Beginning of week 4 studying for core. Let’s start with the tracker:


This past week I finished up OSPF and moved to ECMP, Policy Routing (excluding SD-WAN), asymmetric routing, and VRF and route leaking.
ECMP and Policy Routing are both fairly straightforward and intuitive. The deep notes and basic labbing for both of these topics only took a day each – at least working through the existing Fortinet documentation and working with AI to identify gaps in my notes and some common situations to lab out. I did end up coming back to ECMP on Saturday for a bit more lab time.
Asymmetric Routing was not as breezy but it taught me a lesson that’s already paying off. I’ve been working with an enterprise network with asymmetric routing enabled for the past year or so, and I’ve also learned about its mechanics while studying for previous Fortinet certs, but I hit a weird spot when I first began the deep notes. It was a weeknight so I only had a 2-hour study session, but I noticed that at the end of the session I still didn’t actually understand how asymmetric routing was treated by the FortiGate. Between RPF check understanding, asymroute vs auxiliary session, TCP without SYN, and the various articles explaining what asymmetric routing looks like in debugs and sniffers – I couldn’t fit all the pieces together. There was simply too much I did not yet understand; and at the end of the session I felt the disconnection and was quite overwhelmed.
The next day, Saturday, I had a full 4 hours for asymmetric routing. I still felt overwhelmed and confused quite a few times, but the feeling subsided as I continued to spend time working through the topics. First I made sure I understood RPF check – why asymmetric routing breaks traffic flows on FortiGate. Then I read Reddit threads, forum posts, and blog posts to get an understanding of how different people deal with asymmetric on their networks. I slowly began to understand the difference between asymroute, auxiliary sessions, and TCP without SYN – and when to actually use them rather than just how to configure them. The pieces began fitting together. Just like a big jigsaw puzzle (my girlfriend and I have been doing a lot of them lately), the more pieces you have fit together, the easier it becomes to fit the rest. It’s always the most difficult when nothing is yet connected. The best thing you can do is simply start with the edges or a little section, then add another little section, and on and on.
This lesson has already become relevant as I begin to take on VRFs and Route Leaking. I spent four hours on it today and at the end of each hour, as I hit the restroom or took a five-minute break, I felt that overwhelming feeling again of there being too many pieces not put together. I even felt inclinations to entirely skip the topic each time I read a thread or article suggesting that VDOMs are preferred to VRFs or Route Leaking isn’t recommended in modern networks. However, I know that both topics are listed at least once in the NSE8 topic outline so I have to push through. I know that, just like with asymmetric routing, as long as I continue working to understand the subtopics, understanding will come.
Quick Lab Update
A couple quick comments on the lab environment:
1) In order to lab out ECMP I ended up having to upgrade the two FGT VMs from B1s to B4s as B1s only supports 2 vNICs and I needed another outside vNIC to create a secondary tunnel between the FGTs.
2) I do know that my Azure environment is still in the first ~12 month period that allows for an allotment of low-limit free resources. This ends for me in August so I expect all costs to bump up a bit after that. If I stay on my estimated schedule of 12 months I should only have to bear the higher costs for about 4 months.
That’s all I have this week. I’ll have more details next week when we begin wrapping up deep notes for the routing section overall and begin the review and additional labbing phase. That will likely last a week and set us at 6 weeks total for routing, right on schedule. I’m already excited to finally experiment with both ADVPN and ZTNA as we move into our second section, VPN and Overlays. Cheers!