Lesson 1
Policy design principles: least privilege, deny-by-default, explicit allow rules

Study the core firewall policy planning principles: least privilege, deny-by-default, and explicit allow rules. Learn to arrange policies for clarity, eliminate hidden (shadowed or unreachable) rules, and record the business justification for each access requirement.
- Implementing deny-by-default at the edge
- Designing least-privilege access rules
- Avoiding overlapping and shadowed policies
- Using address and service groups wisely
- Documenting and reviewing business rules

Lesson 2
HQ LAN to Internet policy: sources, destinations, services, NAT settings, logging

Learn how to build a safe HQ LAN to Internet policy, including address and service objects, NAT setup, logging choices, and placement in the rule order. Understand how to avoid overly permissive rules while keeping user access working.
- Defining HQ LAN and Internet address objects
- Selecting appropriate service objects and groups
- Configuring central or policy-based NAT
- Enabling and tuning traffic logging options
- Placing the policy correctly in rule order

Lesson 3
Site-to-site traffic policies: selectors, policy order, and non-NAT for tunneled networks

Learn how to create policies for site-to-site VPN traffic, including address selectors, policy order, and rules with NAT disabled so tunneled traffic keeps its private source address. Understand how to separate tunneled traffic from direct Internet traffic and avoid asymmetric routing or unintended exposure.
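The ordering points in Lessons 1 to 3 (top-down first-match evaluation, an implicit deny at the bottom, and keeping the site-to-site policy with NAT disabled above the general Internet rule) can be modelled and checked in a few lines. The Python below is an added example written for this outline, not FortiGate code or course material; the interface names (port2, wan1, to_BR), policy IDs and address ranges are constructed. Shadow detection here uses only subnet containment and service supersets, which is a simplification: real policy objects also carry schedules, users and FQDN addresses.

```python
"""First-match policy model with shadowed-rule and NAT checks (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str      # egress interface chosen by routing before policy lookup
    src: str
    dst: str
    service: str      # "proto/port", e.g. "tcp/443"


@dataclass
class Policy:
    pid: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: Tuple[str, ...]   # CIDR strings
    dstaddr: Tuple[str, ...]
    services: Set[str]         # {"any"} or a set of "proto/port"
    action: str                # "accept" or "deny"
    nat: bool = False          # source NAT on egress

    def matches(self, f: Flow) -> bool:
        return (
            self.srcintf in ("any", f.srcintf)
            and self.dstintf in ("any", f.dstintf)
            and any(ip_address(f.src) in ip_network(n) for n in self.srcaddr)
            and any(ip_address(f.dst) in ip_network(n) for n in self.dstaddr)
            and ("any" in self.services or f.service in self.services)
        )


def evaluate(policies: List[Policy], flow: Flow) -> Optional[Policy]:
    """Top-down, first match wins; None means the implicit deny-all applied."""
    for p in policies:
        if p.matches(flow):
            return p
    return None


def _nets_cover(outer: Tuple[str, ...], inner: Tuple[str, ...]) -> bool:
    outer_nets = [ip_network(n) for n in outer]
    return all(any(ip_network(i).subnet_of(o) for o in outer_nets) for i in inner)


def covers(earlier: Policy, later: Policy) -> bool:
    """True when every flow `later` could match is already caught by `earlier`."""
    return (
        earlier.srcintf in ("any", later.srcintf)
        and earlier.dstintf in ("any", later.dstintf)
        and _nets_cover(earlier.srcaddr, later.srcaddr)
        and _nets_cover(earlier.dstaddr, later.dstaddr)
        and ("any" in earlier.services or later.services <= earlier.services)
    )


def find_shadowed(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Return (shadowed_pid, shadowing_pid) pairs; shadowed rules never fire."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                found.append((later.pid, earlier.pid))
                break
    return found


# Constructed objects for the example (not from any real configuration).
HQ_LAN, BR_LAN, INTERNET = ("10.10.0.0/16",), ("10.20.0.0/16",), ("0.0.0.0/0",)

VPN_TO_BR = Policy(10, "HQ-LAN_to_BR-LAN_tunnel", "port2", "to_BR",
                   HQ_LAN, BR_LAN, {"any"}, "accept", nat=False)
LAN_TO_INTERNET = Policy(20, "HQ-LAN_to_Internet", "port2", "wan1",
                         HQ_LAN, INTERNET, {"tcp/80", "tcp/443", "udp/53"}, "accept", nat=True)
# Common mistake: dstintf "any" makes the Internet rule swallow tunnel traffic too.
LOOSE_INTERNET = Policy(21, "HQ-LAN_to_any_LOOSE", "port2", "any",
                        HQ_LAN, INTERNET, {"any"}, "accept", nat=True)
DNS_ONLY = Policy(30, "HQ-LAN_DNS_out", "port2", "wan1",
                  HQ_LAN, INTERNET, {"udp/53"}, "accept", nat=True)

GOOD_ORDER = [VPN_TO_BR, LAN_TO_INTERNET]
BAD_ORDER = [LOOSE_INTERNET, VPN_TO_BR, DNS_ONLY]

TUNNEL_FLOW = Flow("port2", "to_BR", "10.10.5.5", "10.20.7.7", "tcp/445")
WEB_FLOW = Flow("port2", "wan1", "10.10.5.5", "203.0.113.10", "tcp/443")
SSH_OUT = Flow("port2", "wan1", "10.10.5.5", "203.0.113.10", "tcp/22")

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        hit = evaluate(rules, TUNNEL_FLOW)
        print(label, "tunnel flow ->", hit.pid if hit else "implicit deny",
              "NAT" if hit and hit.nat else "no NAT")
        print(label, "shadowed:", find_shadowed(rules))
    print("ssh out ->", evaluate(GOOD_ORDER, SSH_OUT))   # None: implicit deny
```

In the bad ordering the loose rule both NATs the tunneled session (so the branch sees the HQ public address instead of 10.10.x.x) and shadows the dedicated VPN and DNS policies, which is exactly what the shadowed-rule review in Lesson 1 is meant to catch before it reaches production.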
- Defining local and remote VPN selectors
- Creating non-NAT policies for tunnels
- Ordering VPN policies vs Internet rules
- Separating management and user traffic
- Troubleshooting common VPN policy issues

Lesson 4
Security profiles: application control—blocking risky apps, bandwidth shaping, and categorization

Set up application control profiles to identify and manage applications regardless of the port they use. Learn to block risky apps, shape bandwidth, and adjust categories, and review logs to refine the policy without interrupting business traffic.
- Selecting base application control profiles
- Blocking high-risk and unwanted apps
- Applying per-application bandwidth limits
- Using categories and overrides wisely
- Reviewing logs to refine app policies

Lesson 5
BR LAN to Internet policy: sources, destinations, services, NAT settings, logging

Set up a safe branch LAN to Internet policy that matches HQ standards. Learn how to reuse objects, apply NAT, and enable logging while accounting for local Internet breakout, limited bandwidth, and branch-specific compliance or content requirements.
- Reusing global vs local address objects
- Defining branch-specific service policies
- Configuring NAT and IP pools for branches
- Aligning logging with central reporting
- Handling local Internet breakout traffic

Lesson 6
Logging and session handling within policies: enabling logging, syslog fields, and disk usage implications

Understand how to enable and tune logging on policies, including log types, severity, and destinations. Learn the key session log fields, how log volume affects local disk use, and how to plan retention, offloading to syslog or a central collector, and compliance reporting.
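The session fields listed in Lesson 6 are only useful if they are parsed consistently, and the disk-usage question reduces to line size times session rate times retention. The Python below is an added example written for this outline, not course material or FortiGate output: the log lines are constructed in the FortiOS key=value traffic-log style (field names such as srcintf, dstintf, policyid, trandisp, sentbyte and rcvdbyte are the standard ones, but the values, device name and interface names are made up). It also shows two policy checks that fall out of the parsed fields: sessions that hit the implicit deny (policyid 0) and tunnel-bound sessions that were source-NATed despite the Lesson 3 non-NAT rule.

```python
"""Parse FortiOS-style key=value traffic logs and derive policy checks (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample lines in FortiOS key=value traffic-log style (not real device output).
SAMPLE_LOG = """\
date=2024-03-01 time=10:15:02 devname="FGT-HQ" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.5.5 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="wan1" sessionid=1001 proto=6 action="accept" policyid=20 service="HTTPS" trandisp="snat" transip=198.51.100.2 transport=51234 duration=32 sentbyte=2048 rcvdbyte=16384
date=2024-03-01 time=10:15:09 devname="FGT-HQ" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.5.6 srcport=40022 srcintf="port2" dstip=10.20.7.7 dstport=445 dstintf="to_BR" sessionid=1002 proto=6 action="accept" policyid=10 service="SMB" trandisp="noop" duration=120 sentbyte=90000 rcvdbyte=450000
date=2024-03-01 time=10:15:11 devname="FGT-HQ" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.5.7 srcport=40100 srcintf="port2" dstip=10.20.7.8 dstport=22 dstintf="to_BR" sessionid=1003 proto=6 action="accept" policyid=21 service="SSH" trandisp="snat" transip=198.51.100.2 transport=40100 duration=5 sentbyte=3000 rcvdbyte=5000
date=2024-03-01 time=10:15:15 devname="FGT-HQ" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.5.5 srcport=51300 srcintf="port2" dstip=203.0.113.10 dstport=22 dstintf="wan1" sessionid=1004 proto=6 action="deny" policyid=0 service="SSH" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
INT_FIELDS = {"srcport", "dstport", "sessionid", "proto", "policyid",
              "duration", "sentbyte", "rcvdbyte", "transport"}


def parse_line(line: str) -> Dict[str, object]:
    """One log line -> dict; quotes stripped, known numeric fields converted to int."""
    rec: Dict[str, object] = {}
    for key, raw in KV.findall(line):
        val = raw[1:-1] if raw.startswith('"') else raw
        rec[key] = int(val) if key in INT_FIELDS else val
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def per_policy_summary(records: Iterable[Dict[str, object]]) -> Dict[int, Dict[str, int]]:
    """Session count and total bytes per policyid; policyid 0 is the implicit deny."""
    out: Dict[int, Dict[str, int]] = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for r in records:
        s = out[int(r["policyid"])]
        s["sessions"] += 1
        s["bytes"] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
    return dict(out)


def implicit_denies(records: Iterable[Dict[str, object]]) -> List[int]:
    """Sessions dropped by the implicit deny: candidates for a missing explicit rule."""
    return [int(r["sessionid"]) for r in records
            if r.get("action") == "deny" and int(r["policyid"]) == 0]


def unexpected_nat(records: Iterable[Dict[str, object]], tunnel_intfs: Set[str]) -> List[int]:
    """Tunnel-bound sessions that were source-NATed (trandisp != noop): the
    non-NAT site-to-site policy was bypassed or misordered."""
    return [int(r["sessionid"]) for r in records
            if r.get("dstintf") in tunnel_intfs and r.get("trandisp") != "noop"]


def estimate_disk_bytes(text: str, sessions_per_day: int, retention_days: int) -> int:
    """Rough local-disk budget: mean raw line length x session logs/day x retention.
    Compression and index overhead are ignored, so treat this as a lower bound."""
    lines = [l for l in text.splitlines() if l.strip()]
    avg_len = sum(len(l) + 1 for l in lines) / len(lines)   # +1 for the newline
    return int(avg_len * sessions_per_day * retention_days)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(per_policy_summary(recs))
    print("implicit denies:", implicit_denies(recs))
    print("NAT on tunnel:", unexpected_nat(recs, {"to_BR"}))
    print("30-day disk at 1M sessions/day, GiB:",
          estimate_disk_bytes(SAMPLE_LOG, 1_000_000, 30) / 2**30)
```

Session 1003 is the tell-tale from the previous lessons: it left on the tunnel interface under a NAT-enabled policy (21), so the branch saw a translated address. Running this kind of check against exported logs is a cheap way to validate rule order after every change, and the disk estimate makes the case for remote logging before the local disk fills and rotation starts discarding evidence.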
- Choosing log types and severity levels
- Selecting local disk vs remote logging
- Understanding key session log fields
- Managing disk usage and log rotation
- Using logs for audits and forensics

Lesson 7
HQ LAN to HQ DMZ policy: controlled access to web/mail servers, limited ports, intra-zone inspection

Design HQ LAN to DMZ policies that tightly control access to the servers in the DMZ. Learn to restrict access to the required ports, apply security profiles, and inspect intra-zone traffic while keeping the servers available and supporting monitoring and backup flows.
- Defining DMZ server address objects
- Restricting access to required ports only
- Applying security profiles to DMZ traffic
- Allowing monitoring and backup securely
- Testing and validating DMZ access rules

Lesson 8
Security profiles: web filtering configuration, categories, safe-search, and SSL inspection considerations

Set up web filtering profiles with category controls, safe-search enforcement, and SSL inspection choices. Learn how to balance user productivity, privacy, and security while minimising certificate warnings and inspection failures.
- Building category-based web filter profiles
- Enforcing safe-search and YouTube controls
- Configuring SSL inspection for web traffic
- Handling certificate warnings and bypasses
- Reporting and tuning blocked web activity

Lesson 9
Security profiles: IPS policy tuning, signatures, and performance vs. protection tradeoffs

Plan IPS profiles for different traffic types, tune signatures to cut noise, and understand how inspection mode and hardware affect throughput. Learn to balance detection depth against acceptable latency and CPU use.
- Choosing IPS default and custom profiles
- Tuning signatures and severity thresholds
- Using flow-based vs proxy-based inspection
- Handling false positives and exemptions
- Measuring IPS impact on performance

Lesson 10
Security profiles: antivirus deployment and recommended scanning options

Understand FortiGate antivirus profiles, including real-time scanning, file type coverage, and heuristic options. Learn recommended settings for web, email, and file services, and how to handle large files, archives, and latency-sensitive traffic.
- Selecting AV profiles for different policies
- Configuring full, quick, and flow-based scan
- Handling archives, large files, and timeouts
- Dealing with encrypted and compressed traffic
- Logging and alerting for malware events

Lesson 11
Inter-VDOM or inter-zone policies if using VDOMs: policy separation and management access

Examine the inter-VDOM and inter-zone policies used when VDOMs separate environments. Learn how to keep management and user traffic apart, control administrative access, and maintain clear policy boundaries between security domains.
- Planning VDOM roles and trust levels
- Creating inter-VDOM link interfaces
- Building policies between VDOMs safely
- Restricting management plane access
- Logging and auditing cross-VDOM traffic