Document
Library

Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
- VM license
Folders
- Creating a folder
Secrets
- Secret list
- Secret launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Secret templates
  - Creating secret templates
- Policies
  - Creating a policy
    - Applying a policy to a folder
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Job list
  - Creating a job
Monitoring
- User monitor
- Active sessions
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Approval request
- My requests
  - Make a request
- Request review
  - Approve a request
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
Password changing
- Character sets
  - Creating a character set
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
Authentication
- Addresses
  - Creating an address
  - Creating an address group
- Scheme & Rules
  - Creating an authentication scheme
  - Creating an authentication rule
System
- Firmware
- Settings
- SNMP
- High availability
- Certificates
- ZTNA
- Backup
  - Sending backup file to a server Example
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- DNS settings
- Packet capture
  - Creating a packet capture filter
- Static routes
  - Creating an IPv4 static route
Security profile
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
Security fabric
- Fabric Connectors
  - FortiAnalyzer logging
Log & report
- Events
- Secret
- ZTNA
- SSH
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Change Log

Home FortiPAM 1.0.0 Administration Guide

1.0.0

FortiPAM with TPM

FortiPAM with TPM

FortiPAM supports TPM (Trusted Platform Module) to improve protection for secret credentials.

TPM should be enabled when you initially install FortiPAM.

If you enable TPM after secrets have been configured on FortiPAM, secret credentials may be corrupted.

To check if the FortiPAM hardware device has TPM capability:

Before enabling TPM on FortiPAM, enter the following CLI command:
diagnose tpm selftest
If the output is Successfully tested. Works as expected, then TPM is installed on your FortiPAM hardware device.

To enable TPM on FortiPAM hardware device:

In the CLI console, enter the following commands:
config system global
set private-data-encryption enable
end

FortiPAM-VM with vTPM enabled

If FortiPAM is a VM instance, the vTPM (virtual TPM) package must be installed, and vTPM enabled then.

See Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM.

On FortiPAM-VM, TPM can only be enabled after enabling vTPM.

To enable vTPM on FortiPAM-VM:

In the CLI console, enter the following commands:
config system global
set v-tpm enable
end

To enable TPM on FortiPAM-VM:

FortiPAM-VM must be in maintenance mode to change TPM settings.

In the CLI console, enter the following commands:
config sys maintenance
set mode enable
end
config system global
set private-data-encryption enable
end
Be carefull!!!This operation will refresh all ciphered data!
Backup the current configuration file at first!
Do you want to continue? (y/n)y
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
Your private data encryption key is accepted.
The key must be the same for data restoration between source FortiPAM and destination FortiPAM.

To disable TPM:

In the CLI console, enter the following commands:
config sys maintenance
set mode enable
end
config system global
set private-data-encryption disable
end
Be carefull!!!This operation will refresh all ciphered data!
+Backup the current configuration file at first!
+Do you want to continue? (y/n)y
For FortiPAM-VM, vTPM should be disabled after disabling TPM.

To disable vTPM for FortiPAM-VM:

In the CLI console, enter the following commands:
config system global
set v-tpm disable
end
This operation will stop using vTPM module
Do you want to continue? (y/n)y

Previous

Next

FortiPAM with TPM

FortiPAM supports TPM (Trusted Platform Module) to improve protection for secret credentials.

TPM should be enabled when you initially install FortiPAM.

If you enable TPM after secrets have been configured on FortiPAM, secret credentials may be corrupted.

To check if the FortiPAM hardware device has TPM capability:

Before enabling TPM on FortiPAM, enter the following CLI command:
diagnose tpm selftest
If the output is Successfully tested. Works as expected, then TPM is installed on your FortiPAM hardware device.

To enable TPM on FortiPAM hardware device:

In the CLI console, enter the following commands:
config system global
set private-data-encryption enable
end

FortiPAM-VM with vTPM enabled

If FortiPAM is a VM instance, the vTPM (virtual TPM) package must be installed, and vTPM enabled then.

See Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM.

On FortiPAM-VM, TPM can only be enabled after enabling vTPM.

To enable vTPM on FortiPAM-VM:

In the CLI console, enter the following commands:
config system global
set v-tpm enable
end

To enable TPM on FortiPAM-VM:

FortiPAM-VM must be in maintenance mode to change TPM settings.

In the CLI console, enter the following commands:
config sys maintenance
set mode enable
end
config system global
set private-data-encryption enable
end
Be carefull!!!This operation will refresh all ciphered data!
Backup the current configuration file at first!
Do you want to continue? (y/n)y
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
Your private data encryption key is accepted.
The key must be the same for data restoration between source FortiPAM and destination FortiPAM.

To disable TPM:

In the CLI console, enter the following commands:
config sys maintenance
set mode enable
end
config system global
set private-data-encryption disable
end
Be carefull!!!This operation will refresh all ciphered data!
+Backup the current configuration file at first!
+Do you want to continue? (y/n)y
For FortiPAM-VM, vTPM should be disabled after disabling TPM.

To disable vTPM for FortiPAM-VM:

In the CLI console, enter the following commands:
config system global
set v-tpm disable
end
This operation will stop using vTPM module
Do you want to continue? (y/n)y

Previous

Next