Introduction To FortiGate Part-1 Infrastructure (Daniel Howard)

This document is an introduction to FortiGate and serves as the first part of a study guide for the NSE4 certification, authored by Daniel Howard, a Fortinet expert. It outlines the structure of the book, which covers Fortinet technologies, network security fundamentals, and practical applications of FortiGate, including chapters on Layer 2 switching, routing, and firewall policies. The author emphasizes the importance of Fortinet certifications in the cybersecurity job market and provides guidance on how to prepare for the NSE4 exam.

Uploaded by

vecaf70542
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
144 views10 pages

Introduction To FortiGate Part-1 Infrastructure (Daniel Howard)

This document is an introduction to FortiGate and serves as the first part of a study guide for the NSE4 certification, authored by Daniel Howard, a Fortinet expert. It outlines the structure of the book, which covers Fortinet technologies, network security fundamentals, and practical applications of FortiGate, including chapters on Layer 2 switching, routing, and firewall policies. The author emphasizes the importance of Fortinet certifications in the cybersecurity job market and provides guidance on how to prepare for the NSE4 exam.

Uploaded by

vecaf70542
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

Introduction to FortiGate Part-I Infrastructure

Fortinet Network Security Introduction

(NSE4 Study Guide - Book One of Four)

By Daniel Howard NSE8 #003255

For any comments or recommendations, please email me directly at [email protected]


About the Author


Daniel Howard is a subject matter expert in many Fortinet technologies, and he is one
of only a few hundred people to obtain the prestigious Fortinet Network Security Expert 8
certification, which is a grueling two-day on-site lab examination. He has worked in the
carrier space for the past decade, highly focused on consulting on, managing, and
maintaining Fortinet networks for Managed Security Service Providers (MSSPs). He has
managed several carrier migration projects and deployments, served as a technical
trainer, and been the lead on the various teams he has been a part of. He works for
Fortinet as a Technical Account Manager consulting within the carrier space, and he
continues to assist various security and operations teams.

Hey! You can also stay updated on the progress of my other books by following my
Facebook page, Amazon author page, or the Fortinet Press website.
https://www.facebook.com/fortinetpress/
https://www.amazon.com/Daniel-Howard/e/B08BS3B4NY
https://fortinetpress.com/
Enjoy!


Table of Contents

Introduction to FortiGate Part-I Infrastructure (p. 1)
  Fortinet Network Security Introduction (p. 1)
  (NSE4 Study Guide) (p. 1)
Introduction (p. 6)
  Chapter 1: Introduction to Fortinet (p. 10)
  Chapter 2: Layer 2 Switching (p. 10)
  Chapter 3: IPv4/IPv6 Routing (p. 10)
  Chapter 4: Firewall Policy and NAT (p. 10)
Chapter 1 | Introduction to FortiGate (p. 23)
  Getting Started with FortiGate (p. 24)
    Unboxing your FortiGate (p. 25)
  Intro to Modern Network Security and Challenges (p. 29)
    Security Profiles and FortiGuard Overview (p. 32)
    FortiGuard Technical Overview (p. 34)
  Security Processing Unit (SPU) Overview (p. 35)
  FortiOS Modes of Operation Overview (p. 36)
  Basic FortiGate Administration (p. 37)
    Intro to Basic GUI Navigation (p. 38)
    Intro to Administrator Access and Permissions (p. 49)
    Intro to the Network Interface (p. 56)
  Intro to CLI and Navigation (p. 66)
    Connecting to the Command Line Interface (CLI) (p. 66)
    FortiGate CLI Terminology (p. 68)
    Sub-command Examples (p. 69)
  General Administrative Tasks (p. 79)
    Product Life Cycle (p. 87)
    Basic Services (p. 96)
  Chapter One Summary (p. 99)
  Chapter One Review Questions (p. 100)
Chapter 2 | Layer Two Technologies (p. 106)
  FortiGate Layer-2 Technologies (p. 107)
  NAT Mode at Layer-2 (p. 108)
  MAC Learning and Forwarding (p. 109)
  Software Switch & Hardware Switch (p. 115)
    NAT Mode L2 Protocols (p. 122)
  Spanning Tree Protocol (STP) (p. 123)
  Link Aggregation Control Protocol (LACP) (p. 125)
  VLAN Layer-3 Interface (p. 135)
  Virtual Wire Pairing (p. 143)
  Virtual Extensible LAN (VXLAN) (p. 145)
  Transparent Mode at Layer-2 (p. 146)
    Transparent Mode Overview (p. 147)
    Transparent Mode Networking (p. 148)
    Layer-2 MAC Learning Overview (p. 148)
    VLANs in Transparent Mode (p. 155)
    Summary (p. 162)
    End of Chapter Two Questions (p. 163)
Chapter 3 | Layer Three Technologies (p. 168)
  FortiOS Layer Three Technologies (p. 169)
    IP Routing Overview (p. 170)
    IPv4 Review (p. 170)
    IPv6 Review (p. 174)
  FortiGate IP Routing (p. 178)
    Routing Table Overview (p. 178)
    Route Attributes and Selection (p. 184)
  Session Table (p. 190)
  FortiOS Routing (p. 201)
  Dynamic Routing Overview (p. 209)
  FortiOS Routing Features (p. 214)
  FortiOS IP Diagnostics (p. 223)
    Summary (p. 233)
  Chapter Three Review Questions (p. 234)
Chapter 4 | Firewall Policy and NAT (p. 238)
  Firewall Policy and NAT Introduction (p. 239)
  Firewall Policy (p. 240)
    Profile-Based Policy Components (p. 243)
  Policy-Based Next-Generation Firewall (p. 255)
  Profile-Based Policy Entry Features (p. 258)
  Firewall Policy Table Management (p. 272)
  Firewall Policy Section Summary (p. 277)
    Network Address Translation (NAT) (p. 278)
  FortiOS Configuration Methods for NAT (p. 278)
    Policy NAT Virtual IP (VIP) (p. 280)
    IP Pool and SNAT (p. 298)
    Central NAT (p. 307)
    IPv4 and IPv6 NAT (p. 310)
    Summary (p. 318)
    Chapter Four Review Questions (p. 320)
  Book Summary - Intro to FortiGate Part-1 (p. 324)
    Appendix A: End of Chapter Answers (p. 325)


