This week has been all SD-WAN. And by all SD-WAN I mean SD-WAN plus a bunch of other shit that relates to SD-WAN. The pre-release notes aren’t incredibly specific, but here are the topics they list:
SD-WAN Architecture
Application performance
Multi-datacenter
Redundant connectivity
Work from anywhere
SASE
Prepping for SPA
SD-WAN On-Ramp
Secure Private Access
Routing
SD-WAN Routing
VPN
SD-WAN
Based on this list, I worked up the following sub-topics to cover within my Phase 3 section:
Unfortunately it’s the end of day 8 and I do believe I’ve covered 80-90% of this. I do work with SD-WAN a lot in my day-to-day work environment but I’m a bit thrown off by the difference between my initial estimate and the current time worked. I had a similar feeling after finishing VPNs and Overlays. Things are just going a lot quicker than they did for my Phase 1 (Routing). Given that I went so in-depth for routing and covered many topics that I had not gone deep on before (OSPF, VRFs, Multicast, etc.), this makes some sense – but it’s still a weird feeling to almost be finished with what is supposed to be a 50 hour topic in closer to 20-25 hours. I don’t have a real solution for this at the moment other than telling myself I’ll come back to both VPNs and SD-WAN during my review phase but it doesn’t stop the worry that I may be missing chunks of content or simply not spending enough hours in the lab on these subtopics. The one thing I can do now is hope that there is updated topic documentation that gets released when (or before) the July 15th update – when NSE8 is officially released.
Before we get into the NSE8 changes, as always, I’ll start with the time tracker. This week we finished up IPsec and Overlay VPNs and just today began SD-WAN. VPNs was a short phase 2 (of a total 7 phases I have planned) – roughly 3 weeks compared to Phase 1 (Routing) coming in at 6 weeks.
The big change: the NSE8 Core module is an in-person practical exam. I know from my first brief start with FCX that the expert level exam was fully remote in terms of the proctored written and practical exams. I did expect it to stay remote but after this release we can see it is in fact required to be taken in-person. There are not yet details explaining where the exam is taken in terms of local (proctored via a standard local testing center or only at Fortinet offices), however I imagine this will come soon.
The second big update is something I had previously asked our AM about: whether my FCS and FCSS certifications would qualify me for the NSE8 prerequisites. The answer is yes!
Going off of this I’m going to go ahead and cross all 3 pre-reqs off my checklist:
I will of course confirm this with our AM as well, just in case. However, for now it just means I don’t have to spend the time re-taking 2-3 additional exams, which is nice.
The final update is the change in date for the first day to take the NSE8, July 15th. I imagine we’ll see at least 1-2 more big updates like this for the NSE8 before July 15th, so I will continue to keep a very close eye on anything released from Fortinet as well as updates to the NSE8 Pre-Release Guide.
I don’t have any major study updates this week so I’ll leave it at that. Thanks for reading and best of luck studying for anybody following along!
I’m slowly starting to lose track of the weeks here, but that’s not a problem. This past week has seen a lot of lab time. Between starting ADVPN for the first time and getting to SSL VPN migration scenarios I don’t see it ending any time soon. I have the schedule mapped out for anywhere from 4-6 weeks on IPsec VPNs (including ADVPN, migrations, a little ZTNA) and this block is a bit different from routing in that everything really falls under IPsec. Therefore it’s all one document that I’m taking deep notes in and we’re almost up to 60 pages. I think I like this structure a little better because I know exactly how to spend my time – as long as it’s something IPsec related it’s time well spent.
Something fun I’m starting to run into is the need to expand the Azure lab. I mentioned last week I began setting up a domain controller. So far this week I’ve built a working RADIUS connection for SSL VPN (and IPsec) and am on the cusp of a working LDAP configuration – although I have a feeling it’s going to be LDAPS by the time I get it working. I really did think it was going to be another 2 months before I’d be breaking into authentication in the lab but once the DC was stood up I didn’t see any reason not to dive in.
