Creating a client software entry for integrity check
To create a client software entry for integrity check:
- Go to Secret Settings > Integrity Check and select Create.
The New Client Software window opens.
- Enter the following information:
Name: The name of the client software entry.
Package: Configure client software packages. See Creating client software packages.
While creating a client software entry for integrity check, you can either store the software package locally (on the FortiPAM disk) or provide an external URL from which the package is downloaded.
- Click Submit.
Creating client software packages
To create a client software package:
- In step 1 of Creating a client software entry for integrity check, select Create in the Package pane.
The New Client Package window opens.
- Enter the following information:
Name: The name of the client software package.
Integrity Check Option: Select one of the following integrity check options:
Executable hash: Compares the hash of the executable with the provided value (default).
Certificate: Checks the certificate of the file.
Hash Algorithm: Select one of the following hash algorithms:
MD5 (default)
SHA-1
SHA-256
Note: This option is only available when the Integrity Check Option is Executable hash.
Hash: The hexadecimal hash value of the package/folder.
Note: This option is only available when the Integrity Check Option is Executable hash.
CA Certificate: From the dropdown, select a CA certificate. Use the search bar to look up a CA certificate.
Note: This option is only available when the Integrity Check Option is Certificate.
Package Download Option: Select one of the following two options:
Internal download URL
External download URL (default)
External Download URL: The external download URL for the client software package. Only installers are supported.
Note: This option is only available when the Package Download Option is External download URL.
Package: Select + Upload File, locate the client software package on your management computer, and click Open.
Note: This option is only available when the Package Download Option is Internal download URL.
- Click OK.
From the list, select a client software package and then select Edit to edit the packages.
From the list, select client software packages and then select Delete to delete the packages.
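The Executable hash option compares the hash of the installer with the value entered in the Hash field. The following Python script is an added example (not FortiPAM code) that produces that value for a package file and emulates the comparison the launcher performs; the package entry uses the CLI key names from the example below (integrity-check, hash-algo, hash), the installer bytes are constructed, and the certificate option is reported as unsupported rather than emulated.

```python
import hashlib
import hmac

# Hash algorithms selectable when the Integrity Check Option is "Executable hash".
# MD5 is the GUI default, but MD5 and SHA-1 are collision-prone; prefer SHA-256.
HASH_ALGOS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}


def package_hash(data: bytes, algo: str) -> str:
    """Return the hexadecimal hash of an installer, as entered in the Hash field."""
    return hashlib.new(HASH_ALGOS[algo], data).hexdigest()


def check_package(pkg: dict, data: bytes) -> tuple:
    """Emulate the 'Executable hash' integrity check for one client package entry.

    pkg mirrors the CLI keys (integrity-check, hash-algo, hash); returns
    (passed, reason). A failed check means the launcher must not run the file.
    """
    option = pkg.get("integrity-check", "hash")
    if option == "cert":
        return False, "certificate check is not emulated in this example"
    if option != "hash":
        return False, "unknown integrity-check option %r" % option
    algo = pkg.get("hash-algo", "MD5")
    expected = pkg.get("hash", "").strip().lower()
    if algo not in HASH_ALGOS:
        return False, "unsupported hash algorithm %r" % algo
    if not expected:
        return False, "no hash configured for package"
    actual = package_hash(data, algo)
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch: expected %s, got %s" % (algo, expected, actual)
    return True, "%s matches" % algo


# Constructed sample installer bytes (a stand-in for putty.exe, not the real file).
SAMPLE_INSTALLER = b"MZ" + b"constructed-sample-installer" * 8

# Package entry in the style of the CLI "x86" example, with SHA-256 instead of MD5.
X86_PACKAGE = {
    "integrity-check": "hash",
    "hash-algo": "SHA-256",
    "hash": package_hash(SAMPLE_INSTALLER, "SHA-256"),
    "package-name": "putty.exe",
}

if __name__ == "__main__":
    print(check_package(X86_PACKAGE, SAMPLE_INSTALLER))
    print(check_package(X86_PACKAGE, SAMPLE_INSTALLER + b"\x00"))
```

Run it against the real installer (read the file in binary mode) to obtain the value for the Hash field; any later change to the file, even one appended byte, fails the check.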
Example: Creating a client software entry for integrity check via the CLI
- In the CLI console, enter the following commands to configure the client software table. In the example, the PuTTY launcher has two client software packages:
x64: checks the file certificate and downloads the package from an external link.
x86: checks against the MD5 checksum and stores the package locally.
config secret client-software
    edit "putty"
        config pkg
            edit "x64"
                set integrity-check cert
                set download-option external
                set external-url "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe"
                set ca "Fortinet_SSL"
                set client-name "putty"
            next
            edit "x86"
                set hash-algo MD5
                set hash "aeb47b393079d8c92169f1ef88dd5696"
                set package-name "putty.exe"
                set client-name "putty"
            next
        end
    next
end
- Enter the following commands to go to the secret launcher table and bind the client software entry to the launcher.
config secret launcher
    edit "PuTTY"
        set type ssh
        set client-software "putty"
    next
end
- Enter the following commands to enable the integrity check option in the launcher settings of the template.
config secret template
    edit "Unix Account (SSH Password)"
        config launcher
            edit 2
                set launcher-name "PuTTY"
                set port 22
                set integrity-check enable
            next
        end
    next
end
With the configuration set as above, any secret that uses the Unix Account (SSH Password) template with PuTTY as the launcher runs an integrity check each time it is launched.