Introduction

Greetings! I want to be the first to welcome you on this journey into Fortinet cyber
security technology, and I'm looking forward to helping you become Fortinet NSE4
certified! I love Fortinet products, but even better, I believe in them. I believe in them
to protect a network better than any other product on the market. Aside from being
the fastest firewall on the market, they are very effective and intuitive to use. I guess
if I didn't think this, I wouldn't be writing this book, and if you didn't already believe
in them somewhat, you would not have purchased this book. If you need proof of why
FortiGate is a better firewall, check out the third-party testing company NSS Labs, which
consistently ranks Fortinet as a leader in cyber security.
But let's get down to business. If Fortinet knowledge is what you seek, then this
is the right book for you, whether you are a technology enthusiast with no Fortinet
experience who is intrigued by the FortiGate and its capabilities and wants to learn
more, or you are (or will be) managing a Fortinet network and are required to be certified.
Like you, I have searched the Internet looking for a comprehensive book that maps to
the Network Security Expert 4 (NSE4) Fortinet certification exam, and like you, I did
not find a lot of resources out there, and here we are.
I had to break down the subjects covered into four books. Part-I and Part-II
cover infrastructure, and Part-III and Part-IV cover FortiOS security features. The
first two books focus on FortiGate infrastructure, meaning network functionality
and reachability. The next two books go over all the major security features that
are offered on FortiOS; this is where we get into things like authentication, certificates,
web filtering, IPS, and AV! The books are designed to be read in sequence to build your
FortiGate knowledge from the ground up, layer by layer, using the OSI model approach.
The goal of writing these books is to help you become an outstanding network
security engineer who can effectively implement, engineer, support, and maintain a
FortiGate network. My career has been an enriching journey so far, and I have met
many talented people; becoming a Fortinet expert has changed my life forever,
and I want the same for you. After reading this book and knowing it well, I promise
you'll be on your journey to being a Fortinet rock star! But nothing is free, and it requires
your effort and dedication. Are you ready?

Did you know that the average Fortinet production engineer salary is 102K per year?

Fortinet NSE Certifications

The first item I want to cover with you is the Fortinet certification structure.
Five years ago, around 2015, Fortinet completely reworked its certification structure
and created an eight-tier certification process, and so the Network Security Expert
(NSE) certification path was born. Before that structure, Fortinet had ad hoc certifications
for each product with little study material, and there was no way to identify an overall
Fortinet expert who could deploy and integrate multiple cybersecurity products. Well,
those days are long past now, and we have a clear certificate structure and path
for self-development regarding Fortinet products.
NSE certifications 1 through 3 are non-technical certifications meant as
a high-level introduction to Fortinet products and solutions. You can think of the
first three certifications as sales-related and aimed at management teams that are
trying to make strategic decisions for their environments. It's not until we get to
NSE4 that we unveil the true potential of the FortiGate firewall, and where
the rubber meets the road. Compared to another vendor's certification, such as Cisco's, the
NSE4 certification is pretty much equivalent to the CCNA. If you work in a Fortinet
environment managing FortiGate(s), then at a minimum you will be required to hold the
NSE4 certification, and Fortinet partners are required to have a certain number of
holders on staff to maintain their partnership level. NSE 1 and 2 are free to the public
and are accessible via https://training.fortinet.com
The NSE4 Network Security Professional certification focuses on the FortiGate
firewall. The NSE4 is not an entry-level certification; Fortinet expects you to have
basic computer networking knowledge. If you have no prior experience or
certifications, then I recommend you pursue the CompTIA Network+ and CompTIA
Security+ certifications first before attempting this one. The NSE4 certification focuses
on vendor-specific features with a limited theory background. In total, there are 21
domains of material to master to be able to pass the NSE4 examination. The exam is
taken at a Pearson VUE testing center. There are no prerequisites to take the exam.
Next is the NSE5 Network Security Analyst certification, which lets you choose
between four exams that cover the following Fortinet products: FortiAnalyzer,
FortiManager, FortiSIEM, and FortiClient. You must pass any two of these exams to
become NSE5 certified. These exams must also be taken at a Pearson VUE testing
center. There are no prerequisites to take these exams.
The NSE6 Network Security Specialist certification lets you choose between nine
exams mapping to the following products: FortiADC, FortiDDoS, FortiNAC, FortiWeb,
FortiVoice, FortiAuthenticator, FortiMail, FortiWifi, and FortiWLC. You must pass any
four of these exams to become NSE6 certified. There are no prerequisites to take
these exams, and they must also be taken at a Pearson VUE testing center. The NSE6
certification is valid for two years from the date of completion.

