TTechclick All lessons
Fortinet · FortiGate · SD-WAN🔥 ~75% of Fortinet interviews touch this · #5 in frequency · FortiSASE-era flagshipInteractive · L1 / L2 / L3

FortiGate SD-WAN — Performance SLAs, 5 Rule Strategies, and Path Selection in 11 Minutes

SD-WAN is Google Maps for your packets. It checks live traffic on every road (the performance SLA probe), picks the best path per trip, and reroutes when a jam appears. Get that mental model and the next 5 strategy modes stop feeling like alphabet soup. Recruiters at an Indian enterprise, the retail chain, an Indian IT services firm, an Indian MSP and an Indian security firm want to hear it from you in two clean sentences.

📅 2026-05-26 · ⏱ 11 min · 5 SVG infographics · 2 path-selection visualizers · 🏷 10-Q Bloom-tiered assessment + AI Tutor

Pick your path — jump to your weak spot

1

Zones + members

virtual-wan-zone, wan1, wan2, IPsec — what's a zone, what's a member, and why the order matters.

 2

Performance SLA tuning

5ms / 5ms / 0% defaults, probe targets, hold-down timers — and where they break.

 3

5 strategies decoded

Manual · Best Quality · Lowest Cost SLA · Maximize Bandwidth · Auto — pick which, when, why.

 4

Debug a bad path

`diag sys sdwan health-check`, the rule-hit counter, and one sniffer trick.

Why this matters — the Google Maps analogy

Imagine you're driving to a customer site in Bangalore. You open Google Maps. It checks every road — Outer Ring Road, Sarjapur, Hosur — sees the live traffic colour (green / yellow / red), and picks the fastest right now. Halfway through, an accident closes one road; Maps reroutes you in seconds. FortiGate SD-WAN does the same thing for your packets: it watches every WAN link's latency, jitter and loss in real time, decides per-session (and sometimes per-flow) which one to use, and reroutes when one degrades.

The part that catches L1 candidates: SD-WAN is not a routing protocol. It sits on top of routing — you still need a default route on every member. SD-WAN just picks which route to prefer for each session.

Scenario · Aman — network engineer rolling SD-WAN at a 50-branch Bangalore retail chain

Aman (L2 Network, 2.5 years in) has been handed the rollout of FortiGate SD-WAN across 50 branch offices for a manufacturing client. Each branch has two ISPs (wan1 = ACT Broadband, wan2 = Airtel) plus an IPsec tunnel to the HQ data centre over MPLS. The brief: "Microsoft 365 must use the lowest-jitter path, ERP must always go via MPLS, and general internet should load-share."

Day 1 he ships a "Best Quality" rule for everything. Day 2, voice calls on Teams start jittering mid-call because Best Quality keeps re-evaluating per-flow and flipping paths every 30 seconds. By the end of this blog you'll know exactly which strategy Aman should have picked, and why.

FortiGate SD-WAN architecture — zones, members, probes, and the rules engine A virtual WAN zone called overlay-zone holds three members — wan1 (ISP-A), wan2 (ISP-B), and ipsec-MPLS. Each member sends performance SLA probes (ICMP, HTTP, DNS) to a target like 8.8.8.8 or an HQ health URL. A rules engine in the middle reads the live SLA results and decides per-session which member to use. SD-WAN building blocks — Zone holds members, probes test them, rules pick one Branch FG-100F 10.40.1.1 virtual-wan-zone "overlay-zone" Member 1 · wan1 ISP-A · 203.0.113.30 Member 2 · wan2 ISP-B · 203.0.113.130 Member 3 · ipsec-HQ MPLS overlay · 10.10.0.1 SD-WAN rules first-match wins → pick member probe → probe → probe → SLA target · 8.8.8.8 ICMP probe · 500ms interval SLA target · M365 svc HTTP-GET · outlook.office.com SLA target · HQ /api/health HTTPS · TLS handshake check ↳ latency ↳ jitter ↳ loss Default SLA thresholds (FortiOS 7.4 / 7.6) latency ≤ 5 ms · jitter ≤ 5 ms · packet-loss ≤ 0 % Tune these per-app — voice ~30/30/1, ERP ~150/40/0.5, backups can live with 200/50/2. A zone holds members. Each member runs SLA probes. Rules read those live results and pick a member per session.
Figure 1. The full SD-WAN picture — a virtual-wan-zone bundles 2 ISP members + 1 IPsec member. Each member runs performance SLA probes (ICMP / HTTP / TLS) against a target. The rules engine reads the live latency / jitter / loss and decides which member each session goes out on.

