Tagged: Fortinet
84 posts · browse all tags
-
Ansible Deep Dive Part 10 Lab: Automating a Cisco and FortiGate Fleet With Ansible
Part 10, the second lab: network-specific Ansible modules against a mixed Cisco IOS and FortiGate fleet — cisco.ios facts and config, fortinet.fortios firewall policy objects, connection: network_cli vs httpapi, and a config-drift check playbook.
-
SD-WAN Control Plane Showdown: Three Philosophies for Solving the Same Problem
Fortinet collapses control onto the data-plane device. Arista/VeloCloud collocates it on a multi-tenant Gateway. Cisco/Viptela decouples it fully into vSmart and OMP. Three architectures covered on this site, lined up side by side, right before the Cisco series picks up the third one.
-
Chronos Keeps Time: Building an Enterprise-Grade NTP Service with chrony and Integrating it with FortiGate
Why we chose chrony over ntpd and timesyncd, what CIS and Fortinet hardening guides say about NTP, a full build walkthrough, the deny-all ordering mistake every network engineer will make, and how to generate NTP keys that FortiOS will actually accept.
-
One Box, Many Firewalls: A Practical Guide to FortiGate VDOMs
Virtual domains let a single FortiGate behave as several independent firewalls — separate routing tables, policies, and administrative boundaries on shared hardware. When that's the right tool, when a VRF is the better one, and how inter-VDOM routing actually moves a packet between them.
-
Watching the Fabric: FortiAnalyzer and FortiMonitor for SD-WAN SLA Observability
The operational bookend to the SD-WAN design series — how FortiAnalyzer and FortiMonitor turn the performance-SLA assumptions baked into your hub placement and resilience design into something you can actually alert on, trend, and defend with data months later.
-
The Cutover Playbook: Migrating from MPLS to SD-WAN Without a Bad Weekend
A phased, dual-running migration plan for moving a branch off MPLS and onto SD-WAN — route-map-based preference during transition, what to validate before each cutover step, and the rollback triggers that keep a bad change from becoming an outage.
-
IPsec Deep Dive Part 1: ESP, AH, and How IKE Phase 1 Actually Brings a Tunnel Up
IPsec underpins every Fortinet SD-WAN overlay this blog has built, and it's never had its own deep dive. Part 1 fixes that: the SA model, ESP vs AH, tunnel vs transport, and a message-by-message walk through IKEv1 main mode, aggressive mode, and IKEv2.
-
IPsec Deep Dive Part 2: Phase 2, Child SAs, and the Anatomy of an ESP Packet
Phase 1 built a control channel and protected nothing. Part 2 covers the negotiation that actually moves data: quick mode and child SAs, traffic selectors, PFS, rekeying, and anti-replay — then dissects an ESP packet field by field, down to the MTU math.
-
IPsec Deep Dive Part 3: NAT vs IPsec — NAT-T, Port Forwarding, and the Fortinet SD-WAN Reality
NAT breaks IPsec three distinct ways — AH's ICV, ESP's missing ports, and IKE's rewritten source port. Part 3 covers each break, how NAT-D detects it and NAT-T's UDP 4500 encapsulation repairs it, when port forwarding is still required, and what it all means for SD-WAN spokes behind CPE NAT.
-
Policed, Not Just Routed: Traffic Shaping and QoS Internals on Fortinet SD-WAN
Application-aware routing decides which path a flow takes. Shaping decides what happens to it once it's there — shaping profiles, per-IP and per-policy shapers, queue assignment, and how it all interacts with NP7 hardware offload.
-
NSE6 Part 1: Stream Overview, Exam Structure, and the Secure Networking Stack
What the NSE6 Secure Networking specialist stream covers, how the four product exam tracks fit together, and how FortiAuthenticator, FortiSwitch, FortiAP, and FortiNAC form a joined-up access-layer security story.
-
NSE6 Part 10: FortiAP Rogue Detection, Wireless IDS, Mesh, and Troubleshooting
WIDS rogue AP classification and containment, wireless IDS signature types, FortiAP mesh topology with root and leaf APs, OfficeExtender remote AP split-tunnel deployment, and the diagnostic commands and common failure patterns for the FCA-FAP exam troubleshooting section.
-
NSE6 Part 11: FortiNAC Architecture, Network Discovery, and Device Profiling
NAC concepts and where FortiNAC sits in the Security Fabric, Control and Application server roles, HA architecture, how FortiNAC discovers network devices via SNMP and SSH, passive and active endpoint discovery, and the fingerprinting methods that determine what type of device is on each port.
