Blog
Technical articles, deep dives, and commentary on networking and technology.
-
VeloCloud SD-WAN and Partner Gateways Part 1: MPLS-Only Site Architecture
A deep dive into how VeloCloud SD-WAN connects MPLS-only branch sites via Partner Gateways — covering the NNI, underlay BGP peering, and why MPLS-only edges present a unique onboarding challenge.
-
VeloCloud SD-WAN and Partner Gateways Part 2: Onboarding an MPLS-Only Edge
A step-by-step walkthrough of how an MPLS-only VeloCloud Edge activates using a temporary internet path injected into the MPLS VRF, what changes once the VCMP tunnels are up, and how the production routing state differs from the onboarding state.
-
VeloCloud SD-WAN and Partner Gateways Part 3: Taming the Default Route at the NNI
Why a 0/0 leaking from the MPLS underlay into a VeloCloud Partner Gateway is dangerous, how to filter it at the NNI, and the VeloCloud best practice approach to default route handling — with BGP policy examples.
-
BGP Route Dampening Part 1: The Flapping Problem, Exponential Decay, and Cisco Configuration
A deep dive into how BGP route dampening works: the 1990s internet instability that created it, the exponential decay algorithm behind it, every Cisco parameter explained, and a full configuration and verification reference.
-
BGP Route Dampening Part 2: RFC 7454, BFD, and Where Dampening Still Belongs
Why the IETF now discourages global BGP route dampening, how Bidirectional Forwarding Detection interacts with it, what RFC 7454 actually says, and the specific modern scenarios where dampening remains the right answer.
-
RYA SRC Part 1 — GMDSS, Sea Areas, and Why the SRC Exists
An exam-grade walk through the Global Maritime Distress and Safety System — the four Sea Areas, the players that regulate it, and why a UK boater needs an SRC to legally key the PTT.
-
RYA SRC Part 10 — How to Pass the SRC Exam: Structure, Timing, and Day-of
A practical guide to actually passing the SRC — eligibility documents, the £76 fee, what's in the written paper and the practical assessment, a two-week study plan, the common gotchas the examiner watches for, and what to do on the day.
-
RYA SRC Part 11 — Practice Exam: 50 Questions (Paper A and Paper B)
Two 25-question practice papers covering the full RYA SRC syllabus — multi-choice and short-answer, with full worked explanations in the answer key. Sit each paper timed (45 minutes), mark honestly, revise the misses.
-
RYA SRC Part 2 — VHF Channels, Frequencies, and Propagation
The VHF marine band channel-by-channel — what CH16, CH70, CH13, CH67, CH80 and the M channels are for, why CH70 is sacred, how to estimate range from antenna heights, and the simplex/duplex distinctions that come up in the exam.
-
RYA SRC Part 3 — The VHF Set: Controls, Antennas, and Power
Front-panel by front-panel — squelch, hi/lo power, dual-watch, the DSC distress button under the flap, why antenna height matters more than antenna gain on a sailboat, and the battery routines that keep a handheld working when you actually need it.
-
RYA SRC Part 4 — DSC and MMSI: How the Radio Calls Other Radios
Digital Selective Calling unpacked — the four call priorities, the four call types, the nine-digit MMSI structure and what each prefix means, the nature-of-distress menu options, and what happens if a small craft tries to acknowledge a distress alert in Sea Area A1 (don't).
-
RYA SRC Part 5 — Distress: DSC Alerts, MAYDAY, and MAYDAY RELAY
The full distress procedure end to end — pressing the DSC button, the voice MAYDAY format you'll be examined on, who controls distress traffic, what SEELONCE MAYDAY and SEELONCE FEENEE mean, and when to send a MAYDAY RELAY for someone else.
-
RYA SRC Part 6 — Urgency, Safety, and Routine Voice Procedure
PAN-PAN, SECURITE, and the routine voice procedure — when to use which, the radio-medical call, the IMO Standard Marine Communication Phrases, the NATO phonetic alphabet, prowords, and what to do with an unanswered or garbled call.
-
RYA SRC Part 7 — EPIRBs, SARTs, and NAVTEX
The rest of GMDSS that the SRC syllabus covers — 406 MHz Cospas-Sarsat EPIRBs and how to register them, the difference between AIS-SART and Radar-SART, PLBs and MOB beacons, and the NAVTEX message format including which letter codes you can never reject.