Three terms every interviewer will test

SD-WAN zone is the logical container. Member is each WAN link inside the zone (wan1, wan2, the IPsec to HQ). Performance SLA is the live health check on each member.

The biggest L1 trap: candidates conflate zone with member. A firewall policy with srcintf=lan, dstintf=overlay-zone covers every member inside that zone. You don't write three policies for three WAN links — that's the whole point.

🏷
SD-WAN Zone
tap to flip

Logical bundle of members. Security policies and routing reference this — not the physical interfaces. Default zone is virtual-wan-link; you can create many.

🔌
Member
tap to flip

A single WAN link inside a zone — physical (wan1/wan2) or virtual (IPsec tunnel). Has a sequence number, gateway, cost, and priority.

📡
Performance SLA
tap to flip

Live latency / jitter / loss probe per member. Defaults: 5ms / 5ms / 0%. Hit thresholds = "in SLA"; miss = "out of SLA" and rule may switch.

📜
Service Rule
tap to flip

The ordered list deciding which member each session uses. Match src / dst / app / ISDB → pick strategy → choose member. First match wins.

🌐
ISDB
tap to flip

Internet Service Database — Fortinet's curated list of public-IP sets per cloud service (Microsoft-365, Salesforce, Zoom). Use it instead of typing IPs.

🚫
Implicit Rule
tap to flip

The last SD-WAN rule. Anything not matched by an explicit rule falls here. Pick the strategy carefully — it's the default behaviour for "everything else".

Performance SLA — the heartbeat that decides everything

Every SD-WAN decision depends on one signal: is this member in SLA right now? If yes, it's a candidate. If no, the rule strategy may dump it for another member. So performance SLA tuning is where 70% of real-world SD-WAN problems live.

The defaults you'll see in config system sdwan / config health-check are latency ≤ 5 ms · jitter ≤ 5 ms · packet-loss ≤ 0%. These are absurdly tight for any path that touches the internet — even a clean fibre to AWS Mumbai will fail the 5 ms target. Always tune them per app.

A session's journey through SD-WAN — from user PC to egress on the chosen member Linear horizontal flow: user at 10.40.1.50 sends a session toward outlook.office.com, the FortiGate runs ISDB lookup, identifies it as Microsoft-365 traffic, the matching SD-WAN rule uses Lowest Cost SLA strategy, the rules engine picks wan2 (lower jitter), and the packet egresses on wan2. M365 session → ISDB lookup → Lowest-Cost-SLA → egress on wan2 Aman's user 10.40.1.50 → M365 FortiGate SD-WAN pipeline (branch 10.40.1.1) ① ISDB lookup dst-IP 52.96.165.20 → ISDB="Microsoft-365" ② Service rule match rule 3 — ISDB Microsoft-365 → strategy: Lowest Cost SLA ③ Read live SLA wan1 ISP-A → lat 22ms / jit 8ms / loss 0.1% · in SLA ✓ wan2 ISP-B → lat 18ms / jit 3ms / loss 0.0% · in SLA ✓ ← lower jitter ④ Pick wan2 (lower jitter wins under Lowest-Cost-SLA tie-break) Egress wan2 Note: stickiness — once the rule chose wan2 for this session, the session stays on wan2 even if wan1 later wins by 1 ms. That's the entire point of Lowest Cost SLA vs Best Quality.
Figure 2. One M365 session walks the SD-WAN pipeline. ISDB resolves the destination to "Microsoft-365" → matching service rule picks Lowest-Cost-SLA → both members are in SLA → wan2 wins on lower jitter → packet egresses wan2 → session stays sticky on wan2.
Pause & Predict #1

Before you scroll — if both wan1 and wan2 are in SLA and the rule uses Lowest Cost SLA, what happens when wan2 (the currently-chosen member) suddenly spikes to 80 ms latency for 10 seconds, then recovers?

