The SD-WAN rule uses the Lowest Cost (SLA) strategy. This strategy selects the member with the lowest cost that is also meeting the criteria of the performance SLA. The InternetSLA specifies a packet loss threshold of 5%.

For HUB1-VPN3 (cost 20) to become the preferred member, the lower-cost members, HUB1-VPN1 (cost 0) and HUB1-VPN2 (cost 10), must both fail to meet the SLA. A member fails the SLA if its packet loss exceeds 5%.

Option B states that HUB1-VPN1 has 12% packet loss. Since 12% is greater than the 5% threshold, HUB1-VPN1 is disqualified. This is a necessary condition for the FortiGate to consider the next-lowest-cost member. The question implies this change leads to HUB1-VPN3 being selected, meaning HUB1-VPN2 is also assumed to be out of SLA.

A. When HUB1-VPN1 has 4% packet loss: A packet loss of 4% is within the 5% SLA threshold, so HUB1-VPN1 would remain the preferred, lowest-cost member.

C. When HUB1-VPN3 has 4% packet loss: This change does not affect the status of HUB1-VPN1, which remains in SLA and has a lower cost, so it continues to be the preferred member.

D. When all three members have the same packet loss: If the shared packet loss is below 5%, HUB1-VPN1 is still chosen due to its lower cost. If it's above 5%, all members are out of SLA.

1. FortiOS 7.4.0 SD-WAN Administration Guide

Page 53

"SD-WAN rules > Strategy": "Lowest Cost (SLA): FortiGate first checks which members meet the SLA criteria defined in the performance SLA. From this subset of members

FortiGate chooses the one with the lowest cost."

2. FortiOS 7.4.0 SD-WAN Administration Guide

Page 41

"Performance SLA > Link health monitor": "A performance SLA is considered to have failed

or be out of SLA

if any of the measured metrics (latency

jitter

or packet loss) have exceeded their configured thresholds." This confirms that a packet loss value greater than the threshold (5% in the exhibit) constitutes an SLA failure.