Skip to main content
PacketMentor logo
Open menu
Home
Training
Learn
CCNA Library (74)
Browse all CCNA topics →
Network (13)
Device Operations (5)
Network Access (12)
Wireless (6)
IP Connectivity (10)
IP Services (11)
Security (10)
Automation (7)
Network+ Library (77)
Browse all Network+ topics →
1.0Networking Concepts (22)
2.0Network Implementation (17)
3.0Network Operations (16)
4.0Network Security (15)
5.0Network Troubleshooting (7)
NSE 4 Library (45)
CCNP Library (26)
Practice
All practice →
Troubleshooting Labs
Packet Tracer Labs
Interactive Simulators
Mock ExamPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← Library
NSE 4 FortiOS 7.4 · current FCP FortiGate 45 prerequisite topics across 6 domain buckets

Fortinet NSE 4 / FCP FortiGate (FortiOS 7.4)

The vendor-neutral networking foundation NSE 4 assumes you already know — routing, NAT, VPN concepts, AAA, and threat / crypto fundamentals. Cover this layer here for free; the FortiGate-specific pieces (policy engine, security profiles, SD-WAN with SLA, FortiOS commands) live in the mentored 8-week program.

Each topic page: TL;DR · mental model · topology · commands · verification · common mistakes · lab · cheat strip.

Blueprint coverage

Mapped to the Fortinet NSE 4 / FCP FortiGate Administrator blueprint.

Fortinet's current admin cert (branded FCP FortiGate Administrator in the new framework, still commonly searched as "NSE 4") covers six functional areas. Every one starts from vendor-neutral networking concepts — that's the layer this free library covers.

NSE 4 / FCP FortiGate domain Prereq topics
1.0 System & Interfaces 11
2.0 Routing 10
3.0 Firewall Policies & NAT 7
4.0 Authentication 4
5.0 VPN (IPsec + SSL) 6
6.0 Security Profiles & Fabric 7

Fortinet®, NSE®, and FCP are trademarks of Fortinet, Inc. PacketMentor is independent and not affiliated with Fortinet.

1.0System & Interfaces

11 topics
1.0 System & Interfaces Intermediate

FortiGate Architecture — FortiOS, VDOMs, and the Session Table

How a FortiGate is built end-to-end: FortiOS on ASIC-accelerated hardware, the packet flow, VDOMs, admin access, factory reset, and the stateful session table NSE 4 asks about.

#310 Open topic →
1.0 System & Interfaces Intermediate

FortiGate HA — FGCP Active-Passive and Active-Active

How FortiGate Clustering Protocol (FGCP) forms a redundant pair or cluster: heartbeat, session sync, election, active-passive vs active-active, override, split-brain avoidance.

#316 Open topic →
1.0 System & Interfaces Foundational

OSI Model & TCP/IP

Two networking reference models compared side-by-side. The seven OSI layers, the four TCP/IP layers, and which one the real internet actually runs on (spoiler: not OSI).

#01 Open topic →
1.0 System & Interfaces Foundational

IPv4 Addressing

32-bit addresses, dotted decimal, classful vs classless, private ranges, and the special addresses (loopback, broadcast, APIPA) you should never accidentally use for production hosts.

#03 Open topic →
1.0 System & Interfaces Foundational

Subnetting

Definitive CCNA-level subnetting guide — magic-number method, VLSM, wildcard masks, enterprise IP plans, 8 worked practice problems, and the subnetting-at-the-speed-of-conversation drill.

#05 Open topic →
1.0 System & Interfaces Foundational

IPv6 Basics

128-bit addresses, hex notation, the :: shortcut, address types (global, link-local, multicast), SLAAC, and why IPv6 is finally happening 25 years after it was supposed to.

#06 Open topic →
1.0 System & Interfaces Foundational

ARP — Address Resolution Protocol

How a host turns an IP address into the MAC address it needs to actually deliver a frame. Broadcast question, unicast answer, cached for hours. Also covers Gratuitous ARP, Proxy ARP, and the ARP spoofing attack.

#07 Open topic →
1.0 System & Interfaces Foundational

DNS — Domain Name System

How www.example.com becomes an IP address. Covers the recursive query path (root → TLD → authoritative), record types (A, AAAA, CNAME, MX, PTR), TTL caching, and the most common DNS failure modes.

#42 Open topic →
1.0 System & Interfaces Foundational

DHCP — Dynamic Host Configuration Protocol

Definitive CCNA-level DHCP guide — the DORA exchange step-by-step, packet anatomy, DHCP options table, lease renewal timing (T1/T2), Cisco IOS server + relay config, DHCPv6 brief, DHCP Snooping security, 8 worked scenarios, and the DHCP debug workflow.

#40 Open topic →
1.0 System & Interfaces Foundational

DHCP Relay & IP Helper

How `ip helper-address` forwards DHCP DISCOVER broadcasts across Layer 3 boundaries so one DHCP server can serve many VLANs. Includes Option 82, the GIADDR field, and the relay troubleshooting flow.

