Administration Guide

What's new in FortiPAM
- FortiPAM 1.3.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secret list
- Target list
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Change Log

Home FortiPAM 1.3.0 Administration Guide

1.3.0

License expiry and renewal

FortiPAM must have a valid license to provide all the services. Therefore, you must keep track of the license status.

By default, FortiPAM sends license expiration notification 30 days before a license expires.

The license expiry notification timing can be adjusted by using the following CLI command:

config alertemail setting

set FDS-license-expiring-days 30 #adjust the number of days

end

To renew a license, contact the FortiPAM sales team. After purchasing FortiPAM services, you receive the service registration document that includes the service name in the title and a contract registration code.

Follow the procedure as detailed in Renewing FortiPAM-VM license to renew FortiPAM-VM license.

License status

FortiPAM license status can be found in the Licenses widget available in Dashboard > Status. See Licenses widget.

Email alert for license expiration

License expiration email notification is one of the critical system notifications.

When a FortiPAM license is about to expire, i.e., the license is expiring within the next 30 days; a warning dialog appears when you log in to FortiPAM.

Also, a red banner appears on the top once you are logged in, alerting you about license expiry.

To set up email alerts for license expiry:

Ensure that Email Service is set up in System > Settings. See Settings.
Go to Log & Report > Email Alert Settings, and select Enable email notification.
In the Critical System Notification tab:
1. In From, enter the email address of the sender.
2. In To, enter the email address of the receiver.
Click Apply.
Alternatively, you can add an email address where the notification is sent when creating or editing a user in User Management > User List (Configure User Details tab).
For expiring Advanced Malware Protection and FortiCare support, license expiration email notifications and warnings are sent to the administrator.

CLI configuration for setting up email alerts for license expiry example:

config system automation-action

edit "License Expired Notification Email"

set action-type email

set email-subject "FortiPAM %%log.devname%% %%log.logdesc%%"

set email-to "admin1@fortinet.com" "admin2@fortinet.com" # receiver email address

set message "Your license is expiring soon. Please renew at your earliest convenience. If your FortiPAM Subscription license is expired, only super admin will be allowed to access FortiPAM until a new license is applied.

Detail:

%%log%%"

set description "Default automation action configuration for sending an email when a license is near expiration."

end

Subscription license

FortiPAM-VM is licensed by annual subscription. The FortiPAM-VM subscription license controls the licensed user seats. Once the license expires:

Only a user with Super Administrator role can log in to the FortiPAM GUI.
FortiPAM goes into maintenance mode.
In the maintenance mode:
1. All secrets/folders are read-only.
2. Critical processes are suspended including manual and scheduled password changing.
You cannot launch secrets.
A Super Administrator can enable the glass breaking mode to see all the secrets.
Although not recommended, a Super Administrator can promote normal users to the Super Administrator role, allowing users to continue logging in to FortiPAM.
Users with permission, such as the Default Administrator role, can still access FortiPAM through ssh and the CLI console.

Advanced Malware Protection (formerly AntiVirus and DLP license)

The FortiPAM-VM subscription license includes Advanced Malware Protection and FortiCare support. For FortiPAM hardware models, Advanced Malware Protection and FortiCare support licenses are purchased separately as annual contracts.

The Advanced Malware Protection (AVDB & DLP) licenses are related to the file scanning feature in file launchers. Once the Advanced Malware Protection license expires:

The antivirus scanning continues to work, however the antivirus database is not updated and no new signatures are added.
DLP feature stops working. The DLP feature requires a valid license.