Lowest Cost SLA is sticky. The 10-second spike triggers "out of SLA" → if there's a healthier member (wan1), new sessions move to wan1. Existing sessions continue on wan2 until they end (TCP timeout / FIN). When wan2 recovers, sessions do not snap back automatically — the next new session matches the rule again and may stay on wan1. This is why Lowest Cost SLA is voice-friendly: no mid-call flipping. Compare with Best Quality, where the spike + recovery could flip the active session twice.
Quick check · Q1 of 10

What are the FortiOS default performance SLA thresholds for latency, jitter, and packet loss?

Correct: b. The shipped defaults are 5 ms / 5 ms / 0% (per Fortinet Docs SD-WAN performance SLA). They're aggressive on purpose — they force you to tune per app. Most production rollouts loosen them: voice 30/30/1, ERP 150/40/0.5, bulk backup 200/50/2. Memorize this — it's a top-three Fortinet SD-WAN interview question.

Real config — a tuned SLA for Microsoft 365

Aman opens his branch FG-100F and writes a fresh performance SLA for M365:

CLI — performance SLA for Microsoft 365 with HTTP probe 
config system sdwan
    config health-check
        edit "M365-Health"
            set server "outlook.office.com"
            set protocol http
            set http-get "/api/health"
            set members 1 2
            set sla-id-redistribute 1
            config sla
                edit 1
                    set latency-threshold 80
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
            end
            set interval 500
            set failtime 5
            set recoverytime 10
        next
    end
end
Verify with `diag sys sdwan health-check` 
Health Check(M365-Health):
Seq(1 wan1): state(alive), packet-loss(0.000%) latency(22.140), jitter(7.911) sla_map=0x1
Seq(2 wan2): state(alive), packet-loss(0.000%) latency(18.302), jitter(3.144) sla_map=0x1

Both members show state(alive) and sla_map=0x1 meaning they both meet SLA 1. The rule engine will pick between them — for Lowest-Cost-SLA, wan2 wins on jitter; for Best Quality, it picks whichever is best right now.

SLA probe target — pick wisely

Don't hammer 8.8.8.8 from 50 branches every 500 ms — Google rate-limits ICMP and you'll see flapping. For per-app SLA, probe a target that reflects the actual service: outlook.office.com for M365, salesforce.com for SF, an internal HTTPS health endpoint for ERP. Or run two health-checks per member — one ICMP to the ISP gateway for liveness, one HTTP to the real service for quality.

The 5 rule strategies — which to pick and why

FortiGate SD-WAN gives you five strategy modes. Each is a different answer to the same question: "when more than one member is eligible, which do I use?" Get this matrix straight and 30% of your interview SD-WAN round is over.

Decision tree — which SD-WAN rule strategy to pick Branching tree starting from "do I need a fixed primary member?" leading to Manual mode, otherwise asking "do I need session stickiness once SLA is met?" leading to Lowest Cost SLA, otherwise "do I want load-share across members?" leading to Maximize Bandwidth, otherwise Best Quality (re-evaluates per flow), with a warning that Best Quality flips paths mid-call and is bad for VoIP. Auto sits as a catch-all default. Which SD-WAN rule strategy should I pick? Do you need a FIXED primary member (e.g. always MPLS for ERP)? YES → Manual pin to one member · fallback to next if down NO → Session stickiness once SLA is met? (voice / video / TCP-sensitive apps) YES → Lowest Cost SLA ★ stay on cheapest in-SLA member. Sticky once chosen → voice-safe. Want active load-share across members? YES → Maximize Bandwidth round-robin / weighted across members. Asymmetric routing risk — pair with SNAT. Best Quality re-eval per FLOW · highest-quality wins → flips mid-call · BAD for VoIP Auto = catch-all default FortiOS picks based on SLA + cost. Fine for "general internet" rule. Don't use for voice / VPN-overlay. ⚠ The #1 SD-WAN VoIP mistake Best Quality on voice = jitter spikes. Use Manual (pin to MPLS) or Lowest-Cost-SLA with stickiness.
Figure 3. Strategy chooser. Best Quality looks clever but flips mid-call — never use it for voice or anything stateful. Lowest Cost SLA is the safe default for most app-aware rules; Manual is the safe default for "always MPLS"; Maximize Bandwidth is the safe default for general internet.
5 SD-WAN strategies × 4 attributes — comparison matrix Comparison table with 5 rows (Manual, Best Quality, Lowest Cost SLA, Maximize Bandwidth, Auto) and 4 columns (Stickiness, SLA-aware, Load-share, Best for which app type). 5 strategies × 4 attributes — at-a-glance matrix Strategy Sticky? SLA-aware? Load-share? Best for… Manual ✓ pinned ERP "always MPLS" Best Quality ✗ flips ✓ live partial Stateless HTTP only · NOT voice Lowest Cost SLA ★ ✓ session Voice · M365 · TCP-sensitive Maximize Bandwidth ✓ per-session partial ✓ active General internet · bulk download Auto depends passive Implicit/default rule · catch-all Star = the strategy that solves Aman's the retail chain problem. Best Quality looks tempting but the no-stickiness column is its undoing.
Figure 4. The 5 strategies side-by-side. The "Sticky?" column is the one most candidates miss — it's the single attribute that decides VoIP success or failure on SD-WAN.
The #1 SD-WAN voice mistake

