Fortinet NSE 4 / FCP FortiGate (FortiOS 7.4)
The vendor-neutral networking foundation NSE 4 assumes you already know — routing, NAT, VPN concepts, AAA, and threat / crypto fundamentals. Cover this layer here for free; the FortiGate-specific pieces (policy engine, security profiles, SD-WAN with SLA, FortiOS commands) live in the mentored 8-week program.
Each topic page: TL;DR · mental model · topology · commands · verification · common mistakes · lab · cheat strip.
Mapped to the Fortinet NSE 4 / FCP FortiGate Administrator blueprint.
Fortinet's current admin cert (branded FCP FortiGate Administrator in the new framework, still commonly searched as "NSE 4") covers six functional areas. Every one starts from vendor-neutral networking concepts — that's the layer this free library covers.
| NSE 4 / FCP FortiGate domain | Prereq topics |
|---|---|
| 1.0 System & Interfaces | 11 |
| 2.0 Routing | 10 |
| 3.0 Firewall Policies & NAT | 7 |
| 4.0 Authentication | 4 |
| 5.0 VPN (IPsec + SSL) | 6 |
| 6.0 Security Profiles & Fabric | 7 |
Fortinet®, NSE®, and FCP are trademarks of Fortinet, Inc. PacketMentor is independent and not affiliated with Fortinet.
1.0System & Interfaces
FortiGate Architecture — FortiOS, VDOMs, and the Session Table
How a FortiGate is built end-to-end: FortiOS on ASIC-accelerated hardware, the packet flow, VDOMs, admin access, factory reset, and the stateful session table NSE 4 asks about.
FortiGate HA — FGCP Active-Passive and Active-Active
How FortiGate Clustering Protocol (FGCP) forms a redundant pair or cluster: heartbeat, session sync, election, active-passive vs active-active, override, split-brain avoidance.
OSI Model & TCP/IP
Two networking reference models compared side-by-side. The seven OSI layers, the four TCP/IP layers, and which one the real internet actually runs on (spoiler: not OSI).
IPv4 Addressing
32-bit addresses, dotted decimal, classful vs classless, private ranges, and the special addresses (loopback, broadcast, APIPA) you should never accidentally use for production hosts.
Subnetting
Definitive CCNA-level subnetting guide — magic-number method, VLSM, wildcard masks, enterprise IP plans, 8 worked practice problems, and the subnetting-at-the-speed-of-conversation drill.
IPv6 Basics
128-bit addresses, hex notation, the :: shortcut, address types (global, link-local, multicast), SLAAC, and why IPv6 is finally happening 25 years after it was supposed to.
ARP — Address Resolution Protocol
How a host turns an IP address into the MAC address it needs to actually deliver a frame. Broadcast question, unicast answer, cached for hours. Also covers Gratuitous ARP, Proxy ARP, and the ARP spoofing attack.
DNS — Domain Name System
How www.example.com becomes an IP address. Covers the recursive query path (root → TLD → authoritative), record types (A, AAAA, CNAME, MX, PTR), TTL caching, and the most common DNS failure modes.
DHCP — Dynamic Host Configuration Protocol
Definitive CCNA-level DHCP guide — the DORA exchange step-by-step, packet anatomy, DHCP options table, lease renewal timing (T1/T2), Cisco IOS server + relay config, DHCPv6 brief, DHCP Snooping security, 8 worked scenarios, and the DHCP debug workflow.
DHCP Relay & IP Helper
How `ip helper-address` forwards DHCP DISCOVER broadcasts across Layer 3 boundaries so one DHCP server can serve many VLANs. Includes Option 82, the GIADDR field, and the relay troubleshooting flow.
Cabling & Media Standards
What's actually inside the cables and fiber you're plugging in — Cat5e/6/6A/8, single-mode vs multi-mode fiber, transceivers (SFP/SFP+/QSFP), distance and bandwidth limits, when to use what.
2.0Routing
FortiGate SD-WAN with Performance SLA
How Fortinet SD-WAN routes traffic across multiple WAN links based on real-time SLA measurement (latency, jitter, packet loss). Performance SLA config, SD-WAN rules, and how failover actually works.
