Fortinet Guides

Study guides and field notes from working with Fortinet in production. Configuration walkthroughs, exam preparation, and the diagnostic commands that come up most often under pressure.

Sub-sections

NSE4 — FortiGate Administrator

A 10-part walk through the official NSE4 / FCP FortiGate Administrator curriculum. Concept, GUI path, CLI equivalent, and diagnostics for each lesson.

View NSE4 Series →

NSE5 — FortiManager Administrator

A 10-part walk through the official NSE5 / FCP FortiManager Administrator curriculum. ADOMs, templates, policy packages, install operations, and the diagnostic toolbox.

View NSE5 Series →

NSE6 — Secure Networking Specialist

A 14-part walk through the NSE6 Secure Networking stream. Covers all four exam tracks: FortiAuthenticator, FortiSwitch, FortiAP, and FortiNAC.

View NSE6 Series →

FortiGate Troubleshooting

Deep dives into packet flow on a 50G FortiGate — from the NP7 fast path, through stateful inspection, SD-WAN, policy, NAT, and UTM, to egress. Includes a complete diagnose / get / show command cookbook.

View Troubleshooting →

NSE4 Study Series

A 10-part walk through the official NSE4 / FCP FortiGate Administrator curriculum — concept, GUI path, CLI equivalent, and diagnostics for each lesson. Full series hub: NSE4 sub-section.

  1. NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)

    Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.

  2. The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 1: System Health & Routing

    Part 1 of a 3-part deep-dive CLI reference for the NSE 4 exam. Covers get system status, get system performance status, interface and NIC diagnostics, the routing table RIB vs FIB, ARP, and ping-options — with live output breakdowns and exam-pressure indicators for every command.

  3. NSE4 Part 2: Initial Configuration & the Security Fabric

    Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.

  4. The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 2: Session Table & Packet Flow

    Part 2 of 3 in the NSE 4 CLI reference series. Deep-dives into FortiOS session table internals — filtering, reading, and clearing sessions — then covers the packet sniffer verbosity levels 1–6 and the full debug flow chain with line-by-line breakdown of successful vs. dropped traces.

  5. NSE4 Part 3: Firewall Policies & NAT

    Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.

  6. The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 3: VPN & HA

    Part 3 of 3 in the NSE 4 CLI reference series. Covers IPsec VPN diagnostics (IKE gateway state, tunnel SAs, SPI counter discrepancies), SSL-VPN authentication traces, and HA cluster mechanics — election criteria, heartbeat state, and configuration synchronisation verification via checksum hashes.

  7. NSE4 Part 4: Authentication, FSSO & Certificates

    Part 4 of the NSE4 study series — local and remote authentication (LDAP, RADIUS), captive portal, Fortinet Single Sign-On (FSSO) modes, and certificate operations including SSL deep inspection.

  8. NSE4 Part 5: Logging, Monitoring & Diagnostics

    Part 5 of the NSE4 study series — log categories and severity, local vs remote storage, FortiAnalyzer and syslog forwarding, threat weight scoring, and the diagnostic commands you actually reach for under pressure.

  9. NSE4 Part 6: Security Profiles — Web, App Control, AV, IPS, DoS

    Part 6 of the NSE4 study series — the five security profiles you attach to firewall policies: web filter, application control, antivirus, intrusion prevention, and denial-of-service.

  10. NSE4 Part 7: SSL VPN

    Part 7 of the NSE4 study series — SSL VPN modes (web, tunnel, full), portals, realms, MFA, split tunnelling and the diagnostic commands for tracking down a stuck client.

  11. NSE4 Part 8: IPsec VPN

    Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.

  12. NSE4 Part 9: Routing & SD-WAN

    Part 9 of the NSE4 study series — static and policy routing, distance vs priority, RPF, OSPF and BGP basics, and how SD-WAN turns a pile of WAN links into a single steered zone with performance SLAs.

  13. NSE4 Part 10: High Availability

    Part 10 — the final post in the NSE4 study series. Covers FGCP, active-passive vs active-active, heartbeat and monitor interfaces, session synchronisation, failover behaviour, and the diagnostic output you'll be asked to interpret.

NSE5 Study Series

A 10-part walk through the official NSE5 / FCP FortiManager Administrator curriculum — ADOMs, templates, policy packages, install operations, workflow mode, and the diagnostic toolbox. Full series hub: NSE5 sub-section.

  1. NSE5 Exam Syllabus: Study Roadmap (Part 1 of 10)

    Part 1 of a 10-part study series for the Fortinet NSE 5 / FCP FortiManager Administrator certification. Covers the exam logistics, the official curriculum grouped into topic buckets, and the roadmap for the rest of the series.

