eferreira_FTNT
Staff
October 15, 2014
Solved

FOS 5.2 transparent mode module

Hi,

This is a recording of the first draft of the transparent mode module for FOS 5.2: https://www.brainshark.com/fortinet/vu?pi=zGJzT1BNYzJRhMz0

You are more than welcome to watch it and share your comments and feedback in the forum.

Regards,
Edy
    Best answer by ede_pfau


    Mark_Oakton
    New Member
    October 16, 2014
    Thanks, it's useful.
    MatthewSabin
    New Member
    April 1, 2016

    Good overview. Thanks!

    I would like more detail in how to configure and troubleshoot.

    ede_pfau
    SuperUser
    Answer
    April 2, 2016

    Thanks for the preview.

    Some things where I got stuck:

    You talk about "MAC addresses" often. I wonder why you avoid mentioning the OSI layer model, Layer 2 and 3.


    pg 4. NAT mode: "FortiGate ports have IP addresses." ...which certainly is not true - they don't need to have addresses. Rather, "Ports need to have unique IP addresses, if any."

    pg 5. It really would be enlightening if you could clarify whether a TP-mode FGT is a switch or a hub. All doc examples only show 2 ports active, which doesn't allow this distinction to be made. Later on, on pg. 6, you start talking about it being a bridge, then drop that in favor of "switch". As bridges are nearly extinct today I'd feel more comfortable with "switch".

    One property of a switch is that it will forward a packet only to the port which has previously seen the destination's MAC address. If the destination MAC is not yet known a switch has to broadcast an ARP request to all ports. So, eventually, a switch can also connect collision domains.

    "Forwarding domain" pg7-9: IMHO forwarding broadcasts from one VLAN to all ports is correct behavior as a VLAN has the explicit advantage NOT to tie VLAN members to one physical segment. I assume that's why this is the default way VLAN broadcasts work in FortiOS. You elaborate that this might have disadvantages in large networks which is a corner case in my opinion - connectivity before efficiency. At least, the student should not get the impression that without defining forwarding domains VLANs are not correctly set up.

    diag command: only 16 seconds are not sufficient to explain the data which you can obtain from the output, which is a pity. As we all know, diag commands are essential, and essentially not undocumented.
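As an added illustration (an editor's example, not code from the training module or from ede_pfau's reply), here is a small Python model of the two behaviours the reply discusses: a learning switch that forwards a known unicast to exactly one port, and forwarding domains that confine broadcast and unknown-unicast flooding to a subset of ports, with the default (all ports in one domain) flooding everywhere. Port names, domain numbers and MAC addresses are constructed; the model floods frames to not-yet-learned destinations rather than sending an ARP request itself, which is the standard learning-switch behaviour.

```python
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


class TransparentBridge:
    """Learning switch whose ports are grouped into forwarding domains.

    Every port defaults to domain 0, so a broadcast or a frame to a MAC that
    has not been learned yet is flooded to all other ports (the FortiOS
    default the reply defends). Separate domains confine that flooding.
    """

    def __init__(self, ports, domains: Optional[Dict[str, int]] = None):
        self.ports = list(ports)
        self.domain = {p: (domains or {}).get(p, 0) for p in self.ports}
        self.mac_table: Dict[str, str] = {}  # learned MAC -> ingress port

    def forward(self, in_port: str, src: str, dst: str) -> Set[str]:
        """Learn the source MAC on in_port, then return the egress port set."""
        self.mac_table[src] = in_port  # Layer 2 learning on every frame
        dom = self.domain[in_port]
        same_domain = [p for p in self.ports if p != in_port and self.domain[p] == dom]
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]  # known unicast: exactly one port ...
            return {out} if out in same_domain else set()  # ... never across domains
        return set(same_domain)  # broadcast / unknown unicast: flood the domain


def demo():
    """Constructed topology: port1+port2 in domain 1, port3+port4 in domain 2."""
    br = TransparentBridge(["port1", "port2", "port3", "port4"],
                           {"port1": 1, "port2": 1, "port3": 2, "port4": 2})
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    first = br.forward("port1", a, b)   # b unknown: flooded, but only inside domain 1
    reply = br.forward("port2", b, a)   # a was learned on port1: unicast there
    second = br.forward("port1", a, b)  # b now learned on port2: no more flooding
    bcast = br.forward("port3", c, BROADCAST)  # domain 2 broadcast stays in domain 2
    # Default configuration (no domains): the same unknown unicast reaches every port.
    default = TransparentBridge(["port1", "port2", "port3", "port4"]).forward("port1", a, b)
    return first, reply, second, bcast, default


if __name__ == "__main__":
    for name, ports in zip(("first", "reply", "second", "bcast", "default"), demo()):
        print(f"{name}: {sorted(ports)}")
```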