-
NSE6 Part 12: FortiNAC Access Policies, CoA, and VLAN Enforcement
The FortiNAC policy model — groups, access values, and network access policies — how RADIUS and CoA enforce VLAN assignment on FortiSwitch and third-party switches, logical networks for VLAN abstraction, and the end-to-end 802.1X enforcement flow from endpoint connect to VLAN assignment.
-
NSE6 Part 13: FortiNAC Endpoint Compliance, Agents, and Host Isolation
Persistent, dissolvable, and agentless posture assessment methods, compliance rules and remediation actions, quarantine VLAN and isolation workflow, guest self-registration and sponsor approval, BYOD certificate onboarding, and MDM integration with Intune, Jamf, and FortiClient EMS.
-
NSE6 Part 14: FortiNAC HA, Reporting, and End-to-End Troubleshooting
FortiNAC HA failover mechanics, MySQL replication, syslog/FAZ integration, alarm framework, built-in and custom reports, and a systematic troubleshooting guide for discovery failures, enforcement problems, and 802.1X issues — with a complete end-to-end trace of a new endpoint joining.
-
NSE6 Part 2: FortiAuthenticator Architecture and Local Authentication
FortiAuthenticator deployment modes, hardware vs VM sizing, initial setup, local user and group management, password policies, account lockout, and the admin interfaces you use to build out a working identity store before you plug in LDAP or RADIUS.
-
NSE6 Part 3: FortiAuthenticator RADIUS Service, LDAP Integration, and Remote Auth
How FortiAuthenticator acts as a RADIUS server for FortiGate, FortiSwitch, and other NAS devices; configuring realms and routing; integrating with Active Directory via LDAP; and the diagnostic commands that expose exactly where an authentication flow breaks.
-
NSE6 Part 4: FortiToken 2FA, Certificate Management, and the Self-Service Portal
Adding a second factor with FortiToken hardware and mobile tokens, certificate authority configuration and SCEP enrollment, and setting up the self-service portal for password reset, token activation, and guest account management with sponsor approval.
-
NSE6 Part 5: FortiSwitch Hardware, FortiLink Managed Mode, and Initial Provisioning
FortiSwitch hardware families and PoE considerations, how FortiLink turns a FortiGate into a wired switching controller, the discovery and authorisation process for bringing a switch under management, and firmware management from the FortiGate GUI.
-
NSE6 Part 6: FortiSwitch VLANs, RSTP, Link Aggregation, and Stacking Design
VLAN trunking and access port configuration under FortiLink, RSTP bridge priority and port roles, static and LACP link aggregation, MCLAG dual-homing for access-layer resilience, and QoS trust modes for DSCP/CoS remarking at the network edge.
-
NSE6 Part 7: FortiSwitch 802.1X, MAC Authentication Bypass, and Port Security
Port-level 802.1X authentication with FortiAuthenticator as the RADIUS backend, EAP method selection, dynamic VLAN assignment from RADIUS attributes, MAC Authentication Bypass for non-supplicant devices, sticky MAC port security, and CoA-triggered VLAN changes mid-session.
-
NSE6 Part 8: FortiAP Hardware, CAPWAP Discovery, and AP Provisioning
Wi-Fi 6 fundamentals and the key 802.11 standards, FortiAP hardware families and PoE requirements, how CAPWAP connects APs to the FortiGate wireless controller, the four AP discovery methods, WTP profile configuration, and the authorisation and firmware management workflow.
-
NSE6 Part 9: FortiAP SSIDs, Wireless Security Modes, and RF Management
SSID and VAP configuration options, every wireless security mode from Open to WPA3-Enterprise, dynamic VLAN assignment via RADIUS for wireless, captive portal integration with FortiAuthenticator, band steering, and the RF management tools that keep channels clean in dense deployments.
-
Zero Trust Meets the Overlay: Converging ZTNA and SD-WAN on Fortinet
The capstone to the SD-WAN series: how Fortinet's ZTNA tags and access proxy let you fold per-application, identity-aware access control directly into the SD-WAN fabric — built on the RADIUS/TACACS AAA backend and the PKI you already stood up for IPsec.
