What's new

The following list contains new and expanded features added in FortiPAM 1.9.0.

Secret/Launch

1239092- TCP forwarding for native RDP launch

When creating a secret with RDP Service enabled, a new TCP Forwarding option is available.

Enabling TCP Forwarding routes the RDP traffic through TCP forwarding consistent with an Other clientType launcher.

As a result, RDP Security Level, RDP Restricted Admin Mode, RDP Auto TOTP, and Block Clipboard are not supported for native RDP launchers.

You can enable TCP Forwarding for the following reasons:

1. Bypass the certificate revocation check failure warning during the native RDP launch.
2. When connecting to a legacy or 3^rd party RDP server that only supports plain text RDP.
3. When the native RDP launch fails due to recent RDP protocol change.

1230813- Secret launcher elevation

Some processes can only be started by the System level, e.g., SSMS, while others require a user.

In FortiPAM 1.9.0, a new Privilege option available when configuring a secret launcher in Secret Settings > Launchers.

The following options are available under Privilege:

• Launch secret and run init/clean command under USER (default)

• Launch secret under SYSTEM

• Run init/clean command under SYSTEM

• Launch secret and run init/clean command under SYSTEM

The Privilege flag instructs FortiClient whether a process should be launched under System or under a user account.

When FortiClient 7.x works with FortiPAM 1.9.0 or later, it uses the legacy hardcoded configuration to launch a process on the client PC, i.e., only SSMS.exe is started by the System, others require a user.

1229992- Kerberos authentication for RDP sessions

Starting FortiPAM 1.9.0, FortiPAM introduces support for Kerberos authentication when launching native RDP sessions using Network Level Authentication (NLA).

Kerberos provides a stronger and more secure authentication mechanism compared to NTLM, and is the preferred method in modern Active Directory environments.

In Active Directory environments, the Kerberos realm typically aligns with the DNS name of the Windows domain, by convention.

FortiPAM automatically uses the configured domain associated with the secret or its target to construct the Kerberos Realm for authentication.

When Kerberos authentication is enabled, FortiPAM uses the domain information configured in the secret target to request a Kerberos ticket from the appropriate Key Distribution Center (KDC).

Best Practices

1. Create a secret using the Target Only secret template with target computer FQDN as the host information.

   Associate the secret with the corresponding Windows Domain Account secret, and launch the RDP session using the associated secret credentials.

2. Create a secret using Windows Domain Account secret template.

   When launching an RDP session, enter the target FQDN in the Enter Target field.

Limitations

• Kerberos authentication is supported only for the native RDP launcher.

1186793- Secret gateway permission support

FortiPAM 1.9.0 introduces the following two new permissions for Secret Gateways:

• Viewer: Viewer permission provides visibility and usage rights but does not allow modifying or deleting the gateway.

  A user with Viewer permission can use the gateway when configuring a target.

• Owner: A user with Owner permission receives all capabilities of the Viewer role plus the ability to update/delete the secret gateway.

This enhancement provides more granular administrative control and is primarily designed to support the Secret Gateway Proxy Chain feature.

1227053- Approval email using Microsoft Graph

FortiPAM 1.9.0 introduces support for configuring the Approval Email Server using Microsoft Graph, enabling customers to integrate approval workflows with Microsoft 365 mailboxes using modern OAuth based authentication.

This feature provides a secure alternative to traditional SMTP configurations.

1241246- Just‑In‑Time (JIT) privilege via Secret checkout/check‑in (PowerShell)

Starting 1.9.0, FortiPAM introduces Just‑In‑Time (JIT) privilege elevation for Windows targets during a secret checkout/check‑in.

Administrators can attach PowerShell scripts to a secret so that, when a user checks out the secret, FortiPAM will remotely connect to the target via WinRM and add the user to an elevated group, e.g., administrators.

On check‑in, FortiPAM removes the user from that group, returning the machine to a least‑privilege state.

1272600- Support additional authentication on secret access/launch

Starting 1.9.0, FortiPAM supports setting up additional authentication for accessing and launching secrets:

1. A new Access Authentication setting available when configuring a new secret policy in Secret Settings > Policies.

   When enabled, all secrets in the folder where the policy applies require authentication to access/launch them (default) unless the authentication setting is disabled per secret.

2. A new Access Authentication setting available in the Session Security pane when configuring a secret in Secrets > Secrets.

   Access Authentication Status displays the remaining duration of time you have access to the secret.

3. When you open to edit a secret that requires authentication, a new Access Authentication dialog opens requiring you to authenticate before accessing the secret.

   The following warning is displayed when you open a secret without authenticating:

    Editing of the secret is disabled because  
    You don't have permission to access this secret. 
    Please click here or re-access this page to complete the authentication.

   Most settings related to a secret that requires authentication for access are not available unless successfully authenticated.
4. When launching a secret with Access Authentication enabled, authentication is mandatory for successful launch of the secret.
5. When you attempt to access/launch a secret while being logged in to FortiPAM as a remote RADIUS/LDAP user, select Authenticate using PAM login credentials to authenticate using FortiPAM login credentials.

