A marathon, not a sprint. That’s the theme for this week. Between my skip day last week and my short days yesterday and today, I’m down quite a few hours below my 18-20 hour weekly target. I’m telling myself that’s okay, because it is. I’m not always going to have a perfect week. This upcoming weekend I will be going on a trip and likely won’t be able to do much studying at all. Again, I’m telling myself this is okay because I’m honestly nervous about taking my first real “break” from studying since I started 3 or 4 months ago.
In one of my upcoming posts, I will include more details about the Authentication phase of my study plan I’ve been working through these past couple of weeks.
Very short post this week. One day late and only for the sake of consistency. I’m very tired and as you can see from my hours above, have been slacking a little bit. Between personal days and a bit of illness, it’s one of those weeks I’ve simply had to get through. I continue to repeat in my head the advice I’ve received – to continue putting in the work each day, each week, and not worry about perfection or deadlines. The learning and understanding will continue to come with time.
Not a bad week at all. Not as consistent as previous weeks and I’m a bit under hours but I just want to start this by emphasizing how useful the FDN Hands on Labs (HOL) are. I spent a good portion of the week going through the SD-WAN HOL. Need I repeat from last week’s blog post that the HOL guide is over 200 pages long? It’s 7 labs that cover everything from simple hub-and-spoke SD-WAN from scratch with Jinja Orchestrator to ADVPN 2.0 and ICMP embedded SLAs.
Quick update on lab costs as well – last month we got close to $50 after the FGT licensing free trials expired and before I got a chance to apply the eval licenses. This month we’re looking at something closer to $40.
No other big updates other than starting the Authentication and User Access Phase (Phase 4) today and a bit of trouble getting access to the FortiAuthenticator VM in my lab. Hoping to figure that out tomorrow.
This week I spent with my foot in my mouth after last week’s post included me going on and on about how I didn’t know what to fill the next 2 weeks with to finish out the SD-WAN phase. Turns out there’s a lot more, and it was all under the SD-WAN Architecture section of the pre-release notes topic outline.
It turns out these 4 topics were a week’s worth of deep notes (and a little bit of labbing). From there, this weekend I began the SD-WAN 7.6 Hands-on Lab from the Fortinet Developer Network and it’s probably going to fill the next week on its own. Let’s just say the lab documentation is somewhere around 200 pages. I spent 4 hours on the first of 6-7 labs included in the HOL, although the first 2 hours were wasted on me getting stuck because of a simple typo while importing the Fortinet-provided Jinja template.
I did also spend some time this past week re-labbing ADVPN 2.0, just because I almost know for a fact it will be on the exam (it’s right there in the pre-release notes and it’s just a big offering for Fortinet in general). I still don’t feel perfectly comfortable, so I imagine I’ll do this at least 2 more times before I sit the exam.
In terms of timing I think I will probably do at least another 1.5 weeks with SD-WAN before a quick 2-4 day review of SD-WAN and Traffic Shaping. Then we’re moving right along to Authentication and Access Control and I’ll be excited to get the FortiAuthenticator VM spun up and poke around for the first time.
This week has been all SD-WAN. And by all SD-WAN I mean SD-WAN plus a bunch of other shit that relates to SD-WAN. The pre-release notes aren’t incredibly specific, but here are the topics they list:
SD-WAN Architecture
Application performance
Multi-datacenter
Redundant connectivity
Work from anywhere
SASE
Prepping for SPA
SD-WAN On-Ramp
Secure Private Access
Routing
SD-WAN Routing
VPN
SD-WAN
Based on this list, I worked up the following sub-topics to cover within my Phase 3 section:
Unfortunately it’s the end of day 8 and I do believe I’ve covered 80-90% of this. I do work with SD-WAN a lot in my day-to-day work environment but I’m a bit thrown off by the difference between my initial estimate and the current time worked. I had a similar feeling after finishing VPNs and Overlays. Things are just going a lot quicker than they did for my Phase 1 (Routing). Given that I went so in-depth for routing and covered many topics that I had not gone deep on before (OSPF, VRFs, Multicast, etc.), this makes some sense – but it’s still a weird feeling to almost be finished with what is supposed to be a 50 hour topic at closer to 20-25 hours. I don’t have a real solution for this at the moment other than telling myself I’ll come back to both VPNs and SD-WAN during my review phase but it doesn’t stop the worry that I may be missing chunks of content or simply not spending enough hours in the lab on these subtopics. The one thing I can do now is hope that there is updated topic documentation that gets released when (or before) the July 15th update – when NSE8 is officially released.