-
Pairing a FortiGate and FortiSwitch the Right Way, Part 1: Get the Firmware Right First
Before a FortiGate and FortiSwitch will even talk to each other over FortiLink, both need to be on compatible, fully-patched firmware — and NTP/DNS need to be solid. Part 1 covers the upgrade plan we should have run before touching FortiLink at all.
-
Pairing a FortiGate and FortiSwitch the Right Way, Part 2: FortiLink, and Where We Actually Went Wrong
The FortiLink handshake looks trivial in the docs: cable it in, authorize, done. Ours didn't go that way. Part 2 walks the correct pairing process, then dissects exactly where — and why — our first attempt stalled, with the redo plan for when we factory-reset both boxes.
-
Beyond PSK: PKI for Fortinet SD-WAN IPsec, Part 1 — The Architecture Decision
FortiManager-as-CA vs. a dedicated external CA for certificate-based IPsec on Fortinet SD-WAN: the honest trade-offs, SCEP vs EST, CRL vs OCSP, certificate lifetime philosophy, and why "who is your CA" is the real question hiding inside "switch to certificates."
-
Beyond PSK: PKI for Fortinet SD-WAN IPsec, Part 2 — Standing Up the PKI
Standing up a real PKI for Fortinet SD-WAN IPsec: offline root, online issuing CA, a certificate role scoped to IPsec end entities, an EST front-end, CRL/OCSP placed where the chicken-and-egg overlay problem can't reach it, and FortiManager's much smaller supporting role.
-
Beyond PSK: PKI for Fortinet SD-WAN IPsec, Part 3 — Enrollment, Automation, and the Cutover
Closing the series: solving EST's bootstrap-credential problem on purpose, monitoring certificate renewal at scale before it becomes an outage, and executing the PSK-to-certificate cutover — explicitly diffed against the FMG-as-CA migration path.
-
Cloud On-Ramp Part 1: The Architecture Decision and AWS Transit Gateway
Hub Placement Part 3 said the hub goes where the VPC is. This post answers the question that raises immediately: how does it actually get there? BGP-over-IPsec to AWS Transit Gateway, ASN selection, and mapping on-prem VRFs onto TGW route tables.
-
Cloud On-Ramp Part 2: Azure Virtual WAN and a Dual-Cloud Resilience Design
Azure Virtual WAN looks like AWS Transit Gateway from a distance — a managed hub that attachments plug into. Up close, the BGP mechanics, the route-propagation model, and the failure modes all differ in ways that decide whether a dual-cloud on-ramp actually survives a bad day.
-
Local Internet Breakout in Practice: SD-WAN Zones, Rules, and a Multi-VRF Guest Wi-Fi Walkthrough
How SD-WAN zones, members, and performance-SLA rules actually decide where a session breaks out — and a full walkthrough of giving Guest Wi-Fi its own VRF, its own zone, and a local internet path that never touches the corporate tunnel.
-
Fortinet SD-WAN Hub Placement Part 1: The Traditional Model — Hubs in the DC
Why hubs traditionally sit in the DC, the job they actually do there, how they protect FMG/FAZ, and how BGP on loopback ties it together. Part 1 of a series that goes on to challenge the assumption that the hub belongs in the DC at all.
-
Fortinet SD-WAN Hub Placement Part 2: The MSSP Shift — When the Hub Becomes Customer-Centric
What changes when one FMG/FAZ pair manages many customers through ADOMs: the hub stops being "the DC's hub" and becomes a per-customer design decision, with its own routing domain, AS plan, and placement logic.
-
Fortinet SD-WAN Hub Placement Part 3: Cloud, SASE, and the Death of "The DC" as the Default
Closing out the hub-placement series: what changes about hub design when the destination is Azure, AWS, or GCP rather than a DC, and what changes again for customers migrating from a DC-centric WAN to a SASE-centric one.
-
From DSCP to Deep Packet Inspection: Why SD-WAN Application-Aware Routing Killed Traditional QoS
A deep technical comparison of legacy QoS (DSCP/CoS, static priority queues, box-by-box CLI) against SD-WAN Application-Aware Routing — plus a vendor-by-vendor breakdown of how Cisco Catalyst SD-WAN, Fortinet, Juniper Mist (128T), and VeloCloud actually identify and steer application traffic.
-
The Packet Never Lies: Advanced tcpdump Recipes for the Enterprise Engineer
Bitwise BPF masking, enterprise recipes for asymmetric routing and retransmission hunting, a safe SSH-to-Wireshark live-streaming setup that won't loop your own session, and a cross-vendor capture map spanning Debian, Cisco IOS, FortiOS, Junos, and VeloCloud.