  2. NSE5 Part 2: Initial Configuration and System Settings

    Part 2 of the NSE5 study series — covers the day-one FortiManager configuration: network, admin access, system time, DNS, FortiGuard, OFTP, the on-disk file structure, and the diagnostic commands worth memorising before anything else.

  3. NSE5 Part 3: High Availability

    Part 3 of the NSE5 study series — covers the FortiManager HA cluster: primary and secondary roles, the sync mechanics, monitor IPs, manual vs automatic failover, and what to do when the cluster splits.

  4. NSE5 Part 4: Administrative Domains (ADOMs)

    Part 4 of the NSE5 study series — covers Administrative Domains: normal vs advanced ADOMs, version locking, ADOM modes, RBAC scope, and the per-ADOM revision history that underpins the rest of the FortiManager workflow.

  5. NSE5 Part 5: Device Registration and Provisioning

    Part 5 of the NSE5 study series — covers device registration: the FGFM tunnel, manual vs automatic registration, model devices, zero-touch provisioning, and the install operations that turn a registered device into a managed device.

  6. NSE5 Part 6: Device-Level Configuration and Templates

    Part 6 of the NSE5 study series — covers the FortiManager template engine: provisioning templates, CLI templates, SD-WAN, IPsec, and certificate templates, and how they compose into a single per-device install.

  7. NSE5 Part 7: Policy and Objects

    Part 7 of the NSE5 study series — covers ADOM-level policy management: policy packages, the object database, dynamic objects, install previews, install logs, and the cleanup workflows that keep the database lean.

  8. NSE5 Part 8: Workflow, Workspace Mode and Revision Control

    Part 8 of the NSE5 study series — covers workspace mode and the workflow approval engine: ADOM locking, read/write sessions, the workflow state machine, and how to recover an ADOM that two admins are fighting over.

  9. NSE5 Part 9: Diagnostics and Troubleshooting

    Part 9 of the NSE5 study series — covers the FortiManager diagnostic toolbox: device-manager diagnostics, the FGFM tunnel, install-failure forensics, oftpd, packet capture, and the debug commands worth knowing under exam pressure.

  10. NSE5 Part 10: Advanced Features and Integrations

    Part 10 — the final post in the NSE5 study series. Covers the advanced features that make FortiManager more than a config pusher: FortiGuard distribution, scripting, the JSON-RPC API, SSO, and FortiAnalyzer integration.

NSE6 Secure Networking Series

A 14-part walk through the NSE6 Secure Networking stream — FortiAuthenticator, FortiSwitch, FortiAP, and FortiNAC. Full series hub: NSE6 sub-section.

  1. NSE6 Part 1: Stream Overview, Exam Structure, and the Secure Networking Stack

    What the NSE6 Secure Networking specialist stream covers, how the four product exam tracks fit together, and how FortiAuthenticator, FortiSwitch, FortiAP, and FortiNAC form a joined-up access-layer security story.

  2. NSE6 Part 2: FortiAuthenticator Architecture and Local Authentication

    FortiAuthenticator deployment modes, hardware vs VM sizing, initial setup, local user and group management, password policies, account lockout, and the admin interfaces you use to build out a working identity store before you plug in LDAP or RADIUS.

  3. NSE6 Part 3: FortiAuthenticator RADIUS Service, LDAP Integration, and Remote Auth

    How FortiAuthenticator acts as a RADIUS server for FortiGate, FortiSwitch, and other NAS devices; configuring realms and routing; integrating with Active Directory via LDAP; and the diagnostic commands that expose exactly where an authentication flow breaks.

  4. NSE6 Part 4: FortiToken 2FA, Certificate Management, and the Self-Service Portal

    Adding a second factor with FortiToken hardware and mobile tokens, certificate authority configuration and SCEP enrollment, and setting up the self-service portal for password reset, token activation, and guest account management with sponsor approval.

  5. NSE6 Part 5: FortiSwitch Hardware, FortiLink Managed Mode, and Initial Provisioning

    FortiSwitch hardware families and PoE considerations, how FortiLink turns a FortiGate into a wired switching controller, the discovery and authorisation process for bringing a switch under management, and firmware management from the FortiGate GUI.

  6. NSE6 Part 6: FortiSwitch VLANs, RSTP, Link Aggregation, and Stacking Design

    VLAN trunking and access port configuration under FortiLink, RSTP bridge priority and port roles, static and LACP link aggregation, MCLAG dual-homing for access-layer resilience, and QoS trust modes for DSCP/CoS remarking at the network edge.

  7. NSE6 Part 7: FortiSwitch 802.1X, MAC Authentication Bypass, and Port Security

    Port-level 802.1X authentication with FortiAuthenticator as the RADIUS backend, EAP method selection, dynamic VLAN assignment from RADIUS attributes, MAC Authentication Bypass for non-supplicant devices, sticky MAC port security, and CoA-triggered VLAN changes mid-session.

