Fortinet NSE4 FortiGate Security

🛡 Scenario — initial FortiGate setup from factory default

Task: A new FG-100F arrives factory-fresh. You need to set the management IP, change the admin password, set hostname, configure NTP, and verify connectivity before deploying in production.

Walk: 1) Connect a laptop to port1 (default management: 192.168.1.99). Access https://192.168.1.99. Login: admin / (no password). 2) System → Settings → change hostname to FW-HQ-01, set timezone, enable NTP (time.google.com). 3) System → Administrators → change admin password to a strong passphrase. 4) Network → Interfaces → set port1 IP to 10.0.0.1/24 (management VLAN). 5) execute ping 8.8.8.8 from CLI to verify WAN. 6) Backup config: System → Configuration → Backup.

NSE4 exam point: The default management IP is 192.168.1.99/24 on port1. Always change the admin password on first login. Factory reset via CLI: execute factoryreset.

🛡 Scenario — creating an outbound internet access policy

Task: LAN users (192.168.10.0/24 on port2) need internet access through WAN (port1). Create the permitting policy with NAT, enable logging, and verify.

Walk: 1) Policy & Objects → Firewall Policy → Create New. 2) Incoming Interface: port2 (LAN); Outgoing Interface: port1 (WAN). Source: LAN_SUBNET. Destination: all. Service: ALL. Action: ACCEPT. 3) Enable NAT (Use Outgoing Interface Address). 4) Enable Log Allowed Traffic → All Sessions (for troubleshooting) or Security Events. 5) Enable an Application Control or Web Filter profile if needed. Click OK. 6) Verify: diag debug flow filter addr 192.168.10.10 then diag debug flow show function-name enable while pinging from a client — confirm the policy matches.

NSE4 exam point: Policies are matched top-down; first match wins. Always order specific rules before broad ones. The implicit deny at the bottom blocks everything not explicitly permitted.

🛡 Scenario — DNAT to publish an internal web server

Task: An internal web server at 192.168.10.50:80 must be reachable from the internet on the FortiGate's WAN IP port 80.

Walk: 1) Policy & Objects → Virtual IPs → Create New. Name: VIP-WebServer. External Interface: port1 (WAN). External IP: WAN_IP. Mapped IP: 192.168.10.50. Enable Port Forwarding: External Port 80 → Map to Port 80. 2) Firewall Policy → Create New. Incoming: port1; Outgoing: port2; Source: all; Destination: VIP-WebServer; Service: HTTP; Action: ACCEPT. Enable logging. 3) Test: curl http://<WAN_IP> from an external host — should reach the internal server.

NSE4 exam point: VIPs are used for DNAT (inbound). For outbound NAT, use the NAT checkbox in the policy (SNAT). VIPs must be referenced in a policy destination to take effect — creating a VIP alone doesn't open traffic.

🛡 Scenario — captive portal for guest Wi-Fi authentication

Task: Guest users on VLAN 100 must authenticate through a captive portal before getting internet access. Use local users for simplicity.

Walk: 1) User & Authentication → User Definition → Create New → create a local user guest01 with a password. 2) User & Authentication → User Groups → Create New → group GuestUsers, add guest01. 3) Policy & Objects → Firewall Policy → on the guest outbound policy, set Security Mode = Captive Portal, Portal type = Authentication, User Groups = GuestUsers. 4) Guest opens browser → redirected to FortiGate captive portal → enters credentials → internet access granted for the session timeout period.

NSE4 exam point: Active authentication (captive portal, dialog) requires the user to explicitly provide credentials. Passive authentication (FSSO, RSSO) uses existing domain login events — no second prompt.

🛡 Scenario — configuring SSL-VPN web mode for remote access

Task: Remote employees need to access an internal RDP server at 192.168.10.100 via a browser-based SSL VPN portal — no client software required.

Walk: 1) VPN → SSL-VPN Portals → Edit "full-access" (or create a new portal). Enable Web Mode. Add a bookmark: Type = RDP, Name = "Internal RDP", Remote Host = 192.168.10.100. 2) VPN → SSL-VPN Settings: Enable SSL-VPN on WAN interface, set Listen Port (default 443 or 10443), Authentication/Portal Mapping: map SSLVPNUsers group to full-access portal. 3) Create a firewall policy: ssl.root → LAN; Source = SSLVPNUsers group + SSL-VPN tunnel range; Destination = 192.168.10.100; Service = RDP; Action = ACCEPT. 4) Test: browse to https://<WAN_IP>:10443, log in, click the RDP bookmark.

NSE4 exam point: Web mode = browser only (portal). Tunnel mode = FortiClient installs a virtual adapter — gives full network access to the internal subnet, not just published bookmarks.

🛡 Scenario — site-to-site IPsec VPN between two FortiGates

Task: Connect HQ (192.168.1.0/24) to Branch (10.10.10.0/24) via IPsec VPN. Both sites have FortiGate firewalls with static public IPs.