Between those last two points I want to emphasize my focus for the next week – SSL VPN to IPsec VPN migrations, as I call them. For some reason I have a feeling there will undoubtedly be one of these exact scenarios on the exam. Therefore I’m labbing out every permutation I can think of:
local authentication + split DNS + full tunnel + custom TCP port
LDAP authentication + split tunnel + DNS suffix
RADIUS authentication + split DNS + split tunnel + custom port
…
It’s a fun little challenge that’s keeping me focused and covers multiple topics at once. I’ll leave it at that, thanks for reading.
As usual, we start with the tracker for the past week:
I wish I had the time and care to insert that “It’s all X? It always was.” meme with the two astronauts. In my case it would be all IPsec this week. IPsec is near and dear to my heart in that, like BGP, I deal with it just about every single work day. Between standing up new tunnels with partner enterprises or simply thinking about how data traverses our network, IPsec VPNs are involved. The piece here that I’m excited about as studying is chugging along is getting to lab out IPsec Dial-Up remote access VPNs. Our organization is still on SSL VPN and we’re right up to that time where a migration to IPsec VPN is making its way up the priority list.
One quick lab update. I’ve stood up a “DC” in Azure. A little F1 Windows Datacenter 2025 VM that I’m using to begin labbing out RADIUS, SAML, and LDAP authentication for IPsec dial-up VPN. Luckily I was able to configure it pretty cheap and I’m only sitting at just over $20 a month for the box. Given that I’ll only turn it on when actively using it I’m expecting a dollar or two a month overall. Again, I want to keep providing lab cost updates here just to track the cost comparison of a fully virtual lab in Azure versus investment in a metal server and Hyper-V.
Motivation is better this week. The switch from reviewing routing to beginning a “new” subject is definitely the cause. It’s nice to learn about entirely new subtopics and begin labbing out scenarios I haven’t seen before. Soon enough I’ll be able to make use of that FortiAuthenticator eval license I was provided and integrate FAC with IPsec VPN (but I’m going to come back to this during the authentication section in a couple months, I don’t want to have to request another 60 day FAC eval license after just how long it took the first time).
I’m coming up on the end of our first section, routing, after right around 100 hours of studying. Let’s get to the tracker:
This past week has been slightly different in that I did divert from my consistency in daily studying while I completed an overnight maintenance window for a network migration at work (and subsequently recovered from the sleep change). However, progress is still very consistent and after another 1-2 hours of studying tonight I will go ahead and move to the next section, VPN and Overlay Technologies:
I’m excited to get going on this next phase as I have found myself slowing down and losing momentum during this routing review period I’ve been in over the past week and a half.
My only other major update is that I’ve finally received some evaluation licenses from Fortinet for a few FortiGate VMs, FortiAnalyzer, FortiManager, and FortiAuthenticator. There really won’t be application for anything but the FGTs for at least another couple of months so we’ll keep the rest stashed until then. Although I may try to set up ADVPN in the lab which I believe requires FMG.
A short update this week, and no update last week so I went ahead and posted my BGP deep notes as articles. I’ll likely do more of those moving forward for my more comprehensive notes – It forces me to extensively verify the claims I make in notes and make sure I’m keeping very high documentation standards.
Beginning of week 5 studying for Core. Let’s start with the tracker for this past week:
This week was an interesting one. I spent the first half continuing to lab VRF and Asymmetric Routing after finishing deep notes for both. After at first deciding that I was done with both topics I did not feel satisfied enough and decided I would really lab out both topics extensively. This resulted in 4 pretty brutal days with the end result being a confirmation that it’s not possible to lab VRF route leaking and beyond my ability and patience (if even possible) to simulate asymmetric routing between three FortiGate VMs. This frustration extended into this weekend when I also confirmed that Azure does not in fact support multicast traffic in a standard configuration. As you can see in the picture directly above, I’ve flagged all three of these labbing issues in the tracker. I’ll simply have to lab out both VRF leaking and multicast scenarios in a physical lab, although this does mean I’ll have to purchase or borrow another FortiGate (for multicast routing at least).
Overall, motivation is still high and I’ve only fallen out of my schedule once this past Friday when I had the chance to go to an event and meet a famous tennis star that I couldn’t pass up. I’m not going to sweat the one less hour of studying this week as I almost always end up spending an additional 2-4 hours each week reading forum posts or contributing to online Q&As. While reading a little bit of a CCIE journey blog I did read a post about a really bad burnout that made me slightly anxious – however I do think it’s simply a risk I need to stay cognizant of and continue to give myself mercy when I slip up on my schedule or decide to take breaks from studying.