Before we get into the NSE8 changes, as always, I’ll start with the time tracker. This week we finished up IPsec and Overlay VPNs and just today began SD-WAN. VPNs was a short phase 2 (of a total 7 phases I have planned) – roughly 3 weeks compared to Phase 1 (Routing) coming in at 6 weeks.
The big change: the NSE8 Core module is an in-person practical exam. I know from my first brief start with FCX that the expert level exam was fully remote in terms of the proctored written and practical exams. I did expect it to stay remote but after this release we can see it is in fact required to be taken in-person. There are not yet details explaining where the exam is taken in terms of local (proctored via a standard local testing center or only at Fortinet offices), however I imagine this will come soon.
The second big update is something I had previously asked our AM about: whether my FCS and FCSS certifications would qualify me for the NSE8 prerequisites. The answer is yes!
Going off of this I’m going to go ahead and cross all 3 pre-reqs off my checklist:
I will of course confirm this with our AM as well, just in case. However, for now it just means I don’t have to spend the time re-taking 2-3 additional exams, which is nice.
The final update is the change in date for the first day to take the NSE8, July 15th. I imagine we’ll see at least 1-2 more big updates like this for the NSE8 before July 15th, so I will continue to keep a very close eye on anything released from Fortinet as well as updates to the NSE8 Pre-Release Guide.
I don’t have any major study updates this week, so I’ll leave it at that. Thanks for reading and best of luck studying for anybody following along!
I’m slowly starting to lose track of the weeks here, but that’s not a problem. This past week has seen a lot of lab time. Between starting ADVPN for the first time and getting to SSL VPN migration scenarios I don’t see it ending any time soon. I have the schedule mapped out for anywhere from 4-6 weeks on IPsec VPNs (including ADVPN, migrations, a little ZTNA) and this block is a bit different from routing in that everything really falls under IPsec. Therefore it’s all one document that I’m taking deep notes in and we’re almost up to 60 pages. I think I like this structure a little better because I know exactly how to spend my time – as long as it’s something IPsec related it’s time well spent.
Something fun I’m starting to run into is the need to expand the Azure lab. I mentioned last week I began setting up a domain controller. So far this week I’ve built a working RADIUS connection for SSL VPN (and IPsec) and am on the cusp of a working LDAP configuration – although I have a feeling it’s going to be LDAPS by the time I get it working. I really did think it was going to be another 2 months before I’d be breaking into authentication in the lab but once the DC was stood up I didn’t see any reason not to dive in.
Between those last two points I want to emphasize my focus for the next week – SSL VPN to IPsec VPN migrations, as I call them. For some reason I have a feeling there will undoubtedly be one of these exact scenarios on the exam. Therefore I’m labbing out every permutation I can think of:
local authentication + split DNS + full tunnel + custom TCP port
LDAP authentication + split tunnel + DNS suffix
RADIUS authentication + split DNS + split tunnel + custom port
…
It’s a fun little challenge that’s keeping me focused and covers multiple topics at once. I’ll leave it at that, thanks for reading.
As usual, we start with the tracker for the past week:
I wish I had the time and care to insert that “It’s all X? It always was.” meme with the two astronauts. In my case it would be all IPsec this week. IPsec is near and dear to my heart in that, like BGP, I deal with it just about every single work day. Between standing up new tunnels with partner enterprises or simply thinking about how data traverses our network, IPsec VPNs are involved. The piece here that I’m excited about as studying is chugging along is getting to lab out IPsec Dial-Up remote access VPNs. Our organization is still on SSL VPN and we’re right up to that time where a migration to IPsec VPN is making its way up the priority list.
