View all questions & answers for the FCSS - SD-WAN 7.4 Architect Exam Materials exam


Question 40 Discussion

Refer to the exhibit. What conclusions can you draw about the traffic received by FortiGate originating from the source LAN device 10.0.1.133 and destined for the company's SMTP mail server at 10.66.0.125? (Choose one answer)

  • A. FortiGate steers the traffic from 10.0.1.133 to 10.66.0.125 through port3
  • B. FortiGate steers the traffic from 10.0.1.133 to 10.66.0.125 through port2
  • C. FortiGate steers the traffic from 10.0.1.133 to 10.66.0.125 through the SD-WAN member ID 4
  • D. FortiGate steers the traffic from 10.0.1.133 to 10.66.0.125 through the SD-WAN member ID 1 or 2
Correct Answer: D

Brave-Dump Clients Votes

D 66.67%
C 33.33%

Comments



michael 2025-07-05 17:01:22

Selected Answers: C


confusing question. why not A. it matches source/destination. maybe gateway is not correct. Then it will match service3. C should be correct. Last match is D with perfect source/designation match. But top down approach will match service 3 before 4. any other logic ?
  • Brave-Dumps Admin 2025-07-08 21:24:24
    Dear michael, please check my comment.

Brave-Dumps Admin 2025-07-08 21:23:59

Selected Answers: D


D is the correct and logical answer:

The source IP 10.0.1.133 and destination 10.66.0.125 are a perfect match for the last policy (service=4), both ranges match exactly.

This policy (service=4) uses SD-WAN members 1 and 2 with round-robin, so FortiGate will follow that logic.

Other options:

A: Doesn’t match — source subnet in that rule is 10.0.1.128/25, which doesn’t include 10.0.1.133.
B: Port2 is part of another rule (service=1) with extra application control (Salesforce/SMTP_Signed.Email), which likely doesn’t apply here.

C: Source matches, but the destination is too broad (0.0.0.0/0) — less specific than the last rule. In top-down matching, more specific match wins, even if it comes later.

So, while service=3 comes before service=4, it’s not a better match — that's why FortiGate hits the last rule instead.

FortiGate always uses the first rule that fully matches source and destination most accurately, and in this case, that’s D.
  • michael 2025-07-11 16:48:35
    A. 10.0.1.133 is in range 10.0.1.128/25, but seems gateway is same range as source subnet. C. it matches top to bottom in SDWAN rules. this I have tested in the lab. just fyi.
  • Mattia Bruno 2025-08-27 16:22:47
    It's D but because of 2131427329, in this you can see it's for member 2or1 which are the same as the last one. and it's the only one with hit count

Elrasheed 2025-07-19 15:24:04

Selected Answers: D


D. is correct: Source and destination match and the only policy with hit_count greater than 0. Other rules has hit_count=0.