-
Why Deep Packet Inspection (DPI) Breaks Guest Wi-Fi (And How to Fix It on Fortinet FortiGate)
Full SSL Inspection looks like the obvious way to secure a guest or BYOD network on FortiGate — until certificate warnings, crashed apps, and "No Internet" errors flood the helpdesk. Here's why DPI breaks guest Wi-Fi, and the certificate-inspection-plus-ISDB architecture that actually works.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 1: System Health & Routing
Part 1 of a 3-part deep-dive CLI reference for the NSE 4 exam. Covers get system status, get system performance status, interface and NIC diagnostics, the routing table RIB vs FIB, ARP, and ping-options — with live output breakdowns and exam-pressure indicators for every command.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 2: Session Table & Packet Flow
Part 2 of 3 in the NSE 4 CLI reference series. Deep-dives into FortiOS session table internals — filtering, reading, and clearing sessions — then covers the packet sniffer verbosity levels 1–6 and the full debug flow chain with line-by-line breakdown of successful vs. dropped traces.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 3: VPN & HA
Part 3 of 3 in the NSE 4 CLI reference series. Covers IPsec VPN diagnostics (IKE gateway state, tunnel SAs, SPI counter discrepancies), SSL-VPN authentication traces, and HA cluster mechanics — election criteria, heartbeat state, and configuration synchronisation verification via checksum hashes.
-
Fortinet SD-WAN Jinja Orchestrator — Part 1: The Two Template Engines
Part 1 of three. FortiManager hosts two distinct template engines — classic CLI templates and Jinja CLI templates — and they aren't interchangeable. Thesis: Jinja for shape-varying network plumbing, CLI templates for shape-fixed system config, and a real deployment uses both.
-
Fortinet SD-WAN Jinja Orchestrator — Part 2: Anatomy and Patterns
Part 2 of three. We open Fortinet's sdwan-advpn-reference repo and read it end-to-end: the dynamic-bgp-on-lo directory, the four reference Project Templates, the inventory contract that feeds them, and the three Jinja patterns the templates lean on heaviest — loops, ipaddr derivation, and imports.
-
Fortinet SD-WAN Jinja Orchestrator — Part 3: PSK to Cert With FMG as CA
Part 3 of three. We take the single-hub PSK example from the reference repo and migrate it to certificate-based IPSec, with FortiManager as the CA. FMG CA setup, per-device enrolment, Project Template flag flip, what changes in the rendered config and what doesn't.
-
Finding the Hop That's Eating Your Packets: pmtud-sweeper
A per-hop Path-MTU sweeper that binary-searches the largest DF-set packet each hop will pass, then names the router that's clamping your tunnel. ICMP, UDP, TCP-SYN, end-to-end TCP MSS — pick the probe your network actually lets through.
-
Who Sent That RST? Forensic Classification of TCP Resets with rst-forensics
A pure-Python classifier that takes a TCP RST and tells you whether the server, a mid-path firewall, or the client actually sent it. Six independent scorers — TTL, IP-ID, window, options, sequence, and timing — vote on the origin so the verdict is reproducible instead of tribal.
-
Diffing FortiGate configs the way an admin reads them — fgt-config-diff
A small Python tool that parses FortiGate configs into a tree, aligns nodes by section path and edit key, and reports what was added, removed, or modified — in the language of policies and objects, not unified-diff line numbers. CLI plus a Flask web UI.
-
SDWAN Resilience Part 1: Design and Assumptions
A multi-part deep dive into building a resilient Fortinet SD-WAN on a real, slightly unfashionable topology — HA FortiManager, dual hubs in active/standby, no DCI, and an independent DCE. Part 1 lays out the topology, the AS plan, and challenges the design choices up front.
-
SDWAN Resilience Part 2: BGP on Loopback
Why we peer BGP on loopbacks instead of tunnel-interface IPs, the FortiOS dynamic-IPsec config that makes it work, the spoke-side reciprocal config, and why hub-to-hub iBGP is the wrong answer in a no-DCI active/standby topology.
-
SDWAN Resilience Part 3: DC to DCE Routing — Static, OSPF, and BGP
The hub FortiGate has to glue the spoke overlay to the data-centre environment that hosts the services. Static, OSPF, and eBGP each work — but only two of them fail correctly when the DCE peering goes down on one DC and not the other.