#62 Open topic →
1.0 System & Interfaces Foundational

Cabling & Media Standards

What's actually inside the cables and fiber you're plugging in — Cat5e/6/6A/8, single-mode vs multi-mode fiber, transceivers (SFP/SFP+/QSFP), distance and bandwidth limits, when to use what.

#12 Open topic →

2.0Routing

10 topics
2.0 Routing Intermediate

FortiGate SD-WAN with Performance SLA

How Fortinet SD-WAN routes traffic across multiple WAN links based on real-time SLA measurement (latency, jitter, packet loss). Performance SLA config, SD-WAN rules, and how failover actually works.

#313 Open topic →
2.0 Routing Foundational

Static Routing

Definitive CCNA-level static routing guide — next-hop vs exit-interface vs fully-specified, default routes, floating statics, summary routes, recursive lookup, IPv6 statics, AD reference, 8 worked scenarios, and the static-routing debug workflow.

#20 Open topic →
2.0 Routing Foundational

Default Routing

The catch-all route every edge router needs. Covers static defaults, dynamic defaults (originated by OSPF/EIGRP/BGP), gateway of last resort, and the difference between a default and a summary route.

#21 Open topic →
2.0 Routing Foundational

Routing Decision Process

How a router actually decides where to forward a packet. Longest prefix match, administrative distance, and metric — in that order. Covers why a /30 static beats a /16 OSPF even though OSPF is the better protocol.

#22 Open topic →
2.0 Routing Intermediate

OSPF Single-Area

Definitive CCNA-level OSPF guide — link-state mental model, seven neighbor states, LSA types, DR/BDR election, cost tuning, authentication, route summarization, common debug patterns, and 8 worked scenarios.

#30 Open topic →
2.0 Routing Intermediate

OSPF Multi-Area

Why a single OSPF area stops working past ~50 routers, and how multi-area design fixes it. Covers ABRs, ASBRs, area 0 backbone rules, LSA types, and the area design decisions that scale OSPF to thousands of routers.

#35 Open topic →
2.0 Routing Intermediate

BGP Basics

Definitive CCNP-level BGP guide — autonomous systems, eBGP vs iBGP, path-vector routing, neighbor states, full best-path selection process, attributes deep dive (AS_PATH, LOCAL_PREF, MED, communities), route reflectors, RPKI, 8 worked scenarios, and the BGP debug workflow.

#37 Open topic →
2.0 Routing Advanced

BGP Best-Path Selection — The Full 13-Step Order

The complete BGP path-selection algorithm CCNP ENCOR expects you to recite. Every step in order, with the tie-breaker mnemonic and a worked example for the top three most-common decision points.

#411 Open topic →
2.0 Routing Intermediate

SD-WAN Concepts

Software-Defined WAN explained — separating control plane from data plane, overlay tunnels across any underlay (MPLS, internet, LTE), centralized policy via vManage/vSmart, and why the WAN is finally getting the SDN treatment.

#77 Open topic →
2.0 Routing Intermediate

Route Summarization

Why aggregating many specific routes into one shorter prefix shrinks route tables, speeds convergence, and limits the blast radius of a flapping link. Covers manual, OSPF, and EIGRP summarization.

#32 Open topic →

3.0Firewall Policies & NAT

7 topics
3.0 Firewall Policies & NAT Intermediate

FortiGate Firewall Policies — Structure, Order of Operations, NAT Inline

How firewall policies work on FortiOS: the 6 core fields, top-down first-match evaluation, how NAT lives inside the policy, and the diagnostic that tells you which policy matched.

#311 Open topic →
3.0 Firewall Policies & NAT Foundational

Access Control Lists (ACLs)

Definitive CCNA-level ACL guide — first-match-wins, implicit deny, wildcard masks, standard vs extended vs named, direction (in vs out), the established keyword, time-based ACLs, named-ACL editing, 9 worked scenarios, and the ACL debug workflow.

#50 Open topic →
3.0 Firewall Policies & NAT Foundational

NAT & PAT

Definitive CCNA-level NAT guide — static NAT, dynamic NAT, PAT/overload, the four inside/outside terms, port forwarding, CGNAT, NAT64 brief, hairpin NAT, translation table limits, 8 worked scenarios, and the NAT debug workflow.

#41 Open topic →
3.0 Firewall Policies & NAT Foundational

TCP vs UDP

Two flavors of Layer 4 transport. TCP gives reliability and order at the cost of latency; UDP gives speed with no safety net. Covers the 3-way handshake, ports, when to use each, and the protocols that pick the wrong one.

#04 Open topic →
3.0 Firewall Policies & NAT Foundational

TCP 3-Way Handshake

The three packets every TCP connection starts with — SYN, SYN-ACK, ACK. Covers sequence numbers, the half-open state, SYN floods, and why HTTPS connections feel slower than they should over high-latency links.

