Fortinet Certified Professional - FortiGate (FCP - FortiGate) Study Guide
The FCP - FortiGate certification (formerly NSE 4) validates the ability to deploy, configure, and operate FortiGate next-generation firewalls running FortiOS. It is aimed at network and security professionals who administer FortiGate day to day, covering system setup, firewall policy and NAT, authentication and FSSO, SSL and IPsec VPN, security profiles, routing and SD-WAN, high availability, and logging and diagnostics.
Reviewed Jul 2026.
Domain 1: Deployment and system configuration
- The admin GUI and the SSL VPN web portal both default to TCP port 443, so when both must be reachable on one interface an administrator commonly moves the GUI to an alternate port such as 8443 to avoid the conflict.
- The administrator idle timeout defines how long a GUI or CLI session can stay inactive before FortiOS logs the admin out, reducing the risk of an unattended session being misused.
- Trusted hosts restrict which source addresses may log in to an administrator account, and management access protocols (HTTPS, SSH, ping, etc.) must be explicitly enabled per interface.
- A downstream device requesting to join a Security Fabric appears as unauthorized on the root FortiGate until an administrator authorizes (trusts) it under Security Fabric settings, after which it becomes an active member in the topology.
- A fabric connector integrates an external product or platform (such as an SDN or cloud provider) with the Security Fabric, and an interface with the Undefined role does not receive the GUI's role-based default policy and configuration suggestions.
- Administrative distance measures how trustworthy a routing source is; directly connected routes default to 0, static routes to 10, OSPF to 110, and BGP to 20 (external) or 200 (internal).
- When two routes have equal administrative distance, the route with the lower metric or cost is preferred.
- A zone bundles multiple physical or virtual interfaces under one name so a single firewall policy can reference the zone instead of each member interface individually, without changing routing.
- Some settings are global (administrator accounts and profiles) while others are per-VDOM (firewall policies and static routes); enabling multi-VDOM mode requires a system reboot to take effect.
- Session helpers (also called ALGs) are needed for protocols like SIP and FTP active mode that embed IP address and port data in their payload, so NAT can translate the embedded values; encrypted protocols such as HTTPS and SSH do not need them.
- diagnose sys session list displays the active session table entries, and some low-level diagnose commands exist only in the CLI, not the GUI.
- execute factoryreset wipes the configuration and restores factory defaults, and downgrading firmware to an earlier major release typically also resets the configuration to defaults.
- DHCP Relay lets clients reach a DHCP server on a different subnet, while a reserved (fixed) address maps a device's MAC address to a specific IP so it always receives the same lease.
- Aggregate or redundant interface members must be unconfigured and have no assigned IP before they can be added to the group, and traffic across the group is distributed by hashing source and destination address and port information.
Domain 2: Firewall policies and NAT
- FortiGate evaluates firewall policies top-to-bottom and applies the first policy that matches the traffic, so ordering is critical; the policy list view shows policies in their actual evaluation order.
- Address groups can nest other address groups, letting a single policy reference many addresses through one grouped object to simplify management.
- The Overload IP pool performs many-to-one source NAT by dynamically assigning source ports, letting many internal hosts share a few public addresses; it is the default and most common pool type.
- A Fixed Port Range pool conserves addresses like Overload but confines each host's translated sessions to a defined port span rather than the full available range.
- Per-policy NAT is the default; enabling Central NAT is a single VDOM-wide setting, and a Central SNAT rule can be configured to match and account for traffic while applying no translation.
- Security profiles are applied within the firewall policy, not within a Central SNAT rule.
- A static NAT VIP maps one external address to one internal address, while a load-balance VIP distributes destination traffic across multiple real servers using a selected load-balancing method.
- A hairpin policy on the internal interface with source NAT enabled lets internal clients reach a server via the same public VIP used from outside.
- Two VIPs using the interface's own IP with port forwarding to different internal ports can publish two services from a single public IP address.
- A Device (MAC) address object matches a device by MAC so the policy stays accurate even as the device's IP changes, and a Dynamic (SDN connector) address object automatically reflects changing cloud instances such as EC2.
- The always schedule keeps a policy active continuously; a recurring schedule repeats on selected weekdays and times, and a one-time schedule matches a single fixed start and end date and time.
- Predefined service objects are created and maintained by Fortinet and cannot be permanently deleted, and firewall policies can match traffic by geographic location (geo-IP) of the source or destination address.
- The implicit deny rule at the bottom of the policy list drops all traffic that no policy matches, and its logging is off by default and must be explicitly enabled.
- Traffic denied by a policy is never forwarded, so security profile scanning does not run on it at all.
Domain 3: Authentication and FSSO
- A user group that references a RADIUS server directly, rather than listing individual accounts, lets any user who successfully authenticates against that server be treated as a member, scaling far better than duplicating accounts locally.
