EMS Administration Guide

FortiPAM integration

To configure the FortiPAM integration for FortiClient, you must configure the following:

  • FortiPAM itself: network settings, the ZTNA access proxy, a user, a secret folder, and a secret
  • The FortiPAM feature in the EMS endpoint profile
  • FortiClient on the endpoint, with the FortiPAM feature enabled

This document also describes the following use cases:

  • Using a secret to SSH to a FortiGate
  • Using a secret to log in to a website
  • Debugging the integration

To configure FortiPAM:
  1. Log in to FortiPAM via the console.
  2. Configure the management IP address, default gateway, and DNS settings. This lab example allows http and telnet on port1 because HTTP is needed before license validation (see step 4); both protocols carry administrator credentials in clear text, so remove telnet from allowaccess now, and remove http once the license is validated:
    config system dns
        set primary 208.91.112.53
        set secondary 96.45.46.46
    end
    config router static
        edit 1
            set gateway 172.17.162.3
            set device "port1"
        next
    end
    config system interface
        edit "port1"
            set ip 172.17.162.167 255.255.254.0
            set allowaccess ping https ssh http telnet
            set type physical
            set monitor-bandwidth enable
            set snmp-index 1
        next
    end
  3. Clear the browser cache.
  4. Log in to FortiPAM via its interface IP address using HTTP. For example, with the interface IP address 172.17.162.167 configured in step 2, go to http://172.17.162.167. Do not use HTTPS: FortiPAM does not support HTTPS before license validation. Use HTTPS for all administrative access once the license is validated.
  5. Configure the zero trust network access (ZTNA) server (VIP), access proxy, and policy in FortiPAM. This example sets the ZTNA server external IP address to 172.17.162.166; FortiClient connects to this IP address on port 443 when a user launches a secret:
    config firewall vip
        edit "fortipam_vip"
            set uuid 188232bc-3534-51ed-897e-7d522767d173
            set type access-proxy
            set extip 172.17.162.166
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
    config firewall access-proxy
        edit "fortipam_access_proxy"
            set vip "fortipam_vip"
            config api-gateway
                edit 1
                    set url-map "/pam"
                    set service pam-service
                next
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "all"
                        next
                    end
                next
                edit 3
                    set service gui
                    config realservers
                        edit 1
                            set ip 127.0.0.1
                            set port 80
                        next
                    end
                next
            end
        next
    end
    config firewall policy
        edit 1
            set type access-proxy
            set uuid 075cff8c-4e1e-51ed-4d83-41cb5da1944e
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set access-proxy "fortipam_access_proxy"
            set groups "SSO_Guest_Users"
            set ssl-ssh-profile "deep-inspection"
        next
    end
  6. Log in to FortiPAM as the admin user. Add a "demo" user that will log in to FortiPAM to launch the predefined secrets, or to create its own secrets. The password "1" is a placeholder for this lab; use a password that meets your password policy:
    config system admin
        edit "demo"
            set accprofile "Power User"
            set password "1"
        next
    end
  7. Create a secret folder, called "f-demo" in this example. In FortiPAM, every secret must belong to a secret folder, and the FortiPAM administrator assigns each user's permissions on the folder, such as owner or view-only. Give the demo and admin users owner permissions on the f-demo folder:
    config secret folder
        edit 5
            set name "f-demo"
            set inherit-policy disable
            set inherit-permission disable
            config user-permission
                edit 1
                    set user-name "demo" "admin"
                    set folder-permission owner
                    set secret-permission owner
                next
            end
        next
    end
  8. Add the "RDP Secret Launcher" secret to the f-demo folder, whose ID is 5 in this example. Proxying and session recording are enabled so that the RDP session passes through FortiPAM and is recorded. Enter the password in plaintext when you create the secret; the ENC value shown is the encrypted form that show prints back and cannot be copied between devices:
    config secret database
        edit 22
            set name "RDP Secret Launcher"
            set folder 5
            set template "Windows Machine"
            set recording enable
            set proxy enable
            set block-rdp-clipboard disable
            set rdp-service-status up
            set samba-service-status up
            config credentials-history
            end
            config field
                edit 1
                    set name "Host"
                    set value "172.17.60.8"
                next
                edit 2
                    set name "Username"
                    set value "qa"
                next
                edit 3
                    set name "Password"
                    set value "ENC lLUCAA722LevoHAohj7+Jnsyp0A="
                next
            end
        next
    end
    
To enable the FortiPAM feature in EMS:
  1. In EMS, go to Endpoint Profiles > System Settings.
  2. Edit the desired profile or create a new one.
  3. Enable Privilege Access Management.
  4. In the Port field, enter 9191. This is the default port for communication between FortiPAM and EMS, and it must match the port configured in FortiPAM in System > Settings > Client Port. To use a custom port, change it in both EMS and FortiPAM.
  5. Click Save.
To install FortiClient with the FortiPAM feature enabled and verify the configuration:
  1. On an endpoint with the FortiPAM feature enabled, open Task Manager. Confirm that the fortivrs.exe and fortitcs.exe daemons are running.
  2. In the desired browser, ensure that the FortiPAM password filler extension is installed.
  3. In FortiPAM, go to Secrets > Secret List.
  4. Select RDP Secret Launcher, then click Launch Secret.
  5. Select Remote Desktop-Windows, then click Launch.
  6. In the prompt, select Yes. You should log in to the remote Windows machine successfully without entering credentials.
To configure a secret for SSH to a FortiGate:
  1. Install PuTTY on the client machine.
  2. Install FortiClient on the endpoint. The FortiPAM feature must be enabled.
  3. Register FortiClient to EMS. Ensure that the profile assigned to the endpoint has the FortiPAM feature enabled.
  4. Log in to FortiPAM as the administrator. Add the SSH secret:
    1. Obtain the ID of the secret folder that this secret will belong to by running show secret folder. In this example the folder is f-demo, which has ID 5.
    2. Obtain the secret IDs already in use by running show secret database. In this example ID 22 is already used, so the new SSH secret uses ID 23:
      show secret database
      id    Secret ID.
      22    RDP Secret Launcher
    3. Add a secret for SSH to the FortiGate, using secret ID 23. The following commands enable proxying and session recording, and reference an SSH filter profile named "DEMO" that must already exist (create one or change the name to match yours). Replace the name, folder, host, username, password, and URL values with your own before running the commands. Enter the password in plaintext; the ENC value shown is the encrypted form that show prints back:
      config secret database
          edit 23
              set name "ID23 SSHtoFGT"
              set folder 5
              set template "FortiGate (SSH Password)"
              set recording enable
              set proxy enable
              set ssh-filter enable
              set ssh-filter-profile "DEMO"
              set ssh-service-status up
              config credentials-history
              end
              config field
                  edit 1
                      set name "Host"
                      set value "172.17.61.28"
                  next
                  edit 2
                      set name "Username"
                      set value "admin"
                  next
                  edit 3
                      set name "Password"
                      set value "ENC kseKVIslSftEmwBy8OqUPyYryoA="
                  next
                  edit 4
                      set name "URL"
                      set value "https://172.17.61.28"
                  next
              end
          next
      end
  5. In Microsoft Edge, log in to FortiPAM as the demo user and launch the secret to confirm that it works: go to Secrets > Secret List, select the newly created secret, and click Launch Secret. Edge is preferred over Chrome and Firefox for testing this configuration. A PuTTY window opens and you should be logged in to FortiOS without providing credentials. After the session ends, go to Log & Reports > Secrets > Secret Video to confirm that a video was recorded as configured.
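The configuration entered above, both for FortiPAM itself (steps 2 to 8) and for the SSH secret, is plain FortiOS-style CLI, which makes it easy to review mechanically before it is pushed or after it is dumped with show full-configuration. The following Python script is an added example, not part of this guide or of Fortinet's software: it parses that CLI syntax into a tree and flags the settings a reviewer should question, namely clear-text administrative access on an interface, a secret with recording or proxying not enabled, and a Password field that is not in ENC form. The sample configuration inside the script is constructed for the example and deliberately weakens the SSH secret so that the checks have something to report.

```python
"""Audit a FortiPAM CLI configuration (added example, not Fortinet's code).
Parses the config/edit/set/next/end syntax used on this page and reports
clear-text admin access on interfaces, secrets without recording and proxy
enabled, and Password fields not in the ENC form that "show" prints back.
Use "show full-configuration" output so defaults are explicit; a value
absent from plain "show" output is treated as not enabled. SAMPLE_CONFIG
is constructed here and deliberately weakens the SSH secret.
"""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 172.17.162.167 255.255.254.0
        set allowaccess ping https ssh http telnet
    next
end
config secret database
    edit 22
        set name "RDP Secret Launcher"
        set recording enable
        set proxy enable
        config field
            edit 3
                set name "Password"
                set value "ENC lLUCAA722LevoHAohj7+Jnsyp0A="
            next
        end
    next
    edit 23
        set name "ID23 SSHtoFGT"
        set recording disable
        set proxy enable
        config field
            edit 3
                set name "Password"
                set value "hunter2"
            next
        end
    next
end
"""

CLEARTEXT_ACCESS = {"http", "telnet"}

def _node():
    # A config table or an edit entry: its own "set" values plus nested children.
    return {"set": {}, "children": {}}

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into a tree of nodes."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = shlex.split(line)  # honours the CLI's double-quoted values
        kw, args = tok[0], tok[1:]
        if kw == "config":       # "config secret database" opens a table node
            stack.append(stack[-1]["children"].setdefault(" ".join(args), _node()))
        elif kw == "edit":       # "edit 22" / 'edit "port1"' opens an entry node
            stack.append(stack[-1]["children"].setdefault(args[0], _node()))
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {kw!r}")
            stack.pop()
        else:
            raise ValueError(f"unsupported line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root

def _entries(node, table):
    return node["children"].get(table, _node())["children"]

def audit(root):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for name, node in _entries(root, "system interface").items():
        bad = CLEARTEXT_ACCESS.intersection(node["set"].get("allowaccess", []))
        if bad:
            findings.append(f"interface {name}: clear-text admin access enabled: {sorted(bad)}")
    for sid, node in _entries(root, "secret database").items():
        s = node["set"]
        label = f"secret {sid} ({s.get('name', ['?'])[0]})"
        for opt in ("recording", "proxy"):
            if s.get(opt, [""])[0] != "enable":
                findings.append(f"{label}: {opt} is not enabled")
        for field in _entries(node, "field").values():
            f = field["set"]
            if f.get("name", [""])[0] == "Password" and not f.get("value", [""])[0].startswith("ENC "):
                findings.append(f"{label}: Password field is in clear text, not ENC form")
    return findings

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(parse_fortios(text)) or ["no findings"]:
        print(finding)
```

Run it with the output of show full-configuration saved to a file as its only argument; with no argument it audits the embedded sample and reports the interface's http and telnet access, the SSH secret's disabled recording, and that secret's clear-text Password field, while the RDP secret passes.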

To use a secret to log in to a website:

The following steps show how to use a secret to log in to a website. The example website is AWS.

  1. Log in to FortiPAM and create a secret for AWS. Proxying and recording are enabled so that the browser session is recorded; the AccountID field is left empty in this example:
    config secret database
        edit 25
            set name "Login AWS"
            set folder 5
            set template "AWS Web Account"
            set recording enable
            set proxy enable
            config credentials-history
            end
            config field
                edit 1
                    set name "URL"
                    set value "https://aws.amazon.com/"
                next
                edit 2
                    set name "Username"
                    set value "yours@gmail.com"
                next
                edit 3
                    set name "Password"
                    set value "ENC yNhlyigiX2TX0nJNuetRYI3EJI4="
                next
                edit 4
                    set name "AccountID"
                next
            end
        next
    end
  2. Click Launch Secret.
  3. Click Sign in.
  4. Click the root user email address.
  5. Select Use FortiPAM session credentials to autofill the user account, then click Next.
  6. Select Use FortiPAM session credentials to autofill the password, then click Sign in. FortiClient starts recording the session and streams the video to FortiPAM until the session finishes.

To debug the integration:

By default, debug logging is enabled for the FortiClient-side FortiPAM daemon (fortivrs.exe). The log files are in the FortiClient trace folder and are named as follows:

  • fortivrs_session_0_1.log
  • fortivrs_session_1_1.log

The file C:\Users\Public\FortiClient\ztna\config.json contains the zero trust network access (ZTNA) rules that FortiClient received. In the example from To use a secret to log in to a website:, the file contains one ZTNA rule entry, whose gateway is the ZTNA VIP configured in step 5 and whose destination is the host from the secret's URL field:
    {"rules":[{"name":"InternalPamRuleItem1","mode":"transparent","destination":"aws.amazon.com:443","gateway":"172.17.162.166:443","encryption":0}]}
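This rule file is what FortiClient acts on when a secret is launched, so when a launch hangs the first thing to check is whether the expected rule arrived and points at the right gateway. The following Python script is an added example, not Fortinet's code: it reads the file and reports rules whose gateway is not the ZTNA VIP from step 5, malformed host:port values, and the absence of a rule for the secret's target. The file path and the expected gateway are taken from this page; the meaning of the encryption field is not documented here, so the script does not interpret it. The embedded sample rule set is constructed for the example and adds a second rule with a deliberately wrong gateway.

```python
"""Check the ZTNA rules FortiClient received for a FortiPAM secret launch.

Added example, not Fortinet's code. Reads the rule file FortiClient writes
(RULES_PATH below) and verifies that every rule forwards to the FortiPAM
ZTNA VIP configured in step 5 and that a rule exists for the launched
secret's target. The "encryption" field is not documented on this page and
is left alone. SAMPLE_CONFIG_JSON is constructed for this example: the
page's aws.amazon.com rule plus a rule with a deliberately wrong gateway.
"""
import json
import os
import sys

EXPECTED_GATEWAY = "172.17.162.166:443"   # extip:extport of fortipam_vip (step 5)
RULES_PATH = r"C:\Users\Public\FortiClient\ztna\config.json"

SAMPLE_CONFIG_JSON = json.dumps({"rules": [
    {"name": "InternalPamRuleItem1", "mode": "transparent",
     "destination": "aws.amazon.com:443", "gateway": "172.17.162.166:443", "encryption": 0},
    {"name": "InternalPamRuleItem2", "mode": "transparent",          # constructed bad rule
     "destination": "172.17.61.28:22", "gateway": "10.0.0.1:443", "encryption": 0},
]})

def _check_hostport(value):
    """Return (host, port) or raise ValueError unless value is host:port with a valid port."""
    host, sep, port = str(value).rpartition(":")
    if not host or not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"not host:port: {value!r}")
    return host, int(port)

def check_ztna_rules(config_text, expected_gateway=EXPECTED_GATEWAY, destination=None):
    """Return a list of findings; an empty list means the rules are consistent.

    destination, if given, is the host:port the launched secret must reach
    (the secret's Host field plus the service port, or the URL host and 443).
    """
    findings = []
    try:
        rules = json.loads(config_text)["rules"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"config.json unreadable: {exc}"]
    if not isinstance(rules, list):
        return ["config.json: 'rules' is not a list"]
    seen = set()
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        for key in ("destination", "gateway"):
            try:
                _check_hostport(rule.get(key, ""))
            except ValueError as exc:
                findings.append(f"{name}: bad {key}: {exc}")
        if rule.get("gateway") != expected_gateway:
            findings.append(f"{name}: gateway {rule.get('gateway')!r} is not the FortiPAM VIP {expected_gateway}")
        if rule.get("mode") != "transparent":
            findings.append(f"{name}: unexpected mode {rule.get('mode')!r}")
        seen.add(rule.get("destination"))
    if destination is not None and destination not in seen:
        findings.append(f"no rule for {destination}: FortiClient did not receive the secret's ZTNA rule")
    return findings

if __name__ == "__main__":
    # With the real file present (on the endpoint) it is checked; otherwise the sample is.
    text = open(RULES_PATH).read() if os.path.exists(RULES_PATH) else SAMPLE_CONFIG_JSON
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for line in check_ztna_rules(text, destination=target) or ["OK"]:
        print(line)
```

Run it on the endpoint while a secret is open, passing the target as host:port (for the RDP secret above, 172.17.60.8:3389; for the AWS secret, aws.amazon.com:443); an empty result means the rule set matches the FortiPAM side.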

To debug on the FortiPAM side, you can do the following:

  • Go to Network > Packet Capture.
  • Use the following commands to troubleshoot. Run diagnose debug disable when you are finished so that verbose WAD output does not keep filling the console:
    diagnose debug enable
    diagnose wad debug enable level verbose
    diagnose wad debug enable category secret
    diagnose wad debug enable category ssh
    diagnose debug console timestamp enable
