Question 480 of 1,000
Advanced Networking and SD-WANmediumMultiple SelectObjective-mapped

Quick Answer

The answer is that when using the best quality strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the threshold. This is because the best quality strategy does not require a member to pass the SLA; instead, it compares all available members and chooses the one with the least degradation, ensuring traffic is never dropped outright. On the Fortinet NSE 7 Advanced Security NSE7 exam, this concept tests your understanding of SD-WAN failover behavior under degraded conditions—a common trap is assuming traffic stops when all members fail SLA, but FortiGate’s logic prioritizes forwarding over dropping. Remember that best quality is a “least-bad” selection, not a strict pass/fail filter. A useful memory tip: think of it as “best of a bad lot”—the FortiGate always picks the healthiest link, even if all are sick.

NSE7 Advanced Networking and SD-WAN Practice Question

This NSE7 practice question tests your understanding of advanced networking and sd-wan. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An administrator is configuring SD-WAN on a FortiGate to route traffic between two internet connections (ISP1 and ISP2). The SD-WAN rules use performance SLA to measure latency. Which TWO statements are true about SD-WAN rule matching and failover?

Question 1mediummulti select
Study the full SD-WAN breakdown →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status.

Option A is correct because when an SD-WAN rule is configured with 'best quality' strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the SLA threshold. This ensures traffic is still forwarded using the least-bad option rather than being dropped, maintaining connectivity under degraded conditions.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status.

    Why this is correct

    Correct. If no member meets the SLA, the FortiGate uses the member with the best SLA status (least bad) to forward traffic.

    Related concept

    Read the scenario before looking for a memorised answer.

  • SD-WAN rules can use multiple members and the best member is selected based on performance SLA measurements.

    Why this is correct

    Correct. SD-WAN rules can have multiple members and the best member is chosen based on the configured strategy (e.g., best quality, lowest cost) and SLA status.

    Related concept

    Read the scenario before looking for a memorised answer.

  • SD-WAN automatically fails over all sessions to the backup member if the primary member exceeds the SLA threshold.

    Why it's wrong here

    Incorrect. SD-WAN failover affects only new sessions; existing sessions are not automatically moved unless the session is part of a persistent session or a static route is used.

  • If multiple SD-WAN rules match, the rule with the highest bandwidth member is used.

    Why it's wrong here

    Incorrect. SD-WAN rules are evaluated in order; the first matching rule is used, not the one with highest bandwidth.

  • When the SD-WAN rule action is set to 'lowest cost' and no member meets the SLA, the FortiGate drops the traffic.

    Why it's wrong here

    Incorrect. With 'lowest cost' and no SLA met, the FortiGate still forwards traffic using the member with the lowest cost, but it logs a warning.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume 'best quality' or 'lowest cost' actions will drop traffic when no member meets the SLA, but FortiGate always forwards traffic using the best available member to avoid connectivity loss.

Detailed technical explanation

How to think about this question

Under the hood, FortiGate SD-WAN uses performance SLA probes (e.g., ICMP, HTTP, or DNS) to measure latency, jitter, and packet loss against configured thresholds. The 'best quality' strategy evaluates all members and selects the one with the lowest composite metric (e.g., weighted sum of latency, jitter, loss), even if all are above the SLA threshold, ensuring traffic is never blackholed. In contrast, 'lowest cost' strategy selects the member with the lowest configured cost, but still forwards traffic if no SLA is met, using the lowest-cost member regardless of SLA status.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A practitioner preparing for the NSE7 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related NSE7 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free NSE7 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this NSE7 question test?

Advanced Networking and SD-WAN — This question tests Advanced Networking and SD-WAN — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status. — Option A is correct because when an SD-WAN rule is configured with 'best quality' strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the SLA threshold. This ensures traffic is still forwarded using the least-bad option rather than being dropped, maintaining connectivity under degraded conditions.

What should I do if I get this NSE7 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on NSE7

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. An administrator is troubleshooting an SD-WAN deployment where traffic from the branch to the datacenter is being sent over the backup LTE link even though the primary MPLS link has low latency and jitter. The SD-WAN rule uses 'Best Quality' strategy with latency and jitter metrics. The performance SLA for MPLS shows 'alive'. Which TWO configurations could cause this behavior?

hard
  • A.BFD is enabled on MPLS but not on LTE.
  • B.The SD-WAN rule has 'set member' configured to only include LTE.
  • C.The performance SLA is not associated with the SD-WAN rule.
  • D.The route to the datacenter is learned via OSPF with a lower cost over LTE.
  • E.The latency threshold is set too low for MPLS.

Why B: If the SD-WAN rule has an 'input-device' match that excludes MPLS, or if the rule's 'set member' does not include MPLS, traffic will not use it even if the SLA is good. Another possibility is that the performance SLA is not associated with the rule, so the rule treats MPLS as unavailable. Options A and B are the most likely.

Variation 2. An administrator is configuring SD-WAN with two members: MPLS and Broadband. The requirement is that voice traffic (UDP ports 16384-32768) should use MPLS primarily, and if MPLS fails SLA, then use Broadband. Which two configurations are needed? (Choose TWO.)

medium
  • A.Disable the Broadband member from the SD-WAN zone
  • B.Configure a performance SLA for the MPLS member
  • C.Create an SD-WAN rule that matches voice traffic and uses 'best quality' strategy
  • D.Configure policy-based routing for voice traffic
  • E.Set the load balancing algorithm to 'sessions'

Why B: A performance SLA monitors the MPLS link quality, and an SD-WAN rule is configured to match voice traffic with a strategy that prefers MPLS but falls back to Broadband if SLA fails. Without the SLA, the rule cannot detect failure.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This NSE7 practice question is part of Courseiva's free Fortinet certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the NSE7 exam.