FortiPAM 1.7.0
The following list contains new and expanded features added in FortiPAM 1.7.0.
Secret/Launch
1160995- Secret configuration page improvements
When creating a secret:
- The Secret Setting and Service Setting tabs have been merged into a single Settings tab.
- The Permission tab has been renamed to Sharing.
- The Credential History, Edit History, Secret Log (previously Activity), and SSH Log (previously SSH Filter Log) tabs are now grouped under a new consolidated Audit tab.
See Creating a secret.
1145871- Support MobaXterm-sftp
Starting FortiPAM 1.7.0, a new default launcher, MobaXterm-sftp, is available.
The MobaXterm-sftp launcher enables an SFTP tab on the left of the SSH session console.
The SFTP tab allows you to upload/download files and perform directory operations directly within the session.
Prerequisites
Install the sshpass package under MobaXterm packages.
Notes
- The MobaXterm-sftp launcher is not supported if the target Linux SSH server only allows keyboard-interactive authentication.
- The MobaXterm-sftp launcher is not supported by secrets with TOTP settings enabled.
- If using the feature with an SSH profile, ensure that the SFTP channel option in Other Channels/Block Channel is unchecked; a blocked SFTP channel prevents the SFTP tab from working.
See Launchers.
1160286- AV/DLP support for secret file upload
In FortiPAM 1.7.0, AV/DLP support has been added for secret file upload to safeguard files stored on FortiPAM.
When creating a File type secret, new Antivirus Scan and DLP Status options are now available.
See Creating a secret.
1173019- Support configurable SSH terminal types
In FortiPAM 1.7.0, a new configurable SSH terminal type has been introduced:
config secret template
set ssh-term {vanilla | xterm | vt100}
end
- vanilla: Minimal, legacy SSH terminal type that provides basic capabilities (default).
- xterm: Supports advanced features such as color and cursor control.
- vt100: Supports simple text and cursor control for compatibility with older systems.
See Templates.
1173019- Default maximum delay for password changer increased
Starting FortiPAM 1.7.0, the default maximum delay for the password changer has been increased to 60000 ms (from 20000 ms).
See Creating a password changer.
1096117- Expose the configuration of strength of SSH encryption algorithms
Starting FortiPAM 1.7.0, when creating a secret with SSH service enabled, you can select the strength of the SSH encryption algorithms that FortiPAM offers during negotiation using the new SSH Algorithm Negotiation dropdown. A stricter setting excludes weaker algorithms from the offer, so a session to a target that supports only those algorithms fails to negotiate; check which algorithms a legacy target supports before tightening the setting.
See Creating a secret.
Additionally, a new SSH Algorithm Negotiation dropdown is available when creating/editing a secret policy.
See Creating a policy.
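The rule that makes such a strength setting effective is the SSH algorithm negotiation of RFC 4253 section 7.1: for each algorithm class (key exchange, cipher, MAC), the chosen algorithm is the first entry in the client's preference list that the server also advertises, and if there is none the connection fails. The following added example (not FortiPAM's code; the "strong" and "compat" policy lists and the two servers are constructed for illustration, and FortiPAM's real algorithm lists are not given on this page) shows why a stricter client policy fails against a legacy target while a compatibility policy silently lands on a weak algorithm, and why client order beats server order.

```python
from typing import Dict, List, Optional

# Constructed policy lists (assumptions for illustration only; FortiPAM's
# actual algorithm lists are not documented on this page).
STRONG_POLICY = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}
COMPAT_POLICY = {
    "kex": STRONG_POLICY["kex"] + ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": STRONG_POLICY["cipher"] + ["aes128-cbc", "3des-cbc"],
    "mac": STRONG_POLICY["mac"] + ["hmac-sha1", "hmac-md5"],
}

# Constructed servers: what each side would advertise in its SSH_MSG_KEXINIT.
LEGACY_SERVER = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "cipher": ["3des-cbc", "aes128-cbc"],
    "mac": ["hmac-md5", "hmac-sha1"],
}
MODERN_SERVER = {
    "kex": ["ecdh-sha2-nistp256", "curve25519-sha256", "diffie-hellman-group14-sha1"],
    "cipher": ["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com", "aes128-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha2-256-etm@openssh.com", "hmac-sha1"],
}


def choose(client_prefs: List[str], server_supports: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: pick the first algorithm in the client's list that the
    server also supports. Client order wins, so the client policy decides how weak
    a negotiated algorithm can be; None means no common algorithm."""
    server_set = set(server_supports)
    for alg in client_prefs:
        if alg in server_set:
            return alg
    return None


def negotiate(client_policy: Dict[str, List[str]],
              server: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Negotiate every algorithm class; any None value means the session fails."""
    return {cls: choose(client_policy[cls], server.get(cls, [])) for cls in client_policy}


def session_succeeds(result: Dict[str, Optional[str]]) -> bool:
    return all(alg is not None for alg in result.values())


if __name__ == "__main__":
    for pname, policy in (("strong", STRONG_POLICY), ("compat", COMPAT_POLICY)):
        for sname, server in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
            res = negotiate(policy, server)
            print(f"{pname:6} -> {sname:6}: {'OK  ' if session_succeeds(res) else 'FAIL'} {res}")
```

Against the legacy server the strong policy fails in every class, while the compat policy connects using aes128-cbc and hmac-sha1 without any warning; against the modern server both policies negotiate chacha20-poly1305 even though the server listed aes256-gcm first, because the client's order is authoritative.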
1138302- Target Auto Match/Create
Starting FortiPAM 1.6.0, FortiPAM allowed creating a secret without a target.
Starting FortiPAM 1.7.0, FortiPAM simplifies secret creation by automatically matching the secret to a pre-existing target with the same address, domain, or URL. If no such target exists, a new target for the secret is created automatically.
When creating/editing a secret, a new Auto Match/Create option is available in the Target dropdown.
After saving, confirm in the Target field that the secret was matched to the intended target, particularly when several targets share an address.
Note: The feature is only available when creating a secret using the GUI.
See Creating a secret.
1134577- Native RDP connection diagnostics
Starting FortiPAM 1.7.0, for a failed RDP connection, FortiPAM displays connection failure logs for:
- Errors that occur during the negotiation phase, for example, when the server requires NLA but FortiPAM is configured not to use it, or when FortiPAM requires NLA while the server does not support it.
- Errors produced during the TLS handshake phase.
- Errors during NLA authentication.
- Errors during protocol parsing.
1144521, 1119158- Two new default password changers
In FortiPAM 1.7.0, the following two new default password changers have been added:
- PAN-OS (Palo Alto Networks)
- SSH Password For Root (Unix)
See Password changers.
1163064- Same IP address target with different gateway
Starting FortiPAM 1.7.0, you can create targets that have the same IP address but different gateways.
See Targets.
1149963- Discovery auto-onboarding
In FortiPAM 1.7.0, for the Windows AD discovery type, FortiPAM supports account auto-onboarding: once accounts have been discovered on the target Windows AD server, they are imported as secrets on FortiPAM automatically according to preconfigured rules.
The following new options are available when creating a Windows AD discovery entry:
- Account Filter: Legacy LDAP Search Base and LDAP Group Filter.
- Account Auto Onboarding:
  - Folder Destination: The folder that account secrets are created in automatically.
  - Password Management: The following two modes are supported:
    - Manual: The administrator enters the password for the newly created secrets. In Manual mode, the administrator can also choose whether to reset and synchronize the entered password to the remote Windows AD server (Synchronize).
    - Random: New secrets have their passwords randomly set by FortiPAM and synchronized to the remote server.
  - Synchronize Password
  - Password
See Discovery.
1141928- Support OT application launchers
In FortiPAM 1.7.0, the following three new default TIA Portal based OT launchers are introduced:
- TIA Portal: For unprotected projects.
- TIA Portal V16 Logon: For password protected projects in TIA Portal V16.
- TIA Portal V19 Logon: For password protected projects in TIA Portal V19.
See Launchers.
A new TIA Project default secret template is also available.
See Templates.
1134040- Renamed Web Launcher to Web Browsing
Starting FortiPAM 1.7.0, the Web Launcher secret launcher has been renamed to Web Browsing.
See Launchers.
1184583- FortiClient script command
Starting FortiPAM 1.7.0, the following new options are available when creating a secret launcher for Windows:
- Start FortiClient Session in Multiprocess Mode
- Full-screen Recording
- FortiClient Commands
Note: Start FortiClient Session in Multiprocess Mode and Full-screen Recording are only available with FortiClient 7.4.4 and above.
See Creating a launcher.
See FortiClient script command.
1113718- New Radmin launcher
Starting FortiPAM 1.7.0, a new Radmin secret launcher is available with Type set to Other client.
Note: The launcher requires FortiClient support.
The Radmin launcher passes credentials to FortiClient independently and supports FortiClient commands, so a script executed by FortiClient can automate actions on the launched application, including filling in the username and password.
With the Radmin secret launcher, the username and password are entered automatically whenever a new credential prompt window appears during the secret session launch.
See Launchers.
User/Group
1156215- Restrict user to only login through console
Starting FortiPAM 1.7.0, a new login-restriction-console CLI configuration command allows you to restrict a user's logins to FortiPAM to the console only; GUI, SSH, and all other login methods are blocked for that user.
config system admin
edit "test_admin"
set accprofile "Default Administrator"
set login-restriction-console {enable | disable}
next
end
Note:
- The configuration is only available in the CLI console.
- The configuration only applies to a local user whose user role has Allow CLI Access enabled.
- The configuration does not work in combination with any MFA settings.
- The configuration is available to remedy scenarios where the Default Administrator is locked out:
  - MFA was configured, but login fails due to network, firewall, or configuration issues.
  - Forgotten password.
- Because such an account can only be used from the console, console access (physical or hypervisor) becomes the boundary that protects it; restrict that access accordingly.
- Always follow best practices to avoid potential lockout issues.
See Restrict user to only login through console.
1173026- Support for JWT authentication
FortiPAM supports creating a JWT user.
Starting FortiPAM 1.7.0, a new JWT User type is available in the Configure Type tab when creating a new user.
The following new options are available in the Configure User Details tab when creating a JWT user:
- JWT Key
- JWT Claims
- Lease Duration
See Users in FortiPAM and Creating a user.
A new JWT Key Management tab is available in User Management.
See JWT key management.
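A JWT user is accepted only if the presented token verifies against the configured key, carries the expected claims, and has not outlived its lease. The following added example (not FortiPAM's code; the key, claim names, claim values, and the reading of Lease Duration as the token lifetime are assumptions made for illustration) implements that verifier with the standard library, including the checks that are commonly skipped: pinning the algorithm instead of trusting the token's alg header, constant-time signature comparison, and an exp check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed values (assumptions for illustration only).
SECRET_KEY = b"example-shared-secret-replace-me"            # models the configured "JWT Key"
LEASE_SECONDS = 600                                         # models "Lease Duration" as token lifetime
REQUIRED_CLAIMS = {"iss": "example-idp", "role": "pam-user"}  # models the configured "JWT Claims"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_token(subject: str, key: bytes = SECRET_KEY, now: Optional[int] = None,
               lease: int = LEASE_SECONDS, extra_claims: Optional[Dict] = None) -> str:
    """Issue an HS256 JWT whose exp is derived from the lease (what the issuing IdP would do)."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "iat": now, "exp": now + lease, **REQUIRED_CLAIMS, **(extra_claims or {})}
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET_KEY, now: Optional[int] = None,
                 required_claims: Dict = REQUIRED_CLAIMS) -> Dict:
    """Return the verified claims, or raise ValueError naming the first check that failed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to the configured key type: honouring 'alg' from the token
    # is what enables the 'none' and RS256-to-HS256 confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    for name, value in required_claims.items():
        if claims.get(name) != value:
            raise ValueError(f"claim {name!r} mismatch")
    return claims


def check(token: str, now: int, key: bytes = SECRET_KEY) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        verify_token(token, key=key, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint_token("alice", now=t0)
    print(tok)
    print("fresh:      ", check(tok, t0 + 1))
    print("after lease:", check(tok, t0 + LEASE_SECONDS))
    print("wrong key:  ", check(tok, t0 + 1, key=b"other"))
```

The order of checks matters: signature before claims, so that no claim value from an unverified token influences the outcome, and the algorithm is fixed by configuration rather than read from the token.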
1182636- Increased maximum number of users configured on FortiPAM 1000G
Starting FortiPAM 1.7.0, the FortiPAM 1000G hardware device now supports configuring a maximum of 3000 users.
See Configuration capacity for FortiPAM hardware appliances and VM in the latest FortiPAM Release Notes.
System/Log
1149017- Export the FortiPAM video to playable webm format
When Remote Video Storage is enabled (see Remote video storage), the original secret session video files are backed up to a remote server using SFTP.
If Live Recording is enabled in the Advanced tab (Video Setting pane), the secret session video files are stored in .chk format.
Note: The .chk file cannot be replayed.
Starting FortiPAM 1.7.0, FortiPAM allows exporting the secret session video in a playable webm format: FortiPAM creates the secret session video as a webm file based on the .chk files, and the webm file is then backed up and can be replayed.
Limitation
init.hdr does not update after the launch session ends in Agentless mode or when using the extension only.
See Settings.
1082302- Associate SSH log with video
Starting FortiPAM 1.7.0, FortiPAM supports SSH log association with the secret session video playback.
When reviewing an SSH session:
- Users can click the command play button in the Jump column of the SSH Event log (left pane).
- The video playback (right pane) automatically jumps to the timestamp at which that command was executed.
Secret configuration requirements:
- Create an SSH filter (in either Deny or Allow mode).
Note: Ensure that the pattern you enter has Log enabled.
- When creating the secret that supports an SSH launcher, select Enable SSH service in the Settings tab, and select an SSH Filter profile.
Also, ensure that Session Recording is enabled in the Session Security tab.
See Creating a secret.
Note:
- Only commands with logging enabled in the SSH filter are linked to the video.
- There may be a 1 – 2 second time difference between the log and the video timestamp.
Limitations
- In agentless mode (for web-based launchers, e.g., Web SSH), you cannot associate the SSH log with the video.
See Secret event & video.
1166023- Secret audit report enhancements
Starting FortiPAM 1.7.0, when generating a secret audit report in Log & Report > Reports, new Secret ID and Folder ID columns are available.
Also, the complete folder path is displayed in the Folder column.
See Secret audit.
1096109- Support single-button global TLS version control
Starting FortiPAM 1.7.0:
- A new global Minimum SSL Version setting is available when editing system settings (System > Settings) in the Security pane. See Settings.
- When editing an interface, a new Minimum SSL Version setting is available in the Service Access Setting pane. See Editing an interface.
- When creating or editing a secret target that uses an SQL template, a new Minimum SSL Version setting is available in the Advanced SQL Setting. See Creating a target.
- When creating or editing a secret target that uses a template with a Domain field, a new Minimum SSL Version setting is available in the Advanced RDP Setting. See Creating a target.
Peers that cannot negotiate at least the configured minimum version are refused, so check which TLS versions legacy SQL and RDP targets support before raising the minimum.
1167148- Add video access audit logs
Starting FortiPAM 1.7.0, FortiPAM logs access to secret session videos, including playing and stopping a video.
Each time a user plays, stops, or downloads a secret video, a log entry is generated.
The related logs are displayed in the following locations:
- Audit > Secret Log when you open the secret in Secrets > Secrets.
- Log & Report > Secret Event & Video.
Additionally, when using Over-the-shoulder monitoring (Live recording), the corresponding play/stop log is generated.
See Viewing secret edit history and Secret event & video.
Others
1123018- Browser extension download directly
Starting FortiPAM 1.7.0, the Integrity Check tab has been renamed to Client Software.
After FortiPAM installation, the FortiPAM Chrome and Edge extension, Fortinet Privileged Access Agent, can be found in Secret Settings > Client Software.
If a user launches a secret without the extension, the FortiPAM GUI automatically prompts them to install it.
If FortiPAM is in an air-gapped environment, you can remove or edit the default Chrome/Edge extension, and you can upload the Chrome/Edge extension to the FortiPAM local disk.
You can also use the feature to store FortiClient and the native application on the FortiPAM disk or at a remote URL; when FortiClient or the native application is needed, the user is prompted to install it automatically.
Also, when creating/editing a launcher, the Application Integrity Check option has been renamed to Client Software.
See Client software.
1171798- FortiPAM on Nutanix
FortiPAM supports the Nutanix virtual environment.