FortiPAM-VM GUI access

To enable GUI access to the FortiPAM-VM you must configure basic network settings of the FortiPAM-VM in the client console.

To configure basic settings in FortiPAM-VM:
  1. Power on your virtual machine, and enter the VM Console.
  2. At the FortiPAM-VM login prompt, enter the username admin and the password.
    By default there is no password; you will be prompted to create a new one.
  3. At the CLI prompt, enter show system storage to verify the disk usage type for the two added hard disks. The output looks like the following:

    config system storage
        edit "HD1"
            set status enable
            set media-status enable
            set order 1
            set partition "LOGUSEDXDE8326F6"
            set device "/dev/vda1"
            set size 20023
            set usage log
        next
        edit "HD2"
            set status enable
            set media-status enable
            set order 2
            set partition "PAMVIDEOB471724F"
            set device "/dev/vdb1"
            set size 20029
            set usage video
        next
    end

    Administrators need to configure a dedicated FortiPAM video disk for video recording.

    Two hard disks and two virtual network interface cards need to be added to the VM in VM manager before FortiPAM image installation.

    See Deploying FortiPAM-VM on KVM.

  4. Enter the following CLI commands to set up FortiPAM:

    config system interface
        edit "port1"
            set ip 172.16.x.x/x #Depending on your network setting
            set type physical
            set snmp-index 1
        next
        edit "port2"
            set ip x.x.x.x/x
            set type physical
            set snmp-index 2
        next
    end
    config router static
        edit 1
            set gateway x.x.x.x
            set device "port1"
        next
    end

    The IP address set here is automatically copied to VIP.

  5. Optionally, enable TPM or vTPM. See FortiPAM with TPM in the FortiPAM Administration Guide.
  6. Optionally, to encrypt the disks that hold logs and videos, see Configuring log and video disk encryption in the FortiPAM Administration Guide.
  7. On a web browser, go to https://172.16.xxx.xxx to access FortiPAM GUI.

    To upload the FortiPAM license file, see Uploading the license file to FortiPAM-VM section in the FortiPAM Administration Guide.

    Caution

    FortiCloud currently does not support IPv6 for FortiPAM-VM license validation. You must specify an IPv4 address in both the support portal and the port1 management interface.

  8. Optionally, enable displaying a login disclaimer message to show the last successful or failed login date and time:

    config system global
        set post-login-banner enable
    end

    For a detailed example on setting up the login disclaimer using the CLI console, see Disclaimers via the CLI in the FortiPAM Administration Guide.

    To set up the login disclaimer using the GUI, see the Login Disclaimer option in System > Settings in the FortiPAM Administration Guide.

  9. After logging in to the FortiPAM GUI, go to Log & Report > Email Alert Settings, and:
    1. Select Enable Email Notification.
    2. Add receiver email addresses for critical system notifications in the Critical System Notification tab.

      See Email alert settings and the Email alert when the glass breaking mode is activated example in the FortiPAM Administration Guide.
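The following is an added example (not Fortinet code) that checks the two prerequisites from steps 3, 4 and the caution above before you open the GUI: it parses the config/edit/set/next/end output format that show system storage prints, confirms one enabled disk has usage log and another usage video, and confirms port1 carries an IPv4 address (FortiCloud license validation does not support IPv6). The sample text is constructed and trimmed from the page's output; the CIDR form of set ip follows the page's notation.

```python
import ipaddress
import shlex

# Constructed sample, trimmed from the 'show system storage' and interface
# output on the page (not captured from a live FortiPAM).
SAMPLE = """\
config system storage
    edit "HD1"
        set status enable
        set usage log
    next
    edit "HD2"
        set status enable
        set usage video
    next
end
config system interface
    edit "port1"
        set ip 172.16.10.5/24
    next
end
"""

def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for words in (shlex.split(line) for line in text.splitlines()):
        if not words:
            continue
        if words[0] == "config":          # open a table, e.g. "system storage"
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":          # open an entry inside the table
            entry = table.setdefault(words[1], {})
        elif words[0] == "set":           # key/value pair for the current entry
            entry[words[1]] = " ".join(words[2:])
        # "next" and "end" only close scope; the next edit/config replaces it
    return tables

def has_log_and_video_disks(tables):
    """Both usage types the page requires must be present on enabled disks."""
    disks = tables.get("system storage", {}).values()
    usages = {d.get("usage") for d in disks if d.get("status") == "enable"}
    return {"log", "video"} <= usages

def port1_has_ipv4(tables):
    """License validation needs an IPv4 management address on port1."""
    ip = tables.get("system interface", {}).get("port1", {}).get("ip", "")
    try:
        return ipaddress.ip_interface(ip).version == 4
    except ValueError:                    # missing or malformed address
        return False
```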

Glass breaking mode

Glass breaking in FortiPAM means temporarily extending a user's permissions to data that the user is not otherwise authorized to access. Typically, user access is controlled by the permissions defined in every secret and folder. In a rare situation, such as a network outage or the remote authentication server becoming unreachable, glass breaking allows you to temporarily access important secrets and target servers to resolve issues.

As a best practice, only a few administrators should have access to the glass breaking mode. Further, the glass breaking mode should only be activated under exceptional situations and for disaster recovery. Email notifications can also be configured to send alerts whenever someone enters glass breaking mode.

To enable glass breaking alert email notifications:
  1. Ensure that Email Service is set up in System > Settings.
  2. Go to Log & Report > Email Alert Settings, and select Enable email notification.
  3. In the Glassbreaking Notification tab:
    1. In From, enter the email address of the sender.

    2. In To, enter the email address of the receiver.

  4. Click Apply.

    The glass breaking email alert covers only glass breaking events; it does not include other important notifications, e.g., administrative changes (configuration and HA status) and security events (virus detection).

To update firmware image:
  1. You can only upload a firmware image while in maintenance mode. See Maintenance mode.
  2. In the user dropdown on the top-right, go to System > Firmware.

    The Firmware Management window opens.

  3. Go to File Upload:
    1. Select Browse, then locate the image.out FortiPAM firmware image on your local computer.
    2. Click Open.
  4. Click Confirm and Backup Config.

    The firmware image uploads from your local computer to the device, which will then reboot. For a short period of time during this reboot, the device is offline and unavailable.

To enter maintenance mode:
  1. From the user dropdown, select Activate Maintenance Mode in System.
  2. In the Warning dialog:
    1. Enter the maximum duration, in minutes.
    2. Enter a reason for activating the maintenance mode.
    3. Click OK.
