Lesson 1. Policy design principles: least privilege, deny-by-default, explicit allow rules
Study the core firewall policy planning principles: least privilege, deny-by-default, and explicit allow rules. Learn to structure policies for clarity, eliminate shadowed rules (rules that can never match because an earlier, broader rule already catches their traffic), and record the business reason behind each access need.
- Implementing deny-by-default at the edge
- Designing least-privilege access rules
- Avoiding overlapping and shadowed policies
- Using address and service groups wisely
- Documenting and reviewing business rules

Lesson 2. HQ LAN to Internet policy: sources, destinations, services, NAT settings, logging
Learn to build a secure main-office LAN to Internet policy: address and service objects, NAT setup, logging options, and policy order. Understand how to avoid overly open rules while keeping user access working.
- Defining HQ LAN and Internet address objects
- Selecting appropriate service objects and groups
- Configuring central or policy-based NAT
- Enabling and tuning traffic logging options
- Placing the policy correctly in rule order

Lesson 3. Site-to-site traffic policies: selectors, policy order, and non-NAT for tunneled networks
Learn to create policies for site-to-site VPN traffic, including address selectors, policy order, and non-NAT rules. Understand how to keep tunneled traffic separate from direct Internet traffic and how to avoid asymmetric routing and unwanted exposure.
- Defining local and remote VPN selectors
- Creating non-NAT policies for tunnels
- Ordering VPN policies relative to Internet rules
- Separating management and user traffic
- Troubleshooting common VPN policy issues

Lesson 4. Security profiles: application control for blocking risky apps, bandwidth shaping, and categorization
Set up application control profiles that identify and manage applications regardless of port. Learn to block risky apps, shape bandwidth, tune categories, and review logs to refine policies without disrupting business traffic.
- Selecting base application control profiles
- Blocking high-risk and unwanted apps
- Applying per-application bandwidth limits
- Using categories and overrides wisely
- Reviewing logs to refine app policies

Lesson 5. BR LAN to Internet policy: sources, destinations, services, NAT settings, logging
Set up a secure branch LAN to Internet policy that matches main-office standards. Learn to reuse objects, apply NAT, and enable logging while accounting for local Internet breakout, limited bandwidth, and differing compliance or content-filtering needs.
- Reusing global vs local address objects
- Defining branch-specific service policies
- Configuring NAT and IP pools for branches
- Aligning logging with central reporting
- Handling local Internet breakout traffic

Lesson 6. Logging and session handling within policies: enabling logging, syslog fields, and disk usage implications
Understand how to enable and tune logging on policies, including log types, severity, and destinations. Learn the key session log fields, the effect of logging on disk use, and how to plan retention, offloading, and compliance reporting.
- Choosing log types and severity levels
- Selecting local disk vs remote logging
- Understanding key session log fields
- Managing disk usage and log rotation
- Using logs for audits and forensics

Lesson 7. HQ LAN to HQ DMZ policy: controlled access to web/mail servers, limited ports, intra-zone inspection
Design main-office LAN to DMZ policies that tightly control access to the servers there. Learn to limit access to required ports only, apply security profiles, and inspect intra-zone traffic while keeping servers available and supporting monitoring and backups.
- Defining DMZ server address objects
- Restricting access to required ports only
- Applying security profiles to DMZ traffic
- Allowing monitoring and backup securely
- Testing and validating DMZ access rules

Lesson 8. Security profiles: web filtering configuration, categories, safe-search, and SSL inspection considerations
Set up web filtering profiles with category controls, safe-search enforcement, and SSL inspection options. Learn to balance user productivity, privacy, and security while reducing certificate warnings and inspection problems.
- Building category-based web filter profiles
- Enforcing safe-search and YouTube controls
- Configuring SSL inspection for web traffic
- Handling certificate warnings and bypasses
- Reporting and tuning blocked web activity

Lesson 9. Security profiles: IPS policy tuning, signatures, and performance vs. protection trade-offs
Plan IPS profiles for different traffic types, tune signatures to cut noise, and see how inspection modes and hardware affect throughput. Learn to balance detection depth against acceptable latency and CPU use.
- Choosing IPS default and custom profiles
- Tuning signatures and severity thresholds
- Using flow-based vs proxy-based inspection
- Handling false positives and exemptions
- Measuring IPS impact on performance

Lesson 10. Security profiles: antivirus deployment and recommended scanning options
Understand FortiGate antivirus profiles, including real-time scanning, file-type handling, and heuristics. Learn recommended settings for web, email, and file transfers, plus how to handle large files, archives, and performance-sensitive traffic.
- Selecting AV profiles for different policies
- Configuring full, quick, and flow-based scanning
- Handling archives, large files, and timeouts
- Dealing with encrypted and compressed traffic
- Logging and alerting for malware events

Lesson 11. Inter-VDOM or inter-zone policies when using VDOMs: policy separation and management access
Explore inter-VDOM and inter-zone policies when VDOMs are used to segment environments. Learn to separate management and user traffic, control admin access, and keep clear policy boundaries between security domains.
- Planning VDOM roles and trust levels
- Creating inter-VDOM link interfaces
- Building policies between VDOMs safely
- Restricting management plane access
- Logging and auditing cross-VDOM traffic
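The checks that Lessons 1, 2, 3 and 6 describe (no rule shadowed by an earlier, broader rule; an explicit, logged deny-all closing the table; no NAT on policies that send traffic into a site-to-site tunnel; logging enabled on accept rules) can be run mechanically over a FortiOS policy table. The linter below is an added example written for this outline, not course material or Fortinet code. It assumes a constructed sample policy table, a hand-built ADDRESSES map standing in for the device's `config firewall address` objects, and a TUNNEL_INTERFACES set naming the IPsec interfaces of a hypothetical two-site topology; the field names (srcintf, dstintf, srcaddr, dstaddr, service, action, nat, logtraffic) are the real FortiOS CLI keywords.

```python
"""Lint a FortiOS 'config firewall policy' table for what these lessons warn about:
rules shadowed by an earlier, broader rule; NAT enabled on a site-to-site tunnel
policy; accept rules that log nothing; no logged deny-all closing the table."""
import ipaddress
import shlex
# Assumption: these interface names are the IPsec tunnels in the lab topology.
TUNNEL_INTERFACES = {"to_branch"}
ADDRESSES = {  # constructed; on a real box these come from 'config firewall address'
    "HQ_LAN": ipaddress.ip_network("10.1.0.0/16"),
    "HQ_SERVERS": ipaddress.ip_network("10.1.10.0/24"),
    "BR_LAN": ipaddress.ip_network("10.2.0.0/16"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}
# Constructed sample, not a device export: 2 is shadowed by 1 and unlogged, 3 NATs a tunnel.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "HQ_LAN"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "HQ_SERVERS"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set nat enable
        set logtraffic disable
    next
    edit 3
        set srcintf "internal"
        set dstintf "to_branch"
        set srcaddr "HQ_LAN"
        set dstaddr "BR_LAN"
        set action accept
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
"""

def parse_policies(text):
    """Turn FortiOS CLI text into a list of {field: [values]} dicts, in table order."""
    policies, entry = [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if tok[:1] == ["edit"]:
            entry = {"id": tok[1]}
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]          # multi-value fields (service, srcaddr) stay lists
        elif tok[:1] == ["next"]:
            policies.append(entry)
    return policies

def names_cover(outer, inner, wildcard):
    """Interface/service fields: outer covers inner if it holds the wildcard or every name."""
    return wildcard in outer or set(inner) <= set(outer)

def nets_cover(outer, inner):
    """Address fields: every inner network must lie inside some outer network."""
    return all(any(ADDRESSES[i].subnet_of(ADDRESSES[o]) for o in outer) for i in inner)

def is_shadowed(earlier, later):
    """True when everything `later` could match is already matched by `earlier`."""
    return (names_cover(earlier["srcintf"], later["srcintf"], "any")
            and names_cover(earlier["dstintf"], later["dstintf"], "any")
            and nets_cover(earlier["srcaddr"], later["srcaddr"])
            and nets_cover(earlier["dstaddr"], later["dstaddr"])
            and names_cover(earlier["service"], later["service"], "ALL"))

def lint(text):
    """Return (policy id, finding) tuples in table order; an empty list means clean."""
    policies, findings = parse_policies(text), []
    for i, p in enumerate(policies):
        accept = p["action"] == ["accept"]
        for q in policies[:i]:
            if is_shadowed(q, p):
                findings.append((p["id"], f"shadowed-by-{q['id']}"))
        if accept and p.get("nat") == ["enable"] and set(p["dstintf"]) & TUNNEL_INTERFACES:
            findings.append((p["id"], "nat-on-tunnel"))
        if accept and p.get("logtraffic", ["utm"]) == ["disable"]:  # FortiOS default is utm
            findings.append((p["id"], "no-logging"))
    last = policies[-1] if policies else {}
    if not (last.get("action") == ["deny"] and last.get("srcaddr") == ["all"]
            and last.get("dstaddr") == ["all"] and last.get("logtraffic") == ["all"]):
        findings.append(("-", "no-explicit-logged-deny-all"))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE_CONFIG), sep="\n")
```

Running it on the sample reports policy 2 as shadowed by policy 1 (10.1.10.0/24 sits inside 10.1.0.0/16, HTTPS is in policy 1's service list, same interface pair), policy 2 as unlogged, policy 3 as NATing traffic into the tunnel, and the missing deny-all. A shadowed rule with the same action as its shadow is dead configuration; one with a different action is the dangerous case, because the later, stricter rule never fires. To lint a real device, paste the output of `show firewall policy` in place of SAMPLE_CONFIG and fill ADDRESSES from `show firewall address`.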