Question 2 - Fortinet FCSS_SDW_AR-7.4 Real Exam Questions [Jan 2026 Update]

Q: 2

Refer to the exhibits.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in the first exhibit. After generating GoToMeeting test traffic, the administrator examined the corresponding traffic log on FortiAnalyzer, which is shown in the second exhibit. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1. Which two reasons explain why some log messages show that the traffic matched the implicit SD- WAN rule? (Choose two.)

Options

Correct Answer:

B, C

Explanation

The observed behavior occurs due to the sequence of SD-WAN session evaluation.

1. Initially, when the first packet of a new session arrives, FortiGate has only Layer 3/4 information (IPs and ports). It attempts to match this against the SD-WAN rules. If the destination IP of the GoToMeeting traffic is not yet in the local Internet Service Database (ISDB) cache, the application-based rule (ID 1) will not match. Consequently, the session is routed using the implicit SD-WAN rule (ID 0).

2. After a few packets, the application is correctly identified as "GoToMeeting". At this point, FortiGate should re-evaluate the session and steer it according to rule ID 1. The log shows sdwanruleid=0, indicating this re-routing/refresh of the session failed, leaving the traffic on the path originally chosen by the implicit rule.

Why Incorrect

A. Full SSL inspection is not enabled on the matching firewall policy.

This is incorrect because the log confirms the application was successfully identified (app="GoToMeeting"). Application identification can occur without full SSL inspection (e.g., via SNI or ISDB).

D. No configured SD-WAN rule matches the traffic related to the collaboration application GoToMeeting.

This is incorrect. The first exhibit clearly shows that SD-WAN rule ID 1 is configured to match the GoToMeeting Internet Service object.

References

1. FortiOS SD-WAN Architecture Guide 7.4.0:

Page 10

"First packet processing": "When the first packet of a new session arrives at FortiGate

the kernel forwards it to the sdwan daemon for path selection... The sdwan daemon checks the SD-WAN rules for a match based on the 5-tuple of the packet." This supports that initial matching is based on L3/L4 info. If the IP is not in the ISDB

the application rule won't match.

Page 11

"Application steering": "After an application is identified

the session is flagged for re-evaluation... The sdwan daemon updates the session with the new forwarding path information." This describes the session refresh/rerouting process that failed

as indicated by option C.

2. FortiOS Administration Guide 7.4.0 - SD-WAN:

Section: "SD-WAN rules": This section details how rules are matched. It implicitly confirms that application-based criteria require the application to be identified first. If identification happens after the session is established

a re-evaluation is necessary.

Section: "Implicit rule": "If traffic does not match any of the configured SD-WAN rules

it will match the implicit rule." This confirms the behavior when the initial IP-based lookup fails to match rule 1

supporting the scenario in option B.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE