- A
When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status.
Correct. If no member meets the SLA, the FortiGate uses the member with the best SLA status (least bad) to forward traffic.
- B
SD-WAN rules can use multiple members and the best member is selected based on performance SLA measurements.
Correct. SD-WAN rules can have multiple members and the best member is chosen based on the configured strategy (e.g., best quality, lowest cost) and SLA status.
- C
SD-WAN automatically fails over all sessions to the backup member if the primary member exceeds the SLA threshold.
Why wrong: Incorrect. SD-WAN failover affects only new sessions; existing sessions are not automatically moved unless the session is part of a persistent session or a static route is used.
- D
If multiple SD-WAN rules match, the rule with the highest bandwidth member is used.
Why wrong: Incorrect. SD-WAN rules are evaluated in order; the first matching rule is used, not the one with highest bandwidth.
- E
When the SD-WAN rule action is set to 'lowest cost' and no member meets the SLA, the FortiGate drops the traffic.
Why wrong: Incorrect. With 'lowest cost' and no SLA met, the FortiGate still forwards traffic using the member with the lowest cost, but it logs a warning.
Quick Answer
The answer is that when using the best quality strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the threshold. This is because the best quality strategy does not require a member to pass the SLA; instead, it compares all available members and chooses the one with the least degradation, ensuring traffic is never dropped outright. On the Fortinet NSE 7 Advanced Security NSE7 exam, this concept tests your understanding of SD-WAN failover behavior under degraded conditions—a common trap is assuming traffic stops when all members fail SLA, but FortiGate’s logic prioritizes forwarding over dropping. Remember that best quality is a “least-bad” selection, not a strict pass/fail filter. A useful memory tip: think of it as “best of a bad lot”—the FortiGate always picks the healthiest link, even if all are sick.
NSE7 Advanced Networking and SD-WAN Practice Question
This NSE7 practice question tests your understanding of advanced networking and sd-wan. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An administrator is configuring SD-WAN on a FortiGate to route traffic between two internet connections (ISP1 and ISP2). The SD-WAN rules use performance SLA to measure latency. Which TWO statements are true about SD-WAN rule matching and failover?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status.
Option A is correct because when an SD-WAN rule is configured with 'best quality' strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the SLA threshold. This ensures traffic is still forwarded using the least-bad option rather than being dropped, maintaining connectivity under degraded conditions.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status.
Why this is correct
Correct. If no member meets the SLA, the FortiGate uses the member with the best SLA status (least bad) to forward traffic.
Related concept
Read the scenario before looking for a memorised answer.
- ✓
SD-WAN rules can use multiple members and the best member is selected based on performance SLA measurements.
Why this is correct
Correct. SD-WAN rules can have multiple members and the best member is chosen based on the configured strategy (e.g., best quality, lowest cost) and SLA status.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
SD-WAN automatically fails over all sessions to the backup member if the primary member exceeds the SLA threshold.
Why it's wrong here
Incorrect. SD-WAN failover affects only new sessions; existing sessions are not automatically moved unless the session is part of a persistent session or a static route is used.
- ✗
If multiple SD-WAN rules match, the rule with the highest bandwidth member is used.
Why it's wrong here
Incorrect. SD-WAN rules are evaluated in order; the first matching rule is used, not the one with highest bandwidth.
- ✗
When the SD-WAN rule action is set to 'lowest cost' and no member meets the SLA, the FortiGate drops the traffic.
Why it's wrong here
Incorrect. With 'lowest cost' and no SLA met, the FortiGate still forwards traffic using the member with the lowest cost, but it logs a warning.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume 'best quality' or 'lowest cost' actions will drop traffic when no member meets the SLA, but FortiGate always forwards traffic using the best available member to avoid connectivity loss.
