DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Examples

Introduction
FortiToken and FortiToken Mobile
- 2FA with FortiToken Mobile
RADIUS authentication
- 2FA on FortiPAM for RADIUS users using FortiAuthenticator
SAML authentication
- 2FA on FortiPAM for SAML users using FortiAuthenticator
JWT
- JWT (JSON Web Token) integration with DevOps
ZTNA
- ZTNA endpoint control on FortiPAM
Secret configurations
- Accessing a Linux server using PuTTY
  - Creating a secret with Unix template
  - Launching a secret for the Linux server
- Accessing a Cisco router using PuTTY
  - Creating an associated secret
  - Creating a secret with Cisco User (SSH Secret) template
  - Launching a secret for the Cisco router
- Accessing a FortiGate using PuTTY, Web SSH, or the Web launcher
  - Creating a secret with Unix template
  - Launching a secret for the FortiGate
- Accessing a Windows server using the Remote Desktop- Windows launcher
  - Creating a secret with Windows Machine template
  - Launching a secret for the Windows server
- Visiting a web application/platform using web launchers
  - Installing Fortinet Privileged Access Agent web extension on Chrome/Edge
  - Creating a secret for general web application/platform
  - Creating a secret for AWS root/IAM account
  - Visiting web application/platform using web launcher
  - Reviewing video recording for the web launching session
  - Reviewing secret log for the web launching session
- Accessing a generic machine using Web VNC, VNC Viewer, or the TightVNC launcher
  - Creating a secret with Machine template
  - Launching a secret for the machine
- Accessing a target server using locally installed WinSCP client
  - Installing WinSCP on a local machine
  - Creating a secret with Unix Account (SSH Password) template
  - Launching a secret for the target server using the WinSCP launcher
- Accessing an SFTP server using the Web SFTP secret launcher
  - Creating a secret with Unix Account (SSH Password) template
  - Launching a secret for the SFTP server using the Web SFTP launcher
- Accessing an SMB server using Web SMB launcher
  - Creating a secret with Windows Domain Account (Samba) template
  - Verifying the password
  - Launching a secret for the SMB server using the Web SMB launcher
- Checking out and checking in a secret
  - Creating a secret with check out enabled
  - Checking out a secret
  - Checking in a secret
- Using a secret requiring approval
  - Creating an approval profile
  - Creating a secret with mandatory approval requirement
  - Sending a request to access a secret
  - Approving a secret request
  - Launching a secret that requires approval
- Running a script on a target server using jobs
  - Creating a job approval profile
  - Creating a secret with mandatory approval requirement for launching a job
  - Creating an ssh script type job
  - Sending a request to access the job
  - Approving a job request
  - Results
- Configuring a secret that supports TOTP
  - Configuring a secret template with TOTP
  - Creating a secret with TOTP enabled
- Accessing a MySQL server using MySQL CLI launcher
  - Creating a secret using the database server template
  - Launching a secret for the MySQL server
- Configuring integrity check for the PuTTY launcher
  - Creating an entry for the PuTTY launcher
  - Enabling integrity check in the launcher and secret template
  - Creating a secret with integrity check
  - Launching the secret
- Block uploading a JavaScript file via the Web SFTP launcher
  - Configuring the DLP file pattern
  - Configuring a DLP sensor profile
  - Creating a secret with a DLP sensor profile
  - Results
- Block transferring .exe files and log file downloads of size larger than 500KB
  - Configuring the DLP file pattern
  - Configuring a DLP sensor profile
  - Creating a secret with a DLP sensor profile
  - Results
- Updating a service account credential
  - Updating a service account credential
- Creating a secret with the Certificate Vault template
  - Creating a certificate secret
  - Setting up email alert for certificate expiry
- Configuring a secret using the Target Only secret template
  - Example 1: Creating a secret using the Target Only template
  - Example 1: Launching the secret
  - Example 2: Creating a secret using the Target Only template
  - Example 2: Launching the secret
- Smart association for Windows AD server as the target
  - Creating a secret with Windows Domain Account as the secret template
  - Creating a remote user
  - Results
- Access multiple Windows servers on the same domain
  - Creating targets
  - Creating a secret for the domain user
  - Creating a secret for the Windows PC- 10.59.112.201 and Windows PC- 10.59.112.208
  - Sharing secrets to a contractor
  - Result
- Azure AD password changer
  - Configuring the Azure portal
  - Configuring FortiPAM
  - Results
  - Troubleshooting
Audit
- Sponsored administrator audits secret activities
Web proxy
- Configuring the web proxy feature to prevent web credentials from leaking
RDP log retrieval
- RDP log retrieving on FortiPAM
Gateway
- FortiPAM connects to a target through a FortiProxy acting as the gateway
- Configuring FortiPAM/FortiGate as the reverse gateway
- Configuring FortiGate forwarding access request from FortiPAM to the private target
SSH filter profiles
- Configuring an SSH filter profile on FortiPAM to restrict SSH access to secret servers
  - Configuring SSH filter profiles in the CLI
  - Configuring SSH filter profiles using the GUI
Automation
- Using default automation stitch- Secret Credential View
  - Using the Secret Credential View automation stitch
  - Results
- Customizing an automation stitch
Windows application filter
- Creating a Windows application filter to prevent running executables
- Creating a non-Windows application filter to prevent running executables
  - Creating a target with server information as non-Windows
  - Creating a non-privilged secret
Web launcher
- Using web launcher to auto fill credentials on a website
Log and video disks
- Back up and restore your log and video files
Certificate management
- Configuring certificate using the ACME protocol to access a FortiPAM instance
  - Creating a certificate
  - Configuring the FortiPAM SSL certificate
- How to deploy FortiPAM CA to Windows host using EMS and FortiClient
Logging servers
- FortiAnalyzer Cloud as a logging server
FortiGate
- FortiPAM behind FortiGate
Change Log