- A RADIUS server object requires the server address, a shared secret matched on both ends, and an authentication protocol (PAP, CHAP, MS-CHAP-v2, or Auto); RADIUS authentication uses UDP port 1812 by default.
- The shared secret authenticates FortiGate to the RADIUS server and helps protect the credential exchange.
- RADIUS can return group membership using the standard Filter-Id attribute or the Fortinet-Group-Name vendor-specific attribute, which explicitly names the FortiGate user group the user should join.
- RSSO derives identity from RADIUS accounting messages (from 802.1X switches, wireless controllers, or VPN devices) rather than from Active Directory logon events.
- The LDAP Regular bind type requires FortiGate to authenticate first with a dedicated search account's distinguished name and password before locating users.
- Two-factor authentication is independent of where the primary password is validated, so FortiToken, email, or SMS can be layered on top of remote LDAP or RADIUS primary authentication; SMS delivery requires a configured SMS gateway or messaging service.
- The local password policy can enforce minimum length, required character composition, and an expiration period in days for local users.
- FSSO provides transparent, identity-based policy enforcement by leveraging users' existing Active Directory domain logon.
- DC Agent mode installs an agent on every monitored domain controller that pushes logon and logoff events to the Collector Agent in near real time; installing the DC Agent requires administrative rights on the domain controller.
- Polling mode reads logons by periodically querying the domain controller's security event log without installing any agent on the DC, so it can lag behind actual logon activity.
- The Collector Agent utility is where the list of monitored domain controllers and the workstation verification interval are set; workstation verification checks whether the previously logged-on user is still active on the workstation.
- FortiGate and the FSSO Collector Agent must share a matching configured password for their connection to authenticate; the connection is configured under User & Authentication, Single Sign-On.
- The FortiClient SSO Mobility Agent helps identify users whose devices are not reliably reachable by DC polling, such as roaming laptops.
Domain 4: SSL and IPsec VPN
- IKE Phase 1 authenticates the peers and negotiates the encryption, hashing, and Diffie-Hellman parameters that build the secure IKE channel; Phase 2 then negotiates the IPsec security associations that actually encrypt user data, and Phase 2 cannot start until Phase 1 succeeds.
- Standard non-NAT-T IPsec uses UDP port 500 for IKE and IP protocol 50 (ESP) for the encrypted payload, and both must be permitted through any intervening firewall.
- Phase 1 fails outright if the two peers use different IKE versions, and a mismatch in encryption, authentication, or Diffie-Hellman group between the peers is a likely cause of Phase 1 failure.
- A Phase 2 failure with a working Phase 1 is commonly caused by the source and destination subnets in the Phase 2 selectors not matching on both sides.
- Route-based (interface mode) IPsec creates a virtual tunnel interface bound to a physical interface that participates in the routing table, so it uses standard accept policies and needs a static or dynamic route pointing traffic into the tunnel.
- Policy-based VPNs use the special IPsec policy action and lack a virtual tunnel interface, which is why they cannot run a dynamic routing protocol over the tunnel.
- ADVPN requires route-based (interface mode) IPsec, and a dynamic routing protocol is needed so on-demand shortcut paths can be learned and installed between spokes.
- Dead Peer Detection (DPD) checks whether the remote IPsec peer is still reachable and responsive, and DPD together with SD-WAN performance SLA health checks provides fast failover between redundant tunnels.
- diagnose vpn ike gateway flush name <gateway> clears the IKE gateway's Phase 1 state to force renegotiation, for example after a pre-shared key change, without a reboot.
- SSL VPN tunnel mode installs a virtual network adapter on the client and assigns it an IP from the tunnel IP range, giving full network access.
- SSL VPN web (portal) mode provides clientless browser-based access, using bookmarks that launch connections to internal resources such as RDP, SSH, or web applications without a tunnel client.
- SSL VPN host check relies on FortiClient running on the endpoint to report posture attributes such as installed antivirus vendor and status, which FortiGate compares against the administrator's defined requirements.
- SSL VPN realms let an administrator append a realm identifier to the login URL to route users to a customized login page for that realm.
Domain 5: Security profiles (AntiVirus, Web Filter, Application Control, IPS)
- On models with local storage, quarantined files are held in a dedicated quarantine area on the FortiGate's internal disk, where an administrator can browse, download, or delete them; models without a disk have limited or no local quarantine.
- The regular (normal) AV database focuses on current, actively spreading threats with a smaller footprint and lower resource use and is the default, while the extended database covers a broader historical set.
- An external malware block list references an administrator-maintained set of file hashes (often via a threat feed connector) so matching files are blocked regardless of whether they trigger a standard AV signature.
- FortiSandbox runs dynamic behavioral analysis on files the AV engine cannot classify, returning refined verdict feedback and letting administrators view sandbox analysis logs.