-
RYA SRC Part 8 — Protecting Distress Frequencies: False Alerts, Testing, and Guard Bands
The rules that keep the distress system credible — what's protected on CH16 and CH70, why CH15, 17, 75 and 76 are low-power guard bands, how to test a DSC set without launching a lifeboat, and the exact procedure for cancelling a false distress alert.
-
RYA SRC Part 9 — Regulations: Licences, Watchkeeping, and Who Makes the Rules
The regulatory layer of the SRC syllabus — ITU, CEPT, Ofcom, MCA and what each does; the operator licences (SRC, ROC, LRC, GOC) and the station licences (Ship Radio Licence vs Ship Portable Radio Licence); watchkeeping obligations, record keeping, secrecy, and the prohibited transmissions list.
-
Fortinet SD-WAN Jinja Orchestrator — Part 1: The Two Template Engines
Part 1 of three. FortiManager hosts two distinct template engines — classic CLI templates and Jinja CLI templates — and they aren't interchangeable. Thesis: Jinja for shape-varying network plumbing, CLI templates for shape-fixed system config, and a real deployment uses both.
-
Fortinet SD-WAN Jinja Orchestrator — Part 2: Anatomy and Patterns
Part 2 of three. We open Fortinet's sdwan-advpn-reference repo and read it end-to-end: the dynamic-bgp-on-lo directory, the four reference Project Templates, the inventory contract that feeds them, and the three Jinja patterns the templates lean on heaviest — loops, ipaddr derivation, and imports.
-
Fortinet SD-WAN Jinja Orchestrator — Part 3: PSK to Cert With FMG as CA
Part 3 of three. We take the single-hub PSK example from the reference repo and migrate it to certificate-based IPSec, with FortiManager as the CA. FMG CA setup, per-device enrolment, Project Template flag flip, what changes in the rendered config and what doesn't.
-
Arista (VMware) SD-WAN Deep Dive — Part 1: Components, Gateways, and the Three Planes
First post in a five-part deep dive on Arista (VMware) SD-WAN. We start with the components — Edges, Cloud Gateways, Partner Gateways, Orchestrator, Controller — and the three planes that bind them. Sets up a UK ISP scenario that the rest of the series will pick apart.
-
Arista (VMware) SD-WAN Deep Dive — Part 2: Routing — Overlay, Underlay, BGP, and the Gateway as Route Reflector
Part 2 of five. How prefixes get into the overlay, how the Gateway redistributes them, the three Cloud VPN modes, BGP at the Edge and the Partner Gateway, and the route-selection logic that decides which underlay a flow ends up on.
-
Arista (VMware) SD-WAN Deep Dive — Part 3: The Data Plane — VCMP, DMPO, and Per-Flow Steering
Part 3 of five. Wire-level look at VCMP encapsulation, the DMPO measurement loop, Business Policy and per-flow steering, and the on-path remediation (FEC, duplication, jitter buffer) that lets the overlay tolerate underlays that misbehave.
-
Arista (VMware) SD-WAN Deep Dive — Part 4: Topology Walkthroughs — MPLS-only meets Internet-only Across Continents
Part 4 of five. The GlobalCo packet-flow walkthroughs — Newcastle to HQ, Bristol to HQ, Chicago to a UK Cloud Gateway (why it fails), and the headline: MPLS-only Chicago talking to Internet-only Shanghai via a Partner Gateway, hop by hop.
-
Arista (VMware) SD-WAN Deep Dive — Part 5: Best Practice, Failure Modes, and a Design Checklist
Part 5 of five. Gateway design rules, Partner Gateway sizing, segmentation, security service insertion, MTU, the failure modes that catch teams the first time, and a one-page design checklist for an Arista (VMware) SD-WAN rollout.
-
Finding the Hop That's Eating Your Packets: pmtud-sweeper
A per-hop Path-MTU sweeper that binary-searches the largest DF-set packet each hop will pass, then names the router that's clamping your tunnel. ICMP, UDP, TCP-SYN, end-to-end TCP MSS — pick the probe your network actually lets through.
-
Who Sent That RST? Forensic Classification of TCP Resets with rst-forensics
A pure-Python classifier that takes a TCP RST and tells you whether the server, a mid-path firewall, or the client actually sent it. Six independent scorers — TTL, IP-ID, window, options, sequence, and timing — vote on the origin so the verdict is reproducible instead of tribal.
-
Diffing FortiGate configs the way an admin reads them — fgt-config-diff
A small Python tool that parses FortiGate configs into a tree, aligns nodes by section path and edit key, and reports what was added, removed, or modified — in the language of policies and objects, not unified-diff line numbers. CLI plus a Flask web UI.
