NSE7_CDS_AR-7.6 Practice Questions

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

In an AWS SD-WAN Transit Gateway (TGW) Connect topology, traffic flow must be meticulously orchestrated through VPC route tables to ensure that the FortiGate-VM (Security VPC) can inspect traffic transitioning between spokes.

Spoke to TGW Redirection (Option E): For traffic to leave a Spoke VPC and reach the inspection hub, the Spoke VPC internal routing table must be configured to send all non-local traffic (0.0.0.0/0) to the Transit Gateway (TGW). This is the first step in the traffic chain.

TGW to FortiGate Redirection (Option A): Once the traffic arrives at the TGW and is forwarded to the Security VPC via a TGW attachment, it lands in the TGW subnet (or attachment subnet). To ensure this traffic is inspected, the Security VPC TGW subnet routing table must point the default route (0.0.0.0/0) to the FortiGate's internal network interface (ENI).

FortiGate Return/Egress Path (Option D): After the FortiGate processes the packet, it must be sent back to the TGW to reach its final destination in a different spoke or to exit via a different gateway. Therefore, the Security VPC FortiGate internal subnet routing table (the subnet where the FortiGate's internal leg resides) must have a default route (0.0.0.0/0) pointing back to the TGW.

Why other options are incorrect:

Option B: If the Security VPC TGW subnet routing table points to the TGW as the next hop, it creates a routing loop where traffic arrives from the TGW and is immediately sent back without being inspected by the FortiGate.

Option C: Pointing all traffic to an Internet Gateway (IGW) would bypass the Transit Gateway entirely and send traffic to the public internet rather than through the internal security fabric.