According to theFortiSASE 7.6 Feature Administration Guideand the latest updates to theNSE 5 SASEcurriculum, FortiSASE has introduced native lifecycle management for FortiClient agents to reduce the operational burden on IT teams who previously relied solely on third-party MDM (Mobile Device Management) or GPO (Group Policy Objects) for every update.

TheEndpoint Upgradefeature, found underSystem > Endpoint Upgradein the FortiSASE portal, allows administrators to perform the following:

Centralized Version Control: Administrators can see which versions are currently deployed and which "Recommended" versions are available from FortiGuard.

Scheduled Rollouts: You can choose to upgrade all endpoints or specific endpoint groups at a designated time, ensuring that upgrades do not disrupt business operations.

Status Monitoring: The portal provides a real-time dashboard showing the progress of the upgrade (e.g.,Downloading,Installing,Reboot Pending, orSuccess).

Manual vs. Managed: While MDM is still highly recommended for theinitial onboarding(the first time FortiClient is installed and connected to the SASE cloud), all subsequent upgrades can be handled natively by the FortiSASE portal.

Why other options are incorrect:

Option B: Manual upgrades are inefficient for large-scale deployments (~400 users in this scenario) and are not the intended "feature-rich" solution provided by FortiSASE.

Option C: "Onboarding" refers to the initial setup. Re-onboarding every time a version changes would be redundant and counterproductive.

Option D: While the system canmanagethe upgrade, it is not "auto-upgraded on demand" by the client itself without administrative configuration in the portal. The administrator must still define the target version and schedule.

According to theSD-WAN 7.6 Core Administratorstudy guide andFortiOS 7.6 Administration Guide, no configuration change is required to simplymeasurejitter.

Implicit Measurement: In FortiOS, once a Performance SLA (Health Check) is configured with anActiveprobe mode (as seen in the exhibit with Ping selected), the FortiGate automatically begins calculating three key quality metrics for every member interface:Latency,Jitter, andPacket Loss.

Visibility: Even without an SLA Target defined, these real-time measurements are visible in theSD-WAN Monitorand via the CLI command diagnose sys virtual-wan-link health-check .

Active Probes: Because the probe mode is set toActiveusing thePingprotocol, the FortiGate sends synthetic packets at the definedCheck interval(500ms in the exhibit). It calculates jitter by measuring the variation in the round-trip time (RTT) between these consecutive probes.

Why other options are incorrect:

Option B: Adding anSLA targetand defining a jitter threshold is only necessary if you want the SD-WAN engine to makesteering decisionsbased on that metric (e.g., "remove this link from the pool if jitter exceeds 50ms"). It is not required just tomeasurethe jitter.

Option C: While you can specify participants, the current setting is "All SD-WAN Members," which means it is already measuring jitter for every member.

Option D:HTTPis an alternative probe protocol, butPing (ICMP)is perfectly capable of measuring jitter and is often preferred for its lower overhead.

Questions no:9Verified Answer: B

Comprehensive and Detailed Explanation with all FortiSASE and SD-WAN 7.6 Core Administrator curriculum documents: According to theSD-WAN 7.6 Core Administratorstudy guide andFortiOS 7.6 Administration Guide, the behavior for deleting an SD-WAN member from the GUI when it is the only member in its zone is governed by the following operational logic:

Reference Checks: Before allowing the deletion of any SD-WAN member, FortiOS performs a "check for dependencies." If an interface is being used in an activePerformance SLAor anSD-WAN Rule, the GUI will typically prevent the deletion or gray out the option until those references are removed. However, the question specifies that this member isno longer usedin health-checks or rules.

Zone Integrity: Unlike some other network objects, an SD-WAN zone is permitted to exist without any members. When you delete the final member of a user-defined zone through the GUI, the zone itself remains in the configuration as an empty container.

Route Management: When an SD-WAN member is deleted, any static routes that were specifically tied to that interface's membership in the SD-WAN bundle are automatically updated or removed by the FortiGate to prevent routing loops or "black-holing" traffic. This is part of the automated cleanup process handled by the FortiOS management plane.

GUI vs. CLI: In the GUI, the process is streamlined to allow the removal of the member interface. Once the member is deleted, the interface returns to being a "regular" system interface and can be used for standard firewall policies or other functions.

Why other options are incorrect:

Option A: There is no requirement that a zone must contain at least one member; "empty" zones are valid configuration objects in FortiOS 7.6.

Option C: While the deletion is accepted, it is not with "no further action"—the system must still reconcile the routing table and interface status.

Option D: FortiGate does not automatically move deleted members into the default zone (virtual-wan-link). Once deleted, the interface is simply no longer an SD-WAN member.

Based on theFortiSASE 7.6 (and later 2025 versions)curriculum and administration guides, the Vulnerability summary dashboard is a key component of the endpoint security posture management.