Walk (HQ side): 1) VPN → IPsec Wizard → Site to Site. Remote gateway: Branch WAN IP. Authentication: Pre-Shared Key S3cur3Phr4se!. Local subnet: 192.168.1.0/24. Remote subnet: 10.10.10.0/24. 2) Wizard creates the Phase 1, Phase 2, and route automatically. 3) Add a firewall policy: LAN → Branch-IPsec interface; Source = HQ LAN; Destination = Branch LAN; Action = ACCEPT (and reverse). Repeat mirror config on Branch FortiGate. 4) Verify: get vpn ipsec tunnel summary → tunnel should show "up". Ping 10.10.10.1 from HQ LAN client.

NSE4 exam point: Phase 1 = IKE negotiation (authentication + encryption parameters). Phase 2 = defines the traffic selectors (which subnets). If the tunnel stays down, check that Phase 1 and Phase 2 parameters match on both ends.

🛡 Scenario — blocking malware downloads with an AV + Web Filter profile

Task: Users are downloading executable files from file-sharing sites. Configure a security profile combination to block these and log the events.

Walk: 1) Security Profiles → AntiVirus → Create New. Enable scanning for HTTP, HTTPS (requires SSL inspection). Set action on virus = Block. 2) Security Profiles → Web Filter → Create New. Enable FortiGuard category blocking. Block categories: Malicious Websites, Hacking, Peer-to-Peer. Block URLs matching *.torrent. 3) Apply both profiles to the LAN → WAN firewall policy (edit the policy, attach AV profile and Web Filter profile). 4) Verify: attempt to browse to a blocked category → FortiGate returns a block page. Attempt to download an EICAR test file → blocked by AV.

NSE4 exam point: Security profiles (AV, Web Filter, IPS, App Control, DNS Filter) are only active when attached to a firewall policy. Creating a profile without attaching it does nothing.

🛡 Scenario — enabling certificate inspection for HTTPS traffic

Task: The Web Filter is not blocking HTTPS sites because traffic is encrypted. Enable SSL inspection so the FortiGate can apply security profiles to HTTPS.

Walk: 1) Security Profiles → SSL/SSH Inspection → Create New. Choose Certificate Inspection (reads the SNI and certificate CN without decrypting the payload). This lets Web Filter apply category-based blocking to HTTPS without a MitM certificate. 2) Alternatively, choose Full Inspection (deep inspection / MitM): FortiGate re-signs the certificate using its own CA. Push the FortiGate CA certificate to all client browsers via GPO so they trust it. 3) Attach the SSL inspection profile to the LAN → WAN policy alongside the Web Filter and AV profiles.

NSE4 exam point: Certificate inspection = read metadata only, no decryption (limited visibility). Full inspection = decrypt, inspect, re-encrypt (full visibility but requires CA trust distribution). Financial and banking sites should be exempt from full inspection to avoid breaking TLS pinning.

🛡 Scenario — diagnosing a blocked connection with traffic logs

Task: A user reports they cannot reach an internal server at 10.0.0.50:443. You need to determine whether the FortiGate is blocking the traffic and which policy is responsible.

Walk: 1) Log & Report → Forward Traffic. Filter by Source IP = user's IP, Destination IP = 10.0.0.50. Find entries with Action = Deny. Note the Policy ID in the log entry. 2) Policy & Objects → Firewall Policy → find the policy with that ID → check source/destination/service. 3) If no log entry exists, traffic may not be reaching the FortiGate. Run a sniffer: diag sniffer packet port1 "host 10.0.0.50" 4 10 l. 4) If traffic reaches but is being denied by an implicit deny, create the correct permitting policy above the implicit deny.

NSE4 exam point: The implicit deny does NOT log by default. Enable "Log Violation Traffic" in System → Settings to see denied traffic in the logs. Without this, denied traffic is invisible to Log & Report.

🛡 Scenario — configuring Active-Passive HA between two FG-100F units

Task: Deploy two FG-100F units in Active-Passive HA. The primary handles all traffic; the secondary takes over within seconds if the primary fails.

Walk: 1) On Primary: System → HA → Mode = Active-Passive. Group Name: HQ-HA. Password: ha-secret-pw. Priority: 200 (higher = preferred primary). Enable session sync. Connect HA heartbeat cables to dedicated heartbeat interfaces (HA1/HA2). 2) On Secondary: identical config but Priority = 100. 3) After a few seconds, get system ha status shows one Master and one Slave. 4) Failover test: unplug a WAN cable on the primary. Secondary promotes to Master within 1–3 seconds. Reconnect primary → it rejoins as Slave and syncs config automatically.

NSE4 exam point: In A-P mode, both units share the same virtual MAC addresses — switches don't need to update their ARP tables on failover. In A-A mode, load is shared across both units; both are actively forwarding. A-P is simpler and covers most enterprise HA requirements.