You enable a Best Quality rule for "all important traffic" thinking quality = good. Best Quality re-evaluates every flow — and for a long-running SIP/RTP voice call, that means the path can switch mid-conversation, causing jitter spikes and one-way audio. Use Manual (pin to MPLS) or Lowest-Cost-SLA (sticky once chosen). Verify with diag sys sdwan service — the strategy is printed in the rule output.

Quick check · Q2 of 10

Aman has two SD-WAN service rules. Rule 1 (sequence 1): src LAN → ISDB Microsoft-365, strategy Lowest Cost SLA. Rule 2 (sequence 2): src LAN → any, strategy Maximize Bandwidth. A user opens outlook.office.com. Which rule applies?

Correct: b. SD-WAN service rules are ordered, top-down, first-match. Rule 1 matches the ISDB → Lowest-Cost-SLA → stickiness → great for M365. Rule 2 acts as the implicit catch-all for everything else (general browsing, bulk downloads). Rule order is the lever — get it wrong and your M365 traffic ends up on the bulk-internet path.

Real config — Aman's three-rule layout

Here's exactly how Aman should have written it on day 1:

CLI — three SD-WAN service rules (the retail chain branch) 
config system sdwan
    config service
        edit 1
            set name "ERP-pin-MPLS"
            set dst "ERP-servers-HQ"
            set src "internal-lan"
            set mode manual
            set priority-members 3
        next
        edit 2
            set name "M365-LowestCostSLA"
            set internet-service enable
            set internet-service-name "Microsoft-365"
            set src "internal-lan"
            set mode sla
            config sla
                edit "M365-Health"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        edit 3
            set name "General-Internet-LoadShare"
            set dst "all"
            set src "internal-lan"
            set mode load-balance
            set priority-members 1 2
        next
    end
end
Verify with `diag sys sdwan service` 
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Members(1): 1: Seq_num(3 ipsec-MPLS), alive, selected
Service(2): Address Mode(IPV4) flags=0x4200 use-shortcut-sla
  Internet Service(327681): Microsoft-365.0(327681,0,0)
  SLA(1): jitter 3 latency 18 packet-loss 0.000% (member 2)
  Members(2): 2: Seq_num(2 wan2), alive, selected · 1: Seq_num(1 wan1), alive
Service(3): Address Mode(IPV4) flags=0x0 load-balance
  Members(2): 1: Seq_num(1 wan1), alive · 2: Seq_num(2 wan2), alive
Pro tip — default route on every member is still mandatory

SD-WAN is a steering layer — it doesn't replace routing. If an SD-WAN rule fails to find any healthy member (or no rule matches), the packet falls back to the regular routing table. Every SD-WAN member must have a default route via its gateway (config router static). Without that, traffic black-holes when the SLA goes bad. Check with get router info routing-table sdwan.

▶ Watch a voice session — wan1 SLA degrades, Lowest-Cost-SLA picks wan2

Aman's branch — a Teams call originates on wan1 (current best). Mid-call wan1 jitter spikes. Watch what happens with the Lowest-Cost-SLA strategy.

