Tagged: FortiGate
21 posts · browse all tags
-
Adding Vendor Route-Table Parsers to route-compare, and Why the Work Lives on a Branch
A follow-up on the route-compare tool: I taught it to read raw show ip route, get router info routing-table all, show route, and show routing route output directly — no Excel cleanup step. The work lives on a branch rather than on main, and this is why.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 1: Ingress, NP7, and the Fast Path
Where the packet is born on a 50G FortiGate. From the wire and DMA, through the NP7 SoC's session cache, IPSA, NTurbo, and the moment a packet either flies through hardware or crosses the bridge into the kernel slow path.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 2: Stateful Inspection, Session Lookup, and Anti-Spoofing
The packet has been punted from the NP7 to the kernel. Now FortiOS does the things ASICs cannot: IP integrity, DoS sensors, RPF, session table lookup, helpers, and the state machine that decides whether this is a brand new flow or one we already know.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 3: Routing, Policy Routes, and SD-WAN Service Rules
The packet has a session entry and now needs to know where to go. FortiOS resolves that in a strict order: policy routes, then SD-WAN service rules, then the FIB. Each layer has its own logic, its own match criteria, and its own diagnostic surface.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 4: Firewall Policy, NAT, and Security Profiles
Routing told the packet where it's going. Firewall policy decides whether it's allowed, NAT rewrites it, and security profiles inspect it. Inside the iprope chain, central NAT vs policy NAT, VIPs, IP pools, and the flow-vs-proxy UTM pipeline.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 5: Egress, NPU Offload, and the Full Troubleshooting Cookbook
The packet is decided. Now it has to actually leave. Egress shaping, NPU offload re-evaluation, IPsec encap, ARP, transmit. Then a single-page reference of every diagnose, get, and show command from across this series.
-
Configuring RADIUS Admin Auth on FortiGate SD-WAN: RBAC and Three User Profiles (Part 2 of 2)
Part 2 of 2 on RADIUS for FortiGate SD-WAN. Walks through the FortiOS config end-to-end — RADIUS server entry, group-to-profile mapping via VSA, three worked RBAC examples (senior engineer, NOC operator, compliance auditor), and the verification commands you'll need.
-
RADIUS vs TACACS+ on FortiGate SD-WAN: Choosing the Right AAA Backend (Part 1 of 2)
Part 1 of 2 on RADIUS for FortiGate SD-WAN. Covers the protocol differences vs TACACS+, the RADIUS server options worth knowing (NPS, FortiAuthenticator, FreeRADIUS, ISE, Okta, Duo, Entra), and when each protocol is the right call for FortiOS.
-
Building a FortiManager Lab on Proxmox — Part 4: A Lab Edge FortiGate VM in Front of FortiManager
Part 4 of the FortiManager-on-Proxmox series. Builds a FortiGate-VM as the lab edge in front of FortiManager, with four NICs mapped to the lab bridges, a scoped policy set, FortiGuard pinhole, local-in policy hardening, and the deny-with-log rule that proves the boundary works.
-
Building a FortiManager Lab on Proxmox — Part 5: Registering Managed FortiGates, ADOMs and Policy Package Installs
Part 5 of the FortiManager-on-Proxmox series. Builds two managed FortiGate VMs, registers them via FGFM through the lab edge, splits them across two ADOMs, deploys a shared policy package with FMG, exercises revision history and rollback, and turns the lab into a snapshotted training platform.
-
tcpdump Deep Dive: BPF Filters, Capture Rotation, and Cross-Mapping to FortiGate's diagnose sniffer packet
A practical, command-heavy guide to getting real value out of tcpdump — precise BPF filters, production-grade ring-buffer captures, and a side-by-side mapping to FortiGate's diagnose sniffer packet so you can switch between the two without losing your place.
-
NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE4 Part 10: High Availability
Part 10 — the final post in the NSE4 study series. Covers FGCP, active-passive vs active-active, heartbeat and monitor interfaces, session synchronisation, failover behaviour, and the diagnostic output you'll be asked to interpret.
-
NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.
-
NSE4 Part 3: Firewall Policies & NAT
Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.
-
NSE4 Part 4: Authentication, FSSO & Certificates
Part 4 of the NSE4 study series — local and remote authentication (LDAP, RADIUS), captive portal, Fortinet Single Sign-On (FSSO) modes, and certificate operations including SSL deep inspection.
-
NSE4 Part 5: Logging, Monitoring & Diagnostics
Part 5 of the NSE4 study series — log categories and severity, local vs remote storage, FortiAnalyzer and syslog forwarding, threat weight scoring, and the diagnostic commands you actually reach for under pressure.
-
NSE4 Part 6: Security Profiles — Web, App Control, AV, IPS, DoS
Part 6 of the NSE4 study series — the five security profiles you attach to firewall policies: web filter, application control, antivirus, intrusion prevention, and denial-of-service.
-
NSE4 Part 7: SSL VPN
Part 7 of the NSE4 study series — SSL VPN modes (web, tunnel, full), portals, realms, MFA, split tunnelling and the diagnostic commands for tracking down a stuck client.
-
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.
-
NSE4 Part 9: Routing & SD-WAN
Part 9 of the NSE4 study series — static and policy routing, distance vs priority, RPF, OSPF and BGP basics, and how SD-WAN turns a pile of WAN links into a single steered zone with performance SLAs.