As of 2020 there are over 25,000 NSE4 certificate holders.

The NSE7 Network Security Architect certification lets you choose between four
exams: Advanced Threat Protection, Enterprise Firewall, Secure Access, and Cloud
Security. You must pass any one of these exams to become NSE7 certified. There are
no prerequisites to take these exams. The NSE7 is the next step beyond the NSE4
regarding FortiGate firewalls, but it requires knowledge of product integration. When
comparing to other vendors like Cisco, the NSE7 is equivalent to their CCNP-level
certification. The NSE7 certification is valid for two years from the date of completion.
The exam must be taken at a Pearson VUE testing center.


Lastly, the highest Fortinet certificate is the NSE8 Expert. Obtaining this
certificate demonstrates the ability to design, configure, install, and troubleshoot a
comprehensive network security solution in a live environment. You must first pass a written
exam at Pearson VUE, and next you must pass an extensive two-day hands-on lab exam
in which you must successfully configure and validate a complete network topology
involving multiple Fortinet products. Here you can find more details on the NSE8
certification:
https://www.fortinet.com/content/dam/fortinet/assets/training/NSE8_Certification_ExamFAQ.pdf
In summary, all certifications are valid for two years. You can recertify by
retaking the same exam or by passing a higher-level exam, but there are some caveats, so
for more information on Fortinet NSE certificates, please review:
https://training.fortinet.com/local/staticpage/view.php?page=nse

Why Become Fortinet NSE4 Certified?

There are currently over 25,000 NSE4 certificate holders as of 2020. Fortinet is
one of the fastest-growing cybersecurity companies in the world, and there is a shortage
of talent in the market. More and more companies are converting their cybersecurity
solutions to Fortinet technologies, and at this very moment there are thousands of open
positions for employers hiring people with a Fortinet background within the United
States alone, and even more open positions in network security around the world, since
Fortinet is a global company.
Obtaining the NSE4 Network Security Professional certificate will lay the
foundation of your network security skill set and make you marketable to employers trying to
secure their network infrastructure and services with FortiGate. The NSE4 certification
would also qualify you to work in a Managed Security Service Provider (MSSP)
environment supporting other enterprises' security needs. Learning Fortinet has changed
my life and has given me a specialized skill set that few people within information
technology have. If you're ready to separate yourself from the rest
of the herd and double your pay, then the NSE4 will set you off on your path.

How do you become an NSE4?

As of 2020, you earn the NSE4 certification when you pass the NSE4_FGT-6.2
or NSE4_FGT-6.0 exam at a Pearson VUE testing center; you are allowed 120 minutes,
and there are 70 questions. For more information on Pearson VUE Fortinet testing,
please see the link below:
https://home.pearsonvue.com/fortinet


Chapter 1: Introduction to Fortinet

Chapter 1: Ready to unbox your FortiGate? Here I provide a step-by-step
introduction to the world of FortiOS and FortiGate hardware. I go over FortiCare and
FortiGuard. I walk you through a basic lab setup, give recommendations on how
to be successful using this book, and provide an overview of FortiOS features, initial setup,
basic administration, built-in servers, and fundamental maintenance.

Chapter 2: Layer 2 Switching

Chapter 2: We build a strong foundation on how FortiOS interacts with various
layer two protocols and go over VLANs. You will learn about FortiOS transparent mode
and how broadcast domains are configured and handled, how to configure software switch
settings, and how Spanning Tree Protocol is handled.

Chapter 3: IPv4/IPv6 Routing

Chapter 3: We get into the nitty-gritty of the FortiOS routing engine and explore the layer
three routing features and attributes: how to implement policy routes and layer-3 VLAN
interfaces, what ECMP is and what it is used for, Reverse Path Forwarding
(RPF) and its different methods, and best practices regarding network design and routing.
You will also learn how to use the FortiOS packet capture tools.

Chapter 4: Firewall Policy and NAT

Chapter 4: We made it to the heart of the firewall: the policy (known as an ACL or rule with
other vendors)! Here you'll learn the different components within firewall policies and
how the matching algorithm works for these policies, how to configure firewall
policies and logging, and what policy IDs and sequence numbers are. We also go over how
to find firewall policy objects and perform firewall policy management, and we discuss
how FortiOS performs different types of NAT and how to configure each of them.

How to Use This Book

Each chapter is structured in the following manner:

1. Industry general overview of the technology being discussed
2. Why we need it