① CALL STARTS 10.40.1.50:51234teams.microsoft.com:443
wan1 lat 18ms jit 3ms · wan2 lat 22ms jit 4ms · rule 2 (Lowest-Cost-SLA) picks wan1 (cheapest in-SLA)
② 30 SECONDS IN Stable. Voice clear. Session sticks to wan1 (Lowest-Cost-SLA stickiness).
③ WAN1 DEGRADES wan1 jit climbs to 35ms (above 30ms threshold) → SLA fail → wan1 marked OUT of SLA
④ NEW SESSIONS ROUTE TO WAN2 New M365 sessions match rule 2 → wan2 (in-SLA, sticky). Current Teams call: still on wan1.
⑤ CALL ENDS, NEW CALL Teams renegotiates → new session → rule 2 picks wan2 (only in-SLA member). Quality recovers.
⑥ KEY DIFFERENCE Under Best Quality, step 4 would have flipped the live call mid-conversation → audio glitch.
Press Play to step through the 6 stages of a voice session under Lowest-Cost-SLA. Each Next advances one stage.
Scenario continued · Aman fixes Teams audio

Two days after Aman flips rule 2 from Best Quality to Lowest-Cost-SLA, the call-drop tickets stop. He confirms in diag sys sdwan service that rule 2 is sticky on wan2 and diag sys session list | grep sdwan shows long-running Teams sessions hugging their initial member. The trade-off: when wan2 briefly worsens, Lowest-Cost-SLA waits for current sessions to finish before re-evaluating — better than mid-call flipping.

Pause & Predict #2

A branch has wan1 + wan2 + an IPsec tunnel to HQ all in one zone. Aman wants ERP traffic to ALWAYS go via the IPsec tunnel even if wan1/wan2 are faster — but he wants automatic fallback to wan1 if the tunnel is down. Which strategy and which fields?

Manual mode with priority-members ordered. set mode manual and set priority-members 3 1 (3 = the IPsec tunnel member's sequence number, 1 = wan1 as fallback). Manual mode pins to the first listed member if alive; falls through to the next if it goes dead. SLA-aware modes don't apply because Aman doesn't want SLA-based reshuffling. The tunnel's link-detect (or BGP next-hop check) decides "alive" — define a health-check on the tunnel member to make that explicit.

▶ ISDB-aware steering — Microsoft-365 across both ISPs

Same user, same packet, but watch how the ISDB ID picks a different rule than a destination-IP match would.

① SESSION ARRIVES User → 52.96.165.20:443 (a public M365 endpoint that day)
② ISDB LOOKUP FortiGuard ISDB DB → 52.96.165.20 → category: Microsoft-365
③ RULE 2 MATCHES rule 2 (M365-LowestCostSLA, ISDB=Microsoft-365) MATCHES → strategy Lowest-Cost-SLA
④ MEMBER PICK Both wan1 + wan2 in-SLA → cheapest cost wins (wan2 set cost=10 vs wan1 cost=20) → pick wan2
⑤ EGRESS WAN2 Session installed → sticky → next M365 session → ISDB matches again → wan2
⑥ POWER OF ISDB Tomorrow M365 IP changes to 52.108.42.10. ISDB DB updates. Same rule still works — no manual IP list.
Same firewall, same user. ISDB is the trick — Fortinet keeps the IP list fresh so you don't have to.
Quick check · Q3 of 10

Aman has rule 2 using ISDB Microsoft-365. Microsoft adds 200 new IPs to its public range. A week later users complain M365 traffic is on the wrong path. Most likely cause?

Correct: a. ISDB needs a live FortiGuard ISDB / Internet Service contract to receive cloud-IP updates. Without that, new IPs Microsoft adds are unknown — the rule's ISDB filter doesn't match → packet falls through to the catch-all rule. Check the update status with diag autoupdate versions and confirm the Internet Service Database is current.

Debug a bad path — settle every SD-WAN argument in 90 seconds

Vikram, an L3 at an Indian security firm, doesn't open the GUI to debug SD-WAN. He runs three commands. You should too.

CLI — the three commands that settle every SD-WAN debate 
# 1. What is each member's live SLA?
diagnose sys sdwan health-check

# 2. Which rule matched and which member is selected?
diagnose sys sdwan service

# 3. Which member did a given session land on?
diagnose sys session list | grep -E 'policy|sdwan'
Expected output of health-check (good case) 
Health Check(M365-Health):
Seq(1 wan1): state(alive), packet-loss(0.000%) latency(22.140), jitter(7.911) sla_map=0x1
Seq(2 wan2): state(alive), packet-loss(0.000%) latency(18.302), jitter(3.144) sla_map=0x1
Seq(3 ipsec-MPLS): state(alive), packet-loss(0.000%) latency(8.011), jitter(1.022) sla_map=0x1

If a member shows state(dead) or sla_map=0x0, that's your culprit — the rule won't pick that member until probes recover. If all members are dead, your probe target is the problem (firewall rule blocking 8.8.8.8, ISP DNS hijacking your health-check URL).