A final note I want to make is in regard to a study tactic I have very recently discovered and found quite useful. I’ve already explained in previous posts that I use Claude AI a fair amount to help me map out topics or to review my notes for accuracy. Something I recently told it (it has memory between chats) is that I like when it asks questions like this:
These are the kind of high-level understanding questions that really force you to face whether you understand the topic. The kind of questions you’d find at the end of each chapter in a college textbook. I basically told Claude to ask me these types of questions more, and it usually does. So when I give it my BGP notes or OSPF notes and I have it check them for accuracy, it’ll give me some questions like this and I’ll be sure to slowly and thoughtfully answer them. Claude then gives me feedback on my understanding.
That’s all for this past week. This week I’m going to finish multicast and then begin review of the first section (Routing) and move to the next section likely towards the first half of next week. Cheers!
Beginning of week 4 studying for core. Let’s start with the tracker:
This past week I finished up OSPF and moved to ECMP, Policy Routing (excluding SD-WAN), asymmetric routing, and VRF and route leaking. ECMP and Policy Routing are both fairly straightforward and intuitive. The deep notes and basic labbing for both of these topics only took a day each – at least working through the existing Fortinet documentation and working with AI to identify gaps in my notes and some common situations to lab out. I did end up coming back to ECMP on Saturday for a bit more lab time. Asymmetric Routing was not as breezy but it taught me a lesson that’s already paying off. I’ve been working with an enterprise network with asymmetric routing enabled for the past year or so, and I’ve also learned about its mechanics while studying for previous Fortinet certs, but I hit a weird spot when I first began the deep notes. It was a weeknight so I only had a 2 hour study session, but I noticed that at the end of the session I still didn’t actually understand how asymmetric routing was treated by the FortiGate. Between RPF check understanding, asymroute vs auxiliary session, TCP without SYN, and the various articles explaining what asymmetric routing looks like in debugs and sniffers – I couldn’t fit all the pieces together. There was simply too much I did not yet understand; and at the end of the session I felt the disconnection and was quite overwhelmed. The next day, Saturday, I had a full 4 hours for asymmetric routing. I still felt overwhelmed and confused quite a few times, but the feeling subsided as I continued to spend time working through the topics. First I made sure I understood RPF check – why asymmetric routing breaks traffic flows on FortiGate. Then I read Reddit threads, forum posts, and blog posts to get an understanding of how different people deal with asymmetric on their networks.
I slowly began to understand the difference between asymroute, auxiliary sessions, and TCP without SYN – and when to actually use them rather than just how to configure them. The pieces began fitting together. Just like a big jigsaw puzzle (my girlfriend and I have been doing a lot of them lately), the more pieces you have fit together, the easier it becomes to fit the rest. It’s always the most difficult when nothing is yet connected. The best thing you can do is simply start with the edges or a little section, then add another little section, and on and on. This lesson has already become relevant as I begin to take on VRFs and Route Leaking. I spent four hours on it today and at the end of each hour, as I hit the restroom or took a five minute break, I felt that overwhelming feeling again of there being too many pieces not put together. I even felt inclinations to entirely skip the topic each time I read a thread or article suggesting that VDOMs are preferred to VRFs or Route Leaking isn’t recommended in modern networks. However, I know that both topics are listed at least once in the NSE8 topic outline so I have to push through. I know that just like with asymmetric routing as long as I continue working to understand the subtopics, understanding will come.
Quick Lab Update
A couple quick comments on the lab environment: 1) In order to lab out ECMP I ended up having to upgrade the two FGT VMs from B1s to B4s as B1s only supports 2 vNICs and I needed another outside vNIC to create a secondary tunnel between the FGTs. 2) I do know that my Azure environment is still in the first ~12 month period that allows for an allotment of low-limit free resources. This ends for me in August so I expect all costs to bump up a bit after that. If I stay on my estimated schedule of 12 months I should only have to bear the higher costs for about 4 months.