- Certificate (SSL) inspection reads only the certificate and cannot examine the decrypted contents of an encrypted session, so full (deep) SSL inspection is required to let AntiVirus and IPS scan the payload, at the cost of full file buffering and added latency.
- In deep inspection FortiGate copies the original certificate's subject details into a replacement certificate but signs it with its own CA, so the site name looks correct but the issuer changes; using an internal enterprise CA that domain-joined clients already trust avoids distributing a new certificate.
- Some sites, such as banking sites, are commonly exempted from deep inspection because decryption can conflict with compliance or break client-certificate authentication, but exempted sessions are never decrypted so AntiVirus and IPS cannot inspect their payload.
- Web filter category actions include Block, Warning (a click-through interstitial the user can bypass, with the choice logged), and Monitor (allow but log every match).
- SSH inspection can distinguish and control channel types such as port forwarding, shell, and X11 within an SSH session.
- Application control classifies traffic that matches no signature under the Unknown Application category, and it checks application overrides first, then filter overrides, before falling back to the category default action.
- An IPS sensor is built from filters and individually added signature entries.
- IPS signature actions include Monitor (allow but log every match), Default (defer to FortiGuard's predefined action for that signature), and rate-based signatures that only fire after a tunable event count within a set time window.
- Packet logging on IPS saves the raw triggering packet data for later forensic review, at the cost of extra storage and processing.
- Grayware or unwanted software categories such as adware and spyware can be enabled within the AntiVirus profile.
Domain 6: Routing and SD-WAN
- Administrative distance selects between routing sources and the lower value wins; when distances tie, FortiGate uses priority as a tiebreaker and installs only the route with the lower priority value, keeping the higher-priority route in the RIB as a standby.
- A static route with distance 10 is installed over an OSPF route to the same destination because 110 is higher, and giving a backup route a higher administrative distance than the primary keeps it out of the FIB until the primary disappears.
- The default route 0.0.0.0/0.0.0.0 matches any destination for which no more specific route exists, and dragging a more specific rule higher establishes precedence in ordered lists.
- get router info routing-table database shows all candidate RIB routes including backups, while get router info routing-table all shows only the winning routes installed in the FIB; diagnose firewall route list also displays active FIB entries.
- The default ECMP load-balancing method is source-IP-based hashing.
- OSPF neighbor states progress Down, Init, 2-Way, ExStart, Exchange, Loading, Full; 2-Way means neighbors have seen each other in hellos and Full means databases are synchronized.
- Default OSPF broadcast interface timers are a 10-second hello interval and a 40-second dead interval, and a stub area blocks external Type 5 LSAs and relies on a default route from its area border router.
- Enabling OSPF pairs a network prefix with an area ID to activate OSPF on matching interfaces and assign them to that area.
- BGP is favored for ISP connectivity because it enables dynamic, policy-based routing and multihomed failover; the Established state is where peers actively exchange route update messages.
- Redistribution between protocols is controlled with route maps (match and set clauses that can modify attributes like metric or tag), prefix lists, and distribute lists.
- SD-WAN rules are evaluated top-down and the first matching rule is applied, so precedence is set by reordering rules in the list.
- SD-WAN Performance SLA measures latency, jitter, and packet loss against configurable target thresholds, and the Best Quality strategy dynamically selects the currently top-performing member.
- A link monitor removes the associated route when probes fail beyond the threshold to force failover, and configuring a hold-down time reduces route flapping.
Domain 7: High availability
- FGCP is a Fortinet-proprietary protocol that synchronizes configuration and, optionally, session state across a cluster, doing far more than just failing over an IP address.
- FGCP primary election compares monitored interface status first (fewest failed monitored interfaces wins), then HA uptime, then device priority, and finally the higher serial number as the last tiebreaker.
- With override disabled, meaningful HA uptime differences (a 300-second / 5-minute threshold) generally outweigh priority; with override enabled, higher device priority is favored for primary election.
- A healthy subordinate becomes the new primary after a monitored interface failure on the current primary.
- Session pickup is disabled by default, so without it active sessions are dropped and must be re-established after a failover; it must be explicitly enabled to preserve sessions.
- The heartbeat interface with the higher priority value is preferred for carrying heartbeat traffic while others stay as backups.
- The heartbeat lost threshold sets how many consecutive missed heartbeat packets are tolerated before a peer is declared down, after which FGCP concludes the primary failed and elects a new one; failover typically completes within a few seconds.
- Configuration changes are pushed automatically to subordinate units, and diagnose sys ha checksum cluster compares configuration checksums between members to reveal sync drift.
- An out-of-sync condition is resolved by running the command that forces a configuration resynchronization to all members.
- Reserved management interfaces, enabled with ha-mgmt-status, are excluded from HA synchronization so each member keeps its own unique management IP.