FortiGate SD-WAN CLI cheat-sheet — nine commands A 3-column grid of nine mini-tiles, each showing a FortiOS SD-WAN diagnostic CLI command and the one-line use case. SD-WAN CLI cheat-sheet — nine commands that settle every path argument ① HEALTH-CHECK diag sys sdwan health-check Live latency/jitter/loss per member ② SERVICE RULES diag sys sdwan service Which rule + which member won ③ MEMBER STATE diag sys sdwan member Per-member status, cost, packets ④ SHOW CONFIG config system sdwan show Dump full SD-WAN config ⑤ SDWAN ROUTES get router info routing-table sdwan SD-WAN-installed routes only ⑥ SESSION TABLE diag sys session list | grep sdwan Active sessions per member ⑦ SNIFFER PROBE diag sniffer packet any 'host 8.8.8.8 and icmp' See if SLA probes actually leave ⑧ MANUAL PROBE execute sdwan service-monitor Force-trigger SLA recheck ⑨ DEEP DEBUG diag debug application sdwan -1 Full SD-WAN engine trace logs Bookmark this page. These 9 commands handle ~80% of SD-WAN incidents in the field. Tested on FortiOS 7.4 / 7.6. Output format identical on FG-60F, 100F, 600F, 1500D.
Figure 5. Cheat-sheet — 9 commands that handle ~80% of SD-WAN incidents. Print this for your lab bench or paste into your runbook before the next interview.
Verify a member swap actually happened

After tuning an SLA or moving a rule, run:

diagnose sys sdwan service

Look for the line Members(N): X: Seq_num(Y intf), alive, selected. The "selected" tag tells you exactly which member is currently active for that rule. If "selected" doesn't change after your config push, restart probes with execute sdwan service-monitor.

ADVPN vs SD-WAN — when which?

This is a high-level L3 question. Both ADVPN and SD-WAN solve "smart overlay across multiple paths", but they live at different layers. ADVPN is the transport — it builds a dynamic mesh of IPsec tunnels so spokes can shortcut through each other instead of hairpinning via HQ. SD-WAN is the steering brain — it chooses which of those tunnels (or which raw internet member) a session uses based on live SLA. Real production setups run SD-WAN on top of ADVPN: ADVPN gives many encrypted paths; SD-WAN picks the best one per app per moment.

Pro tip — avoid asymmetric routing on dual-WAN

If your SD-WAN rule load-shares outbound across wan1 + wan2 but reply traffic comes back via a different ISP than it went out (asymmetric), stateful inspection breaks. Two clean fixes: (1) SNAT every session at the egress member with a per-member IP pool — so return traffic naturally lands on the same WAN; (2) use Manual or Lowest-Cost-SLA strategy so a session sticks to one member end-to-end. Diagnose with diag sys session list and check asic` flag.

2024-25 production incident every Fortinet candidate should know

Mid-2024, a large Indian MSP rolled out FortiGate SD-WAN to 300+ retail branches with a default ICMP performance SLA probe targeting 8.8.8.8 every 500 ms. Google began rate-limiting their /24 — ICMP started dropping intermittently, every branch's SLA flapped, sessions thrashed between wan1 and wan2 with Best-Quality rules in play, voice quality collapsed across the fleet. Root cause: they hammered a public anycast endpoint from 300 sources at 2 Hz each.

Fix: probe target moved to each ISP's own gateway for liveness + an internal HTTPS health endpoint for quality. Reduced probe interval to 2s. Switched voice rules from Best-Quality to Lowest-Cost-SLA. The lesson: never let an SD-WAN probe become an unintended DoS against your dependency. Source: 2024 NSE 7 SD-WAN field report compiled across CBT Nuggets + community forum threads.

Pause & Predict #3

Aman runs diag sys sdwan health-check and sees wan1 with latency(100.412) but the manual ping from CLI to the same SLA target completes in 22 ms. What's the most likely cause?