-
spectre-meltdown-checker: Auditing CPU Vulnerability Mitigations on Linux
A deep dive into spectre-meltdown-checker — how it actually works under the hood, what it tells you that /sys/devices/system/cpu/vulnerabilities does not, the alternative tools (lscpu, vendor microcode checkers, in-tree kernel reporting), and when to reach for each one on a production Linux box.
-
SDWAN Resilience Part 1: Design and Assumptions
A multi-part deep dive into building a resilient Fortinet SD-WAN on a real, slightly unfashionable topology — HA FortiManager, dual hubs in active/standby, no DCI, and an independent DCE. Part 1 lays out the topology, the AS plan, and challenges the design choices up front.
-
SDWAN Resilience Part 2: BGP on Loopback
Why we peer BGP on loopbacks instead of tunnel-interface IPs, the FortiOS dynamic-IPsec config that makes it work, the spoke-side reciprocal config, and why hub-to-hub iBGP is the wrong answer in a no-DCI active/standby topology.
-
SDWAN Resilience Part 3: DC to DCE Routing — Static, OSPF, and BGP
The hub FortiGate has to glue the spoke overlay to the data-centre environment that hosts the services. Static, OSPF, and eBGP each work — but only two of them fail correctly when the DCE peering goes down on one DC and not the other.
-
SDWAN Resilience Part 4: BFD and Convergence Tuning
Default BGP timers detect failure in three minutes. That's unacceptable for active/standby SD-WAN. This post is the timer-math: DPD vs BFD on tunnels, BFD-for-BGP, holdtime ratios, the Graceful Restart trade-off, and what convergence numbers each combination actually delivers.
-
SDWAN Resilience Part 5: Performance SLAs and Service Steering
BGP and BFD catch every failure that takes a tunnel or session with it. They don't catch the failure where everything looks healthy at the network layer but the application is gone. That's the gap SD-WAN Performance SLAs fill — and the place where careful health-check design earns its keep.
-
SDWAN Resilience Part 6: Building It Right — Full DCI and Dual-Active ADVPN
The first five parts defended a topology with real constraints. This final post is the version without those constraints — Fortinet's reference design: full DCI, dual-active ADVPN, iBGP between hubs, symmetric routing, ECMP across both paths. The full shebang.
-
Designing an Arista SD-WAN Spoke with Enhanced HA, Dual DIA, and OSPF
Building a resilient Arista (formerly VeloCloud) SD-WAN spoke: two Edges in Enhanced HA, two DIA circuits wired the optimal way, a multi-VLAN LAN, OSPF for route exchange, and the caveats that bite in practice.
-
Generating a Constant Stream of Web Traffic with Python
A small, polite Python script that round-robins through ten popular public sites at a configurable rate — useful for homelab traffic, exercising a proxy, or learning the requests library. Walks through the full code, the safety rails, and how to run it under tmux.
-
Adding Vendor Route-Table Parsers to route-compare, and Why the Work Lives on a Branch
A follow-up on the route-compare tool: I taught it to read raw show ip route, get router info routing-table all, show route, and show routing route output directly — no Excel cleanup step. The work lives on a branch rather than on main, and this is why.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 1: Ingress, NP7, and the Fast Path
Where the packet is born on a 50G FortiGate. From the wire and DMA, through the NP7 SoC's session cache, IPSA, NTurbo, and the moment a packet either flies through hardware or crosses the bridge into the kernel slow path.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 2: Stateful Inspection, Session Lookup, and Anti-Spoofing
The packet has been punted from the NP7 to the kernel. Now FortiOS does the things ASICs cannot: IP integrity, DoS sensors, RPF, session table lookup, helpers, and the state machine that decides whether this is a brand new flow or one we already know.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 3: Routing, Policy Routes, and SD-WAN Service Rules
The packet has a session entry and now needs to know where to go. FortiOS resolves that in a strict order: policy routes, then SD-WAN service rules, then the FIB. Each layer has its own logic, its own match criteria, and its own diagnostic surface.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 4: Firewall Policy, NAT, and Security Profiles
Routing told the packet where it's going. Firewall policy decides whether it's allowed, NAT rewrites it, and security profiles inspect it. Inside the iprope chain, central NAT vs policy NAT, VIPs, IP pools, and the flow-vs-proxy UTM pipeline.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 5: Egress, NPU Offload, and the Full Troubleshooting Cookbook
The packet is decided. Now it has to actually leave. Egress shaping, NPU offload re-evaluation, IPsec encap, ARP, transmit. Then a single-page reference of every diagnose, get, and show command from across this series.