Home FortiPAM 1.8.0 Examples

1.8.0

Configuring ZTNA on FortiGate for FortiPAM access

For information ZTNA and web proxy forwarding, see:

Prerequisites

FortiGate ZTNA external IP address, e.g., 10.59.112.158.
FQDN for FortiPAM, e.g., pam156b.fortipam.ca.
Public DNS server:
1. FQDN (pam156b.fortipam.ca) is resolved to the FortiGate ZTNA external IP address: 10.59.112.158.
2. FQDN (fos58.fortipam.ca) is resolved to the FortiGate GUI IP address: 10.59.112.58.
Private DNS server: FQDN (pam156b.fortipam.ca) is resolved to the FortiPAM GUI IP address: 10.1.100.156.
The PC connects to the public DNS server.
The FortiGate connects to the private DNS server.

Topology

Configuring ZTNA for FortiPAM access

To configure the FortiPAM FQDN:

In the FortiGate GUI, go to Policy & Objects > Addresses, and select Create new to configure address for the FortiPAM FQDN.
The New Address window opens.
In Name, enter a name for the address.
Ensure that Interface is any.
In Type, select FQDN.
In FQDN, enter the FortiPAM FQDN.
```
 pam156b.fortipam.ca
```
Click OK.

Alternatively, in the CLI console, enter the following commands:

 config firewall address
  edit "pam_156b_fqdn"
   set uuid b0997e8a-7888-51f0-54aa-9b97280518cd
   set type fqdn
   set "pam156b.fortipam.ca"
  next
 end

To configure the ZTNA server:

In the FortiGate GUI, go to Policy & Objects > ZTNA, and select Create new in the ZTNA Server tab.
The New ZTNA Server window opens.
In Name, enter a name for the ZTNA server.
In Interface, select port1.
In IP address, enter the IP address for the FortiGate, e.g., 10.59.112.158.
Ensure that the Port is 443.
In Default certificate, select Fortinet_SSL.
In Service/server mapping, select Create new.
The New Service/Server Mapping window opens.
1. Ensure that the Service is set to HTTPS.
2. In Virtual Host, select Specify.
3. In Host, enter the FortiPAM FQDN.
  See Configuring the FortiPAM FQDN.
4. In Use certificate, select Fortinet_SSL.
5. Ensure that Match path by is Substring.
6. In Address type, select FQDN.
7. In the Address dropdown, select the FortiPAM FQDN created in Configuring the FortiPAM FQDN.
8. Ensure that Port is 443.
9. Click OK.
Click OK.

