Introduction
If you are preparing for the NSE5_SSE_AD-7.6 (Fortinet NSE 5 – FortiSASE and SD-WAN 7.6 Core Administrator) exam, reading documentation and watching videos will only take you so far. This exam tests how well you can deploy, configure, and troubleshoot real FortiSASE and SD-WAN environments — and the scenario-based questions on the actual test are designed to catch candidates who only studied theory.
The good news is that you can build a fully functional, exam-relevant lab environment at home or in the cloud — for free or at very low cost — using Fortinet’s own evaluation licensing programs.
This guide walks you through everything: what hardware or software you need, how to get free licenses, the exact lab topology to build, and the specific exercises that map to each exam domain.
Why a Hands-On Lab Is Non-Negotiable for This Exam
The NSE5_SSE_AD-7.6 exam covers five domains:
- Decentralized SD-WAN — configuring members, zones, and Performance SLAs (40–50% of exam weight)
- Rules and Routing — SD-WAN traffic steering rules and routing policies
- SASE Deployment — FortiSASE administration, user onboarding, SD-WAN integration
- Secure Internet Access (SIA) and Secure SaaS Access (SSA) — security profiles and compliance rules for managed endpoints
- Analytics — reading SD-WAN and FortiSASE logs, dashboards, and reports
The most common failure points for candidates who only study theory are SD-WAN traffic steering (which they confuse with traditional routing), the order of policy evaluation in SASE deployments, and the analytics section — which many candidates skip entirely during preparation. You cannot develop real confidence in these areas without clicking through the actual GUI and CLI yourself.
Hands-on experience with Fortinet FortiSASE or FortiGate SD-WAN modules is the single most effective way to prepare. Prioritize labs that cover: configuring SD-WAN rules and failover, setting up SASE policies with identity integration, and interpreting analytics dashboards.
Step 1: Choose Your Lab Platform
You have three main options for running the lab. Each has trade-offs depending on your hardware, budget, and available time.
Option A: Local Virtualization (Best for Most Candidates)
Run everything on your own laptop or desktop using a hypervisor. This is the most practical and cost-free path.
Recommended hypervisors:
- VMware Workstation Pro (Windows/Linux) — the most commonly used platform for Fortinet labs; FortiGate VM images download directly from Fortinet’s support portal in OVA format
- VMware Workstation Player (free for personal use)
- VirtualBox (free, but networking features are more limited; works for basic labs)
- KVM/QEMU (Linux-native; excellent performance, free, requires Linux comfort)
Minimum host machine specs for a basic 2-FortiGate lab:
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 4 cores | 8+ cores |
| RAM | 16 GB | 32 GB |
| Disk | 100 GB free | 250 GB SSD |
| OS | Windows 10/11 or Linux | Linux preferred |
For a full lab with FortiGate Hub + FortiGate Spoke + FortiManager + FortiAnalyzer, you will want at least 32 GB RAM. Each VM requires:
- FortiGate-VM: minimum 2 GB RAM, 1 vCPU
- FortiManager-VM: minimum 4 GB RAM, 2 vCPU, 60 GB disk
- FortiAnalyzer-VM: minimum 4 GB RAM, 2 vCPU, 60 GB disk
Option B: EVE-NG or GNS3 (Best for Network Engineers)
EVE-NG (Emulated Virtual Environment — Next Generation) and GNS3 are purpose-built network emulation platforms that many network engineers already use. Both support FortiGate VM images and allow you to build complex multi-site topologies with simulated ISP links — which is ideal for SD-WAN practice.
EVE-NG Community Edition is free and runs as a VM itself (on VMware or bare metal). EVE-NG Pro adds features but is not required for exam prep. The community has shared FortiGate SD-WAN topologies including dual-hub ADVPN designs with multiple WAN circuits, BGP route reflectors, and Performance SLA health checks — exactly the type of scenarios the NSE5_SSE_AD-7.6 exam tests.
GNS3 is also free and similarly capable. It supports FortiGate VM images and allows cloud objects for simulating internet connectivity. You can run GNS3 on your local machine with a GNS3 VM handling the heavy lifting.
Option C: Cloud Lab (Best for Limited Local Hardware)
If your local machine does not have enough RAM, cloud-based labs are a viable alternative.
FortiGate on Azure offers a free 30-day trial with the full-featured FortiGate-VM available directly in the Azure Marketplace. This gives you a properly licensed VM with no interface or route limitations — significantly more useful than the evaluation license for complex SD-WAN labs.
AWS and GCP also host FortiGate-VM marketplace images with trial options. The trade-off is that cloud labs incur compute costs for the duration of each study session, though you can stop VMs when not in use to minimize charges.
Step 2: Get Your Free Licenses
This is where most candidates get stuck. Here is exactly what is available and how to obtain it.
FortiGate-VM — Permanent Evaluation License (Free)
Starting with FortiOS 7.2.1, Fortinet replaced the old 15-day built-in trial with a permanent evaluation license — meaning it never expires. The process:
- Create a free FortiCare/FortiCloud account at support.fortinet.com
- Download the FortiGate-VM image for your hypervisor from the Fortinet support portal (requires a FortiCare account)
- Deploy the VM and boot it up
- Log in to the GUI; you will be prompted to sign in with your FortiCloud account
- The evaluation license is generated automatically and applied to your FortiCloud account
Evaluation license limitations to be aware of:
- Maximum 3 interfaces (was unlimited before 7.2.1)
- Maximum 3 security policies
- Maximum 3 routes (though in practice BGP routing has worked beyond this in some versions — verify for 7.6)
- No support subscriptions (FortiGuard services)
For SD-WAN labs, the 3-interface limit is the most restrictive. You can work around it by using VLAN subinterfaces where the hypervisor supports them, or by using the Azure/AWS 30-day trial for more interface headroom.
Important: Each FortiCloud account can only have one evaluation VM registered at a time. To run multiple FortiGate VMs (Hub + Spoke topology), you will need multiple FortiCare accounts — one per VM.
FortiManager-VM — Free Trial License (3 Managed Devices)
Fortinet offers a built-in free trial for FortiManager-VM directly through the GUI:
- Download the FortiManager-VM image from the Fortinet support portal
- Deploy and start the VM; configure the management port
- In the browser, access the FortiManager GUI
- On the login page, select "Free Trial" and click "Login with FortiCloud"
- Accept the trial license agreement
- The trial license is applied — you will see "Trial License" in the Dashboard’s License Information widget
The free trial FortiManager license allows management of up to 3 devices — enough for a Hub + Spoke + SASE deployment in your lab.
FortiAnalyzer-VM — Free Trial License
The FortiAnalyzer-VM follows the same process as FortiManager — select "Free Trial" on the login screen, authenticate with your FortiCloud account, and the trial license is applied. This gives you a working log aggregation and reporting platform for practicing the Analytics exam domain.
FortiSASE — Free Trial Access
FortiSASE is a cloud-delivered SaaS platform, so there is no VM to download. Fortinet offers trial access through their sales and partner channels. If you are studying independently:
- Contact Fortinet directly at fortinet.com and request a lab/evaluation tenant — sales teams regularly accommodate students preparing for NSE certifications
- If your employer is a Fortinet partner or customer, they may already have access to a FortiSASE tenant that you can use for lab exercises
- The Fortinet NSE training course for this exam includes access to guided lab exercises within a hosted FortiSASE environment — this is the most reliable path to FortiSASE hands-on access
For the SD-WAN portion of the exam (which represents 40–50% of the content), FortiGate-VM + FortiManager is fully sufficient without a live FortiSASE tenant.
Step 3: Build Your Lab Topology
Here is the recommended topology that covers all five exam domains efficiently.
Recommended Lab Topology: Dual-Site Hub-and-Spoke with SASE Integration
Internet (Simulated via VM Network / NAT)
                    |
             [FortiGate HUB]
       (WAN1: ISP-A, WAN2: ISP-B)
            SD-WAN with ADVPN
                    |
          +---------+----------+
          |                    |
    [FGT Spoke-1]        [FGT Spoke-2]
    (WAN1, WAN2)         (WAN1, WAN2)
          |                    |
    [LAN Clients]        [LAN Clients]

[FortiManager-VM]  ← Manages Hub + Spoke-1 + Spoke-2
[FortiAnalyzer-VM] ← Receives logs from all FortiGates
[FortiClient]      ← Installed on a test PC/VM (ZTNA endpoint)
[FortiSASE Tenant] ← Cloud (if available) or simulated via docs
This topology lets you practice:
- SD-WAN member configuration, zones, and Performance SLAs on Hub and Spokes
- ADVPN hub-and-spoke IPsec tunnels with BGP route sharing (spoke-to-spoke shortcuts)
- SD-WAN traffic steering rules (latency-based, SLA-based, application-based)
- FortiManager centralized policy management and SD-WAN overlay templates
- FortiAnalyzer log collection, dashboards, and report generation
- FortiClient ZTNA agent configuration
- FortiSASE integration with the SD-WAN hub (Secure Private Access)
Networking Inside Your Hypervisor
Create the following virtual networks (VMware port groups or VirtualBox host-only networks):
| Network Name | Purpose | CIDR Suggestion |
|---|---|---|
| MGMT | Out-of-band management for all VMs | 192.168.100.0/24 |
| ISP-A | Simulated ISP for WAN1 | 10.10.1.0/24 |
| ISP-B | Simulated ISP for WAN2 | 10.10.2.0/24 |
| HUB-LAN | Hub site local network | 172.16.0.0/24 |
| SPOKE1-LAN | Spoke 1 local network | 172.16.1.0/24 |
| SPOKE2-LAN | Spoke 2 local network | 172.16.2.0/24 |
Use a Linux VM (Ubuntu Server is fine) as a simulated client behind each spoke, and a Linux VM as a simulated internet server behind the Hub to generate SD-WAN traffic.
Step 4: Lab Exercises by Exam Domain
Work through these exercises in order — they build on each other and map directly to the five NSE5_SSE_AD-7.6 exam domains.
Domain 1: Decentralized SD-WAN (40–50% Exam Weight)
These exercises are the most important. Allocate the most time here.
Exercise 1.1 — SD-WAN Member and Zone Configuration
On Spoke-1:
- Add WAN1 and WAN2 as SD-WAN members
- Create an SD-WAN zone called "OVERLAY"
- Set interface roles, cost values, and gateway addresses
Exercise 1.2 — Performance SLA (Health Check) Setup
- Configure a Performance SLA targeting 8.8.8.8 (or your simulated internet server)
- Set probe type to ICMP
- Define SLA thresholds: latency < 100ms, jitter < 20ms, packet loss < 5%
- Switch probe mode to HTTP and observe the difference
- Practice passive SLA mode — understand the two observable impacts on traffic monitoring
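To check the thresholds from this exercise against CLI output, the following added example (not part of the original guide or any Fortinet tooling) parses text in the style of `diagnose sys sdwan health-check` and reports which members fall outside the SLA. The sample output is constructed, its line layout is an assumption to verify on your FortiOS build, and the function names are hypothetical.

```python
import re

# Thresholds from Exercise 1.2: latency < 100 ms, jitter < 20 ms, packet loss < 5 %.
SLA = {"latency": 100.0, "jitter": 20.0, "packet-loss": 5.0}

# Constructed sample (not captured from a device). The line layout is an
# assumption modelled on the command's usual output; check it against your build.
SAMPLE = """\
Health Check(SLA_Internet):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(142.310), jitter(3.204), mos(4.100), sla_map=0x0
Seq(2 port2): state(alive), packet-loss(0.000%) latency(18.772), jitter(1.015), mos(4.390), sla_map=0x1
Seq(3 port3): state(dead), packet-loss(100.000%) sla_map=0x0
"""

_HDR = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
_SEQ = re.compile(r"^Seq\((?P<seq>\d+) (?P<intf>[^)]+)\): state\((?P<state>\w+)\)")
_METRIC = re.compile(r"(packet-loss|latency|jitter)\(([\d.]+)%?\)")


def parse_health_check(text):
    """Return one dict per SD-WAN member line, tagged with its health-check name."""
    members, check = [], None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = _HDR.match(line)
        if hdr:
            check = hdr["name"]
            continue
        seq = _SEQ.match(line)
        if not seq:
            continue  # prompts, blank lines, unrelated output
        member = {"check": check, "seq": int(seq["seq"]),
                  "interface": seq["intf"], "state": seq["state"]}
        # A dead member reports packet loss only; latency and jitter are absent.
        member.update({k: float(v) for k, v in _METRIC.findall(line)})
        members.append(member)
    return members


def sla_violations(member, sla=SLA):
    """List the reasons a member fails the SLA; an empty list means it passes."""
    if member["state"] != "alive":
        return ["state=" + member["state"]]
    reasons = []
    for metric, limit in sla.items():
        value = member.get(metric)
        if value is None:
            reasons.append(metric + " not reported")
        elif value >= limit:
            reasons.append(f"{metric} {value:g} >= {limit:g}")
    return reasons


def members_in_sla(text, sla=SLA):
    """Interfaces that currently satisfy every threshold."""
    return [m["interface"] for m in parse_health_check(text)
            if not sla_violations(m, sla)]


if __name__ == "__main__":
    for m in parse_health_check(SAMPLE):
        print(m["interface"], sla_violations(m) or "in SLA")
```

Paste real output from your spoke in place of `SAMPLE` before and after degrading WAN1 to see the member drop out of the in-SLA list.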
Exercise 1.3 — ADVPN Hub-and-Spoke IPsec Tunnel Setup
- Configure dynamic IPsec tunnels from Spoke-1 and Spoke-2 to Hub
- Enable auto-discovery VPN (ADVPN) on phase 1
- Configure mode-cfg on Hub for automatic IP assignment to spoke tunnel interfaces
- Verify spoke-to-spoke shortcuts are established when traffic flows directly between sites
Exercise 1.4 — BGP Configuration for Route Distribution
- Configure BGP on Hub as route reflector
- Configure iBGP on Spoke-1 and Spoke-2 peering to Hub
- Advertise LAN subnets from each spoke to Hub
- Verify that Spoke-1 can reach Spoke-2’s LAN via Hub, and that shortcut tunnels form for direct spoke-to-spoke paths
Domain 2: Rules and Routing
Exercise 2.1 — Basic SD-WAN Rule: Application-Based Steering
- Create an SD-WAN rule that steers Microsoft 365 traffic over WAN1 (preferred) with WAN2 as failover
- Use application signatures for Office 365 rather than destination IPs
- Test by generating traffic and observing the SD-WAN monitor
Exercise 2.2 — SLA-Based Traffic Steering
- Create an SD-WAN rule that selects the member with the lowest latency
- Force WAN1 to simulate high latency (in your lab, block or delay it)
- Verify that traffic shifts to WAN2 automatically when SLA thresholds are breached
Exercise 2.3 — Link Selection Strategies
- Configure "lowest latency" link selection on one rule
- Configure "best quality" on another
- Understand when to use each strategy — this is a common exam question
Exercise 2.4 — Static Route and SD-WAN Route Interaction
- Add a static default route on a spoke
- Observe how SD-WAN rules take precedence over static routing for matched traffic
- Understand the policy lookup order: SD-WAN rules → firewall policies → static routes
Domain 3: SASE Deployment
Exercise 3.1 — FortiSASE Administration Settings
- If you have a FortiSASE tenant: log in and explore the administration dashboard
- Locate the SD-WAN hub integration section (Secure Private Access)
- Review the PoP selection and geolocation settings
Exercise 3.2 — User Onboarding Methods
Practice each of the three onboarding methods in FortiSASE or study the configuration deeply:
- FortiClient-based (agent): configure FortiClient EMS connection to FortiSASE
- Browser-based (agentless): configure agentless web access for unmanaged devices
- IPsec/SSL VPN from FortiGate branch: connect a FortiGate spoke to FortiSASE as a site connector
Exercise 3.3 — ZTNA Tag Configuration
- On your FortiGate lab, configure ZTNA tags via FortiClient
- Create a ZTNA firewall policy that requires a valid ZTNA tag for access
- Test access with and without the ZTNA tag to understand how device posture affects access
Exercise 3.4 — FortiSASE and SD-WAN Hub Integration
Using the FortiSASE SPA (Secure Private Access) deployment guide:
- Configure the IPsec VPN on your FortiGate Hub to accept FortiSASE PoP spokes
- Configure BGP to allow FortiSASE users to reach the hub LAN
- Verify that a test user connecting through FortiSASE can reach resources behind the Hub
Domain 4: Secure Internet Access (SIA) and Secure SaaS Access (SSA)
Exercise 4.1 — Security Profile Configuration in FortiSASE
- Configure a web filter profile (block social media categories, allow business applications)
- Configure SSL deep inspection
- Assign the profile to a FortiSASE security policy for managed endpoints
Exercise 4.2 — Inline CASB for SaaS Access Control
- In FortiSASE, configure inline CASB to restrict uploads to personal cloud storage (e.g., block uploads to personal Dropbox while allowing corporate Dropbox)
- Understand the difference between inline CASB and API-based CASB
Exercise 4.3 — FortiSASE Standard vs Advanced License Features
Study the feature matrix carefully — exam questions specifically test knowledge of which features require Standard vs Advanced licensing:
- Standard: SWG, ZTNA, basic CASB, basic DLP
- Advanced: Full DLP, inline CASB, Digital Experience Monitoring (DEM), Secure SD-WAN integration
Exercise 4.4 — Agentless Access Configuration
- Configure an agentless security policy in FortiSASE for BYOD/unmanaged devices
- Understand the limitations compared to agent-based (FortiClient) enforcement
Domain 5: Analytics
This domain is the most skipped in study plans — and shows up on the exam. Do not skip it.
Exercise 5.1 — FortiAnalyzer Dashboard Configuration
- In your FortiAnalyzer VM, connect your FortiGate VMs as log sources
- Explore the default dashboards: Top Threats, Traffic, Application Usage
- Build a custom dashboard that shows SD-WAN bandwidth usage by WAN member
Exercise 5.2 — SD-WAN Monitor in FortiGate GUI
- Open the SD-WAN Monitor under Network > SD-WAN
- Generate traffic and observe real-time bandwidth, latency, jitter, and packet loss per member
- Practice identifying which link a specific application flow is using
Exercise 5.3 — Log Interpretation
- Generate a blocked web access event (trigger your web filter)
- Find the log in FortiAnalyzer: Log View > Traffic
- Identify the key log fields: srcip, dstip, action, policyid, app, catdesc
- Practice filtering logs by source IP, time range, and action
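The same filtering can be practiced offline on exported raw logs. This added example (not from the original guide) parses FortiGate-style key=value lines, pulls out the key fields named above, and filters by source network, time range, and action. The log lines are constructed samples, and `parse_line` and `filter_logs` are hypothetical names.

```python
import ipaddress
import re
from datetime import datetime

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_TS = "%Y-%m-%d %H:%M:%S"

# Fields the exercise asks you to identify.
KEY_FIELDS = ("srcip", "dstip", "action", "policyid", "app", "catdesc")

# Constructed sample lines (not real traffic); sources use the lab's spoke LANs.
SAMPLE_LOGS = """\
date=2025-01-15 time=09:12:03 type="utm" subtype="webfilter" srcip=172.16.1.10 dstip=203.0.113.20 action="blocked" policyid=2 catdesc="Social Networking"
date=2025-01-15 time=09:14:47 type="traffic" subtype="forward" srcip=172.16.1.10 dstip=203.0.113.80 action="accept" policyid=1 app="Microsoft.Office.365" catdesc="Information Technology"
date=2025-01-15 time=09:31:20 type="utm" subtype="webfilter" srcip=172.16.2.25 dstip=203.0.113.20 action="blocked" policyid=2 catdesc="Social Networking"
date=2025-01-15 time=11:02:55 type="utm" subtype="webfilter" srcip=172.16.1.44 dstip=203.0.113.21 action="blocked" policyid=2 catdesc="Streaming Media and Download"
date=2025-01-15 time=11:40
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is unusable."""
    rec = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
           for m in _KV.finditer(line)}
    try:
        rec["_ts"] = datetime.strptime(rec["date"] + " " + rec["time"], _TS)
        rec["_src"] = ipaddress.ip_address(rec["srcip"])
    except (KeyError, ValueError):
        return None  # truncated or malformed line: skip it rather than guess
    return rec


def filter_logs(text, src_net=None, start=None, end=None, action=None):
    """Filter by source network, inclusive time window and action.

    start and end are "YYYY-MM-DD HH:MM:SS" strings; any filter may be omitted.
    """
    net = ipaddress.ip_network(src_net) if src_net else None
    t0 = datetime.strptime(start, _TS) if start else None
    t1 = datetime.strptime(end, _TS) if end else None
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if net is not None and rec["_src"] not in net:
            continue
        if (t0 and rec["_ts"] < t0) or (t1 and rec["_ts"] > t1):
            continue
        if action and rec.get("action") != action:
            continue
        # Fields missing from a line come back as None instead of raising.
        hits.append({k: rec.get(k) for k in KEY_FIELDS})
    return hits


if __name__ == "__main__":
    for hit in filter_logs(SAMPLE_LOGS, src_net="172.16.1.0/24", action="blocked"):
        print(hit)
```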
Exercise 5.4 — FortiSASE Analytics Dashboard
- In FortiSASE (or from documentation/screenshots if no tenant available), study the Analytics section
- Identify: Security posture summary, top blocked threats, user activity reports
- Understand how to generate a compliance report for a SASE deployment
Exercise 5.5 — FortiManager SD-WAN Monitoring
- In FortiManager, navigate to SD-WAN Monitor
- Observe the health status of managed FortiGate WAN links
- Practice reading Performance SLA history graphs for link quality trends
Step 5: Common Lab Mistakes to Avoid
Mistake 1 — Only building one FortiGate
The SD-WAN exam content requires you to understand hub-and-spoke topologies with multiple sites. A single FortiGate cannot replicate the scenarios tested on the exam.
Mistake 2 — Skipping FortiManager
The exam specifically tests FortiSASE administration settings and SD-WAN integration through FortiManager. Getting comfortable with the centralized management interface is not optional.
Mistake 3 — Ignoring the CLI
The GUI is great for understanding concepts, but the exam uses CLI output in several questions. Practice key diagnostic commands:
- get router info routing-table all — verify route table
- diagnose sys sdwan health-check — view Performance SLA status
- diagnose sys sdwan service — view SD-WAN rule hit counts
- get vpn ipsec tunnel summary — verify ADVPN tunnels
Mistake 4 — Not practicing failover
Traffic steering during link failure is a core exam topic. In your lab, deliberately shut down WAN1 (or block it with a firewall rule) and verify that traffic moves to WAN2 as expected within the SLA recovery window.
Mistake 5 — Skipping passive SLA mode
Passive probe mode is a specific exam topic. Configure it, observe the behavioral differences from active mode, and understand why it matters for zero-added-traffic health checking.
Step 6: Supplementary Resources for Your Lab
Official Fortinet Resources (Free):
- Fortinet Document Library (docs.fortinet.com) — the FortiOS 7.6 Administration Guide, FortiSASE Administration Guide, and FortiManager Administration Guide are your primary references
- Fortinet Video Library (video.fortinet.com) — product demonstration videos covering many lab scenarios
- Fortinet NSE Training (training.fortinet.com) — the official NSE 5 FortiSASE & Secure SD-WAN course includes guided lab access; check if free access is available via the NSE Institute
GitHub:
- Search "Fortinet SD-WAN lab" on GitHub — Fortinet’s own GitHub (github.com/fortinet) includes 4-D SD-WAN demonstration configurations for various topologies, including ADVPN multi-hub setups
Community:
- Fortinet Community Forums (community.fortinet.com) — active community with SD-WAN and FortiSASE configuration examples and troubleshooting discussions
- r/fortinet on Reddit — candidates share exam experiences and lab tips
Recommended Study Schedule Using Your Lab
| Week | Focus | Lab Exercises |
|---|---|---|
| Week 1 | Lab setup + SD-WAN basics | Step 1–3: Deploy VMs, get licenses, build topology; Exercises 1.1–1.2 |
| Week 2 | ADVPN + BGP + SD-WAN rules | Exercises 1.3–1.4, 2.1–2.4 |
| Week 3 | SASE Deployment + SIA/SSA | Exercises 3.1–3.4, 4.1–4.4 |
| Week 4 | Analytics + Review | Exercises 5.1–5.5; full topology teardown and rebuild from memory |
Final Tips Before the Exam
The NSE5_SSE_AD-7.6 exam has 30–35 questions with a 65-minute time limit. The scenario-based questions — where you are given a network description and asked what configuration or troubleshooting step applies — are the ones that lab practice directly prepares you for.
Before your exam date:
- Rebuild your entire lab topology from scratch at least once without referring to notes. If you can configure it without guidance, you can answer exam questions about it confidently.
- Review Performance SLA passive vs active mode, link selection strategies (lowest latency, best quality, lowest cost), and SD-WAN rule priority order — these appear frequently.
- In the final week, spend one full session only on the Analytics domain. Read FortiAnalyzer logs, build a custom report, and study the FortiSASE analytics dashboards from screenshots or documentation if you do not have a live tenant.
- Simulate the 65-minute exam condition using practice tests to build time management habits.
A lab environment is not just a study tool — it is the difference between a candidate who recognizes exam scenarios and one who truly understands them. Build it early, use it consistently, and the NSE5_SSE_AD-7.6 exam will reflect exactly what you have already done with your own hands.
Key Takeaways
- A local virtualization lab (VMware Workstation + FortiGate-VM + FortiManager-VM) is free and covers all five exam domains
- FortiGate-VM uses a permanent (non-expiring) evaluation license available with a free FortiCare account; FortiManager-VM offers a free trial supporting 3 managed devices
- The recommended lab topology is a dual-site hub-and-spoke with ADVPN, BGP, and FortiManager/FortiAnalyzer management
- Domain 1 (Decentralized SD-WAN) carries 40–50% of exam weight — prioritize ADVPN, Performance SLA, and member/zone configuration
- Domain 5 (Analytics) is the most skipped but appears consistently on the exam — do not neglect it
- Practice failover scenarios, passive SLA mode, and CLI diagnostics — all are exam-tested