That’s all I have this week. I’ll have more details next week when we begin wrapping up deep notes for the routing section overall and begin the review and additional labbing phase. That will likely last a week and set us at 6 weeks total for routing, right on schedule. I’m already excited to finally experiment with both ADVPN and ZTNA as we move into our second section, VPN and Overlays. Cheers!
We’re coming up on the beginning of the third week of studies. We’ll start right up with the updated time tracker.
As you can see, we finished up BGP deep notes and labbing in about 1.5 weeks. To clarify, that is only dedicated study time. I just finished up reading the BGP sections of some CCIE books and do plan on reviewing BGP in a month or two. I also work with it every day at work so I don’t imagine I’ll become terribly rusty. My main concern is forgetting specific settings and configurations that I don’t use on the daily. I still haven’t broken out the Anki flashcards but think they could come in handy later in this process, just to stay fresh on definitions and use cases.
OSPF has not been bad at all. For background, I have not used or even touched OSPF in a production environment. I configured it in Cisco labs for CCNA and then studied it briefly for both CCNP and FCP/FCSS. It took me a couple of labbing hours to really crack its code in terms of actual configuration but as soon as I brought up the first adjacency and began turning things off and on and turning dials I really became comfortable and the subtopics quickly clicked. I’m sure I’ll repeat this many a time, but I can’t emphasize enough how helpful labbing is in terms of quickly understanding topics.
Lab Resources Update
I finally have an update on the questions I listed in the previous blog post. Unfortunately, but as expected, the resource I spoke with didn’t have a ton of definite answers regarding version coverage (only 7.6 vs 7.4+7.6, etc.) on the exam. I learned that Fortinet stays pretty tight lipped even internally when it comes to NSE8/FCX. My AM and SE really just worked off of the same Pre-Release Notes that are publicly available, and the SE provided some context based on his experience with the NSE8 back when he took it.
The most important things I got out of my meeting with the Fortinet team were Fortinet Developer Network access and the ability to request evaluation VM licenses. I have logged into FDN at this point and browsed through the Hands-on-Labs but have yet to dive into them as there aren’t yet any covering routing. The labs I have access to with my FCSS cert mostly cover specific Fortinet services like SD-WAN, ZTNA, FortiNAC, etc. – which makes perfect sense. I’ll be sure to dive in soon. Regarding licenses, I requested some FGT, FMG, FAZ, and FortiAuthenticator licenses as those are the products covered within the NSE8 Core module. When I get to the Secure Networking module I’ll be sure to request FortiNAC, FortiClient EMS, and FortiSandbox.
It’s important to me and my journey so I want to be sure to occasionally include the cost of running my lab. So far I’ve done everything with the two PAYG FGT VMs in Azure, but as their 30 day trial runs out, additional VMs are spun up, and evaluation licenses are applied, this will certainly change. Hopefully tracking all of this will help somebody out there when they consider whether to invest in server hardware to do everything virtual.
Running the two VMs about 18 hours a week, we’re averaging close to $0.50 a day. I think I’m keeping things cheap by running the smallest VMs possible and being vigilant about turning the VMs down after the end of each lab session.
Ending Thoughts
I don’t want every one of these blog posts to be essay-length like the last one, but I do want to be sure to include anything I’ve experienced that may be helpful to the next person so I’ll end by including a quick read I found interesting on BGP: BGP in the Data Center by Dinesh Dutt
You have to sign up for an O’Reilly account to read it, but you can read it for free for the first 10 days via a preview account. It’s only about 90 pages total and provides a really good insight into how BGP is used at the hyperscale level.
Good morning, network nerds! Welcome to Routing Week 1!
We made a lot of good progress since my last post. I have a lot of good structure built out in my study plan and some great resources, at least to get started with. Something you’ll learn as you follow this series is that I have a pretty terrible recall memory. This leads me to writing down and documenting everything in my life that I actually want to remember. This is also why my girlfriend gets regularly peeved at the fact that I can’t remember what food we have in the fridge or pantry (I don’t write that down). At work I have upwards of a dozen small lists and sticky notes on my desk to accompany my ever expanding archive of what I’ve coined “network information documents” – or simply notes documenting anything from BGP ASs to known services to learned fixes. All of this to say: we’re going to reference the NSE8 Tracker spreadsheet a lot.