- diagnose sys ha status and diagnose sys ha dump expose more granular internal cluster state for deeper HA troubleshooting.
- Virtual clustering lets each unit be primary for a separate VDOM group, providing basic active-active-style load sharing across the cluster.
- FGSP is designed for independent units that are not in a formal FGCP cluster, such as units separated by routed Layer 3 links or behind an external load balancer, and it synchronizes session state without heartbeat interfaces or cluster membership.
- Reusing the same HA group ID for two clusters risks colliding virtual MAC addresses between them and causing traffic problems.
Domain 8: Logging, monitoring, and diagnostics
- Local disk logging requires the FortiGate to have installed nonvolatile storage such as an HDD, SSD, or SD card; models without such storage cannot use disk as a log destination.
- FortiAnalyzer is the dedicated Fortinet appliance or VM for centralized multi-device log analytics and reporting, and both FortiAnalyzer and a syslog server are valid remote destinations that can run alongside local disk logging.
- FortiGate sends syslog over UDP by default, which provides no acknowledgment that messages arrived.
- In a firewall policy, the Log Allowed Traffic All Sessions option logs every matching session whether or not a detection occurred, while Security Events logs only sessions that trigger a profile detection.
- Log types map to specific events: the Local traffic log records sessions to and from the FortiGate's own interfaces, the Application Control log records matched application signatures, and the IPS log records traffic that matched an attack signature.
- Event log categories such as System, VPN, and User and Device are individually enabled or disabled on the Log Settings page.
- Empty historical FortiView views usually indicate logging is not being written to disk or FortiAnalyzer, since those views depend on stored logs.
- FortiView includes monitor views such as Sources (by originating address) and Threats (by detected security event), and a real-time filterable session monitor can temporarily block a source directly from the view.
- SNMP is supported for polling in versions v1, v2c, and v3, using community strings for v1/v2c and username-based authentication and privacy for v3.
- SNMP traps can be sent for operational events such as CPU usage crossing a threshold or an interface going down, giving the monitoring station immediate notice without waiting for the next poll.
- execute traceroute maps each hop and its response time along the path to pinpoint where connectivity breaks, whereas a simple ping only confirms whether the final destination responds.
- The FortiGate packet sniffer follows tcpdump-style filter syntax; verbosity level 1 shows headers, level 2 adds a packet hex/ASCII dump without the interface name, level 3 adds the interface name, and levels 4 and above (such as 5 and 6) dump the full Ethernet frame.
- Different default idle timeout values by protocol and TCP connection state (UDP much shorter than an established TCP session) are normal session-handling behavior, not a fault; get system status shows the firmware version, build number, and serial number.
Fortinet Certified Professional - FortiGate (FCP - FortiGate) exam tips
- Memorize the default administrative distances (connected 0, static 10, OSPF 110, BGP 20 external / 200 internal) and remember that priority is a FortiGate tiebreaker only when distances are equal.
- Know the split between per-VDOM settings (firewall policies, static routes) and global settings (admin accounts, profiles), and that enabling multi-VDOM mode requires a reboot.
- For VPN questions, keep the Phase 1 vs Phase 2 roles straight and match failure symptoms to causes: IKE version or DH/algorithm mismatch breaks Phase 1, while mismatched selector subnets break Phase 2.
- Understand the difference between certificate inspection and full (deep) SSL inspection, and that only deep inspection lets AntiVirus and IPS scan encrypted payloads.
- Learn the FGCP primary-election order (monitored interfaces, then uptime, then priority, then serial number) and how the override setting flips priority above uptime.
Study guide FAQ
What is the difference between route-based and policy-based IPsec VPN on FortiGate?
Route-based (interface mode) IPsec creates a virtual tunnel interface that participates in the routing table, uses standard accept firewall policies, and supports dynamic routing and ADVPN. Policy-based IPsec has no tunnel interface and instead uses the special IPsec policy action to trigger encryption, so it cannot run dynamic routing over the tunnel.
How do FSSO DC Agent mode and polling mode differ?
DC Agent mode installs an agent on every monitored domain controller that pushes logon and logoff events to the Collector Agent in near real time. Polling mode installs no agent on the DC and instead periodically reads the domain controller's security event log, which is simpler to deploy but can lag behind actual logon activity.
In what order does FortiGate evaluate firewall policies?
FortiGate checks policies top-to-bottom and applies the first policy that matches the traffic. Traffic that matches no policy is dropped by the implicit deny rule at the bottom, whose logging is off by default. Because order determines the match, more specific policies should be placed above broader ones.
What is the relationship between administrative distance and priority in FortiGate routing?
Administrative distance chooses between different routing sources and the lower value wins. Priority is a FortiGate-specific tiebreaker used only among routes that already share the same administrative distance, where the numerically lower priority value is installed into the FIB while the other route stays in the RIB as a standby.