
Configuring traffic proxy on the gateway for forwarding secret launch (traffic plane)

This example configures the traffic proxy on the gateway that forwards secret launches.

The traffic proxy can only be configured from the CLI console.

To configure traffic proxy on the FortiPAM gateway:

Starting with 1.5.0, the default vip/access-proxy/policy is used as the traffic proxy for reverse and service mode. There is no need to manually create a traffic proxy on the gateway.

There is always a default firewall address and policy for the reverse mode.

 config firewall address
  edit "fortipam_vip_gwy_addr"
   set uuid 71be08b0-9635-51ef-15dd-cc38fbd02e05
   set subnet 172.17.219.98 255.255.255.255
  next
 end

The IP address in the default firewall.address is the same as the IP address of the default VIP.

 config firewall policy
  edit 2001
   set type access-proxy
   set name "fortipam_vip_gwy_pol"
   set uuid 71be3eca-9635-51ef-ee0f-1fd59c381492
   set srcintf "any"
   set srcaddr "fortipam_vip_gwy_addr"
   set dstaddr "all"
   set action accept
   set schedule "always"
   set access-proxy "fortipam_access_proxy"
   set ssl-ssh-profile "deep-inspection"
  next
 end

Both the reverse and the service mode use the default fortipam_vip, so when you switch modes on the gateway device, there is no need to change the corresponding secret.gateway entry on the FortiPAM device.

If the gateway device must function as both the forward and the reverse gateway, add a new firewall.address representing the source device IP address and set it in the policy srcaddr next to fortipam_vip_gwy_addr.

Notes:

  • If the secret server and the gateway are different products (that is, one is FortiPAM and the other is FortiSRA), the gateway always works in reverse mode.

    If you require a customized VIP for traffic forwarding, use the following configuration:

  1. In the CLI console, enter the following commands:
     config firewall vip
      edit "fortipam_vip_gw"
       set uuid d39c1138-032a-51ef-8508-24d8bb973e7a
       set type access-proxy
       set extip 10.59.112.97
       set extintf "port1"
       set server-type https
       set extport 7443
       set ssl-certificate "Fortinet_SSL"
      next
     end
     config firewall access-proxy
      edit "gw_access_proxy"
       set vip "fortipam_vip_gw"
       config api-gateway
        edit 2
         set url-map "/tcp"
         set service tcp-forwarding
         config realservers
          edit 1
           set address "all"
          next
         end
        next
       end
      next
     end
     config firewall policy
      edit 2
       set type access-proxy
       set uuid 380dc436-032b-51ef-0ef6-a260ec98f34b
       set srcintf "any"
       set srcaddr "all"
       set dstaddr "all"
       set action accept
       set schedule "always"
       set access-proxy "gw_access_proxy"
       set ssl-ssh-profile "deep-inspection"
      next
     end
    

The extip and extport of the VIP are the values configured in the gateway entry on the FortiPAM server that proxies the traffic.

To configure traffic proxy on the FortiGate gateway:
  1. In the CLI console, enter the following commands:
     
     config firewall vip
      edit "rvs_gw_vip"
       set uuid 070aabf8-1c88-51ef-7522-ee10d057882a
       set type access-proxy
       set server-type https
       set extip 10.59.112.131
       set extintf "port1"
       set client-cert disable
       set extport 9443
       set ssl-certificate "fortipam_gw5"
      next
     end
     config ztna traffic-forward-proxy
      edit "ztfp_fpam"
       set vip "rvs_gw_vip"
      next
     end
     config firewall proxy-policy
      edit 3
       set uuid 4d3ad48c-1d45-51ef-24ad-e8ec50ae317d
       set proxy ztna-proxy
       set ztna-proxy "ztfp_fpam"
       set srcintf "any"
       set srcaddr "all"
       set dstaddr "all"
       set action accept
       set schedule "always"
       set logtraffic all
       set utm-status enable
       set ssl-ssh-profile "deep-inspection"
      next
     end
    

The extip and extport of the VIP are the values configured in the gateway entry on the FortiPAM server that proxies the traffic.

By default, client-cert on the VIP is enabled (the example above disables it). If client-cert is left enabled, add the FortiPAM CA certificate to the FortiGate:

 config authentication setting
  set user-cert-ca "CA_Cert_1"
 end
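As an added example (not Fortinet code or tooling), the following Python parses the `config`/`edit`/`set`/`next`/`end` CLI blocks used in both procedures above and checks the two things most likely to leave a gateway broken or over-permissive: a policy whose `access-proxy` (FortiPAM gateway) or `ztna-proxy` (FortiGate gateway) refers to an undefined proxy or VIP, and a policy whose `srcaddr` is empty. The sample configuration it audits is constructed for this example; the table and attribute names are the ones shown on this page.

```python
import shlex
# Constructed sample in the page's CLI format: a FortiPAM gateway policy with
# an empty srcaddr whose access proxy points at a VIP that was never created.
SAMPLE = """
config firewall access-proxy
 edit "gw_access_proxy"
  set vip "fortipam_vip_gw"
 next
end
config firewall policy
 edit 2001
  set type access-proxy
  set srcaddr
  set access-proxy "gw_access_proxy"
 next
end
"""
# (policy table, attribute naming the proxy, proxy table) for FortiPAM and FortiGate
CHAINS = [("firewall policy", "access-proxy", "firewall access-proxy"),
          ("firewall proxy-policy", "ztna-proxy", "ztna traffic-forward-proxy")]

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts; 'set' values are lists."""
    root = node = {}
    stack = []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            node[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            node = stack.pop()
    return root

def audit(text):
    """Return findings: dangling proxy/VIP references and policies with empty srcaddr."""
    cfg, findings = parse_fortios(text), []
    for pol_table, ref, proxy_table in CHAINS:
        for pol_id, pol in cfg.get(pol_table, {}).items():
            name = (pol.get(ref) or [""])[0]
            proxy = cfg.get(proxy_table, {}).get(name)
            if proxy is None:
                findings.append(f"{pol_table} {pol_id}: {ref} {name!r} is not defined")
            elif (proxy.get("vip") or [""])[0] not in cfg.get("firewall vip", {}):
                findings.append(f"{pol_table} {pol_id}: {name!r} uses an undefined vip")
            if not pol.get("srcaddr"):
                findings.append(f"{pol_table} {pol_id}: srcaddr is empty, no source matched")
    return findings
```

Run `audit()` over the output of `show firewall vip`, `show firewall access-proxy` (or `show ztna traffic-forward-proxy`) and the policy table pasted together; an empty list means every proxy reference resolves and every policy names a source.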