The Study Timeline
First off, for background here, I created this outline with Claude AI. I gave it the NSE8 Pre-Release PDF, and some context on my available time per week and network experience. It produced these two timelines for the NSE8 modules. I certainly won’t be sticking to these exactly, but they provide a basic structure to go off of.
The Lab (so far)
If you read my first blog post you’ll know that I have a small FortiGate/FortiSwitch/FortiAP stack at home. Unfortunately this simply isn’t going to cut it for the NSE8. It was great for the FCP and FCSS, but there’s simply too many additional products (FortiManager, FortiAnalyzer, FortiClient EMS, etc.) to keep things remotely physical. Virtualization is required. The ability to quickly spin up additional FortiGate instances to act as routing or IPSec peers is already enough of a QoL boost to justify learning the bit of cloud or hypervisor skills required.
To summarize the screenshot above, I stood up a couple of FortiGate VMs in Azure. I made an IPSec tunnel between them and started labbing out the BGP concepts I’ve been going deep on this past week. So far I’ve just been using the PAYG (pay as you go) licensing model for the FGT VMs, but I’m hoping to swap these with BYOL (bring your own license) versions once our Fortinet AM (Account Manager) finally responds to my email. Oh, that!
On Monday, I shot an email off to our company’s Fortinet AM and SE (Sales Engineer) with a list of about 4 questions (see blog 4 for the list – it’s mostly specifics about FortiOS versions and past certs) and a request for some additional resources such as Fortinet Developer Network access and hopefully some evaluation licenses for all of the products included in the NSE8 syllabus. To be fair it was quite a few specific questions and asks… I’m sure they’ll get back this week. Until then I’ll stick with the PAYG, which is a maximum of 10 or 15 dollars a week with the 2 FGT VMs. I always make sure to shut these down after each lab session.
Time Tracker
I’m not sure if I’ll include these in each weekly blog post, but I do feel it’s personally valuable to know roughly how many hours I’ve spent on each topic. Another thing I’ve noticed about myself is that I have a problem with either going too shallow or deep on subjects (an extension of a general personality of extremes that falls outside of this blog’s scope). Documenting my time will give me a general idea as to whether I’m within range of my Topic Schedule. I also noticed that it keeps me more accountable with myself, just like this blog!
Additional Resources
To conclude I just wanted to mention a few additional resources that I may or may not have mentioned and have found valuable this first week.
Claude AI – I’ve been using Claude Pro for about a year now for everything from gardening advice to career advice to vibe coding little dashboards for personal use. I used it extensively while studying for the FCS and FCSS, feeding it my typed notes to check for accuracy errors and knowledge gaps, as well as to create practice questions and practical scenarios. For the NSE8 I obviously used it for the Topic Schedule, but I’ve also been feeding it my BGP deep notes to check for accuracy and gaps and then asked it to provide me with different scenarios to lab out.
draw.io – I use this to create all of my network diagrams. It’s easy to use, nimble, and most importantly, free.
Google – This may be obvious, or not. The FortiOS administration guide isn’t enough, neither are the Fortinet Training site’s self-paced learning modules (like they were for FCS/FCSS). You have to reference Fortinet Community documents and Technical Tips. The best way to find these, I’ve found, is to simply search “fortigate [topic]”. For example, “fortigate bgp graceful restart”. Then I go through the first few pages and take notes on any and everything I haven’t learned yet. When I first start on a new subtopic I make sure to take notes but know that facts aren’t set in stone until I’ve either reviewed a couple corroborating sources or labbed it out myself. If you haven’t already, it’s also useful to quickly learn Google Dorking, which allows you to use Google better, simply put. Here are some quick tips on that:
Put double quotes around any term you want your search to match exactly. For example if you want to absolutely be sure that your search includes the phrase “denied by forward policy check” (See first image below). This is extremely useful when searching for specific logs or error codes.
If you only want results from fortinet.com, include site:fortinet.com. (See second image).
