
Interview Guide - 2

Quick prep guide

Uploaded by

wasone6467

Comprehensive Guide: Network Fundamentals, Packet Flows, and Interview Q&A for Cisco Meraki and Fortinet FortiGate

Prepared for 4-10 Years Experience Level

July 24, 2025

Introduction
This exhaustive document serves as a complete preparation resource for your network engineer
interview, focusing on Cisco Meraki and Fortinet FortiGate technologies. It is designed
for professionals with 4-10 years of experience, covering in-depth network fundamentals with
dedicated chapters for key concepts, detailed packet flow explanations for Meraki MX and
FortiGate, and an extensive collection of frequently asked interview questions and answers. By
studying this PDF, you should be fully equipped to handle technical discussions, troubleshooting
scenarios, and behavioral questions. The content is structured for easy navigation, with
practical examples, configurations, and tips drawn from real-world applications.

1 Network Fundamentals
Network fundamentals form the bedrock of any networking role. Below, each core concept
is explained in detail, including how it works, key components, common configurations,
troubleshooting tips, and relevance to Meraki and FortiGate environments. For complex topics
like routing protocols, dedicated chapters follow.

1.1 OSI Model


The Open Systems Interconnection (OSI) model is a conceptual framework developed by the
International Organization for Standardization (ISO) to standardize network communication.
It divides networking into seven layers, each with specific functions, allowing for modular
design, interoperability between different vendors’ equipment (like Cisco Meraki and Fortinet
FortiGate), and easier troubleshooting by isolating issues to particular layers. The model is
theoretical but maps closely to real-world protocols in the TCP/IP suite.
- Layer 1: Physical Layer: This layer is responsible for the physical transmission and
reception of raw bit streams over a physical medium, such as copper cables, fiber optics, or
wireless signals. It defines hardware specifications like voltage levels, cable types (e.g., Cat6
Ethernet), connectors (RJ-45), and signaling rates. In a Meraki environment, this involves
connecting MS switches or MR access points via Ethernet ports. Troubleshooting tips: Use
a cable tester to check for breaks or interference; monitor signal-to-noise ratio (SNR) for
wireless links. Common issues: Faulty cables leading to packet loss.
- Layer 2: Data Link Layer: Handles node-to-node data transfer on the same network,
including framing, MAC addressing, error detection (via CRC checksums), and flow control.
It is divided into LLC (Logical Link Control) for multiplexing and MAC (Media Access Control)
for addressing. Protocols include Ethernet, Wi-Fi (802.11), and PPP. In FortiGate, this layer
manages switch ports and VLAN tagging. Relevance: ARP operates here to map IPs to MACs.
Troubleshooting: Inspect MAC address tables with ‘get switch mac-table‘ in FortiGate CLI;
resolve issues like duplicate MACs or STP loops.
- Layer 3: Network Layer: Provides logical addressing and routing between different
networks. It handles packet forwarding, fragmentation, and reassembly. Key protocol: IP
(IPv4/IPv6). Routers and Layer 3 switches operate here. In Meraki MX appliances, this involves
routing decisions and NAT. Troubleshooting: Use ‘ping‘ for reachability and ‘traceroute‘
for path analysis; common problems include routing loops or blackholes due to misconfigured
routes.
- Layer 4: Transport Layer: Ensures end-to-end communication reliability, including segmentation,
flow control, error recovery, and multiplexing via ports. Protocols: TCP (reliable,
connection-oriented with ACKs, congestion control via windows) and UDP (unreliable, connectionless
for low-latency apps like DNS). In firewalls like FortiGate, policies filter based on
ports. Troubleshooting: Use ‘netstat‘ or ‘ss‘ to view connections; issues like TCP SYN floods
can be mitigated with DoS policies.
- Layer 5: Session Layer: Manages the setup, coordination, and termination of communication
sessions between applications. It handles dialog control (half/full duplex) and
synchronization. Examples: NetBIOS, RPC. In practice, often combined with higher layers;
relevant for VPN sessions in Meraki.
- Layer 6: Presentation Layer: Translates data between the application layer and the
network, handling encryption (e.g., SSL/TLS), compression (gzip), and format conversions
(ASCII to EBCDIC). In modern networks, this includes JSON/XML parsing in APIs. Troubleshooting:
Decryption failures in SSL inspection on FortiGate.
- Layer 7: Application Layer: Provides network services directly to end-user applications,
including protocols like HTTP, FTP, SMTP, and DNS. Firewalls like Meraki MX perform deep
packet inspection (DPI) here for app control. Troubleshooting: Use tools like ‘curl‘ for HTTP
testing; issues include app-specific errors like DNS resolution failures.
Relevance to Interview: With 4-10 years of experience, expect questions like mapping protocols
to layers or troubleshooting scenarios, e.g., “Why might a ping fail at Layer 3 but succeed at
Layer 2?” Emphasize how Meraki’s cloud management simplifies multi-layer configs.

1.2 TCP/IP Model


The TCP/IP model, developed by the U.S. Department of Defense, is a practical implementation
of networking protocols that powers the internet. It is more streamlined than the OSI
model, focusing on real-world usage, and maps roughly as follows: Network Interface (OSI
1-2), Internet (OSI 3), Transport (OSI 4), Application (OSI 5-7). This model emphasizes
end-to-end connectivity and is the foundation for protocols used in Meraki and FortiGate.

- Network Interface Layer: Encompasses physical and data link functions, handling hardware
interfaces and framing. Examples: Ethernet frames, Wi-Fi standards. In FortiGate,
configure interfaces with ‘config system interface‘.
- Internet Layer: Focuses on logical addressing and routing. Core protocol: IP, with ICMP
for diagnostics (ping) and IGMP for multicast. Supports fragmentation to handle MTU
differences. In Meraki, this layer handles SD-WAN routing.
- Transport Layer: Provides host-to-host communication. TCP offers reliability through
sequencing, acknowledgments, and retransmissions; UDP prioritizes speed for applications
like video streaming. Port numbers (0-65535) multiplex services.
- Application Layer: Directly supports user applications with protocols like HTTP(S), DNS,
DHCP. In NGFWs like FortiGate, app control identifies and blocks specific apps (e.g., Facebook)
regardless of port.
Differences from OSI: TCP/IP is protocol-centric and less layered, making it more flexible but
sometimes harder to troubleshoot abstractly. In hybrid setups, Meraki MX routes at Internet
layer while FortiGate inspects at Application.

1.3 IP Addressing
IP addressing provides unique identifiers for devices on a network, enabling routing and
communication. It is crucial for subnet design, NAT, and security policies in enterprise networks.
- IPv4: 32-bit addresses in dotted decimal (e.g., [Link]), supporting 4.3 billion
addresses. Divided into classes (A: 1-126, B: 128-191, etc.), but CIDR (Classless Inter-Domain
Routing) allows flexible subnetting (e.g., /24 = 256 addresses, 254 usable). Private ranges
avoid public exhaustion. Subnetting example: [Link]/24 split into two /25s (128
addresses each).
- IPv6: 128-bit hexadecimal addresses (e.g., [Link]/64), providing 3.4 x 103 [Link]
configuration (SLAAC using router advertisements), built-in IPsec, [Link]
- NAT/PAT: Network Address Translation hides private IPs behind a public one; Port Address
Translation adds ports for multiplexing. Benefits: Security, address conservation. In FortiGate:
Enable in policies with ‘set nat enable‘; use IP pools for dynamic allocation.
Configuration Example (Meraki): Dashboard > Addressing & VLANs > Set subnet. Troubleshooting:
Conflicts (use ‘arp -a‘), exhaustion (expand scope), NAT loops (check mappings
with debug tools). Relevance: In interviews, calculate subnets (e.g., hosts in /27 = 30) or
explain dual-stack IPv4/v6.
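
The subnet arithmetic above, worked as an added example (not part of the original guide): a small VLSM planner that sizes one subnet per segment and a check for overlapping subnets. The 10.20.0.0/24 block, the segment names, the site subnets, and the function names are constructed for illustration.

```python
import ipaddress

def usable_hosts(prefixlen: int) -> int:
    """Usable IPv4 hosts: total addresses minus network and broadcast."""
    if prefixlen == 32:
        return 1                      # single host route
    if prefixlen == 31:
        return 2                      # point-to-point link (RFC 3021)
    return 2 ** (32 - prefixlen) - 2

def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still holds `hosts` usable addresses."""
    for prefixlen in range(30, 0, -1):
        if usable_hosts(prefixlen) >= hosts:
            return prefixlen
    raise ValueError(f"{hosts} hosts do not fit in an IPv4 subnet")

def allocate_vlsm(block: str, requirements: dict) -> dict:
    """Carve `block` into one subnet per segment.

    Allocating largest-first keeps every subnet aligned on its own
    boundary, so no address space is lost to padding.
    """
    parent = ipaddress.IPv4Network(block)
    cursor = int(parent.network_address)
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefixlen = smallest_prefix_for(hosts)
        subnet = ipaddress.IPv4Network((cursor, prefixlen))
        if not subnet.subnet_of(parent):
            raise ValueError(f"{block} is too small for segment {name!r}")
        plan[name] = subnet
        cursor += subnet.num_addresses
    return plan

def find_overlaps(subnets: dict) -> list:
    """Return name pairs whose subnets overlap (a common cause of VPN/routing conflicts)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

# Constructed sample input: hosts needed per segment at one site.
REQUIREMENTS = {"users": 100, "voice": 50, "printers": 20, "wan-p2p": 2}

# Constructed sample input: subnets reported by three sites before joining a VPN.
SITE_SUBNETS = {
    "branch-a": "192.168.10.0/24",
    "branch-b": "192.168.10.128/25",   # sits inside branch-a
    "hq": "192.168.20.0/24",
}

if __name__ == "__main__":
    for name, net in allocate_vlsm("10.20.0.0/24", REQUIREMENTS).items():
        print(f"{name:10} {str(net):18} usable={usable_hosts(net.prefixlen)}")
    print("overlaps:", find_overlaps(SITE_SUBNETS))
```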

1.4 Switching
Switching forwards data at Layer 2 based on MAC addresses, improving efficiency over hubs
by reducing collisions. Modern switches are managed, supporting VLANs and PoE.
- VLANs: Virtual LANs (802.1Q) segment broadcast domains for security and traffic isolation.
Tags add 4-byte headers. Config in Meraki: Switches > Ports > Access/Trunk mode, allowed
VLANs. Benefits: Reduces ARP traffic, enhances security.
- STP/RSTP: Spanning Tree Protocol (802.1D) prevents loops by electing a root bridge
and blocking redundant paths. RSTP (802.1w) adds faster convergence (seconds vs. 30-
50s). Features: Port roles (root, designated, blocking), BPDUs for topology. In FortiGate
managed switches: Enable globally.
- MAC Learning: Switches learn MAC-port mappings dynamically, storing in CAM tables
(aging 300s). Flooding occurs for unknown destinations.
Troubleshooting: Loops (enable BPDU guard), VLAN mismatches (use ‘show vlan‘), CAM
overflow (increase table size or static entries). With 4-10 years of experience, discuss L2 attacks
like MAC flooding and mitigation with port security.

1.5 DHCP
DHCP (RFC 2131) dynamically assigns IP addresses, reducing manual config errors and centralizing
management.
- DORA Process: Client sends Discover (broadcast UDP 67/68), server Offers IP, client
Requests, server Acknowledges with lease (options: gateway, DNS, lease time).
- Components: Server (assigns from pool), Client (requests), Relay (forwards across subnets
via IP Helper, e.g., ‘ip helper-address‘ on routers).
In Meraki: MX > DHCP > Enable scope, exclusions. In FortiGate: Network > DHCP Server >
Create. Options like 82 (relay info) for location-based assignment.
Troubleshooting: Rogue servers (capture with Wireshark, mitigate with DHCP snooping),
lease issues (short times cause frequent renews). Attacks: Starvation (fake MACs exhaust
pool; limit per port). Relevance: Explain relay in multi-VLAN setups.
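
An added example, not from the original guide, of the two DHCP snooping checks mentioned above: dropping server replies that arrive on untrusted ports (rogue servers) and limiting how many new client MACs one port may introduce in a time window (starvation). The event records, port names, addresses, and thresholds are constructed; a real switch applies the same logic to live frames.

```python
from collections import defaultdict, deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}

def snoop(events, trusted_ports, max_macs_per_port=3, window_s=10):
    """Replay DHCP events and return (bindings, alerts).

    bindings: client MAC -> {"ip", "port"}, learned only from ACKs on trusted ports.
    alerts:   (time, kind, port, detail) for each dropped message.
    """
    recent = defaultdict(deque)   # port -> (time, mac) of client MACs seen in the window
    client_port = {}              # client MAC -> access port it was last accepted on
    bindings, alerts = {}, []

    for ev in events:
        t, port, msg, mac = ev["t"], ev["port"], ev["msg"], ev["mac"]

        if msg in SERVER_MSGS:
            if port not in trusted_ports:
                # A server reply from an access port means a rogue DHCP server.
                alerts.append((t, "rogue-server", port, ev.get("server")))
                continue
            if msg == "ACK" and mac in client_port:
                bindings[mac] = {"ip": ev["yiaddr"], "port": client_port[mac]}
            continue

        # Client message: age out old sightings, then count distinct MACs.
        # The count is keyed on the DHCP client hardware address, so a sender
        # that keeps one Ethernet source MAC but varies that field is still counted.
        seen = recent[port]
        while seen and t - seen[0][0] > window_s:
            seen.popleft()
        if all(m != mac for _, m in seen):
            seen.append((t, mac))
        if len(seen) > max_macs_per_port:
            alerts.append((t, "starvation", port, mac))
            continue
        client_port[mac] = port

    return bindings, alerts

# Constructed sample: one normal DORA exchange, one rogue OFFER, one burst of fake MACs.
CLIENT = "aa:aa:aa:00:00:01"
EVENTS = [
    {"t": 0.0, "port": "ge-1", "msg": "DISCOVER", "mac": CLIENT},
    {"t": 0.1, "port": "uplink", "msg": "OFFER", "mac": CLIENT,
     "server": "10.0.0.1", "yiaddr": "10.0.0.50"},
    {"t": 0.2, "port": "ge-1", "msg": "REQUEST", "mac": CLIENT},
    {"t": 0.3, "port": "uplink", "msg": "ACK", "mac": CLIENT,
     "server": "10.0.0.1", "yiaddr": "10.0.0.50"},
    {"t": 1.0, "port": "ge-7", "msg": "OFFER", "mac": CLIENT,
     "server": "10.0.0.66", "yiaddr": "10.0.0.200"},
] + [
    {"t": 2.0 + i / 10, "port": "ge-9", "msg": "DISCOVER",
     "mac": f"02:00:00:00:00:{i:02x}"}
    for i in range(5)
]

if __name__ == "__main__":
    table, raised = snoop(EVENTS, trusted_ports={"uplink"})
    print("bindings:", table)
    for alert in raised:
        print("alert:", alert)
```

The binding table this produces is the same data that Dynamic ARP Inspection validates ARP replies against.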

1.6 DNS
DNS translates human-readable domain names to IPs, acting as the internet’s phonebook
(RFC 1035).
- How it Works: Hierarchical: Client queries recursive resolver (e.g., [Link]), which fetches
from root servers (.), TLD (.com), authoritative ([Link] NS). Caching reduces latency.
- Records: A/AAAA (host IP), CNAME (alias), MX (mail server priority), NS (delegation),
TXT (verification like SPF), PTR (reverse lookup).
- Internal vs External: Internal (e.g., Active Directory DNS) resolves private names; external
uses public servers. Split DNS directs based on source.
Troubleshooting: ‘nslookup‘ or ‘dig‘ for queries; cache poisoning mitigated by DNSSEC (signatures).
In FortiGate: DNS filter profiles block malicious domains.

1.7 Firewalls
Firewalls enforce security policies by controlling traffic flow.
- Types: Stateless (simple ACLs on ports/IPs), Stateful (tracks connection states like SYN/ACK),
NGFW (app/user awareness, IPS).
- Features: Inspection (DPI for payloads), logging (syslog), NAT, VPN termination.
In Meraki MX: Layer 3/7 rules. In FortiGate: Policies with UTM (AV, IPS). Config example:
FortiGate GUI > Policy > Create, set action/inspection.
Troubleshooting: Policy order (first match), implicit deny; use lookup tools.
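
First-match evaluation with an implicit deny, as an added example that is not part of the original guide: a minimal policy lookup plus a check for rules that can never fire because an earlier rule fully covers them. The rule names, addresses, and the `Rule` structure are hypothetical and do not follow any vendor's schema.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: range    # destination ports
    action: str     # "allow" or "deny"

ANY_PORT = range(0, 65536)

def port(n: int) -> range:
    return range(n, n + 1)

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and dport in rule.ports)

def lookup(policy, src, dst, proto, dport):
    """Return (rule name, action) of the first matching rule, top-down."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return rule.name, rule.action
    return "implicit-deny", "deny"      # nothing matched: traffic is dropped

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and inner.ports.start >= outer.ports.start
            and inner.ports.stop <= outer.ports.stop)

def shadowed(policy):
    """List (rule, earlier rule) pairs where the later rule can never be hit.

    Only coverage by a single earlier rule is detected, not coverage
    by the union of several earlier rules.
    """
    found = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found

# Constructed policy: the guest VLAN (10.10.50.0/24) was meant to be blocked,
# but its deny rules were appended below broader allow rules.
POLICY = [
    Rule("allow-web", "10.10.0.0/16", "0.0.0.0/0", "tcp", port(443), "allow"),
    Rule("allow-dns", "10.10.0.0/16", "10.10.1.53/32", "udp", port(53), "allow"),
    Rule("deny-guest-dns", "10.10.50.0/24", "10.10.1.53/32", "udp", port(53), "deny"),
    Rule("deny-guest-all", "10.10.50.0/24", "0.0.0.0/0", "any", ANY_PORT, "deny"),
]

if __name__ == "__main__":
    print(lookup(POLICY, "10.10.50.7", "203.0.113.10", "tcp", 443))  # guest HTTPS
    print(lookup(POLICY, "10.10.50.7", "203.0.113.10", "tcp", 22))   # guest SSH
    print(lookup(POLICY, "10.10.20.5", "203.0.113.10", "tcp", 22))   # no rule matches
    print(shadowed(POLICY))
```

In this sample the guest deny rules need to move above the allow rules; the lookup shows guest HTTPS is currently allowed, and the shadow check shows the guest DNS deny never fires.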

1.8 VPNs
VPNs create secure tunnels over public networks.
- IPsec: Internet Protocol Security; Phase 1 (IKE SA, auth via PSK/certs), Phase 2 (IPsec
SA, encryption AES, integrity SHA). Modes: Tunnel (full encapsulation), Transport.
- SSL VPN: Uses TLS; portal (browser access) vs. tunnel (client software).
In Meraki: Auto VPN hub/spoke. In FortiGate: Wizards for IPsec/SSL. Troubleshooting:
Mismatch in proposals, MTU fragmentation.

1.9 Security Concepts


- ACLs: Access Control Lists filter traffic; extended include ports/protocols. Processed top-
down, end with deny any.
- IDS/IPS: Intrusion Detection (passive alerts) vs Prevention (active blocks). Signature-
based (known threats) vs anomaly (baselines).
- Zero-Trust: Assume breach; verify every access with identity, device health. In FortiGate:
ZTNA policies.
Common attacks: DDoS (mitigate with rate limits), MITM (use HTTPS).

1.10 SD-WAN
SD-WAN decouples control from hardware for intelligent path selection.
- Features: Overlay tunnels, policy routing (e.g., VoIP over MPLS), failover.
In Meraki MX: Traffic steering rules. In FortiGate: SD-WAN members/rules, health checks.
Benefits: Cost savings, better app performance.

1.11 Wireless Networking


Wireless uses RF for connectivity.
- SSIDs: Service Set Identifiers; multiple per AP for guest/corporate. Security: WPA3 (SAE
for better encryption).
- Roaming: Clients switch APs; fast roaming with 802.11r/k.
In Meraki MR: Dashboard > Wireless > SSIDs. Troubleshooting: Interference (channel overlap),
signal strength (RSSI > -70dBm).

1.12 Troubleshooting Tools


- Wireshark: Captures/analyzes packets; filters like ‘[Link] == 80‘.
- Ping/Traceroute: ICMP echo for latency/path; options like -i for interval.
- Syslog: Centralized logging; levels 0-7.
Advanced: ‘tcpdump‘ on appliances.

1.13 Advanced Topics


- QoS: Quality of Service marks (DSCP) and queues traffic; CoS for L2. Ensures VoIP priority.
- MPLS: Multi-Protocol Label Switching uses labels for fast forwarding; VPNs (L3VPN).
- Multicast: One-to-many; IGMP snooping, PIM routing.

2 Routing Protocols Overview


Routing protocols automate path selection in dynamic networks, classified by algorithm: Distance
Vector (simple, slow convergence), Link-State (database-driven, fast), Path Vector
(policy-based). Interior (IGP like OSPF) vs Exterior (EGP like BGP). Metrics vary: hops,
cost, bandwidth.

3 OSPF (Open Shortest Path First)


OSPF is an IGP link-state protocol (RFC 2328) using Dijkstra’s SPF algorithm for shortest
path calculation. It floods LSAs to build a consistent LSDB across routers, ensuring loop-free
routes and quick convergence (sub-second with tuning).
- Areas: Reduces flooding; Area 0 (backbone) mandatory, stub areas block external LSAs for
scalability.
- Components: Hello packets (multicast [Link], dead interval 40s), LSAs (Type 1 router,
Type 2 network), DR/BDR election on multi-access segments.
- Configuration (FortiGate CLI): ‘config router ospf; set router-id [Link]; config area; edit
[Link]; set type regular; end; config ospf-interface; edit "port1"; set interface "port1"; set
cost 10; end‘.
- Troubleshooting: ‘get router info ospf neighbor‘ for adjacencies; ‘get router info ospf
database‘ for LSAs. Common issues: Mismatched area types, authentication failures.
Relevance: Preferred in enterprises for scalability; integrate with Meraki MX for dynamic
routing.

4 BGP (Border Gateway Protocol)


BGP (RFC 4271) is the EGP for internet routing, using path vector to prevent loops via
AS-Path attribute. It emphasizes policy over metrics, ideal for multi-homed setups.

- Attributes: Well-known (AS-Path, Next-Hop) vs optional (MED for path selection). Local
Preference influences outbound.
- Sessions: eBGP (TTL=1, different AS), iBGP (full mesh or route reflectors).
- Configuration (Meraki Dashboard): Appliance > Routing > BGP > Enable, set AS
number, peers.
- Troubleshooting: ‘get router info bgp summary‘ in FortiGate; issues like route flaps (dampening),
prefix limits.
Used for ISP peering; in interviews, explain route selection process.

5 RIP (Routing Information Protocol)


RIP is a legacy distance vector IGP (RFC 1058/2453), using hop count (max 15) to prevent
infinity loops.
- Versions: RIPv1 (broadcast, classful), RIPv2 (multicast [Link], classless, MD5 auth).
- Features: 30s updates, split horizon (no advertise back), route poisoning (metric 16).
- Configuration: Seldom used; example in FortiGate: ‘config router rip; config network; edit
1; set prefix [Link]/16; end‘.
Troubleshooting: Slow convergence (count-to-infinity); replaced by OSPF in modern networks.

6 Other Routing Protocols


- EIGRP: Cisco’s hybrid protocol, uses DUAL for loop-free paths, metrics (bandwidth/delay).
Fast convergence, partial updates.
- IS-IS: Link-state IGP for large ISPs, similar to OSPF but uses CLNS addressing.

7 Packet Flow in Meraki MX Appliances


Meraki MX security appliances process packets in a cloud-orchestrated, stateful pipeline,
integrating routing, firewalling, and SD-WAN. The flow ensures security and optimization,
with decisions pushed from the dashboard.
1. Ingress Interface: Packet received; checked for physical errors, VLAN tags stripped if
applicable.
2. Layer 2 Processing: MAC address validation, anti-spoofing (source MAC/IP binding).
3. Source Validation: uRPF (Unicast Reverse Path Forwarding) to prevent spoofing.
4. Stateful Inspection: Matches against connection table; new connections initiate session.
5. Firewall Rules: Layer 3 (IP/port) and Layer 7 (app/IDP) rules applied sequentially.
6. IPS/AMP: If licensed, scans for threats using Snort-like signatures and malware protection.
7. NAT/SNAT: Outbound: Masquerade private to public IP; Inbound: Port forwarding.
8. VPN/Routing: Encrypt for Auto VPN (IPsec); route lookup (static > VPN > dynamic).
9. QoS/Shaping/SD-WAN: Mark DSCP, limit bandwidth, steer based on policies (e.g.,
low-latency link for VoIP).
10. Egress: Forward to WAN/LAN; log to dashboard, export flows via NetFlow.
Troubleshooting: Dashboard > Appliance > Packet capture; view flows in Security > Event
log. Example: HTTP outbound - Ingress > Firewall allow > SNAT > Route to ISP.

8 Packet Flow in Fortinet FortiGate Firewalls


FortiGate uses a sophisticated, ASIC-accelerated (NP7/SP5) packet flow in FortiOS, optimizing
for high performance. The flow is ingress-to-egress, with offloads for eligible traffic.
1. Acceptance: Ingress port; link-level checks, DoS protection (SYN proxy if enabled).
2. Session Setup: Stateful; hash-based lookup for existing sessions (fast path offload).
3. Routing Lookup: Pre-NAT destination route from FIB (Forwarding Information Base).
4. DNAT/VIP: Virtual IP translation for inbound servers.
5. Policy Lookup: Match firewall policy (interfaces, addresses, services, users, schedule).
6. User Auth/ID: If policy requires, authenticate via FSSO, RADIUS, etc.
7. UTM Inspection: Sequential - SSL deep inspection > IPS signatures > Antivirus scan >
Web/App filter > DLP.
8. SNAT: Post-policy source NAT (central or per-policy).
9. Routing (Post-NAT): Final egress interface determination.
10. Egress: Encapsulate for VPN if matched, forward packet, log hit.
Offloads bypass CPU for simple traffic. Troubleshooting: ‘diagnose debug flow filter <criteria>;
diagnose debug flow show function-name enable; diagnose debug enable‘. Example: Inbound
HTTPS - Acceptance > DNAT > Policy match > SSL inspect > UTM clean > SNAT > Egress.

9 Cisco Meraki Interview Questions and Answers


Expanded list based on common questions for mid-senior engineers.
1. What is Cisco Meraki, and how does it differ from traditional Cisco networking?
Meraki is a cloud-managed networking solution acquired by Cisco, offering centralized
management via a dashboard for devices like MR (wireless), MS (switches), MX (security
appliances). Unlike traditional Cisco’s CLI-based config (e.g., IOS), Meraki uses GUI
with auto-provisioning, API support, and zero-touch deployment. Ideal for multi-site
environments with features like Auto VPN.
2. Describe the process of creating and configuring an organization in Cisco Meraki.
Log into Dashboard > Organization > Create Organization. Set name, timezone,
currency. Add networks (site-specific or templates). Claim devices by serial number.
Configure templates for VLANs, SSIDs, policies. Apply licenses and enable features like
SD-WAN.
3. What are licensing prerequisites for Meraki devices? Per-device subscriptions: Enterprise
(basic), Advanced Security (NGFW features), Secure SD-WAN Plus (advanced
routing). Licenses are cloud-tied; co-termination averages terms. Without active license,
devices go offline after grace period.
4. Explain configuring a basic SSID on a Meraki wireless access point. Dashboard
> Wireless > SSIDs > Create SSID. Set name, security (WPA2/3), VLAN, bandwidth
limits, client isolation. Enable Layer 7 shaping, splash pages. Use Air Marshal for
security scanning.
5. What is Meraki Systems Manager (SM), and its uses? Cloud-based MDM/EMM
for endpoints. Uses: App deployment, remote wipe, geofencing, compliance policies.
Integrates with Meraki for unified visibility.
6. How would you troubleshoot DHCP issues in a Meraki network? Check Clients
page for leases. Verify MX DHCP scope. Use event logs, packet captures. Enable
DHCP snooping to block rogues. Renew leases on clients.
7. What is ARP, and explain ARP poisoning in a Meraki context? ARP maps IP
to MAC. Poisoning spoofs for MITM. Mitigate with DAI on MS switches, validating
against bindings.
8. Describe STP and its role in Meraki switches. Prevents L2 loops. Meraki uses
RSTP; configure priorities, BPDU guard via Dashboard > Switches > STP.
9. What are Network Tags in Meraki, and a valid use? Labels for grouping (e.g.,
“HQ”). Use: Bulk policy application via templates.
10. Which MX route type has the highest priority? Static > AutoVPN > Client VPN
> Dynamic (BGP/OSPF).
11. Explain CAM tables and how they relate to switching in Meraki. CAM (Content
Addressable Memory) stores MAC-port mappings. In Meraki MS, view via Dashboard
> Switches > MAC forwarding table. Overflow can cause flooding.
12. What problems might you see with LAN routing in a Meraki setup? Misconfigured
VLANs, overlapping subnets, STP loops, or rogue DHCP. Troubleshoot with
topology maps and alerts.
13. How do various protocols like OSPF and BGP work in Meraki? MX supports
OSPF/BGP for dynamic routing. Configure under Appliance > Routing. OSPF uses
LSAs for topology; BGP uses attributes for path selection.
14. What is Auto VPN in Meraki, and how to configure it? Hub-and-spoke or full-mesh
IPsec VPN. Dashboard > Security & SD-WAN > Site-to-site VPN > Enable, set
hubs/spokes.
15. Explain Layer 7 firewall rules in Meraki. App-based shaping/blocking (e.g., block
Facebook). Configure under Firewall ¿ Layer 7 rules.
16. How to integrate Meraki with third-party RADIUS for authentication? Dashboard
> Wireless > Access control > RADIUS. Add server IP, secret, ports.
17. What is Meraki Insight, and its benefits? WAN health monitoring tool. Benefits:
App performance analytics, bottleneck identification.
18. Troubleshoot a wireless client connectivity issue in Meraki. Check Client details
for signal/RSSI. Verify SSID config, interference via RF spectrum. Use wireless health
analytics.
19. Explain Meraki API usage for automation. RESTful API for dashboard ops. Use
Python SDK to script configs, e.g., add devices.
20. What is SD-WAN in Meraki MX, and policy configuration? Optimizes traffic
over multiple WAN links. Configure under SD-WAN > Traffic steering > Add policy
(e.g., prioritize VoIP over MPLS).
21. How to handle firmware upgrades in Meraki? Dashboard > Organization > Firmware
upgrades. Schedule, test in staging. Recent example: MS 17.2.2 released July 22, 2025.
22. Describe VLAN configuration on Meraki switches. Switches > Ports > Edit > VLAN
mode (access/trunk), allowed VLANs.
23. What is Dynamic ARP Inspection (DAI) in Meraki? Validates ARP against DHCP
bindings to prevent poisoning. Enable on MS switches.
24. Explain QoS in Meraki for VoIP traffic. Wireless/SD-WAN > QoS rules > Prioritize RTP
ports, set DSCP markings.
25. How to monitor network performance in Meraki Dashboard? Use Summary reports,
Topology, Usage stats, Alerts.
26. What are Meraki MV cameras, and integration? Smart cameras with cloud storage.
Integrate with networks for motion alerts, analytics.
27. Troubleshoot VPN connectivity issues in Meraki. Check VPN status page, logs for IKE
errors. Verify NAT, MTU, PSK. Note recent advisory for AnyConnect VPN DoS in June 2025.
28. Explain client VPN setup in Meraki. Security > Client VPN > Enable, set subnet, DNS.
Users download config.
29. What is Air Marshal in Meraki wireless? Rogue AP detection and containment tool.
30. How to configure port mirroring on Meraki switches? Switches > Ports > Edit > Mirror
mode for traffic analysis.
31. Describe integration with Cisco ISE for NAC. Use RADIUS for 802.1X, posture assessment.
32. What recent updates in Meraki (as of 2025)? AI-powered innovations from Cisco Live
San Diego 2025, including enhanced networking features. FedRAMP authorization for
government cloud in February 2025. API enhancements for L3 interfaces and uplinks.
33. Explain traffic shaping in Meraki. Limit bandwidth per SSID/app. Configure under
Wireless > Firewall & traffic shaping.
34. How to handle high availability in Meraki MX? Warm spare setup: Add secondary MX,
enable HA.
35. What is Meraki Location Analytics? Tracks client movement via Bluetooth for insights.
36. Troubleshoot STP issues in Meraki. Check STP bridge priorities, root election via Dashboard.
37. Explain BGP configuration in Meraki MX. Appliance > Routing > BGP > Enable, set AS,
peers.
38. What is the difference between TCP and UDP in a Meraki context? TCP: Reliable,
connection-oriented; UDP: Faster, connectionless. Used in firewall rules for app control.
39. How to interpret packet captures in Meraki? Use built-in capture tool on appliances,
analyze with Wireshark.
40. Describe IPv4 vs IPv6 support in Meraki. Dual-stack; configure IPv6 under Addressing
& VLANs.
41. What experience do you have with Meraki troubleshooting? (Behavioral): Share
examples like resolving interference or config conflicts using dashboard tools.
42. How to keep up with Meraki trends? Follow Cisco blogs, certifications (CMNA), webinars,
and community forums.

10 Fortinet FortiGate Interview Questions and Answers


Expanded list for mid-senior level.
1. What is FortiGate, and why is it considered a good firewall? FortiGate is
Fortinet’s NGFW providing UTM features like IPS, AV, web filtering, SSL inspection.
Effective due to ASIC acceleration, FortiGuard intelligence, scalability from SMB to
enterprise.
2. What is UTM, and how does FortiGate implement it? Unified Threat Management
integrates security functions. FortiGate uses profiles (AV, IPS) applied to policies,
with hardware offload for low latency.
3. Explain the Security Fabric in Fortinet. Architecture integrating products for visibility,
automation. Enables zero-trust with segmentation and API sharing.
4. What is a Next-Generation Firewall (NGFW)? Beyond ports: App ID, user control,
DPI. FortiGate uses ASICs for high-throughput inspection.
5. Steps to configure a new firewall policy in FortiGate. Policy & Objects > Firewall
Policy > Create. Set interfaces, src/dst, services, action, profiles. CLI: config firewall
policy; edit ID; set params; end.
6. Difference between SSL web portal and tunnel mode in FortiGate VPN? Portal:
Browser access, limited. Tunnel: Full client, supports split-tunneling.
7. What is split tunneling, and why use it? Routes select traffic via VPN. Reduces
load; configure in VPN > SSL Settings.
8. Explain configuring VPNs on FortiGate. IPsec: IPsec Tunnels > Create > Set
gateway, auth, enc. SSL: SSL-VPN Settings > Enable portal.
9. What are possible attacks on FortiGate, and how to mitigate? DDoS: DoS
policies. Rogue DHCP: Snooping. ARP poisoning: DAI. Use FortiSandbox.
10. Difference between deployment modes in FortiGate? Transparent: L2 bridge.
NAT/Route: L3 with NAT.
11. What is FortiOS? Operating system for FortiGate, handling security and networking.
Latest: 7.6 with updates in 2025.
12. Explain Threat Management in FortiGate. Uses FortiGuard for real-time AV/IPS updates.
See 2025 Threat Landscape Report for trends.
13. How to configure an interface on FortiGate? Network > Interfaces > Edit > Set IP, mode,
admin access.
14. What is the standard procedure to upgrade FortiOS? Backup config, download firmware,
System > Firmware > Upload & reboot.
15. Explain HA configuration in FortiGate. System > HA > Set mode (active-passive), group
ID, priorities.
16. What is VDOM in FortiGate? Virtual Domains for multi-tenancy; separate policies per
VDOM.
17. How to troubleshoot VPN issues in FortiGate? Use diagnose vpn tunnel list, debug flow,
logs.
18. Explain IPS configuration. Security Profiles > Intrusion Prevention > Create signature-based
profile, apply to policy.
19. What is FortiAnalyzer integration? Central logging; configure under Log & Report >
FortiAnalyzer.
20. Difference between policy-based and route-based VPN? Policy: Traffic selectors in
policy. Route: Uses interfaces/tunnels for routing.
21. How to configure SD-WAN in FortiGate? WAN Opt > SD-WAN > Enable, add members,
rules.
22. Explain DoS policy setup. Policy & Objects > DoS Policy > Create, set thresholds.
23. What is SSL inspection, and how to enable? Decrypts HTTPS; Security Profiles >
SSL/SSH Inspection > Create, apply.
24. Troubleshoot high CPU on FortiGate. get system performance status; Disable unused
features.
25. Explain user authentication methods. Local, RADIUS, LDAP; User & Authentication.
26. What is FortiSandbox, and integration? Sandbox for unknowns; Integrate via profiles.
27. How to configure NAT in FortiGate? Policy > Set NAT, use IP pool or central SNAT.
28. Explain BGP setup on FortiGate. Network > BGP > Set AS, neighbors.
29. What are FortiTokens for MFA? Tokens; User > FortiTokens > Add.
30. Troubleshoot routing issues. get router info routing-table all.
31. Explain web filtering configuration. Security Profiles > Web Filter > Block categories.
32. What is zero-trust in Security Fabric? Continuous verification; ZTNA for access.
33. How to backup and restore config? System > Maintenance > Backup/Restore.
34. Explain antivirus profiles. Security Profiles > AntiVirus > Scan modes, apply.
35. What recent vulnerabilities in FortiGate (2025)? CVE-2025-32756: Stack-based buffer
overflow exploited in wild, May 2025. CVE-2025-24472: Auth bypass. Backdoor techniques
in April 2025. Patch immediately.
36. How to configure link monitoring? Network > SD-WAN > Health checks.
37. Explain FortiManager for central management. Manages multiple FortiGates; Add devices,
push policies.
38. Troubleshoot firewall policy mismatches. Use policy lookup tool in GUI.
39. What is application control? Identifies apps; Security Profiles > Application Control.
40. How to handle firmware rollback? Boot alternate partition via CLI.
41. Explain OSPF configuration. Network > OSPF > Set areas, interfaces.
42. What is FortiGuard? Threat intelligence for updates.
43. Troubleshoot DHCP server issues. Network > DHCP Server; Logs for conflicts.
44. Explain ZTNA setup. ZTNA > Policies > Create tags, rules.
45. How to integrate with SIEM? Log & Report > Syslog > Add server.
46. What is the purpose of a firewall? Controls traffic, prevents unauthorized access.
47. Explain possible DoS attacks and mitigation. SYN flood: TCP proxy. UDP flood: Rate
limiting.
48. How to configure VLANs on FortiGate? Network > Interfaces > Create subinterface,
VLAN ID.
49. Troubleshoot NAT issues. diagnose debug flow; Check mappings.
50. What is FortiAP integration? WiFi Controller > FortiAP Profiles.
51. What recent updates in FortiGate (as of 2025)? Quantum-safe security advancements in
July 2025. Leader in Gartner SASE Magic Quadrant July 20
FortiOS 7.6 features.


11 Scenario-Based and General Questions


• Scenario: Users get incorrect IPs from DHCP in a Meraki/FortiGate hybrid
setup. Check for rogue servers using Wireshark or FortiGate logs. In Meraki, enable
DHCP guard; in FortiGate, verify DHCP relay configuration and snooping.
• How would you integrate Meraki with FortiGate? Use Meraki MX as SD-WAN
edge connected via IPsec tunnels to FortiGate for advanced UTM. Configure site-to-site
VPN on both, ensure route propagation.
• Troubleshoot a VPN dropout between sites. Check logs (Meraki Event Log;
FortiGate ‘diagnose debug enable‘). Verify Phase 1/2 proposals, NAT traversal, MTU
(adjust to 1400 if fragmentation), and keepalives.
• Design an enterprise network with Meraki and FortiGate. Use Meraki for branch
offices (MX for SD-WAN, MS/MR for LAN/wireless) and FortiGate at HQ for core
firewalling/UTM. Integrate Security Fabric with Meraki API for visibility. Implement
zero-trust with ZTNA and Auto VPN.
• Handle a security breach scenario. Isolate affected segments (quarantine VLANs),
analyze logs/traffic captures, identify IOCs (e.g., via FortiAnalyzer), patch vulnerabilities,
and conduct post-mortem. Use IPS to block similar threats proactively.

12 Conclusion
This document is self-contained for your interview preparation. Practice hands-on with labs
(Meraki sandbox, FortiGate VM), review recent updates via searches, and practice explaining
concepts aloud. Good luck!
