Administration Guide

What's new in FortiPAM
- FortiPAM 1.3.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secret list
- Target list
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Change Log

Home FortiPAM 1.3.0 Administration Guide

1.3.0

Access control options

When creating or editing a role, select Definitions to see access control definitions.

Access Control

Definition

Secrets

Secret List

It controls access to the Secret list page.

It also controls whether pages: Secret Templates, Policies and Launchers can be viewed.

Secret Folder

Controls the access to Folders.

Note: You can restrict the corresponding folder and secret permissions under a specific folder and secret.

Root Folder

Permission to create folders in Root.

SSH Filter Profile

Access to the SSH Filter Profiles page.

Job List

Access to the Job List page.

Approval Request

Access to the My Request and Request Review page in Approval Request.

Approval Profile

Access to the Approval Profile page in Approval Flow.

Password Changer

Access to Password Changers page in Password Changing.

Password Character Set

Access to Character Sets page in Password Changing.

Password Policy

Access to Password Policies page in Password Changing.

Event Filter Profile

Enable/disable creating event filter profiles.

Create Personal Folder

Enable/disable creating a personal folder right after the user is created.

Edit Secret Target

Enable/disable editing secret targets.

Edit Classification Tag

Enable/disable editing the Classification Tag page.

Edit Secret Templates

Enable/disable editing the Secret Templates page.

Edit Secret Policies

Enable/disable editing the Policies page.

Edit Secret Launchers & Integrity Check

Enable/disable editing the Secret Launchers and the Integrity Check pages.

View Encrypted information

Enable/disable viewing the secret password, passphrase, and ssh-key. This requires Read/Write permission for the Secret List.

View Secret Log

Enable/disable viewing secret logs (Edit History, Activity, and SSH Filter Log tabs) when editing a secret (Secret Details window).

View Secret Video

Enable/disable viewing secret video when editing a secret (Secret Details window).

Note: This only takes effect when View Secret Log is already enabled.

Permit File Transfer

Enable/disable launching file launchers. These are designated to send files.

Force Proxy

Enable/disable forcing user with this account profile to always launch with proxy.

User Management

Administrator Users

Access to the User List page in User Management and the Backup page in System.

User Groups

Access to the User Groups page in User Management.

Role

Access to the Role page in User Management.

Ldap Servers

Access to the Ldap Servers page in User Management.

Saml Single Sign-On

Access to the Saml Single Sign-On page in User Management.

Radius Servers

Access to the Radius Servers page in User Management.

Schedule

Access to the Schedule page in User Management.

Allow CLI Access

Enable/disable CLI access.

Allow CLI Diagnostic Commands

Enable/disable access to diagnostic CLI commands.

Allow Firmware Upgrade & Backups

Enable/disable permission to use firmware and configuration backup features.

Monitoring

Access to pages in Monitoring.

Note: This requires the same permission as User Groups, Ldap Servers, Saml Single Sign-On, and Radius Servers.

Authentication

Addresses

Access to the Addresses page.

ZTNA

Access to the ZTNA page in System.

ZTNA requires the same permission as Schedule and Addresses.

Examples Example:

If all the required permissions are Read/Write, ZTNA can be either None or Read/Write.
If Schedule is set to Read and the rest is Read/Write, ZTNA is None.

Network

Configuration

Access to the Interfaces page in Network.

Packet Capture

Access to the Packet Capture page in Network.

Static Routes

Access to the Static Routes page in Network.

Fabric

Access to the FortiAnalyzer Logging card on the Fabric Connectors page in Security Fabric.

Endpoint Control

Access to the FortiClient EMS card on the Fabric Connectors page in Security Fabric.

Antivirus

Access to the AntiVirus page.

Notes:

This also controls the Antivirus settings in the FortiGuard Distribution Network page.
Use Extreme AVDB and AntiVirus PUP/PUA settings in the FortiGuard Distribution Network page are disabled or shown as unavailable if the role has Read-Only or no access permission.

Data Leak Prevention

Access to the Data Leak Prevention and the DLP File Pattern pages.

Manage System Certificates

Enable/disable accessing the Certificates page in System.

System

Configuration

Access to:

DNS Settings in Network.
SNMP, Settings, and HA pages in System.
VM License uploading; System Reboot, and Shutdown settings.
Configuration Revisions and Scripts.

FortiGuard Updates

Access to the FortiGuard page from Dashboard.

Email Alert/Log Settings

Access to Email Alert Settings and Log Settings in Log & Report.

Admin Settings

Access FortiPAM GUI

Enable/disable accessing FortiPAM GUI.

Enter Glass Breaking Mode

Enable/disable glass breaking mode.

Set Maintenance Mode

Enable/disable maintenance mode.

View Logs

Enable/disable viewing Events, Secrets, ZTNA, and SSH logs in Log & Report.

View Reports

Enable/disable viewing Reports in Log & Report.

View Secret Launching Video

Enable/disable viewing playback videos in Secret Video.