1218001- Secret gateway chaining

FortiPAM now supports Secret Gateway Chaining, which enables multiple secret gateways to be dynamically chained together to securely access targets across segmented networks.

This enhancement simplifies deployment and improves scalability for hybrid and multi‑cloud architectures.

In environments where FortiPAM or service gateways are deployed in public cloud or DMZ networks and targets reside in isolated internal networks, Secret Gateway Chaining allows downstream gateways to establish secure reverse connections to upstream gateways.

Gateway information is automatically advertised to the central (root) FortiPAM, eliminating the need for manual configuration of intermediate gateways.

The following new settings are available when configuring the reverse gateway in the Reverse Service tab in Network > Secret Gateway:

• Root FortiPAM SN: Identifies the current device as the root (central) FortiPAM. This serial number is copied to downstream gateway configurations so they can advertise their gateway information to the correct root FortiPAM.

• Gateway ID Whitelist: Restricts which downstream gateways are allowed to establish reverse connections based on the CN of their gateway certificate

The following new settings are available when configuring a server in Network > FortiPAM Server:

• Launch via Service Gateway

• A new Gateway Setting pane

An updated Gateway pane in Secrets > Targets that allows you to select either a dynamic or a static gateway.

Note:

• Only the terminal gateway in the chain requires direct network connectivity to the target.

• All communication between gateways and FortiPAM uses mutual TLS (mTLS) with certificate‑based authentication.

1241743- Launcher Process matcher

FortiPAM 1.9.0 introduces three new ways to identify the main process: Default, Window Title, and Command Line.

Window Title matches a Regex against the GUI window title, and Command Line matches a Regex against the process execution string.

When proc-matcher-type is not default, Multiprocess Mode and Full-screen Recording are forced to Enable so FortiClient can watch the whole tree to find the match and guarantee the audit trail is captured.

1231937- Single secret to multiple target hosts

FortiPAM 1.9.0 adds support for using a single secret with multiple approved target hosts.

A new Multiple Target Address Field Type when configuring a secret template in Secret Settings > Templates.

The Multiple Target Address replaces the standard Service Address Field Type.

You can configure a Multiple Target Address allowlist that supports IP ranges, CIDR, FQDNs, and wildcard FQDNs, and users can select a destination from the approved list when launching a session.

1218004- Support for revoking approved secret access requests

Starting FortiPAM 1.9.0, FortiPAM allows approvers to revoke their approvals.

A new Revoke Approval option available in a secret approval request that has already been approved (Secrets > Approvals).

An approver can revoke their approval at any time regardless of the approval tier or even when the requester has already launched the secret.

Once the approval is revoked:

• If the requester had already launched the secret, the secret session is immediately terminated.

• The secret approval request resets and must be approved/denied.

1231609- Support for Loading Balancing Information for Web RDP targets

Starting FortiPAM 1.9.0, FortiPAM introduces a new Loading Balancing Information attribute for targets that use templates with Web RDP default launcher.

This value provides the load balancing information or cookie that should be sent to the connection broker and is configured in the target setting.

User/Group

1221052- Auto provision email address and display name for LDAP users

Starting FortiPAM 1.9.0, FortiPAM supports getting user display name and email address for auto provisioned remote LDAP users.

The following two new fields are available when editing an auto provisioned remote LDAP user:

• Display Name

• Email address

1. A new auto-provision rule for LDAP user group is configured.
2. When an LDAP user attempts to log in to FortiPAM, it attempts to fetch user display name and email address fields.

FortiPAM auto provisions the user email address and display name from the remote LDAP server with best effort.

Notes:

• When no display name or email address information synchronizes from the remote server, the administrator can edit those fields.

• After auto-provision users are imported into FortiPAM and managed as local users, the display name and the email address field values stop synchronizing with the remote server.

1251884- Non‑TOTP 2FA support in WebSSH

Starting FortiPAM 1.9.0, the WebSSH launcher now supports non‑TOTP‑based 2FA for SSH targets that require an additional authentication challenge during login.

This enhancement allows users to manually enter real‑time 2FA codes directly in the WebSSH console.

During login, if the SSH server issues a 2FA challenge, FortiPAM displays the following prompt:

Enter token code or no code to send a notification to your FortiToken Mobile

You can then manually enter the correct verification code to complete authentication.

Supported 2FA methods

1. FortiAuthenticator-based 2FA
   1. FortiToken Mobile/FortiToken Cloud
   2. SMS
   3. Email
2. 3^rd party authentication applications
   1. Google Authenticator and other compatible token tools

   This update ensures that WebSSH can handle a wider range of real‑time authentication methods without requiring built‑in TOTP configuration on the FortiPAM side.

Configuration requirements

For most deployments, no additional configuration is needed.

