Lesson 1: Policy design principles: least privilege, deny-by-default, explicit allow rules

Study core firewall design principles such as least privilege, deny-by-default, and explicit allow rules. Learn to structure policies for clarity, minimize shadowed rules, and document business justifications for each access requirement.

- Implementing deny-by-default at the edge
- Designing least-privilege access rules
- Avoiding overlapping and shadowed policies
- Using address and service groups wisely
- Documenting and reviewing business rules

Lesson 2: HQ LAN to Internet policy: sources, destinations, services, NAT settings, logging

Learn how to build a secure HQ LAN to Internet policy, including address and service objects, NAT configuration, logging options, and policy ordering. Understand how to avoid overly permissive rules while keeping user access functional.

- Defining HQ LAN and Internet address objects
- Selecting appropriate service objects and groups
- Configuring central or policy-based NAT
- Enabling and tuning traffic logging options
- Placing the policy correctly in rule order

Lesson 3: Site-to-site traffic policies: selectors, policy order, and non-NAT for tunneled networks

Learn how to create policies for site-to-site VPN traffic, including address selectors, policy order, and non-NAT rules. Understand how to separate tunneled from direct Internet traffic and avoid asymmetric routing or unintended exposure.

- Defining local and remote VPN selectors
- Creating non-NAT policies for tunnels
- Ordering VPN policies vs. Internet rules
- Separating management and user traffic
- Troubleshooting common VPN policy issues

Lesson 4: Security profiles: application control (blocking risky apps, bandwidth shaping, and categorization)

Configure application control profiles to identify and manage applications regardless of port. Learn to block risky apps, shape bandwidth, and tune categories while monitoring logs to refine policies without disrupting business traffic.

- Selecting base application control profiles
- Blocking high-risk and unwanted apps
- Applying per-application bandwidth limits
- Using categories and overrides wisely
- Reviewing logs to refine app policies

Lesson 5: BR LAN to Internet policy: sources, destinations, services, NAT settings, logging

Configure a secure branch LAN to Internet policy aligned with HQ standards. Learn how to reuse objects, apply NAT, and enable logging while accounting for local breakout, limited bandwidth, and different compliance or content needs.

- Reusing global vs. local address objects
- Defining branch-specific service policies
- Configuring NAT and IP pools for branches
- Aligning logging with central reporting
- Handling local Internet breakout traffic

Lesson 6: Logging and session handling within policies: enabling logging, syslog fields, and disk usage implications

Understand how to enable and tune logging on policies, including log types, severity, and destinations. Learn key session fields, how logs affect disk usage, and strategies for log retention, offloading, and compliance reporting.

- Choosing log types and severity levels
- Selecting local disk vs. remote logging
- Understanding key session log fields
- Managing disk usage and log rotation
- Using logs for audits and forensics

Lesson 7: HQ LAN to HQ DMZ policy: controlled access to web/mail servers, limited ports, intra-zone inspection

Design HQ LAN to DMZ policies that tightly control access to internal servers. Learn to restrict ports, apply security profiles, and inspect intra-zone traffic while preserving server availability and supporting monitoring or backup flows.

- Defining DMZ server address objects
- Restricting access to required ports only
- Applying security profiles to DMZ traffic
- Allowing monitoring and backup securely
- Testing and validating DMZ access rules

Lesson 8: Security profiles: web filtering configuration, categories, safe-search, and SSL inspection considerations

Configure web filtering profiles with category-based controls, safe-search enforcement, and SSL inspection choices. Learn how to balance user productivity, privacy, and security while minimizing certificate warnings and inspection failures.

- Building category-based web filter profiles
- Enforcing safe-search and YouTube controls
- Configuring SSL inspection for web traffic
- Handling certificate warnings and bypasses
- Reporting and tuning blocked web activity

Lesson 9: Security profiles: IPS policy tuning, signatures, and performance vs. protection tradeoffs

Explore IPS profile design for different traffic types, tune signatures to reduce noise, and understand how inspection modes and hardware resources affect throughput. Learn to balance detection depth with acceptable latency and CPU usage.

- Choosing IPS default and custom profiles
- Tuning signatures and severity thresholds
- Using flow-based vs. proxy-based inspection
- Handling false positives and exemptions
- Measuring IPS impact on performance

Lesson 10: Security profiles: antivirus deployment and recommended scanning options

Understand FortiGate antivirus profiles, including real-time scanning, file type coverage, and heuristic options. Learn recommended settings for web, email, and file services, plus how to handle large files, archives, and performance-sensitive traffic.

- Selecting AV profiles for different policies
- Configuring full, quick, and flow-based scan
- Handling archives, large files, and timeouts
- Dealing with encrypted and compressed traffic
- Logging and alerting for malware events

Lesson 11: Inter-VDOM or inter-zone policies if using VDOMs: policy separation and management access

Explore inter-VDOM and inter-zone policies used when VDOMs segment environments. Learn how to separate management and user traffic, control administrative access, and maintain clear policy boundaries between security domains.

- Planning VDOM roles and trust levels
- Creating inter-VDOM link interfaces
- Building policies between VDOMs safely
- Restricting management plane access
- Logging and auditing cross-VDOM traffic