Static Routing
Definitive CCNA-level static routing guide — next-hop vs exit-interface vs fully-specified, default routes, floating statics, summary routes, recursive lookup, IPv6 statics, AD reference, 8 worked scenarios, and the static-routing debug workflow.
Default Routing
The catch-all route every edge router needs. Covers static defaults, dynamic defaults (originated by OSPF/EIGRP/BGP), gateway of last resort, and the difference between a default and a summary route.
Routing Decision Process
How a router actually decides where to forward a packet. Longest prefix match, administrative distance, and metric — in that order. Covers why a /30 static beats a /16 OSPF even though OSPF is the better protocol.
OSPF Single-Area
Definitive CCNA-level OSPF guide — link-state mental model, seven neighbor states, LSA types, DR/BDR election, cost tuning, authentication, route summarization, common debug patterns, and 8 worked scenarios.
OSPF Multi-Area
Why a single OSPF area stops working past ~50 routers, and how multi-area design fixes it. Covers ABRs, ASBRs, area 0 backbone rules, LSA types, and the area design decisions that scale OSPF to thousands of routers.
BGP Basics
Definitive CCNP-level BGP guide — autonomous systems, eBGP vs iBGP, path-vector routing, neighbor states, full best-path selection process, attributes deep dive (AS_PATH, LOCAL_PREF, MED, communities), route reflectors, RPKI, 8 worked scenarios, and the BGP debug workflow.
BGP Best-Path Selection — The Full 13-Step Order
The complete BGP path-selection algorithm CCNP ENCOR expects you to recite. Every step in order, with the tie-breaker mnemonic and a worked example for the top three most-common decision points.
SD-WAN Concepts
Software-Defined WAN explained — separating control plane from data plane, overlay tunnels across any underlay (MPLS, internet, LTE), centralized policy via vManage/vSmart, and why the WAN is finally getting the SDN treatment.
Route Summarization
Why aggregating many specific routes into one shorter prefix shrinks route tables, speeds convergence, and limits the blast radius of a flapping link. Covers manual, OSPF, and EIGRP summarization.
3.0Firewall Policies & NAT
FortiGate Firewall Policies — Structure, Order of Operations, NAT Inline
How firewall policies work on FortiOS: the 6 core fields, top-down first-match evaluation, how NAT lives inside the policy, and the diagnostic that tells you which policy matched.
Access Control Lists (ACLs)
Definitive CCNA-level ACL guide — first-match-wins, implicit deny, wildcard masks, standard vs extended vs named, direction (in vs out), the established keyword, time-based ACLs, named-ACL editing, 9 worked scenarios, and the ACL debug workflow.
NAT & PAT
Definitive CCNA-level NAT guide — static NAT, dynamic NAT, PAT/overload, the four inside/outside terms, port forwarding, CGNAT, NAT64 brief, hairpin NAT, translation table limits, 8 worked scenarios, and the NAT debug workflow.
TCP vs UDP
Two flavors of Layer 4 transport. TCP gives reliability and order at the cost of latency; UDP gives speed with no safety net. Covers the 3-way handshake, ports, when to use each, and the protocols that pick the wrong one.
TCP 3-Way Handshake
The three packets every TCP connection starts with — SYN, SYN-ACK, ACK. Covers sequence numbers, the half-open state, SYN floods, and why HTTPS connections feel slower than they should over high-latency links.
TCP Connection States
What every TCP socket goes through from CLOSED to ESTABLISHED to TIME_WAIT. Covers each state, why TIME_WAIT exists (and frustrates web servers), and how `netstat`/`ss` shows you what's really happening.
MTU & Fragmentation
Why packets get fragmented or dropped on links with smaller MTU than expected. Covers MTU vs MSS, the Don't-Fragment bit, ICMP 'Fragmentation Needed,' Path MTU Discovery, and why blocking ICMP breaks the internet.
4.0Authentication
FortiGate FSSO — Fortinet Single Sign-On
How FSSO gives FortiGate identity-aware policies without prompting users: collector agents on the AD DC, event-log monitoring, transparent login mapping, and RADIUS-SSO variants.