-
Comparing Route Tables Between Two Sources: A Small Python Tool for Audits and Migrations
A self-contained Python utility that takes two Excel route lists, normalises every prefix through ipaddress, finds exact matches and overlaps, preserves invalid entries for audit, and writes a colour-coded Excel report plus CSVs. Includes install guide and full source.
-
Configuring RADIUS Admin Auth on FortiGate SD-WAN: RBAC and Three User Profiles (Part 2 of 2)
Part 2 of 2 on RADIUS for FortiGate SD-WAN. Walks through the FortiOS config end-to-end — RADIUS server entry, group-to-profile mapping via VSA, three worked RBAC examples (senior engineer, NOC operator, compliance auditor), and the verification commands you'll need.
-
NSE5 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a 10-part study series for the Fortinet NSE 5 / FCP FortiManager Administrator certification. Covers the exam logistics, the official curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE5 Part 10: Advanced Features and Integrations
Part 10 — the final post in the NSE5 study series. Covers the advanced features that make FortiManager more than a config pusher: FortiGuard distribution, scripting, the JSON-RPC API, SSO, and FortiAnalyzer integration.
-
NSE5 Part 2: Initial Configuration and System Settings
Part 2 of the NSE5 study series — covers the day-one FortiManager configuration: network, admin access, system time, DNS, FortiGuard, OFTP, the on-disk file structure, and the diagnostic commands worth memorising before anything else.
-
NSE5 Part 3: High Availability
Part 3 of the NSE5 study series — covers the FortiManager HA cluster: primary and secondary roles, the sync mechanics, monitor IPs, manual vs automatic failover, and what to do when the cluster splits.
-
NSE5 Part 4: Administrative Domains (ADOMs)
Part 4 of the NSE5 study series — covers Administrative Domains: normal vs advanced ADOMs, version locking, ADOM modes, RBAC scope, and the per-ADOM revision history that underpins the rest of the FortiManager workflow.
-
NSE5 Part 5: Device Registration and Provisioning
Part 5 of the NSE5 study series — covers device registration: the FGFM tunnel, manual vs automatic registration, model devices, zero-touch provisioning, and the install operations that turn a registered device into a managed device.
-
NSE5 Part 6: Device-Level Configuration and Templates
Part 6 of the NSE5 study series — covers the FortiManager template engine: provisioning templates, CLI templates, SD-WAN, IPsec, and certificate templates, and how they compose into a single per-device install.
-
NSE5 Part 7: Policy and Objects
Part 7 of the NSE5 study series — covers ADOM-level policy management: policy packages, the object database, dynamic objects, install previews, install logs, and the cleanup workflows that keep the database lean.
-
NSE5 Part 8: Workflow, Workspace Mode and Revision Control
Part 8 of the NSE5 study series — covers workspace mode and the workflow approval engine: ADOM locking, read/write sessions, the workflow state machine, and how to recover an ADOM that two admins are fighting over.
-
NSE5 Part 9: Diagnostics and Troubleshooting
Part 9 of the NSE5 study series — covers the FortiManager diagnostic toolbox: device-manager diagnostics, the FGFM tunnel, install-failure forensics, oftpd, packet capture, and the debug commands worth knowing under exam pressure.
-
RADIUS vs TACACS+ on FortiGate SD-WAN: Choosing the Right AAA Backend (Part 1 of 2)
Part 1 of 2 on RADIUS for FortiGate SD-WAN. Covers the protocol differences vs TACACS+, the RADIUS server options worth knowing (NPS, FortiAuthenticator, FreeRADIUS, ISE, Okta, Duo, Entra), and when each protocol is the right call for FortiOS.
-
Resilient DNS at Home: Building an HA Pi-hole Pair on Raspberry Pi
A complete walkthrough for installing Pi-hole on a Raspberry Pi running current Raspbian, then turning a single box into a highly available pair using keepalived and Orbital Sync — with the config examples and show commands you'll actually use.
-
Building a FortiManager Lab on Proxmox — Part 1: Lab Goals, Compute Sizing and Proxmox Host Preparation
Part 1 of a five-part series on building a FortiManager lab on Proxmox. Covers lab goals, compute sizing for FMG and FGT VMs, host prerequisites, and a clean Proxmox 8.x baseline before the qcow2 build in Part 2.