Drill Down Capability (Option C): According to theFortiSASE Administration Guide, the Vulnerability summary widget on the Security dashboard is interactive. An administrator can click on specific risk categories (e.g., Critical, High) or application types (e.g., Operating System, Web Client) todrill down. This action opens a detailed pane showing the specific affected endpoints, associatedCVE identifiers, and severity classifications based on the CVSS standard.

Automatic Vulnerability Patching (Option D): In theFortiSASE 7.6/2025feature sets, the endpoint profile configuration (underEndpoint > Configuration > Profiles) includes an "Automatic Patching" section. This feature allows the system to automatically install security updates for supported third-party applications and the underlying operating system (Windows/macOS) when vulnerabilities are detected. Furthermore, administrators can schedule these patches directly from theVulnerability Summarywidget by selecting specific vulnerabilities.

Why other options are incorrect:

Option A: The dashboard categories (Operating System, Web Client, Microsoft Office, etc.) are based on known software signatures. While there is an "Other" category, the dashboard primarily provides scores for recognized applications where CVE data is available.

Option B: The exhibit shows active data (157 total vulnerabilities), which indicates that thevulnerability scan is enabledand currently reporting data from the endpoints. If it were disabled, the widget would be empty or show zeros.

According to theSD-WAN 7.6 Core Administratorcurriculum and theFortiOS 7.6 Administration Guide, setting common web-based services like Facebook and LinkedIn as destinations in an SD-WAN rule is primarily accomplished through theInternet Service Database (ISDB).

Internet Service vs. Application Control: In FortiOS, there is a distinction betweenInternet Services(which use a database of known IP addresses and ports to identify traffic at the first packet) andApplications(which require the IPS engine to inspect deeper into the packet flow to identify Layer 7 signatures).

SD-WAN Efficiency: Fortinet recommends using theInternet service fieldfor services like Facebook and LinkedIn in SD-WAN rules because it allows the FortiGate to steer the traffic immediately upon the first packet. If the "Application" signatures were used instead, the first session might be misrouted because the application is not identified until after the initial handshake.

GUI Configuration: As shown in the exhibit (image_b3a4c2.png), the "Destination" section of an SD-WAN rule includes anInternet servicefield by default. To steer Facebook and LinkedIn traffic, the administrator simply clicks the "+" icon in that field and selects the entries for Facebook and LinkedIn from the database.

Feature Visibility (Alternative): While youcanenable a specific "Application" field inSystem > Feature Visibility(by enabling "Application Detection Based SD-WAN"), this is typically used for less common applications that do not have dedicated ISDB entries. For the specific "applications" mentioned (Facebook and LinkedIn), they are natively available in theInternet servicefield, making Option B the most direct and common implementation.

Why other options are incorrect:

Option A: Licensing for application signatures is part of the standard FortiGuard services and is not a prerequisite specific only to "applications as destinations" in SD-WAN rules.

Option C: Standalone FortiGate devices fully support application-based and ISDB-based steering in SD-WAN rules.

Option D: While enabling feature visibility would add anadditionalfield for L7 applications, it is not a "must" for Facebook and LinkedIn, which are already accessible via the Internet Service field provided in the default GUI layout.

According to theSD-WAN 7.6 Core Administratorcurriculum and the diagnostic outputs shown in the exhibit, the reason traffic is steered toHUB1-VPN3instead of the expectedHUB1-VPN1(defined in SD-WAN rule ID 1) can be explained by two core routing principles in FortiOS:

Valid Route Requirement (Option A): In thediagnose sys sdwan service 4output (which corresponds to Rule ID 1), it shows the rule has membersHUB1-VPN1,HUB1-VPN2, andHUB1-VPN3. A key principle of SD-WAN steering is that for a member to be "selectable" by a rule, itmust have a valid route to the destinationin the routing table (RIB/FIB). If the routing table output (the third section of the exhibit) shows a route to 10.0.0.0/8 viaHUB1-VPN3butnotthroughHUB1-VPN1, the SD-WAN engine will skip HUB1-VPN1 entirely because it is considered a "non-reachable" path for that specific destination.

Policy Route Precedence (Option D): In the FortiOS route lookup hierarchy,Regular Policy Routes (PBR)are evaluatedbeforeSD-WAN rules. If an administrator has configured a traditional Policy Route (found underNetwork > Policy Routes) that matches traffic destined for 10.0.0.0/8 and specifiesHUB1-VPN3as the outgoing interface, the FortiGate will forward the packet based on that policy route and willnever evaluate the SD-WAN rulesfor that session. This "bypass" occurs regardless of whether the SD-WAN rule would have chosen a "better" link.

Why other options are incorrect:

Option B: While member configuration priority (cfg_order) is a tie-breaker in some strategies, the SD-WAN rule logic is only applied if the routing table allows it or if a higher-priority policy route doesn't intercept the traffic first.

Option C: Lower route priority (which means higher preference in the RIB) affects theImplicit Rule(standard routing). However, SD-WAN rules are designed tooverrideRIB priority for matching traffic. If HUB1-VPN1 was a valid candidate and no Policy Route existed, the SD-WAN rule would typically ignore RIB priority to enforce its own steering strategy.