-
SDWAN Resilience Part 4: BFD and Convergence Tuning
Default BGP timers detect failure in three minutes. That's unacceptable for active/standby SD-WAN. This post is the timer-math: DPD vs BFD on tunnels, BFD-for-BGP, holdtime ratios, the Graceful Restart trade-off, and what convergence numbers each combination actually delivers.
-
SDWAN Resilience Part 5: Performance SLAs and Service Steering
BGP and BFD catch every failure that takes a tunnel or session with it. They don't catch the failure where everything looks healthy at the network layer but the application is gone. That's the gap SD-WAN Performance SLAs fill — and the place where careful health-check design earns its keep.
-
SDWAN Resilience Part 6: Building It Right — Full DCI and Dual-Active ADVPN
The first five parts defended a topology with real constraints. This final post is the version without those constraints — Fortinet's reference design: full DCI, dual-active ADVPN, iBGP between hubs, symmetric routing, ECMP across both paths. The full shebang.
-
Configuring RADIUS Admin Auth on FortiGate SD-WAN: RBAC and Three User Profiles (Part 2 of 2)
Part 2 of 2 on RADIUS for FortiGate SD-WAN. Walks through the FortiOS config end-to-end — RADIUS server entry, group-to-profile mapping via VSA, three worked RBAC examples (senior engineer, NOC operator, compliance auditor), and the verification commands you'll need.
-
NSE5 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a 10-part study series for the Fortinet NSE 5 / FCP FortiManager Administrator certification. Covers the exam logistics, the official curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE5 Part 10: Advanced Features and Integrations
Part 10 — the final post in the NSE5 study series. Covers the advanced features that make FortiManager more than a config pusher: FortiGuard distribution, scripting, the JSON-RPC API, SSO, and FortiAnalyzer integration.
-
NSE5 Part 2: Initial Configuration and System Settings
Part 2 of the NSE5 study series — covers the day-one FortiManager configuration: network, admin access, system time, DNS, FortiGuard, OFTP, the on-disk file structure, and the diagnostic commands worth memorising before anything else.
-
NSE5 Part 3: High Availability
Part 3 of the NSE5 study series — covers the FortiManager HA cluster: primary and secondary roles, the sync mechanics, monitor IPs, manual vs automatic failover, and what to do when the cluster splits.
-
NSE5 Part 4: Administrative Domains (ADOMs)
Part 4 of the NSE5 study series — covers Administrative Domains: normal vs advanced ADOMs, version locking, ADOM modes, RBAC scope, and the per-ADOM revision history that underpins the rest of the FortiManager workflow.
-
NSE5 Part 5: Device Registration and Provisioning
Part 5 of the NSE5 study series — covers device registration: the FGFM tunnel, manual vs automatic registration, model devices, zero-touch provisioning, and the install operations that turn a registered device into a managed device.
-
NSE5 Part 6: Device-Level Configuration and Templates
Part 6 of the NSE5 study series — covers the FortiManager template engine: provisioning templates, CLI templates, SD-WAN, IPsec, and certificate templates, and how they compose into a single per-device install.
-
NSE5 Part 7: Policy and Objects
Part 7 of the NSE5 study series — covers ADOM-level policy management: policy packages, the object database, dynamic objects, install previews, install logs, and the cleanup workflows that keep the database lean.
-
NSE5 Part 8: Workflow, Workspace Mode and Revision Control
Part 8 of the NSE5 study series — covers workspace mode and the workflow approval engine: ADOM locking, read/write sessions, the workflow state machine, and how to recover an ADOM that two admins are fighting over.
-
NSE5 Part 9: Diagnostics and Troubleshooting
Part 9 of the NSE5 study series — covers the FortiManager diagnostic toolbox: device-manager diagnostics, the FGFM tunnel, install-failure forensics, oftpd, packet capture, and the debug commands worth knowing under exam pressure.
-
RADIUS vs TACACS+ on FortiGate SD-WAN: Choosing the Right AAA Backend (Part 1 of 2)
Part 1 of 2 on RADIUS for FortiGate SD-WAN. Covers the protocol differences vs TACACS+, the RADIUS server options worth knowing (NPS, FortiAuthenticator, FreeRADIUS, ISE, Okta, Duo, Entra), and when each protocol is the right call for FortiOS.
