NSE6 — Secure Networking Specialist
A 14-part walk through the NSE6 Secure Networking stream. The series covers all four product exam tracks in sequence — each part combines the exam topic, the GUI path, the CLI equivalent, and the diagnostic commands you'll reach for in the field.
Jump to: FortiAuthenticator (Parts 2–4) · FortiSwitch (Parts 5–7) · FortiAP (Parts 8–10) · FortiNAC (Parts 11–14)
-
NSE6 Part 1: Stream Overview, Exam Structure, and the Secure Networking Stack
What the NSE6 Secure Networking specialist stream covers, how the four product exam tracks fit together, and how FortiAuthenticator, FortiSwitch, FortiAP, and FortiNAC form a joined-up access-layer security story.
FortiAuthenticator (Parts 2–4)
Covers the FCA-FAC exam track: deployment modes and HA, local users and groups, RADIUS service, LDAP/AD integration, FortiToken 2FA, certificate management, and the self-service/guest portal.
-
NSE6 Part 2: FortiAuthenticator Architecture and Local Authentication
FortiAuthenticator deployment modes, hardware vs VM sizing, initial setup, local user and group management, password policies, account lockout, and the admin interfaces you use to build out a working identity store before you plug in LDAP or RADIUS.
-
NSE6 Part 3: FortiAuthenticator RADIUS Service, LDAP Integration, and Remote Auth
How FortiAuthenticator acts as a RADIUS server for FortiGate, FortiSwitch, and other NAS devices; configuring realms and routing; integrating with Active Directory via LDAP; and the diagnostic commands that expose exactly where an authentication flow breaks.
-
NSE6 Part 4: FortiToken 2FA, Certificate Management, and the Self-Service Portal
Adding a second factor with FortiToken hardware and mobile tokens, certificate authority configuration and SCEP enrollment, and setting up the self-service portal for password reset, token activation, and guest account management with sponsor approval.
FortiSwitch (Parts 5–7)
Covers the FCA-FSW exam track: hardware and FortiLink managed mode, VLANs, RSTP, LACP/MCLAG, QoS, and 802.1X port security with dynamic VLAN assignment.
-
NSE6 Part 5: FortiSwitch Hardware, FortiLink Managed Mode, and Initial Provisioning
FortiSwitch hardware families and PoE considerations, how FortiLink turns a FortiGate into a wired switching controller, the discovery and authorisation process for bringing a switch under management, and firmware management from the FortiGate GUI.
-
NSE6 Part 6: FortiSwitch VLANs, RSTP, Link Aggregation, and Stacking Design
VLAN trunking and access port configuration under FortiLink, RSTP bridge priority and port roles, static and LACP link aggregation, MCLAG dual-homing for access-layer resilience, and QoS trust modes for DSCP/CoS remarking at the network edge.
-
NSE6 Part 7: FortiSwitch 802.1X, MAC Authentication Bypass, and Port Security
Port-level 802.1X authentication with FortiAuthenticator as the RADIUS backend, EAP method selection, dynamic VLAN assignment from RADIUS attributes, MAC Authentication Bypass for non-supplicant devices, sticky MAC port security, and CoA-triggered VLAN changes mid-session.
FortiAP (Parts 8–10)
Covers the FCA-FAP exam track: Wi-Fi 6 fundamentals, CAPWAP provisioning, SSIDs and security modes (WPA3/802.1X/captive portal), RF management, rogue AP detection, mesh, and wireless diagnostics.
-
NSE6 Part 8: FortiAP Hardware, CAPWAP Discovery, and AP Provisioning
Wi-Fi 6 fundamentals and the key 802.11 standards, FortiAP hardware families and PoE requirements, how CAPWAP connects APs to the FortiGate wireless controller, the four AP discovery methods, WTP profile configuration, and the authorisation and firmware management workflow.
-
NSE6 Part 9: FortiAP SSIDs, Wireless Security Modes, and RF Management
SSID and VAP configuration options, every wireless security mode from Open to WPA3-Enterprise, dynamic VLAN assignment via RADIUS for wireless, captive portal integration with FortiAuthenticator, band steering, and the RF management tools that keep channels clean in dense deployments.
-
NSE6 Part 10: FortiAP Rogue Detection, Wireless IDS, Mesh, and Troubleshooting
WIDS rogue AP classification and containment, wireless IDS signature types, FortiAP mesh topology with root and leaf APs, OfficeExtender remote AP split-tunnel deployment, and the diagnostic commands and common failure patterns for the FCA-FAP exam troubleshooting section.
FortiNAC (Parts 11–14)
Covers the FCA-FNAC exam track: architecture and HA, network device discovery, endpoint profiling, access policies and VLAN enforcement, compliance scanning, guest and BYOD management, and end-to-end troubleshooting.
-
NSE6 Part 11: FortiNAC Architecture, Network Discovery, and Device Profiling
NAC concepts and where FortiNAC sits in the Security Fabric, Control and Application server roles, HA architecture, how FortiNAC discovers network devices via SNMP and SSH, passive and active endpoint discovery, and the fingerprinting methods that determine what type of device is on each port.
-
NSE6 Part 12: FortiNAC Access Policies, CoA, and VLAN Enforcement
The FortiNAC policy model — groups, access values, and network access policies — how RADIUS and CoA enforce VLAN assignment on FortiSwitch and third-party switches, logical networks for VLAN abstraction, and the end-to-end 802.1X enforcement flow from endpoint connect to VLAN assignment.
-
NSE6 Part 13: FortiNAC Endpoint Compliance, Agents, and Host Isolation
Persistent, dissolvable, and agentless posture assessment methods, compliance rules and remediation actions, quarantine VLAN and isolation workflow, guest self-registration and sponsor approval, BYOD certificate onboarding, and MDM integration with Intune, Jamf, and FortiClient EMS.
-
NSE6 Part 14: FortiNAC HA, Reporting, and End-to-End Troubleshooting
FortiNAC HA failover mechanics, MySQL replication, syslog/FAZ integration, alarm framework, built-in and custom reports, and a systematic troubleshooting guide for discovery failures, enforcement problems, and 802.1X issues — with a complete end-to-end trace of a new endpoint joining.