NSE8 Topics - Practical (870) and Written (812)

NSE8 Exam information

The following section outlines the topics assessed in both the Written exam (NSE8_812) and the practical lab (NSE8_870) required for the NSE8. The topics below were taken from the NSE 8 Certification Public Handbook, last updated on the 18th of January 2023.

The NSE8 Written exam is $400 USD and is taken through Pearson Vue test centers or online using the Pearson Vue systems. There are 60 questions and you have 120 minutes to complete it.

The NSE8 Practical exam is a 9 hour online practical assessment divided over two sessions:
the first being a 5 hour long session, with an hour break for lunch, then another 4 hour session. This is a departure from the previous practical which was in-person and ran for 2 days.

The cost is $1600 USD.

To help study for this exam I have put the exam blueprint into an excel spreadsheet that can be used to help you track your progress and confidence level with it. You can get the excel file here

Written (812) Exam Blueprint



1. Security Architecture
  a. Demonstrate knowledge of FortiGate Network Security products
    i. Chassis solutions 6000/7000 modules and architecture
    ii. Correct hardware production selection based on design
  b. Demonstrate knowledge of Fortinet Security Fabric Solution deployments
    i. FortiMail
    ii. FortiSandbox
    iii. Traditional networks and hybrid/cloud/multi-cloud networks
    iv. Logging and management protocols used by Fortinet, and required network architecture for resiliency
  c. Demonstrate knowledge of Fortinet high-availability solutions
    i. Core products
    ii. Types of the HA solutions
    iii. HA and Cloud deployments
    iv. Optimization

2. Infrastructure
  a. Demonstrate knowledge of FortiGate operation modes
    i. Transparent Mode and Layer-2 Traffic
    ii. VDOM and VDOM links
  b. Demonstrate knowledge of FortiGate hardware technology
    i. NP6/NP7/nTurbo/CP9/SoC4 acceleration and acceleration concepts
    ii. Hyperscale requirements, operation, limitations
    iii. Traffic Flows during acceleration and offloading
    iv. Describe and design hardware accelerated networks with FortiGate devices
    v. FortiGate chassis/module architecture
    vi. Life of packet
    vii. Hardware offloading
  c. Demonstrate knowledge of non-FortiGate hardware technology
    i. Hardware v virtual
    ii. FAZ, SIEM
  d. Demonstrate knowledge of Fortinet solutions for cloud security
    i. Private cloud
    ii. Public cloud
    iii. SAAS
    iv. SASE

3. Networking
  a. Demonstrate knowledge of advanced routing and networking technologies
    i. Static Routing
    ii. Dynamic Routing (OSPF/BGP)
    iii. Routing and high availability concepts
    iv. Asymmetric Routing
    v. Secure SD-WAN Routing
    vi. Policy Routing
    vii. Multi-cast routing
    viii. Routing control
    ix. NAT
      1. Dual-bidirectional NAT between two address domains
      2. Interpret NAT information presented in Session table output
    x. IPv6
      1. NAT46 & NAT 64, SLAAC, DHCPv6, DNSv6
    xi. Traffic shaping
      1. Interface-based shaping configuration
      2. Effects on hardware acceleration
    xii. Virtual wire pairs
      1. VWP with VLAN tags
  b. Demonstrate knowledge of advanced VPN design methodologies
    i. SSL VPN / IPSEC
    ii. Aggregate VPN
    iii. ADVPN
    iv. VXLAN over IPSEC
    v. GRE
    vi. IKEv1 vs IKEv2 differences
  c. Demonstrate knowledge of Fortinet access solutions advanced configurations and features
    i. FortiSwitch advanced configurations
      1. MCLAG
    ii. FortiAP advanced configurations
      1. Remote tunneling
    iii. Advanced use cases of FortiExtender (IPSEC VPN, VLAN mode)
      1. IPSEC VPN
      2. VLAN mode
    iv. FortiOS access control features
      1. Control Policy
      2. Device Profiling
      3. DHCP Option 82
      4. FortiNAC configuration
      5. Remediation Policy
  d. Demonstrate knowledge of how to integrate Fortinet access solutions
    i. Advanced authentication for access layer
      1. FortiAP radius based dynamic vlan
      2. RADIUS based dynamic VLAN
    ii. FortiLink advanced configurations
      1. Quarantine NAC vlans
      2. FortiLink over L3
    iii. Centralized management of access products from FortiManager
    iv. Design Fortinet access layer solutions
      1. Wireless planning
      2. Switch stack design
      3. ZTNA solutions
     v. Fortinet Security Fabric and integrated management of Firewall, access, and ATP products
  e. Demonstrate knowledge of application delivery
    i. Load balancing
    ii. Health checks

4. Secure SD-WAN
  a. Demonstrate knowledge of SD-WAN advanced architecture and design
    i. Design and implement a full featured SD-WAN solution with dynamic routing
    ii. Local traffic routing with SD-WAN
    iii. Understanding SD-WAN rules and failover
  b. Demonstrate knowledge of SD-WAN advanced features
    i. Azure vWAN
    ii. ADVPN design and requirements
    iii. Packet duplication and aggregate tunnels
    iv. Network overlays
  c. Demonstrate knowledge of SD-WAN troubleshooting
    i. Session failover with NAT
    ii. Session route change with max bandwidth method
    iii. Shortcut tunnels and BGP

