NSE8/FCX Certification

Documenting the processes followed in preparation for the FCX/NSE8 Fortinet expert certification.

  • It’s been a couple of months, I imagine, since I’ve provided an update regarding my FCX journey. In the style of the last update, things have again pivoted.

    I have spent the better part of the last two months focusing on Azure. The only reason for this being the current project I have been assigned to at work – to build out a new failover design for a client’s redundant FortiGate hubs. I’ll speak about this briefly, since it’s what I currently know about and we ran into some interesting issues that I wasn’t able to find quick solutions for via Google, Fortinet forums, or AI.

    The client has two FortiGate hubs, acting as termination points for their ~40 spoke sites as well as somewhere between 50 and 100 vendor and partner B2B IPSec tunnels. The simple (not so simple) ask is to allow for proper failover for VMs living in Azure from Region 1 to Region 2. The failover itself is handled by other engineers. It’s my task to build the network pipes to support this new traffic pattern. The design we all put our heads together and came up with is almost rudimentary: An upgrade to a pair of HA FortiGates in Region 1, where the single FortiGate hub currently lives. Traffic will always flow out of this FortiGate from the Azure resources when it’s up (steady state). When individual VMs or resources fail over from Region 1 to Region 2, traffic still flows to the Azure HA FortiGates in Region 1, across the peered regions. When all of Region 1 fails, Azure will fail over via Azure Site Recovery into Region 2 and (now that the Azure HA FortiGates are down with Region 1) traffic will flow out via an ExpressRoute to the secondary FortiGate hub, living in an on-prem datacenter. It’s almost too much of a brute force to even work, but it passes all of the tests and costs less than the first design – one Azure FortiGate in each region, causing LOTS of IP design complexity for our infrastructure and systems teams.

    We ran into numerous issues, none of which proved to be a detriment to the design, but plenty that strained brains for days on end. Particularly when we decided it would be a great feature to have the ability to terminate IPSec tunnels to both the External Load Balancer (part of the standard FortiGate HA design, provided by Fortinet docs) and a Global Load Balancer in front of the ELB, simultaneously. Looking back at the 3-4 week long build, that was probably the biggest headache, next to hitting enough combinations of check boxes to finally get BGP to peer across IPSec when terminating to our ELB.

    So as not to make this a dissertation, and without enough visuals, screenshots, and notes that I’d want to include for the privacy of the client, I’ll leave it at that. As an Easter Egg, you may be able to find one or two Fortinet forum posts I made while working on this build.

    I’ve learned a lot in the past couple of months. Unfortunately for the FCX (now NSE-8 again, I guess) of this blog, most of it was directly related to FortiGate builds and quirks in Azure. It definitely provided a deep dive and great hands-on experience for the cloud sections of the FCX, but unfortunately I’m sure I’ll need to come back and cover a broader scope to truly cover that domain.

    With the official cutover to the new Azure build coming next week, it will be nice to put this in my pocket and move forward with the rest of the Fortinet work planned over the next ~6 months. Again, in regard to work, I’ve got quite a bit of Security Profile, Security Fabric, FortiManager, and best practices implementation in the pipeline – tasks and hours that will better align with the scope of the NSE-8.

    As an informal update to the previous style of this blog, I must mention what I’ve been using to study, even though it’s not Fortinet. I’ve followed John Savill’s YouTube playlist for the Azure Fundamentals certification, and completed the cert. I’ve also followed his playlist for the AZ-104 Azure Administrator certification, which really goes much further than the cert requires, almost acting as a mini-Azure-masterclass in about 24 hours of video. I’ll likely sit that cert in the next couple of weeks. To follow, I imagine I will either take a few weeks to study and sit the AZ-700 Network or dive right back into reviewing complete Fortinet Administration Guides for FortiOS, FortiSwitch OS, FortiManager, and FortiAnalyzer as I work my way through the next 6 months of work projects. I will say that’s a lot of looking ahead for the guy that’s pivoted twice since starting this blog. The next post will surely explain better.

  • Monday – back to work. Yesterday I fit a good 3 or so hours of studying in between the coffee shop and common area on the first floor of our apartment building. Later in the day, after finishing the Study Guide for Fortinet Azure Cloud and beginning to pull up the newly released SD-WAN Core 7.6 guide, I realized I’m at the point where I’m going to begin reading material I’ve already studied. Time for my first pivot (there’s going to be a lot of these, it’s part of my personality).

    I’ve decided to take a break from reading and taking notes on the study guides, and instead do the same for the FortiGate 7.2.11 Admin Guide. There’s a couple of reasons for this:

    First, this better aligns with my current project at work, which is building out branch FortiGate configs from scratch while implementing Fortinet best practices. At the same time I plan on using this knowledge as a baseline for the MOPs (Method of Procedures) I will create a bit later in my process. I will create MOPs to both assist in my studying process (learning via teaching) and aid our help desk in support of the enterprise network at work.

    Second, I don’t want to go and study the Study Guides for technologies such as FortiMail, FortiADC, FortiSandbox, or any of the software that I don’t currently have experience in, until I get closer to having a lab fully set up for these. The timing of the lab setup is going to be a big limiting factor in regard to progress in these, and many other, areas of study. I only expect to receive complimentary lab licenses for many of these products for a span of 3-8 months, so I want to make the absolute most of my time with them and time it right in terms of when I take both the written and practical exams.