The SLA probe isn't going out wan1. The CLI ping uses the default route (whichever member is active), not necessarily the wan1 source-interface. The SLA probe is bound to wan1 with set source-ip / set source-interface — if that source-IP can't egress wan1 (asymmetric NAT upstream, ISP filtering source IP), the probe takes a longer path or fails. Fix: confirm set source-ip in the health-check, sniff with diag sniffer packet wan1 'icmp and host 8.8.8.8' — if no packets, the probe never leaves the interface.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. Tuned on FortiOS 7.4 / 7.6 SD-WAN docs + NSE 7 SD-WAN exam blueprint + community threads.

Pre-curated answers grounded in FortiOS 7.4 / 7.6 docs + NSE 7 SD-WAN blueprint + LIVECommunity. For complex prod issues, paste your diag sys sdwan service + diag sys sdwan health-check output into chat.techclick.in.

📝 Final round — seven more

You've already answered 3 inline. Seven more. 70% (7 of 10) total marks this lesson complete on your Techclick profile. Tap Submit all answers at the end.

Q4 · Remember

Which of the following best describes the difference between an SD-WAN zone and an SD-WAN member?

Correct: a. Zone = logical group. Member = the physical or virtual WAN link inside it (wan1, wan2, IPsec). Policies / routing reference the zone — that's the whole point. Memorize for L1 screening; this is a textbook NSE 4 / NSE 7 SD-WAN question.
Q5 · Apply

Aman has a branch with wan1 (cheap), wan2 (slightly more expensive but lower latency), and ipsec-MPLS (most expensive). He wants Microsoft Teams voice to use the LOWEST-LATENCY in-SLA path and STICK to it for the duration of each call. Pick the right strategy.

Correct: c. Lowest Cost SLA gives you (1) SLA-awareness so a bad member is skipped, (2) stickiness so a live call doesn't flip mid-conversation. Manual would force MPLS even when wan2 is healthier; Best Quality flips per-flow → mid-call jitter; Maximize Bandwidth splits sessions across members → asymmetric / out-of-order RTP. This single answer is worth maybe 8 marks in an L2 SD-WAN interview round.
Q6 · Apply

A new SD-WAN rule is configured but no traffic is hitting it according to diag sys sdwan service. Which is the FIRST thing to confirm?

Correct: b. Rule order is the #1 reason a new SD-WAN rule "doesn't work". Service rules use first-match-wins. Drag the new rule above the catch-all; verify it became "selected" in diag sys sdwan service. Same mental model as firewall policy ordering — a top rule that's broader will swallow the traffic before your specific rule is even evaluated.
Q7 · Analyze

Riya inherits a FortiGate where SD-WAN rules are perfectly tuned but during a brief wan1 outage, traffic goes nowhere — even though wan2 is up and in SLA. diag sys sdwan service shows the rule has "selected" wan2 already. What's the most likely cause?

Correct: d. SD-WAN is a steering layer that runs ON TOP of routing. The rule says "use wan2" but the FIB must have a usable route via wan2's gateway. Default route on every member is mandatory — verify with get router info routing-table all. Without it, the steered packet black-holes silently.
Q8 · Analyze

Across 300 branches in an MSP rollout, voice quality collapses one Monday morning. Common configs: ICMP SLA probes hitting 8.8.8.8 every 500 ms, Best-Quality strategy on voice. What is the most likely chain of cause?

Correct: c. Two compounding problems: noisy probe target (mass ICMP to a public anycast) + voice strategy that flips paths. Either alone would have been survivable. Together they wiped a whole fleet. Always size probe load to the destination; never use Best-Quality on stateful protocols. Real-world Indian MSP incident documented across community threads.
Q9 · Evaluate

An auditor proposes "for simplicity, use ONE SD-WAN rule covering all internal source addresses + ANY destination, with Maximize Bandwidth strategy across wan1 + wan2 + IPsec-HQ." Is this proposal sound for a branch that runs ERP + voice + general internet?

Correct: c. One mega-rule with Maximize Bandwidth defeats the entire purpose of SD-WAN. The right model is application-aware: ERP on Manual (pinned MPLS), voice on Lowest-Cost-SLA (sticky, SLA-aware), bulk internet on Maximize Bandwidth (load-share). Reject the auditor's proposal politely with a layered alternative.
Q10 · Evaluate

A senior interviewer asks: "What's the relationship between ADVPN and SD-WAN, and would you use both?" Pick the most accurate answer.