-
Building a FortiManager Lab on Proxmox — Part 1: Lab Goals, Compute Sizing and Proxmox Host Preparation
Part 1 of a five-part series on building a FortiManager lab on Proxmox. Covers lab goals, compute sizing for FMG and FGT VMs, host prerequisites, and a clean Proxmox 8.x baseline before the qcow2 build in Part 2.
-
Building a FortiManager Lab on Proxmox — Part 2: Obtaining the Image, qcow2 Conversion and First Boot
Part 2 of the FortiManager-on-Proxmox series. Walks through obtaining the KVM image from the Fortinet portal, validating the qcow2 files, building the VM shell with the right machine type and SCSI controller, importing both disks, and first-boot verification.
-
Building a FortiManager Lab on Proxmox — Part 3: Proxmox Networking, Linux Bridges, VLAN-Aware Bridges and SDN for the Lab
Part 3 of the FortiManager-on-Proxmox series. Designs the four-segment lab network, compares Linux bridges, VLAN-aware bridges and Proxmox SDN, walks through the /etc/network/interfaces shape, and explains why the lab bridges should never have an IP on the host.
-
Building a FortiManager Lab on Proxmox — Part 4: A Lab Edge FortiGate VM in Front of FortiManager
Part 4 of the FortiManager-on-Proxmox series. Builds a FortiGate-VM as the lab edge in front of FortiManager, with four NICs mapped to the lab bridges, a scoped policy set, FortiGuard pinhole, local-in policy hardening, and the deny-with-log rule that proves the boundary works.
-
Building a FortiManager Lab on Proxmox — Part 5: Registering Managed FortiGates, ADOMs and Policy Package Installs
Part 5 of the FortiManager-on-Proxmox series. Builds two managed FortiGate VMs, registers them via FGFM through the lab edge, splits them across two ADOMs, deploys a shared policy package with FMG, exercises revision history and rollback, and turns the lab into a snapshotted training platform.
-
FortiOS 7.6.6 SD-WAN: VRF1 Transport and Loopback Design
A refined VRF reference design for FortiOS 7.6.6 — transport in VRF 1, separate transport and management loopbacks, complete management-plane pinning, and NPU-VLINK guidance for inter-VRF acceleration.
-
MP-BGP and VRFs on FortiGate SD-WAN
A practical reference design using MP-BGP (VPNv4) and VRFs on FortiOS to keep management (VRF20), customer SD-WAN (VRF30), and Guest Wi-Fi DIA (VRF99) isolated end-to-end. Includes config, traffic flows, and the gotchas that bite people in production.
-
NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE4 Part 10: High Availability
Part 10 — the final post in the NSE4 study series. Covers FGCP, active-passive vs active-active, heartbeat and monitor interfaces, session synchronisation, failover behaviour, and the diagnostic output you'll be asked to interpret.
-
NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.
-
NSE4 Part 3: Firewall Policies & NAT
Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.
-
NSE4 Part 4: Authentication, FSSO & Certificates
Part 4 of the NSE4 study series — local and remote authentication (LDAP, RADIUS), captive portal, Fortinet Single Sign-On (FSSO) modes, and certificate operations including SSL deep inspection.
-
NSE4 Part 5: Logging, Monitoring & Diagnostics
Part 5 of the NSE4 study series — log categories and severity, local vs remote storage, FortiAnalyzer and syslog forwarding, threat weight scoring, and the diagnostic commands you actually reach for under pressure.
-
NSE4 Part 6: Security Profiles — Web, App Control, AV, IPS, DoS
Part 6 of the NSE4 study series — the five security profiles you attach to firewall policies: web filter, application control, antivirus, intrusion prevention, and denial-of-service.
-
NSE4 Part 7: SSL VPN
Part 7 of the NSE4 study series — SSL VPN modes (web, tunnel, full), portals, realms, MFA, split tunnelling and the diagnostic commands for tracking down a stuck client.
-
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.
-
NSE4 Part 9: Routing & SD-WAN
Part 9 of the NSE4 study series — static and policy routing, distance vs priority, RPF, OSPF and BGP basics, and how SD-WAN turns a pile of WAN links into a single steered zone with performance SLAs.
-
Route Leaking Between VRFs on FortiGate: Why It's Trickier Than You Think
VRF route leaking is a daily reality in any multi-tenant or shared-services network design. On FortiGate it's harder to find — and harder to get right — than the equivalent on Cisco or Juniper. Here's how to do it, why it's easy to miss, and the practical pitfalls.