NSE4

Basics for NSE4 - FortiOS 7.6 Administrator

Routing

RPF - Reverse Path Forwarding

Anti IP Spoofing.

✅ Strict RPF (uRPF strict)

A packet is allowed only if the best (longest-match / preferred) route back to the source IP would exit the same interface the packet arrived on.

Think: “Would I send the reply back out the same interface?” If no → drop.

✅ Loose RPF (uRPF loose)

A packet is allowed if the firewall/router has any route at all to the source IP (regardless of interface). It's basically a route existence check.

Think: “Do I have some route to that source?” If yes → allow.

RPF Example

Topology (classic multi-homed/asymmetric routing)

       ISP-A (WAN1) -----------------
         |                           \
         | (best route to source)     \  Internet
     +---+---+                         \
     | Forti |                          \
     | Gate  |                           \
     +---+---+                            \
         |                                 \
       ISP-B (WAN2) ------------------------(packet arrives here)

Routing table on FortiGate (simplified):

- 203.0.113.0/24 via WAN1 ← best/preferred route
- default route(s), etc.

Traffic event

A packet arrives on WAN2:

- Src = 203.0.113.5
- Dst = your public VIP / service
- Ingress interface = WAN2

RPF decision

Strict RPF:

- Look up route to 203.0.113.5
- Best route says: send to WAN1
- But packet came in WAN2
- Mismatch → DROP

Loose RPF:

- Look up route to 203.0.113.5
- A route exists (via WAN1)
- Loose mode does not care that it arrived on WAN2
- Route exists → ALLOW
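The decision above, simulated in Python as an added example (not FortiOS code and not from any Fortinet document): a longest-prefix-match lookup over a small constructed routing table, then the strict and loose checks applied to the same packet. The table, interface names and addresses are constructed to match the topology in these notes. It goes one step beyond the notes by treating several equal-length best routes (equal-cost default routes via WAN1 and WAN2) as all valid for strict mode, which is how a multi-homed box with ECMP defaults behaves.

```python
"""Strict vs loose RPF decision, simulated over a small routing table.

Added example for the notes above; the table and addresses are constructed,
not a real FortiGate configuration.
"""
import ipaddress

# Constructed routing table: (prefix, egress interface).
# 203.0.113.0/24 is reachable via WAN1; default routes exist via both ISPs.
ROUTES = [
    ("203.0.113.0/24", "WAN1"),
    ("0.0.0.0/0", "WAN1"),
    ("0.0.0.0/0", "WAN2"),
]


def longest_match(table, src_ip):
    """Return the set of egress interfaces of the most specific route(s) covering src_ip.

    Several routes sharing the longest prefix length are equal-cost routes, so
    all of their interfaces are returned. An empty set means no route at all.
    """
    addr = ipaddress.ip_address(src_ip)
    best_len = -1
    ifaces = set()
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, ifaces = net.prefixlen, {iface}
        elif net.prefixlen == best_len:
            ifaces.add(iface)
    return ifaces


def rpf_check(table, src_ip, ingress_iface, mode):
    """Return True if the packet passes RPF, False if it would be dropped.

    strict: the best route back to the source must leave via ingress_iface
            (a tie among equal-cost best routes counts as a match).
    loose:  any route covering the source, on any interface, is enough.
    """
    best = longest_match(table, src_ip)
    if mode == "strict":
        return ingress_iface in best
    if mode == "loose":
        return bool(best)
    raise ValueError(f"unknown RPF mode: {mode}")


if __name__ == "__main__":
    # Traffic event from the notes: src 203.0.113.5 arriving on WAN2.
    for mode in ("strict", "loose"):
        verdict = "ALLOW" if rpf_check(ROUTES, "203.0.113.5", "WAN2", mode) else "DROP"
        print(f"{mode:6s} RPF, src 203.0.113.5 via WAN2 -> {verdict}")
```

Caveat worth noticing when you run it: as long as a default route is present, loose mode passes every source, because some route always covers it. Loose RPF only drops a packet when its source falls outside every prefix in the table, so on a box with a default route it catches far less spoofing than strict mode does.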

FSSO - Fortinet Single Sign On

FSSO is about mapping an IP address → a user (and groups) so FortiGate can apply identity-based policies without prompting users to log in again.

When a user logs in, FSSO typically collects: username, domain, workstation, IP address, and group membership, and forwards it to FortiGate/FortiManager.

Building blocks

A) Collector Agent (CA) (Windows FSSO agent)

The FSSO Collector Agent runs as a service and collects logon events, then sends user/IP mappings to FortiGate (often based on group filters).

It can collect data either from DC Agents or by polling Domain Controllers directly.

B) DC Agent (domain controller plugin)

In DC Agent mode, each Domain Controller has a Fortinet DC Agent installed (a DLL), which reads auth events and forwards them to the Collector.

C) Polling mode (no software on DCs)

In Polling mode, the Collector Agent polls the DCs for logon events and forwards them to FortiGate.

Security Profiles

Anti Virus

Web Filter

IPS

Application Control

Certificates