However, when using FortiAuthenticator with SMS or Email delivery, FortiPAM requires that at least one of the following SSH‑related settings be enabled within the secret:

When configuring a secret in Secrets > Secrets, go to the SSH Service pane in the Settings tab, and configure any of the following:

1. Select Enable SSH service and select an SSH filter from the SSH Filter dropdown.

   A placeholder (empty) profile is acceptable if no filtering is required.

2. Enable SSH Auto-Password.
3. Use a Target Only secret template.

   Users manually enter the username and password during login.

Limitation

If a user enters an incorrect 2FA token, the SSH session cannot retry the challenge within the same connection.

• The WebSSH session must be closed.

• The user must relaunch the secret and authenticate again with the correct real‑time token.

Recommendation

In some environments, FortiAuthenticator automatic push notifications (FortiToken Mobile auto‑push) may behave inconsistently.

For best reliability, manual entry of the 2FA token is recommended.

1186793- Wildcard user support

FortiPAM 1.9.0 introduces support for wildcard users when using the Concurrent Logon license model.

To configure a wildcard remote user, select the new Match all users in a remote server or group option available when configuring a new remote user in User Management > User List.

This capability allows administrators to permit login for any remote user who matches a remote server group without creating individual static user entries in FortiPAM.

This feature is beneficial for environments with large number of temporary users.

1192951- SCIM service support

This feature delivers comprehensive SCIM‑driven identity lifecycle management combined with administrative visibility and control through the GUI.

It supports automatic provisioning and enforcement, as well as manual import and review of SCIM users and groups.

The system tightly integrates SCIM, SAML, and Auto Provision Rules (APL) to deliver instant identity synchronization, dynamic role and policy assignment, and immediate session enforcement when user or group membership changes.

Go to User Management > SCIM Service to create a SCIM client.

A new SCIM profile dropdown available when configuring a SAML SSO server in User Management > Saml Single Sign-On.

The new SCIM profile dropdown allows you to select a configured SCIM client.

This allows the system to link SAML‑authenticated users with SCIM‑synchronized user and group data, enabling automatic provisioning, dynamic role updates, and real‑time authorization enforcement based on SCIM lifecycle events.

1055670- Message-Authenticator support for RADIUS

FortiPAM 1.9.0 adds the Message-Authenticator attribute to RADIUS requests and introduces the require-message-authenticator option under RADIUS server configuration.

This option is enabled by default, which makes validation of the Message-Authenticator in the RADIUS response mandatory.

Administrators can set it to disable as a workaround if the RADIUS server does not provide the attribute in the response.

System/Log

1237561- Auto purging auto-provisioned users

Automatic disabling of auto-provisioned users due to prolonged inactivity was introduced in FortiPAM 1.8.0.

Starting FortiPAM 1.9.0, FortiPAM supports automatically purging disabled auto-provisioned users.

A new Provisioned User Auto-purging pane available in the Advanced tab in System > Settings.

The following settings are available in Provisioned User Auto-purging:

• User Max Disabled Days (new): The number of days after which a disabled auto-provisioned user is deleted.

• User Max Inactivity Days: The number of days after which an inactive auto-provisioned user is disabled.

Others

1235062- FortiPAM-VM active-passive HA on OCI

You can now deploy FortiPAM-VM active-passive HA on the OCI platform within an AD.

1208446- New FortiPAM 400G hardware model

Starting FortiPAM 1.9.0, FortiPAM now supports a new FortiPAM 400G hardware model.

For information on configuration capacity for the FortiPAM 400G hardware model, see Configuration capacity for FortiPAM hardware appliances and VM in the latest FortiPAM Release Notes.

1051767- New FortiPAM 100G hardware model

Starting FortiPAM 1.9.0, FortiPAM now supports a new FortiPAM 100G hardware model.

For information on configuration capacity for the FortiPAM 100G hardware model, see Configuration capacity for FortiPAM hardware appliances and VM in the latest FortiPAM Release Notes.

1261155- New FortiPAM login page

Starting 1.9.0, FortiPAM offers a new login page that supports viewing clear passwords during entry.

1221902- TCP Segmentation Offload (TSO) and Generic Segmentation Offload (GSO)

Starting 1.9.0, FortiPAM supports TCP Segmentation Offload (TSO) and Generic Segmentation Offload (GSO) at the system interface level.

These two new settings are enabled by default and are designed to improve overall network performance by reducing CPU overhead during packet transmission.

Both settings are configurable per interface and can be enabled or disabled as needed.

TSO and GSO allow the operating system to transmit large data packets and delegate the task of segmenting them into smaller, network-compliant packets to the NIC or kernel. This offloading significantly reduces CPU processing required for packet segmentation, resulting in improved throughput and lower system load.

In FortiPAM 1.9.0:

• TSO is enabled by default on all system interfaces

• GSO is enabled by default on all system interfaces

Configuration

 config system interface
  edit "port1"
   set tso {enable | disable}
   set gso {enable | disable}
  next
 end