You Can Pass This Exam For Free
Choose Your Study Path
Limited Fortinet experience. You may have general networking knowledge but need to learn Fortinet-specific products, FortiLink architecture, and LAN Edge concepts from the ground up.
Exam Overview
Format
35-45 questions, 75 minutes. Single-selection and multiple-selection multiple choice, and scenario-based questions.
Scoring
Pass/fail scoring. Fortinet does not publish a specific score — you receive a pass or fail result after completing the exam. No official penalty for wrong answers. Always answer every question.
Domains & Weights
- FortiSwitch Deployment and Management20%
- FortiAP and Wireless Infrastructure20%
- Authentication and Single Sign-On25%
- Network Access Control and Security20%
- Security Fabric and FortiManager Integration15%
Registration
$400 USD. Available at Pearson VUE testing centers worldwide. Exam fee is $200 USD per attempt (pricing updated October 2025).
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
FortiSwitch Deployment and Management
This domain covers deploying and managing FortiSwitch devices through FortiGate via FortiLink. You must understand managed vs standalone modes, FortiLink protocol operation, VLAN configuration, port and trunk management, and zero-touch provisioning. Expect scenario-based questions about switch deployment architecture and troubleshooting connectivity issues.
Key Topics
Must-Know Concepts
- FortiLink protocol: how FortiGate discovers FortiSwitch units, the authorization process (manual vs automatic), and how policies extend to switch ports
- FortiSwitch managed mode vs standalone mode: managed mode uses FortiGate as controller via FortiLink; standalone mode operates independently with local management
- VLAN configuration through FortiGate: native VLAN, allowed VLANs per port, quarantine VLAN (4093), and how VLANs are pushed to managed switches
- Trunk port configuration: inter-switch link (ISL) auto-generation, manual trunk creation, VLAN pruning on ISL ports, and VLAN optimization to limit VLANs on auto-generated trunks
- Zero-touch provisioning workflow: FortiSwitch connects to FortiManager or FortiGate, receives configuration automatically, and joins the managed fabric without manual setup
- FortiLink interface requirements: DHCP server must be enabled on the FortiLink interface, NTP must be configured locally, and the interface must have an IP for management
- Switch stacking and multi-tier topologies: how FortiSwitch units can be daisy-chained and managed in hierarchical topologies through FortiLink
- Port security features: DHCP snooping, dynamic ARP inspection, IP source guard, and storm control configured through FortiGate on managed ports
Common Exam Traps
FortiAP and Wireless Infrastructure
This domain covers deploying and managing FortiAP wireless access points through FortiGate. You must understand CAPWAP operation, tunnel vs bridge mode, SSID and wireless profile configuration, AP authorization, radio management, rogue AP detection, and wireless NAC. Expect questions on wireless architecture design and troubleshooting connectivity problems.
Key Topics
Must-Know Concepts
- CAPWAP protocol operation: how FortiGate discovers FortiAP devices, the AP authorization process, and how wireless profiles are pushed to access points
- Tunnel mode vs bridge mode: tunnel mode sends all wireless traffic through CAPWAP to FortiGate for inspection; bridge mode forwards traffic locally at the AP layer
- SSID configuration: creating SSIDs, binding them to wireless profiles, assigning VLANs, configuring authentication methods (WPA2/WPA3-Enterprise, PSK, open with captive portal)
- Wireless profile and AP platform configuration: radio settings (channel, power, band), AP profile assignment, and how profiles determine AP behavior
- AP authorization: manual vs automatic authorization, how APs appear in the FortiGate wireless controller, and what happens when an unauthorized AP connects
- Rogue AP detection and suppression: how FortiAP scans for unauthorized APs, classification of rogue APs, and available suppression actions
- Wireless NAC support: NAC profiles for wireless clients, onboarding VLANs, device profiling, and how NAC policies interact with wireless authentication
- FortiAIOps for wireless monitoring: AI-driven anomaly detection, performance optimization recommendations, and wireless health monitoring
- Security Fabric Connection requirement: FortiAPs only appear in the Fabric topology when connected to an interface with Security Fabric Connection enabled
Common Exam Traps
Authentication and Single Sign-On
The heaviest domain at 25% of the exam. Covers advanced authentication using RADIUS, LDAP, FortiAuthenticator, FSSO, RSSO, certificate-based authentication, two-factor authentication, and captive portals. You must understand authentication flows end-to-end, from user credential submission through RADIUS/LDAP verification to FortiGate policy enforcement. Master this domain or you risk failing.
