Let me be upfront about something most home lab posts won't tell you: Fortinet gear is not cheap. Even used. Even the small stuff. If you came here looking for a "$200 firewall that does everything" post, this isn't it.

But if you're studying for your NSE certifications, working in an environment that runs Fortinet, or you just want hands-on experience with the same gear sitting in enterprise racks across the country — then the cost makes sense. It made sense for me.

I'm Dylan. I work as a network analyst at Halton District School Board, where we run Fortinet end to end. I built this lab to train on the real thing — not a simulation, not a VM with limited features. Here's exactly what I'm running, what I paid, and what I'd tell myself if I was starting over.

★ THE STACK

DEVICE   | MODEL            | ROLE                         | APPROX. COST (USED)
FIREWALL | FORTIGATE 60F    | Perimeter, VPN, UTM          | $300–$450 CAD
SWITCH   | FORTISWITCH 124D | VLANs, trunking, FortiLink   | $150–$250 CAD
WIRELESS | FORTIAP 421E     | Dual-band, multi-SSID        | $100–$180 CAD
SERVER   | LINUX BOX        | Apache, self-hosted services | Already owned

~$700 TOTAL INVESTED (CAD)
3 FORTINET DEVICES
100% ENTERPRISE GRADE
0 REGRETS

★ THE FORTIGATE 60F — THE BRAIN

The FortiGate 60F is the heart of everything. This is a real enterprise firewall — not a consumer router with a firewall checkbox bolted on. It runs FortiOS, which is the same operating system you'll find on a $100,000 chassis in a data centre, just with lower throughput limits.

For a home lab, the 60F is the sweet spot. It's small enough to sit on a desk, draws minimal power, and has enough ports and features to keep you busy for years. I run mine with full UTM (Unified Threat Management) enabled — IPS, application control, web filtering, SSL inspection, the works.

WHAT I ACTUALLY USE IT FOR:

[ FORTIGATE 60F — ACTIVE CONFIGS ]

▶ Perimeter firewall with policy-based routing
▶ Site-to-site VPN (IKEv2)
▶ SSL VPN for remote access
▶ VLAN segmentation between lab zones
▶ DNS filtering and web category blocking
▶ FortiLink management of the switch and AP
▶ Security Fabric integration across all devices

The FortiLink feature alone is worth the price of entry. It lets the FortiGate manage the switch and AP directly through a single pane of glass — no separate management interfaces for each device. In the enterprise world this is standard. In a home lab it means you actually learn how it works instead of just reading about it.

[ ⚠ IMPORTANT NOTE ON LICENSING ]

Fortinet gear requires active subscriptions for UTM features (IPS, AV, web filtering). Without a license the hardware still works as a basic firewall, but you lose the security services. Used gear often comes with expired licenses. Budget for this or treat the lab as a config-focused environment rather than a fully licensed one. I run mine with expired UTM — the features are still there, just without updated signatures. Good enough for learning.

★ THE FORTISWITCH 124D — THE BACKBONE

The FortiSwitch 124D is a 24-port managed switch. Nothing exotic about the hardware — what makes it interesting is FortiLink, the protocol that connects it to the FortiGate.

Once FortiLink is established, you manage the switch entirely from the FortiGate GUI. VLANs, trunks, port profiles, RSTP — all configured in one place. This is how enterprise Fortinet environments actually work, and getting hands-on with it at home is genuinely valuable if you're going to be managing similar setups at work.

MY VLAN SETUP:

[ VLAN SEGMENTS — HOME LAB ]

▶ VLAN 10 — Management (FortiGate, Switch, AP)
▶ VLAN 20 — Lab / Study (GNS3 machines, test devices)
▶ VLAN 30 — Trusted (daily use, phones, laptops)
▶ VLAN 40 — IoT (smart home, guest devices)
▶ VLAN 50 — Servers (Linux box, self-hosted services)

Segmenting your home network like this isn't just good practice for cert studying — it actually makes your network more secure. Traffic between VLANs has to be routed through the FortiGate, so it only passes where a firewall policy allows it. With no such policy, IoT devices on their own VLAN can't reach your servers. Guest devices can't reach anything. It's the kind of thing that sounds like overkill until you've done it once and realized how obvious it is.
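Added example (not part of the original post, and not FortiOS code): a small Python audit that checks a rule set against the segmentation intent above, using a simplified model of top-down, first-match policy evaluation with an implicit deny at the end. The zone names, the "wan" zone, both rule sets and the forbidden-flow list are constructed assumptions.

```python
# Simplified model of inter-VLAN policy evaluation. Rules are checked
# top-down, the first match wins, and anything unmatched is denied.
# Zone names map to the VLANs above; "wan" is an assumed internet zone.
ZONES = {"mgmt": 10, "lab": 20, "trusted": 30, "iot": 40, "servers": 50, "wan": None}

# Constructed rule sets: (source zone, destination zone, service, action).
WEAK = [
    ("trusted", "servers", "HTTPS", "accept"),
    ("iot", "any", "any", "accept"),    # meant "internet only", matches every zone
    ("iot", "servers", "any", "deny"),  # shadowed: the rule above matches first
]
FIXED = [
    ("trusted", "servers", "HTTPS", "accept"),
    ("iot", "wan", "any", "accept"),    # internet only; the rest hits implicit deny
]

# Flows the segmentation is supposed to block (assumed intent).
FORBIDDEN = [("iot", "servers"), ("iot", "mgmt")]
SERVICES = ["HTTPS", "SSH"]


def decide(policies, src, dst, service):
    """Return the action of the first matching rule, or the implicit deny."""
    for p_src, p_dst, p_svc, action in policies:
        if p_src in (src, "any") and p_dst in (dst, "any") and p_svc in (service, "any"):
            return action
    return "deny"


def audit(policies, forbidden, services):
    """List every (src, dst, service) that is allowed but should be blocked."""
    return [
        (src, dst, svc)
        for src, dst in forbidden
        for svc in services
        if decide(policies, src, dst, svc) == "accept"
    ]


if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("FIXED", FIXED)):
        leaks = audit(rules, FORBIDDEN, SERVICES)
        print(name, "violations:", leaks if leaks else "none")
```

The WEAK set shows two things that break segmentation even when the VLANs themselves are set up correctly: a wildcard destination on an "internet" rule, and a deny placed below the accept that shadows it.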

★ THE FORTIAP 421E — WIRELESS DONE RIGHT

The FortiAP 421E is a dual-band 802.11ac Wave 2 AP. It's older at this point, but for a home lab it's more than enough. Like the switch, it's managed entirely through the FortiGate — you configure SSIDs, band steering, and client limits all from the same FortiGate GUI.

I run three SSIDs: one for trusted devices, one for IoT, and one for guests. Each maps to its respective VLAN. The AP just does what it's told. This is exactly how a managed wireless deployment works in an enterprise — the controller (in this case the FortiGate's built-in wireless controller) does the thinking.

★ WHERE TO BUY USED FORTINET GEAR

New Fortinet hardware is priced for enterprise procurement budgets, not IT students. The used market is where you shop. Here's where I look:

[ SOURCING GUIDE ]

▶ eBay — Largest selection. Shop globally, filter by "used." Watch for units sold without power adapters.

▶ Facebook Marketplace — Local pickup means no shipping risk. Worth checking weekly.

▶ Kijiji — Great for Canadian buyers. IT equipment shows up regularly from businesses downsizing.

▶ IT asset resellers — Companies like ServerMonkey or similar. Slightly more expensive but tested gear.

▶ What to avoid: Units described as "for parts" or missing serial numbers. You need a valid serial to register on the Fortinet support portal, even for a free account.

★ IS IT WORTH IT?

That depends on one question: are you planning to work in environments that use Fortinet?

If yes — then this is one of the best investments you can make in your career. You can't truly learn FortiOS from documentation alone. The GUI makes sense once you've clicked through it a hundred times. Policies, objects, VDOMs, Security Fabric — these concepts click differently when you're configuring real hardware at 11pm because you broke something and you have to figure out why.

If you're studying Cisco for CCNA and want a firewall just to have one — get a used Cisco ASA or a pfSense box instead. Much cheaper, more CCNA-relevant.

For me, it was a no-brainer. I work on this stuff every day at Halton. The lab just means I can break things without consequences.
