DOCUMENT LIBRARY

Administration Guide

What's new in FortiPAM
- FortiPAM 1.4.1
- FortiPAM 1.4.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secrets
- Targets
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
  - Launch session monitor
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Window app filter
  - Creating a Windows app filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Disk usage
- Automation
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Editing an interface
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA tags
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
  - Backing up/restoring log and video files using FTP CLI
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Concurrent user sessions
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
- FortiClient troubleshooting tips
- Troubleshooting Windows application filter
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Appendix O: How to find a selector Example
Appendix P: How to input the authentication path Example
Appendix Q: FortiPAM HA on AWS
Appendix R: FortiPAM HA on Azure
Change Log

Home FortiPAM 1.4.1 Administration Guide

1.4.1

FortiPAM connects to a target through a FortiProxy acting as the gateway Example

Topology

FortiPAM configuration:

In the FortiPAM CLI console, enter the following commands to create the FortiProxy gateway:

 config secret gateway  
  edit test_gateway
   set address "172.16.80.112"
   set port 443
   set url-map "tcp"
   set ssl-max-version tls-1.3
  next
 end

In the FortiPAM CLI console, enter the following commands to create the secret target (Linux server):

 config secret target
  edit "172.16.80.100"
   set class "Other"
   set template "Unix Account (SSH Password)"
   set address "172.16.80.100"
   set gateway "test_gateway" #from step 1
   set creation-time 2023-11-10 09:34:23
   set web-proxy-status  disable
  next
 end

FortiProxy configuration:

In the FortiProxy CLI console, enter the following commands to configure a VIP:

 config firewall vip 
   edit "test_vip"
    set type access-proxy
    set server-type https
    set extip 172.16.80.112
    set extintf "any"
    set h2-support disable
    set extport 443
    set ssl-certificate "Fortinet_GUI_Server"
    set ssl-min-version tls-1.3
   next
  end

In the FortiProxy CLI console, enter the following commands to configure an IPv4 access proxy:

 config firewall access-proxy
  edit "test_access_proxy"
   set vip "test_vip" #from step 1
   set client-cert disable
   set auth-portal enable
   config api-gateway
    edit 1
     set url-map "/tcp"
     set service tcp-forwarding
     config realservers
      edit 1
       set address "all"
      next
     end
    next
   end
  next
 end

In the FortiProxy CLI console, enter the following commands to configure a firewall proxy:

 config firewall policy
  edit 1
   set type access-proxy
   set srcintf "any"
   set srcaddr "all"
   set dstaddr "all"
   set action accept
   set schedule "always"
   set access-proxy "test_access_proxy" #from step 2
  next
 end

FortiPAM connects to a target through a FortiProxy acting as the gateway Example

Topology

FortiPAM configuration:

In the FortiPAM CLI console, enter the following commands to create the FortiProxy gateway:

 config secret gateway  
  edit test_gateway
   set address "172.16.80.112"
   set port 443
   set url-map "tcp"
   set ssl-max-version tls-1.3
  next
 end

In the FortiPAM CLI console, enter the following commands to create the secret target (Linux server):

 config secret target
  edit "172.16.80.100"
   set class "Other"
   set template "Unix Account (SSH Password)"
   set address "172.16.80.100"
   set gateway "test_gateway" #from step 1
   set creation-time 2023-11-10 09:34:23
   set web-proxy-status  disable
  next
 end

FortiProxy configuration:

In the FortiProxy CLI console, enter the following commands to configure a VIP:

 config firewall vip 
   edit "test_vip"
    set type access-proxy
    set server-type https
    set extip 172.16.80.112
    set extintf "any"
    set h2-support disable
    set extport 443
    set ssl-certificate "Fortinet_GUI_Server"
    set ssl-min-version tls-1.3
   next
  end

In the FortiProxy CLI console, enter the following commands to configure an IPv4 access proxy:

 config firewall access-proxy
  edit "test_access_proxy"
   set vip "test_vip" #from step 1
   set client-cert disable
   set auth-portal enable
   config api-gateway
    edit 1
     set url-map "/tcp"
     set service tcp-forwarding
     config realservers
      edit 1
       set address "all"
      next
     end
    next
   end
  next
 end

In the FortiProxy CLI console, enter the following commands to configure a firewall proxy:

 config firewall policy
  edit 1
   set type access-proxy
   set srcintf "any"
   set srcaddr "all"
   set dstaddr "all"
   set action accept
   set schedule "always"
   set access-proxy "test_access_proxy" #from step 2
  next
 end

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

FortiPAM connects to a target through a FortiProxy acting as the gateway Example

FortiPAM connects to a target through a FortiProxy acting as the gateway Example

Topology

FortiPAM connects to a target through a FortiProxy acting as the gateway Example

FortiPAM connects to a target through a FortiProxy acting as the gateway Example

Topology