleted or removed from the configuration if it is still being "used" or referenced by other features.

Reference Locking: In the FortiOS GUI, the "Delete" button for an SD-WAN member is typically grayed out or an error message appears if the interface is part of an active service or monitoring tool.

Performance SLA Dependency: Performance SLAs (health checks) monitor specific member interfaces. If an interface is a participant in an SLA, it is considered "active" by the system. Therefore, a critical first step in the decommissioning process is toremove the member from all Performance SLA definitions. Once the health check is no longer polling that interface, one major reference lock is released.

Other Dependencies: While firewall policies and SD-WAN rules (service rules) also create references, the question specifies the member is "no longer used to steer traffic," implying it may have already been removed from steering rules. However, Performance SLAs often remain active in the background, making their removal the essential next step to permit the deletion of the member itself.

Why other options are incorrect:

Option A: Moving a member between zones doesn't help you delete it; it just changes its logical grouping. It still remains an active SD-WAN member.

Option B: Disabling the physical interface does not remove the configuration references within the SD-WAN engine. The FortiGate will simply report the member as "Down," but it will still exist in the configuration as a member.

Option D: In modern SD-WAN deployments, static routes usually point to theSD-WAN Zone(like virtual-wan-link) rather than individual physical interfaces. Therefore, you don't typically need to delete the static route to remove a single member from the zone.