#09 Open topic →
3.0 Firewall Policies & NAT Intermediate

TCP Connection States

What every TCP socket goes through from CLOSED to ESTABLISHED to TIME_WAIT. Covers each state, why TIME_WAIT exists (and frustrates web servers), and how `netstat`/`ss` shows you what's really happening.

#47 Open topic →
3.0 Firewall Policies & NAT Intermediate

MTU & Fragmentation

Why packets get fragmented or dropped on links with smaller MTU than expected. Covers MTU vs MSS, the Don't-Fragment bit, ICMP 'Fragmentation Needed,' Path MTU Discovery, and why blocking ICMP breaks the internet.

#48 Open topic →

5.0VPN (IPsec + SSL)

6 topics
5.0 VPN (IPsec + SSL) Intermediate

FortiGate IPsec VPN — Site-to-Site and Dial-Up

How IPsec VPNs work on FortiOS: Phase 1 IKE, Phase 2 SA, site-to-site, dial-up, route-based vs policy-based, and the diagnostics that solve 90% of tunnel-down tickets.

#314 Open topic →
5.0 VPN (IPsec + SSL) Intermediate

FortiGate SSL VPN — Web Mode and Tunnel Mode

How FortiOS SSL VPN works for remote users: web-mode portal, full-tunnel-mode client (FortiClient), authentication with LDAP/RADIUS/SAML, and the split-tunnel decision every design faces.

#315 Open topic →
5.0 VPN (IPsec + SSL) Intermediate

VPN Basics — IPsec & SSL

How two separated networks (or one user and a network) can talk privately over the public internet. Covers site-to-site IPsec, remote-access SSL/TLS VPNs, IKE phases, and what 'tunnel' actually means.

#55 Open topic →
5.0 VPN (IPsec + SSL) Intermediate

GRE Tunnels

How to make two distant routers feel directly connected by wrapping IP inside IP. Covers tunnel interface config, MTU caveats, why GRE itself isn't encrypted, and the standard 'GRE over IPsec' combination.

#24 Open topic →
5.0 VPN (IPsec + SSL) Intermediate

Cisco AnyConnect / Remote Access VPN

How a remote user's laptop gets put 'on the corporate LAN' over the internet. Covers AnyConnect client, SSL/TLS vs IKEv2, split tunneling, authentication options, and where it fits alongside ZTNA in 2026.

#58 Open topic →
5.0 VPN (IPsec + SSL) Foundational

Encryption Fundamentals

The cryptography networking engineers must understand — symmetric vs asymmetric, hashing, digital signatures, certificates, and where each is used in IPsec, TLS, SSH, and 802.1X.

#61 Open topic →

6.0Security Profiles & Fabric

7 topics
6.0 Security Profiles & Fabric Intermediate

FortiGate Security Profiles — AV, Web Filter, App Control, IPS, SSL Inspection

Every security profile FortiGate applies inline to firewall-policy traffic: antivirus, web filter, application control, IPS, DNS filter, DLP, and SSL/SSH deep inspection — plus how to combine them without breaking users.

#312 Open topic →
6.0 Security Profiles & Fabric Foundational

Cybersecurity Threats & Mitigation

The threat landscape every network engineer must recognize — phishing, ransomware, MITM, DDoS, supply-chain attacks, insider threats — and the mitigation controls that actually move the needle.

#82 Open topic →
6.0 Security Profiles & Fabric Foundational

Encryption Fundamentals

The cryptography networking engineers must understand — symmetric vs asymmetric, hashing, digital signatures, certificates, and where each is used in IPsec, TLS, SSH, and 802.1X.

#61 Open topic →
6.0 Security Profiles & Fabric Foundational

DHCP Snooping

Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.

#52 Open topic →
6.0 Security Profiles & Fabric Foundational

Dynamic ARP Inspection (DAI)

The Layer-2 security feature that kills ARP spoofing dead. Validates every ARP packet against the DHCP Snooping binding table — bogus replies get dropped, trust your gateway again.

#56 Open topic →
6.0 Security Profiles & Fabric Foundational

Port Security

Lock a switch port to a specific MAC address (or addresses). Covers static, dynamic, and sticky learning, violation modes (protect / restrict / shutdown), and the err-disable recovery dance.

#51 Open topic →
6.0 Security Profiles & Fabric Foundational

IP Source Guard (IPSG)

The fourth Layer-2 security feature. Validates the source IP of every IP packet against the DHCP Snooping binding table — blocking IP spoofing attacks at the access port.

#57 Open topic →
Everything else NSE 4 covers

The FortiGate-specific pieces live in the mentored program.

Firewall policy engine, session tables, security profiles (AV, web filter, app control, IPS, SSL/SSH inspection), SD-WAN with performance SLAs, FortiOS CLI — all taught 1:1 with hands-on FortiGate VM labs over 8 weeks.

See the NSE 4 program →
Add Cisco vendor depth

Most FortiGate engineers also hold CCNA.

The routing, switching, and Layer-2 security concepts on the Cisco side are the same ones Fortinet expects you to know cold.

Open CCNA library →