DOCUMENT LIBRARY

Administration Guide

What's new in FortiPAM
- FortiPAM 1.4.1
- FortiPAM 1.4.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secrets
- Targets
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
  - Launch session monitor
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Window app filter
  - Creating a Windows app filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Disk usage
- Automation
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Editing an interface
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA tags
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
  - Backing up/restoring log and video files using FTP CLI
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Concurrent user sessions
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
- FortiClient troubleshooting tips
- Troubleshooting Windows application filter
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Appendix O: How to find a selector Example
Appendix P: How to input the authentication path Example
Appendix Q: FortiPAM HA on AWS
Appendix R: FortiPAM HA on Azure
Change Log

Home FortiPAM 1.4.1 Administration Guide

1.4.1

Creating a folder

To create a folder:

Go to Secrets > Personal/Public Folder and select Open Tree.
In the Open window, select where you intend to create a folder.
You can create a folder in an existing folder or select Folder from the Create dropdown in Root to create a root folder.
Click Open.
From the Create dropdown, select Folder.
The New Secret Folder window opens.

Enter the following information:

General

Name

Name of the folder.

Parent Folder

From the dropdown, select a parent folder or select Create to create a new parent folder.

The parent folder is set in step 2.

The parent folder cannot be changed for a root folder.

Use the search bar to look for a folder.

Use the pen icon next to the folder to edit it.

Inherit Policy

Enable to inherit policy that applies to the parent folder.

The option is enabled by default when creating a subfolder.

You cannot inherit policy for a root folder.

Secret Policy

From the dropdown, select a policy that applies to the folder or select Create to create a new policy.

See Creating a policy.

Use the search bar to look for a policy.

Use the pen icon next to the policy to edit it.

This option is only available when Inherit Policy is disabled.

Permission

Use the settings in the pane to control access to the folder.

ZTNA

Inherit ZTNA Control

Enable to inherit ZTNA control access permission from the parent folder.

When configuring a subfolder, FortiPAM displays the ZTNA control settings from the parent folder.

By default, secrets in a folder follow the ZTNA control set up in the parent folder. However, when creating or editing a secret you can customize the ZTNA control in the Secret Permission tab. See Creating a secret.

The option is enabled by default when creating a subfolder.

You cannot inherit ZTNA control access permission for a root folder.

ZTNA Control

Enable to limit access by ztna-ems-tag.

You can choose whether to match all the tags or only one of them.

The option is only available when Inherit ZTNA Control is disabled.

Device Tags

Select + to add ZTNA tags or groups.

Use the search bar to look up a ZTNA tag or ZTNA tag group.

Only permitted devices with the selected tags are allowed to launch.

Device Match Logic

Define the match logic for the device tags:

OR: Devices with any of the selected tags are allowed to launch.
AND: Devices must acquire all the selected tags to launch.

Inherit Permission

Enable to inherit permission from the parent folder.

The option is enabled by default when creating a subfolder.

You cannot inherit permission for a root folder.

Note: The setting can only be disabled if you have the Owner permission. Also, the setting cannot be disabled for any subfolder of the personal folder, i.e., the folder generated for every user.

Permission

The level of user/user group access to the folder and secrets in the folder.

See User Permission and Group Permission.

Click Submit.

User Permission

To create a user permission:

In step 4 when Creating a folder, select the user from the User/Group dropdown in the Permission pane.
To add a new user:
Select + and then select +User List.
The New User List wizard opens.
Follow the steps in Creating a user, starting step 2 to create a new user.
Use the search bar to look up a user.
Use the pen icon next to the user to edit it.
In the Folder Permission dropdown, select from the following:
- View: Ability to view secrets and subfolders in the folder.
- Add Secret: Ability to create new secrets.
- Edit: Ability to create/edit secrets, subfolders, and the folder itself.
- Owner: The highest possible permission level with the ability to create, edit, delete, and move secrets, subfolders, and the folder itself.
In the Secret Permission dropdown, select from the following:
- View: Ability to view secret details and launch a secret.
- Edit: Ability to create/edit secrets and launch the secrets.
- Owner: The highest possible permission level with the ability to create, edit, delete, move, and launch secrets.
In Allowed Service, from the Select Entries list, select the services, click Close.
Use the search bar to look up a service.
Click Submit.

From the list, click x next to a user permission entry to delete it.

Group Permission

To create group permission:

In step 4 when Creating a folder, select the user group from the User/Group dropdown.
To add a new user group:
Select + and then select +User Group.
The Create New User Group window opens.
Follow the steps in Creating user groups, starting step 3.
Use the search bar to look up a user.
Use the pen icon next to a user to edit it.
In the Folder Permission dropdown, select from the following:
- View: Ability to view secrets and subfolders in the folder.
- Add Secret: Ability to create new secrets.
- Edit: Ability to create/edit secrets, subfolders, and the folder itself.
- Owner: The highest possible permission level with the ability to create, edit, delete, and move secrets, subfolders, and the folder itself.
In the Secret Permission dropdown, select from the following:
- View: Ability to view secret details and launch a secret.
- Edit: Ability to create/edit secrets and launch the secrets.
- Owner: The highest possible permission level with the ability to create, edit, delete, move, and launch secrets.
In Allowed Service, from the Select Entries list, select the services, click Close.
Use the search bar to look up a service.
Click Submit.

From the list, click x next to a group permission entry to delete it.