5. Security Solutions
  a. Demonstrate knowledge of Fortinet application security solutions
    i. Operation and deployment modes
    ii. Designing resilient solutions
    iii. Advanced security inspection
    iv. FortiGuard services for enhanced Fortinet solutions
    v. Troubleshooting application security issues
  b. Demonstrate knowledge of Fortinet network security solutions
    i. Inspection modes
    ii. Security profiles
    iii. Troubleshooting FortiOS security features
    iv. FortiGuard services for FortiOS security services
    v. VoIP
      1. VoIP ALG / proxy
      2. SIP kernel-helper
      3. Flow SIP
    vi. HTTP/2
      1. SSL inspection with HTTP/2
  c. Demonstrate knowledge of authentication mechanisms
    i. Implement SAML authentication
    ii. Integrate external authentication using Radius / LDAP
    iii. Configuring Fortinet product authentication using FortiAuthenticator
    iv. Authentication using VSAs with Radius for automated roles / profiles
    v. Two factor authentication using certificates and tokens
    vi. Fortinet FSSO using collectors and FortiAuthenticator
    vii. Integrate with AD certificate services
    viii. RBAC, authentication and certificate management solutions with Fortinet Management products

6. Security Operations
  a. Demonstrate knowledge of Fortinet SOC solution
    i. Integrate Fortinet solutions for advanced threat protection
    ii. Security incident handling
    iii. Security incident enrichment
    iv. Threat analysis and incident response
    v. Automated remediation
    vi. Fortinet management and logging tools
  b. Demonstrate knowledge of Fortinet endpoint solutions
    i. Network admission control solution
    ii. Device On-boarding using various methods
    iii. FCT Client Profile
    iv. VPN Profile Management
    v. FortiClient EMS installation package managing
    vi. EMS on net / off net
    vii. ZTNA Policy / configuration (EMS/FCT/FG/FAC)
    viii. Endpoint protection (Client/Guest)
    ix. Quarantine functions on both LAN/WLAN
    x. EDR - Playbooks / Exceptions

7. Automation
  a. Demonstrate knowledge of Fortinet Automation tools, solutions, and integrations
    i. Automation Stiches
    ii. Understand Fabric connectors
    iii. Zero Touch Configuration/Zero Touch Provisioning
    iv. Automated Response Systems (SOAR/Handlers)
    v. FortiSIEM log automation triggers
  b. Demonstrate knowledge of Fortinet build-in scripting capabilities
    i. FortiManager CLI/TCL Scripting
    ii. FMG CLI Template + Variables
    iii. FortiGate AutoScript
  c. Demonstrate knowledge of Fortinet API configuration and usage
    i. FortiGate webhook triggers
    ii. API Integration within the Security Fabric
    iii. Understand principles of API usage (including required config)
    iv. Solutions for rollout and management of large scale FortiGate networks (Fortinet or 3rd party management tools)



Practical Exam Certification Topics


1. Networking
  a) SD-WAN Deployments
  b) Dynamic Routing
  c) Traffic Engineering
  d) Secure Access
  e) VPN Connections
  f) High Availability and clustering
  g) Troubleshooting network deployments
 
2. Central Management
  a) Central Management Deployments
  b) Automation
  c) Security Operations
  d) Troubleshooting Central Management Deployments

3. Authentication
  a) Authentication Integration
  b) Troubleshooting Authentication Scenarios

4. Threat Protection
  a) Securing EndPoints
  b) Securing Applications
  c) Securing the Network
  d) Troubleshooting Threat Protection


Product Firmware Versions

This section details all the products and firmware versions used within the NSE8 exams.
For the most up to date firmware versions, refer to the NSE8 handbook on www.fortinet.com





** All information recorded on this page was correct at the time of writing. For the most up to date information on the Fortinet NSE 8 certification, see the NSE 8 Certification Public Handbook on www.fortinet.com

Comments

Post a Comment

Popular posts from this blog

NSE8 Lab Study Resources - Narbik CCIE R&S v5.1 Foundations

Image
 Hey All, I have been working on putting together some scenarios for lab practice and I've found myself falling back on some of the study materials I used when preparing for the CCIE EI (yet to obtain, on the list after the NSE8). A legendary trainer in this area is Narbik Kocharians CCIE 12410 who is the president of Micronics Networking and Training - his CCIE prep courses and text books are considered almost required reading for any serious candidate for this certification. His text books work through hands on labs that are focused on specific topics to help cement the theory of the different topics in the exam.  His textbook CCIE Routing and Switching 5.1 Foundations: Bridging the Gap between CCNP and CCIE is well aimed at the skill level required of the NSE8 and fortunately there is actually quite a bit of overlap in its 1100 pages. The chapters within the textbook are: 1. Physical Topology 2. Physical and Logical Topologies 3. Spanning Tree Protocol 4. Point-to-Point Protocol
Read more

Journey to the NSE8 - Change in tactic

 I've previously been studying the Secure Wireless LAN content in order to pass the final exam required for my NSE6 (on the way to the NSE8). Going over the material again at the moment I'm noticing that my study sessions are becoming a bit of a blur and I'm not absorbing the content as well as I should be, and I can see this track of study becoming like quicksand if I don't give myself a break from it. The NSE6 fortunately covers a lot of technologies, including FortiAuthenticator and FortiADC which are both heavily featured on the NSE8 blueprint. So from here Im going to review the training for the FortiADC and have a crack at that exam to finish off my NSE6
Read more

Specifying a domain name suffix for DHCP clients on a FortiGate (FortiOS)

Image
Domain Name Suffix You can specify a domain name suffix in a DHCP address pool on the FortiGate DHCP server . With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For example a client can type in https://fortimanager in their web browser to access your fortimanager instance, instead of the FQDN of https://fortimanager.domain.local In FortiOS (current as of December 2022) this is configured via the CLI.   Configuration config system dhcp server     edit <#>          set domain <domain suffix>   In a full context this would be config system dhcp server     edit 1          set domain "lab.example.com"          set default-gateway 192.168.1.1          set netmask 255.255.255.0          set interface "port1"          config ip-range               edit 1                    set start-ip 192.168.1.100                    set end-ip 192.168.1.200               next         
Read more