Detailed technical explanation
How to think about this question
Under the hood, FortiGate SD-WAN uses performance SLA probes (e.g., ICMP, HTTP, or DNS) to measure latency, jitter, and packet loss against configured thresholds. The 'best quality' strategy evaluates all members and selects the one with the lowest composite metric (e.g., weighted sum of latency, jitter, loss), even if all are above the SLA threshold, ensuring traffic is never blackholed. In contrast, 'lowest cost' strategy selects the member with the lowest configured cost, but still forwards traffic if no SLA is met, using the lowest-cost member regardless of SLA status.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the NSE7 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Advanced Networking and SD-WAN — study guide chapter
Learn the concepts, then practise the questions
- →
Advanced Networking and SD-WAN practice questions
Targeted practice on this topic area only
- →
All NSE7 questions
1,000 questions across all exam domains
- →
Fortinet NSE 7 Advanced Security NSE7 study guide
Full concept coverage aligned to exam objectives
- →
NSE7 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related NSE7 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Advanced Networking and SD-WAN practice questions
Practise NSE7 questions linked to Advanced Networking and SD-WAN.
Advanced VPN and Zero Trust practice questions
Practise NSE7 questions linked to Advanced VPN and Zero Trust.
Enterprise Firewall and VDOMs practice questions
Practise NSE7 questions linked to Enterprise Firewall and VDOMs.
Advanced Threat Protection practice questions
Practise NSE7 questions linked to Advanced Threat Protection.
Troubleshooting and Diagnostics practice questions
Practise NSE7 questions linked to Troubleshooting and Diagnostics.
NSE7 fundamentals practice questions
Practise NSE7 questions linked to NSE7 fundamentals.
NSE7 scenario practice questions
Practise NSE7 questions linked to NSE7 scenario.
NSE7 troubleshooting practice questions
Practise NSE7 questions linked to NSE7 troubleshooting.
Practice this exam
Start a free NSE7 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this NSE7 question test?
Advanced Networking and SD-WAN — This question tests Advanced Networking and SD-WAN — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status. — Option A is correct because when an SD-WAN rule is configured with 'best quality' strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the SLA threshold. This ensures traffic is still forwarded using the least-bad option rather than being dropped, maintaining connectivity under degraded conditions.
What should I do if I get this NSE7 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
2 more ways this is tested on NSE7
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. An administrator is troubleshooting an SD-WAN deployment where traffic from the branch to the datacenter is being sent over the backup LTE link even though the primary MPLS link has low latency and jitter. The SD-WAN rule uses 'Best Quality' strategy with latency and jitter metrics. The performance SLA for MPLS shows 'alive'. Which TWO configurations could cause this behavior?
hard- A.BFD is enabled on MPLS but not on LTE.
- ✓ B.The SD-WAN rule has 'set member' configured to only include LTE.
- ✓ C.The performance SLA is not associated with the SD-WAN rule.
- D.The route to the datacenter is learned via OSPF with a lower cost over LTE.
- E.The latency threshold is set too low for MPLS.
Why B: If the SD-WAN rule has an 'input-device' match that excludes MPLS, or if the rule's 'set member' does not include MPLS, traffic will not use it even if the SLA is good. Another possibility is that the performance SLA is not associated with the rule, so the rule treats MPLS as unavailable. Options A and B are the most likely.
Variation 2. An administrator is configuring SD-WAN with two members: MPLS and Broadband. The requirement is that voice traffic (UDP ports 16384-32768) should use MPLS primarily, and if MPLS fails SLA, then use Broadband. Which two configurations are needed? (Choose TWO.)
medium- A.Disable the Broadband member from the SD-WAN zone
- ✓ B.Configure a performance SLA for the MPLS member
- ✓ C.Create an SD-WAN rule that matches voice traffic and uses 'best quality' strategy
- D.Configure policy-based routing for voice traffic
- E.Set the load balancing algorithm to 'sessions'
Why B: A performance SLA monitors the MPLS link quality, and an SD-WAN rule is configured to match voice traffic with a strategy that prefers MPLS but falls back to Broadband if SLA fails. Without the SLA, the rule cannot detect failure.
Last reviewed: Jun 11, 2026
This NSE7 practice question is part of Courseiva's free Fortinet certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the NSE7 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.