  8. NSE6 Part 8: FortiAP Hardware, CAPWAP Discovery, and AP Provisioning

    Wi-Fi 6 fundamentals and the key 802.11 standards, FortiAP hardware families and PoE requirements, how CAPWAP connects APs to the FortiGate wireless controller, the four AP discovery methods, WTP profile configuration, and the authorisation and firmware management workflow.

  9. NSE6 Part 9: FortiAP SSIDs, Wireless Security Modes, and RF Management

    SSID and VAP configuration options, every wireless security mode from Open to WPA3-Enterprise, dynamic VLAN assignment via RADIUS for wireless, captive portal integration with FortiAuthenticator, band steering, and the RF management tools that keep channels clean in dense deployments.

  10. NSE6 Part 10: FortiAP Rogue Detection, Wireless IDS, Mesh, and Troubleshooting

    WIDS rogue AP classification and containment, wireless IDS signature types, FortiAP mesh topology with root and leaf APs, OfficeExtender remote AP split-tunnel deployment, and the diagnostic commands and common failure patterns for the FCA-FAP exam troubleshooting section.

  11. NSE6 Part 11: FortiNAC Architecture, Network Discovery, and Device Profiling

    NAC concepts and where FortiNAC sits in the Security Fabric, Control and Application server roles, HA architecture, how FortiNAC discovers network devices via SNMP and SSH, passive and active endpoint discovery, and the fingerprinting methods that determine what type of device is on each port.

  12. NSE6 Part 12: FortiNAC Access Policies, CoA, and VLAN Enforcement

    The FortiNAC policy model — groups, access values, and network access policies — how RADIUS and CoA enforce VLAN assignment on FortiSwitch and third-party switches, logical networks for VLAN abstraction, and the end-to-end 802.1X enforcement flow from endpoint connect to VLAN assignment.

  13. NSE6 Part 13: FortiNAC Endpoint Compliance, Agents, and Host Isolation

    Persistent, dissolvable, and agentless posture assessment methods, compliance rules and remediation actions, quarantine VLAN and isolation workflow, guest self-registration and sponsor approval, BYOD certificate onboarding, and MDM integration with Intune, Jamf, and FortiClient EMS.

  14. NSE6 Part 14: FortiNAC HA, Reporting, and End-to-End Troubleshooting

    FortiNAC HA failover mechanics, MySQL replication, syslog/FAZ integration, alarm framework, built-in and custom reports, and a systematic troubleshooting guide for discovery failures, enforcement problems, and 802.1X issues — with a complete end-to-end trace of a new endpoint joining.

FortiGate Troubleshooting — A Day in the Life of a Packet

A five-part deep dive following one packet through a 50G FortiGate — NP7 fast path, stateful inspection, SD-WAN service rules, firewall policy and NAT, UTM, and egress. Ends with a complete diagnostic command cookbook. Full series hub: FortiGate Troubleshooting sub-section.

  1. A Day in the Life of a Packet on a 50G FortiGate, Part 1: Ingress, NP7, and the Fast Path

    Where the packet is born on a 50G FortiGate. From the wire and DMA, through the NP7 SoC's session cache, IPSA, NTurbo, and the moment a packet either flies through hardware or crosses the bridge into the kernel slow path.

  2. A Day in the Life of a Packet on a 50G FortiGate, Part 2: Stateful Inspection, Session Lookup, and Anti-Spoofing

    The packet has been punted from the NP7 to the kernel. Now FortiOS does the things ASICs cannot: IP integrity, DoS sensors, RPF, session table lookup, helpers, and the state machine that decides whether this is a brand new flow or one we already know.

RADIUS for FortiGate SD-WAN

A focused two-part series on running admin AAA against a FortiGate SD-WAN edge — RADIUS vs TACACS+ at the protocol level, the RADIUS server options worth knowing, and the FortiOS configuration with three worked RBAC examples.

  1. RADIUS vs TACACS+ on FortiGate SD-WAN: Choosing the Right AAA Backend (Part 1 of 2)

    Part 1 of 2 on RADIUS for FortiGate SD-WAN. Covers the protocol differences vs TACACS+, the RADIUS server options worth knowing (NPS, FortiAuthenticator, FreeRADIUS, ISE, Okta, Duo, Entra), and when each protocol is the right call for FortiOS.

  2. Configuring RADIUS Admin Auth on FortiGate SD-WAN: RBAC and Three User Profiles (Part 2 of 2)

    Part 2 of 2 on RADIUS for FortiGate SD-WAN. Walks through the FortiOS config end-to-end — RADIUS server entry, group-to-profile mapping via VSA, three worked RBAC examples (senior engineer, NOC operator, compliance auditor), and the verification commands you'll need.

Other Fortinet Posts