Status:
Available
The Fortinet NSE 7 - Secure Networking 7.6 Architect exam evaluates your knowledge and expertise in designing, administering, and supporting secure SD-WAN and an enterprise security infrastructure composed of multiple FortiGate devices.
This exam tests your applied knowledge of advanced FortiGate configuration and operation, and includes operational scenarios; incident analysis; integration with FortiManager, FortiAnalyzer, and SD-WAN technologies; and troubleshooting scenarios.
Once you pass the exam, you will receive the following exam badge:

Audience
The Fortinet NSE 7 - Secure Networking Architect exam is intended for network and security professionals responsible for designing, administering, and supporting secure SD-WAN and an enterprise security infrastructure composed of multiple FortiGate devices.
Exam Details
| Exam name |
Fortinet NSE 7 - Secure Networking Architect |
| Time allowed |
60–70 minutes |
| Exam questions |
40–50 questions |
| Scoring |
Pass or fail. A score report is available from your Pearson VUE account. |
| Language |
English |
| Product version |
FortiGate 7.6, FortiManager 7.6, FortiAnalyzer 7.6 |
Exam Topics
Successful candidates have applied knowledge and skills in the following areas and tasks:
System configuration and SD-WAN setup (20–30% of the exam)
| Tasks |
Details |
| Implement the Fortinet Security Fabric |
- Fabric Connectors versus external connectors
- Automation Stitches
- Use cases—SAML single sign-on (SSO) in the Security Fabric, automated quarantine with Security Fabric and indicator of compromise (IoC) detection
- Use cases—integrating FortiNAC with dynamic firewall addressing, adding FortiNDR (formerly FortiAI) to the Security Fabric
- Use cases—FortiGate automation for configuration backups, running CLI scripts for high CPU scenarios
|
| Configure different operation modes for a high availability (HA) cluster |
- FortiGate Clustering Protocol (FGCP)
- Active-active load balancing
- Extension of FGCP—virtual clustering
- Virtual MAC addresses
- Ethernet types and sync optimization
- Use cases—VDOM partitioning (high traffic volume)
- FortiGate Session Life Support Protocol (FGSP)
- Sample FGSP standalone sync
- Standalone sync—coverage and limits
- Use cases—session synchronization encryption using IPsec tunnels, inspection with asymmetric traffic―layer 2, inspection with asymmetric traffic for cloud environments
- Effective HA: FGCP, FGSP, VRRP insights
|
| Implement enterprise networks using VLANs and VDOMs |
- VLANs on FortiGate
- Virtual LAN switch
- VDOM types
- Use cases—segmentation through VLANs, internet access through inter-VDOM routing
|
| Deploy an enterprise SD-WAN setup |
- SD-WAN fundamentals
- SD-WAN basic components
- Architecture components
- Use case identification
- SD-WAN direct internet access (DIA): DIA topologies, DIA best practices and recommended settings
- Use cases—basic SD-WAN DIA setup
- SD-WAN basic monitoring
- SD-WAN traffic distribution and member health
- SD-WAN widgets
- SD-WAN traffic logs and events
|
Central management (15–25% of the exam)
| Tasks |
Details |
| Implement branch configuration deployments |
- Zero-touch provisioning (ZTP) of SD-WAN branches
- ZTP basics
- Device deployment with ZTP
- Device blueprints and using CSV files to import devices
|
| Use SD-WAN Manager and overlay orchestration |
- FortiManager features for SD-WAN
- SD-WAN management on FortiManager
- Metadata variable configuration and use
- SD-WAN core settings on FortiManager
- Planning SD-WAN deployment with FortiManager
- Key deployment elements
- New SD-WAN deployments with a dedicated FortiManager
- Converting a topology for SD-WAN with FortiManager
- Templates and template groups
- IPsec configuration with FortiManager
- Describing IPsec templates available on FortiManager
- Using IPsec templates to configure hub-and-spoke IPsec VPNs
- Configuring IPsec interfaces as SD-WAN members
- SD-WAN overlay template—FortiManager SD-WAN overlay template
- Use cases
|
Security profiles (5–15% of the exam)
| Tasks |
Details |
| Manage SSL/SSH inspection profiles |
- Multiple clients connecting to multiple servers versus protecting SSL servers
- SSL strategies—certificate inspection versus full inspection
- Server certificate server name indication (SNI) check feature
- Dealing with false positive events
- HTTP and HTTPS code injection
- Use cases—certificate errors on FortiGate
|
| Use a combination of web filtering, application control, intrusion prevention system (IPS), and Internet Service Database (ISDB) to secure the network |
- Impact on firewall performance
- Security profiles—device performance
- Use cases: protecting server and client targets, false positive events, HTTP and HTTPS code injection, IPS sensors using CVE patterns
|
Rules and routing (25–35% of the exam)
| Tasks |
Details |
| Implement OSPF to route enterprise traffic |
- OSPF overview, access lists, prefix lists, route maps, protocol redistribution
- OSPF over IPsec, OSPF equal-cost multi-path (ECMP)
- Use cases
|
| Implement BGP to route enterprise traffic |
- BGP overview