-
Building a FortiManager Lab on Proxmox — Part 2: Obtaining the Image, qcow2 Conversion and First Boot
Part 2 of the FortiManager-on-Proxmox series. Walks through obtaining the KVM image from the Fortinet portal, validating the qcow2 files, building the VM shell with the right machine type and SCSI controller, importing both disks, and first-boot verification.
-
Building a FortiManager Lab on Proxmox — Part 3: Proxmox Networking, Linux Bridges, VLAN-Aware Bridges and SDN for the Lab
Part 3 of the FortiManager-on-Proxmox series. Designs the four-segment lab network, compares Linux bridges, VLAN-aware bridges and Proxmox SDN, walks through the /etc/network/interfaces shape, and explains why the lab bridges should never have an IP on the host.
-
Building a FortiManager Lab on Proxmox — Part 4: A Lab Edge FortiGate VM in Front of FortiManager
Part 4 of the FortiManager-on-Proxmox series. Builds a FortiGate-VM as the lab edge in front of FortiManager, with four NICs mapped to the lab bridges, a scoped policy set, FortiGuard pinhole, local-in policy hardening, and the deny-with-log rule that proves the boundary works.
-
Building a FortiManager Lab on Proxmox — Part 5: Registering Managed FortiGates, ADOMs and Policy Package Installs
Part 5 of the FortiManager-on-Proxmox series. Builds two managed FortiGate VMs, registers them via FGFM through the lab edge, splits them across two ADOMs, deploys a shared policy package with FMG, exercises revision history and rollback, and turns the lab into a snapshotted training platform.
-
FortiOS 7.6.6 SD-WAN: VRF1 Transport and Loopback Design
A refined VRF reference design for FortiOS 7.6.6 — transport in VRF 1, separate transport and management loopbacks, complete management-plane pinning, and NPU-VLINK guidance for inter-VRF acceleration.
-
MP-BGP and VRFs on FortiGate SD-WAN
A practical reference design using MP-BGP (VPNv4) and VRFs on FortiOS to keep management (VRF20), customer SD-WAN (VRF30), and Guest Wi-Fi DIA (VRF99) isolated end-to-end. Includes config, traffic flows, and the gotchas that bite people in production.
-
AI Part 1: Why I Gave Claude Write Access to My Site
A year ago I would have called this irresponsible. Today an MCP server lets Claude write to my site. The trust model isn't "I trust the model" — it's "I trust the blast radius".
-
AI Part 2: The Minimum Viable MCP Server
A personal MCP server is a tiny HTTP service. The spec accommodates a lot of complexity that, if you're the only user, you can stop building. Here's the inventory of what I have running, and what I deliberately left out.
-
AI Part 3: Designing Tools for an LLM, Not for Yourself
The verb in the tool name is the most important part. Descriptions answer the questions a chooser asks, not the questions a maintainer asks. Allowlists fail closed; blocklists fail open. Error messages are also instructions.
-
AI Part 4: Safety Rails — Allowlists, Atomic Writes, Audit Logs, Rollback
About two hundred lines of code, none of them clever, all of them the reason I sleep fine with the service running. Allowlists, atomic writes, an audit log, and a manual rollback path.
-
AI Part 5: Prompt-Driven Authoring in Practice
What's it actually like to use? The honest answer, including where the loop is tight, where it's still clumsy, and the three things I'd warn anyone trying this.
-
AI Part 6: Connector Quirks, Cache Traps, and What I'd Do Differently
Six months in. The cache layer you don't see, OAuth refresh edge cases, and the short list of decisions I'd make differently if I were doing this again from scratch.
-
Building a Polished CLI Tool with Click and Rich: Packaging Network Automation for Other Humans
Turn a working network-automation script into a tool your colleagues will use — moving from argparse to Click, formatted output with Rich, environment-loaded secrets, and pip-installable packaging.
-
iptables to nftables: Migrating Production Firewalls Without Downtime
A working engineer's guide to moving from iptables to nftables on production Linux firewalls — the mental model shift, where iptables-translate misleads you, atomic ruleset swaps, and a clean rollback strategy that means a bad migration costs you seconds, not your weekend.
-
Linux Networking from the Ground Up: Network Namespaces, veth Pairs, and Building a Multi-Router Lab on One Host
Build a real multi-router BGP and OSPF lab on a single Linux box using network namespaces, veth pairs, and FRRouting — no VMs, no containers, no GNS3. A practical walk-through of the primitives that GNS3, Docker, and Kubernetes are quietly using under the hood.
