DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

What's new in FortiPAM
- FortiPAM 1.8.1
- FortiPAM 1.8.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
- Agentless mode
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
FortiPAM designs
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
- Concurrent logon licensing (VM only)
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secrets
- Targets
  - Creating a target
  - Web proxy
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Jobs
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Templates
  - Creating secret templates
    - Setting up VNC connections Example
    - Service address field type Example
- Launchers
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Classification tags
  - Creating a classification tag
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Window app filter
  - Creating a Windows app filter profile
- RDP event filter profile
  - Creating an event filter profile
- Secret event subscription
- Client software
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- JWT key management
  - Create a JWT key
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
- Invited users
Log & report
- Secret event & video
- System event
- Security event
- ZTNA traffic
- Disk usage
- Automation
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Editing an interface
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
    - FortiAnalyzer Cloud logging
- Packet capture
  - Creating a packet capture filter
- FortiPAM server
- Secret gateway
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA tags
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
  - Backing up/restoring log and video files using FTP CLI
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Setup wizard
- Concurrent user sessions
  - Concurrent secret launch limitation
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
- FortiClient troubleshooting tips
- Troubleshooting Windows application filter
- Issue: Some configurations are removed after last reboot
- Troubleshooting a secret that uses Windows Machine template with the default SAMBA password changer
- Abnormal traffic detection and resolution
- Issue: Remote desktop under non-proxy mode requires entering password manually
- Verifying HA table synchronization CLI
Guest user experience in FortiPAM
Installation on public cloud
- Installation on Alibaba Cloud
- Installation on AWS
- Installation on Azure
- Installation on GCP
- Installation on OCI
Installation on private cloud
- Installation on KVM
- Installation on VMware
- Installation on Hyper-V
- Installation on Proxmox
- Installation on Nutanix
HA setup
- FortiPAM HA on AWS
- FortiPAM HA on Azure
- FortiPAM HA on Alibaba Cloud
- FortiPAM HA on VMware
- Deploying FortiPAM-VM HA on AWS between multiple zones
Security and hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
- Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
- vTPM for FortiPAM on VMware
- Enabling soft RAID on KVM or VMware
- FortiPAM hardware RAID CLI commands
- Encryption algorithm settings
Performance and optimization
- Performance test results
Integration and automation
- Terraform- FortiPAM as a provider
Advanced configuration and developer tools
- Default launchers parameters
- How to find a selector Example
- How to input the authentication path Example
- How to change the FortiClient local port for FortiPAM
Client access and endpoint configuration
- WinRM configuration for Windows server
- FortiPAM browser extension and standalone FortiClient air-gapped installation
Hardware installation
- FortiPAM 1000G and 3000G hardware installation
Change Log

Home FortiPAM 1.8.1 Administration Guide

1.8.1

Encryption algorithm settings

FortiPAM supports configurable encryption levels to secure log data and SSH communications.

Use the set ssh-algorithm command to define the encryption strength and compatibility level.

Command syntax

set ssh-algorithm {compatible | high-encryption}

Command	Description
set ssh-algorithm compatible	Allow a broad set of encryption algorithms for best compatibility.
set ssh-algorithm high-encryption	Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

Supported algorithm sets

Key Exchange (KEX) algorithms

Strong set:

curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256

Compatible set:

Includes Strong set and the following:

diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1

Ciphers

Strong set:

aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com

Compatible set:

Includes Strong set and the following:

aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour256
arcfour128
blowfish-cbc
chacha20-poly1305@openssh.com
cast128-cbc
3des-cbc
rijndael-cbc@lysator.liu.se

MAC Algorithms

Strong set:

umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-128@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1

Compatible set:

Includes Strong set and the following:

umac-64-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64@openssh.com
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1-96
hmac-md5
hmac-md5-96

Encryption algorithm settings

FortiPAM supports configurable encryption levels to secure log data and SSH communications.

Use the set ssh-algorithm command to define the encryption strength and compatibility level.

Command syntax

set ssh-algorithm {compatible | high-encryption}

Command	Description
set ssh-algorithm compatible	Allow a broad set of encryption algorithms for best compatibility.
set ssh-algorithm high-encryption	Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

Supported algorithm sets

Key Exchange (KEX) algorithms

Strong set:

curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256

Compatible set:

Includes Strong set and the following:

diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1

Ciphers

Strong set:

aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com

Compatible set:

Includes Strong set and the following:

aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour256
arcfour128
blowfish-cbc
chacha20-poly1305@openssh.com
cast128-cbc
3des-cbc
rijndael-cbc@lysator.liu.se

MAC Algorithms

Strong set:

umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-128@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1

Compatible set:

Includes Strong set and the following:

umac-64-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64@openssh.com
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1-96
hmac-md5
hmac-md5-96

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Encryption algorithm settings

Encryption algorithm settings

Command syntax

Supported algorithm sets

Key Exchange (KEX) algorithms

Strong set:

Compatible set:

Ciphers

Strong set:

Compatible set:

MAC Algorithms