CertPrepNow
Fortinet | FCSS_LAN_EDGE 7.6 | Updated 2026-06-12

FCSS_LAN_EDGE 7.6 Study Guide

Everything you need to pass the Fortinet FCSS - LAN Edge 7.6 exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The FCSS LAN Edge 7.6 exam is passable with free resources if you combine official Fortinet training with hands-on lab practice over 4-8 weeks:

  • Fortinet Training Institute self-paced LAN Edge course (free registration)
  • Fortinet Document Library: FortiSwitch, FortiAP, FortiOS administration guides (free)
  • Fortinet LAN Edge Deployment Guide PDF (free download)
  • Fortinet Community forums and technical tips (free)
  • FortiGate VM trial for hands-on lab practice (free evaluation)
  • 300+ free practice questions on this site

Fortinet makes all self-paced training courses available for free through the NSE Training Institute. The official LAN Edge course combined with the documentation library covers the majority of exam content. Hands-on lab access can be purchased separately for a nominal fee.

Choose Your Study Path

Limited Fortinet experience. You may have general networking knowledge but need to learn Fortinet-specific products, FortiLink architecture, and LAN Edge concepts from the ground up.

  • Week 1: Complete the free Fortinet NSE 4 FortiGate Security course prerequisites. Learn FortiGate fundamentals: interfaces, firewall policies, VLANs, DHCP, and basic administration
  • Week 2: Study FortiSwitch fundamentals: managed vs standalone mode, FortiLink protocol, how FortiGate discovers and authorizes switches, VLAN assignment, port configuration, and trunk setup
  • Week 3: Study FortiAP and wireless infrastructure: CAPWAP tunnel mode vs bridge mode, SSID configuration, wireless profiles, AP authorization, and radio management
  • Week 4: Deep dive into authentication: RADIUS and LDAP server configuration on FortiGate, FortiAuthenticator integration, two-factor authentication, certificate-based authentication, and Fortinet Single Sign-On (FSSO)
  • Week 5: Study RADIUS SSO (RSSO) on FortiAuthenticator, syslog integration, and how authentication events flow between FortiAuthenticator, FortiGate, and RADIUS/LDAP servers
  • Week 6: Learn NAC and Zero-Trust: NAC policies, MAC Authentication Bypass, dynamic VLAN assignment, VLAN pooling, device profiling, guest portals, and quarantine mechanisms
  • Week 7: Study Security Fabric and FortiManager integration: centralized management, zero-touch provisioning, firmware management, template deployment, and FortiAIOps
  • Week 8: Focus on troubleshooting: FortiLink connectivity issues, CAPWAP tunnel failures, authentication debugging, CLI diagnostics, and monitoring tools. Take practice exams
  • Week 9: Take full-length mock exams. Review all incorrect answers and re-study weak domains. Focus on scenario-based troubleshooting
  • Week 10: Final review: revisit authentication flow diagrams, FortiLink architecture, NAC policy logic, and commonly confused concepts. Schedule your exam

Exam Overview

Format

35-45 questions, 75 minutes. Single-selection and multiple-selection multiple choice, and scenario-based questions.

Scoring

Pass/fail scoring. Fortinet does not publish a specific score — you receive a pass or fail result after completing the exam. No official penalty for wrong answers. Always answer every question.

Domains & Weights

  • FortiSwitch Deployment and Management: 20%
  • FortiAP and Wireless Infrastructure: 20%
  • Authentication and Single Sign-On: 25%
  • Network Access Control and Security: 20%
  • Security Fabric and FortiManager Integration: 15%

Registration

$400 USD. Available at Pearson VUE testing centers worldwide. Exam fee is $200 USD per attempt (pricing updated October 2025).

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

  • Tier 1 (Must Know): You must understand these technologies deeply, know their configuration, and be able to troubleshoot them in scenarios. These appear across multiple questions.
  • Tier 2 (Should Know): Understand what these are and their key configuration parameters. May appear in 2-4 questions each.
  • Tier 3 (Recognize Only): Know what these are at a high level. Rarely more than 1 question each.

Domain 1 (20% of exam)

FortiSwitch Deployment and Management

This domain covers deploying and managing FortiSwitch devices through FortiGate via FortiLink. You must understand managed vs standalone modes, FortiLink protocol operation, VLAN configuration, port and trunk management, and zero-touch provisioning. Expect scenario-based questions about switch deployment architecture and troubleshooting connectivity issues.

Key Topics

FortiLink, FortiSwitch, VLANs, Trunk Ports, ISL, Zero-Touch Provisioning, FortiGate Switch Controller

Must-Know Concepts

  • FortiLink protocol: how FortiGate discovers FortiSwitch units, the authorization process (manual vs automatic), and how policies extend to switch ports
  • FortiSwitch managed mode vs standalone mode: managed mode uses FortiGate as controller via FortiLink; standalone mode operates independently with local management
  • VLAN configuration through FortiGate: native VLAN, allowed VLANs per port, quarantine VLAN (4093), and how VLANs are pushed to managed switches
  • Trunk port configuration: inter-switch link (ISL) auto-generation, manual trunk creation, VLAN pruning on ISL ports, and VLAN optimization to limit VLANs on auto-generated trunks
  • Zero-touch provisioning workflow: FortiSwitch connects to FortiManager or FortiGate, receives configuration automatically, and joins the managed fabric without manual setup
  • FortiLink interface requirements: DHCP server must be enabled on the FortiLink interface, NTP must be configured locally, and the interface must have an IP for management
  • Switch stacking and multi-tier topologies: how FortiSwitch units can be daisy-chained and managed in hierarchical topologies through FortiLink
  • Port security features: DHCP snooping, dynamic ARP inspection, IP source guard, and storm control configured through FortiGate on managed ports

Common Exam Traps

FortiLink requires DHCP to be enabled on the FortiLink interface for switch discovery. If DHCP is not configured, the FortiSwitch cannot obtain an IP address and will not be discovered
VLAN optimization limits VLANs on auto-generated ISL trunks to only user-defined VLANs. Without it, all VLANs 1-4093 are allowed on ISL ports, increasing unnecessary traffic
Security policies on FortiGate control transit traffic, NOT the management traffic between FortiGate and FortiSwitch. A missing security policy will not prevent FortiLink from establishing
When a FortiSwitch first connects, it appears as Unauthorized until explicitly authorized by the administrator, unless automatic authorization is enabled on the FortiGate
FortiSwitch firmware must be compatible with the FortiGate FortiOS version. Version mismatches can prevent FortiLink from establishing
Quick Check: FortiSwitch Deployment and Management

Question 1 of 3

A network administrator deploys a new FortiSwitch and connects it to a FortiGate via FortiLink. The switch is discovered but shows as 'Unauthorized' in the FortiGate GUI. What should the administrator do to bring the switch online?

Domain 2 (20% of exam)

FortiAP and Wireless Infrastructure

This domain covers deploying and managing FortiAP wireless access points through FortiGate. You must understand CAPWAP operation, tunnel vs bridge mode, SSID and wireless profile configuration, AP authorization, radio management, rogue AP detection, and wireless NAC. Expect questions on wireless architecture design and troubleshooting connectivity problems.

Key Topics

FortiAP, CAPWAP, SSID, Wireless Profiles, Rogue AP Detection, FortiAIOps, Wireless Controller

Must-Know Concepts

  • CAPWAP protocol operation: how FortiGate discovers FortiAP devices, the AP authorization process, and how wireless profiles are pushed to access points
  • Tunnel mode vs bridge mode: tunnel mode sends all wireless traffic through CAPWAP to FortiGate for inspection; bridge mode forwards traffic locally at the AP layer
  • SSID configuration: creating SSIDs, binding them to wireless profiles, assigning VLANs, configuring authentication methods (WPA2/WPA3-Enterprise, PSK, open with captive portal)
  • Wireless profile and AP platform configuration: radio settings (channel, power, band), AP profile assignment, and how profiles determine AP behavior
  • AP authorization: manual vs automatic authorization, how APs appear in the FortiGate wireless controller, and what happens when an unauthorized AP connects
  • Rogue AP detection and suppression: how FortiAP scans for unauthorized APs, classification of rogue APs, and available suppression actions
  • Wireless NAC support: NAC profiles for wireless clients, onboarding VLANs, device profiling, and how NAC policies interact with wireless authentication
  • FortiAIOps for wireless monitoring: AI-driven anomaly detection, performance optimization recommendations, and wireless health monitoring
  • Security Fabric Connection requirement: FortiAPs only appear in the Fabric topology when connected to an interface with Security Fabric Connection enabled

Common Exam Traps

In tunnel mode, ALL wireless traffic goes through the FortiGate CAPWAP tunnel for inspection. In bridge mode, traffic is forwarded locally. The exam tests when each mode is appropriate
FortiAPs connected to a VLAN that does not have Security Fabric Connection enabled will not appear in the Security Fabric topology and may not be onboarded for management
CAPWAP uses UDP port 5246 for control and UDP port 5247 for data. Firewalls between FortiGate and FortiAP must allow these ports
Wireless NAC requires at minimum 2 VLANs: an onboarding VLAN and the target VLAN for matched devices. Both VLANs must have L3 settings including DHCP
Rogue AP suppression can interfere with legitimate neighboring wireless networks. It should only be enabled after confirming the AP is truly unauthorized
Quick Check: FortiAP and Wireless Infrastructure

Question 1 of 3

A company requires all wireless traffic to be inspected by FortiGate security policies before reaching the corporate network. Which FortiAP deployment mode should be configured?

Domain 3 (25% of exam)

Authentication and Single Sign-On

The heaviest domain at 25% of the exam. Covers advanced authentication using RADIUS, LDAP, FortiAuthenticator, FSSO, RSSO, certificate-based authentication, two-factor authentication, and captive portals. You must understand authentication flows end-to-end, from user credential submission through RADIUS/LDAP verification to FortiGate policy enforcement. Master this domain or you risk failing.

Key Topics

RADIUS, LDAP, FortiAuthenticator, FSSO, RSSO, Two-Factor Authentication, Certificates, Captive Portal

Must-Know Concepts

  • RADIUS server configuration on FortiGate: server IP, shared secret, authentication port (1812), accounting port (1813), and testing connectivity
  • LDAP server configuration on FortiGate: server IP, port (389/636), bind type (simple, regular, anonymous), distinguished name, user DN, and group filter syntax
  • FortiAuthenticator as RADIUS server: configuring FortiAuthenticator to act as a RADIUS server for FortiGate, with backend LDAP/AD integration for user validation
  • RADIUS Single Sign-On (RSSO): FortiAuthenticator receives RADIUS accounting start/stop messages from NAS devices and forwards user session info to FortiGate
  • Fortinet Single Sign-On (FSSO): monitors Windows AD domain controller logon events via DC Agent, polling, or FortiAuthenticator and sends user-to-IP mappings to FortiGate
  • Two-factor authentication: FortiToken hardware and mobile, email tokens, SMS tokens. Know where 2FA is configured and how it integrates with RADIUS and local authentication
  • Certificate-based authentication: digital certificates for user and device authentication, FortiAuthenticator as Certificate Authority, and certificate validation chains
  • Syslog integration with FortiAuthenticator: configuring syslog sources to feed authentication events into FortiAuthenticator for RSSO processing
  • Captive portal authentication: redirect mechanisms, portal types (local, external, FortiAuthenticator), guest user provisioning, and session timeout settings
  • Authentication flow order: 802.1X attempted first, then MAB fallback, then captive portal for web-based authentication

Common Exam Traps

RSSO and FSSO both achieve transparent SSO, but from different sources: RSSO uses RADIUS accounting messages from network devices; FSSO uses Windows AD logon events. Choosing the wrong one is a common exam mistake
LDAP bind type matters: simple bind sends credentials in cleartext, regular bind uses the bind DN, and anonymous bind has no credentials. The exam tests which bind type to use in different security requirements
FortiAuthenticator can act as BOTH a RADIUS server AND a RADIUS client. As a server, it authenticates users. As a client, it receives RADIUS accounting for RSSO. Do not confuse the two roles
Two-factor authentication on FortiGate requires the user to have a FortiToken associated in the user account configuration. Simply enabling 2FA globally is not sufficient
RADIUS shared secret must match exactly between FortiGate and the RADIUS server. A mismatch silently fails authentication without clear error messages
Quick Check: Authentication and Single Sign-On

Question 1 of 4

A network uses a wireless LAN controller that sends RADIUS accounting messages when users authenticate. The security team wants FortiGate to apply identity-based policies without requiring users to authenticate again. Which SSO method should be configured?

Domain 4 (20% of exam)

Network Access Control and Security

This domain covers Zero-Trust LAN Access using NAC policies, 802.1X authentication, MAC Authentication Bypass, dynamic VLAN assignment, VLAN pooling, guest portals, and quarantine mechanisms. You must understand how devices are profiled, authenticated, and placed into appropriate network segments based on their identity and security posture.

Key Topics

NAC Policies, 802.1X, MAC Authentication Bypass, Dynamic VLAN, VLAN Pooling, Guest Portal, Quarantine, Device Profiling

Must-Know Concepts

  • NAC policy configuration on FortiGate: matching criteria (device type, OS, MAC, EMS tag, user group), actions (VLAN assignment, quarantine), and policy order evaluation
  • 802.1X port-based authentication: supplicant, authenticator (FortiSwitch), and authentication server (RADIUS) roles. How 802.1X controls port access before and after authentication
  • MAC Authentication Bypass (MAB): fallback authentication for non-802.1X devices (printers, IP phones, IoT). The switch sends the device MAC as both username and password to RADIUS
  • Authentication order: 802.1X is attempted first, if no supplicant response then MAB is tried, then optional fallback to captive portal for web-based authentication
  • Dynamic VLAN assignment via RADIUS: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes returned by RADIUS server to specify the target VLAN
  • VLAN pooling: distributing authenticated users across multiple VLANs to reduce broadcast domain size. Round-robin or hash-based distribution methods
  • Guest portal configuration: captive portal redirect, guest user provisioning, temporary access duration, isolated guest VLANs, and sponsor-based approval workflows
  • Quarantine mechanisms: automatic quarantine triggered by Security Fabric events, manual quarantine by administrators, quarantine VLAN (4093), and quarantine firewall address groups
  • FortiLink NAC: NAC policies applied to FortiSwitch ports managed through FortiGate, controlling wired access based on device identity and compliance

Common Exam Traps

802.1X requires a supplicant on the endpoint. Devices without supplicant capability (printers, cameras) cannot use 802.1X and must fall back to MAB. The exam tests whether you know which devices need MAB
MAB sends the MAC address as both username and password in lowercase without separators by default, but this format depends on the RADIUS server configuration. Format mismatches cause authentication failures
Dynamic VLAN requires three specific RADIUS attributes: Tunnel-Type (VLAN), Tunnel-Medium-Type (802), and Tunnel-Private-Group-ID (VLAN ID or name). Missing any one attribute causes VLAN assignment to fail
Quarantine VLAN 4093 is the default. It is automatically included in the allowed VLANs on all FortiSwitch ports. Devices quarantined are moved to this VLAN, not disconnected from the network
NAC policies on FortiGate are evaluated in order from top to bottom. The first matching policy is applied. Incorrect policy ordering is a common misconfiguration
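
The dynamic VLAN and MAB traps above, as an added troubleshooting example (not from the original page or from Fortinet): it parses a constructed RADIUS Access-Accept, reports which of the three tunnel attributes is missing or wrong, and normalizes a MAC to the default MAB username form. The numeric codes (attribute types 64, 65, 81; values 13 and 6) come from RFC 2868 and RFC 3580 rather than the page, and all function names and sample packets are assumptions made for illustration.

```python
import struct

# Attribute types from RFC 2868; VLAN values from RFC 3580 (not given on the page).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802
ACCESS_ACCEPT = 2

def attr(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([atype, len(value) + 2]) + value

def tagged_int(atype, number, tag=0):
    """Tunnel-Type and Tunnel-Medium-Type carry a tag byte plus a 3-byte integer."""
    return attr(atype, bytes([tag]) + number.to_bytes(3, "big"))

def build_accept(attrs, ident=1):
    """Constructed Access-Accept. The authenticator is zeroed: this example
    inspects attributes only and does not verify the shared secret."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_attrs(packet):
    """Return {attribute type: [raw value, ...]} for an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos, found = 20, {}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        found.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return found

def tagged_value(raw):
    """Integer behind the tag byte, or None when the value is not 4 bytes long."""
    return int.from_bytes(raw[1:], "big") if len(raw) == 4 else None

def dynamic_vlan(packet):
    """Return (vlan, problems); vlan is None unless all three attributes are usable."""
    attrs, problems = parse_attrs(packet), []
    for atype, name, wanted in ((TUNNEL_TYPE, "Tunnel-Type", TUNNEL_TYPE_VLAN),
                                (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type",
                                 TUNNEL_MEDIUM_IEEE_802)):
        values = attrs.get(atype)
        if not values:
            problems.append(name + " missing")
        elif tagged_value(values[0]) != wanted:
            problems.append("%s is %s, expected %d"
                            % (name, tagged_value(values[0]), wanted))
    group, vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID), ""
    if group:
        raw = group[0]
        # A first byte of 0x1F or below is a tag (RFC 2868); printable VLAN IDs
        # and names start above it, so strip it before decoding.
        if raw and raw[0] <= 0x1F:
            raw = raw[1:]
        vlan = raw.decode("ascii", "replace")
    if not vlan:
        problems.append("Tunnel-Private-Group-ID missing or empty")
    return (vlan if not problems else None), problems

def mab_username(mac):
    """Lowercase hex without separators, the default MAB form the page describes."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

# Constructed sample replies (not captured traffic).
GOOD = build_accept(tagged_int(TUNNEL_TYPE, 13) + tagged_int(TUNNEL_MEDIUM_TYPE, 6)
                    + attr(TUNNEL_PRIVATE_GROUP_ID, b"30"))
NO_MEDIUM = build_accept(tagged_int(TUNNEL_TYPE, 13)
                         + attr(TUNNEL_PRIVATE_GROUP_ID, b"30"))
WRONG_TYPE = build_accept(tagged_int(TUNNEL_TYPE, 3) + tagged_int(TUNNEL_MEDIUM_TYPE, 6)
                          + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01IoT"))

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("no medium", NO_MEDIUM), ("wrong type", WRONG_TYPE)):
        print(label, dynamic_vlan(pkt))
    print(mab_username("00:1A:2B:3C:4D:5E"))
```
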
Quick Check: Network Access Control and Security

Question 1 of 3

A company needs to provide network access to IP security cameras that do not support 802.1X authentication. The cameras should be placed in a dedicated IoT VLAN. Which combination of features should be configured?

Domain 5 (15% of exam)

Security Fabric and FortiManager Integration

This domain covers centralizing LAN Edge management through FortiManager and integrating components into the Fortinet Security Fabric. You must understand template deployment, firmware management, zero-touch provisioning, fabric topology, and monitoring with FortiAIOps. While the smallest domain by weight, these topics tie the entire LAN Edge infrastructure together.

Key Topics

FortiManager, Security Fabric, Zero-Touch Provisioning, Templates, Firmware Management, FortiAIOps

Must-Know Concepts

  • FortiManager centralized management: managing FortiGate, FortiSwitch, and FortiAP devices from a single console, including configuration templates and policy packages
  • Template deployment: system templates, device templates, and CLI templates pushed from FortiManager to managed devices for consistent configuration across sites
  • Zero-touch provisioning via FortiManager: pre-staging device configurations, automatic deployment when devices connect, and model device support for planning
  • Firmware management: centralized firmware upgrades across FortiGate, FortiSwitch, and FortiAP devices, firmware compliance checking, and scheduling upgrade windows
  • Security Fabric topology: how devices appear in the fabric topology view, root FortiGate requirements, upstream/downstream relationships, and fabric connector configuration
  • FortiAIOps configuration: enabling AI-driven monitoring, wireless performance analytics, anomaly detection, and optimization recommendations
  • Multi-site management: managing LAN Edge deployments across multiple locations from a single FortiManager, ADOM (Administrative Domain) usage for multi-tenant management
  • Monitoring and troubleshooting tools: FortiGate CLI diagnostics for FortiSwitch and FortiAP, wireless health dashboards, event logs, and SNMP monitoring

Common Exam Traps

FortiManager pushes configurations TO devices. It does not enforce real-time policies. There can be configuration drift if devices are modified locally after FortiManager deployment
Zero-touch provisioning requires the device to reach FortiManager. DNS and FortiGuard connectivity must be available for the device to resolve and contact FortiManager automatically
FortiAIOps is a monitoring and recommendation tool, not an enforcement tool. It suggests optimizations but does not automatically apply configuration changes
Security Fabric requires a root FortiGate. Without a root device configured, downstream FortiSwitch and FortiAP devices will not appear in the fabric topology
ADOM (Administrative Domain) in FortiManager is for multi-tenant management. Each ADOM can have different administrators, policies, and devices. The exam may test ADOM-level isolation
Quick Check: Security Fabric and FortiManager Integration

Question 1 of 3

An organization deploys 50 new FortiSwitch units across 10 branch offices. They want all switches to receive their configuration automatically upon first connection without any on-site manual setup. Which FortiManager feature should be used?

Fortinet Technologies You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

FortiLink (FortiSwitch) vs CAPWAP (FortiAP)

Use FortiLink (FortiSwitch) when…

Protocol used by FortiGate to discover, manage, and configure FortiSwitch devices over Ethernet. Extends Security Fabric policies to switch ports.

Use CAPWAP (FortiAP) when…

Protocol used by FortiGate to discover, manage, and configure FortiAP wireless access points. Controls wireless profiles, SSIDs, and radio settings.

Exam trap

Both protocols allow FortiGate to centrally manage LAN Edge devices, but they are different protocols for different device types. FortiLink manages switches; CAPWAP manages wireless APs. Do not confuse which protocol applies to which device.

RADIUS SSO (RSSO) vs Fortinet SSO (FSSO)

Use RADIUS SSO (RSSO) when…

FortiAuthenticator receives RADIUS accounting messages from network equipment (switches, wireless controllers, VPN) and forwards user session information to FortiGate for transparent policy enforcement.

Use Fortinet SSO (FSSO) when…

FortiAuthenticator or FSSO agent monitors Windows Active Directory logon/logoff events and sends user-to-IP mappings to FortiGate for identity-based policy enforcement.

Exam trap

RSSO is triggered by RADIUS accounting messages from network devices. FSSO is triggered by Windows AD logon events. Both achieve transparent SSO, but they monitor different event sources. The exam tests whether you know which SSO method to use based on the authentication infrastructure.

Tunnel Mode (FortiAP) vs Bridge Mode (FortiAP)

Use Tunnel Mode (FortiAP) when…

Wireless traffic is encapsulated in a CAPWAP tunnel and sent to FortiGate for inspection and policy enforcement. All traffic passes through the FortiGate firewall.

Use Bridge Mode (FortiAP) when…

Wireless traffic is bridged locally at the FortiAP to the wired network. Traffic does not pass through FortiGate, reducing latency but bypassing centralized inspection.

Exam trap

Tunnel mode provides full FortiGate security inspection but adds latency. Bridge mode offers lower latency but skips FortiGate inspection. The exam tests when each mode is appropriate: tunnel for security-sensitive environments, bridge for performance-sensitive local traffic.

FortiGate NAC Policies vs FortiNAC

Use FortiGate NAC Policies when…

NAC policies configured directly on FortiGate to match devices by type, OS, MAC, user group, or EMS tag and assign them to VLANs. Built into FortiOS for Fortinet-only environments.

Use FortiNAC when…

Standalone NAC appliance providing advanced device profiling, automated responses, and policy enforcement across multi-vendor network environments including non-Fortinet switches and APs.

Exam trap

FortiGate NAC policies are built into FortiOS and work with FortiSwitch and FortiAP. FortiNAC is a separate product for complex multi-vendor environments. The exam focuses on FortiGate NAC policies, but may use FortiNAC as a distractor answer.

Security Policies vs FortiLink Management Traffic

Use Security Policies when…

Firewall policies on FortiGate that control transit traffic flowing through the firewall between network interfaces, zones, and VLANs.

Use FortiLink Management Traffic when…

Control plane traffic between FortiGate and managed FortiSwitch/FortiAP devices for management, configuration, and status communication. This is NOT controlled by security policies.

Exam trap

Security policies control user/transit traffic, NOT management traffic between FortiGate and its managed switches or APs. Confusing these is a common exam trap. If a FortiSwitch cannot connect, the issue is likely FortiLink interface configuration, not a missing security policy.

RADIUS Authentication vs LDAP Authentication

Use RADIUS Authentication when…

AAA protocol for centralized authentication. Commonly used for network device access (802.1X, VPN, WiFi). Supports accounting and authorization attributes for dynamic VLAN assignment.

Use LDAP Authentication when…

Directory query protocol for looking up user accounts and group memberships from Active Directory or other directory services. Used for user validation and group-based policy assignment.

Exam trap

RADIUS provides full AAA (authentication, authorization, accounting) and is used for network access control with dynamic VLAN assignment via RADIUS attributes. LDAP is primarily for user lookup and group membership queries. The exam tests which protocol to use for specific scenarios like 802.1X (RADIUS) vs user group lookup (LDAP).

Dynamic VLAN Assignment vs VLAN Pooling

Use Dynamic VLAN Assignment when…

RADIUS server returns specific VLAN attributes during authentication, placing the user into a single designated VLAN based on their role, department, or security posture.

Use VLAN Pooling when…

Multiple VLANs are grouped into a pool. Authenticated users are distributed across VLANs in the pool to prevent any single broadcast domain from becoming too large.

Exam trap

Dynamic VLAN puts users into ONE specific VLAN based on RADIUS attributes. VLAN pooling distributes users across MULTIPLE VLANs for load distribution. Both are dynamic, but they serve different purposes: role-based assignment vs broadcast domain optimization.

802.1X Authentication vs MAC Authentication Bypass (MAB)

Use 802.1X Authentication when…

Port-based network access control where the endpoint runs a supplicant that authenticates to a RADIUS server through the switch acting as authenticator. Requires endpoint software support.

Use MAC Authentication Bypass (MAB) when…

Fallback authentication for devices that cannot run 802.1X supplicants (printers, cameras, IoT). The switch uses the device MAC address as credentials to authenticate against RADIUS.

Exam trap

802.1X requires a supplicant on the endpoint. MAB is the fallback for devices without supplicant capability. The exam tests the authentication order: 802.1X is attempted first, and MAB is the fallback. MAB is less secure because MAC addresses can be spoofed.

Top Mistakes to Avoid

Confusing FortiLink (for FortiSwitch management) with CAPWAP (for FortiAP management) — they are different protocols for different device types
Mixing up RSSO (triggered by RADIUS accounting messages) with FSSO (triggered by Windows AD logon events) — both achieve transparent SSO but monitor different sources
Thinking security policies on FortiGate control FortiLink management traffic — security policies control transit traffic, not the control plane between FortiGate and managed switches
Forgetting that FortiSwitch appears as Unauthorized after initial FortiLink connection and must be explicitly authorized before it can be managed
Confusing tunnel mode (traffic sent through CAPWAP to FortiGate for inspection) with bridge mode (traffic forwarded locally at the AP) for FortiAP deployments
Not knowing that wireless NAC requires at minimum 2 VLANs (onboarding VLAN and target VLAN) with L3 settings including DHCP on both
Assuming dynamic VLAN assignment works without all three required RADIUS attributes: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID
Confusing FortiGate NAC policies (built into FortiOS) with FortiNAC (separate dedicated appliance for multi-vendor environments)
Forgetting that VLAN optimization limits auto-generated ISL trunks to user-defined VLANs only — without it, all 4093 VLANs are allowed on trunk ports
Treating FortiAIOps as an enforcement tool when it only provides monitoring and recommendations — it does not automatically apply changes

Exam-Ready Checklist

Can explain the FortiLink protocol and how FortiGate discovers, authorizes, and manages FortiSwitch devices
Understand CAPWAP operation for FortiAP management including tunnel mode vs bridge mode and when to use each
Can configure RADIUS and LDAP authentication on FortiGate including server settings, bind types, and troubleshooting
Know the difference between RSSO and FSSO: what triggers each, how they flow through FortiAuthenticator, and when to use each
Can configure NAC policies including 802.1X, MAB fallback, dynamic VLAN assignment, and VLAN pooling
Understand the authentication order: 802.1X first, then MAB fallback, then captive portal for web-based authentication
Can configure FortiManager templates, zero-touch provisioning, and firmware management for multi-site deployments
Know how Security Fabric topology works: root FortiGate, downstream devices, and fabric connector requirements
Can troubleshoot FortiLink connectivity issues: DHCP on FortiLink interface, switch authorization, firmware compatibility
Understand quarantine mechanisms: automatic quarantine via Security Fabric automation, manual quarantine, quarantine VLAN 4093
Can explain VLAN configuration on managed FortiSwitch: native VLAN, allowed VLANs, VLAN pruning, and VLAN optimization
Know FortiAuthenticator roles: RADIUS server for user authentication AND RADIUS client for RSSO accounting, plus certificate authority features
Scored 70%+ on at least two full practice exams covering all five domains

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