Key Topics
Must-Know Concepts
- RADIUS server configuration on FortiGate: server IP, shared secret, authentication port (1812), accounting port (1813), and testing connectivity
- LDAP server configuration on FortiGate: server IP, port (389/636), bind type (simple, regular, anonymous), distinguished name, user DN, and group filter syntax
- FortiAuthenticator as RADIUS server: configuring FortiAuthenticator to act as a RADIUS server for FortiGate, with backend LDAP/AD integration for user validation
- RADIUS Single Sign-On (RSSO): FortiAuthenticator receives RADIUS accounting start/stop messages from NAS devices and forwards user session info to FortiGate
- Fortinet Single Sign-On (FSSO): monitors Windows AD domain controller logon events via DC Agent, polling, or FortiAuthenticator and sends user-to-IP mappings to FortiGate
- Two-factor authentication: FortiToken hardware and mobile, email tokens, SMS tokens. Know where 2FA is configured and how it integrates with RADIUS and local authentication
- Certificate-based authentication: digital certificates for user and device authentication, FortiAuthenticator as Certificate Authority, and certificate validation chains
- Syslog integration with FortiAuthenticator: configuring syslog sources to feed authentication events into FortiAuthenticator for RSSO processing
- Captive portal authentication: redirect mechanisms, portal types (local, external, FortiAuthenticator), guest user provisioning, and session timeout settings
- Authentication flow order: 802.1X attempted first, then MAB fallback, then captive portal for web-based authentication
Common Exam Traps
Network Access Control and Security
This domain covers Zero-Trust LAN Access using NAC policies, 802.1X authentication, MAC Authentication Bypass, dynamic VLAN assignment, VLAN pooling, guest portals, and quarantine mechanisms. You must understand how devices are profiled, authenticated, and placed into appropriate network segments based on their identity and security posture.
Key Topics
Must-Know Concepts
- NAC policy configuration on FortiGate: matching criteria (device type, OS, MAC, EMS tag, user group), actions (VLAN assignment, quarantine), and policy order evaluation
- 802.1X port-based authentication: supplicant, authenticator (FortiSwitch), and authentication server (RADIUS) roles. How 802.1X controls port access before and after authentication
- MAC Authentication Bypass (MAB): fallback authentication for non-802.1X devices (printers, IP phones, IoT). The switch sends the device MAC as both username and password to RADIUS
- Authentication order: 802.1X is attempted first, if no supplicant response then MAB is tried, then optional fallback to captive portal for web-based authentication
- Dynamic VLAN assignment via RADIUS: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes returned by RADIUS server to specify the target VLAN
- VLAN pooling: distributing authenticated users across multiple VLANs to reduce broadcast domain size. Round-robin or hash-based distribution methods
- Guest portal configuration: captive portal redirect, guest user provisioning, temporary access duration, isolated guest VLANs, and sponsor-based approval workflows
- Quarantine mechanisms: automatic quarantine triggered by Security Fabric events, manual quarantine by administrators, quarantine VLAN (4093), and quarantine firewall address groups
- FortiLink NAC: NAC policies applied to FortiSwitch ports managed through FortiGate, controlling wired access based on device identity and compliance
Common Exam Traps
Security Fabric and FortiManager Integration
This domain covers centralizing LAN Edge management through FortiManager and integrating components into the Fortinet Security Fabric. You must understand template deployment, firmware management, zero-touch provisioning, fabric topology, and monitoring with FortiAIOps. While the smallest domain by weight, these topics tie the entire LAN Edge infrastructure together.
Key Topics
Must-Know Concepts
- FortiManager centralized management: managing FortiGate, FortiSwitch, and FortiAP devices from a single console, including configuration templates and policy packages
- Template deployment: system templates, device templates, and CLI templates pushed from FortiManager to managed devices for consistent configuration across sites
- Zero-touch provisioning via FortiManager: pre-staging device configurations, automatic deployment when devices connect, and model device support for planning
- Firmware management: centralized firmware upgrades across FortiGate, FortiSwitch, and FortiAP devices, firmware compliance checking, and scheduling upgrade windows
- Security Fabric topology: how devices appear in the fabric topology view, root FortiGate requirements, upstream/downstream relationships, and fabric connector configuration
- FortiAIOps configuration: enabling AI-driven monitoring, wireless performance analytics, anomaly detection, and optimization recommendations
- Multi-site management: managing LAN Edge deployments across multiple locations from a single FortiManager, ADOM (Administrative Domain) usage for multi-tenant management
- Monitoring and troubleshooting tools: FortiGate CLI diagnostics for FortiSwitch and FortiAP, wireless health dashboards, event logs, and SNMP monitoring
Common Exam Traps
Fortinet Technologies You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.