Document
Library

Administration Guide

What's new in FortiPAM
- FortiPAM 1.3.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secret list
- Target list
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Change Log

Home FortiPAM 1.3.0 Administration Guide

1.3.0

Dependency updater

Dependency updater

Service accounts

A service account is a non-human privileged account that an operating system uses to run applications, automated services, virtual machine instances, and other background processes.

A service account provides a way to assign an identity and permissions to a computer program or process that performs a specialized task.

Service accounts have privileges that allow extensive access to system resources either locally or across the domain.

While service accounts can be created manually, they are often preinstalled and preconfigured as part of an operating system or another software program.

Service accounts pose a greater risk compared to other privileged accounts as they can potentially enable bad actors to hide in plain sight by operating under the cloak of a valid program. Many such programs run continuously, giving attackers persistent access.

Cybercriminals who hack a service account can elevate privileges to gain ever more access. Adopting a phantom identity allows them to roam freely through corporate IT networks and cloud environments without arousing suspicions.

Updating service accounts

If a service running on a machine relies on a credential managed by FortiPAM, the dependency updater feature offers the ability to update the service credential immediately after FortiPAM changes the credential. FortiPAM ensures that the service does not fail during authentication.

Dependency Updater in Secret Settings displays a list of dependency updaters.

A dependency updater defines the service identifier and its type.

For every dependency updater, the following columns are displayed by default:

Name
Service Name
Update After Restart
References

The Dependency Updater tab contains the following options:

Create	Select to create a new dependency updater. See Creating a dependency updater.
Search	Enter a search term in the search field, then hit `Enter` to search the dependency updater list. To narrow down your search, see Column filter.
Edit	Select to edit the selected dependency updater.
Delete	Select to delete the selected the selected dependency updaters.
Clear Selection	Select to clear the currently selected dependency updater entries from selection.

For updating the Windows server, WinRM service must be configured on the target machine, and there must be a privileged account for the target machine in FortiPAM.

See Updating a service account credential Example.

Previous

Next

Dependency updater

Service accounts

A service account is a non-human privileged account that an operating system uses to run applications, automated services, virtual machine instances, and other background processes.

A service account provides a way to assign an identity and permissions to a computer program or process that performs a specialized task.

Service accounts have privileges that allow extensive access to system resources either locally or across the domain.

While service accounts can be created manually, they are often preinstalled and preconfigured as part of an operating system or another software program.

Service accounts pose a greater risk compared to other privileged accounts as they can potentially enable bad actors to hide in plain sight by operating under the cloak of a valid program. Many such programs run continuously, giving attackers persistent access.

Cybercriminals who hack a service account can elevate privileges to gain ever more access. Adopting a phantom identity allows them to roam freely through corporate IT networks and cloud environments without arousing suspicions.

Updating service accounts

If a service running on a machine relies on a credential managed by FortiPAM, the dependency updater feature offers the ability to update the service credential immediately after FortiPAM changes the credential. FortiPAM ensures that the service does not fail during authentication.

Dependency Updater in Secret Settings displays a list of dependency updaters.

A dependency updater defines the service identifier and its type.

For every dependency updater, the following columns are displayed by default:

Name
Service Name
Update After Restart
References

The Dependency Updater tab contains the following options:

Create	Select to create a new dependency updater. See Creating a dependency updater.
Search	Enter a search term in the search field, then hit `Enter` to search the dependency updater list. To narrow down your search, see Column filter.
Edit	Select to edit the selected dependency updater.
Delete	Select to delete the selected the selected dependency updaters.
Clear Selection	Select to clear the currently selected dependency updater entries from selection.

For updating the Windows server, WinRM service must be configured on the target machine, and there must be a privileged account for the target machine in FortiPAM.

See Updating a service account credential Example.

Previous

Next