AAA · RADIUS & TACACS+
Authentication, Authorization, Accounting — centralize who can log in, what they can do, and what they did. Covers RADIUS vs TACACS+, method lists, and why every network with more than 5 devices uses centralized auth.
802.1X — Port-Based Network Access Control
Lock every switch port until the connected device proves identity. Covers the supplicant / authenticator / auth server roles, EAPOL on the wire, and how 802.1X plugs into RADIUS for enterprise Wi-Fi and wired auth.
Cisco ISE Basics
Cisco Identity Services Engine — the RADIUS/TACACS+ + posture + profiling brain behind enterprise wired/wireless network access. What ISE does, where it sits, and the deployment model behind 802.1X-everywhere.
5.0VPN (IPsec + SSL)
FortiGate IPsec VPN — Site-to-Site and Dial-Up
How IPsec VPNs work on FortiOS: Phase 1 IKE, Phase 2 SA, site-to-site, dial-up, route-based vs policy-based, and the diagnostics that solve 90% of tunnel-down tickets.
FortiGate SSL VPN — Web Mode and Tunnel Mode
How FortiOS SSL VPN works for remote users: web-mode portal, full-tunnel-mode client (FortiClient), authentication with LDAP/RADIUS/SAML, and the split-tunnel decision every design faces.
VPN Basics — IPsec & SSL
How two separated networks (or one user and a network) can talk privately over the public internet. Covers site-to-site IPsec, remote-access SSL/TLS VPNs, IKE phases, and what 'tunnel' actually means.
GRE Tunnels
How to make two distant routers feel directly connected by wrapping IP inside IP. Covers tunnel interface config, MTU caveats, why GRE itself isn't encrypted, and the standard 'GRE over IPsec' combination.
Cisco AnyConnect / Remote Access VPN
How a remote user's laptop gets put 'on the corporate LAN' over the internet. Covers AnyConnect client, SSL/TLS vs IKEv2, split tunneling, authentication options, and where it fits alongside ZTNA in 2026.
Encryption Fundamentals
The cryptography networking engineers must understand — symmetric vs asymmetric, hashing, digital signatures, certificates, and where each is used in IPsec, TLS, SSH, and 802.1X.
6.0Security Profiles & Fabric
FortiGate Security Profiles — AV, Web Filter, App Control, IPS, SSL Inspection
Every security profile FortiGate applies inline to firewall-policy traffic: antivirus, web filter, application control, IPS, DNS filter, DLP, and SSL/SSH deep inspection — plus how to combine them without breaking users.
Cybersecurity Threats & Mitigation
The threat landscape every network engineer must recognize — phishing, ransomware, MITM, DDoS, supply-chain attacks, insider threats — and the mitigation controls that actually move the needle.
Encryption Fundamentals
The cryptography networking engineers must understand — symmetric vs asymmetric, hashing, digital signatures, certificates, and where each is used in IPsec, TLS, SSH, and 802.1X.
DHCP Snooping
Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.
Dynamic ARP Inspection (DAI)
The Layer-2 security feature that kills ARP spoofing dead. Validates every ARP packet against the DHCP Snooping binding table — bogus replies get dropped, trust your gateway again.
Port Security
Lock a switch port to a specific MAC address (or addresses). Covers static, dynamic, and sticky learning, violation modes (protect / restrict / shutdown), and the err-disable recovery dance.
IP Source Guard (IPSG)
The fourth Layer-2 security feature. Validates the source IP of every IP packet against the DHCP Snooping binding table — blocking IP spoofing attacks at the access port.
The FortiGate-specific pieces live in the mentored program.
Firewall policy engine, session tables, security profiles (AV, web filter, app control, IPS, SSL/SSH inspection), SD-WAN with performance SLAs, FortiOS CLI — all taught 1:1 with hands-on FortiGate VM labs over 8 weeks.
See the NSE 4 program →Most FortiGate engineers also hold CCNA.
The routing, switching, and Layer-2 security concepts on the Cisco side are the same ones Fortinet expects you to know cold.
Open CCNA library →