Fortinet Security Fabric and Integration
The Fortinet Security Fabric is a framework for integrating Fortinet security products so they share threat intelligence and enable coordinated response. Core Fabric components: FortiGate (the firewall and orchestrator), FortiManager (centralised policy and configuration management — manage hundreds of FortiGate devices from one console, with device groups, policy packages, and revision history), FortiAnalyzer (centralised log aggregation and analytics — FortiView dashboards, compliance reports, automated threat correlation across all devices). Fabric API integration: FortiGate exposes a REST API for automation — create and update objects, run CLI commands, and retrieve log data programmatically. Fabric connectors: dynamic address objects that update automatically by querying external sources (AWS EC2 tags, Azure resource groups, GCP labels, VMware vCenter VMs, ACI EPGs) — this eliminates manual IP management for cloud workloads. Security rating: FortiGate evaluates your configuration against Fortinet's best-practice checklist and scores your deployment — it identifies misconfigurations, unnecessary services, and hardening opportunities. FortiSASE: Fortinet's SASE offering — FortiClient as the endpoint agent connects to FortiSASE PoPs for cloud-based security enforcement (remote users and branch offices).
SD-WAN Design and Configuration
FortiGate SD-WAN replaces a traditional MPLS-only WAN with intelligent multi-path routing. SD-WAN concepts: underlay (physical WAN links — MPLS, internet broadband, 4G/5G), overlay (IPSec tunnels over the underlay links), SD-WAN member interfaces (WAN interfaces enrolled in an SD-WAN zone), performance SLAs (monitor latency, jitter, and packet loss per link — define acceptable thresholds per application), rules (match traffic by destination, application, or service, then steer it to the best member based on performance SLA and cost preference). SD-WAN strategies: lowest cost (prefer the cheapest link that meets the SLA), best quality (prefer the lowest-latency link), maximise bandwidth (load balance across all members in proportion to capacity). Application-aware routing: FortiGate identifies applications using deep inspection (Application Control) and applies different SD-WAN policies per application — Zoom and Teams prefer low-latency links, bulk file transfers use the cheapest link. IPSec VPN mesh: full or partial mesh between branch FortiGates — use IKEv2 and route-based VPN with dynamic routing (BGP over the IPSec tunnels) so branch routes are learned automatically.
Advanced HA, Routing, and Troubleshooting
NSE7 HA and routing deep dive. FortiGate HA advanced: Active-Passive (the primary forwards all traffic, the secondary is a hot standby — failover in under one second for existing sessions if session synchronisation is enabled), Active-Active (traffic load-balanced across both units — more complex, with asymmetric-routing challenges for some protocols). HA session synchronisation: all established sessions are replicated to the standby — TCP connections survive failover without client reconnection. HA cluster management: dedicated MGMT interface (excluded from HA synchronisation — gives independent out-of-band access to each unit). VRRP interaction: FortiGate HA is distinct from VRRP — do not confuse the HA virtual MAC with VRRP gateway redundancy. BGP on FortiGate: eBGP (peers in different ASes — internet routing, SD-WAN hub routing), iBGP (peers in the same AS — internal route reflection). BGP route filtering: prefix-list and route-map for granular attribute manipulation and advertisement control. Troubleshooting methodology: diagnose sniffer packet any 'host 10.0.0.1' 4 (capture on any interface, matching the host, at verbosity 4 so interface names are shown — analyse with Wireshark), diagnose debug flow filter addr 10.0.0.1 (trace a packet through FortiGate policy and routing — see why a packet is allowed or blocked), diagnose sys session list (view active sessions — verify NAT, policy, and routing for established connections).
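The debug flow output referred to above is verbose, one line per decision point, so here is an added Python parser (not Fortinet code) that summarises each trace_id's ingress interface, route lookup, policy verdict and SNAT, and lists the dropped traces; the sample lines are constructed in the style of real diagnose debug flow output and are not from a device.

```python
"""Summarise FortiGate `diagnose debug flow` traces per trace_id."""
import re

# Constructed sample in the style of `diagnose debug flow` output (not real device output).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.0.1:51234->203.0.113.5:443) from port1. flag [S], seq 1001, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=757 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3282 msg="SNAT 10.0.0.1->198.51.100.2:51234"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.0.1:51300->203.0.113.9:23) from port1. flag [S], seq 2001, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=776 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'gw-([\d.]+) via (\S+)')
VERDICT_RE = re.compile(r'^(Allowed|Denied) by (.+)$')


def parse_debug_flow(text):
    """Return {trace_id: summary dict} built from debug flow lines (dict keeps insertion order)."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug flow line (e.g. an echoed CLI prompt)
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        t = traces.setdefault(tid, {"verdict": None, "policy": None, "snat": None})
        if func == "print_pkt_detail":          # first packet of the trace: 5-tuple and ingress
            p = PKT_RE.search(msg)
            if p:
                t.update(proto=int(p.group(1)), src=f"{p.group(2)}:{p.group(3)}",
                         dst=f"{p.group(4)}:{p.group(5)}", in_intf=p.group(6))
        elif func == "vf_ip_route_input_common":  # route lookup: gateway and egress interface
            r = ROUTE_RE.search(msg)
            if r:
                t.update(gateway=r.group(1), out_intf=r.group(2))
        elif func == "fw_forward_handler":      # policy decision and which policy matched
            v = VERDICT_RE.match(msg)
            if v:
                t["verdict"], t["policy"] = v.group(1), v.group(2)
        elif msg.startswith("SNAT "):           # source NAT applied to the session
            t["snat"] = msg[len("SNAT "):]
    return traces


def denied_traces(traces):
    """Trace ids whose packet was dropped: the ones to chase in a policy review."""
    return [tid for tid, t in traces.items() if t["verdict"] == "Denied"]
```

The verdict line is the one to read first: "Denied by forward policy check (policy 0)" means no policy matched at all, whereas a deny by a numbered policy points at an explicit rule.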