Alternatively, in the CLI console, enter the following commands:

 config firewall vip
  edit "ZTNA_PAM156b"
   set uuid f1ecb802-7888-51f0-222d-713912cbeb51
   set type access-proxy
   set server-type https
   set extip 10.59.112.158
   set extintf "port1"
   set extport 443
   set ssl-certificate "Fortinet_SSL"
  next
 end
 config firewall access-proxy
  edit "ZTNA_PAM156b"
   set vip "ZTNA_PAM156b"
   set client-cert disable #Disable if FortiGate is not connected with the EMS
   set svr-pool-multiplex disable 
   config api-gateway
    edit 1
     set virtual-host "auto-ZTNA_PAM156b-0"
     config realservers
      edit 1
       set addr-type fqdn
       set address "pam_156b_fqdn"
      next
     end
    next
   end
  next
 end
 config firewall access-proxy-virtual-host
   edit "auto-ZTNA-PAM156-0"
    set ssl-certificate "Fortinet_SSL"
    set host "pam156b.FORTIPAM.CA"
   next
 end

To configure the firewall policy:

In the FortiGate console, enter the following commands:

 config firewall policy
  edit 6
   set name "ZTNA_PAM156b_Policy"
   set uuid 5c0cf6de-7889-51f0-24ae-e45e7e6a4f12
   set srcintf "port1"
   set dstintf "any"
   set action accept
   set srcaddr "all"
   set dstaddr "ZTNA_PAM156b"
   set schedule "always"
   set nat enable
  next
 end

To configure web proxy forwarding on FortiGate:

In the CLI console, enter the following commands:

 config system interface
  edit "port1"
   set  vdom "root"
   set ip 10.49.112.58 255.255.255.0
   set allowaccess ping https ssh http
   set type physical
   set explicit-web-proxy enable #enable web proxy
   set snmp-index 1
  next
 end
 config web-proxy explicit
  set status enable
  set https-incoming-port 8080 
 end 
 config web-proxy forward-server
  edit "pam156b_web_proxy"
   set addr-type fqdn
   set fqdn "pam156b.fortipam.ca"
   set port 8080
  next
 end
 config firewall proxy-policy
  edit 2
   set uuid 024adcf4-7967-51f0-01cd-00e184cc0c25
   set name "pam156b_proxy_policy"
   set proxy explicit-web
   set dstintf "any"
   set srcaddr "all"
   set dstaddr "all"
   set service "webproxy"
   set action accept
   set schedule "always"
   set logtraffic all
   set webproxy-forward-server "pam156b_web_proxy"
  next
 end

To configure FortiPAM:

In the CLI console, enter the following commands to enable web proxy on the port interface:

 config system interface
  edit "port2"
   set ip 10.1.100.156 255.255.255.0
   set allowaccess ping ssh
   set type physical
   set explicit-web-proxy enable
   set snmp-index 2
  next
 end

In the CLI console, enter the following commands to change the proxy-fqdn to the FortiGate GUI FQDN:
```
 config web -proxy global
  set proxy-fqdn "fos58.fortipam.ca"
 end
```

In the CLI console, enter the following commands to verify the web proxy listening port number:

 config web-proxy explicit-proxy
  edit "web-proxy"
   set status enable
   set interface "any"
   set http-incoming-port 8080 #Sync with the web proxy forward port configured on the FortiGate
 next
end

In the FortiPAM GUI, go to Secrets > Secrets, from the list, open a secret:
1. Go to the Settings tab, enable Tunnel Encryption, and click Save.