Top 100 Most Asked Questions on Fortinet Firewalls & SD-WAN
Fortinet questions fall into two categories: the ones you search on day one of your FortiGate deployment, and the ones you search at 2am when something stopped working. This guide covers both. One hundred questions, organized by topic, with direct answers that don’t make you read three paragraphs before getting to the command you need.
April 2026 | ⏱ 28 min read | FortiOS 7.x • FortiGate • FortiManager • SD-WAN | ⚙ All levels
10 Categories — 10 Questions Each
① FortiGate Basics & Initial Setup (Q1–Q10)
② Firewall Policies & Security Profiles (Q11–Q20)
③ FortiOS & System Administration (Q21–Q30)
④ VPN — IPsec & SSL-VPN (Q31–Q40)
⑤ SD-WAN Configuration & Policy (Q41–Q50)
⑥ Routing, WAN & HA (Q51–Q60)
⑦ Wireless & FortiAP (Q61–Q70)
⑧ FortiAnalyzer, FortiManager & Logging (Q71–Q80)
⑨ Troubleshooting (Q81–Q90)
⑩ Security Fabric & Advanced Features (Q91–Q100)

Category 1 — Q1 to Q10: FortiGate Basics & Initial Setup
Q1. What is FortiOS and which version should I run?
FortiOS is the operating system that runs on FortiGate firewalls. As of 2026 the common production branches are 7.4.x (widely deployed) and 7.6.x (required for the newest hardware). Within each branch, Fortinet designates the early patch releases as Feature releases and the later, stabilized patches as Mature releases; the designation applies to patch levels within a branch, not to odd or even version numbers. For production, run a Mature patch of a supported branch unless you need a feature that only exists in the newer one, and check the FortiOS Feature/Mature Release Calendar on docs.fortinet.com before deciding. Whatever branch you pick, follow the Fortinet PSIRT advisories for it: the patch level, not the branch, determines your exposure to published vulnerabilities.
Q2. What is the default IP address and login for a FortiGate?
The factory default management IP on port1 (the internal or lan interface on desktop models, or the dedicated mgmt port on larger models) is 192.168.1.99; browse to https://192.168.1.99. Default credentials are username admin with an empty password, and FortiOS forces you to set a password at first login. Some models ship with a different default address, so check the Quick Start guide for your model. Do the initial setup on an isolated segment and set a strong password and trusted hosts before the device touches any untrusted network.
Q3. What FortiGate models are commonly used for branch and small office deployments?
The FortiGate 40F / 60F series covers very small branches and home offices. The FortiGate 80F / 90G targets small offices with Wi-Fi needs. The FortiGate 100F / 120G handles mid-size branches with higher throughput. The FortiGate 200F / 200G series fits larger branches. The FortiGate 600F / 800F / 1000F targets campus edge and data center perimeter. The newer G-series desktop and branch models (60G, 90G, 120G) are built on Fortinet's SP5 security processor, which gives them better throughput and SSL inspection performance than the F-series models they succeed.
Q4. How do I configure a FortiGate interface via CLI?
Enter config system interface, edit the port, and set the addressing mode, IP, role, and allowed management protocols. Treat allowaccess as attack surface: every protocol listed is a listening service on that interface. On a WAN-facing interface keep it to ping at most and manage the device from an inside or dedicated management interface; if management on the WAN is unavoidable, restrict it with trusted hosts on every admin account and require two-factor authentication. Never enable http or telnet anywhere.

```
config system interface
    edit "port1"
        set mode static
        set ip 203.0.113.1 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
end
```
Q5. What is the difference between NAT mode and Transparent mode on a FortiGate?
NAT mode is the standard deployment — the FortiGate acts as a router/firewall with IP addresses on each interface. Traffic is routed (and optionally NAT’d) between interfaces. Transparent mode inserts the FortiGate invisibly into an existing network segment without IP addresses on the data interfaces — like a switch with security inspection. Transparent mode is used when you can’t change IP addressing or routing but still need deep inspection. Most deployments use NAT mode.
Q6. How do I configure VLANs on a FortiGate interface?
Create a VLAN sub-interface under the physical port with an 802.1Q tag. The physical port connected to a switch trunk carries untagged and tagged frames; the VLAN sub-interface strips the tag and treats the traffic as a separate interface with its own IP, security policy, and routing.
```
config system interface
    edit "port3.10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set type vlan
        set vlanid 10
        set interface "port3"
    next
end
```
Q7. What is a VDOM on a FortiGate and when is it useful?
Virtual Domains partition a single FortiGate into multiple independent virtual firewalls, each with its own interfaces, routing table, policies, and administrator accounts. VDOMs are used in multi-tenant environments (MSSPs, universities with separate departments) or when you need complete traffic separation on one physical device. The root VDOM is the default. Most models include a default VDOM quota (commonly 10); going beyond it requires a VDOM license, and entry-level models cannot be expanded at all.
Q8. How does FortiGate licensing work?
Fortinet sells the hardware appliance separately from annual security-service bundles. The UTP (Unified Threat Protection) bundle includes IPS, AV, web filtering, antispam, application control, and FortiCare support. The ENT (Enterprise) bundle adds FortiSandbox cloud, IOC, and FortiConverter; exact bundle contents change between ordering guides, so check the current one. Licenses are per device and renewed annually. When they lapse, the base firewall, VPN and routing keep working, but IPS signatures, AV databases, URL categories and application signatures stop updating, so the device keeps enforcing a steadily ageing ruleset while looking healthy.
Q9. What is the FortiGate Security Fabric?
The Security Fabric is Fortinet’s integrated platform that connects FortiGate, FortiAP, FortiSwitch, FortiAnalyzer, FortiManager, FortiClient, FortiSandbox, and other Fortinet products into a shared security ecosystem. Devices share threat intelligence, topology data, and policy coordination through the root FortiGate. The Fabric gives you a single-pane view of the entire security posture, automatic quarantine of compromised devices, and coordinated response across products. It works best when the majority of your infrastructure is Fortinet-branded.
Q10. How do I reset a FortiGate to factory defaults?
From the CLI: execute factoryreset. Confirm when prompted; the device reboots with default settings. If you have console access but have lost the admin password, FortiOS provides a built-in maintainer account that can log in on the console for a short window after a reboot, using a password derived from the unit's serial number (the exact steps are in the Fortinet KB article for your model). This is the supported recovery path, but it also means anyone with physical console access can take over the device, so disable it (config system global, set admin-maintainer disable) wherever the console is not physically protected.
Category 2 — Q11 to Q20: Firewall Policies & Security Profiles
Q11. How does FortiGate firewall policy processing order work?
FortiGate processes firewall policies top to bottom in the order they appear in the list (policy IDs do not determine order). The first policy whose incoming interface, outgoing interface, source address, destination address, service, and schedule (plus user, group or device, if set) match the packet is applied; subsequent policies are not evaluated. Place more specific policies above more general ones. The Implicit Deny policy at the bottom drops everything that doesn't match an explicit permit; enable logging on it (Log Violation Traffic in the GUI, or set fwpolicy-implicit-log enable under config log setting) so dropped traffic is visible. Use diagnose firewall iprope lookup to check which policy would match a specific flow.
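The ordering rule in practice, as an added example that is not from the original page: a narrow deny placed above a broad allow, logging on both and on the implicit deny, and the lookup command to confirm which policy a flow hits. Interface names, address objects and the addresses themselves are assumptions.

```fortios
# Added example, not from the original page. Interface and address names, and
# the addresses themselves, are assumptions for illustration.
config firewall address
    edit "Guest-LAN"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "Finance-Servers"
        set subnet 10.10.20.0 255.255.255.0
    next
end
config firewall policy
    # Narrow deny: guests may never reach the finance servers.
    edit 10
        set name "Guest-deny-Finance"
        set srcintf "port3.50"
        set dstintf "port2"
        set srcaddr "Guest-LAN"
        set dstaddr "Finance-Servers"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Broad allow: everything else from guests to the inside, limited to a few services.
    edit 11
        set name "Guest-to-internal"
        set srcintf "port3.50"
        set dstintf "port2"
        set srcaddr "Guest-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
    next
end
# Policy IDs do not determine evaluation order; sequence does. If 11 existed first,
# 10 was appended below it and would never match. Move it up explicitly:
config firewall policy
    move 10 before 11
end
# Log what falls through to the implicit deny, so silently dropped traffic shows up.
config log setting
    set fwpolicy-implicit-log enable
end
# Verify which policy a flow would hit (src ip, src port, dst ip, dst port, protocol, src intf).
# SMB from a guest host to a finance server should report policy 10 (deny):
diagnose firewall iprope lookup 192.168.50.25 40000 10.10.20.5 445 6 port3.50
```

Run the lookup both for a flow you expect to be denied and one you expect to be allowed; if the allowed one reports the deny policy, the ordering is wrong, not the addresses.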
Q12. What is the difference between flow-based and proxy-based inspection on FortiGate?
Flow-based inspection inspects packets as they flow through the firewall using the NP (network processor) for hardware acceleration where possible. It’s faster and has lower latency. Proxy-based inspection terminates the connection, buffers and inspects the full content (file, email, web page), then forwards it. Proxy mode provides more thorough inspection — better antivirus, full content analysis — but adds latency and consumes more CPU and memory. For most deployments, flow-based is the right default. Use proxy-based only where the deeper inspection justifies the overhead.
Q13. How do I configure SSL deep inspection on a FortiGate?
SSL inspection (the SSL/SSH Inspection profile) intercepts HTTPS connections, decrypts them, inspects the content, and re-encrypts before forwarding. The FortiGate acts as a man-in-the-middle using its own CA certificate, so clients must trust that CA to avoid warnings; distribute it via Group Policy to Windows clients and through your MDM elsewhere. Configure profiles under Security Profiles > SSL/SSH Inspection, then attach the profile to firewall policies. Exempt financial, healthcare and other privacy-sensitive categories, and expect applications that pin their certificates (many mobile apps, some update agents) to fail until they are exempted. The CA private key on the FortiGate can mint a trusted certificate for any name, so protect it like any other signing key.
Q14. What is application control on FortiGate and how granular is it?
FortiGate’s application control uses deep packet inspection to identify applications by their traffic signatures — not just ports. It recognizes thousands of applications including specific features within apps (YouTube watch vs. YouTube upload, Facebook post vs. Facebook chat). You can block, allow, monitor, or rate-limit by application, category (social media, P2P, gaming), or risk level. Application control works best with SSL deep inspection enabled, since many apps now use HTTPS and can’t be identified without decryption.
Q15. How does web filtering work on FortiGate?
Web filtering checks URLs and domains against Fortinet’s FortiGuard cloud database of categorized sites. Categories include gambling, adult content, social media, shopping, malware, phishing, and 80+ others. You can allow, block, monitor, or warn users per category. For HTTPS sites without SSL inspection, FortiGate uses SNI (Server Name Indication) from the TLS handshake to identify the domain and apply category-based filtering even without decrypting the content. Enable HTTPS filtering in the web filter profile to cover encrypted traffic.
Q16. What is IPS on FortiGate and how do I tune it to reduce false positives?
The Intrusion Prevention System uses FortiGuard signatures to detect and block known attack patterns. IPS processes traffic inline and can drop, reset, or pass packets matching attack signatures. To reduce false positives: start with the default IPS profile in monitor mode, review logs for signatures triggering on legitimate traffic, then change those specific signatures from block to monitor or create exemptions. Alternatively, create application-specific IPS profiles that only include signatures relevant to the servers being protected (e.g., only Apache/Nginx signatures for a web server policy).
Q17. How do I create an address object and use it in a firewall policy?
Address objects define IP addresses, ranges, subnets, FQDNs, or geographic regions that can be referenced in policies. Create them under Policy & Objects > Addresses in the GUI, or via CLI:
```
config firewall address
    edit "Server-DMZ"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
end
```
Q18. What is a Virtual IP (VIP) on FortiGate and how does it enable port forwarding?
A VIP maps an external IP (and optionally a port) to an internal server IP (and port). It's FortiGate's mechanism for static NAT and destination NAT (DNAT). When traffic arrives on the WAN interface for the external IP, the FortiGate translates it to the internal server address. You must then create a firewall policy that uses the VIP as the destination; without the policy, the VIP has no effect. Keep that policy's service as narrow as the VIP's forwarded port, leave source NAT off unless the server must see the FortiGate's address, and attach IPS to it: a VIP is an internet-exposed service.
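A port-forwarding VIP and the policy that activates it, as an added example that is not from the original page. The public address, the DMZ server, the internal port and the interface names are assumptions.

```fortios
# Added example, not from the original page. Addresses, interface names and the
# internal port are assumptions.
config firewall vip
    edit "vip-web-443"
        set extintf "port1"
        set extip 203.0.113.10
        set mappedip "10.10.10.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 8443
    next
end
config firewall policy
    edit 20
        set name "Inbound-web-DMZ"
        set srcintf "port1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        # Keep the service as narrow as the VIP: only the forwarded port is reachable.
        set service "HTTPS"
        # IPS tuned for servers. Without decryption it only sees the unencrypted layers;
        # to inspect inside TLS, use a "protecting SSL server" profile holding the server's certificate.
        set utm-status enable
        set ips-sensor "protect_http_server"
        set ssl-ssh-profile "no-inspection"
        set logtraffic all
        # Leave source NAT off so the server logs real client addresses.
        set nat disable
    next
end
```

Destination matching is on the VIP object itself, so a policy with dstaddr "all" will not match VIP traffic unless match-vip is enabled on it; reference the VIP explicitly.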
Q19. What is antivirus scanning on FortiGate and does it impact throughput?
FortiGate’s antivirus engine scans files in HTTP, HTTPS (with SSL inspection), FTP, SMTP, POP3, and other protocols against the FortiGuard AV signature database. It also includes heuristic detection and integration with FortiSandbox for unknown file analysis. AV scanning does impact throughput — more significantly in proxy-based mode because the full file must be buffered before delivery. In flow-based mode, the impact is lower but still measurable. For high-throughput deployments, size the FortiGate to its threat protection throughput spec (with AV + IPS), not the raw firewall throughput.
Q20. How does FortiGate handle DNS filtering?
DNS filter intercepts DNS queries (UDP/TCP 53) and checks the queried domain against FortiGuard categories. If the domain falls in a blocked category (malware, phishing, botnet C2), the FortiGate returns a sinkhole response (an IP pointing to a block page) instead of the real DNS answer. DNS filtering is lightweight: it doesn't need SSL inspection, works for all DNS-based traffic on the network, and is particularly effective at blocking malware C2 communications before any connection is established. It only sees cleartext DNS, however; clients or malware using DNS over HTTPS or DNS over TLS bypass it unless you also block those protocols (application control has signatures for DoH) and force clients to the internal resolvers.
Category 3 — Q21 to Q30: FortiOS & System Administration
Q21. How do I upgrade FortiOS firmware safely?
Before upgrading: read the release notes for the target version (especially the upgrade path section), back up the configuration (execute backup config flash or download from GUI), and check the Fortinet upgrade path tool at support.fortinet.com to confirm whether intermediate versions are required. Never skip major versions — some paths require stopping at an intermediate release. Upload the firmware via GUI (System > Firmware) or CLI (execute restore image tftp). Schedule during a maintenance window; the device reboots.
Q22. How do I back up and restore a FortiGate configuration?
GUI: Dashboard > Status > System Information > Backup. CLI: execute backup config tftp <filename> <TFTP-IP>. The backup file is a plain-text configuration script in which secrets (admin passwords, IPsec pre-shared keys, RADIUS and LDAP bind secrets) are stored encrypted, not hashed, and are recoverable on another FortiGate. Supply a password when backing up (execute backup config tftp <filename> <TFTP-IP> <password>) so the file itself is encrypted, and treat backups as sensitive as the device. Restore via GUI or execute restore config tftp <filename> <TFTP-IP>. For VDOMs, you can back up the global config and individual VDOM configs separately. Automate backups by scripting the CLI over SSH or the REST API from a management server or Ansible.
Q23. How do I configure LDAP/Active Directory authentication on FortiGate?
Create an LDAP server object pointing to the AD domain controllers, then test the bind credentials. Use a dedicated, read-only service account for the bind, never a privileged one: its password sits in the FortiGate config. Create a user group that references the LDAP server and matches on the AD security group's distinguished name (the group-name under config match). Reference that group in firewall policies, VPN authentication, or admin profiles. Use LDAPS (port 636) with the issuing CA configured and server identity checking enabled rather than plain LDAP (389), which sends the bind credentials and user passwords in the clear.
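The LDAPS server object and group mapping described above, as an added example that is not from the original page. Server names, DNs, the CA certificate name and the bind password placeholder are assumptions.

```fortios
# Added example, not from the original page. Server names, DNs, the CA
# certificate name and the bind password placeholder are assumptions.
config user ldap
    edit "corp-ad"
        set server "dc1.corp.example.com"
        set secondary-server "dc2.corp.example.com"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        # Regular bind with a dedicated read-only service account, never a Domain Admin.
        set type regular
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password "ReplaceWithBindAccountSecret"
        # LDAPS with the issuing CA pinned and the server name verified against the certificate.
        set secure ldaps
        set port 636
        set ca-cert "corp-root-ca"
        set server-identity-check enable
        set group-member-check user-attr
    next
end
# Group membership is matched on the AD group's distinguished name.
config user group
    edit "vpn-users"
        set member "corp-ad"
        config match
            edit 1
                set server-name "corp-ad"
                set group-name "CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
end
# Test the bind and a user lookup before referencing the group anywhere:
diagnose test authserver ldap corp-ad jdoe UserPasswordHere
```

server-identity-check requires the server to be configured by the name that appears in its certificate, which is why hostnames rather than IPs are used above; the FortiGate must be able to resolve them.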
Q24. How does FortiGate integrate with RADIUS for 802.1X or VPN authentication?
Create a RADIUS server object with the server IP and shared secret. Test it with diagnose test authserver radius <server-name> <pap|chap|mschap|mschap2> <user> <password>. Reference the RADIUS server in a user group, and use that group for VPN or policy authentication. The FortiGate itself is the RADIUS client: it can authenticate against Cisco ISE, FreeRADIUS, or Microsoft NPS, and when combined with FortiSwitch and FortiAP it forwards wired and wireless 802.1X requests to those servers. Shared secrets should be long and unique per client; RADIUS over plain UDP protects only the password attribute.
Q25. What is FortiGuard and how often are its databases updated?
FortiGuard is Fortinet's threat intelligence and security subscription service. It provides updates for IPS signatures, antivirus definitions, web filter URL categories, application signatures, DNS filter databases, and botnet IP lists. Update frequencies vary by feed: AV signatures can update hourly; URL categories are rated live and cached. Rating queries (web filter, DNS filter, antispam) go to FortiGuard over UDP 53 or 8888 by default, or over HTTPS on 443 when configured, while signature and engine updates download over TCP 443. Verify update status with diagnose autoupdate versions and rating connectivity with diagnose debug rating.
Q26. How do I configure SNMP monitoring on a FortiGate?
Enable SNMP under System > SNMP. Configure SNMPv3 (preferred) with authentication (SHA) and encryption (AES). Define the SNMP community or v3 user, then add which interfaces allow SNMP access. Configure traps to send to your NMS. For SNMPv3, FortiGate supports all standard MIBs plus Fortinet private MIBs (available from support.fortinet.com) for FortiGate-specific metrics like VPN tunnel status, hardware sensors, and security event counters.
Q27. What is the FortiGate REST API and how do I use it for automation?
FortiGate exposes a full REST API at https://<fortigate-ip>/api/v2/ (cmdb for configuration, monitor for operational state). Authentication uses an API token generated for an administrator of type REST API Admin (System > Administrators > Create New > REST API Admin), passed as an Authorization: Bearer header. All configuration objects can be read, created, modified, and deleted via the API. Fortinet publishes OpenAPI/Swagger documentation for each FortiOS version at fndn.fortinet.net, and the Terraform Fortinet provider uses this API. The token is a bearer credential carrying the full rights of its admin profile, so give the API admin a dedicated least-privilege profile, set trusted hosts on it so the token only works from the automation host, and rotate it when that host changes.
Q28. How do I configure NTP on a FortiGate?
Set the NTP server under System > Settings or via CLI. Accurate time matters for certificate validation, log correlation and TOTP two-factor codes, so point the FortiGate at your internal stratum servers where you have them (the default type fortiguard uses ntp.fortiguard.com). If the FortiGate should serve time to the LAN, enable server-mode and list only internal interfaces.

```
config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "pool.ntp.org"
        next
    end
end
```
Q29. What is the FortiGate session table and how do I check it?
The session table tracks all active connections through the firewall — source IP, destination IP, port, protocol, timeout, and which policy matched. Use diagnose sys session list to see all sessions or filter with diagnose sys session filter. Session table exhaustion (hitting the maximum) causes new connections to be dropped. Check the current count with diagnose sys session stat. Each FortiGate model has a maximum session capacity spec — plan capacity accordingly for high-traffic deployments.
Q30. How do I configure administrator profiles and limit what sub-admins can access?
Create Admin Profiles under System > Admin Profiles with read, read-write, or no access permissions per feature area (firewall, routing, VPN, logging, system). Assign each admin account an Admin Profile. For VDOM environments, assign admins to specific VDOMs to limit their scope. FortiManager can centralize admin access across multiple FortiGate devices with a global role-based access control model. Two-factor authentication (FortiToken or TOTP) can be required for any administrator account.
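Administrator hardening as an added example that is not from the original page, tying together the points from Q4 (no management on the WAN), Q10 (the maintainer account) and this question: a read-only profile, trusted hosts on the account, lockout and session limits, a password policy, and removing management protocols from the WAN interface. Profile and account names, the management subnets and the password placeholder are assumptions.

```fortios
# Added example, not from the original page. Profile and account names, the
# management subnets and the password placeholder are assumptions.
# Least-privilege profile: read-only everywhere, enough to review logs and sessions.
config system accprofile
    edit "helpdesk-ro"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
    next
end
config system admin
    edit "helpdesk1"
        set accprofile "helpdesk-ro"
        # Trusted hosts: logins from anywhere else are refused before authentication.
        set trusthost1 10.10.99.0 255.255.255.0
        set trusthost2 10.10.98.5 255.255.255.255
        set password "ReplaceWithStrongPassword"
        # Add two-factor with: set two-factor fortitoken / set fortitoken <assigned serial>
    next
end
# Lock out brute-force attempts, shorten idle sessions, drop old TLS.
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 600
    set admintimeout 10
    set admin-https-ssl-versions tlsv1-2 tlsv1-3
    # Disable the console maintainer account where the console is not physically secured.
    set admin-maintainer disable
end
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end
# Remove management from the WAN interface entirely (see Q4): ping only.
config system interface
    edit "port1"
        set allowaccess ping
    next
end
```

Trusted hosts apply per account, so every admin (including the built-in admin) needs them; one account left at 0.0.0.0/0 is the one an attacker will use.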
Category 4 — Q31 to Q40: VPN — IPsec & SSL-VPN
Q31. How do I configure a site-to-site IPsec VPN on FortiGate?
Use the VPN wizard (VPN > IPsec Wizard > Site to Site) for guided setup, or configure manually. You need: Phase 1 (IKE settings — authentication, encryption, DH group), Phase 2 (traffic selectors and encryption), a static route pointing the remote subnet toward the VPN tunnel interface, and firewall policies permitting traffic between local and remote subnets through the tunnel. IKEv2 is recommended over IKEv1 for new tunnels. Pre-shared keys are simplest; certificates are more secure for large deployments.
Q32. What is route-based vs policy-based IPsec VPN on FortiGate?
Route-based VPN creates a virtual tunnel interface (e.g., VPN-to-HQ). Traffic is routed into the tunnel based on the routing table, and a firewall policy controls what’s permitted. This is the modern, flexible approach — supports dynamic routing (BGP/OSPF over VPN), ECMP, and multiple subnets without reconfiguring Phase 2. Policy-based VPN embeds the encryption into the firewall policy directly. It’s simpler for static configurations but doesn’t support dynamic routing. Fortinet strongly recommends route-based for all new deployments.
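The full route-based site-to-site build from Q31 and Q32 as one added example, not from the original page: IKEv2 phase 1, phase 2 selectors, a tunnel interface address, the static route plus a blackhole backup, and policies in both directions. Interface names, subnets, the peer address and the PSK placeholder are assumptions; the remote side mirrors the proposals and selectors.

```fortios
# Added example, not from the original page. Interface names, subnets, the peer address
# and the PSK placeholder are assumptions. Both sides must mirror proposals and selectors.
config vpn ipsec phase1-interface
    edit "to-branch1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256gcm-prfsha384
        set dhgrp 20
        set remote-gw 198.51.100.50
        set psksecret "ReplaceWithLongRandomPSK"
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "to-branch1-p2"
        set phase1name "to-branch1"
        set proposal aes256gcm
        set pfs enable
        set dhgrp 20
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end
# The phase 1 name is also the tunnel interface. Addresses are needed only for BGP/OSPF over the tunnel.
config system interface
    edit "to-branch1"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
end
config firewall address
    edit "HQ-LAN"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "Branch1-LAN"
        set subnet 10.20.0.0 255.255.0.0
    next
end
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch1"
    next
    # Blackhole at a worse distance: if the tunnel drops, traffic for the remote
    # subnet is discarded instead of following the default route out to the internet.
    edit 11
        set dst 10.20.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 30
        set name "HQ-to-Branch1"
        set srcintf "port2"
        set dstintf "to-branch1"
        set srcaddr "HQ-LAN"
        set dstaddr "Branch1-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 31
        set name "Branch1-to-HQ"
        set srcintf "to-branch1"
        set dstintf "port2"
        set srcaddr "Branch1-LAN"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

NAT stays disabled on both tunnel policies; a policy with NAT enabled toward the tunnel interface rewrites the source and no longer matches the phase 2 selector, which is one of the classic "phase 2 up, no traffic" causes in Q40.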
Q33. How do I verify an IPsec tunnel is up on FortiGate?
diagnose vpn ike gateway list shows Phase 1 status. diagnose vpn tunnel list shows Phase 2 (child SA) status with bytes in/out. In the GUI: VPN > IPsec Tunnels shows a green/red indicator per tunnel. If Phase 1 is up but Phase 2 isn’t, the issue is usually a traffic selector mismatch — verify the Phase 2 selectors match on both sides exactly. If Phase 1 won’t establish, check NAT-T settings if one side is behind NAT, firewall rules blocking UDP 500/4500, and IKE proposal mismatches.
Q34. What is SSL-VPN on FortiGate and how is it different from IPsec VPN?
SSL-VPN provides remote user access using TLS (port 443 or a custom port) through a web portal or the FortiClient application. It’s designed for remote users on laptops and mobile devices who need access to corporate resources without being on the corporate network. IPsec VPN (site-to-site) connects two networks persistently. SSL-VPN supports both tunnel mode (client gets a virtual IP and full network access, like a traditional VPN) and web mode (browser-based access to specific internal web applications without a full tunnel).
Q35. Is SSL-VPN being deprecated on FortiGate?
Fortinet has announced that SSL-VPN is being phased out of FortiOS, with IPsec VPN (IKEv2 with FortiClient) and ZTNA as the recommended replacements. Fortinet's reasoning: IPsec is more efficient, traverses NAT well, and doesn't require an exposed HTTPS service with the web-application attack surface that comes with it. Several critical vulnerabilities in the SSL-VPN component over the years accelerated the decision. For new remote access deployments in 2026, plan around IPsec with FortiClient or FortiClient ZTNA rather than SSL-VPN, and if you still run SSL-VPN, keep it patched, restrict it to named users with two-factor, and do not expose it on the default 443 without geo or source restrictions.
Q36. What is FortiClient and what does it do?
FortiClient is the endpoint agent for Fortinet’s Security Fabric. It provides IPsec and SSL-VPN connectivity, endpoint antivirus, web filtering, vulnerability scanning, and ZTNA (Zero Trust Network Access) enforcement. The free version handles VPN only. The licensed version (requires FortiClient EMS — Endpoint Management Server) adds full endpoint security, fabric integration, and centralized management. FortiClient EMS manages deployment, policy, and telemetry across thousands of endpoints.
Q37. How does ZTNA work on FortiGate with FortiClient?
Fortinet’s ZTNA uses FortiClient on the endpoint and a FortiGate as the ZTNA access proxy. The endpoint’s FortiClient reports its identity and posture (OS version, AV status, compliance) to FortiClient EMS. FortiGate evaluates this posture information in combination with user identity before granting access to specific applications — not the whole network. Traffic goes through an encrypted tunnel to the FortiGate’s ZTNA proxy, which applies application-level access control. This replaces SSL-VPN for application-specific remote access.
Q38. How do I configure split tunneling on FortiGate SSL-VPN?
In the SSL-VPN portal settings, enable split tunneling and define the routing addresses (specific subnets that should traverse the VPN). Traffic to those subnets goes through the tunnel; all other traffic (internet, SaaS) goes directly from the client’s local internet connection. This reduces load on the FortiGate and improves performance for SaaS applications. The trade-off: internet traffic from the client bypasses FortiGate inspection. Use DNS filter and FortiClient web filtering on the endpoint to maintain security for the direct internet path.
Q39. How do I configure ADVPN (Auto-Discovery VPN) on FortiGate for dynamic hub-and-spoke?
ADVPN allows FortiGate spokes to create direct IPsec tunnels to each other on demand, bypassing the hub for spoke-to-spoke traffic. Spokes build static tunnels to the hub; when spoke A sends traffic destined for spoke B through the hub, the hub sends a shortcut offer to both, and they negotiate a direct tunnel, so steady-state inter-site traffic no longer backhauls through the hub. Routing over the overlay is distributed with BGP (the hub acting as route reflector). Configure the hub's dial-up phase 1 with auto-discovery-sender and auto-discovery-forwarder enabled, each spoke's phase 1 with auto-discovery-receiver enabled, and run BGP over the tunnel interfaces so the shortcut tunnels pick up routes. ADVPN works with both IKEv1 and IKEv2; use IKEv2 for new designs.
Q40. How do I troubleshoot an IPsec VPN that shows Phase 1 up but no traffic flowing?
Check in order: Is Phase 2 established? (diagnose vpn tunnel list). Do the Phase 2 traffic selectors match both sides exactly? Is there a static route sending traffic toward the tunnel interface? Are there firewall policies in both directions permitting the traffic (from LAN to the tunnel interface and vice versa)? Is NAT enabled on the outbound tunnel policy, translating the source before it enters the tunnel so it no longer matches the selector? Finally, trace a real packet: diagnose debug flow filter addr <remote-host>, diagnose debug flow trace start 20, diagnose debug enable, generate the traffic, then diagnose debug disable. The trace shows the route lookup, the policy matched and the exact point where the packet is dropped or misrouted.
Category 5 — Q41 to Q50: SD-WAN Configuration & Policy
Q41. What is FortiGate SD-WAN and how is it different from Cisco Viptela SD-WAN?
FortiGate SD-WAN is built directly into FortiOS as a software feature — no separate controller, overlay, or orchestrator is required to get basic SD-WAN functionality. You add WAN interfaces to the SD-WAN zone, configure health checks, set rules, and traffic steering happens natively. Cisco SD-WAN (Viptela) requires dedicated vManage, vSmart, and vBond controllers with an OMP overlay. Fortinet’s approach is simpler to deploy at smaller scale; Cisco’s has richer centralized orchestration at enterprise scale. For organizations already running FortiGate, FortiGate SD-WAN is the natural path.
Q42. How do I set up SD-WAN on a FortiGate with two ISP links?
Enable SD-WAN under Network > SD-WAN. Add both WAN interfaces as SD-WAN members. Create health checks (performance SLAs) for each member — ping or HTTP probes to measure latency, jitter, and packet loss. Configure SD-WAN rules that match traffic by destination, application, or service, then define the preferred link and failover logic. Set a default route with SD-WAN as the next hop. Firewall policies use the SD-WAN zone as the outgoing interface rather than specific WAN ports.
Q43. What are SD-WAN Performance SLAs and how do they drive traffic steering?
Performance SLAs define the quality thresholds a WAN link must meet: maximum latency (ms), maximum jitter (ms), and maximum packet loss (%). The FortiGate continuously probes each SD-WAN member using the configured probe target (a server IP or domain). If a member fails the SLA thresholds, it’s marked as down for that SLA. SD-WAN rules referencing that SLA automatically steer traffic to another member that still passes. When the failed link recovers and passes the SLA for a configured number of consecutive probes, traffic shifts back.
Q44. What SD-WAN load-balancing algorithms does FortiGate support?
FortiGate SD-WAN has two layers of steering. The load-balance mode (set load-balance-mode) applies to traffic no rule matches: Source IP (sessions from one source stick to one member), Source-Destination IP (one member per source/destination pair), Sessions (weight-based distribution of new sessions), Spillover (fill one member to its bandwidth threshold, then overflow to the next), and Volume (distribute by measured traffic volume). SD-WAN rules then override this per traffic type with their own strategy: Manual (fixed member order), Best Quality (the member with the best measured metric), Lowest Cost (SLA) (the cheapest member that meets the SLA) or Maximize Bandwidth (SLA) (balance across all members meeting the SLA). For most deployments, a default of source-IP stickiness plus SLA-based rules for the applications that matter gives predictable behaviour with resilience.
Q45. How does FortiGate SD-WAN handle VoIP traffic quality?
Create a dedicated SD-WAN rule matching SIP or RTP traffic (or use application control to identify VoIP applications). Set the SLA for that rule to require low latency (<50ms) and low jitter (<30ms). The rule steers VoIP traffic to the link that currently meets those SLA thresholds, and automatically fails over if the primary link degrades. This prevents voice quality from suffering when one WAN link develops congestion or packet loss. VoIP-specific SLAs should use UDP-based probes where possible since TCP probes don’t accurately represent UDP path quality.
Q46. How do I verify SD-WAN is steering traffic as configured?
Use diagnose sys sdwan health-check status to see the live latency, jitter and loss per member and whether each SLA passes, and diagnose sys sdwan intf-sla-log <interface> for the measurement history. diagnose sys sdwan service lists each rule with its member order and which member is currently selected, which is the direct answer to "where is this rule sending traffic right now". get router info routing-table all shows which default route is active. In the GUI: Network > SD-WAN > SD-WAN Rules shows rule hit counts, and the SD-WAN monitor widgets show per-member utilization and SLA history.
Q47. What is FortiOS SD-WAN Overlay Controller VPN (OCVPN)?
OCVPN uses Fortinet's cloud as the controller for the IPsec overlay: each FortiGate registered to the same FortiCare account publishes its public address and the subnets it protects, and the cloud controller distributes that information to the other members so full-mesh or hub-and-spoke IPsec tunnels are configured automatically, with no per-peer phase 1/phase 2 work. It supports ADVPN shortcuts between spokes. OCVPN is convenient for smaller estates; larger deployments typically build the overlay with FortiManager SD-WAN templates or hand-built hub-and-spoke ADVPN instead, because those keep the control plane in your own hands.
Q48. How does FortiGate SD-WAN differ from FortiSASE?
FortiGate SD-WAN is an on-prem capability — the FortiGate at the branch does the path selection, security inspection, and traffic steering based on locally configured policies. FortiSASE is Fortinet’s cloud-delivered SASE platform that extends SD-WAN and security services (SWG, CASB, ZTNA, FWaaS) to a cloud PoP. With FortiSASE, remote users and small branches can have traffic inspected at the nearest cloud PoP without a full FortiGate appliance on-site. The two work together — branches with FortiGate use on-prem SD-WAN; thin sites and remote users use FortiSASE.
Q49. Can FortiGate SD-WAN work with MPLS and broadband simultaneously?
Yes. Add both the MPLS interface and the broadband interface as SD-WAN members. Create SLAs and rules that prefer MPLS for latency-sensitive applications (voice, real-time collaboration) and use broadband for bulk traffic and internet-bound traffic. If MPLS degrades or fails its SLA thresholds, traffic automatically moves to broadband. Over-the-top IPsec VPN on broadband provides encryption for traffic that was previously secured by MPLS’s private network nature.
Q50. What is the FortiGate SD-WAN Orchestrator and how does it scale?
FortiManager (Fortinet’s centralized management platform) includes SD-WAN Orchestrator for managing SD-WAN policy at scale across many FortiGate devices. You define SD-WAN rules, SLAs, and overlay VPN settings in FortiManager templates, then push them to hundreds of branch FortiGates simultaneously. This is the equivalent of Cisco vManage for Fortinet deployments. FortiManager also provides configuration compliance monitoring and automated remediation when a device’s config drifts from the template.
Category 6 — Q51 to Q60: Routing, WAN & High Availability
Q51. How do I configure OSPF on a FortiGate?
Configure OSPF under Network > OSPF (GUI) or via CLI in config router ospf. Set the router-id, define areas, and add networks. On interfaces participating in OSPF, set the network type (broadcast, point-to-point) and authentication if required. Verify with get router info ospf neighbor and get router info routing-table ospf. FortiGate supports OSPF v2 and v3 (OSPFv3 for IPv6).
Q52. How does BGP work on FortiGate for internet edge deployments?
FortiGate supports full BGP including iBGP and eBGP peering. For internet edge, configure eBGP with your ISP’s ASN and peer IP. Apply route maps and prefix lists to control which routes are accepted from the ISP and which you advertise. For dual-ISP deployments, use BGP communities and local preference to prefer one path over another, or AS path prepending to influence inbound routing. FortiGate can also run BGP over VPN tunnels for SD-WAN overlay routing (hub-and-spoke BGP is common in ADVPN deployments).
Q53. How do I configure policy-based routing on FortiGate?
Policy routes (also called PBR or static route with conditions) override the normal routing table based on source address, destination address, incoming interface, or protocol. Configure under Network > Policy Routes. A common use case: traffic from a specific server subnet must always exit through WAN2 instead of the default WAN1. Policy routes are evaluated before the routing table, so a matching policy route takes precedence. Note: SD-WAN rules effectively replace most policy-routing use cases in modern FortiOS deployments.
Q54. What is FortiGate HA (High Availability) and what modes are available?
FortiGate HA uses FGCP (FortiGate Clustering Protocol) to cluster two or more identical FortiGate units. Active-Passive (A-P): one FortiGate handles all traffic; the other is in standby, ready to take over within seconds if the primary fails. Sessions sync between units so failover is stateful for TCP connections. Active-Active (A-A): the primary distributes sessions to secondary units for processing, improving throughput. FGSP (FortiGate Session Life Support Protocol) is an alternative for clustering FortiGates that don’t share interfaces — used for asymmetric routing scenarios.
Q55. How do I check the HA status on a FortiGate cluster?
get system ha status shows cluster state, which unit is primary and which secondary, uptime, and the monitored interfaces. diagnose sys ha dump-by vcluster shows detailed per-virtual-cluster state, and diagnose sys ha checksum cluster confirms both units hold the same configuration (mismatched checksums mean the cluster is not in sync). In the GUI: System > HA shows the member status visually. Monitor the system log for unexpected failover events; interface flaps, link monitoring failures, and firmware mismatches are common causes of unintended failover.
Q56. How does FortiGate handle NAT for outbound internet traffic?
In firewall policies, enable NAT (the “NAT” checkbox in the policy). The default is to NAT using the outgoing interface’s IP address — which is PAT (Port Address Translation). For multiple WAN IPs, create an IP Pool object with the public IPs and reference it in the policy instead of the interface IP. Fixed port allocation in NAT is available for applications that don’t work with port translation. Central SNAT (under Policy & Objects > Central SNAT) provides more granular control over source NAT rules independently of firewall policies.
Q57. What is the FortiGate routing table priority and how does route distance work?
Like Cisco, FortiGate uses administrative distance to prefer routes from different sources. The defaults: Connected (0), Static (10), OSPF intra-area (110), OSPF inter-area (110), iBGP (200), eBGP (20). Within the same protocol, metric determines the best path. You can manually set the distance on static routes to create floating (backup) static routes that only activate when a primary route is removed. get router info routing-table all shows the full routing table with distances and metrics.
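As an added illustration (not FortiOS code), here is a small Python model of the selection rule described above: per prefix, only the lowest-distance candidate is installed, so a floating static route at a higher distance takes over only once the primary route is withdrawn. Interface names and addresses are constructed.

```python
"""Model of FortiGate route selection (Q57): per prefix only the lowest
administrative distance is installed, so a floating static route at a higher
distance becomes active only when the primary disappears.

Added illustration, not FortiOS code. Interfaces and addresses are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances quoted on the page.
DEFAULT_DISTANCE = {"connected": 0, "static": 10, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str                     # e.g. "0.0.0.0/0"
    gateway: str
    interface: str
    source: str                     # key of DEFAULT_DISTANCE
    distance: Optional[int] = None  # explicit override, e.g. a floating static route
    metric: int = 0                 # tie-breaker within one source

    @property
    def effective_distance(self) -> int:
        return DEFAULT_DISTANCE[self.source] if self.distance is None else self.distance


class RoutingTable:
    """All candidate routes (the RIB); active() derives what gets installed."""

    def __init__(self) -> None:
        self.candidates: List[Route] = []

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def remove(self, route: Route) -> None:
        self.candidates.remove(route)

    def active(self) -> Dict[str, Route]:
        """Per prefix keep the candidate with the lowest (distance, metric)."""
        best: Dict[str, Route] = {}
        for r in self.candidates:
            cur = best.get(r.prefix)
            if cur is None or (r.effective_distance, r.metric) < (cur.effective_distance, cur.metric):
                best[r.prefix] = r
        return best

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the installed routes, as the forwarding lookup does."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.active().values() if addr in ipaddress.ip_network(r.prefix)]
        if not matches:
            return None
        return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def build_dual_wan_table() -> RoutingTable:
    """Constructed dual-ISP scenario: default via wan1 (distance 10), floating
    default via wan2 (distance 20), plus one prefix learned by both OSPF and eBGP."""
    rt = RoutingTable()
    rt.add(Route("10.10.0.0/24", "0.0.0.0", "port2", "connected"))
    rt.add(Route("0.0.0.0/0", "203.0.113.1", "wan1", "static"))
    rt.add(Route("0.0.0.0/0", "198.51.100.1", "wan2", "static", distance=20))
    rt.add(Route("172.16.0.0/16", "10.10.0.2", "port2", "ospf"))
    rt.add(Route("172.16.0.0/16", "10.10.0.3", "port2", "ebgp"))   # distance 20 beats 110
    return rt


def simulate_wan1_failure(rt: RoutingTable) -> str:
    """Withdraw the wan1 default route and return the interface now used for 192.0.2.10."""
    primary = next(r for r in rt.candidates if r.prefix == "0.0.0.0/0" and r.interface == "wan1")
    rt.remove(primary)
    return rt.lookup("192.0.2.10").interface


if __name__ == "__main__":
    table = build_dual_wan_table()
    print("before failure:", table.lookup("192.0.2.10").interface)  # wan1
    print("172.16.5.5 via:", table.lookup("172.16.5.5").source)     # ebgp
    print("after failure: ", simulate_wan1_failure(table))          # wan2
```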
Q58. How do I configure a DHCP server on a FortiGate interface?
Configure under Network > DHCP Servers or via CLI under config system dhcp server. Define the interface, IP range, default gateway, DNS server, and lease time. You can also configure DHCP option 43 (for IP phone provisioning), DHCP relay (pointing to an external DHCP server on another subnet), and IP reservations by MAC address. FortiGate can simultaneously serve DHCP on multiple interfaces — one DHCP server config per interface.
Q59. How does link monitoring work in FortiGate HA?
HA link monitoring watches specific interfaces for failure. If a monitored interface goes down on the active unit and the standby unit has that interface up, a failover is triggered. Configure which interfaces are monitored under System > HA > Link Monitor. Be selective — monitoring too many interfaces can cause unnecessary failovers from temporary link glitches. For critical WAN links, you can also use route failover detection (if the default route disappears, trigger a failover) rather than interface-level monitoring.
Q60. What is the difference between FortiGate VM and physical FortiGate?
FortiGate VM runs the same FortiOS as physical appliances on VMware ESXi, KVM, Microsoft Hyper-V, Nutanix, AWS, Azure, GCP, and OCI. The software features are identical; what differs is performance. Physical FortiGates use dedicated NP (Network Processor) and CP (Content Processor) ASICs for hardware-accelerated firewall and inspection. VMs rely entirely on CPU for packet processing — significantly lower throughput for equivalent VM resources. Use FortiGate VM for cloud deployments, lab environments, and scenarios where hardware acceleration isn’t critical; use physical for high-throughput production deployments.
Category 7 — Q61 to Q70: Wireless & FortiAP
Q61. How does FortiGate manage FortiAP access points?
FortiGate acts as the wireless controller for FortiAP devices using the CAPWAP protocol. FortiAPs discover the FortiGate controller via DHCP option 138 or DNS lookup of fortiwlc. Once discovered and authorized in the FortiGate GUI (WiFi & Switch Controller > Managed FortiAPs), the AP receives its configuration from the FortiGate — SSIDs, radio channels, power, security profiles. All management is done from the FortiGate; the AP itself has no local configuration interface for day-to-day operation.
Q62. What FortiAP models are recommended for branch and campus in 2026?
The FAP-231G and FAP-234G are 802.11ax (Wi-Fi 6) dual-radio APs suited for general office use. The FAP-431G and FAP-433G provide tri-radio (dedicated scanning radio) for high-density environments. The FAP-U231F and FAP-U433F support Wi-Fi 6E (6 GHz band) for the latest client devices. For outdoor deployments: FAP-24x series. All are managed by FortiGate or FortiLAN Cloud and integrate with the Fortinet Security Fabric for threat detection and quarantine.
Q63. How do I configure a guest SSID with captive portal on FortiGate?
Create a new SSID in WiFi & Switch Controller with WPA2-Personal or open security for guests. Map the SSID to a separate VLAN interface (e.g., VLAN 99) with its own subnet. Create a firewall policy from the guest VLAN to the internet, and enable a captive portal (authentication) under the policy — either internal FortiGate portal or redirect to an external system. Apply web filtering and application control on the guest policy to restrict content. Block all routing between the guest VLAN and internal corporate VLANs.
Q64. How does FortiGate wireless security integrate with FortiClient for endpoint compliance?
When FortiClient EMS manages endpoints in a Security Fabric deployment, FortiGate can check the endpoint’s compliance posture as part of wireless authentication. If a device connects to a corporate SSID via 802.1X and its FortiClient reports non-compliance (missing AV, out-of-date patches, jailbroken), the FortiGate can deny access or place the device in a restricted VLAN for remediation. This integration is managed through the Security Fabric connector between FortiGate and FortiClient EMS.
Q65. What is the difference between tunnel mode and bridge mode for FortiAP SSIDs?
In tunnel mode, all wireless client traffic is encapsulated in CAPWAP and sent to the FortiGate controller before forwarding. This gives the FortiGate full visibility and security inspection of wireless traffic regardless of where the AP is located. In bridge mode, the AP bridges wireless traffic directly to the local wired network without sending it to the controller. Bridge mode is more efficient for high-throughput scenarios but means the FortiGate sees less wireless traffic unless clients traverse the firewall anyway for routing. Choose tunnel mode for security inspection; bridge mode for performance with existing security enforcement upstream.
Q66. How do I troubleshoot a FortiAP that shows as offline in FortiGate?
Check: Is the AP reachable by IP? (Ping from FortiGate.) Is PoE active on the switch port? Does the AP have a DHCP lease? Is CAPWAP UDP 5246/5247 reaching the FortiGate? Check the interface where the AP is connected — the FortiGate must have an IP on that interface. If the AP is on a different subnet, check if CAPWAP traffic is allowed through intermediate firewalls. On the AP console (if accessible): run diagnostics to see whether it’s getting a DHCP address and resolving the controller. Check FortiGate’s event log for CAPWAP negotiation messages.
Q67. How does rogue AP detection work on FortiGate/FortiAP?
FortiAPs in dedicated monitor mode or on their scanning radio continuously scan all channels for 802.11 beacons. They report detected SSIDs and BSSIDs to the FortiGate. The FortiGate compares discovered APs against a whitelist of known/authorized APs. Unknown APs in the RF environment are flagged as rogue or unclassified. In the GUI: WiFi & Switch Controller > Rogue AP Monitor. FortiGate can optionally send de-authentication frames to disconnect clients from rogue APs, though this is a legally sensitive operation in some jurisdictions.
Q68. What is FortiLAN Cloud and how does it differ from FortiGate-managed APs?
FortiLAN Cloud is Fortinet’s cloud-based management platform for FortiAPs and FortiSwitches, similar to Cisco Meraki’s cloud model. APs and switches connect to the cloud management plane instead of a local FortiGate controller. This is useful for organizations that want cloud-managed simplicity without a FortiGate at every site. The trade-off: full Security Fabric integration and policy-based security requires a FortiGate. FortiLAN Cloud handles the operational side; security policies applied at the firewall level still need a FortiGate in the path.
Q69. How do I configure 802.1X authentication for wireless clients on FortiGate?
In the SSID configuration, set security mode to WPA2 Enterprise and configure the RADIUS server (RADIUS Server Name and RADIUS Secret). FortiGate acts as the RADIUS client and proxies authentication requests to your external RADIUS server (Microsoft NPS, FreeRADIUS, or FortiAuthenticator). Create the RADIUS server object first under User & Authentication > RADIUS Servers. For dynamic VLAN assignment based on RADIUS attributes, enable dynamic VLAN in the SSID settings.
Q70. What is FortiAuthenticator and when do I need it?
FortiAuthenticator is Fortinet’s dedicated identity and authentication management server. It provides RADIUS, LDAP, and TACACS+ services, manages FortiToken (hardware and software OTP tokens) for multi-factor authentication, and provides portal-based guest management. You need FortiAuthenticator when you need centralized MFA across many FortiGate devices, large-scale guest Wi-Fi management with self-registration, or a dedicated RADIUS server that integrates with FortiGate’s Security Fabric. For smaller deployments with only one or two FortiGates, FortiGate’s built-in RADIUS proxy to Active Directory is often sufficient without a separate FortiAuthenticator.
Category 8 — Q71 to Q80: FortiAnalyzer, FortiManager & Logging
Q71. What is FortiAnalyzer and what does it do?
FortiAnalyzer is a centralized log management, analytics, and reporting platform for Fortinet devices. FortiGates send syslog or Fortinet Secure Syslog to FortiAnalyzer, which indexes, correlates, and stores the data. It provides pre-built reports (traffic, threat, compliance), real-time dashboards, and alerting. FortiAnalyzer is essential for compliance auditing (PCI DSS, HIPAA, GDPR log requirements) and for getting security visibility across multiple FortiGate deployments. Available as physical appliance, VM, or cloud-based (FortiAnalyzer Cloud).
Q72. What is FortiManager and how is it different from FortiAnalyzer?
FortiManager handles configuration management: deploying policies, templates, and software updates to FortiGate devices at scale. FortiAnalyzer handles log analysis and reporting. They are separate products that can run on the same appliance (FortiAnalyzer-BigData) or separately. In large deployments, both are needed: FortiManager manages what the network does; FortiAnalyzer tells you what actually happened. Most enterprises deploy FortiManager and FortiAnalyzer together as VM or physical appliances in a central management location.
Q73. How do I configure a FortiGate to send logs to FortiAnalyzer?
Authorize the FortiGate in FortiAnalyzer first (Device Manager > Add Device). Then in FortiGate, go to Security Fabric > Fabric Connectors > FortiAnalyzer (or Log & Report > Log Settings). Enter the FortiAnalyzer IP, accept the certificate, and verify the connection status. Set log filters for which event types to send (traffic, threat, event, VPN). For IPS and web filter logs, ensure logging is enabled in the respective security profiles. Logs transmit over TCP 514 (syslog) or Fortinet’s secure protocol on 514/SSL.
Q74. How do I use FortiManager to push policies to multiple FortiGates?
Create a policy package in FortiManager containing firewall policies, address objects, and service definitions. Assign the package to one or more managed FortiGate devices or device groups. Install (push) the package by selecting Device Manager > Install Wizard and choosing the target devices. FortiManager compares what’s currently on each device against the policy package and shows a diff before committing. This centralizes policy change control — all changes happen in FortiManager and are pushed outward, rather than each device being configured independently.
Q75. What log types does FortiGate generate?
FortiGate generates: Traffic logs (forward and local traffic — every session matched by a policy), Security logs (IPS detections, antivirus hits, web filter blocks, application control actions), Event logs (system events: admin logins, HA failovers, VPN events, routing changes), VPN logs (IPsec and SSL-VPN tunnel events), and DNS logs (DNS filter hits). Traffic logs are the highest volume — log all sessions only if you have sufficient storage. Logging permitted traffic can fill the FortiAnalyzer disk quickly; consider logging only security events plus blocked traffic for long-term retention.
Q76. What is FortiSIEM and how does it extend Fortinet visibility?
FortiSIEM is a full SIEM (Security Information and Event Management) platform that aggregates logs from Fortinet devices, third-party firewalls, endpoints, cloud platforms, and applications. It provides correlation across all data sources, behavioral analytics, threat detection rules, and incident response workflows. Unlike FortiAnalyzer (Fortinet-focused), FortiSIEM is vendor-agnostic and suitable for organizations with mixed-vendor environments. It replaces or supplements external SIEMs like Splunk or Microsoft Sentinel for organizations standardizing on Fortinet.
Q77. How do I run compliance reports on FortiAnalyzer for PCI DSS?
FortiAnalyzer includes pre-built compliance report templates for PCI DSS, HIPAA, GDPR, ISO 27001, and NIST. Under Reports > Report Definitions, select the relevant compliance template. Configure the report scope (which FortiGates, time period) and schedule. The reports map log data to specific compliance control requirements — for example, PCI DSS Requirement 10 (log review) maps to FortiAnalyzer’s log integrity and access tracking reports. Export as PDF or HTML for auditors.
Q78. What is the FortiGate Security Rating and how do I use it?
The Security Rating (Security Fabric > Security Rating) runs automated checks against your FortiGate configuration and scores it against security best practices. It checks for things like: admin password strength, HTTPS management access, IPS signatures enabled, antivirus enabled, SSL inspection configured, recommended firmware version in use, and feature licensing. Each category gets a score and a list of specific findings with remediation guidance. It’s a useful checklist for newly deployed FortiGates and periodic security reviews.
Q79. How do I forward FortiGate logs to a third-party SIEM like Splunk?
Configure syslog forwarding under Log & Report > Log Settings > Remote Logging > Syslog. Enter the Splunk Universal Forwarder or Splunk Heavy Forwarder IP on the receiving end, use UDP or TCP 514, and select the log types to forward. Fortinet provides the Fortinet App for Splunk on Splunkbase that parses FortiGate syslog format and provides pre-built dashboards, searches, and visualizations. CEF format is also supported for SIEM platforms that prefer Common Event Format.
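The log types from Q75 and the syslog/CEF forwarding from Q79, worked through in Python as an added example (not Fortinet’s parser or the Splunk app): it parses FortiGate’s key=value syslog format, buckets records by type, flags the entries an analyst looks at first, and re-emits a record as CEF. The sample lines, device name, addresses and signature name are constructed, and the CEF field mapping is this example’s own choice.

```python
"""Parse FortiGate key=value syslog, triage it by the log types Q75 lists,
and re-emit a record as CEF (the alternative format Q79 mentions).

Added example, not Fortinet's parser or the Splunk app. Sample lines are
constructed in FortiGate's key=value style; names and addresses are made up.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Space-separated key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SAMPLE_LOGS = [
    # Traffic log: outbound SSH hitting the implicit deny (policyid=0).
    'date=2026-04-02 time=09:12:41 devname="FGT-BRANCH-01" type="traffic" subtype="forward" '
    'level="notice" srcip=10.10.0.25 srcport=51333 srcintf="port2" dstip=203.0.113.50 '
    'dstport=22 dstintf="wan1" proto=6 action="deny" policyid=0 service="SSH"',
    # Traffic log: permitted HTTPS through policy 7.
    'date=2026-04-02 time=09:12:43 devname="FGT-BRANCH-01" type="traffic" subtype="forward" '
    'level="notice" srcip=10.10.0.25 srcport=51334 srcintf="port2" dstip=198.51.100.20 '
    'dstport=443 dstintf="wan1" proto=6 action="accept" policyid=7 service="HTTPS"',
    # Security log: IPS drop (signature name is constructed).
    'date=2026-04-02 time=09:13:05 devname="FGT-BRANCH-01" type="utm" subtype="ips" '
    'level="alert" severity="high" srcip=203.0.113.77 dstip=10.10.0.40 dstport=443 '
    'action="dropped" policyid=3 attack="Example.Constructed.Signature" msg="signature matched"',
    # Event logs: a failed admin login, then an HA failover.
    'date=2026-04-02 time=09:14:10 devname="FGT-BRANCH-01" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" srcip=10.10.0.99 '
    'action="login" status="failed" msg="Administrator admin login failed from https(10.10.0.99)"',
    'date=2026-04-02 time=09:15:00 devname="FGT-BRANCH-01" type="event" subtype="ha" '
    'level="warning" logdesc="HA member status change" msg="HA failover: secondary became primary"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return one FortiGate syslog line as a dict; surrounding quotes are stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Count records per log type and flag what an analyst looks at first:
    implicit-deny hits, IPS detections, failed admin logins and HA failovers."""
    by_type: Counter = Counter()
    denied_by_src: Counter = Counter()
    alerts: List[str] = []
    for raw in lines:
        rec = parse_fortigate_log(raw)
        kind, sub = rec.get("type"), rec.get("subtype")
        by_type[kind or "unknown"] += 1
        if kind == "traffic" and rec.get("action") == "deny":
            denied_by_src[rec.get("srcip", "?")] += 1
            if rec.get("policyid") == "0":  # implicit deny: no explicit policy matched
                alerts.append(f"implicit-deny {rec['srcip']}->{rec['dstip']}:{rec['dstport']}")
        elif kind == "utm" and sub == "ips":
            alerts.append(f"ips {rec.get('severity')} {rec.get('attack')} from {rec.get('srcip')}")
        elif kind == "event" and sub == "ha":
            alerts.append(f"ha {rec.get('msg')}")
        elif kind == "event" and rec.get("action") == "login" and rec.get("status") == "failed":
            alerts.append(f"admin-login-failed {rec.get('user')} from {rec.get('srcip')}")
    return {"by_type": dict(by_type), "denied_by_src": dict(denied_by_src), "alerts": alerts}


def _cef_escape(value: str, header: bool) -> str:
    """CEF escaping: backslash everywhere, pipe in header fields, equals in extensions."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(rec: Dict[str, str]) -> str:
    """Render a parsed record as CEF; the field mapping here is this example's own choice."""
    name = rec.get("attack") or rec.get("logdesc") or f"{rec.get('type')}/{rec.get('subtype')}"
    severity = {"alert": "9", "critical": "8", "warning": "5", "notice": "3"}.get(rec.get("level", ""), "1")
    header = "|".join(["CEF:0", "Fortinet", "FortiGate", "FortiOS 7.x",
                       _cef_escape(rec.get("logid", "0"), True), _cef_escape(name, True), severity])
    mapping = {"devname": "dvchost", "srcip": "src", "srcport": "spt", "dstip": "dst",
               "dstport": "dpt", "action": "act", "msg": "msg"}
    ext = " ".join(f"{cef}={_cef_escape(rec[k], False)}" for k, cef in mapping.items() if k in rec)
    return f"{header}|{ext}"


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print(result["by_type"])  # {'traffic': 2, 'utm': 1, 'event': 2}
    for alert in result["alerts"]:
        print("ALERT", alert)
    print(to_cef(parse_fortigate_log(SAMPLE_LOGS[2])))
```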
Q80. How do I view real-time traffic on a FortiGate?
In the GUI: Dashboard > FortiView > Traffic (sessions, applications, sources, destinations in real time). The FortiView interface shows live session data sortable by bandwidth, session count, and source/destination. For CLI-based real-time monitoring: diagnose sys top shows process CPU usage; diagnose netlink interface list shows interface statistics; diagnose sniffer packet <interface> none 4 captures live packets on the CLI.
Category 9 — Q81 to Q90: Troubleshooting
Q81. How do I run the FortiGate packet sniffer from CLI?
diagnose sniffer packet <interface> <filter> <verbose> <count>. The interface can be any to capture on all interfaces. The filter is a tcpdump-style BPF filter (e.g., 'host 192.168.1.100 and port 443'). Verbose levels: 1=summary, 4=headers, 6=full hex. This is the fastest way to confirm whether traffic is arriving on the correct interface and whether the FortiGate is sending responses. Press Ctrl+C to stop.
Q82. How do I use the FortiGate debug flow to trace why traffic is being dropped?
Debug flow traces a packet through the entire processing pipeline and shows you at which point it’s allowed or dropped and why. Run it carefully — it can impact CPU on busy systems:
```
diagnose debug reset
diagnose debug flow filter addr 192.168.1.100
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
(generate traffic, observe output)
diagnose debug disable
diagnose debug flow trace stop
```
Q83. Why is traffic being dropped even though a firewall policy permits it?
Common reasons beyond the obvious policy lookup: IPS is blocking it (check the security profile logs for that policy); a stale session from a previous connection attempt is still in the session table with incorrect state (use diagnose sys session filter and clear it if needed); an asymmetric routing issue where replies arrive on a different interface than the session expects; or an RPF (Reverse Path Forwarding) check failure. Run debug flow to identify the exact drop reason code.
Q84. How do I troubleshoot high memory usage on a FortiGate?
get system performance status shows current memory usage and the top memory-consuming processes. diagnose sys top shows per-process memory. Common causes: excessive proxy-based inspection buffering (switch to flow-based where possible), very large session tables (more sessions than the model is rated for), large IPS or AV signature databases loaded for a small-memory model, or a memory leak in a specific daemon (requires TAC case). FortiGate has built-in memory conserve mode that disables some features when memory drops below a threshold to prevent crashes.
Q85. How do I check which policy is matching a specific traffic flow?
Use the Policy Lookup tool in the GUI: Policy & Objects > Firewall Policy > Policy Lookup. Enter the source and destination IP, port, and protocol — the tool shows which policy would match. In CLI: diagnose firewall iprope lookup <src-ip> <dst-ip> <port> <protocol> <src-interface>. For traffic already flowing, find the session in the session table with diagnose sys session filter daddr <IP> and check the policy ID field in the session output.
Q86. How do I troubleshoot SSL certificate issues with FortiGate deep inspection?
Users see certificate errors for two reasons: the FortiGate’s CA certificate isn’t trusted by the browser (fix by distributing the FortiGate CA via Group Policy), or the FortiGate is blocking a site where the original certificate is invalid, expired, or self-signed (configure the SSL inspection profile to allow or block invalid server certificates explicitly). Exempt specific sites from SSL inspection using URL or address categories in the SSL inspection profile when certificate interception breaks specific applications (many banking and healthcare apps detect SSL inspection).
Q87. How do I clear a stuck or stale session on a FortiGate?
Use session filters to find the session, then clear it:
```
# Filter sessions by source or dest IP
diagnose sys session filter src 192.168.1.100
diagnose sys session list
# Clear filtered sessions
diagnose sys session clear
```
Q88. How do I check the status of FortiGuard service subscriptions from CLI?
diagnose autoupdate versions shows the current version and last-update timestamp for each security service (IPS, AV, web filter, app control). get system fortiguard-service shows the licensed services and their expiry dates. If a service shows as expired or unlicensed, signature updates stop; the signatures already on the device keep working until a restart removes them.
Q89. How do I collect a full diagnostic report for a Fortinet TAC case?
Run execute tac report from the CLI. This generates a comprehensive support file containing configuration (passwords masked), interface statistics, routing tables, session table counts, log samples, and hardware status. Download the resulting file and attach it to your TAC support case. For live issues, TAC may also request diagnose debug report outputs or specific debug session captures depending on the problem type.
Q90. What are the most common FortiGate CVEs and how do I check if I’m vulnerable?
Notable recent CVEs affecting FortiGate include SSL-VPN authentication bypass vulnerabilities (CVE-2023-27997, CVE-2024-21762) and remote code execution vulnerabilities in specific FortiOS versions. Check your FortiOS version against the Fortinet PSIRT advisories at fortiguard.fortinet.com/psirt. The Fortinet Security Rating tool in the GUI also flags known vulnerabilities for your firmware version. Enable automatic update notifications from Fortinet and subscribe to the PSIRT advisory mailing list. Apply patches promptly — Fortinet vulnerabilities are actively exploited within days of disclosure.
Category 10 — Q91 to Q100: Security Fabric & Advanced Features
Q91. How do I set up FortiGate as the Security Fabric root and add downstream devices?
Enable the Security Fabric on the root FortiGate under Security Fabric > Fabric Settings. Enable Fabric Discovery and set a fabric name. Downstream FortiGate, FortiSwitches, and FortiAPs join automatically if they can reach the root FortiGate. For FortiSwitches, enable the FortiSwitch port on the connecting FortiGate interface. The root FortiGate shows a topology map of all connected Fabric devices, their firmware versions, and security posture. Non-Fortinet devices can join via API integrations.
Q92. What is FortiSwitch and how does FortiGate manage it?
FortiSwitch is Fortinet’s managed access switch line. When connected to a FortiGate via an uplink (FortiLink), FortiSwitch is managed entirely from the FortiGate GUI — VLANs, port policies, PoE, STP, and 802.1X authentication are all configured on the FortiGate, which pushes the config to the FortiSwitch. This is similar to Cisco’s Catalyst Center + Catalyst switch model, but integrated directly into the FortiGate. FortiSwitch also participates in the Security Fabric, allowing per-port quarantine of devices detected as compromised by FortiGate’s threat intelligence.
Q93. What is FortiSandbox and how does it integrate with FortiGate?
FortiSandbox analyzes suspicious files in an isolated environment (sandbox) to detect zero-day malware that signature-based AV misses. FortiGate (with an antivirus profile in proxy mode) can submit files for sandbox analysis: when an unknown file is detected, the file is held or passed with logging while FortiSandbox detonates it in a virtual environment. If malicious, FortiGate updates its local cache and blocks future instances. Available as cloud service (FortiSandbox Cloud, included in some license bundles) or on-prem appliance.
Q94. How does FortiGate handle IoT device profiling and segmentation?
FortiGate can automatically detect and profile IoT devices connecting to the network using device identification (MAC OUI, DHCP fingerprinting, network behavior analysis). Devices are assigned to categories (IP camera, medical device, printer, smart TV). Policies can reference device type as a source condition — so IP cameras get firewall rules appropriate for cameras (no outbound SSH, limited egress) automatically. This requires the Device Detection feature and works best with FortiSwitch integration for wired devices and FortiAP for wireless IoT.
Q95. What is FortiGate Consolidated Firewall and SD-WAN (NGFW) vs a traditional NGFW?
Traditional NGFW (Palo Alto, Check Point) focuses on security with routing and VPN as secondary capabilities. FortiGate positions itself as a consolidated network and security platform — combining NGFW, IPsec, SD-WAN, LTE failover, switch management, wireless control, and analytics in one device. For a branch site, a single FortiGate can replace a separate firewall, router, wireless controller, and switch management device. This consolidation reduces hardware count, vendor complexity, and management overhead — the main reason Fortinet wins in branch deployments.
Q96. How does FortiGate NP (Network Processor) acceleration work?
FortiGate’s NP processors (NP6, NP7) offload specific packet processing tasks from the main CPU to dedicated ASICs. Tasks that can be hardware-accelerated include: IPv4/IPv6 forwarding, firewall session setup and lookup, IPsec encryption/decryption, DoS protection, and traffic shaping. Tasks that cannot be hardware-accelerated and run on the CPU include: proxy-based inspection, SSL deep inspection, IPS for certain traffic patterns, and application control. The throughput numbers in Fortinet’s datasheets distinguish between “Firewall throughput” (with NP offload) and “Threat Protection throughput” (without offload, reflecting real-world security-enabled performance).
Q97. What is FortiDeceptor and how does it complement FortiGate?
FortiDeceptor is a deception technology platform that deploys honeypots and decoys (fake servers, fake credentials, fake data) across the network. When an attacker interacts with a decoy, FortiDeceptor immediately detects the lateral movement attempt and can automatically instruct FortiGate to quarantine the attacking source IP or endpoint. This provides early detection of attackers who have already bypassed perimeter security — the moment they touch a decoy, they’re identified. FortiDeceptor integrates with the Security Fabric for automated response.
Q98. What is Fortinet’s approach to OT/ICS security with FortiGate?
FortiGate includes OT-specific IPS signatures for industrial protocols (Modbus, DNP3, IEC 61850, Profinet, BACnet) and can detect attacks targeting SCADA and ICS systems. The FortiGate Rugged series (FGR-60F, FGR-70F) provides hardened hardware suitable for industrial environments — wider temperature range, DIN rail mounting, SFP fiber options, and extended warranty. Combined with FortiNAC (network access control) for OT asset discovery and Fortinet’s OT Security platform, FortiGate provides visibility and segmentation between IT and OT networks.
Q99. How does Fortinet compare to Palo Alto Networks for NGFW in 2026?
Palo Alto NGFW is generally considered to have stronger security analytics, better application identification in complex environments, and a more mature SASE story with Prisma. FortiGate wins on price per throughput, consolidated functionality (SD-WAN, switching, wireless built in), and deployment simplicity for branch networks. Organizations with large security teams and a primary focus on deep threat prevention often choose Palo Alto. Organizations with many distributed sites prioritizing cost, operational simplicity, and consolidated branch infrastructure often choose Fortinet. Gartner consistently ranks both as Leaders in the Network Firewall Magic Quadrant.
Q100. What are the Fortinet certifications and which ones should I pursue?
Fortinet’s Network Security Expert (NSE) program has eight levels: NSE 1–3 are awareness-level with free online training. NSE 4 (FortiGate Security & Infrastructure) is the primary hands-on certification for FortiGate administrators — it covers everything in this article and more. NSE 5 (FortiManager + FortiAnalyzer) follows for management platform expertise. NSE 6 covers specific products (FortiSwitch, FortiAP, FortiMail). NSE 7 (SD-WAN) is enterprise-level specialization. NSE 8 is the expert-level written and practical exam. For most network engineers starting with Fortinet: NSE 4 is the right first goal.
Quick Reference: Essential FortiGate CLI Commands
| Command | What It Does |
| --- | --- |
| get system status | Firmware version, serial, uptime, license status |
| get system performance status | CPU, memory, session count in real time |
| get router info routing-table all | Full routing table with protocol and metric |
| diagnose sys session list | All active sessions through the firewall |
| diagnose vpn ike gateway list | IPsec Phase 1 status |
| diagnose vpn tunnel list | IPsec Phase 2 (child SA) status and traffic counters |
| diagnose autoupdate versions | FortiGuard signature versions and last update |
| diagnose sys sdwan health-check status | SD-WAN SLA probe results per member |
| diagnose sniffer packet any <filter> 4 | Live packet capture on any interface |
| diagnose debug flow trace start 20 | Trace packet processing pipeline for 20 packets |
| get system ha status | HA cluster state and member info |
| execute tac report | Generate full support file for TAC case |
What to Remember
| Topic | Key point |
| --- | --- |
| Security Profiles | IPS, AV, web filter, app control, SSL inspection — none of them work unless they’re attached to a firewall policy and logging is enabled. |
| SD-WAN vs IPsec | SD-WAN rules steer traffic across transports. IPsec VPN creates the secure tunnel. They work together — IPsec overlay tunnels are SD-WAN members. |
| SSL-VPN | Being deprecated. For new remote access, plan around IPsec with FortiClient or ZTNA. Existing SSL-VPN deployments should migrate to avoid future CVE exposure. |
| Throughput specs | Always size to the “Threat Protection” throughput number (with AV+IPS enabled), not the raw firewall throughput. They can differ by 10x on small models. |