After a couple of months of half-assed studying I finally sat and passed the AZ-104 exam this past week. With this as well as the start of the new year I can’t think of a better time to make the big push for the FCX/NSE8. As we get back into this topic I again cannot emphasize enough the help that the https://fcxstudy.group/ blog has provided in my short progress into this long journey thus far. My newfound enthusiasm can almost solely be attributed to this specific post: https://fcxstudy.group/2025/10/31/my-fcx-experience-kevin-guenay-nse8-003845/
In the post, an Austrian Systems Engineer explains his journey to passing the FCX. Maybe it was the parallels I saw with my level of experience, or pure dumb optimism after reading about Kevin passing the exam after close to a year of hard studying (contrary to the other FCX experience blogs that often mention 1.5-2 years). Either way, let’s talk shop.
I have recreated Andrew from fcxstudy.group’s FCX Excel spreadsheet tracker. I started it from scratch but ended up in a similar format to what he created, and also borrowed his style of topic tracking – especially the “Teach Others” concept of learning. Let’s go through the tracker sheet by sheet and I’ll add any necessary color.
Sheet 1: Exam Requirements and General Tables
This is really just notes from reading through the NSE8_Pre-Release_Handbook_Public_Exam as well as lists of lab resources and a small table I can use to track total hours at my projected daily study rate (I still would like to get the yearly hour count up closer to 1000, but I started with a lower target in hope to not scare myself off).
Sheet 2: Questions
This is simply a list of questions I’d like to eventually have answered. Most answers will come from our Fortinet AM (Account Manager) and SE (Sales Engineer) at work. Kevin’s blog post also emphasized his use of the Fortinet Demo licenses and Hands-On Learning labs, so one of my first tasks will be obtaining Fortinet Developer Network access from our AM.
Sheet 3: Core Module NSE8 High-Level
The two tables likely don’t need their own sheet, but I’m fine wasting e-paper. Both of these datasets are extremely important, in particular to my interest, the products covered. This sheet and the next are specific to the Core exam module, the first of two 4 hour practical exams making up the new NSE8 format. This tells me exactly what kind of lab VMs I need as well as what high level scope I can set in terms of studying resources. Personally, I love that products like FortiMail and FortiADC have been kicked off the syllabus. I personally do not have any experience with these and likely won’t in the near future so the more this exam version focuses on products I have experience with, the better.
Sheet 4: Core Module Topics
This is the meat and potatoes of the tracking spreadsheet. The list of topics was pulled directly from the NSE8_Pre-Release_Handbook_Public_Exam and will be updated accordingly if there are any changes once the production handbook is released. Let me explain the checkbox columns since I’ve labeled them for brevity:
Learning Exp. (Experience): Do I have experience learning about this topic? This would likely come from studying for the FCP, FCSS, or the month or so I started studying for the FCX.
Practical Exp. (Experience): Do I have practical experience working with this topic? This would likely come from work experience at my day job or from lab experience during FCSS or FCX studying.
Deep Study: Have I spent days to weeks reading through written material, admin guides, handbooks, KBs, etc. about this topic?
Deep Practical: Have I simulated this topic in the lab? Have I simulated troubleshooting scenarios?
Make Guides: Have I made a guide teaching others about this topic? This is something I tweaked based on Andrew’s original “Teach Others” learning technique. I like making MOPs and KBs for generic troubleshooting of Fortinet equipment to be shared at work, and it’s probably the best way to passively teach others without becoming the office know-it-all. I used this method quite a bit when studying for the FCSS.
Forum Q&As: Have I answered questions on Reddit, Fortinet Forums, Discords about this topic? Once I’ve checked this and Make Guides, I really know I’m confident on the topic.
Sheet 4: Secure Networking Module High-Level
Same as the Core high-level sheet, but for the Secure Networking module, my choice of the 3 specified exams one must pass to complete NSE8. I chose Secure Networking as it best aligns with my current experience as well as my personal interest in the pure networking domains. This is also the “logical continuation” of the core exam.
Sheet 5: Secure Networking Topics
Same as the Core module topics sheet, but for the Secure Networking topics.
I’ve set a recurring reminder in my phone reminding me to make a blog post/update every week. I highly doubt that will actually happen, but the idea is that it will remind me to stay true to my daily and weekly studying hours goals. I think it makes more sense to create these posts when I have enough material updates to warrant one. Hopefully the addition of FDN (Fortinet Developer Network, includes Demos and Hands-On Learning Labs), and some evaluation licenses from our AM will provide that content.