    This all leads to a more overarching point that I’ve realized. I should focus on what I’m using now at work (and what I have access to in my homelab) before I move to the technologies I need trial licenses for. What does this mean practically? I will be spending at least the next 2-4 months focusing primarily on the FortiGate, FortiSwitch, FortiAP, FortiManager, and FortiAnalyzer platforms. Narrowing my focus will allow me to do deep learning on subjects such as best practices implementation, SD-WAN design, routing, and advanced troubleshooting. These are all skills that I can always get better at and will directly improve my quality of work. Once I’ve exhausted these base products, I will begin to shift in the direction of the products I haven’t, or don’t often, work with.

    I’ll end with what’s been on my mind. Reading about people’s FCX/CCIE/JNCIE study experiences, I understand that it’s necessary to complete anywhere from 1000-3000 hours of studying. How does the math work out to completion in roughly 2 years, as many report? That averages to somewhere around 20 hours a week, or 3 hours a day. How will I rearrange my life to allow for 3 hours of studying a day? Will I do 90 minutes a day on weeknights and 6+ hours on both Saturday and Sunday? Or will I start doing an hour in the morning as well as the usual 90 minutes a weeknight? Lots to consider, but certainly the most important thing is keeping up with my current routine of studying every single day.

  • It’s a Saturday, which is usually a study day. I’d like to get all of the background information for this blog out of the way pretty quickly so I can focus on simply documenting my daily/weekly steps and progress.

    Let’s start with what I have so far in terms of discovery of resources. Here’s the summary: there isn’t much. The best that I’ve found so far is actually another blog called fcxstudy.group. I will be using his tracking spreadsheet and a fair amount of his advice is being followed in terms of my lab structure, or what will eventually be my lab structure. The most important pieces are his FCX Study Tracker, which can be found here: FCXStudy.group Study Tracker and his lab topology and resource chart, here: FCXStudy.group Lab Exam Part 2

    I read through his whole blog (there’s only about 6 or so articles that pertain to the FCX exam). I then downloaded the study tracker and started marking off some of the topics, based on what I’ve studied either in preparation for the FCP and FCSS, or simply while doing independent studying. Here’s what I have today:

    As you can clearly see, I’m just about starting from zero. I was a bit strict with myself in terms of what I considered to be reviewed thus far, but we’re still, I’d estimate, somewhere in the low single digits in terms of percentage of confidence and readiness for the written exam (there’s a whole other spreadsheet page for the lab/practical exam).

    If anything, I think being in this position is favorable. It means I have a lot of options in terms of what I can focus on first. I don’t have to start with topics that I have little practical interest in and can have some fun with these first few months. I’ve marked each of the topics in the chart above as 50%, rather than 100%. These are the topics that I’ve spent a fair amount of time covering in preparation for previous exams, or topics that I regularly work with in my day job.

    Yes, my day job, I’ve yet to mention this. I currently work for an MSP (Managed Service Provider), wearing a network engineer’s shoes. I primarily work with a single customer, who has a medium-sized enterprise network, utilizing Fortinet equipment almost all the way up their stack, from Datacenter and Azure FortiGate firewalls, to site/branch FortiGate firewalls, edge and access FortiSwitches, and FortiAPs. We also utilize FortiManager, FortiAnalyzer, FortiClient EMS, and we’re now introducing FortiExtenders. The FortiGates are currently running in the 7.2 FortiOS series.

    Back to exam prep. My current phase of studying is working through all of the Fortinet Training Institute’s Study Guides. At this time I’m just reading through them and taking notes, occasionally testing out new learnings either in my homelab stack or in the work stack. I plan on continuing this until I run out of Study Guides to take notes on. I’m really just trying to get a grasp of high level concepts and “laying eyes” on more detailed or advanced topics that I’ve yet to touch in a practical environment. Here is a full list of the lessons currently available within the Fortinet Training Portal that I find applicable to the FCX:

    FortiGate 7.4 – Completed during FCP study
    FortiManager 7.4 – Completed during FCP study
    FortiAnalyzer 7.4 – Completed between FCP and FCSS study
    FortiSwitch 7.2 – Completed in preparation for a NAC implementation project at work
    FortiClient EMS 7.2 – Completed in preparation for work tasks and troubleshooting
    Enterprise Firewall 7.4 – Completed during FCSS study
    Network Security Support Engineer – Completed during FCSS study
    SD-WAN 7.2 – Completed
    Secure Wireless LAN 7.4 – Completed
    Secure LAN Edge 7.6 – Completed
    Azure Cloud Security 7.4 – In progress
    FortiAuthenticator 6.5
    FortiNAC 7.2
    FortiMail 7.4
    FortiWeb 7.4
    FortiSIEM 7.2
    FortiSandbox 5.0
    FortiSOAR 7.3
    FortiEDR 5.0
    SD-WAN Core Operations 7.6
    SD-WAN Large Deployment 7.6
    Public Cloud Security Architect 7.2/7.6
    FortiSASE 25
    Security Operations 7.4

    Now that I’ve typed all of those out I’ve realized how much time I’ve spent writing this post, which is valuable time I could use for studying. I’m off to the coffee shop to keep pushing through the Study Guides.

  • It’s July of 2025. I’m one month past finishing the Fortinet FCSS and FCP certifications and just about 2 years into working with Fortinet gear. There’s a small physical homelab sitting under the TV in the living room, hosting the apartment’s WiFi and a wired connection for an Xbox One. I’ve decided to begin studying for the Fortinet NSE-8 exam.