NSE8/FCX Certification

Documenting the processes followed in preparation for the FCX/NSE8 Fortinet expert certification.

It’s been a couple of months, I imagine, since I’ve provided an update regarding my FCX journey. In the style of the last update, things have again pivoted.

I have spent the better part of the last two months focusing on Azure. The only reason for this being the current project I have been assigned to at work – to build out a new failover design for a client’s redundant FortiGate hubs. I’ll speak about this briefly, since it’s what I currently know about and we ran into some interesting issues that I wasn’t able to find quick solutions for via Google, Fortinet forums, or AI.

The client has two FortiGate hubs, acting as termination points for their ~40 spoke sites as well as somewhere between 50 and 100 vendor and partner B2B IPSec tunnels. The simple (not so simple) ask is to allow for proper failover for VMs living in Azure from Region 1 to Region 2. The failover itself is handled by other engineers. It’s my task to build the network pipes to support this new traffic pattern. The design we all put our heads together and came up with is almost rudimentary: an upgrade to a pair of HA FortiGates in Region 1, where the single FortiGate hub currently lives. Traffic will always flow out of this FortiGate from the Azure resources when it’s up (steady state). When individual VMs or resources fail over from Region 1 to Region 2, traffic still flows to the Azure HA FortiGates in Region 1, across the peered regions. When all of Region 1 fails, Azure will fail over via Azure Site Recovery into Region 2 and (now that the Azure HA FortiGates are down with Region 1) traffic will flow out via an ExpressRoute to the secondary FortiGate hub, living in an on-prem datacenter. It’s almost too much of a brute force to even work, but it passes all of the tests and costs less than the first design – one Azure FortiGate in each region, causing LOTS of IP design complexity for our infrastructure and systems teams.

We ran into numerous issues, none of which proved to be a detriment to the design, but plenty that strained brains for days on end. Particularly when we decided it would be a great feature to have the ability to terminate IPSec tunnels to both the External Load Balancer (part of the standard FortiGate HA design, provided by Fortinet docs) and a Global Load Balancer in front of the ELB, simultaneously. Looking back at the 3-4-week-long build, that was probably the biggest headache, next to hitting enough combinations of check boxes to finally get BGP to peer across IPSec when terminating to our ELB.

So as not to make this a dissertation, and since I can’t include the visuals, screenshots, and notes I’d want to, for the privacy of the client, I’ll leave it at that. As an Easter egg, you may be able to find one or two Fortinet forum posts I made while working on this build.

I’ve learned a lot in the past couple of months. Unfortunately for the FCX (now NSE-8 again, I guess) focus of this blog, most of it was directly related to FortiGate builds and quirks in Azure. It definitely provided a deep dive and great hands-on experience for the cloud sections of the FCX, but unfortunately I’m sure I’ll need to come back and cover a broader scope to truly cover that domain.

With the official cutover to the new Azure build coming next week, it will be nice to put this in my pocket and move forward with the rest of the Fortinet work planned over the coming ~6 months. Again, in regard to work, I’ve got quite a bit of Security Profile, Security Fabric, FortiManager, and best practices implementation in the pipeline – tasks and hours that will better align with the scope of the NSE-8.

As an informal update in the previous style of this blog, I must mention what I’ve been using to study, even though it’s not Fortinet. I’ve followed John Savill’s YouTube playlist for the Azure Fundamentals certification, and completed the cert. I’ve also followed his playlist for the AZ-104 Azure Administrator certification, which really goes much further than the cert requires, almost acting as a mini Azure masterclass in about 24 hours of video. I’ll likely sit that cert in the next couple of weeks. After that, I imagine I will either take a few weeks to study and sit the AZ-700 Network cert or dive right back into reviewing the complete Fortinet Administration Guides for FortiOS, FortiSwitch OS, FortiManager, and FortiAnalyzer as I work my way through the next 6 months of work projects. I will say that’s a lot of looking ahead for the guy who’s pivoted twice since starting this blog. The next post will surely explain better.
