FortiPAM integration

To configure the FortiPAM integration for FortiClient, you must configure the following:

  • FortiPAM
  • The FortiPAM feature in EMS
  • FortiClient, with the FortiPAM feature enabled

This document also describes the following use cases:

  • Configuring a secret for SSH to a FortiGate
  • Using a secret to log in to a website

To configure FortiPAM:
  1. Log in to FortiPAM via the console.
  2. Configure the management IP address, default gateway, and DNS settings:
    config system dns
        set primary 208.91.112.53
        set secondary 96.45.46.46
    end
    config router static
        edit 1
            set gateway 172.17.162.3
            set device "port1"
        next
    end
    config system interface
        edit "port1"
            set ip 172.17.162.167 255.255.254.0
            set allowaccess ping https ssh http telnet
            set type physical
            set monitor-bandwidth enable
            set snmp-index 1
        next
    end
  3. Clear the browser cache.
  4. Log in to FortiPAM via its interface IP address using HTTP. For example, if the interface IP address is 172.17.61.167, go to http://172.17.61.167. Do not use HTTPS: FortiPAM does not support HTTPS before license validation.
  5. Configure zero trust network access (ZTNA) rules and server in FortiPAM. This example sets the ZTNA server external IP address to 172.17.162.166. Users log in to FortiPAM with this IP address to launch a secret.
    config firewall vip
        edit "fortipam_vip"
            set uuid 188232bc-3534-51ed-897e-7d522767d173
            set type access-proxy
            set extip 172.17.162.166
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
    config firewall access-proxy
        edit "fortipam_access_proxy"
            set vip "fortipam_vip"
            config api-gateway
                edit 1
                    set url-map "/pam"
                    set service pam-service
                next
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "all"
                        next
                    end
                next
                edit 3
                    set service gui
                    config realservers
                        edit 1
                            set ip 127.0.0.1
                            set port 80
                        next
                    end
                next
            end
        next
    end
    config firewall policy
        edit 1
            set type access-proxy
            set uuid 075cff8c-4e1e-51ed-4d83-41cb5da1944e
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set access-proxy "fortipam_access_proxy"
            set groups "SSO_Guest_Users"
            set ssl-ssh-profile "deep-inspection"
        next
    end
  6. Log in to FortiPAM as the admin user account. Add a "demo" user that will be used to log in to FortiPAM to launch predefined secrets for the user, or allow the user to create their own secret:

    config system admin
        edit "demo"
            set accprofile "Power User"
            set password "1"
        next
    end

  7. Create a secret folder. In this example, the folder is called "f-demo". In FortiPAM, each secret must belong to a secret folder. The FortiPAM administrator can assign appropriate permissions for a user to the folder, such as owner or view-only permissions. Give owner permissions to the demo and admin users for the f-demo folder:

    config secret folder
        edit 5
            set name "f-demo"
            set inherit-policy disable
            set inherit-permission disable
            config user-permission
                edit 1
                    set user-name "demo" "admin"
                    set folder-permission owner
                    set secret-permission owner
                next
            end
        next
    end

  8. Add the "RDP Secret Launcher" secret and make it display in the f-demo folder. In this example, the folder ID is 5:

    config secret database
        edit 22
            set name "RDP Secret Launcher"
            set folder 5
            set template "Windows Machine"
            set recording enable
            set proxy enable
            set block-rdp-clipboard disable
            set rdp-service-status up
            set samba-service-status up
            config credentials-history
            end
            config field
                edit 1
                    set name "Host"
                    set value "172.17.60.8"
                next
                edit 2
                    set name "Username"
                    set value "qa"
                next
                edit 3
                    set name "Password"
                    set value "ENC lLUCAA722LevoHAohj7+Jnsyp0A="
                next
            end
        next
    end

To enable the FortiPAM feature in EMS:
  1. In EMS, go to Endpoint Profiles > System Settings. The default port for communication between FortiPAM and EMS is 9191. This must match the port configured in FortiPAM under System > Settings > Client Port. To use a custom port, change the port in both EMS and FortiPAM.
  2. Edit the desired profile or create a new one.
  3. Enable Privilege Access Management.
  4. In the Port field, enter 9191.
  5. Click Save.
To install FortiClient with the FortiPAM feature enabled and verify the configuration:
  1. On an endpoint with the FortiPAM feature enabled, open Task Manager. Confirm that the Fortvrs.exe and Fortitcs.exe daemons are running.
  2. On the desired browser, ensure that the FortiPAM password filler extension is installed.
  3. In FortiPAM, go to Secrets > Secret List.
  4. Select RDP Secret Launcher, then click Launch Secret.
  5. Select Remote Desktop-Windows, then click Launch.
  6. In the prompt, select Yes. You should successfully log in to the remote Windows machine without needing to enter credentials.
To configure a secret for SSH to a FortiGate:
  1. Install PuTTY on the client machine.
  2. Install FortiClient on the endpoint. The FortiPAM feature must be enabled.
  3. Register FortiClient to EMS. Ensure that the profile assigned to the endpoint has the FortiPAM feature enabled.
  4. Log in to FortiPAM as the administrator. Add the SSH secret:
    1. Obtain the ID for the secret folder that you will use for this secret by running show secret folder. In this example, the desired directory is f-demo, which has an ID of 5.
    2. Obtain the list of secret IDs being used by running show secret database. In this example, the ID 22 is already being used. The example uses 23 as the ID for the new SSH secret:

      show secret database
      id    Secret ID.
      22    RDP Secret Launcher

    3. Add a secret for SSH to FortiGate, using secret ID 23. The following commands enable proxy and session recording. Replace the demo, host, username, password, and URL values for your own configuration before running the commands:

      config secret database
          edit 23
              set name "ID23 SSHtoFGT"
              set folder 5
              set template "FortiGate (SSH Password)"
              set recording enable
              set proxy enable
              set ssh-filter enable
              set ssh-filter-profile "DEMO"
              set ssh-service-status up
              config credentials-history
              end
              config field
                  edit 1
                      set name "Host"
                      set value "172.17.61.28"
                  next
                  edit 2
                      set name "Username"
                      set value "admin"
                  next
                  edit 3
                      set name "Password"
                      set value "ENC kseKVIslSftEmwBy8OqUPyYryoA="
                  next
                  edit 4
                      set name "URL"
                      set value "https://172.17.61.28"
                  next
              end
          next
      end

  5. In Microsoft Edge, log in to FortiPAM as the demo user and launch the secret to confirm that it works: go to Secrets > Secret List, select the newly created secret, and click Launch Secret. Edge is preferred over Chrome and Firefox for testing this configuration. A PuTTY dialog opens, and you should be logged in to FortiOS without being asked for credentials. After the session ends, go to Log & Reports > Secrets > Secret Video to confirm that a video was recorded as configured.
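The RDP secret (step 8 above) and the SSH secret (step 4.3) both rely on `set recording enable` and `set proxy enable` being present on the `config secret database` entry, and on the password field being stored as an `ENC` value rather than clear text. The following added example (not Fortinet code, and not part of this document) parses a FortiOS-style CLI dump into a tree and audits every secret for those three properties, so that a backup or `show secret database` output can be checked before a launcher is handed to users. The parser supports only the `config`/`edit`/`set`/`unset`/`next`/`end` commands shown on this page; the sample configuration embedded in it is constructed, with placeholder addresses and ciphertext.

```python
import shlex


def new_entry():
    """An entry holds its own settings and any nested config tables."""
    return {"settings": {}, "tables": {}}


def parse_fortios_cli(text):
    """Parse FortiOS-style CLI text into nested dicts.

    Returns a root entry whose "tables" map a config path (e.g.
    "secret database") to {edit-id: entry}. Only config/edit/set/unset/
    next/end are understood; anything else is an error.
    """
    root = new_entry()
    stack = [("entry", root)]  # frames are ("table", dict) or ("entry", dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # honours "quoted values"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        kind, frame = stack[-1]
        if cmd == "config":
            if kind != "entry":
                raise ValueError(f"line {lineno}: 'config' is only valid inside an entry")
            stack.append(("table", frame["tables"].setdefault(" ".join(args), {})))
        elif cmd == "edit":
            if kind != "table" or not args:
                raise ValueError(f"line {lineno}: 'edit' is only valid inside a table")
            stack.append(("entry", frame.setdefault(" ".join(args), new_entry())))
        elif cmd == "set":
            if kind != "entry" or not args:
                raise ValueError(f"line {lineno}: bad 'set'")
            frame["settings"][args[0]] = args[1:]
        elif cmd == "unset":
            if kind != "entry" or not args:
                raise ValueError(f"line {lineno}: bad 'unset'")
            frame["settings"].pop(args[0], None)
        elif cmd == "next":
            if kind != "entry" or len(stack) == 1:
                raise ValueError(f"line {lineno}: 'next' without a matching 'edit'")
            stack.pop()
        elif cmd == "end":
            if kind != "table":
                raise ValueError(f"line {lineno}: 'end' without a matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown command {cmd!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit_secrets(root):
    """Return human-readable findings for secrets that are not recorded,
    not proxied, or that store a Password field in clear text."""
    findings = []
    for sid, entry in root["tables"].get("secret database", {}).items():
        s = entry["settings"]
        name = " ".join(s.get("name", [sid]))
        if s.get("recording") != ["enable"]:
            findings.append(f"secret {sid} ({name}): session recording not enabled")
        if s.get("proxy") != ["enable"]:
            findings.append(f"secret {sid} ({name}): proxy launch not enabled")
        for fid, field in entry["tables"].get("field", {}).items():
            fs = field["settings"]
            value = fs.get("value", [])
            if fs.get("name") == ["Password"] and value and not value[0].startswith("ENC "):
                findings.append(f"secret {sid} ({name}): password field {fid} is stored in clear text")
    return findings


# Constructed sample: secret 23 mirrors the page's SSH launcher with placeholder
# values; secret 24 is deliberately misconfigured so the audit has something to find.
SAMPLE_CLI = """\
config secret database
    edit 23
        set name "ID23 SSHtoFGT"
        set folder 5
        set template "FortiGate (SSH Password)"
        set recording enable
        set proxy enable
        set ssh-service-status up
        config credentials-history
        end
        config field
            edit 1
                set name "Host"
                set value "192.0.2.28"
            next
            edit 3
                set name "Password"
                set value "ENC PLACEHOLDER-CIPHERTEXT="
            next
        end
    next
    edit 24
        set name "Unrecorded"
        set folder 5
        set template "FortiGate (SSH Password)"
        set proxy enable
        config field
            edit 3
                set name "Password"
                set value "plaintext-secret"
            next
        end
    next
end
"""

if __name__ == "__main__":
    for finding in audit_secrets(parse_fortios_cli(SAMPLE_CLI)):
        print(finding)
```

Run it against a saved `show secret database` dump by reading the file into `parse_fortios_cli` instead of `SAMPLE_CLI`; an empty findings list means every secret is proxied, recorded, and holds only encrypted passwords.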

To use a secret to log in to a website:

The following provides instructions on how to use a secret to log in to a website. The example website is AWS.

  1. Log in to FortiPAM and create a secret to log in to AWS:

    config secret database
        edit 25
            set name "Login AWS"
            set folder 5
            set template "AWS Web Account"
            set recording enable
            set proxy enable
            config credentials-history
            end
            config field
                edit 1
                    set name "URL"
                    set value "https://aws.amazon.com/"
                next
                edit 2
                    set name "Username"
                    set value "yours@gmail.com"
                next
                edit 3
                    set name "Password"
                    set value "ENC yNhlyigiX2TX0nJNuetRYI3EJI4="
                next
                edit 4
                    set name "AccountID"
                next
            end
        next
    end

  2. Click Launch Secret.
  3. Click Sign in.
  4. Click the root user email address.
  5. Select Use FortiPAM session credentials to autofill the user account, then click Next.
  6. Select Use FortiPAM session credentials to autofill the password, then click Sign in. FortiClient starts recording the session and streams the video to FortiPAM until the session ends.

To debug the integration:

By default, debug logging is enabled for the FortiClient-side FortiPAM daemon (fortivrs.exe). The log files are located in the trace folder and are named as follows:

  • fortivrs_session_0_1.log
  • fortivrs_session_1_1.log

The file C:\Users\Public\FortiClient\ztna\config.json contains the zero trust network access (ZTNA) rules. For the example in To use a secret to log in to a website, the file contains one ZTNA rule entry:

    {"rules":[{"name":"InternalPamRuleItem1","mode":"transparent","destination":"aws.amazon.com:443","gateway":"172.17.162.166:443","encryption":0}]}
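Because every FortiPAM-launched session on the endpoint is steered by the rules in that config.json, an entry whose gateway is not the FortiPAM ZTNA server means the traffic for a secret would be forwarded somewhere else. The following added example (not Fortinet code, and not part of this document) loads the file, checks each rule for the keys shown on this page, validates the host:port fields, and flags any rule whose gateway differs from the FortiPAM VIP. The expected gateway 172.17.162.166:443 is the value from this page's ZTNA configuration; treating `transparent` as the only expected mode and `encryption` as an integer flag are assumptions based on the single rule shown, and the sample file embedded below is constructed.

```python
import json
import sys

# Value from this page's ZTNA VIP configuration (extip 172.17.162.166, extport 443).
EXPECTED_GATEWAY = "172.17.162.166:443"
# Keys and mode as they appear in the page's single example rule (assumption: these are the full set).
REQUIRED_KEYS = {"name", "mode", "destination", "gateway", "encryption"}
KNOWN_MODES = {"transparent"}
# Page's own path; only used when no argument is given on the command line.
DEFAULT_PATH = r"C:\Users\Public\FortiClient\ztna\config.json"


def split_host_port(value):
    """Split 'host:port' and validate the port; raises ValueError on malformed input."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"malformed host:port {value!r}")
    return host, int(port)


def check_ztna_rules(config_text, expected_gateway=EXPECTED_GATEWAY):
    """Return a list of problems found in a ztna/config.json document (empty = clean)."""
    data = json.loads(config_text)
    rules = data.get("rules") if isinstance(data, dict) else None
    if not isinstance(rules, list):
        return ["config.json has no 'rules' list"]
    problems = []
    for index, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule #{index}: not a JSON object")
            continue
        label = rule.get("name", f"rule #{index}")
        missing = REQUIRED_KEYS - rule.keys()
        if missing:
            problems.append(f"{label}: missing keys {sorted(missing)}")
            continue
        if rule["mode"] not in KNOWN_MODES:
            problems.append(f"{label}: unexpected mode {rule['mode']!r}")
        if not isinstance(rule["encryption"], int):
            problems.append(f"{label}: encryption flag is not an integer")
        try:
            split_host_port(rule["destination"])
            split_host_port(rule["gateway"])
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        if rule["gateway"] != expected_gateway:
            problems.append(
                f"{label}: gateway {rule['gateway']} is not the FortiPAM ZTNA server {expected_gateway}"
            )
    return problems


# Constructed sample: rule 1 is the page's example; rule 2 points at a different gateway
# (TEST-NET address 203.0.113.9); rule 3 is missing the encryption key.
SAMPLE_CONFIG = json.dumps({"rules": [
    {"name": "InternalPamRuleItem1", "mode": "transparent",
     "destination": "aws.amazon.com:443", "gateway": "172.17.162.166:443", "encryption": 0},
    {"name": "InternalPamRuleItem2", "mode": "transparent",
     "destination": "aws.amazon.com:443", "gateway": "203.0.113.9:443", "encryption": 0},
    {"name": "InternalPamRuleItem3", "mode": "transparent",
     "destination": "example.net:443", "gateway": "172.17.162.166:443"},
]})

PAGE_CONFIG = ('{"rules":[{"name":"InternalPamRuleItem1","mode":"transparent",'
               '"destination":"aws.amazon.com:443","gateway":"172.17.162.166:443","encryption":0}]}')


def check_file(path):
    """Check a config.json on disk; falls back to the constructed sample if it is absent."""
    try:
        with open(path, encoding="utf-8") as fh:
            return check_ztna_rules(fh.read())
    except OSError:
        return check_ztna_rules(SAMPLE_CONFIG)


if __name__ == "__main__":
    for problem in check_file(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH):
        print(problem)
```

On a healthy endpoint the script prints nothing; a rule whose gateway is not the FortiPAM VIP, or that is missing one of the expected keys, is reported by name so it can be matched against the fortivrs session logs.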

To debug on the FortiPAM side, you can do the following:

  • Go to Network > Packet Capture.
  • Use the following commands to troubleshoot:

    diagnose debug enable
    diagnose wad debug enable level verbose
    diagnose wad debug enable category secret
    diagnose wad debug enable category ssh
    diagnose debug console timestamp enable
