Document
Library

Administration Guide

What's new in FortiSRA
- FortiSRA 1.4.1
Introduction
- FortiSRA concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiSRA deployment options
- Feature availability
FortiSRA installation
- FortiSRA appliance setup
- FortiSRA with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiSRA-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secrets
- Targets
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Launch session monitor
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Window app filter
  - Creating a Windows app filter profile
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- SSH
- Antivirus
- Date leak prevention
- Disk usage
- Automation
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Editing an interface
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiSRA chooses the sender email address
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
  - Backing up/restoring log and video files using FTP CLI
- Firmware
- FortiSRA license
- FortiGuard license
- Concurrent user sessions
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiSRA HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
- Troubleshooting Windows application filter
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiSRA-VM
Appendix D: vTPM for FortiSRA on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: WinRM configuration for Windows server
Appendix H: How to find a selector Example
Appendix I: How to input the authentication path Example
Change Log

Home FortiSRA 1.4.1 Administration Guide

1.4.1

Gateway

Gateway

Introduction

FortiSRA supports network gateway for distributed target deployment.

Gateway in Secrets displays a list of configured gateways.

Gateway allows accessibility from a FortiSRA located in a public network to a private enterprise network.

You can configure a gateway, e.g., a FortiSRA, a FortiGate, or a FortiProxy device, when a target is not reachable directly from FortiSRA to proxy the connection to the target.

Gateway introduces forward type network gateway, i.e., the connection is from FortiSRA to the network gateway and then to the target. This type of in-bound connection can be blocked by an edge or internal firewall and FortiSRA cannot reach the target via the gateway.

To resolve this deployment restriction, FortiSRA also supports reverse gateway feature.

FortiSRA can be reached from a reverse gateway and the reverse gateway makes the first connection to FortiSRA as the control plane connection. This is a persistent connection that uses health checks to detect connection issues and supports reconnection.

Starting FortiOS 7.4.4, FortiSRA gateway is not supported on FortiGate hardware models with 2 GB RAM.

Forward type

In the forward type scenario, the FortiSRA deployed on a public site cannot reach the target server directly. The target server is in the private enterprise network and deployable at multiple locations. A FortiGate or a FortiProxy device acts as a network gateway. The network gateway can be applied to the target. All connections to the target are now proxied by FortiSRA and the network gateway.

Reverse type

For each gateway, the following columns are displayed by default:

Name
Type
Status
Address
Port
SSL Max Version
Client Certificate
Remote CA
Reference

The Gateway tab contains the following options:

Create	Select to create a new gateway. See Creating a gateway on the FortiSRA GUI.
Search	Enter a search term in the search field, then hit `Enter` to search the gateway list. To narrow down your search, see Column filter. The following column filters are available: Name Type Status Address Port SSL Max Version Client Certificate Remote CA Reference
Edit	Select to edit the selected gateway.
Delete	Select to delete the selected gateway.

For gateway related CLI configurations, see:

Previous

Next

Gateway

Gateway

Introduction

FortiSRA supports network gateway for distributed target deployment.

Gateway in Secrets displays a list of configured gateways.

Gateway allows accessibility from a FortiSRA located in a public network to a private enterprise network.

You can configure a gateway, e.g., a FortiSRA, a FortiGate, or a FortiProxy device, when a target is not reachable directly from FortiSRA to proxy the connection to the target.

Gateway introduces forward type network gateway, i.e., the connection is from FortiSRA to the network gateway and then to the target. This type of in-bound connection can be blocked by an edge or internal firewall and FortiSRA cannot reach the target via the gateway.

To resolve this deployment restriction, FortiSRA also supports reverse gateway feature.

FortiSRA can be reached from a reverse gateway and the reverse gateway makes the first connection to FortiSRA as the control plane connection. This is a persistent connection that uses health checks to detect connection issues and supports reconnection.

Starting FortiOS 7.4.4, FortiSRA gateway is not supported on FortiGate hardware models with 2 GB RAM.

Forward type

In the forward type scenario, the FortiSRA deployed on a public site cannot reach the target server directly. The target server is in the private enterprise network and deployable at multiple locations. A FortiGate or a FortiProxy device acts as a network gateway. The network gateway can be applied to the target. All connections to the target are now proxied by FortiSRA and the network gateway.

Reverse type

For each gateway, the following columns are displayed by default:

Name
Type
Status
Address
Port
SSL Max Version
Client Certificate
Remote CA
Reference

The Gateway tab contains the following options:

Create	Select to create a new gateway. See Creating a gateway on the FortiSRA GUI.
Search	Enter a search term in the search field, then hit `Enter` to search the gateway list. To narrow down your search, see Column filter. The following column filters are available: Name Type Status Address Port SSL Max Version Client Certificate Remote CA Reference
Edit	Select to edit the selected gateway.
Delete	Select to delete the selected gateway.

For gateway related CLI configurations, see:

Previous

Next