Lesson 1 - Policy design principles: least privilege, deny-by-default, explicit allow rules

Study the core firewall design principles of least privilege, deny-by-default, and explicit allow rules. Learn to structure policies for clarity, minimize shadowed rules (rules that can never match because an earlier, broader rule already matches the same traffic), and document the business justification for each access requirement.
Topics:
- Implementing deny-by-default at the edge
- Designing least-privilege access rules
- Avoiding overlapping and shadowed policies
- Using address and service groups wisely
- Documenting and reviewing business rules

Lesson 2 - HQ LAN to Internet policy: sources, destinations, services, NAT settings, logging

Learn how to build a secure HQ LAN to Internet policy, including address and service objects, NAT configuration, logging options, and policy ordering. Understand how to avoid overly permissive rules (for example, service "ALL" from the LAN to destination "all") while keeping user access functional.
Topics:
- Defining HQ LAN and Internet address objects
- Selecting appropriate service objects and groups
- Configuring central or policy-based NAT
- Enabling and tuning traffic logging options
- Placing the policy correctly in rule order

Lesson 3 - Site-to-site traffic policies: selectors, policy order, and non-NAT for tunneled networks

Learn how to create policies for site-to-site VPN traffic, including address selectors, policy order, and non-NAT rules. Understand how to separate tunneled traffic from direct Internet traffic, so that a broad LAN-to-Internet NAT rule placed above the tunnel policy does not capture and source-NAT traffic destined for the remote site, and how to avoid asymmetric routing or unintended exposure.
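The two ordering problems that Lessons 1 and 3 warn about, a shadowed rule that can never match and a broad NAT rule that captures tunnel traffic, can be checked mechanically against an ordered rule list. The Python below is an added example written for this page; it is not FortiGate code or course material. The `Policy` fields, the first-match model, the `ANY` wildcard and the two sample rule sets (addresses, interface names such as `vpn-br`, and policy names) are assumptions for illustration. The check is deliberately conservative: a rule is reported as shadowed only when each of its networks sits inside a single network of an earlier rule, so a rule covered only by the union of several earlier networks is not reported.

```python
"""Ordered firewall policy linter (added example, not FortiGate code).

Model: first match wins, top-down, on source interface, destination
interface, source networks, destination networks and services. Rule B is
shadowed by an earlier rule A when every packet B could match is already
matched by A.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"  # wildcard interface or service (assumed naming)


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    src: list        # IPv4Network objects
    dst: list        # IPv4Network objects
    services: set    # e.g. {"tcp/443", "udp/53"}; {ANY} matches everything
    action: str      # "accept" or "deny"
    nat: bool = False
    log: bool = False


def net(cidr):
    return ip_network(cidr, strict=False)


def _intf_covers(outer, inner):
    return outer == ANY or outer == inner


def _nets_cover(outer, inner):
    # conservative: each inner network must fit inside one outer network
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def _services_cover(outer, inner):
    return ANY in outer or inner <= outer


def covers(a, b):
    """True when rule a matches everything rule b could match."""
    return (_intf_covers(a.srcintf, b.srcintf)
            and _intf_covers(a.dstintf, b.dstintf)
            and _nets_cover(a.src, b.src)
            and _nets_cover(a.dst, b.dst)
            and _services_cover(a.services, b.services))


def shadowed(policies):
    """List (shadowed_rule, covering_rule, covering_rule_nats) tuples.

    The third element matters for tunnel rules: if the covering rule
    applies source NAT, traffic meant for the tunnel is rewritten and no
    longer matches the phase-2 selectors, so the site-to-site flow breaks.
    """
    findings = []
    for i, b in enumerate(policies):
        for a in policies[:i]:
            if covers(a, b):
                findings.append((b.name, a.name, a.nat))
                break
    return findings


def missing_final_deny(policies):
    """True unless the last rule is an explicit, logged deny-all."""
    last = policies[-1]
    everything = [net("0.0.0.0/0")]
    return not (last.action == "deny" and last.log
                and last.srcintf == ANY and last.dstintf == ANY
                and _nets_cover(last.src, everything)
                and _nets_cover(last.dst, everything)
                and _services_cover(last.services, {ANY}))


# Constructed sample rule sets; addresses and interface names are placeholders.
HQ_LAN = [net("10.10.0.0/16")]
BR_LAN = [net("10.20.0.0/16")]
DMZ_WEB = [net("172.16.1.10/32")]
EVERYTHING = [net("0.0.0.0/0")]
WEB = {"tcp/80", "tcp/443", "udp/53"}

# Mistake: a "LAN to any" NAT rule sits above the tunnel and DMZ rules.
BAD_ORDER = [
    Policy("HQ-LAN-to-any", "lan", ANY, HQ_LAN, EVERYTHING, {ANY}, "accept", nat=True, log=True),
    Policy("HQ-to-BR-tunnel", "lan", "vpn-br", HQ_LAN, BR_LAN, {ANY}, "accept", nat=False, log=True),
    Policy("HQ-LAN-to-DMZ-web", "lan", "dmz", HQ_LAN, DMZ_WEB, {"tcp/443"}, "accept", log=True),
]

# Corrected: specific rules first, Internet rule scoped to wan1 and a service
# list, explicit logged deny-all last.
GOOD_ORDER = [
    Policy("HQ-to-BR-tunnel", "lan", "vpn-br", HQ_LAN, BR_LAN, {ANY}, "accept", nat=False, log=True),
    Policy("HQ-LAN-to-DMZ-web", "lan", "dmz", HQ_LAN, DMZ_WEB, {"tcp/443"}, "accept", log=True),
    Policy("HQ-LAN-to-Internet", "lan", "wan1", HQ_LAN, EVERYTHING, WEB, "accept", nat=True, log=True),
    Policy("Deny-all-log", ANY, ANY, EVERYTHING, EVERYTHING, {ANY}, "deny", log=True),
]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(label, "shadowed:", shadowed(rules),
              "missing final deny:", missing_final_deny(rules))
```

On the `BAD_ORDER` set the linter reports both the tunnel rule and the DMZ rule as shadowed by `HQ-LAN-to-any`, and flags that the covering rule applies NAT; it also reports the missing final deny. The `GOOD_ORDER` set, with the specific rules above the Internet rule and the Internet rule pinned to `wan1`, produces no findings. FortiGate's own matching also takes schedule, users and other fields into account, so treat this as a first-pass review aid, not a substitute for a policy lookup test on the device.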
Topics:
- Defining local and remote VPN selectors
- Creating non-NAT policies for tunnels
- Ordering VPN policies vs Internet rules
- Separating management and user traffic
- Troubleshooting common VPN policy issues

Lesson 4 - Security profiles: application control (blocking risky apps, bandwidth shaping, and categorization)

Configure application control profiles to identify and manage applications regardless of port. Learn to block risky apps, shape bandwidth, and tune categories while monitoring logs to refine policies without disrupting business traffic.
Topics:
- Selecting base application control profiles
- Blocking high-risk and unwanted apps
- Applying per-application bandwidth limits
- Using categories and overrides wisely
- Reviewing logs to refine app policies

Lesson 5 - BR LAN to Internet policy: sources, destinations, services, NAT settings, logging

Configure a secure branch (BR) LAN to Internet policy aligned with HQ standards. Learn how to reuse objects, apply NAT, and enable logging while accounting for local Internet breakout, limited bandwidth, and different compliance or content-filtering needs.
Topics:
- Reusing global vs local address objects
- Defining branch-specific service policies
- Configuring NAT and IP pools for branches
- Aligning logging with central reporting
- Handling local Internet breakout traffic

Lesson 6 - Logging and session handling within policies: enabling logging, syslog fields, and disk usage implications

Understand how to enable and tune logging on policies, including log types, severity, and destinations. Learn the key session fields (source and destination, interfaces, policy ID, NAT translation, duration, and byte counts), how log volume affects local disk usage, and strategies for log retention, offloading to syslog or a central log collector, and compliance reporting.
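The session fields this lesson covers are easiest to understand by parsing a few records. The Python below is an added example written for this page, not FortiGate code or course material. The field names (`srcip`, `dstintf`, `policyid`, `policyname`, `trandisp`, `sentbyte`, `rcvdbyte`, `sessionid`, `action`) follow the key=value layout of FortiOS traffic logs, but every record in `SAMPLE_LOGS` is constructed for this example, and the interface name `vpn-br`, the policy names and the device identifier are placeholders. Besides a per-policy byte summary, it shows one check worth running routinely: a session that left on the tunnel interface with `trandisp=snat` means a NAT rule matched before the non-NAT tunnel policy, which is the ordering error from Lesson 3. The retention helper turns the observed record size into the disk-quota arithmetic the lesson describes.

```python
"""FortiOS-style traffic log parsing (added example, not FortiGate code).

Records are key=value pairs; string values are quoted, numbers and
addresses are bare. The sample records are constructed, not captured.
"""
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = """\
date=2024-05-01 time=10:15:32 devname="FGT-HQ" devid="FGT60F0000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.1.25 srcport=51234 srcintf="port2" srcintfrole="lan" dstip=93.184.216.34 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=1001 proto=6 action="close" policyid=3 policyname="HQ-LAN-to-Internet" service="HTTPS" trandisp="snat" transip=203.0.113.10 transport=51234 duration=12 sentbyte=2048 rcvdbyte=8192 sentpkt=20 rcvdpkt=18
date=2024-05-01 time=10:16:05 devname="FGT-HQ" devid="FGT60F0000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.1.40 srcport=40112 srcintf="port2" srcintfrole="lan" dstip=198.51.100.7 dstport=80 dstintf="wan1" dstintfrole="wan" sessionid=1002 proto=6 action="close" policyid=3 policyname="HQ-LAN-to-Internet" service="HTTP" trandisp="snat" transip=203.0.113.10 transport=40112 duration=3 sentbyte=512 rcvdbyte=4096 sentpkt=6 rcvdpkt=5
date=2024-05-01 time=10:16:40 devname="FGT-HQ" devid="FGT60F0000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.2.9 srcport=50001 srcintf="port2" srcintfrole="lan" dstip=10.20.0.15 dstport=445 dstintf="vpn-br" dstintfrole="undefined" sessionid=1003 proto=6 action="close" policyid=5 policyname="HQ-to-BR-tunnel" service="SMB" trandisp="noop" duration=40 sentbyte=1500 rcvdbyte=300 sentpkt=12 rcvdpkt=9
date=2024-05-01 time=10:17:02 devname="FGT-HQ" devid="FGT60F0000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.2.9 srcport=50110 srcintf="port2" srcintfrole="lan" dstip=10.20.0.20 dstport=22 dstintf="vpn-br" dstintfrole="undefined" sessionid=1005 proto=6 action="close" policyid=3 policyname="HQ-LAN-to-Internet" service="SSH" trandisp="snat" transip=203.0.113.10 transport=50110 duration=1 sentbyte=100 rcvdbyte=0 sentpkt=2 rcvdpkt=0
date=2024-05-01 time=10:17:30 devname="FGT-HQ" devid="FGT60F0000000000" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.77 srcport=44444 srcintf="wan1" srcintfrole="wan" dstip=203.0.113.10 dstport=23 dstintf="port2" dstintfrole="lan" sessionid=1004 proto=6 action="deny" policyid=0 policytype="policy" service="TELNET" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=1 rcvdpkt=0
"""


def parse_line(line):
    """One record -> dict; quotes stripped, every value kept as a string."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV.findall(line)}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarise_by_policy(records):
    """Per policyid: accepted sessions, bytes each way, denied sessions."""
    out = defaultdict(lambda: {"name": "", "sessions": 0, "sentbyte": 0,
                               "rcvdbyte": 0, "denied": 0})
    for r in records:
        s = out[r.get("policyid", "?")]
        s["name"] = r.get("policyname", s["name"])
        if r.get("action") == "deny":
            s["denied"] += 1
            continue
        s["sessions"] += 1
        s["sentbyte"] += int(r.get("sentbyte", 0))
        s["rcvdbyte"] += int(r.get("rcvdbyte", 0))
    return dict(out)


def natted_tunnel_sessions(records, tunnel_intf):
    """(sessionid, policy) for sessions that left on the tunnel interface
    with source NAT applied. A correct non-NAT tunnel policy logs
    trandisp=noop, so snat here means a broader NAT rule matched first."""
    return [(r["sessionid"], r.get("policyname", r.get("policyid")))
            for r in records
            if r.get("dstintf") == tunnel_intf
            and r.get("trandisp", "noop") != "noop"]


def avg_record_bytes(text):
    lines = [l for l in text.splitlines() if l.strip()]
    return sum(len(l) + 1 for l in lines) / len(lines)  # +1 for the newline


def retention_days(avg_bytes, records_per_day, quota_bytes):
    """Days of traffic logs a local disk quota holds at a given session rate."""
    return quota_bytes / (avg_bytes * records_per_day)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for pid, s in sorted(summarise_by_policy(recs).items()):
        print(pid, s)
    print("NATed sessions on vpn-br:", natted_tunnel_sessions(recs, "vpn-br"))
    print("days per 10 GiB at 1M sessions/day:",
          round(retention_days(avg_record_bytes(SAMPLE_LOGS), 1_000_000, 10 * 1024**3), 1))
```

Session 1005 in the sample is the tell-tale record: destination `10.20.0.20` on `vpn-br`, yet matched by `HQ-LAN-to-Internet` with `trandisp=snat`. The retention figure is a rough guide only; records for a single session can appear more than once (start, update, close), and UTM logs add further volume on top of traffic logs.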
Topics:
- Choosing log types and severity levels
- Selecting local disk vs remote logging
- Understanding key session log fields
- Managing disk usage and log rotation
- Using logs for audits and forensics

Lesson 7 - HQ LAN to HQ DMZ policy: controlled access to web/mail servers, limited ports, intra-zone inspection

Design HQ LAN to DMZ policies that tightly control access to the servers hosted there. Learn to restrict access to the required ports only, apply security profiles, and inspect intra-zone traffic, while preserving server availability and supporting monitoring and backup flows.
Topics:
- Defining DMZ server address objects
- Restricting access to required ports only
- Applying security profiles to DMZ traffic
- Allowing monitoring and backup securely
- Testing and validating DMZ access rules

Lesson 8 - Security profiles: web filtering configuration, categories, safe-search, and SSL inspection considerations

Configure web filtering profiles with category-based controls, safe-search enforcement, and SSL inspection choices. Learn how to balance user productivity, privacy, and security while minimizing certificate warnings (clients must trust the inspection CA) and inspection failures (for example, applications that pin certificates).
Topics:
- Building category-based web filter profiles
- Enforcing safe-search and YouTube controls
- Configuring SSL inspection for web traffic
- Handling certificate warnings and bypasses
- Reporting and tuning blocked web activity

Lesson 9 - Security profiles: IPS policy tuning, signatures, and performance vs. protection tradeoffs

Explore IPS profile design for different traffic types, tune signatures to reduce noise, and understand how inspection modes and hardware resources affect throughput. Learn to balance detection depth with acceptable latency and CPU usage.
Topics:
- Choosing IPS default and custom profiles
- Tuning signatures and severity thresholds
- Using flow-based vs proxy-based inspection
- Handling false positives and exemptions
- Measuring IPS impact on performance

Lesson 10 - Security profiles: antivirus deployment and recommended scanning options

Understand FortiGate antivirus profiles, including real-time scanning, file type coverage, and heuristic options. Learn recommended settings for web, email, and file services, plus how to handle large files, archives, and performance-sensitive traffic.
Topics:
- Selecting AV profiles for different policies
- Configuring full, quick, and flow-based scan
- Handling archives, large files, and timeouts
- Dealing with encrypted and compressed traffic
- Logging and alerting for malware events

Lesson 11 - Inter-VDOM or inter-zone policies if using VDOMs: policy separation and management access

Explore the inter-VDOM and inter-zone policies used when VDOMs segment environments. Learn how to separate management and user traffic, control administrative access, and maintain clear policy boundaries between security domains.
Topics:
- Planning VDOM roles and trust levels
- Creating inter-VDOM link interfaces
- Building policies between VDOMs safely
- Restricting management plane access
- Logging and auditing cross-VDOM traffic