NSE6 Part 1: Stream Overview, Exam Structure, and the Secure Networking Stack
The NSE 4 exam proves you can configure a FortiGate. The NSE 5 exams prove you can manage a fleet of them. NSE 6 goes sideways rather than up — it asks whether you understand the access layer that feeds traffic into that FortiGate in the first place.
The Secure Networking stream is one of the specialist tracks within NSE 6. It covers four products that collectively answer the question: who is on the network, are they who they say they are, and is their device in a state we trust?
The Four Exam Tracks
Each NSE 6 product exam is standalone. You can sit them in any order, and each exam is typically 30–35 questions with a 60-minute time limit and a passing mark around 70%. Fortinet training portal credits for the relevant course are the prerequisite in practice, though NSE 4 is the assumed baseline for the technical content.
FCA-FAC — FortiAuthenticator Administrator
FortiAuthenticator is the identity broker at the centre of the Secure Networking stack. It handles:
- Local user and group management with password policies and lockout
- RADIUS service — acting as a RADIUS server that FortiGate, FortiSwitch, and other NAS devices send authentication requests to
- LDAP/AD integration — proxying authentication against Active Directory without exposing AD LDAP directly to every FortiGate
- Two-factor authentication — FortiToken hardware tokens, FortiToken Mobile (TOTP app), and FortiToken Cloud push notifications
- Certificate authority — issuing and revoking certificates via SCEP, CMP, or the web portal, with PKI user authentication
- Self-service and guest portal — password reset, token activation, sponsor-based guest account approval
The exam covers every one of these areas. The questions are scenario-driven: given a RADIUS auth failure or a broken guest portal flow, what is wrong and how do you fix it.
FCA-FSW — FortiSwitch Administrator
FortiSwitch is Fortinet’s access-layer switching product line. The exam focuses on:
- FortiLink managed mode — how FortiGate discovers, authorises, and configures FortiSwitch units over a dedicated control channel, turning the FortiGate into a wireless-LAN-controller equivalent for wired switching
- VLANs, RSTP, LACP, and MCLAG — the switching fundamentals you need to build resilient wiring-closet topologies
- 802.1X and MAC Authentication Bypass — port-level authentication with dynamic VLAN assignment, tying directly into FortiAuthenticator as the RADIUS server
- Port security and QoS — sticky MAC, violation policies, DSCP/CoS trust at the edge
FCA-FAP — FortiAP Administrator
FortiAP delivers the wireless equivalent of FortiSwitch managed mode. The exam covers:
- CAPWAP — the control and data plane protocol between FortiGate (acting as the wireless LAN controller) and the access points
- WTP profiles and AP provisioning — how FortiGate discovers, authorises, and pushes configuration to APs
- SSIDs and security modes — from WPA3-SAE and WPA2-Enterprise (802.1X) through captive portal workflows
- RF management — channel selection, Tx power control, DFS, and band steering
- WIDS — rogue AP detection and wireless intrusion detection signatures
- Mesh and remote AP — OfficeExtender / U-series APs with split-tunnel CAPWAP back to HQ
FCA-FNAC — FortiNAC Administrator
FortiNAC is the network access control orchestrator. It pulls data from every other product in this list and decides what VLAN a device belongs in. The exam covers:
- Network device discovery — SNMP, SSH, CDP/LLDP topology mapping of switches and APs
- Endpoint profiling — DHCP fingerprinting, HTTP User-Agent, Active Directory, MDM integration
- Access policies — mapping host groups and port groups to VLANs via RADIUS and CoA
- Compliance — persistent and dissolvable agents, AV/patch/process checks, remediation and quarantine
- Guest and BYOD — self-registration, sponsor approval, certificate-based device onboarding
How the Four Products Connect
The integration story is the reason the stream is called Secure Networking rather than just four separate product guides. Here is the flow for a typical corporate endpoint:
- Endpoint connects to a FortiSwitch port.
- FortiSwitch sends a RADIUS
Access-Requestto FortiAuthenticator (carrying the user’s 802.1X credentials or the device MAC for MAB). - FortiAuthenticator validates the credentials against its local database or the upstream AD via LDAP, optionally challenges for a second factor (FortiToken), and returns an
Access-Acceptwith aTunnel-Private-Group-IDVLAN attribute. - FortiSwitch assigns the port to the correct VLAN.
- In parallel, FortiNAC has already seen the device’s MAC on the network, profiled it (OS type, managed vs unmanaged), and checked whether the host group membership matches the expected access policy for that port and VLAN.
- If the device later fails a compliance scan, FortiNAC sends a RADIUS CoA
Disconnect-Requestor a VLAN-changeCoA-Requestto FortiSwitch, moving the endpoint to a quarantine VLAN without dropping the link.
For wireless, replace FortiSwitch with FortiAP — the CAPWAP tunnel to FortiGate carries the 802.1X exchange, FortiAuthenticator handles RADIUS auth, and FortiNAC drives the profiling and compliance enforcement side.
The Security Fabric Thread
All four products can talk to FortiGate as a Security Fabric member:
- FortiAuthenticator feeds FSSO (Fortinet Single Sign-On) identity tags to FortiGate, so firewall policies can reference user or group names rather than IP addresses.
- FortiSwitch and FortiAP are managed directly through the FortiGate GUI in the default deployment model.
- FortiNAC registers as a Fabric device and can trigger FortiGate quarantine actions (block a host at the firewall level in addition to moving it to an isolation VLAN).
The exam for each product tests that integration point, not just the product in isolation. Expect questions about what RADIUS attribute carries the dynamic VLAN, how CoA changes take effect on a FortiSwitch port, and what happens when a FortiNAC-managed AP client fails compliance mid-session.
Study Approach
For each track the pattern that works is: lab first, then official course, then exam.
Fortinet’s NSE 6 courses are available on the training portal (free with a valid NSE account). Each course maps directly to the exam objectives. The courses are short — typically 3–4 hours of video — and are best used as a checklist to confirm your lab work covers every objective.
For lab access:
- FortiAuthenticator — available as a VM image (FortiAuthenticator-VM) that runs free with a limited user licence on evaluation mode
- FortiSwitch — FortiSwitch-VM is available for lab use; alternatively, a physical FortiSwitch with a FortiGate running as the controller
- FortiAP — FortiAP-U in Wi-Fi client mode can simulate an AP; alternatively, a physical FAP-221E/231F is the most common lab choice
- FortiNAC — FortiNAC-VM with a 30-day eval licence
The following 13 parts of this series walk through each exam track in detail. Parts 2–4 cover FortiAuthenticator, Parts 5–7 cover FortiSwitch, Parts 8–10 cover FortiAP, and Parts 11–14 cover FortiNAC. Each part maps the exam objectives to configuration steps, CLI equivalents, and the diagnostic commands you reach for when something goes wrong.