DOCUMENT LIBRARY

Administration Guide

What's new in FortiPAM
- FortiPAM 1.4.1
- FortiPAM 1.4.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secrets
- Targets
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
  - Launch session monitor
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Window app filter
  - Creating a Windows app filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Disk usage
- Automation
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Editing an interface
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA tags
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
  - Backing up/restoring log and video files using FTP CLI
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Concurrent user sessions
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
- FortiClient troubleshooting tips
- Troubleshooting Windows application filter
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Appendix O: How to find a selector Example
Appendix P: How to input the authentication path Example
Appendix Q: FortiPAM HA on AWS
Appendix R: FortiPAM HA on Azure
Change Log

Home FortiPAM 1.4.1 Administration Guide

1.4.1

Troubleshooting log and video disk encryption issues

Issue 1:

How to check disk encryption configuration and disk format?

The command execute disk encryption status shows both disk encryption configuration under config secret setting and also the format of log and video disks.

For example:

execute disk encryption status
In Configuration file, Disk encryption setting is Enable
Log Disk is /dev/sdb1 and it is in encrypted format.
Video Disk is /dev/sdc1 and it is in encrypted format.
							
[Good] Disk format matches the disk encryption setting in configuration file.

If there is problem regarding log or video,
Run command 'execute disk encryption log' for more information.
Run command 'execute disk encryption video' for more information.

Issue 2:

How to check the log or video disk status?

Use execute disk encryption log or execute disk encryption video command.

Where:

Mount: Indicates if the directory for log and video is correctly mounted to the disk device. An error usually means the log or video cannot be successfully saved into FortiPAM.
Configuration: Shows both the disk encryption configuration under config secret setting and the format of log and video disk. When configuration and disk format do not match, you need to check whether the correct configuration file is used or format the disk based on the setting in the configuration file.
Open: Disks can only be opened by using the correct disk-encryption-password. When the disk fails to open, it usually means the password in the configuration is incorrect.
LUKS HEADER: Dumps the encrypted disk header containing the disk label and other information.

For example:

execute disk encryption log

Log disk status:

Mount:
device name: /dev/mapper/dm_log
directory: /var/log
filesystem type: ext4
Configuration:
In the configuration file, disk encryption is Enable.
Disk is /dev/sdb1 and it is in encrypted format.
[Good] Disk format matches the disk encryption setting in configuration file.
Open:
[Good] Disk is opened and active.
Disk LUKS HEADER:
LUKS header information
Version: 2
Epoch:3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 5633c25c-19e7-42e7-97f6-c62d2829bbba
Label: LOGUSEDX8FAC98BD
Subsystem: (no subsystem)
Flags: (no flags)

Data segments:

0: crypt

offset: 16777216 [bytes]

length: (whole device)

cipher: aes-xts-plain64

sector: 512 [bytes]

Keyslots:

0: luks2

Key: 512 bits

Priority: normal

Cipher: aes-xts-plain64

Cipher key: 512 bits

PBKDF: argon2id

Time cost: 4

Memory: 774464

Threads: 2

Salt: d7 8c 1c f1 6d c0 f1 99 ed 00 3b 48 5f 6a 10 07

b4 17 f0 06 67 1b 51 f0 d9 53 80 df 0d 39 ff 74

AF stripes: 4000

AF hash: sha256

Area offset:32768 [bytes]

Area length:258048 [bytes]

Digest ID: 0

Tokens:

Digests:

0: pbkdf2

Hash: sha256

Iterations: 81715

Salt: 56 69 3c d0 f3 77 04 e5 e7 ec 2b 71 dd 66 28 33

0e 5c 07 8b 43 0c 27 47 48 ab 29 ee 95 ab 5d 58

Digest: 5e 8a dc b8

Issue 3:

What to do when there is `Open disk failed!`message after FortiPAM starts?

When there is Open disk failed! message when FortiPAM starts such as following:

System is starting...
we have 2 interfaces
Open disk failed! dev=/dev/vda1
Open dev /dev/vda1 in encryption format failed. ret=-4

Use execute disk encryption to get more help message.

execute disk encryption

enable: enable disk encryption on log and video disk.

disable: disable disk encryption on log and video disk.

log: check log disk encryption status.

status: check disk encryption status.

video: check video disk encryption status

Issue 4:

What to do when configuration does not match the disk format?

When disk-encryption setting in the configuration file and disk format does not match, use commands execute disk encryption status to get more help message.

FPAVUL2022103101 login:Disk Encryption is disabled in configuration file, but disk is in encrypted format! Device: /dev/vdb1

Run command 'execute disk encryption stat[ 35.678543] EXT4-fs (vdb1): VFS: Can't find ext4 filesystem us' for more information.

Storage HD2 mount failed. Giving up.

FPAVUL2022103101 login: admin

Password:

Welcome!

FPAVUL2022103101 # execute disk encryption status

In the configuration file, disk encryption setting is Disable

Log Disk is /dev/vda1 and it is in encrypted format.

Video Disk is /dev/vdb1 and it is in encrypted format.

[Error] Disk format does not match the disk encryption setting in configuration file.

Option 1:

Restore a previous backup configuration that contain set disk-encryption enable under config secret setting.

Contents in the disks could be kept if correct configuration is restored.

Option 2:

To enable disk encryption, run execute disk encryption enable command.

Option 3:

Run execute disk format command to format disk based on disk encryption setting.

Note that for option 2 and 3, disk will be encrypted/ formatted and all the content on the log and video disk is lost.