NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 series. This post covers Lessons 1 and 2 of the official curriculum — the day-one configuration of a FortiGate and how to wire several of them (and the wider Fortinet ecosystem) together with the Security Fabric.
Operation modes
A FortiGate runs in one of two modes per VDOM:
- NAT mode — the default. The FortiGate is a layer-3 device; interfaces have IPs and routes.
- Transparent mode — the FortiGate is a bump-in-the-wire layer-2 bridge. Useful when inserting a FortiGate without re-IPing the network.
```
config system settings
    set opmode nat    # or transparent
end
```
Switching mode wipes the interface config — expect questions on this.
Interfaces
Five interface types you must recognise:
| Type | Purpose |
|---|---|
| Physical | A real port |
| VLAN | 802.1Q sub-interface bound to a parent |
| Software switch | Software-bridged group of interfaces |
| Hardware switch | Bridged in ASIC (model-dependent) |
| Aggregate / Redundant | LACP bonded / active-standby pair |
Common CLI:
```
config system interface
    edit "port1"
        set ip 10.10.1.1/24
        set allowaccess ping https ssh
    next
end
```
allowaccess controls administrative access per interface. telnet and http are present but should never be enabled in exam answers — both are insecure.
Administrative access
Three settings get tested repeatedly:
- idle-timeout — auto-logout after inactivity.
- admintimeout — global admin session timeout.
- trusted hosts — restrict each admin to source subnets:
```
config system admin
    edit "admin"
        set trusthost1 10.10.1.0/24
    next
end
```
DHCP, DNS, FortiGuard
DHCP servers are configured per interface:
```
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.10.2.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.2.100
                set end-ip 10.10.2.200
            next
        end
    next
end
```
DNS lives under config system dns. The exam likes asking about the difference between system DNS (used by FortiGate itself for FortiGuard, NTP, log forwarding) and DNS server (the FortiGate acting as DNS for clients) — they are not the same setting.
FortiGuard licensing controls which security services work: AV, IPS, web filter, app control. Without an active subscription, signature databases freeze and DNS-based ratings stop returning categories. Check status with:
```
diagnose autoupdate versions
get system fortiguard
```
Configuration backup
Configs are plain text and contain the running state. Two important details:
- Backups are unencrypted by default — passwords appear hashed but VPN PSKs and some secrets are recoverable.
- set private-data-encryption enable (under config system global) adds AES encryption to the backup so secrets are not readable on extraction.
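As an added example (not part of the original post and not a Fortinet tool), a small Python audit that reads a FortiOS-style configuration backup and checks the three hardening points covered so far: allowaccess carrying telnet or http, admins with no trusthost entries, and private-data-encryption not enabled. The sample config is constructed, and the parser assumes only the standard config/edit/set/next/end layout, including nested config blocks.

```python
import shlex
# Constructed sample backup (not from any real device): risky settings next to recommended ones.
SAMPLE_CONFIG = """\
config system global
    set private-data-encryption disable
end
config system interface
    edit "port2"
        set allowaccess ping https http telnet
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.1.0 255.255.255.0
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
end
"""

def parse_fortios(text: str) -> dict:
    """Flatten config/edit/set/next/end blocks into {(section path, object): {key: [values]}}."""
    tree, stack = {}, []  # stack holds [section, current edit object] per nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[7:], ""])
        elif line.startswith("edit ") and stack:
            stack[-1][1] = shlex.split(line[5:])[0]
        elif line == "next" and stack:
            stack[-1][1] = ""  # object closed; later sets belong to the section itself
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("set ") and stack:
            key, *vals = shlex.split(line[4:])
            tree.setdefault((" > ".join(s[0] for s in stack), stack[-1][1]), {})[key] = vals
    return tree

def audit(text: str) -> list:
    cfg, findings = parse_fortios(text), []  # one human-readable string per finding
    if cfg.get(("system global", ""), {}).get("private-data-encryption") != ["enable"]:
        findings.append("global: private-data-encryption not enabled, backup secrets are readable")
    for (section, obj), kv in cfg.items():
        if section == "system interface":
            for proto in sorted({"http", "telnet"} & set(kv.get("allowaccess", []))):
                findings.append(f"interface {obj}: insecure allowaccess {proto}")
        elif section == "system admin" and not any(k.startswith("trusthost") for k in kv):
            findings.append(f"admin {obj}: no trusted hosts, login allowed from any source")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the disabled encryption, http and telnet on port2, and the backup-admin account without trusted hosts; the same parser can be pointed at a real backup file read from disk.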
The Security Fabric
The Security Fabric is the marketing name for coordinated security across Fortinet products. In NSE4 you need to know three building blocks:
Root and downstream FortiGates. A “root” FortiGate is the head of the fabric. Other FortiGates join as downstream and report telemetry, topology and threat data upstream. The CLI commands:
```
config system csf
    set status enable
    set group-name "office-fabric"
    set group-password ********
    set upstream-ip 10.10.1.1    # downstream only
end
```
The physical and logical topology views under Security Fabric in the GUI come from this data. Exam questions often show a fabric topology and ask which FortiGate is root.
Fabric connectors. External integrations — AWS / Azure / GCP / VMware / ACI — that pull dynamic objects (instance tags, VM groups) into the FortiGate as address objects you can use in policies.
Automation stitches. Event-driven workflows. A trigger (e.g., compromised host detected by FortiAnalyzer, or a high-severity log) fires an action (quarantine the host, send a webhook, run a CLI script, notify by email). The classic exam example is compromised host → quarantine.
Diagnostics worth memorising
```
get system status                  # serial, FortiOS version, HA state at a glance
diagnose hardware sysinfo memory
diagnose sys top                   # live process view (q to quit)
```
If a downstream FortiGate is failing to join the fabric, almost always it’s one of: mismatched group password, NAT in between rewriting the upstream IP, or admin HTTPS access not allowed on the upstream FortiGate’s join interface. Check diagnose sys csf upstream on the downstream.
Part 3 covers firewall policies and NAT — the part of the syllabus that produces the most exam questions.