Fortinet Guides
Study guides and field notes from working with FortiGate and FortiManager in production. Configuration walkthroughs, exam preparation, and the diagnostic commands that come up most often under pressure.
Sub-sections
NSE4 — FortiGate Administrator
A 10-part walk through the official NSE4 / FCP FortiGate Administrator curriculum. Concept, GUI path, CLI equivalent, and diagnostics for each lesson.
NSE5 — FortiManager Administrator
A 10-part walk through the official NSE5 / FCP FortiManager Administrator curriculum. ADOMs, templates, policy packages, install operations, and the diagnostic toolbox.
FortiGate Troubleshooting
Deep dives into packet flow on a 50G FortiGate — from the NP7 fast path, through stateful inspection, SD-WAN, policy, NAT, and UTM, to egress. Includes a complete diagnose / get / show command cookbook.
NSE4 Study Series
A 10-part walk through the official NSE4 / FCP FortiGate Administrator curriculum — concept, GUI path, CLI equivalent, and diagnostics for each lesson. Full series hub: NSE4 sub-section.
NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.
NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.
NSE4 Part 3: Firewall Policies & NAT
Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.
NSE4 Part 4: Authentication, FSSO & Certificates
Part 4 of the NSE4 study series — local and remote authentication (LDAP, RADIUS), captive portal, Fortinet Single Sign-On (FSSO) modes, and certificate operations including SSL deep inspection.
NSE4 Part 5: Logging, Monitoring & Diagnostics
Part 5 of the NSE4 study series — log categories and severity, local vs remote storage, FortiAnalyzer and syslog forwarding, threat weight scoring, and the diagnostic commands you actually reach for under pressure.
NSE4 Part 6: Security Profiles — Web, App Control, AV, IPS, DoS
Part 6 of the NSE4 study series — four of the security profiles you attach to firewall policies (web filter, application control, antivirus, intrusion prevention) plus DoS policies, which are applied per interface rather than attached to a firewall policy.
NSE4 Part 7: SSL VPN
Part 7 of the NSE4 study series — SSL VPN modes (web and tunnel), portals, realms, MFA, split vs full tunnelling, and the diagnostic commands for tracking down a stuck client.
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.
NSE4 Part 9: Routing & SD-WAN
Part 9 of the NSE4 study series — static and policy routing, distance vs priority, RPF, OSPF and BGP basics, and how SD-WAN turns a pile of WAN links into a single steered zone with performance SLAs.
NSE4 Part 10: High Availability
Part 10 — the final post in the NSE4 study series. Covers FGCP, active-passive vs active-active, heartbeat and monitor interfaces, session synchronisation, failover behaviour, and the diagnostic output you'll be asked to interpret.
NSE5 Study Series
A 10-part walk through the official NSE5 / FCP FortiManager Administrator curriculum — ADOMs, templates, policy packages, install operations, workflow mode, and the diagnostic toolbox. Full series hub: NSE5 sub-section.
NSE5 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a 10-part study series for the Fortinet NSE 5 / FCP FortiManager Administrator certification. Covers the exam logistics, the official curriculum grouped into topic buckets, and the roadmap for the rest of the series.
NSE5 Part 2: Initial Configuration and System Settings
Part 2 of the NSE5 study series — covers the day-one FortiManager configuration: network, admin access, system time, DNS, FortiGuard, OFTP, the on-disk file structure, and the diagnostic commands worth memorising before anything else.
NSE5 Part 3: High Availability
Part 3 of the NSE5 study series — covers the FortiManager HA cluster: primary and secondary roles, the sync mechanics, monitor IPs, manual vs automatic failover, and what to do when the cluster splits.
NSE5 Part 4: Administrative Domains (ADOMs)
Part 4 of the NSE5 study series — covers Administrative Domains: normal vs advanced ADOMs, version locking, ADOM modes, RBAC scope, and the per-ADOM revision history that underpins the rest of the FortiManager workflow.
NSE5 Part 5: Device Registration and Provisioning
Part 5 of the NSE5 study series — covers device registration: the FGFM tunnel, manual vs automatic registration, model devices, zero-touch provisioning, and the install operations that turn a registered device into a managed device.
NSE5 Part 6: Device-Level Configuration and Templates
Part 6 of the NSE5 study series — covers the FortiManager template engine: provisioning templates, CLI templates, SD-WAN, IPsec, and certificate templates, and how they compose into a single per-device install.
NSE5 Part 7: Policy and Objects
Part 7 of the NSE5 study series — covers ADOM-level policy management: policy packages, the object database, dynamic objects, install previews, install logs, and the cleanup workflows that keep the database lean.
NSE5 Part 8: Workflow, Workspace Mode and Revision Control
Part 8 of the NSE5 study series — covers workspace mode and the workflow approval engine: ADOM locking, read/write sessions, the workflow state machine, and how to recover an ADOM that two admins are fighting over.
NSE5 Part 9: Diagnostics and Troubleshooting
Part 9 of the NSE5 study series — covers the FortiManager diagnostic toolbox: device-manager diagnostics, the FGFM tunnel, install-failure forensics, oftpd, packet capture, and the debug commands worth knowing under exam pressure.
NSE5 Part 10: Advanced Features and Integrations
Part 10 — the final post in the NSE5 study series. Covers the advanced features that make FortiManager more than a config pusher: FortiGuard distribution, scripting, the JSON-RPC API, SSO, and FortiAnalyzer integration.
FortiGate Troubleshooting — A Day in the Life of a Packet
A five-part deep dive following one packet through a 50G FortiGate — NP7 fast path, stateful inspection, SD-WAN service rules, firewall policy and NAT, UTM, and egress. Ends with a complete diagnostic command cookbook. Full series hub: FortiGate Troubleshooting sub-section.
A Day in the Life of a Packet on a 50G FortiGate, Part 1: Ingress, NP7, and the Fast Path
Where the packet is born on a 50G FortiGate. From the wire and DMA, through the NP7 SoC's session cache, IPSA, NTurbo, and the moment a packet either flies through hardware or crosses the bridge into the kernel slow path.
A Day in the Life of a Packet on a 50G FortiGate, Part 2: Stateful Inspection, Session Lookup, and Anti-Spoofing
The packet has been punted from the NP7 to the kernel. Now FortiOS does the things ASICs cannot: IP integrity, DoS sensors, RPF, session table lookup, helpers, and the state machine that decides whether this is a brand new flow or one we already know.
RADIUS for FortiGate SD-WAN
A focused two-part series on running admin AAA against a FortiGate SD-WAN edge — RADIUS vs TACACS+ at the protocol level, the RADIUS server options worth knowing, and the FortiOS configuration with three worked RBAC examples.
RADIUS vs TACACS+ on FortiGate SD-WAN: Choosing the Right AAA Backend (Part 1 of 2)
Part 1 of 2 on RADIUS for FortiGate SD-WAN. Covers the protocol differences vs TACACS+, the RADIUS server options worth knowing (NPS, FortiAuthenticator, FreeRADIUS, ISE, Okta, Duo, Entra), and when each protocol is the right call for FortiOS.
Configuring RADIUS Admin Auth on FortiGate SD-WAN: RBAC and Three User Profiles (Part 2 of 2)
Part 2 of 2 on RADIUS for FortiGate SD-WAN. Walks through the FortiOS config end-to-end — RADIUS server entry, group-to-profile mapping via VSA, three worked RBAC examples (senior engineer, NOC operator, compliance auditor), and the verification commands you'll need.
Other Fortinet Posts
Fortinet SD-WAN Jinja Orchestrator — Part 1: The Two Template Engines
Part 1 of three. FortiManager hosts two distinct template engines — classic CLI templates and Jinja CLI templates — and they aren't interchangeable. Thesis: Jinja for shape-varying network plumbing, CLI templates for shape-fixed system config, and a real deployment uses both.
Fortinet SD-WAN Jinja Orchestrator — Part 2: Anatomy and Patterns
Part 2 of three. We open Fortinet's sdwan-advpn-reference repo and read it end-to-end: the dynamic-bgp-on-lo directory, the four reference Project Templates, the inventory contract that feeds them, and the three Jinja patterns the templates lean on heaviest — loops, ipaddr derivation, and imports.
Fortinet SD-WAN Jinja Orchestrator — Part 3: PSK to Cert With FMG as CA
Part 3 of three. We take the single-hub PSK example from the reference repo and migrate it to certificate-based IPsec, with FortiManager as the CA. FMG CA setup, per-device enrolment, Project Template flag flip, what changes in the rendered config and what doesn't.
Finding the Hop That's Eating Your Packets: pmtud-sweeper
A per-hop Path-MTU sweeper that binary-searches the largest DF-set packet each hop will pass, then names the router that's clamping your tunnel. ICMP, UDP, TCP-SYN, end-to-end TCP MSS — pick the probe your network actually lets through.
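The per-hop search the summary describes, as an added Python example that is not pmtud-sweeper's own code. The network is replaced by a constructed in-memory path (hop names and link MTUs are made up) so the binary search runs offline; the probe model assumes every hop returns ICMP replies, which is exactly the assumption a real network can break and the reason the tool offers UDP and TCP-SYN probes as well.

```python
"""Per-hop Path-MTU sweep: binary-search the largest DF probe each hop forwards.

Added example, not the pmtud-sweeper tool's own code. The network is replaced by
a constructed in-memory path so the search logic runs offline. Each hop has an
outgoing link MTU; a probe carries a size and a TTL; a hop answers ttl-exceeded
when the TTL runs out there, frag-needed when a DF probe is too big for its
link, and otherwise forwards. The destination answers echo-reply.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    name: str       # router name as traceroute would show it
    link_mtu: int   # MTU of the link this hop forwards onto


# Constructed sample path: a 1400-byte tunnel link sits behind hop 3.
SAMPLE_PATH = [
    Hop("edge-rtr", 1500),
    Hop("isp-core-1", 1500),
    Hop("tunnel-head", 1400),
    Hop("far-side", 1500),
]


def send_probe(path, size, ttl):
    """Simulate one DF-set probe. Returns (reply_kind, replying_hop_name)."""
    for i, hop in enumerate(path, start=1):
        if i == ttl:                       # TTL decremented to zero here
            return ("ttl-exceeded", hop.name)
        if size > hop.link_mtu:            # DF set: cannot fragment, must complain
            return ("frag-needed", hop.name)
    return ("echo-reply", "destination")   # forwarded by every hop on the path


def passes(path, size, ttl):
    """True if every hop before the one that answers forwarded the probe."""
    kind, _ = send_probe(path, size, ttl)
    return kind != "frag-needed"


def largest_passing(path, hop_index, lo=576, hi=1500):
    """Largest probe size hops 1..hop_index all forward, or None if even `lo` fails.

    Probing with TTL = hop_index + 1 forces hops 1..hop_index to forward and
    lets hop_index + 1 (or the destination) answer. The pass/fail predicate is
    monotonic in size, so a binary search finds the boundary in ~10 probes
    instead of sweeping every size.
    """
    ttl = hop_index + 1
    if not passes(path, lo, ttl):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2           # bias upward so lo converges on the max
        if passes(path, mid, ttl):
            lo = mid
        else:
            hi = mid - 1
    return lo


def sweep(path, hi=1500):
    """Per-hop maximum passing size, plus the first hop that lowers it (the clamp)."""
    results, clamp, prev = [], None, hi
    for k, hop in enumerate(path, start=1):
        size = largest_passing(path, k, hi=hi)
        results.append((hop.name, size))
        if size is not None:
            if clamp is None and size < prev:
                clamp = hop.name
            prev = size
    return results, clamp


if __name__ == "__main__":
    per_hop, clamp = sweep(SAMPLE_PATH)
    for name, size in per_hop:
        print(f"{name:12s} max DF size {size}")
    print("clamping router:", clamp)
```

The clamp is reported as the first hop whose maximum drops below the previous hop's; every hop after it inherits the same ceiling, which is why a plain end-to-end PMTU probe can tell you the number but never the router.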
Who Sent That RST? Forensic Classification of TCP Resets with rst-forensics
A pure-Python classifier that takes a TCP RST and tells you whether the server, a mid-path firewall, or the client actually sent it. Six independent scorers — TTL, IP-ID, window, options, sequence, and timing — vote on the origin so the verdict is reproducible instead of tribal.
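The voting idea in the summary, as an added Python example that is not rst-forensics' own code and is narrower than the tool: it decides server versus mid-path device for a RST carrying the server's address, seen in a capture taken at the client, using three of the six signals (TTL, IP-ID, timing). The baseline values, the suspect RSTs and the scoring thresholds are all constructed for illustration.

```python
"""Vote on the origin of a TCP RST: the real server or a mid-path device.

Added example, not rst-forensics' own code, and narrower than the tool: it
covers server-vs-middlebox for a RST carrying the server's address, seen in
a capture taken at the client. Three independent scorers (TTL, IP-ID,
timing) each vote; the verdict is the majority and every vote keeps its
reason so the call can be reviewed. All packet values are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What the server's genuine packets looked like earlier in the flow."""
    server_ttl: int     # TTL of the SYN-ACK/data as it arrived at the client
    last_ipid: int      # IP-ID of the last genuine server packet
    rtt_ms: float       # measured client<->server round trip


@dataclass(frozen=True)
class Rst:
    ttl: int
    ipid: int
    delay_ms: float     # from the client's last segment to the RST's arrival


def score_ttl(base, rst):
    """A device nearer than the server leaves a different remaining TTL."""
    if rst.ttl == base.server_ttl:
        return "server", f"TTL {rst.ttl} matches server baseline"
    return "middlebox", f"TTL {rst.ttl} differs from server baseline {base.server_ttl}"


def score_ipid(base, rst, window=64):
    """Stacks with a per-flow or global IP-ID counter keep incrementing it and an
    injector cannot continue that sequence. Weak on stacks that send IP-ID 0 or
    random IDs, which is why this is one vote among several."""
    gap = (rst.ipid - base.last_ipid) % 65536
    if 0 < gap <= window:
        return "server", f"IP-ID {rst.ipid} continues server sequence (+{gap})"
    return "middlebox", f"IP-ID {rst.ipid} breaks server sequence (+{gap})"


def score_timing(base, rst):
    """A RST that arrives in well under one RTT could not have come from the
    far end; something in between answered on the server's behalf."""
    if rst.delay_ms < 0.5 * base.rtt_ms:
        return "middlebox", f"arrived after {rst.delay_ms} ms, RTT is {base.rtt_ms} ms"
    return "server", f"arrived after {rst.delay_ms} ms, consistent with RTT {base.rtt_ms} ms"


SCORERS = (score_ttl, score_ipid, score_timing)


def classify(base, rst):
    """Majority vote across the scorers, with the supporting evidence."""
    votes = [scorer(base, rst) for scorer in SCORERS]
    tally = Counter(origin for origin, _ in votes)
    verdict, count = tally.most_common(1)[0]
    return {
        "verdict": verdict,
        "confidence": count / len(votes),
        "evidence": [f"{origin}: {reason}" for origin, reason in votes],
    }


# Constructed flow: server 12 hops away (TTL 64 -> 52), incrementing IP-ID, 38 ms RTT.
BASELINE = Baseline(server_ttl=52, last_ipid=40210, rtt_ms=38.0)
GENUINE_RST = Rst(ttl=52, ipid=40211, delay_ms=39.5)   # server closed the connection
INJECTED_RST = Rst(ttl=58, ipid=0, delay_ms=6.0)       # 6 hops out, fresh IP-ID, too fast

if __name__ == "__main__":
    for label, rst in (("genuine", GENUINE_RST), ("injected", INJECTED_RST)):
        result = classify(BASELINE, rst)
        print(label, result["verdict"], f"{result['confidence']:.2f}")
        for line in result["evidence"]:
            print("   ", line)
```

No single scorer is trusted on its own: an inline firewall one hop in front of the server can leave the TTL almost indistinguishable, and a server with a randomised IP-ID defeats the sequence check, so the verdict is the majority and the evidence list is what you actually read when the confidence is 2/3 rather than 1.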
Diffing FortiGate configs the way an admin reads them — fgt-config-diff
A small Python tool that parses FortiGate configs into a tree, aligns nodes by section path and edit key, and reports what was added, removed, or modified — in the language of policies and objects, not unified-diff line numbers. CLI plus a Flask web UI.
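The parse-then-align approach the summary describes, as an added Python example that is not fgt-config-diff's own code. It handles the FortiOS config grammar (config / edit / set / next / end), treats each `edit` entry as a unit, and reports changes by section path and edit key. The two configs are constructed; the newer one has picked up an any/any accept policy, which is the kind of change a line-oriented diff buries and a reviewer needs called out by name.

```python
"""Diff two FortiGate configs by section path and edit key, not by line number.

Added example, not fgt-config-diff's own code. It parses the FortiOS config
grammar (config ... / edit <key> / set <attr> <values> / next / end) into a
flat map of path -> value, treats each `edit` entry as a unit, and reports
added, removed and modified items in policy-and-object terms. The two
configs below are constructed for illustration.
"""
import shlex

OLD_CONFIG = """\
config system global
    set hostname "fgt-branch-01"
    set admintimeout 5
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set action accept
        set logtraffic utm
    next
    edit 2
        set name "block-guest"
        set srcintf "guest"
        set action deny
    next
end
"""

NEW_CONFIG = """\
config system global
    set hostname "fgt-branch-01"
    set admintimeout 30
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set action accept
        set logtraffic all
    next
    edit 3
        set name "any-any"
        set srcintf "any"
        set dstintf "any"
        set action accept
    next
end
"""


def parse(text):
    """Return {path: value}; path is ('config firewall policy', 'edit 1', 'name')."""
    leaves, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and the #config-version header
            continue
        words = shlex.split(line)              # respects quoted values containing spaces
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append("config " + " ".join(args))
        elif kw == "edit":
            stack.append("edit " + args[0])
        elif kw == "set":
            leaves[tuple(stack) + (args[0],)] = " ".join(args[1:])
        elif kw in ("next", "end"):            # close the current edit / config block
            stack.pop()
    return leaves


def entries(leaves):
    """Every 'edit' entry present in the config, as a path prefix."""
    return {path[:i] for path in leaves for i in range(1, len(path))
            if path[i - 1].startswith("edit ")}


def fmt(path):
    return " / ".join(p[len("config "):] if p.startswith("config ") else p for p in path)


def diff(old_text, new_text):
    """Report added, removed and modified entries and attributes."""
    old, new = parse(old_text), parse(new_text)
    old_entries, new_entries = entries(old), entries(new)
    changed_entries = old_entries ^ new_entries
    report = {"added": [fmt(e) for e in sorted(new_entries - old_entries)],
              "removed": [fmt(e) for e in sorted(old_entries - new_entries)],
              "modified": []}
    for path in sorted(set(old) | set(new)):
        if any(path[:len(e)] == e for e in changed_entries):
            continue                           # covered by the whole-entry line above
        if path not in old:
            report["added"].append(f"{fmt(path)} = {new[path]}")
        elif path not in new:
            report["removed"].append(f"{fmt(path)} = {old[path]}")
        elif old[path] != new[path]:
            report["modified"].append(f"{fmt(path)}: {old[path]} -> {new[path]}")
    return report


if __name__ == "__main__":
    for kind, items in diff(OLD_CONFIG, NEW_CONFIG).items():
        for item in items:
            print(f"{kind:9s} {item}")
```

Aligning on `edit` keys is what keeps the report readable: policy 2 disappearing and policy 3 appearing are two events, not eight attribute deletions and insertions, and an attribute change inside an entry that exists on both sides (here `logtraffic` on policy 1 and the global admin timeout) is reported against that entry's path.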
SDWAN Resilience Part 1: Design and Assumptions
A multi-part deep dive into building a resilient Fortinet SD-WAN on a real, slightly unfashionable topology — HA FortiManager, dual hubs in active/standby, no DCI, and an independent DCE. Part 1 lays out the topology, the AS plan, and challenges the design choices up front.
SDWAN Resilience Part 2: BGP on Loopback
Why we peer BGP on loopbacks instead of tunnel-interface IPs, the FortiOS dynamic-IPsec config that makes it work, the spoke-side reciprocal config, and why hub-to-hub iBGP is the wrong answer in a no-DCI active/standby topology.
SDWAN Resilience Part 3: DC to DCE Routing — Static, OSPF, and BGP
The hub FortiGate has to glue the spoke overlay to the data-centre environment that hosts the services. Static, OSPF, and eBGP each work — but only two of them fail correctly when the DCE peering goes down on one DC and not the other.
SDWAN Resilience Part 4: BFD and Convergence Tuning
Default BGP timers detect failure in three minutes. That's unacceptable for active/standby SD-WAN. This post is the timer-math: DPD vs BFD on tunnels, BFD-for-BGP, holdtime ratios, the Graceful Restart trade-off, and what convergence numbers each combination actually delivers.
SDWAN Resilience Part 5: Performance SLAs and Service Steering
BGP and BFD catch every failure that takes a tunnel or session with it. They don't catch the failure where everything looks healthy at the network layer but the application is gone. That's the gap SD-WAN Performance SLAs fill — and the place where careful health-check design earns its keep.
SDWAN Resilience Part 6: Building It Right — Full DCI and Dual-Active ADVPN
The first five parts defended a topology with real constraints. This final post is the version without those constraints — Fortinet's reference design: full DCI, dual-active ADVPN, iBGP between hubs, symmetric routing, ECMP across both paths. The full shebang.
Building a FortiManager Lab on Proxmox — Part 1: Lab Goals, Compute Sizing and Proxmox Host Preparation
Part 1 of a five-part series on building a FortiManager lab on Proxmox. Covers lab goals, compute sizing for FMG and FGT VMs, host prerequisites, and a clean Proxmox 8.x baseline before the qcow2 build in Part 2.
Building a FortiManager Lab on Proxmox — Part 2: Obtaining the Image, qcow2 Conversion and First Boot
Part 2 of the FortiManager-on-Proxmox series. Walks through obtaining the KVM image from the Fortinet portal, validating the qcow2 files, building the VM shell with the right machine type and SCSI controller, importing both disks, and first-boot verification.
Building a FortiManager Lab on Proxmox — Part 3: Proxmox Networking, Linux Bridges, VLAN-Aware Bridges and SDN for the Lab
Part 3 of the FortiManager-on-Proxmox series. Designs the four-segment lab network, compares Linux bridges, VLAN-aware bridges and Proxmox SDN, walks through the /etc/network/interfaces shape, and explains why the lab bridges should never have an IP on the host.
Building a FortiManager Lab on Proxmox — Part 4: A Lab Edge FortiGate VM in Front of FortiManager
Part 4 of the FortiManager-on-Proxmox series. Builds a FortiGate-VM as the lab edge in front of FortiManager, with four NICs mapped to the lab bridges, a scoped policy set, FortiGuard pinhole, local-in policy hardening, and the deny-with-log rule that proves the boundary works.
Building a FortiManager Lab on Proxmox — Part 5: Registering Managed FortiGates, ADOMs and Policy Package Installs
Part 5 of the FortiManager-on-Proxmox series. Builds two managed FortiGate VMs, registers them via FGFM through the lab edge, splits them across two ADOMs, deploys a shared policy package with FMG, exercises revision history and rollback, and turns the lab into a snapshotted training platform.
FortiOS 7.6.6 SD-WAN: VRF1 Transport and Loopback Design
A refined VRF reference design for FortiOS 7.6.6 — transport in VRF 1, separate transport and management loopbacks, complete management-plane pinning, and NPU-VLINK guidance for inter-VRF acceleration.
MP-BGP and VRFs on FortiGate SD-WAN
A practical reference design using MP-BGP (VPNv4) and VRFs on FortiOS to keep management (VRF20), customer SD-WAN (VRF30), and Guest Wi-Fi DIA (VRF99) isolated end-to-end. Includes config, traffic flows, and the gotchas that bite people in production.
Route Leaking Between VRFs on FortiGate: Why It's Trickier Than You Think
VRF route leaking is a daily reality in any multi-tenant or shared-services network design. On FortiGate it's harder to find — and harder to get right — than the equivalent on Cisco or Juniper. Here's how to do it, why it's easy to miss, and the practical pitfalls.