One quick lab update. I’ve stood up a “DC” in Azure. A little F1 Windows Datacenter 2025 VM that I’m using to begin labbing out RADIUS, SAML, and LDAP authentication for IPsec dial-up VPN. Luckily I was able to configure it pretty cheap and I’m only sitting at just over $20 a month for the box. Given that I’ll only turn it on when actively using it I’m expecting a dollar or two a month overall. Again, I want to keep providing lab cost updates here just to track the cost comparison of a fully virtual lab in Azure versus investment in a metal server and Hyper-V.
Motivation is better this week. The switch from reviewing routing to beginning a “new” subject is definitely the cause. It’s nice to learn about entirely new subtopics and begin labbing out scenarios I haven’t seen before. Soon enough I’ll be able to make use of that FortiAuthenticator eval license I was provided and integrate FAC with IPsec VPN (but I’m going to come back to this during the authentication section in a couple months, I don’t want to have to request another 60 day FAC eval license after just how long it took the first time).
I’m coming up on the end of our first section, routing, after right around 100 hours of studying. Let’s get to the tracker:
This past week has been slightly different in that I did divert from my consistency in daily studying while I completed an overnight maintenance window for a network migration at work (and subsequently recovered from the sleep change). However, progress is still very consistent and after another 1-2 hours of studying tonight I will go ahead and move to the next section, VPN and Overlay Technologies:
I’m excited to get going on this next phase as I have found myself slowing down and losing momentum during this routing review period I’ve been in over the past week and a half.
My only other major update is that I’ve finally received some evaluation licenses from Fortinet for a few FortiGate VMs, FortiAnalyzer, FortiManager, and FortiAuthenticator. There really won’t be application for anything but the FGTs for at least another couple of months so we’ll keep the rest stashed until then. Although I may try to set up ADVPN in the lab which I believe requires FMG.
A short update this week, and no update last week so I went ahead and posted my BGP deep notes as articles. I’ll likely do more of those moving forward for my more comprehensive notes – it forces me to extensively verify the claims I make in notes and make sure I’m keeping very high documentation standards.
Beginning of week 5 studying for Core. Let’s start with the tracker for this past week:
This week was an interesting one. I spent the first half continuing to lab VRF and Asymmetric Routing after finishing deep notes for both. After at first deciding that I was done with both topics I did not feel satisfied enough and decided I would really lab out both topics extensively. This resulted in 4 pretty brutal days with the end result being a confirmation that it’s not possible to lab VRF route leaking and beyond my ability and patience (if even possible) to simulate asymmetric routing between three FortiGate VMs. This frustration extended into this weekend when I also confirmed that Azure does not in fact support multicast traffic in a standard configuration. As you can see in the picture directly above, I’ve flagged all three of these labbing issues in the tracker. I’ll simply have to lab out both VRF leaking and multicast scenarios in a physical lab, although this does mean I’ll have to purchase or borrow another FortiGate (for multicast routing at least).
Overall, motivation is still high and I’ve only fallen out of my schedule once this past Friday when I had the chance to go to an event and meet a famous tennis star that I couldn’t pass up. I’m not going to sweat the one less hour of studying this week as I almost always end up spending an additional 2-4 hours each week reading forum posts or contributing to online Q&As. While reading a little bit of a CCIE journey blog I did read a post about a really bad burnout that made me slightly anxious – however I do think it’s simply a risk I need to stay cognizant of and continue to give myself mercy when I slip up on my schedule or decide to take breaks from studying.
A final note I want to make is in regard to a study tactic I have very recently discovered and found quite useful. I’ve already explained in previous posts that I use Claude AI a fair amount to help me map out topics or to review my notes for accuracy. Something I recently told it (it has memory between chats) is that I like when it asks questions like this:
These are the kind of high-level understanding questions that really force you to face whether you understand the topic. The kind of questions you’d find at the end of each chapter in a college textbook. I basically told Claude to ask me these types of questions more, and it usually does. So when I give it my BGP notes or OSPF notes and I have it check them for accuracy, it’ll give me some questions like this and I’ll be sure to slowly and thoughtfully answer them. Claude then gives me feedback on my understanding.
That’s all for this past week. This week I’m going to finish multicast and then begin review of the first section (Routing) and move to the next section likely towards the first half of next week. Cheers!