-
NAPALM vs Netmiko: Vendor-Agnostic Config vs Raw CLI, and When You Want Both
A practical comparison of NAPALM and Netmiko for network automation — where Netmiko's raw CLI access is the right answer, where NAPALM's compare/replace/rollback abstraction earns its keep, and the hybrid pattern that most production tooling actually settles on.
-
Netmiko in Practice: From a Show-Command Script to a Repeatable Audit Tool
A working network engineer's guide to Netmiko — starting from a small repo of mine that runs show commands across a JSON inventory, and extending it into something you can use as a real audit tool with structured output, concurrency, secure credentials, and a sane dry-run for config changes.
-
Network Emulation with NETEM: Simulating Latency, Loss, Jitter, and Bandwidth Constraints for Realistic Lab Testing
A practical guide to using Linux's NETEM qdisc to bend networks to your will — adding latency, loss, jitter, duplication, reordering, and bandwidth caps so you can test how applications and protocols actually behave when the network is anything other than perfect.
-
Nornir for Network Engineers: Running Automation Across an Inventory at Scale
A practical introduction to Nornir for engineers whose Netmiko script has grown too big — inventory plugins, structured tasks, parallelism, filtering by site or role, and integrating Netmiko, NAPALM, and pyATS as connection plugins. The framework you reach for once one box has become a hundred.
-
Parsing show Command Output: TextFSM, Genie, and TTP for Structured Data
A practical comparison of the three main ways to turn Cisco show output into structured Python data — TextFSM with NTC Templates, Genie/pyATS, and TTP — with worked examples and rules of thumb for picking the right one.
-
Route Leaking Between VRFs on Cisco IOS: From BGP First Principles to Advanced Manipulation
A practical end-to-end walkthrough of route leaking between VRFs on Cisco IOS — starting with the BGP and VRF fundamentals you need to actually understand what's happening, the static and MP-BGP options for the leak itself, and the route-map machinery that lets you control exactly what crosses.
-
SSH Hardening Beyond the Basics: Certificate Authorities, Bastion Patterns, and Session Auditing
A production-grade SSH setup that goes beyond disabling password auth — running your own SSH CA with short-lived user and host certificates, ProxyJump bastions, ForceCommand restrictions, and recording sessions with tlog and auditd.
-
tcpdump Deep Dive: BPF Filters, Capture Rotation, and Cross-Mapping to FortiGate's diagnose sniffer packet
A practical, command-heavy guide to getting real value out of tcpdump — precise BPF filters, production-grade ring-buffer captures, and a side-by-side mapping to FortiGate's diagnose sniffer packet so you can switch between the two without losing your place.
-
NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE4 Part 10: High Availability
Part 10 — the final post in the NSE4 study series. Covers FGCP, active-passive vs active-active, heartbeat and monitor interfaces, session synchronisation, failover behaviour, and the diagnostic output you'll be asked to interpret.
-
NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.
-
NSE4 Part 3: Firewall Policies & NAT
Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.
-
NSE4 Part 4: Authentication, FSSO & Certificates
Part 4 of the NSE4 study series — local and remote authentication (LDAP, RADIUS), captive portal, Fortinet Single Sign-On (FSSO) modes, and certificate operations including SSL deep inspection.
-
NSE4 Part 5: Logging, Monitoring & Diagnostics
Part 5 of the NSE4 study series — log categories and severity, local vs remote storage, FortiAnalyzer and syslog forwarding, threat weight scoring, and the diagnostic commands you actually reach for under pressure.
-
NSE4 Part 6: Security Profiles — Web, App Control, AV, IPS, DoS
Part 6 of the NSE4 study series — the five security profiles you attach to firewall policies: web filter, application control, antivirus, intrusion prevention, and denial-of-service.
-
NSE4 Part 7: SSL VPN
Part 7 of the NSE4 study series — SSL VPN modes (web, tunnel, full), portals, realms, MFA, split tunnelling and the diagnostic commands for tracking down a stuck client.
-
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.
-
NSE4 Part 9: Routing & SD-WAN
Part 9 of the NSE4 study series — static and policy routing, distance vs priority, RPF, OSPF and BGP basics, and how SD-WAN turns a pile of WAN links into a single steered zone with performance SLAs.
-
Route Leaking Between VRFs on FortiGate: Why It's Trickier Than You Think
VRF route leaking is a daily reality in any multi-tenant or shared-services network design. On FortiGate it's harder to find — and harder to get right — than the equivalent on Cisco or Juniper. Here's how to do it, why it's easy to miss, and the practical pitfalls.