Document
Library

Administration Guide

What's new in FortiPAM
- FortiPAM 1.3.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secret list
- Target list
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Change Log

Home FortiPAM 1.3.0 Administration Guide

1.3.0

Creating a gateway on the FortiPAM CLI

Creating a gateway on the FortiPAM CLI

FortiPAM now allows configuring a gateway, e.g., a FortiPAM, a FortiGate, or a FortiProxy device, when a target is not reachable directly from FortiPAM to proxy the connection to the target.

To create a gateway:

In the CLI console, enter the following commands to configure the gateway:

 config secret gateway 
   edit "test1"
    set status enable #default value
    set type forward #default value
    set address <string>
    set port 443 #default value
    set sni <string>
    set url-map "tcp" #default value
    set ssl-max-version tls-1.3 #default value
    set client-cert <string>
    set ca <string>
    set description <string>
   next
  end

Variable	Description
status {enable \| disable}	Enable/disable the gateway (default = enable).
type forward	The forward connection mode.
address <string>	The gateway IP address or FQDN.
port <integer>	The gateway port number (1 - 65535, default = 443).
sni <string>	The gateway SNI for TLS. If the `address` is an IP address, the `sni` is the TLS's SNI extension value, which can be used in the gateway for virtual hosting on the same IP address.
url-map <string>	The TCP forwarding access proxy path. This is the gateway's URL map for TFAP(TCP Forwarding Application Proxy).
ssl-max-version {tls-1.1 \| tls-1.2 \| tls-1.3}	The highest TLS version acceptable from a server (default = tls-1.3). This is the TLS version between FortiPAM and the gateway.
client-cert <string>	The client certificate for mTLS. This is required if the gateway requests a client certificate.
ca <string>	The CA certificate verification for mTLS. This is used for the gateway certificate verification.
description <string>	A description for the gateway.

In the CLI console, enter the following commands to configure a target with gateway:

 config secret target
  edit "172.16.80.101"
   set class "Other"
   set templete "Unix Account (SSH Password)"
   set address <string>
   set gateway "test1" #using the gateway created in step 1
   set creation-time <datetime> #syntax yyyy-mm-dd hh:mm:ss, year= 2001-2037
   set web-proxy-status disable
  next
 end

See FortiPAM connects to a target through a FortiProxy acting as the gateway Example.

Previous

Next

Creating a gateway on the FortiPAM CLI

FortiPAM now allows configuring a gateway, e.g., a FortiPAM, a FortiGate, or a FortiProxy device, when a target is not reachable directly from FortiPAM to proxy the connection to the target.

To create a gateway:

In the CLI console, enter the following commands to configure the gateway:

 config secret gateway 
   edit "test1"
    set status enable #default value
    set type forward #default value
    set address <string>
    set port 443 #default value
    set sni <string>
    set url-map "tcp" #default value
    set ssl-max-version tls-1.3 #default value
    set client-cert <string>
    set ca <string>
    set description <string>
   next
  end

Variable	Description
status {enable \| disable}	Enable/disable the gateway (default = enable).
type forward	The forward connection mode.
address <string>	The gateway IP address or FQDN.
port <integer>	The gateway port number (1 - 65535, default = 443).
sni <string>	The gateway SNI for TLS. If the `address` is an IP address, the `sni` is the TLS's SNI extension value, which can be used in the gateway for virtual hosting on the same IP address.
url-map <string>	The TCP forwarding access proxy path. This is the gateway's URL map for TFAP(TCP Forwarding Application Proxy).
ssl-max-version {tls-1.1 \| tls-1.2 \| tls-1.3}	The highest TLS version acceptable from a server (default = tls-1.3). This is the TLS version between FortiPAM and the gateway.
client-cert <string>	The client certificate for mTLS. This is required if the gateway requests a client certificate.
ca <string>	The CA certificate verification for mTLS. This is used for the gateway certificate verification.
description <string>	A description for the gateway.

In the CLI console, enter the following commands to configure a target with gateway:

 config secret target
  edit "172.16.80.101"
   set class "Other"
   set templete "Unix Account (SSH Password)"
   set address <string>
   set gateway "test1" #using the gateway created in step 1
   set creation-time <datetime> #syntax yyyy-mm-dd hh:mm:ss, year= 2001-2037
   set web-proxy-status disable
  next
 end

See FortiPAM connects to a target through a FortiProxy acting as the gateway Example.

Previous

Next