- Access lists, prefix lists, route maps, protocol redistribution
- ECMP with BGP routes
- Loopback interfaces as BGP sources
- The
neighbor-group command
- Optimizing BGP for rapid convergence: BGP convergence, route reflectors, BFD parameter, the
graceful-restart command
- Use cases
|
| Design SD-WAN rules |
- User-defined SD-WAN rules
- SD-WAN rule lookup process
- SD-WAN for local-out traffic
- Implicit SD-WAN rule
- Monitoring SD-WAN rule status
- SD-WAN rule strategies
- SD-WAN rule traffic matching criteria
- Application steering and application learning phases
- Internet services as destination criteria
- Preferred member election based on strategy
- Advantage given to higher priority members
|
| Configure SD-WAN routing |
- Key routing principles in SD-WAN
- Policy routes
- Route lookup process
- Member static routes
- Static routes for zones
- Member probe routes
- Session tables
- Different protocol states
- Common session flags
- Session reevaluation and triggers
- Routing changes in SNAT sessions
- Routing designing for SD-WAN
- Routing considerations
- Determining which type of routing and routing protocols to use
|
Advanced IPsec (25–35% of the exam)
| Tasks |
Details |
| Implement IPsec VPN IKE version 2 |
- Mastering IPsec topology design
- Best practices—Dead Peer Detection (DPD) modes
- Impact of outbound network address translation (NAT) for IPsec interfaces with no IP addresses
- OpenSSL for IPsec VPNs
- IPsec aggregate for redundancy and traffic load balancing
- Overlapping routes in remote VPNs
- Maximum transmission unit (MTU) issues in IPsec tunnels
- Network performance optimization: MTU, TCP maximum segment size (MSS), and IPsec fragmentation
- IPsec networks with FortiManager IPsec templates
- IPsec templates
- IPsec templates autorouting
- Metadata variables in IPsec templates
- IPsec template single and dual hub-and-spoke topology
- The VPN manager and IPsec templates
- Hardware offload with IPsec encryption and decryption, forward error correction (FEC), the session
NPU-Flag field
- Dual-hub topologies
- SD-WAN with dual-hub topologies
- Dual-hub options in the SD-WAN overlay template
- Configuration specifics for large topologies
- BGP routing and self-healing
- BGP advanced options for SD-WAN
- Routing options for dual-hub topologies
- SD-WAN self-healing
- Multiregion topologies and large deployments
- Use cases for SD-WAN multiregion topologies
- Routing specifics for multiregion topologies
- MSSP deployments with SD-WAN
- VRF-aware overlays
- Use cases
|
| Configure IPsec multihub, multiregion, and large deployments |
- Dual-hub topologies and use cases
- Dual-hub options in the SD-WAN overlay template
- Configuration specifics for large topologies
- BGP routing and self-healing
- BGP advanced options for SD-WAN
- Routing options for dual-hub topologies
- SD-WAN self-healing
- Multiregion topologies and large deployments
- Use cases—SD-WAN multiregion topologies
- Routing specifics for multiregion topologies
- Common MSSP deployments with SD-WAN
- VRF-aware overlays
|
| Implement ADVPN to enable on-demand VPN tunnels between sites |
- ADVPN operation and requirements
- ADVPN in a hub-and-spoke network
- ADVPN shortcut negotiation
- ADVPN on FortiManager
- Fortinet auto-discovery VPN (ADVPN) using FortiGate or FortiManager
- Hub-and-spoke topologies using ADVPN with IBGP dual hub-and-spoke topologies using ADVPN with IBGP and EBGP
- ADVPN using the FortiManager VPN manager
- ADVPN using FortiManager IPsec templates
- SD-WAN support for ADVPN
- ADVPN 2.0 overlay placeholders
- Designing a network with SD-WAN and ADVPN
- Shortcut timeout, delay for shortcut failback, dependent shortcuts
- Alternative overlay and routing designs for ADVPN
- BGP on loopback design
- ADVPN without BGP route reflection
- Dynamic BGP
- Use cases—ADVPN 1.0 challenges, ADVPN 2.0
|
Training Resources
The following resources are recommended for attaining the knowledge and skills that are covered on the exam. The recommended training is available as a foundation for exam preparation. In addition to training, you are strongly encouraged to have hands-on experience with the exam topics and objectives.
- Enterprise Firewall 7.6 Administrator course and hands-on labs
- SD-WAN 7.6 Enterprise Administrator course and hands-on labs
- FortiOS 7.6 Administrator course and hands-on labs
- FortiManager 7.6 Administrator course and hands-on labs
- FortiAnalyzer 7.6 Administrator course and hands-on labs
- FortiAnalyzer 7.6 Analyst course and hands-on labs
- FortiOS 7.6.0—Administration Guide
- FortiOS 7.6.3—Administration Guide
- FortiOS 7.6.0—New Features
- FortiOS 7.6.3—New Features
- FortiOS 7.6.0—CLI Reference
- FortiOS 7.6.3—CLI Reference
- FortiManager 7.6.0—Administration Guide
- FortiManager 7.6.3—Administration Guide
- FortiManager 7.6.0—CLI Reference
- FortiAnalyzer 7.6—CLI Reference
- SD-WAN—Deployment Guide
Experience
- 3 years of experience with networking
- 3 years of experience with network security
- 2 years of hands-on experience with FortiGate
- 2 years of hands-on experience with FortiManager
- 2 years of hands-on experience with FortiAnalyzer