Correct: d. ADVPN = dynamic mesh transport. SD-WAN = steering brain. They live at different layers and complement each other. Real branches run both. Memorize the one-sentence version: "ADVPN builds the paths; SD-WAN picks among them." This is the textbook L3 / NSE 7 SD-WAN architecture answer.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

Self-explanation prompt

In 2-3 sentences, explain to a hypothetical batchmate: "Why is Lowest Cost SLA the safer choice than Best Quality for voice traffic on a FortiGate SD-WAN?" Writing it out cements the concept faster than re-reading.

📤 Teach a friend on WhatsApp: Share

📖 Mini-glossary — terms used in this blog

SD-WAN zone
Logical bundle of one or more SD-WAN members. Policies and routing reference the zone.
Member
A single WAN link inside an SD-WAN zone — wan1, wan2, an IPsec tunnel, etc.
Performance SLA
Live latency/jitter/loss probe per member. Defaults 5 ms / 5 ms / 0%.
Service rule
Ordered SD-WAN rule deciding which member each session uses (top-down, first-match).
ISDB
Internet Service Database — Fortinet's curated public-IP sets per cloud service.
Best Quality
Strategy that picks the highest-quality member per flow — flips mid-session.
Lowest Cost SLA
Strategy that picks the cheapest in-SLA member and sticks per session. Voice-safe.
Manual
Strategy that pins to one preferred member; fails over only if it's down.
Maximize Bandwidth
Strategy that load-shares sessions across members. Watch asymmetry.
Auto
Catch-all strategy; FortiOS picks based on SLA + cost. Fine for the implicit rule.
ADVPN
Auto-Discovery VPN — dynamic IPsec mesh between spokes. Transport beneath SD-WAN.
Application steering
Routing decisions based on application identity (ISDB, app-id), not just IP/port.
FortiSASE
Fortinet's SASE — SD-WAN + SSE / ZTNA / SWG in a cloud-delivered service.
Where this gets asked: SD-WAN is a top-3 technical filter at an Indian enterprise, the retail chain, an Indian IT services firm, an Indian MSP and an Indian security firm for any branch-transformation / FortiSASE role. L2 rounds expect the 5-strategy matrix + ISDB + performance SLA defaults. L3 rounds add ADVPN-vs-SD-WAN, asymmetric routing, and the diag sys sdwan health-check + diag sys sdwan service debug muscle memory.

What's next?

Blog 5 opens up FortiGate Security Profiles — flow-based vs proxy-based inspection, web filter, app control, IPS, AV, and the inline-CASB additions in 7.4+ that the FortiSASE-era recruiters love to test.

Blog 5 · FortiGate Security Profiles → ← All Fortinet lessons

📚 Sources

  1. Fortinet Docs — SD-WAN Performance SLA (FortiOS 7.6 Administration Guide). docs.fortinet.com/document/fortigate/7.6.6/administration-guide/584396/sd-wan-performance-sla
  2. Fortinet Docs — SD-WAN Rules and Strategy Modes (FortiOS 7.4 / 7.6). docs.fortinet.com
  3. Resume Pro — Fortinet SD-WAN Key Interview Questions (2025). resumeprofessionalwriters.com/fortinet-sd-wan-key-interview-questions
  4. CBT Nuggets — What is covered on the NSE 7 SD-WAN exam (2025). cbtnuggets.com/blog/certifications/security/what-is-covered-on-the-nse-7-sd-wan-exam
  5. Fortinet Community — Routing Methods in FortiGate (Policy, ISDB, SD-WAN, Static, Dynamic). community.fortinet.com/fortigate-3/technical-tip-routing-methods-in-fortigate-policy-isdb-sd-wan-static-and-dynamic-routes-105196
  6. Fortinet Community — SD-WAN troubleshooting — diag sys sdwan and friends. community.fortinet.com (multiple troubleshooting threads, 2024–2025)
  7. UniNets — Top Fortinet Firewall Interview Q&A 2025 (SD-WAN section). uninets.com/blog/fortinet-firewall-interview-questions-answers