Gov Opsec Doc PDF
FortiPAM 1.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
FEEDBACK
Email: techdoc@fortinet.com
Change Log 7
Introduction 9
FortiPAM concepts 9
Organization of the guide 10
Using the GUI 10
Banner 11
GUI based global search 11
CLI commands 12
Admin 12
Tables 16
Modes of operation 18
FortiPAM deployment options 19
Feature availability 22
FortiPAM installation 24
Installing FortiClient with the FortiPAM feature 24
FortiPAM appliance setup 25
FortiPAM with TPM 27
Connecting to target remote systems 29
Licensing 30
Dashboard 32
Adding a custom dashboard 35
System information widget 36
Licenses widget 37
VM license 38
Folders 39
Creating a folder 42
Secrets 49
Secret list 50
Creating a secret 51
Launching a secret 61
Check out and check in a secret 62
Uploading secrets using the secret upload template 63
Change password 64
Verify password 67
Example secret configurations example 68
Secret launchers 71
Creating a launcher 73
Secret templates 79
Creating secret templates 80
Policies 85
Creating a policy 86
SSH filter profiles 91
Change Log
2023-02-07 Updated Change password on page 64 and FortiPAM appliance setup on page 25.
2023-02-22 Updated:
• Appendix A: Installation on KVM on page 277
2023-02-23 Updated:
• Launching a secret on page 61
2023-02-24 Updated Backup on page 226 and Sending backup file to a server Example on page 230.
2023-02-27 Updated:
• AntiVirus on page 245
2023-03-01 Updated:
• Events on page 258
2023-03-02 Updated Creating a secret on page 51, Creating a policy on page 86, and Launching a secret on page 61.
Added Supported file types on page 250.
2023-03-20 Updated Troubleshoot using trace files on page 273, FortiPAM HTTP filter on page 275, and Creating an authentication rule on page 180.
Added Troubleshooting on page 273 and Example troubleshooting example on page 274.
Introduction
FortiPAM is a privileged access management solution. FortiPAM solutions are an important part of an enterprise network, providing role-based access, auditing, and security options for privileged users (users that have system access beyond that of a regular user).
FortiPAM delivers the following functionalities:
• Credential vaulting: Users do not need to know the credentials, reducing the risk of credential leaking, as no sensitive data is left on the user system after a session. Passwords are automatically changed.
• Privileged account access control: Users can only access FortiPAM resources based on their roles (standard user or admin user).
  FortiPAM offers secret permission control to access a target server. Admin users can define common policies and a hierarchical approval system for standard users to access sensitive information. FortiPAM also provides options to control risky user activities such as a user attempting to encrypt the disk.
  FortiPAM offers ZTNA tag-based and protocol-based access control (RDP, SSH, VNC, and WEB) and allows access from anywhere, including native web-based access.
• Privileged activity monitoring and recording: FortiPAM can monitor, record, and audit privileged user activities. FortiPAM provides information on sessions, user keystrokes, and mouse events.
FortiPAM concepts
FortiPAM user
Target
A server/device with a privileged account supporting RDP, SSH, Web, or other admin protocols. Target systems include Windows workstations, Windows domain controllers, Web servers, Unix servers, SQL servers, routers, or firewalls.
Secrets
Secrets contain information on login, credentials, and the target server IP address. Secrets are core assets in FortiPAM representing methods and credentials to access target systems in your organization.
Launchers
Launchers help users gain remote access to a target without needing to know, view, or copy the password stored in FortiPAM.
Launchers can invoke client-side software on the FortiPAM user's endpoint, which is software to perform management tasks, e.g., Internet Explorer, PuTTY (SSH), RDP client, and SQL-commander.
Folders
Folders help manage a large number of secrets efficiently by organizing them in a hierarchical view. You can organize customers, computers, regions, branch offices, etc., into folders.
You can quickly look for secrets from the folder tree view.
Granting permissions becomes faster as secrets in a folder share the same permission and policy.
Using the GUI
This section presents an introduction to the graphical user interface (GUI) on your FortiPAM.
The following topics are included in this section:
• Banner on page 11
• Tables on page 16
For information about using the dashboards, see Dashboard on page 32.
Banner
Along the top of each page, the following options are included in the banner:
• Open/close side menu
• Search icon: opens GUI based global search. See GUI based global search on page 11.
• Build number
  In the build number dropdown, select Hide Label to hide the build number.
• CLI console: opens the CLI console. See CLI commands on page 12.
• Help: opens the online help document.
• Notifications: shows the latest notifications.
• Theme: from the dropdown, select one of the available themes.
• Admin: from the dropdown, see the FortiPAM version and build, go to system and configuration, change password, or log out. See Admin on page 12.
GUI based global search
The global search option in the GUI allows users to search for keywords appearing in objects and navigation menus to quickly access the object and configuration page. Click the magnifying glass icon in the top-left corner of the banner to access the global search.
The global search includes the following features:
• Keep a history of frequent and recent searches
• Sort results alphabetically in increasing or decreasing order, or by relevance according to search weight
• Search by category
• Search in Security Fabric members (accessed from the Security Fabric members dropdown menu in the banner)
In this example, searching for the word ZTNA yields the following results:
• ZTNA in System
• ZTNA in Log & Report
CLI commands
FortiPAM has CLI commands that are accessed using SSH or Telnet, or through the CLI console if FortiPAM is installed on a FortiHypervisor.
To open a CLI console, click the >_ icon in the top right corner of the GUI. The console opens on top of the GUI. It can be minimized, and multiple consoles can be opened.
CLI commands can be used to initially configure the unit, perform a factory reset, or reset the values if the GUI is not accessible.
The FortiPAM-VM's console allows scrolling up and down through the CLI output by using Shift+PageUp and Shift+PageDown.
Like FortiOS, the ? key can be used to display all possible options available to you, depending upon where you are hierarchically situated.
Admin
The following actions can only be performed when FortiPAM is in maintenance mode:
• Reboot
• Shutdown
• Uploading a firmware. See Uploading a firmware on page 14.
• Uploading a license. See Licensing on page 30.
• Restoring a configuration. See Backup and restore on page 15.
The Admin dropdown also provides the following options:
• Configuration: backup, restore, see configuration revisions, and run configuration scripts.
• Change Password: opens the Edit Password window where you can change the administrator password.
• Logout: log out of FortiPAM.
Glass breaking mode
The glass breaking mode gives you access to all secrets in the system.
Glass breaking in FortiPAM means extending the user permission to access data that the user is not authorized to access. Typically, user access is controlled by the permissions defined in every secret and folder. In a rare situation, such as a network outage or the remote authentication server becoming unreachable, glass breaking allows you to temporarily access important secrets and target servers to resolve issues.
As a best practice, only a few administrators should have access to the glass breaking mode. Further, the glass breaking mode should only be activated in exceptional situations and for disaster recovery. Email notifications can also be configured to send alerts whenever someone enters glass breaking mode. See Email alert when the glass breaking mode is activated example on page 271.
Under glass breaking mode, all administrator activities should be logged for future audits.
Only a user configured with glass breaking permission can activate the glass breaking mode. The permission is defined when configuring a user role in User Management > Role. See Role on page 117.
When an administrator activates glass breaking mode on FortiPAM, the administrator can bypass normal access control procedures, get access to all folders, secrets, and secret requests, and launch any secret.
To activate the glass breaking mode:
1. From the user dropdown on the top-right, select Activate Glass Breaking Mode in System.
2. Enter a reason for activating the glass breaking mode.
3. Click OK.
The GUI is refreshed, and a red banner is shown on the top: FortiPAM is in glass breaking mode.
To deactivate the glass breaking mode:
1. From the user dropdown on the top-right, select Deactivate Glass Breaking Mode in System.
The GUI is refreshed, and a message appears on the bottom-right: Successfully demoted user.
When you are in the glass breaking mode, FortiPAM enforces video recording on launching a session.
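The audit this section calls for (activations logged, reviewed, and limited to a few administrators) can be automated over the event log. The following is an added example, not code from the FortiPAM guide or product; the key=value log format, the user names, and the authorized-administrator set are all constructed for illustration and must be adapted to the fields your deployment actually emits:

```python
"""Audit glass breaking mode activity from FortiPAM event logs.

Added example; this is not code from the FortiPAM guide or product. The
key=value lines below are a constructed log format for illustration, not
FortiPAM's real log schema, so adapt parse_event() to the fields that your
deployment actually emits.
"""
import shlex
from datetime import datetime, timedelta

# Constructed sample events: two authorized administrators and one user who
# should never hold the glass breaking permission.
SAMPLE_LOG = """\
date=2023-03-20 time=08:00:12 user="alice" action="glass-breaking-activate" reason="RADIUS server unreachable"
date=2023-03-20 time=08:20:40 user="alice" action="glass-breaking-deactivate" reason=""
date=2023-03-20 time=09:05:03 user="mallory" action="glass-breaking-activate" reason="testing"
date=2023-03-20 time=09:06:15 user="mallory" action="glass-breaking-deactivate" reason=""
date=2023-03-20 time=10:30:00 user="bob" action="glass-breaking-activate" reason=""
"""

ACTIVATE = "glass-breaking-activate"
DEACTIVATE = "glass-breaking-deactivate"


def parse_event(line):
    """Parse one key=value line into a dict; double-quoted values are unquoted."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def audit_glass_breaking(log_text, authorized_users, max_minutes=30):
    """Return a list of (finding, user, activation timestamp) tuples.

    Findings:
      unauthorized  activation by a user outside the approved administrator set
      no-reason     activation without the reason the GUI asks for
      too-long      session stayed open longer than max_minutes
      still-open    activated but never deactivated in the log
    """
    findings = []
    open_sessions = {}  # user -> timestamp of the activation still in effect
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, ts = ev["user"], ev["ts"]
        if ev["action"] == ACTIVATE:
            if user not in authorized_users:
                findings.append(("unauthorized", user, ts))
            if not ev.get("reason"):
                findings.append(("no-reason", user, ts))
            open_sessions[user] = ts
        elif ev["action"] == DEACTIVATE:
            started = open_sessions.pop(user, None)
            if started is not None and ts - started > timedelta(minutes=max_minutes):
                findings.append(("too-long", user, started))
    # Anything still open at the end of the log needs a human to look at it.
    for user, started in open_sessions.items():
        findings.append(("still-open", user, started))
    return findings


if __name__ == "__main__":
    for finding in audit_glass_breaking(SAMPLE_LOG, {"alice", "bob"}, max_minutes=15):
        print("%-12s %-8s %s" % finding)
```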
Maintenance mode
When in maintenance mode, select Renew Maintenance Mode in System, enter the new duration and reason, and then click OK to renew the maintenance mode.
When in maintenance mode, select Deactivate Maintenance Mode in System to deactivate the maintenance mode.
Uploading a firmware
To upload a firmware:
2. Go to File Upload:
a. Select Browse, then locate the firmware image on your local computer.
b. Click Open.
3. Click Confirm and Backup Config.
The firmware image uploads from your local computer to the FortiPAM device, which will then reboot. For a short period of time during this reboot, the FortiPAM device is offline and unavailable.
Backup and restore
Fortinet recommends that you back up your FortiPAM configuration to your management computer on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect on the network. You should also perform a backup after making any changes to the FortiPAM configuration.
You can encrypt the backup file to prevent tampering.
You can perform backups manually. Fortinet recommends backing up all configuration settings from your FortiPAM unit before upgrading the FortiPAM firmware.
Your FortiPAM configuration can also be restored from a backup file on your management computer.
Revisions
Configuration scripts
Configuration scripts are text files that contain CLI command sequences. They can be created using a text editor or copied from a CLI console, either manually or using the Record CLI Script function.
Scripts can be used to run the same task on multiple devices.
A comment line in a script starts with the number sign (#). Comments are not executed.
Tables
Many GUI pages contain tables of information that can be filtered and customized to display specific information in a specific way.
Some tables allow content to be edited directly on that table.
Navigation
Some tables contain information and lists that span multiple pages. Navigation controls are available at the bottom of the page.
Filters
Filters are used to locate a specific set of information or content in a table. They can be particularly useful for locating specific log entries. The filtering options vary, depending on the type of information in the log.
Depending on the table content, filters can be applied using the filter bar, using a column filter, or based on a cell's content. Some tables allow filtering based on regular expressions.
Administrators with read and write access can define filters. Multiple filters can be applied at one time.
You can combine multiple filters by selecting + and repeating steps 2 to 5 for every new filter that you require.
Column settings
To select the columns to display:
1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the cursor over the headers.
2. Select columns to add or remove.
3. Click Apply.
To fit all columns to their content:
1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the cursor over the headers.
2. Click Best Fit All Columns.
To reset the table:
1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the cursor over the headers.
2. Click Reset Table.
To sort a column:
1. Click the up or down arrow to arrange the contents of a column in ascending or descending order respectively.
Modes of operation
The proxy mode is more secure than the non-proxy mode as it does not deliver sensitive information to the client machine.
In the proxy mode, the administrator can terminate traffic connections if improper user behavior is detected.
Web SSH, Web RDP, Web VNC, Web SFTP, and Web SMB default launchers always use the proxy mode irrespective of the proxy settings.
• Non-proxy: All the launched traffic is connected directly to the target server without FortiPAM. FortiPAM delivers the credential information to the client machine. The native program (for example, PuTTY) or the web browser connects directly to the server.
  The direct connection (non-proxy) mode or web browsing comes with an added risk of credential leakage. To reduce such risks, this mode is strictly controlled by user permissions.
  Users without sufficient permission cannot access direct mode or web browsing launchers.
• SSH filters
• SSH auto password delivery
• Block RDP clipboard
• RDP security level
PuTTY and WinSCP launchers are not supported when the secret is in non-proxy mode and the secret uses an SSH key for authentication.
The TightVNC launcher is not supported when the secret is in non-proxy mode and requires a username for authentication.
When using launchers in non-proxy mode, launchers may require the environment to be initialized beforehand. You can specify this with init-commands and clean-commands.
Note: Init-commands and clean-commands only run in the non-proxy mode.
To select the mode of operation, see the Proxy Mode option when creating or editing a secret. See Creating a secret on page 51. Alternatively, see the Proxy Mode option when creating or editing a policy. See Creating a policy on page 86.
FortiPAM deployment options
A full FortiPAM solution involves FortiPAM, EMS, and standard FortiClient. When both FortiPAM and FortiClient register to EMS, ZTNA endpoint control is available for secret launching and FortiPAM server access control. Both FortiPAM and the target server are protected by the highest security level.
When EMS is not available, standalone FortiClient is recommended. With standalone FortiClient, native launchers such as PuTTY, RDP, VNC Viewer, Tight VNC, and WinSCP can be used to connect to the target server, and users can take advantage of the functionalities provided by these applications. Also, video recording of user activity on the target server is sent to FortiPAM in real time.
If FortiClient is not available, e.g., for a user with a Linux or MacOS system, a Chrome and Edge extension called FortiPAM Password Filler is available on the Chrome Web Store and Microsoft Edge Add-ons. On this extension-only setup, web-based launchers and web browsing are supported. The extension can record user activities on the target server.
On a system without FortiClient and the browser extension, the user can still log in to FortiPAM and use the web-based launchers. However, all other features mentioned above are not available.
1. If EMS (7.2.0 or later) is available:
   a. EMS Server: Enable Privilege Access Management:
      i. Navigate to Endpoint Profiles > System Settings.
      ii. Edit the Default System Setting Profiles.
      iii. Navigate to Deployment & Installers > Manage Deployment and apply the FortiClient installer package to the selected endpoint groups.
   b. Windows: Download standard FortiClient (7.2.0 or later), and enable the "ZTNA" and "PAM" functions during the installation. Full FortiPAM features are then supported.
      After FortiClient registers to EMS, EMS can automatically deploy the configured FortiClient version to the Windows PC.
   c. Linux and MacOS: Install the FortiPAM Password Filler extension from the Chrome Web Store or follow the FortiPAM GUI prompt. Then use web-based launchers or the web launcher to access the target server.
      Note: ZTNA and native launchers are not supported on extension-only systems.
2. If EMS (7.2.0 or later) is not available:
   a. Windows: After downloading and installing standalone FortiClient (7.2.0 or later) manually, most PAM features are supported.
      Note: A standalone installer contains PAM in its filename, such as FortiClientPAMSetup_7.2.0.0xxx_x64.exe.
      Note: ZTNA is not supported.
   b. Linux and MacOS: Install the FortiPAM Password Filler extension from the Chrome Web Store or follow the FortiPAM GUI prompt. Then use web-based launchers or the web launcher to access the target server.
      Note: ZTNA and native launchers are not supported on extension-only systems.
3. If FortiClient is not available (extension-only):
   a. Windows: Install the FortiPAM Password Filler extension from the Chrome Web Store or Microsoft Edge Add-ons. Then use web-based launchers or the web launcher to access the target server.
      Note: ZTNA and native launchers are not supported on extension-only systems.
   b. Linux and MacOS: Install the FortiPAM Password Filler extension from the Chrome Web Store or follow the FortiPAM GUI prompt. Then use web-based launchers or the web launcher to access the target server.
      Note: ZTNA and native launchers are not supported on extension-only systems.
Note: Chrome or Edge web browsers are suggested for use as there are some limitations on Firefox extension-only deployment.
Feature availability
The following table lists FortiPAM 1.0.0 feature availability based on the type of deployment being used. The four deployment types are those described in FortiPAM deployment options on page 19: FortiClient registered to EMS, standalone FortiClient, the FortiPAM Password Filler extension only, and no FortiClient or extension (web-based launchers only).

Feature | EMS + FortiClient | Standalone FortiClient | Extension only | No FortiClient or extension
Windows OS | ✓ | ✓ | ✓ | ✓
Linux OS | X | X | ✓ | ✓
MacOS | X | X | ✓ | ✓
ZTNA | ✓ | X | X | X
Web-based launchers, i.e., Web-SSH, Web-RDP, Web-VNC, Web-SFTP, and Web-SMB (only supports proxy mode; credential protected in FortiPAM) | ✓ | ✓ | ✓ | ✓
Video recording | ✓ | ✓ | ✓ | X
Instant video uploading | ✓ | ✓ | X | X
FortiPAM installation
This chapter provides basic setup information for getting started with your FortiPAM.
On Windows, the user may install FortiClient, which includes fortivrs as a recording daemon, fortitcs as a ZTNA daemon, and a Chrome extension. With FortiClient installed, privileged activity recording can be supported. Without it, only web mode can be supported.
See Installing FortiClient with the FortiPAM feature on page 24 and FortiPAM appliance setup on page 25.
Installing FortiClient with the FortiPAM feature
To install FortiClient:
Ensure that the ZTNA and PAM features are enabled during installation.
Ensure that no other FortiClient version is installed. If another FortiClient version has already been installed, it should first be uninstalled before installing the FortiPAM version. See Uninstalling FortiClient.
3. Reboot the PC.
Chrome, Firefox, and Edge can automatically install FortiPAM Password Filler in addition to the fortivrs and fortitcs daemons.
Uninstalling FortiClient
To uninstall FortiClient:
FortiPAM appliance setup
Before using FortiPAM-VM, you need to install the KVM or the VMware application to host the FortiPAM-VM device. The installation instructions for FortiPAM-VM assume you are familiar with KVM or the VMware products and terminology.
Administrators need to configure a dedicated FortiPAM video disk for video recording.
Two hard disks and two virtual network interface cards need to be added to the VM in VM manager before FortiPAM image installation.
See Appendix A: Installation on KVM on page 277.
set order 2
set partition "PAMVIDEOB471724F"
set device "/dev/vdb1"
set size 20029
set usage video
next
end
3. Enter the following CLI commands to set up FortiPAM:
config system interface
edit "port1"
set ip 172.16.x.x/x #Depending on your network setting
set allowaccess ssh https http
set type physical
set snmp-index 1
next
edit "port2"
set ip x.x.x.x/x
set allowaccess ssh https http
set type physical
set snmp-index 2
next
end
config router static
edit 1
set gateway x.x.x.x
set device "port1"
next
end
4. FortiPAM requires a license. To upload a license, see Licensing on page 30.
If the network layout is unable to resolve the correct external FortiGuard server after an external DNS server is set,
enter the following commands:
config system fortiguard
set fortiguard-anycast disable
unset update-server-location
unset sdns-server-ip
end
Optionally, enter the following commands to use the external FortiGuard server in case the FortiGuard server
cannot be correctly resolved:
config system central-management
config server-list
edit 1
set server-type update rating
set server-address <addr>
next
end
set include-default-servers disable
end
5. To improve security, disable HTTP on the physical interface:
config system interface
edit "port1"
set allowaccess ssh
next
edit "port2"
set allowaccess ssh
next
end
6. Enter the following CLI commands to configure the firewall.
The CLI commands are used to allocate a static IP address as the virtual IP address for FortiPAM. The static IP
address is used as FortiPAM GUI server IP address.
config firewall vip
edit "fortipam_vip"
set type access-proxy
set extip 172.16.xxx.xxx #use an externally visible virtual IP address that can be the same as the port1 interface
set extintf "any"
set server-type https
set extport 443
set ssl-certificate "Fortinet_SSL"
next
end
7. On a web browser, go to https://172.16.xxx.xxx to access FortiPAM GUI using the virtual IP address.
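A way to verify steps 5 and 6 before exposing the appliance, as an added example that is not code from the FortiPAM guide or product: it parses the config / edit / set / next / end block syntax shown above and flags interfaces that still allow cleartext management, and an access-proxy VIP that is not HTTPS on port 443 with a certificate. The sample configuration, its IP addresses, and the telnet check are assumptions, not taken from the guide.

```python
"""Lint a FortiPAM CLI configuration fragment for the hardening step above.

Added example; this is not code from the FortiPAM guide or product. It parses
the config / edit / set / next / end block syntax used in the setup steps and
flags interfaces that still allow cleartext management (the http that step 5
removes, and telnet for the same reason) and access-proxy VIPs that are not
HTTPS on port 443 with a certificate. Both sample configs are constructed.
"""
import shlex

# Constructed: the step 3 interfaces plus the step 6 VIP, before hardening.
BEFORE = """\
config system interface
    edit "port1"
        set ip 172.16.10.5/24 #Depending on your network setting
        set allowaccess ssh https http
        set type physical
    next
    edit "port2"
        set ip 10.0.0.5/24
        set allowaccess ssh https http
        set type physical
    next
end
config firewall vip
    edit "fortipam_vip"
        set type access-proxy
        set extip 172.16.10.5
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end
"""

# Constructed: the same configuration after step 5 (only SSH on the ports).
AFTER = BEFORE.replace("set allowaccess ssh https http", "set allowaccess ssh")

CLEARTEXT = {"http", "telnet"}


def parse_cli(text):
    """Parse FortiOS-style CLI into nested dicts: {config: {entry: {key: values}}}.

    A 'config' block nested inside an 'edit' entry is stored under the entry
    using the block name as its key. Text after '#' is treated as a comment.
    """
    root = {}
    stack = [root]  # the container that 'set' currently writes into
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def lint_config(text):
    """Return a sorted list of (object name, finding) tuples; empty means clean."""
    cfg = parse_cli(text)
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        for proto in sorted(CLEARTEXT & set(iface.get("allowaccess", []))):
            findings.append((name, "allowaccess permits cleartext " + proto))
    for name, vip in cfg.get("firewall vip", {}).items():
        if vip.get("type") != ["access-proxy"]:
            continue  # only the GUI access-proxy VIP is in scope here
        if vip.get("server-type") != ["https"]:
            findings.append((name, "access-proxy VIP is not served over https"))
        if vip.get("extport") != ["443"]:
            findings.append((name, "access-proxy VIP is not on port 443"))
        if not vip.get("ssl-certificate"):
            findings.append((name, "access-proxy VIP has no ssl-certificate"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("before step 5", BEFORE), ("after step 5", AFTER)):
        print(label + ":", lint_config(text) or "clean")
```

Run it against a `show` dump of the appliance rather than the constructed text to check the live configuration.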
FortiPAM with TPM
FortiPAM supports TPM (Trusted Platform Module) to improve protection for secret credentials.
If FortiPAM is a VM instance, the vTPM (virtual TPM) package must be installed, and vTPM must then be enabled. See Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM on page 285.
The key must be the same for data restoration between the source FortiPAM and the destination FortiPAM.
To disable TPM:
Licensing
FortiPAM configured with less than 2 CPUs and 2048 MB of RAM works in the evaluation mode until licensed. Otherwise, a valid license is required.
After placing an order for FortiPAM-VM, a license registration code is sent to the email address used in the order form. Use the license registration code provided to register the FortiPAM-VM with FortiCloud.
Upon registration, download the license file. You will need this file to activate your FortiPAM-VM. You can configure basic network settings from the CLI to complete the deployment. Once the license file is uploaded, the CLI and GUI are fully functional.
1. Go to FortiCloud and create a new account or log in with an existing account.
The Asset Management portal opens.
2. On the Asset Management portal, click Register Now to register FortiPAM.
3. Provide the registration code:
a. Enter a registration code.
b. Choose your end user type as either a government or non-government user.
c. Click Next.
4. The Fortinet Product Registration Agreement page displays. Select the check box to indicate that you have read,
understood, and accepted the service contract. Click Next.
5. The Verification page displays. Select the checkbox to indicate that you accept the terms. Click Confirm.
Registration is now complete and your registration summary is displayed.
6. On the Registration Complete page, download the license file (.lic) to your computer.
You will upload this license to activate the FortiPAM-VM.
Note: After registering a license, Fortinet servers can take up to 30 minutes to fully recognize the new license. When you upload the license file to activate the FortiPAM-VM, if you get an error that the license is invalid, wait 30 minutes and try again.
You must be in maintenance mode to be able to upload a license. See Maintenance mode in Admin on page 12.
Use the https prefix with the FortiPAM IP address to access the FortiPAM-VM GUI.
2. In the Upload License File pane, select Upload and browse to the license file on your management computer.
3. Click OK.
4. After the boot up, the license status changes to valid.
Use the CLI command get system status to verify the license status.
Dashboard
The Dashboard page displays widgets that provide performance and status information, allowing you to configure some basic system settings. These widgets appear on a single dashboard.
When you select the vertical ellipsis option next to a dashboard, the following actions are available:
• Add Menu Shortcut: Select to add the selected dashboard to Menu Shortcuts.
The dashboard includes the following widgets:
• System Information: Displays basic information about the FortiPAM system including host name, serial number, firmware version, mode, system time, uptime, and WAN IP address. From this widget you can manually update the FortiPAM firmware to a different release. See Uploading a firmware on page 14 and System information widget on page 36. You can also configure system settings using this widget. For information on system settings, see Settings on page 182.
• Licenses: Displays the status of your license and FortiGuard subscriptions. See Licenses widget on page 37.
• Virtual Machine: Displays license information, number of allocated vCPUs, and how much RAM has been allocated. See VM license on page 38.
• CPU: The real-time CPU usage is displayed for different time frames. Select the time frame from the dropdown at the top of the widget. Hovering over any point on the graph displays the average CPU usage along with a time stamp. To see per core CPU usage, select the CPU widget and click Show per core CPU usage.
• Memory: Real-time memory usage is displayed for different time frames. Select the time frame from the dropdown at the top of the widget. Hovering over any point on the graph displays the percentage of memory used along with a time stamp.
• Proxy Sessions: Displays how many proxy sessions are active. Select the time frame from the dropdown at the top of the widget. Hovering over any point on the graph displays the number of proxy sessions with a time stamp.
• Log Rate: Displays the real-time log rate. Select the time frame from the dropdown at the top of the widget. See Log settings on page 267.
• Bandwidth: Displays the real-time incoming and outgoing traffic bandwidth for the selected interface. Select the time frame from the dropdown at the top of the widget. Hovering over any point on the graph displays the bandwidth with a time stamp.
Adding a custom dashboard
You can add the Interface Bandwidth widget to monitor the real-time incoming and outgoing traffic bandwidth of the selected interface over the selected time frame.
You can add the following System widgets to the Dashboard:
• License Status: Status of various licenses, such as FortiCare Support and IPS.
• System Information: General system information of the FortiPAM including hostname, serial number, and firmware version.
You can add the following Resource Usage widgets to the Dashboard:
• CPU Usage: Real-time CPU usage over the selected time frame.
• Log Rate: Real-time log rate over the selected time frame.
• Memory Usage: Real-time memory usage over the selected time frame.
• Proxy Session: Real-time number of proxy sessions over the selected time frame.
Note: Options in Time period and Sort by may vary depending on the widget you intend to add.
• 1 hour
• 24 hours
• Events
Widget actions
All or some of the following actions are available for a widget when you click the vertical ellipsis option for a widget:
• Resize: Select and then select the number of squares you want to extend the widget to.
• Settings: Select and then, in Edit Dashboard Widget - Widget Name, specify the Fabric Member, interface (if available), and click OK.
  Select from the following options:
  • Default: Uses the current fabric member.
Select the pin icon on a widget to expand and pin hidden content.
System information widget
The system dashboard includes a System Information widget, which displays the current status of FortiPAM and enables you to configure basic system settings.
• Host Name: The identifying name assigned to this FortiPAM unit. For more information, see Changing the host name on page 36.
• Firmware: The version and build number of the firmware installed on FortiPAM. To update the firmware, you must download the latest version from FortiCloud. See Uploading a firmware on page 14.
• System Time: The current date and time according to the FortiPAM unit's internal clock. For more information, see Configuring the system date, time, and time zone on page 37.
• Uptime: The duration of time FortiPAM has been running since it was last started or restarted.
• WAN IP: The WAN IP address and location. Additionally, if the WAN IP is blocked in the FortiGuard server, there is a notification in the notification area, located in the upper right-hand corner of the Dashboard. Clicking on the notification opens a window with the relevant blocklist information.
Configuring the system date, time, and time zone
You can either manually set the FortiPAM system date and time, or configure the FortiPAM unit to automatically keep its system time correct by synchronizing with an NTP server.
6. In Sync interval, enter how often, in minutes, that the device synchronizes time with the NTP server.
7. Click Apply to save changes.
Licenses widget
The Licenses widget displays the statuses of your licenses and FortiGuard subscriptions. It also allows you to update your device's registration status and FortiGuard definitions.
Hovering over the Licenses widget displays status information for Subscription License, FortiCare Support, Firmware & General Updates, AntiVirus, and FortiToken.
VM license
Click on the Virtual Machine widget and then select FortiPAM VM License.
The FortiPAM VM License page displays whether the license is valid or not, the allocated vCPUs, RAM, and the license expiry date.
You must be in maintenance mode to be able to upload a license. See Maintenance mode in Admin on page 12.
Folders
Folders are the containers of secrets. Folders help you organize customers, computers, regions, branch offices, etc.
Before you create any secret, you should choose a folder where the secret is added.
You can organize your folders as trees. With folders, granting permissions is simplified as all the secrets in a folder share permissions.
Each folder can grant a different permission level to each user or user group. A folder may be set to one of the following permission levels:
• View: Ability to view secrets and subfolders in a folder.
• Add: Ability to create new secrets and subfolders.
• Edit: Ability to create/edit secrets, subfolders, and the folder itself.
• Owner: The highest possible permission level with the ability to create, edit, delete, and move secrets, subfolders, and the folder itself.
The following shows a folder with the list of available secrets:
• Create: From the dropdown, create a secret or a folder. See Creating a secret on page 51 and Creating a folder on page 42.
• Move: Move a subfolder or a secret to a different folder. See Moving a subfolder on page 40 and Moving a secret to a different folder on page 40.
• Launch Secret: Launch the selected secret. See Launching a secret on page 61.
• Make Request: Make a request to launch the selected secret. See Make a request on page 143.
• Search: Enter a search term in the search field, then hit Enter to search the folders list. To narrow down your search, see Column filter.
• Remove Folder
• Add Favorite
• Remove Favorite
Opening a folder
Before opening a folder, ensure that your account has sufficient permission to view folders.
To open a folder:
Moving a subfolder
Before moving a subfolder, ensure that your account has sufficient permission to move subfolders.
To move a subfolder:
Moving a secret to a different folder
Before moving a secret, ensure that your account has sufficient permission to move secrets.
To move a secret:
Before editing a folder or a secret, ensure that your account has sufficient permission to edit folders and secrets.
The options when editing a folder or a secret are the same as when creating a folder or a secret.
Before deleting a folder or a secret, ensure that your account has sufficient permission to delete folders or secrets.
Adding a favorite
To add a favorite:
Creating a folder
To create a folder:
You can create a folder in an existing folder or select Root to create a root folder.
Parent Folder From the dropdown, select a parent folder or select Create to create a new
parent folder.
Inherit Policy Enable to inherit the policy that applies to the parent folder.
Secret Policy From the dropdown, select a policy that applies to the folder or select Create to
create a new policy.
See Creating a policy on page 86.
Folder Permission
Inherit Permission Enable to inherit permission from the parent folder.
Note: The setting can only be disabled if you have the Owner permission.
Also, the setting cannot be disabled for any subfolder of the personal folder,
i.e., the folder generated for every user.
User Permission The level of user access to the folder and secrets in the folder. See User
Permission on page 45.
5. Click Submit.
User Permission
1. In step 4 when Creating a folder, select Create in User Permission when Inherit Permission is disabled.
The New User Permission window opens.
Users Select + and from the list, select users in the Select Entries window.
1. From the Select Entries window, select Create and then select +User
Definition.
The New User Definition wizard opens.
2. Follow the steps in Creating a user on page 102, starting step 2 to create
a new user.
l List: Ability to list secrets. You cannot see detailed information on secrets.
l View: Ability to view secret details and launch a secret.
l Edit: Ability to create/edit secrets and launch the secrets.
l Owner: The highest possible permission level with the ability to create,
edit, delete, move, and launch secrets.
3. Click OK.
From the list, select a user permission and then select Edit to edit the user permission.
From the list, select user permissions and then select Delete to delete the user
permissions.
Group Permission
1. In step 4 when Creating a folder, select Create in Group Permission when Inherit Permission is disabled.
The New Group Permission window opens.
Groups Select + and from the list, select user groups in the Select Entries window.
Use the pen icon next to the user group to edit it.
l List: Ability to list secrets. You cannot see detailed information on secrets.
3. Click OK.
From the list, select a user group permission and then select Edit to edit the user group
permission.
From the list, select user group permissions and then select Delete to delete the user
group permissions.
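The following Python model is an added example written for this guide's description of folder permissions; it is not FortiPAM code. It assumes the four user-permission levels form an ordered ladder (List < View < Edit < Owner), that a folder with Inherit Permission enabled takes its user and group entries from the nearest ancestor that does not inherit, and that a user's effective level is the highest level granted to the user directly or through any of the user's groups; that combination rule is an assumption, since the guide does not say how user and group grants combine. The folder names and users are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence

# Ordered ladder of user/group permission levels from the guide (lowest first).
LEVELS = ("List", "View", "Edit", "Owner")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Minimum level needed per action, taken from the level descriptions above.
REQUIRED = {
    "list": "List",
    "view": "View",
    "launch": "View",
    "create": "Edit",
    "edit": "Edit",
    "delete": "Owner",
    "move": "Owner",
}


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    inherit_permission: bool = True          # default in the New Folder dialog
    personal: bool = False                   # the folder generated for every user
    user_perms: Dict[str, str] = field(default_factory=dict)   # user -> level
    group_perms: Dict[str, str] = field(default_factory=dict)  # group -> level

    def permission_source(self) -> "Folder":
        """Walk up the tree while Inherit Permission is enabled."""
        folder = self
        while folder.inherit_permission and folder.parent is not None:
            folder = folder.parent
        return folder

    def is_under_personal(self) -> bool:
        ancestor = self.parent
        while ancestor is not None:
            if ancestor.personal:
                return True
            ancestor = ancestor.parent
        return False


def effective_level(folder: Folder, user: str, groups: Sequence[str] = ()) -> Optional[str]:
    """Highest level granted to the user directly or via a group (assumed rule)."""
    source = folder.permission_source()
    granted = []
    if user in source.user_perms:
        granted.append(source.user_perms[user])
    granted.extend(source.group_perms[g] for g in groups if g in source.group_perms)
    if not granted:
        return None
    return max(granted, key=RANK.__getitem__)


def can(folder: Folder, user: str, groups: Sequence[str], action: str) -> bool:
    """True if the user's effective level reaches the level the action needs."""
    level = effective_level(folder, user, groups)
    return level is not None and RANK[level] >= RANK[REQUIRED[action]]


def can_disable_inherit(folder: Folder, user: str, groups: Sequence[str] = ()) -> bool:
    """Inherit Permission may only be turned off by an Owner, and never on a
    subfolder of the personal folder (both rules from the guide's note)."""
    if folder.is_under_personal():
        return False
    return effective_level(folder, user, groups) == "Owner"


if __name__ == "__main__":
    # Constructed sample tree: Root has explicit grants, Prod inherits them.
    root = Folder("Root", inherit_permission=False,
                  user_perms={"alice": "Owner"}, group_perms={"ops": "View"})
    prod = Folder("Prod", parent=root)
    print(effective_level(prod, "bob", ["ops"]), can(prod, "bob", ["ops"], "delete"))
```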
The user names and passwords or keys of servers can be stored securely in FortiPAM as secrets. A secret contains the
login information, the credentials, and the target server IP address; end users use the secret to access the server.
In FortiPAM, the actual credentials are protected, and FortiPAM users cannot access them except in the cases
described below. Login credentials can be changed automatically or manually for different use cases.
User names and passwords of a domain controller can also be stored securely in FortiPAM secrets.
Users with the following permission can view secret passwords on the GUI:
l Owner of the secret
l Editor of the secret
A viewer of the secret cannot see the secret password on the GUI.
Components:
l Servers: the servers that end users need to access.
l FortiClient: records privileged activity and sets up the ZTNA tunnel in proxy mode.
l FortiPAM: acts as a back-to-back user agent to access the target website in proxy mode.
Besides client mode launch for secrets, FortiPAM also supports browser mode where no client
software is required.
Secret list
For each secret, the name, last password verification, folder, template, description, and references are shown.
The Last Password Verification column gives an overview of the secret password status.
Create Select to create a new secret. See Creating a secret on page 51.
Upload Select and then select Upload Secret to upload secrets using the secret upload
template file, or download the secret upload template by selecting Download
Template.
See Uploading secrets using the secret upload template on page 63.
Add favorite Select to add the selected secret to the favorite folder.
Remove favorite Select to remove the selected secret from the favorite folder.
Launch Secret Launch the selected secret. See Launching a secret on page 61.
Make Request Make a request to launch or perform a job on the secret. See Make a request on
page 143.
Search Enter a search term in the search field, then hit Enter to search the secrets list.
To narrow down your search, see Column filter.
Not all options are available for every secret. The options depend on how the secret has been set
up; e.g., the Make Request option is only available when the secret has Requires Approval to
Launch Secret enabled.
Creating a secret
To create a secret:
The folder is already selected if you are creating a secret from inside a folder.
5. To switch to either Service Setting or Secret Permission tab, select the tab.
Folder The folder where the secret is added. See Folders on page 39.
Associated Secret Enable and then from the dropdown, select an associated secret for the new
secret being created.
When enabled, changing password or verifying password requires credentials
from the associated secret.
Note: The option is disabled by default.
Fields Select a field in the table and then select edit to add a value.
Secret Settings
Some settings may not be configurable as they are protected by the policy that applies to
the folder where the secret is added.
The owner of the secret must configure password verification and change settings
before the secret utilizes the password changer and password verification. However, a
user can manually trigger these actions if they have sufficient permissions.
Recurrence From the dropdown, select from the following three frequencies of recurrence:
l Daily
l Weekly
l Monthly
Repeat every The number of days/weeks/months after which the password is changed (1-
400).
Occurs on Select from the following days of the month when the password is
automatically changed:
l First
l Second
l Third
l Last
l Last Day
l Day
When you select Day, select + to add days of the month when the password is
automatically changed.
Select days of the week when the password is automatically changed.
Note: The option is only available when Recurrence is set as Weekly or
Monthly.
Automatic Password Verification Enable/disable automatic password verification.
When enabled, the password changer for the secret periodically verifies the
password and checks that the target server is still available.
Interval (min) The time interval at which the secret passwords are tested for accuracy, in
minutes (default = 60, 5 - 44640).
Start Time The date and time when the Interval(min) begins.
Enter date (MM/DD/YYYY) and time or select the Calendar icon and then
select a date and time.
Session Recording Enable/disable session recording.
When enabled, user action performed on the secret is recorded.
The video file is available in the log for users with appropriate
permission.
secret password.
l Web launcher is disabled for users who do not have the permission to
view the secret password.
When disabled, the non-proxy (direct) mode is used. See Modes of operation
on page 18.
In the non-proxy mode:
l Web launcher is available to users who have the permission to view the
secret password.
l Web launcher is disabled for users who do not have the permission to
view the secret password.
At a given time, only one user can check out a secret. Other
approved users must wait for the secret to be checked in or
wait for the checkout duration to lapse before accessing the
secret.
Use the pen icon next to the approval profile to edit it.
See Make a request on page 143 and Approval flow on page 147.
Requires Approval to When enabled, users are forced to request permission from the approvers
Launch Job defined in approval profile before being able to perform a job on a secret.
From the dropdown, select an approval profile.
Use the pen icon next to the approval profile to edit it.
See Make a request on page 143 and Approval flow on page 147.
Service Settings
Turn on/off the service settings.
You can individually toggle on or off each service, controlling whether or not FortiPAM is
allowed to use the specific service to connect to the secret.
The port used by each service specified in the template can also be overridden to use a
custom port specific to the secret.
Port Use the template default port or disable and enter a port number.
SSH Filter Enable/disable using an SSH filter profile. See SSH filter profiles on page 91.
SSH Filter Profile From the dropdown, select an SSH filter profile.
Note: The option is only available when SSH Filter is enabled.
RSA Sign Algorithm To improve compatibility with different SSH servers, select a signing algorithm
for RSA-based public key authentication:
l RSA SHA-256 signing algorithm
By default, a secret's permissions are the same as those of the folder where it is located.
When customizing secret permissions, ensure that you log in with an account that has Owner or
Edit permission on the secret or on the folder where the secret is located.
Only permitted devices with the selected tags are allowed to launch.
Device Match Logic Define the match logic for the device tags:
l OR: Devices with any of the selected tags are allowed to launch.
User Permission The level of user access to the secret. See User Permission on page 59.
7. Click Submit.
See Launching a secret on page 61 and Example secret configurations example on page 68.
User Permission
Users Select + and from the list, select users in the Select Entries window.
1. From the Select Entries window, select Create and then select +User
Definition.
The New User Definition wizard opens.
2. Follow the steps in Creating a user on page 102, starting step 2 to create
a new user.
l List: Ability to list secrets. You cannot see detailed information on secrets.
l View: Ability to view secret details and launch a secret.
l Edit: Ability to create/edit secrets and launch the secrets.
l Owner: The highest possible permission level with the ability to create,
edit, delete, and launch secrets.
3. Click OK.
From the list, select a user and then select Edit to edit the user.
From the list, select users and then select Delete to delete the users.
Group Permission
Groups Select + and from the list, select user groups in the Select Entries window.
l List: Ability to list secrets. You cannot see detailed information on secrets.
l View: Ability to view secret details and launch a secret.
l Edit: Ability to create/edit secrets and launch the secrets.
l Owner: The highest possible permission level with the ability to create,
edit, delete, and launch secrets.
3. Click OK.
From the list, select a user group and then select Edit to edit the user group.
From the list, select user groups and then select Delete to delete the user groups.
Launching a secret
To launch a secret:
If the secret does not show up, it may be because you do not have the necessary
permission to access the secret or the folder where the secret is located.
Chrome, Edge, and Firefox have extensions to support video recording for browser-based
launchers.
When using file launchers, the following two security features can be enabled in a secret:
Note: Examples of a file launcher include WinSCP, Web SMB, and Web SFTP.
a. By assigning an antivirus profile to a secret, the user is protected from downloading viruses and the server
is protected from viruses being uploaded. See the Antivirus Scan option in Creating a policy on page 86 and
Creating a secret on page 51. Also, see AntiVirus on page 245.
b. By assigning a DLP sensor to a secret, the server is protected from sensitive information being uploaded
to or downloaded from the server. See Data loss prevention (DLP) protection for secrets on page 248.
5. After the session is finished, close the launcher.
See Check out and check in a secret on page 62.
When launching a secret with the Windows Domain Account template, you can input any IP address as the target secret.
A blocklist or allowlist improves security by blocking, or allowing only, preconfigured IP addresses.
Notes:
l If address-blacklist is set, the IP addresses in <address> are blocked. All other IP addresses are allowed.
l If address-whitelist is set, only the IP addresses in <address> are allowed. All other IP addresses are blocked.
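As an added example (not FortiPAM code), the following Python function applies the address-blacklist and address-whitelist rules above to a target address entered at launch time. It assumes the lists may contain CIDR ranges as well as single addresses, that the allowlist takes precedence if both lists are set, and that an address that does not parse is rejected; the sample lists and targets are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _parse(entries: Optional[Iterable[str]]) -> Optional[List[Network]]:
    """Turn a list of addresses or CIDR prefixes into network objects.
    An unset list is represented by None; an empty list counts as unset."""
    if not entries:
        return None
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def launch_allowed(target: str,
                   blocklist: Optional[Iterable[str]] = None,
                   allowlist: Optional[Iterable[str]] = None) -> bool:
    """Decide whether a target address entered for a Windows Domain Account
    launch is permitted.

    Rules from the guide: a set blocklist denies the listed addresses and
    permits everything else; a set allowlist permits only the listed
    addresses. Assumptions made here: the allowlist takes precedence when
    both are set, an unparsable target is rejected, entries may be CIDR
    ranges, and a v4 address never matches a v6 entry (or vice versa)."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False                      # not an IP address at all
    allow_nets = _parse(allowlist)
    block_nets = _parse(blocklist)
    if allow_nets is not None:
        return any(addr in net for net in allow_nets)
    if block_nets is not None:
        return not any(addr in net for net in block_nets)
    return True                           # neither list set: any address is accepted


if __name__ == "__main__":
    # Constructed sample lists and targets.
    print(launch_allowed("10.0.5.20", blocklist=["10.0.5.0/24"]))                # False
    print(launch_allowed("192.168.1.7", blocklist=["10.0.5.0/24"]))              # True
    print(launch_allowed("10.0.5.20", allowlist=["10.0.5.20", "10.0.6.0/24"]))   # True
```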
Checking out a secret gives you exclusive access to the secret for a limited time.
Checking in a secret allows other approved users to access the secret.
If the secret does not show up, it may be because you do not have the necessary
permission to access the secret or the folder where the secret is located.
If the Check-out Secret button does not show up, it may be because another user has
checked out the secret. At a given time, only one user can check out a secret. Other
approved users must wait for the secret to be checked in or wait for the checkout duration
to lapse before accessing the secret.
See Requires Checkout option when Creating a secret on page 51.
To check in a secret:
On the Secret List page, the upload secrets feature provides a convenient and fast way to import multiple secrets into
FortiPAM at once. You first download the secret upload file template from FortiPAM, enter secret-related information
such as Secret Template, Target Address, Account Name, and Account Password into the file, and then import the file into
FortiPAM. All the secrets in the file are added to FortiPAM automatically.
Windows Domain Account, Unix Account (SSH Password), and Windows Machine secret
templates are supported.
Change password
You can also set up a secret to automatically change the password by enabling Automatic
Password Changing when creating or editing a secret.
See Automatic password changing on page 162.
To be able to successfully change the password manually, the password must follow
password requirements set in Password policies on page 152.
5. If the password changer failed to change the password last time, it reuses the previously attempted password if it
has not been reset.
In Reuse attempted password, select Yes to reuse the last attempted password that failed or select No to generate
a new password.
If you selected No in Reuse attempted password, select Randomly to generate a new password automatically or
select Customized to enter the password manually.
6. Click OK.
Once the password has changed, Password Changer Status shows the date and time when the password was
changed and its status.
Credential History
FortiPAM retains any previous credentials that have been used by the secret before. These credentials appear in the
Credential History tab in the secret page. If the last password change failed, FortiPAM retains the last credential that was
tried. You can use the credential history to restore the secret password if the credential on the remote server and
FortiPAM are out of sync.
When editing a secret, go to the Credential History tab to see a history of changes made to the password.
To configure Windows to allow FortiPAM to change its local user password by SAMBA:
Verify password
On FortiPAM, you can verify the password in a secret manually to check its accuracy, and confirm if the target server is
reachable.
You can also set up a secret to automatically verify the password by enabling Automatic
Password Verification when creating or editing a secret.
See Automatic password verification on page 163.
When ED25519 is selected as the encryption algorithm, Bits are not required.
d. Passphrase, if any
5. Ensure that proxy is enabled in the Secret Setting pane.
An SSH key can only be launched when the secret has Enable Proxy checked.
6. Click Submit.
If using an AWS-VM, ensure that RSA Sign Algorithm is set to RSA SHA-256 signing algorithm in the Service
Setting tab.
Secret launchers
Secret launchers allow users to remotely gain access to a target without the need to know, view, or copy the passwords
stored in FortiPAM.
A secret launcher stores an executable and the parameters needed to start a connection to a
target.
In proxy mode, browsing triggers a ZTNA tunnel between FortiClient and the FortiPAM server.
The FortiPAM chrome extension may have compatibility issues for some specific login pages
and cannot fill in the user name and password.
For each secret launcher, the name, type, executable, parameter, and references are displayed.
The TightVNC client does not support connecting to a macOS server in non-proxy mode.
Web SSH, Web RDP, Web VNC, Web SFTP, and Web SMB default launchers always work in
proxy mode irrespective of the Proxy Mode setting.
PuTTY and WinSCP launchers are not supported when the secret is in non-proxy mode, and
the secret uses an SSH key for authentication.
TightVNC launcher is not supported when the secret is in non-proxy mode and requires a
username for authentication.
l PuTTY
l WinSCP
l RDP
l VNC Viewer
l TightVNC
In non-proxy mode, the following launchers are available to all users:
l Web SSH (always in proxy mode)
l Web RDP (always in proxy mode)
l Web VNC (always in proxy mode)
l Web SFTP (always in proxy mode)
l Web SMB (always in proxy mode)
In non-proxy mode, the following launchers are only available to users with the permission to view secret password:
l PuTTY
l WinSCP
l RDP
l VNC Viewer
l TightVNC
l Web launcher is disabled for users who do not have the permission to view the secret.
Search Enter a search term in the search field, then hit Enter to search the launchers list.
To narrow down your search, see Column filter.
Creating a launcher
To create a launcher:
Executable The program file name, e.g., putty.exe for an SSH client.
Parameter The command line parameters from the Available Variables list.
Valid field variables are:
l $DOMAIN
l $HOST
l $USER
l $PASSWORD
l $VNCPASSWORD
l $PASSPHRASE
l $PUB_KEY
l $PRI_KEY
l $URL
l $PORT
l $TMPFILE
Example:
For putty.exe as the Executable, -l $USER -pw $PASSWORD $HOST are the parameters.
For putty.exe as the Executable for SSH execution, -l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt
or
-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\" are the parameters.
For the full path of a file, use the escape character double backslash (\\) for the -m parameter.
Note:
When there is no space in the path, double quotes are not necessary:
-l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt
When there is a space in the path, double quotes must be used with a backslash:
-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\"
Initial Commands
Configure initializing the environment. See Creating a new launcher command on page 76.
Clean Commands
Configure cleaning the environment. See Creating a new launcher command on page 76.
5. Click Submit.
Non-proxy environment
When using launchers with non-proxy mode, launchers may require the environment to be initialized beforehand. You
may specify this with init-commands and clean-commands.
Note: Init-commands and clean-commands only run in the non-proxy mode.
1. In step 3 when Creating a secret launcher, select Create in the Initial Commands or Clean Commands pane.
The New Launcher Command window opens.
3. Click OK.
l Select the command from the list and then select Edit to edit it.
l Select command(s) from the list and then select Delete to delete them.
You can create launchers to be used as file launchers for SSH clients, SMB over the Web,
SFTP over the Web, and other types of launchers.
Unix Account (SSH Password), Unix Account (SSH Key), and FortiProduct(SSH
Password) secret templates are preconfigured with Web SSH launcher.
7. In Fields, enter information by double-clicking individual fields, entering the required information, and clicking OK.
8. Click Submit.
9. In the secret list, select the newly created secret, and select Launch Secret.
10. In Launch Progress, select Web SSH, and then select Launch.
1. Repeat steps 1 to 5 from Configuring a secret with Web SSH launcher to create a new secret.
2. In the Template dropdown, select one of the following templates if it meets your requirements; otherwise, see
Creating secret templates on page 80 to create a new template:
a. Windows Domain Account
b. Windows Domain Account(Samba)
Note: Ensure that the template uses Web RDP as its launcher.
1. Repeat steps 1 to 5 from Configuring a secret with Web SSH launcher to create a new secret.
2. In the Template dropdown, select the Machine template if it meets your requirements; otherwise, see Creating
secret templates on page 80 to create a new template.
Note: Ensure that the template uses Web VNC as its launcher.
Alternatively, in the CLI console, enter the following commands to create a new template with Web VNC launcher:
config secret template
    edit <name>  #name of the template
        config field
            edit <name>  #name of the field
                set type username
                set mandatory enable  #the field is mandatory
            next
            edit <name>
                set type password
                set mandatory enable
            next
        end
        config launcher
            edit <id>
                set launcher-name "Web VNC"  #Web VNC set as the secret launcher
                set port 5900  #default value
            next
        end
    next
end
From the Template dropdown, select the template you created using the CLI.
3. Repeat steps 7 to 9 from Configuring a secret with Web SSH launcher.
Ensure that Automatic Password Changing is disabled.
4. In Launch Progress, select Web VNC, and then select Launch.
Secret templates
Cisco Enable Secret Basic template for Cisco enabled secret account.
Cisco User (SSH Secret) Basic template for Cisco SSH account.
FortiProduct (SSH Password) Basic template for a FortiProduct SSH Password account.
FortiProduct (SSH Key) Basic template for a FortiProduct SSH Key account.
Machine Basic template for a general machine, with all default launchers.
Unix Account (SSH Key) Basic template for a Unix SSH Key account.
Unix Account (SSH Password) Basic template for a Unix SSH Password account.
Unix Account (Web CIFS) Basic template for a Unix Web Samba account.
Windows Domain Account (Samba) Basic template for a Samba Windows Domain account.
For each template, the name, fields, launcher, password changer, server info, description, and references are displayed.
Create Select to create a new template. See Creating secret templates on page 80.
Search Enter a search term in the search field, then hit Enter to search the secret
templates list. To narrow down your search, see Column filter.
Server Information The general type of server to which the template is intended to connect:
l Cisco
l Like Unix
l Default
Mandatory Enable to make this field mandatory or disable if this field will be
optional.
From the list, select a field and then select Edit to edit the field.
From the list, select fields and then select Delete to delete the fields.
Launcher Launcher helps you access a target server. See Secret launchers on page 71.
A launcher allows you to log in to a website or device without you needing to know the
credentials.
To add a new launcher, select Create and then enter the following information, and click OK:
Note:
An absolute path is also supported. Use the escape character (\) when using an absolute path, e.g.:
C:\\Users\\user1\\Documents\\putty.exe
C:\\Users\\user1\\Documents\\New folder\\putty.exe
l $TARGET
l $HOST
l $USER
l $PASSWORD
l $VNCPASSWORD
l $PASSPHRASE
l $PUB_KEY
l $PRI_KEY
l $URL
l $PORT
l $TMPFILE
Example:
For putty.exe as the Executable, -l $USER -pw $PASSWORD $HOST are the parameters.
For putty.exe as the Executable for SSH execution, -l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt
or
-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\" are the parameters.
Note:
When there is no space in the path, double quotes are not necessary:
-l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt
When there is a space in the path, double quotes must be used with a backslash:
-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\"
From the list, select a launcher and then select Edit to edit the launcher.
From the list, select launchers and then select Delete to delete the
launchers.
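The following is an added Python model, not FortiPAM code, of how a launcher's Parameter string (as in the Creating a launcher section and the launcher table above) is split into arguments and filled from the field variables, following the quoting rules the examples give: \" opens and closes a span that may contain spaces, and \\ stands for one backslash. It also checks a template for variables outside the list the guide gives. How FortiPAM itself tokenizes the string is not documented here, so the splitting rules are an assumption; the user name, password and host values are constructed.

```python
import re
from typing import Dict, List, Set

# Field variables the guide lists as valid in a launcher's Parameter field
# ($DOMAIN appears in one list and $TARGET in the other; both are included).
KNOWN_VARIABLES = {
    "DOMAIN", "TARGET", "HOST", "USER", "PASSWORD", "VNCPASSWORD",
    "PASSPHRASE", "PUB_KEY", "PRI_KEY", "URL", "PORT", "TMPFILE",
}
_VAR = re.compile(r"\$([A-Z_]+)")


def variables_used(template: str) -> Set[str]:
    """All $NAME references in a Parameter string."""
    return set(_VAR.findall(template))


def unknown_variables(template: str) -> Set[str]:
    """Variables in the template that are not in the guide's list."""
    return variables_used(template) - KNOWN_VARIABLES


def render_parameters(template: str, values: Dict[str, str]) -> List[str]:
    """Split a Parameter string into an argument list and fill in variables.

    Quoting follows the guide's examples: \" opens/closes a quoted span that
    may contain spaces, \\ yields one literal backslash. Variables are
    substituted per argument after splitting, so a value containing spaces
    stays one argument. The splitting rules are an assumption, not FortiPAM's
    documented behaviour."""
    args: List[str] = []
    current: List[str] = []
    in_arg = False
    quoted = False
    i = 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "\\" and nxt == '"':          # \" toggles a quoted span
            quoted = not quoted
            in_arg = True
            i += 2
            continue
        if ch == "\\" and nxt == "\\":         # \\ is one literal backslash
            current.append("\\")
            in_arg = True
            i += 2
            continue
        if ch.isspace() and not quoted:        # unquoted whitespace ends an argument
            if in_arg:
                args.append("".join(current))
                current, in_arg = [], False
            i += 1
            continue
        current.append(ch)
        in_arg = True
        i += 1
    if quoted:
        raise ValueError('unterminated \\" quote in launcher parameters')
    if in_arg:
        args.append("".join(current))

    def fill(arg: str) -> str:
        def repl(match: "re.Match[str]") -> str:
            name = match.group(1)
            if name not in values:
                raise KeyError(f"no value for launcher variable ${name}")
            return values[name]
        return _VAR.sub(repl, arg)

    return [fill(a) for a in args]


if __name__ == "__main__":
    # Constructed values; a real launch takes them from the secret's fields.
    sample = {"USER": "svc_backup", "PASSWORD": "P@ss w0rd", "HOST": "10.0.0.5"}
    print(render_parameters(r'-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\"', sample))
```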
Password Changer
A password changer can be configured for a custom secret template to change the password of a secret
periodically and to check the health of a secret periodically.
Note: The option is enabled by default.
Password Changer From the dropdown, select the password changer that will be used for this template or create a
new password changer. See Creating a password changer on page 156.
Port The port used for the password changer (default = 22).
Password Policy The password policy to use in the password changer.
From the dropdown, select a password policy or create a new password policy. See Creating a
password policy on page 153.
Max Number of Retries The maximum number of retries allowed, after which the connection fails (default = 10).
Verify After Password Change When enabled, whenever a secret using the template changes its password, the
newly changed password is verified.
Note: The option is enabled by default.
4. Click OK.
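The following added Python example (not FortiPAM code) models the password-changer flow that this table and the Change password and Credential History sections describe: a change is retried up to Max Number of Retries, the new password is verified when Verify After Password Change is on, a failed attempt keeps the attempted credential so that Reuse attempted password can pick it up, and the credential history can be used to get back in sync with the server. FakeTarget is a constructed stand-in for the remote account, and the password generator does not apply a password policy.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FakeTarget:
    """Constructed stand-in for the remote account; not a real connector."""
    password: str
    fail_next_changes: int = 0   # simulate transient failures of the change step

    def login(self, password: str) -> bool:
        return password == self.password

    def set_password(self, old: str, new: str) -> bool:
        if not self.login(old):
            return False
        if self.fail_next_changes > 0:
            self.fail_next_changes -= 1
            return False
        self.password = new
        return True


@dataclass
class Secret:
    password: str
    history: List[str] = field(default_factory=list)   # previous credentials, newest last
    last_attempted: Optional[str] = None               # retained when a change fails
    changer_status: str = "never run"


def generate_password(length: int = 16) -> str:
    """Random password with at least one lower, upper, digit and symbol.
    A real deployment applies the template's password policy here."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def verify_password(secret: Secret, target: FakeTarget) -> bool:
    """Manual or automatic verification: is the stored credential still valid?"""
    ok = target.login(secret.password)
    secret.changer_status = "verified" if ok else "verification failed"
    return ok


def change_password(secret: Secret, target: FakeTarget, *, new_password: Optional[str] = None,
                    reuse_attempted: bool = False, max_retries: int = 10,
                    verify_after_change: bool = True) -> bool:
    """Model of the change flow: pick the candidate, retry the change,
    optionally verify, then record the old credential in the history."""
    if reuse_attempted and secret.last_attempted:
        candidate = secret.last_attempted                 # Reuse attempted password = Yes
    else:
        candidate = new_password or generate_password()   # Customized or Randomly
    secret.last_attempted = candidate                     # kept if the change fails
    for _ in range(max_retries):
        if target.set_password(secret.password, candidate):
            break
    else:
        secret.changer_status = f"failed after {max_retries} retries"
        return False
    if verify_after_change and not target.login(candidate):
        secret.changer_status = "changed but verification failed"
        return False
    secret.history.append(secret.password)
    secret.password = candidate
    secret.last_attempted = None
    secret.changer_status = "success"
    return True


def restore_from_history(secret: Secret, target: FakeTarget) -> bool:
    """Recover when FortiPAM and the server are out of sync: try the retained
    attempted credential first, then the history newest-first."""
    candidates = ([secret.last_attempted] if secret.last_attempted else []) + secret.history[::-1]
    for cand in candidates:
        if target.login(cand):
            secret.password = cand
            secret.last_attempted = None
            secret.changer_status = "restored from history"
            return True
    return False
```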
Policies
A secret policy establishes guidelines for handling and protecting sensitive information, such as passwords, secret
attributes, and personal data. The secret policy helps organizations maintain the confidentiality, integrity, and availability
of sensitive information and minimize the risk of data breaches.
Policies in Secrets displays a list of secret policies.
Secret policies control the settings related to a secret. A policy is assigned to a folder when the folder is created.
Secrets in a folder follow the rules set in the policy associated with the folder.
A policy allows you to set the following attributes by default for a secret:
l Automatic Password Changing
l Automatic Password Verification
l Enable Session Recording
l Enable Proxy
l Tunnel Encryption
l Requires Checkout
l Requires Approval to Launch Secret
l Requires Approval to Launch Job
l Block RDP Clipboard
l SSH Filter
l Antivirus Scan
l RDP Security Level
The Policies tab looks like the following:
Search Enter a search term in the search field, then hit Enter to search the policies list.
To narrow down your search, see Column filter.
Creating a policy
To create a policy:
l Weekly
l Monthly
Repeat every The number of days/weeks/months after which the password is changed (1-
400).
Occurs on Select from the following days of the month when the password is
automatically changed:
l First
l Second
l Third
l Last
l Last Day
l Day
Select days of the week when the password is automatically changed.
When you select Day, select + to add days of the month when the password is
automatically changed.
Note: The option is only available when Recurrence is set as Weekly or
Monthly.
Editable in Secret Enable/disable users from customizing the password change schedule in the
secret.
The video file is available in the log for users with appropriate
permission.
The HTTP request carries the target server information, and FortiPAM then
connects to the target server. After that, there are two protocol options for the
tunnel between FortiClient and FortiPAM: strip the TLS layer for better
throughput and performance, or keep the TLS layer so that the launcher's
protocol traffic runs inside the secure TLS tunnel.
If the launcher's protocol is not itself secure, such as VNC, enabling this option is
strongly recommended so that the traffic is carried in a secure tunnel.
When set to Not Set, secrets using the policy can have the option set as either
Enable or Disable.
When the option is enabled or disabled, all the secrets using this policy have
the same setting for this option as set in the policy.
At a given time, only one user can check out a secret. Other
approved users must wait for the secret to be checked in or
wait for the checkout duration to lapse before accessing the
secret.
Use the pen icon next to the approval profile to edit it.
RDP Security Level Select a security level when establishing an RDP connection to the secret:
l Best Effort: If the server supports NLA, FortiPAM uses NLA to
4. Click Submit.
See Applying a policy to a folder on page 90.
If Inherit Policy is disabled, from the Secret Policy dropdown, select a policy profile.
Select Create to create a new secret policy. See Creating a policy on page 86.
7. Click Submit.
SSH Filter Profiles tab in Secrets displays a list of SSH filter profiles.
A filter can be created to prevent certain commands from running on an SSH terminal.
For each SSH profile, the name, block, log, default command log, extra shell commands, and references are displayed.
The SSH Filter Profiles tab contains the following options:
Create Select to create a new SSH filter profile. See Creating an SSH filter on page 91.
Search Enter a search term in the search field, then hit Enter to search the SSH filter
profiles list. To narrow down your search, see Column filter.
Shell Commands
Shell commands can be created to block a command in the SSH terminal.
See Creating Shell Commands.
Select a shell command from the list and then select Edit to edit the command.
When editing a shell command the options are same as when creating one.
Select shell commands from the list then select Delete to delete the commands.
l SSH execution
l Port forwarding
l Tunnel forwarding
l SFTP
l SCP
l Unknown channel: any channel other than the six listed here and the shell
channel.
Log Activity SSH logging options.
These are log activities related to selected channels regardless of the blocking
status (multiple options may be selected):
l X11: X server forwarding
l SSH execution
l Port forwarding
l Tunnel forwarding
l SFTP
l SCP
l Unknown channel
4. Click Submit.
1. In the New SSH Filter Profile window, select Create in the Shell Commands pane.
l Block: Block the SSH shell command on the target server (default).
For example, when the Type is Regex, the Pattern is conf.*, and the Action is
Block, all configuration commands on the target server are blocked.
Severity The severity of the actions reported in Log & Report > SSH and alert
messages:
l Critical
l High
l Medium
l Low (default)
3. Click OK.
If the secret does not show up, it may be because you do not have the necessary
permission to access the secret or the folder where the secret is located.
To configure an SSH filter profile that only allows show command on the target server (FortiGate or
Cisco routers):
6. Click Submit.
To configure an SSH filter profile that blocks rm and sudo commands on the target Linux server:
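The following added Python example (not FortiPAM code) models an SSH filter profile with both the channel blocking/logging options and regex shell-command rules, and builds the two profiles just named: one that only allows show commands and one that blocks rm and sudo on a Linux target. It assumes an allow action exists alongside the guide's Block action, anchors each regex at the start of a command, and evaluates each command in a pipeline or command chain separately so that a blocked verb after a separator is still caught; the commands it evaluates are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Channel types the guide lists for blocking/logging, plus the shell channel.
CHANNELS = frozenset({"x11", "ssh-exec", "port-forwarding", "tunnel-forwarding",
                      "sftp", "scp", "unknown", "shell"})
SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class ShellRule:
    pattern: str             # Type = Regex, as in the guide's conf.* example
    action: str = "block"    # "block" is the guide's default; "allow" is assumed
    severity: str = "low"    # guide default

    def __post_init__(self) -> None:
        if self.action not in ("block", "allow") or self.severity not in SEVERITIES:
            raise ValueError(f"invalid rule {self!r}")
        re.compile(self.pattern)   # fail fast on an invalid regex


@dataclass(frozen=True)
class SSHFilterProfile:
    name: str
    rules: Tuple[ShellRule, ...] = ()
    blocked_channels: FrozenSet[str] = frozenset()
    logged_channels: FrozenSet[str] = frozenset()
    default_command_log: bool = False   # log every shell command, not only matches


# Shell separators: each simple command in a pipeline or chain is checked on
# its own, so "ls; rm -rf x" or "cat f | sudo tee g" cannot hide the verb.
_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\|?)\s*")


def evaluate_channel(profile: SSHFilterProfile, channel: str) -> Tuple[bool, bool]:
    """Return (allowed, logged) for an SSH channel request."""
    if channel not in CHANNELS:
        channel = "unknown"               # anything else counts as Unknown channel
    return (channel not in profile.blocked_channels, channel in profile.logged_channels)


def _first_match(profile: SSHFilterProfile, segment: str) -> Optional[ShellRule]:
    for rule in profile.rules:
        if re.match(rule.pattern, segment):
            return rule
    return None


def evaluate_command(profile: SSHFilterProfile, command: str) -> Dict[str, object]:
    """Evaluate one shell line. Any simple command hitting a block rule blocks
    the whole line; otherwise the line is allowed (logged if default log is on)."""
    segments = [s.strip() for s in _SEPARATORS.split(command) if s.strip()]
    for segment in segments:
        rule = _first_match(profile, segment)
        if rule is not None and rule.action == "block":
            return {"action": "block", "severity": rule.severity,
                    "rule": rule.pattern, "segment": segment, "log": True}
    return {"action": "allow", "severity": None, "rule": None,
            "segment": None, "log": profile.default_command_log}


# Profile 1: only show commands are allowed (FortiGate or Cisco targets).
SHOW_ONLY = SSHFilterProfile("show-only", rules=(
    ShellRule(r"show\b", action="allow"),
    ShellRule(r".*", action="block", severity="high"),
))

# Profile 2: rm and sudo are blocked on a Linux target; forwarding channels
# are blocked and file transfer channels are logged.
LINUX = SSHFilterProfile("no-rm-no-sudo", rules=(
    ShellRule(r"(sudo|rm)\b", action="block", severity="critical"),
), blocked_channels=frozenset({"port-forwarding", "tunnel-forwarding"}),
   logged_channels=frozenset({"sftp", "scp"}))


if __name__ == "__main__":
    for line in ("show system status", "config system interface", "show run; conf t"):
        print(line, "->", evaluate_command(SHOW_ONLY, line)["action"])
```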
Job list
Search Enter a search term in the search field, then hit Enter to search the jobs list. To
narrow down your search, see Column filter.
Creating a job
To create a job:
Type From the dropdown, select from the following two options:
l SSH Script: targeting secrets that work on Linux-like machines (default).
l SSH Procedure: targeting secrets that run on an SSH server, e.g., FortiGate,
Cisco, or Ubuntu.
Associated Secret Enable and then from the dropdown, select an associated secret or create a
new secret.
When enabled, changing password or verifying password requires credentials
from the associated secret.
Note: The option is disabled by default.
l Weekly
l Monthly
Note: The option is only available when Recursive is enabled.
Repeat every The number of days/weeks/months after which the job is executed (1- 400).
Note: The option is only available when Recursive is enabled.
Occurs on Select from the following days of the month when the job is automatically
executed:
l First
l Second
l Third
l Last
l Last Day
l Day
Select days of the week when the job is automatically executed.
When you select Day, select + to add days of the month when the job is
automatically executed.
Note: The option is only available when Recurrence is set as Weekly or
Monthly.
4. Click Submit.
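The recurrence settings above (Recurrence, Repeat every, Occurs on, and days of the week) are the same for a secret's password change schedule, for a policy, and for a job. The following Python function is an added example, not FortiPAM code, that computes the next scheduled date from those settings. It assumes that cycles are counted from the start date, that Weekly cycles start on the Monday of the start week, and that for Monthly the First/Second/Third/Last choices combine with the selected days of the week; the sample schedules are constructed.

```python
import calendar
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence

# Weekday numbers follow Python: Monday = 0 ... Sunday = 6.


def _weekday_dates(year: int, month: int, weekday: int) -> List[date]:
    last = calendar.monthrange(year, month)[1]
    return [date(year, month, d) for d in range(1, last + 1)
            if date(year, month, d).weekday() == weekday]


def occurrences_in_month(year: int, month: int, occurs_on: str,
                         weekdays: Sequence[int] = (), days: Sequence[int] = ()) -> List[date]:
    """Dates in one month selected by the Occurs on setting."""
    last = calendar.monthrange(year, month)[1]
    if occurs_on == "Last Day":
        return [date(year, month, last)]
    if occurs_on == "Day":                       # explicit days of the month
        return [date(year, month, d) for d in sorted(days) if d <= last]
    index = {"First": 0, "Second": 1, "Third": 2, "Last": -1}[occurs_on]
    return sorted(_weekday_dates(year, month, wd)[index] for wd in weekdays)


def next_run(schedule: Dict, start: date, after: date) -> Optional[date]:
    """First scheduled date strictly after `after` and not before `start`.

    schedule keys: recurrence (Daily|Weekly|Monthly), repeat_every (1-400),
    weekdays (Weekly, or Monthly with First/Second/Third/Last), occurs_on and
    days (Monthly). Counting cycles from the start date is an assumption."""
    rec, every = schedule["recurrence"], schedule["repeat_every"]
    if not 1 <= every <= 400:
        raise ValueError("Repeat every must be 1-400")
    lower = max(after + timedelta(days=1), start)      # earliest candidate date
    if rec == "Daily":
        cycles = -(-(lower - start).days // every)      # ceiling division
        return start + timedelta(days=cycles * every)
    if rec == "Weekly":
        week0 = start - timedelta(days=start.weekday())  # Monday of the start week
        day = lower
        for _ in range(7 * (every + 1)):                 # one full cycle is enough
            active_week = ((day - week0).days // 7) % every == 0
            if active_week and day.weekday() in schedule["weekdays"]:
                return day
            day += timedelta(days=1)
        return None                                      # no weekday selected
    if rec == "Monthly":
        idx0 = start.year * 12 + start.month - 1
        idx = lower.year * 12 + lower.month - 1
        for _ in range(12 * (every + 2)):                # covers day-31 schedules too
            if (idx - idx0) % every == 0:
                year, month0 = divmod(idx, 12)
                for d in occurrences_in_month(year, month0 + 1, schedule["occurs_on"],
                                              schedule.get("weekdays", ()),
                                              schedule.get("days", ())):
                    if d >= lower:
                        return d
            idx += 1
        return None
    raise ValueError(f"unknown recurrence {rec!r}")


def upcoming(schedule: Dict, start: date, after: date, count: int = 3) -> List[date]:
    """The next `count` scheduled dates, for checking a schedule before saving it."""
    out: List[date] = []
    cursor = after
    for _ in range(count):
        nxt = next_run(schedule, start, cursor)
        if nxt is None:
            break
        out.append(nxt)
        cursor = nxt
    return out


if __name__ == "__main__":
    # Constructed sample: change every 2 weeks on Monday and Friday, from 2023-03-06.
    weekly = {"recurrence": "Weekly", "repeat_every": 2, "weekdays": [0, 4]}
    print(upcoming(weekly, date(2023, 3, 6), date(2023, 3, 6), 4))
```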
When editing a job, select the Make Request option from the top to make a request to perform
a job on the secret associated with the job. See Make a request on page 143.
When editing a job, select the Log tabs to see logs related to the job. See Log & report on page
258.
For a script job type, you can check the result on the Edit Job page after the job is executed.
User monitor
The User Monitor tab in Monitoring displays all logged-in users along with information such as their role, login IP
address, how long they have been logged in, traffic volume, and the timestamp of their login. It is a helpful tool
for monitoring the overall activity of users on FortiPAM. For example, an unusual amount of traffic from a specific user
could indicate that a risky operation is being performed, and the administrator can deauthenticate the user if they deem
the user to be a malicious actor.
For every login, the user name, IP address, duration, traffic volume, and the last login date and time are displayed.
Search Enter a search term in the search field, then hit Enter to search the user monitor
list. To narrow down your search, see Column filter.
Active sessions
The Active Sessions tab in Monitoring provides a way to oversee the activity of secrets launched from FortiPAM. The
page lists all launched secrets with information such as source IP:port, destination IP:port, the launched application,
username, etc. An End Session(s) button is also available if the administrator wishes to terminate any of the launched
sessions. This monitor is especially useful when a user is conducting malicious activity, because the administrator can
terminate the session right away with the End Session(s) button to protect the integrity of the secret.
On the top, the following widgets are displayed:
l Secret Name: displays the total count of the secrets being used.
l Username: displays the total count of the users using secrets.
For every session, the following columns are displayed:
l Session ID
l Source
l Source Port
l Destination
l Destination Port
l Application
l Account Name
l Secret Name
l Duration (sec)
l Expires (sec)
Search Enter a search term in the search field, then hit Enter to search the active
sessions list. To narrow down your search, see Column filter.
User definition
User Definition in User Management displays a list of FortiPAM users listed by their role types.
For each user; name, status, schedule, IPv4 trusted hosts, role, type, and references are shown.
Create Select to create a new user. See Creating a user on page 102.
Search Enter a search term in the search field, then hit Enter to search the user
definition list. To narrow down your search, see Column filter.
To enable/disable a user:
1. Hover over the Status column for a user and select the pen icon.
Creating a user
By default, FortiPAM has a default user with the username admin and no password.
When you go into the system for the first time, you must set a password for this account.
Additional users can be added later.
To create a user:
2. Enter the following information, and click Next after each tab:
Configure Role
Choose a User Role type Select from the following user role types:
l Guest User
l Standard User
l Power User
l Administrator
For Administrator, select from one of the available administrator roles from the
Choose an Administrator Role dropdown.
For information on the user types and their roles, see Users in FortiPAM on
page 106 and Role on page 117.
Configure Type
Choose a User type Select a user type:
l Local User
l API User
l Remote User: Select the option if you want to enable login for one remote
user in a remote group, and assign the user the remote user type for the
FortiPAM session.
For Remote User, select a remote group where the user is found. See User
groups on page 113.
For information on the user types, see Users in FortiPAM on page 106.
Note: The option is not available when the user type is an API user.
Email address The email address.
Comments Optionally, enter comments about the user.
l FortiToken Cloud. See 2FA with FortiToken Cloud example on page 106.
l Email based two-factor authentication (default)
Token From the dropdown, select a token. This option is mandatory.
Note: This option is only available when FortiToken is the Authentication Type.
Send Activation Code Enable/disable sending activation codes.
Note: This option is only available when FortiToken Cloud is the
Authentication Type.
Email address The email address.
Note: This option is mandatory.
Configure the schedule for which the user can connect to the FortiPAM Enable/disable configuring the login schedule for the user. From the dropdown, select a schedule. See Schedule on page 136.
Note: This option is disabled by default.
3. In the Review tab, verify the information you entered and click Submit to create the user.
Regenerating the API key will immediately revoke access for any API consumers using the
current key.
Users in FortiPAM
For Administrator, administrator roles are available. See Role on page 117.
3. Click Next.
4. In Choose a User type, select either Local User or Remote User.
In this example, Local User is selected.
For Remote User, select a remote group where the user is found. See User groups on
page 113.
5. Click Next.
6. In Configure User Detail:
a. In Username, enter a name.
b. In Password, enter a password.
c. In Confirm Password, reenter password to confirm.
d. In Status, enable logging in to FortiPAM.
7. Click Next.
8. Enable Two Factor Authentication, and:
a. In Authentication Type, select FortiToken Cloud.
b. Enable Send Activation Code.
c. In Email address, enter the email address where the activation code for FortiToken Cloud is sent.
d. Click Next.
9. Click Next.
10. In the Review tab, verify the information you entered and click Submit to create the user.
11. From the user dropdown on the top-right, select Logout.
12. On the login screen, enter the username and password for the user you just created, and select Continue.
13. On the token screen, enter the token from your FortiToken Mobile and select Continue to log in to FortiPAM, or
approve the push login request that appears on your mobile phone to log in to FortiPAM.
CLI configuration to set up a user with FortiToken Cloud as the authentication type - example:
next
end
3. Click Next.
For Remote User, select a remote group where the user is found. See User groups on
page 113.
5. Click Next.
6. In Configure User Detail:
a. In Username, enter a name.
b. In Password, enter a password.
c. In Confirm Password, reenter password to confirm.
d. In Status, enable logging in to FortiPAM.
e. In Email address, enter an email address.
7. Click Next.
8. Enable Two Factor Authentication, and:
a. In Authentication Type, select FortiToken.
b. From the Token dropdown, select a FortiToken.
d. Click Next.
9. Click Next.
10. In the Review tab, verify the information you entered and click Submit to create the user.
11. Go to User Management > FortiTokens, select the token used in step 8 from the list and then click Provision.
An email notification is sent to the user. This is the email address configured in step 8.
12. To enable FortiToken push notification:
a. Go to Network > Interfaces and double-click port1.
b. In Administrative Access, select FTM.
c. In the CLI console, enter the following commands:
config system ftm-push
set server-cert "Fortinet_Factory"
set server x.x.x.x #IP address of the FortiPAM interface
set status enable
end
13. From the user dropdown on the top-right, select Logout.
14. On the login screen, enter the username and password for the user you just created, and select Continue.
15. On the token screen, enter the token from your FortiToken Mobile and select Continue to log in to FortiPAM, or
approve the push login request that appears on your mobile phone to log in to FortiPAM. See Setting up FortiToken
Mobile on page 112.
CLI configuration to set up a user with FortiToken as the authentication type - example:
1. In the App Store, look for FortiToken Mobile and install the application.
2. After your system administrator assigns a token to you, you will receive a notification with an activation code and an
activation expiration date by which you must activate your token. For more information on Token Activation, see
FortiToken Mobile User Guide.
3. Open the FortiToken Mobile application and click + icon on the top-right to add a token.
4. There are two ways to add a token to the FortiToken Mobile application:
a. Scan QR code: If your device supports QR code recognition, select + in the FortiToken Mobile home screen
and point your device camera at the QR code attached to the activation email.
b. Enter Manually:
i. Select + and then select Enter Manually from the bottom.
ii. Select Fortinet and enter Name and Key.
Key is the activation key from your activation email notification and must be entered
exactly as it appears in the activation message, either by typing or copying and
pasting.
5. Click the eye icon to retrieve the token to be used in step 15 when configuring 2FA with FortiToken.
Alternatively, if approving the push login request in step 15 when configuring 2FA with FortiToken, click Approve in
Login Request.
User groups
User groups can contain references to individual users or references to groups defined on an existing LDAP server.
Users can be assigned to groups during user account configuration, or by creating or editing the groups to add users to
them.
The User Groups tab contains the following options:
Search Enter a search term in the search field, then hit Enter to search the user groups
list. To narrow down your search, see Column filter.
l Local User
Members Select + to add existing members to the user group from the list and select
Close, or select Create to create a new user.
See Creating a user on page 102.
Remote Groups By adding a remote server to the user group, the group will contain all user
accounts on that server.
Optionally, a specific user group on the remote server can be included to
restrict the scope to that group.
See Creating Remote Groups.
Note: This pane is available only when the Type is Remote.
Select remote groups from the list and select Delete to delete the remote groups.
Select a remote group from the list and select Edit to edit the remote group.
4. Click OK.
1. In the Create New User Group window, select Create in Remote Groups.
The Remote Groups pane is only available when the Type is Remote.
At least one LDAP server must be already configured. See LDAP servers on page 127.
LDAP filters consist of one or more clauses which can be combined with logical
AND/OR operators.
Filter syntax differs depending on the LDAP server software.
Examples:
l Users with given name starting with the letter "h":
(&(objectClass=person)(givenName=h*))
l All groups:
(&(objectClass=posixGroup)(cn=*))
b. Optionally, if a RADIUS server is selected, select +, and enter group names in Groups.
At least one RADIUS server must be already configured. See RADIUS servers on page
134.
c. Optionally, if a SAML server is selected, select +, and enter group names in Groups.
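The two filters above are composed from clauses, and any value that comes from outside (a username typed at login, a group name pasted into a form) has to be escaped per RFC 4515 before it is placed inside a clause, otherwise it can close the clause and append its own. The following Python is an added example, not FortiPAM code; the function names and the hostile input are constructed for illustration. Attribute and objectClass names are the ones the page uses (person, posixGroup, givenName, cn) plus uid, and will differ on other directory software.

```python
"""Compose LDAP filters with RFC 4515 escaping for untrusted values (added example)."""

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a literal assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    """Equality clause; the value is a literal and is escaped."""
    return f"({attr}={escape_value(value)})"


def matches(attr: str, pattern: str) -> str:
    """Equality clause whose value is an intentional wildcard pattern, left unescaped.
    Use only with patterns written by an administrator, never with user input."""
    return f"({attr}={pattern})"


def and_(*clauses: str) -> str:
    return "(&" + "".join(clauses) + ")"


def or_(*clauses: str) -> str:
    return "(|" + "".join(clauses) + ")"


# The two filters from the page, rebuilt from clauses.
USERS_STARTING_WITH_H = and_(eq("objectClass", "person"), matches("givenName", "h*"))
ALL_POSIX_GROUPS = and_(eq("objectClass", "posixGroup"), matches("cn", "*"))


def user_lookup_filter(username: str) -> str:
    """Filter to find one account by uid; the username is untrusted and is escaped."""
    return and_(eq("objectClass", "person"), eq("uid", username))


def naive_user_lookup_filter(username: str) -> str:
    """The same lookup built by string formatting, kept only to show the difference."""
    return f"(&(objectClass=person)(uid={username}))"


if __name__ == "__main__":
    # Constructed hostile input: closes the uid clause and appends one that matches everyone.
    hostile = "*)(uid=*"
    print(naive_user_lookup_filter(hostile))
    print(user_lookup_filter(hostile))
```

With the naive builder the hostile username turns the lookup into `(&(objectClass=person)(uid=*)(uid=*))`, a filter that matches every person object; with escaping the same input stays a literal that matches nothing.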
Role
Roles or access profiles define what a user can do when logged into FortiPAM.
When a new user is created, it must have a specific role. See Creating a user on page 102.
When you create a standard user, a default normal user role is assigned to the new user
automatically.
When setting up an administrator, administrator roles can be selected from the Choose an
Administrator Role dropdown. See Creating a user on page 102.
The administrator role decides what the administrator can see.
l Default Administrator: Read/write access same as a super administrator, but no access to maintenance mode and
glass breaking.
l Guest User: For demonstration purposes only. Guest users can only view secrets and have restricted access to
FortiPAM features.
l Power User: For managing general secret settings, e.g., a power user can change who approves secrets,
commands blocked on the target server, etc.
l Standard User: Logs in, makes requests for resources, and connects to the privileged resources.
Users with the Standard User role do not have the privilege to manage FortiPAM devices.
Search Enter a search term in the search field, then hit Enter to search the roles list.
To narrow down your search, see Column filter.
To create a role:
Pages and features are organized and separated into different access controls.
There are two types of access controls:
Secret
Select None, Read, or Read/Write to set access level globally for all the secret features.
Secret List Set the access level for Secret list page.
It also controls whether pages: Secret Templates, Policies and Launchers can
be viewed.
Secret Folder Set the access level for Folders.
Note: You can restrict the corresponding folder and secret permissions under
a specific secret.
Root Folder Permission to create folders in Root.
Note: The Secret Folder must be set to at least Read permission to enable
accessing the root folder.
SSH Filter Profile Set the access level for SSH Filter Profiles page.
Job List Set the access level for Jobs List page.
Approval Request Set the access level for My Request and Request Review page in Approval
Request.
Approval Profile Set the access level for Approval Profile page in Approval Flow.
Password Changer Set the access level for Password Changers page in Password Changing.
Password Character Set Set the access level for Character Sets page in Password Changing.
Password Policy Set the access level for Password Policies page in Password Changing.
Create Personal Folder Enable/disable creating a personal folder right after the user is created.
Note: The Secret Folder permission must be Read/Write.
Edit Secret Templates Enable/disable editing the Secret Templates page.
Edit Secret Policies Enable/disable editing the Policies page.
Edit Secret Launchers Enable/disable editing the Secret Launchers page.
View Encrypted Secret Information Enable/disable viewing the secret password, passphrase, and SSH key.
Note: Secret List must be set to Read/Write permission to view the encrypted
secret information.
Permit File Transfer Enable/disable permitting file transfer.
User Management
Select None, Read, or Read/Write to set access level globally for all the user management features.
Administrator Users Set the access level for the User Definition page in User Management and the
Backup page in System.
User Groups Set the access level for User Groups page in User Management.
Note: Ldap Servers, Saml Single Sign-On, and Radius Servers must be set to
at least Read permission to access User Groups.
Role Set the access level for Role page in User Management.
Ldap Servers Set the access level for Ldap Servers page in User Management.
Note: Scheme & Rules must be set to at least Read permission to access
LDAP servers.
Saml Single Sign-On Set the access level for Saml Single Sign-On page in User Management.
Note: Addresses and Scheme & Rules must be set to at least Read
permission to access SAML servers.
Radius Servers Set the access level for Radius Servers page in User Management.
Note: Scheme & Rules must be set to at least Read permission to access
RADIUS servers.
Schedule Set the access level for Schedule page in User Management.
Authentication
Select None, Read, or Read/Write to set access level globally for all the authentication features.
The role must have Allow CLI Access enabled to access the
diagnostic commands.
Allow Firmware Upgrade & Backups Enable/disable permission to use the firmware upgrade and configuration backup features.
System
Select None, Read, or Read/Write to set access level globally for all the system features.
Configuration Set the access level for:
l DNS Settings in Network.
Network
Select None, Read, or Read/Write to set access level globally for all the network features.
Configuration Set the access level for Interfaces page in Network.
Packet Capture Set the access level for Packet Capture page in Network.
Static Routes Set the access level for Static Routes page in Network.
Fabric Set the access level for FortiAnalyzer Logging card on the Fabric Connectors
page in Security Fabric.
Endpoint Control Set the access level for FortiClient EMS card on the Fabric Connectors page in
Security Fabric and ZTNA Tags in System > ZTNA.
Manage System Certificates Enable/disable accessing the Certificates page in System.
Note: System Configuration must have the Write permission.
View Logs Enable/disable viewing Events, Secrets, ZTNA, and SSH logs in Log & Report.
View Secret Launching Video Enable/disable viewing playback videos in Secret Video.
Note: View Logs must be enabled since the secret videos are available in Log
& Report > Secret page.
9. Click OK.
When creating or editing a role, select Definitions to see access control definitions.
Secrets
Secret List It controls access to the Secret list page.
It also controls whether pages: Secret Templates, Policies and Launchers can be
viewed.
Secret Folder Controls the access to Folders.
Note: You can restrict the corresponding folder and secret permissions under a
specific folder and secret.
Root Folder Permission to create folders in Root.
SSH Filter Profile Access to the SSH Filter Profiles page.
Job List Access to the Job List page.
Approval Request Access to the My Request and Request Review page in Approval Request.
Approval Profile Access to the Approval Profile page in Approval Flow.
Password Changer Access to Password Changers page in Password Changing.
Password Character Set Access to Character Sets page in Password Changing.
Password Policy Access to Password Policies page in Password Changing.
Create Personal Folder Enable/disable creating a personal folder right after the user is created.
Edit Secret Templates Enable/disable editing the Secret Templates page.
Edit Secret Policies Enable/disable editing the Policies page.
Edit Secret Launchers Enable/disable editing the Secret Launchers page.
View Encrypted information Enable/disable viewing the secret password, passphrase and ssh-key. The
Secret list must have Write permission to view the encrypted secret information.
User Management
Administrator Users Access to the User Definition page in User Management and the Backup page in
System.
User Groups Access to the User Groups page in User Management.
Role Access to the Role page in User Management.
Ldap Servers Access to the Ldap Servers page in User Management.
Saml Single Sign-On Access to the Saml Single Sign-On page in User Management.
Radius Servers Access to the Radius Servers page in User Management.
Schedule Access to the Schedule page in User Management.
Allow CLI Access Enable/disable CLI access.
Allow CLI Diagnostic Commands Enable/disable access to diagnostic CLI commands.
LDAP servers
Users can use remote authentication servers, such as an LDAP server, to connect to FortiPAM.
LDAP servers store users' information including credentials and group membership. This information can authenticate
FortiPAM remote users and provide groups for authorization.
Go to LDAP servers in User Management to see a list of LDAP servers.
Search Enter a search term in the search field, then hit Enter to search the LDAP
servers list. To narrow down your search, see Column filter.
2. Enter the following information, and click Next after each tab:
Set up server
Name Name of the server.
Server IP/name The IP address or FQDN for this remote server.
Server Port The port number for LDAP traffic (default = 636).
Common Name Identifier The common name identifier for the LDAP server. Most LDAP servers use cn.
However, some servers use other common name identifiers such as UID.
(default = cn).
Distinguished Name The distinguished name is used to look up entries on the LDAP server.
Server Identity Check Enable to verify server domain name/IP address against the server certificate.
Note: This option is only available when Secure Connection is enabled.
Note: This option is enabled by default.
Advanced Group Matching Group member check determines whether user or group objects' attributes are
used for matching. Group Filter is the filter used for group matching. Member
attribute is the name of the attribute from which to get the group membership.
Test connection is only available to users who have Write permission for Ldap Servers.
See Role on page 117.
2. Enter the following information, and click Next after each tab:
3. In the Review tab, verify the information you entered and click Submit to create the SAML SSO server.
RADIUS servers
Search Enter a search term in the search field, then hit Enter to search the RADIUS
server list. To narrow down your search, see Column filter.
2. Enter the following information, and click Next after each tab:
Configure Settings
Name The name of the RADIUS server.
Authentication Type Select either Default or Specify.
If Specify is selected, from the dropdown, select from the following
authentication types:
l CHAP: Challenge Handshake Authentication Protocol.
Configure Servers
Primary Server The access request is always sent to the primary server first. If the request
is denied with an Access-Reject, the user authentication fails.
IP/Name The IP address or the FQDN.
Secret The pre-shared passphrase used to access the RADIUS server.
Secondary Server If there is no response from the primary server, the access request is sent to
the secondary server.
IP/Name The IP address or the FQDN.
Secret The pre-shared passphrase used to access the RADIUS server.
Schedule
Search Enter a search term in the search field, then hit Enter to search the schedule list.
To create a schedule:
Days Select the days of the week when the schedule applies.
Note: This option is only available when the Type is Recurring.
Start Date Enter the start date and time. Alternatively, select the calendar icon and then
select a date.
Similarly, select the clock icon and then select a time.
Note: This option is only available when the Type is One Time.
Start Time Enter the start time. Alternatively, select the clock icon and then select a start
time.
Note: This option is only available when the Type is Recurring and All day is
disabled.
End Date Enter the end date and time. Alternatively, select the calendar icon and then
select a date.
Similarly, select the clock icon and then select a time.
Note: This option is only available when the Type is One Time.
Stop Time Enter the stop time. Alternatively, select the clock icon and then select a stop
time.
If the stop time is set earlier than the start time, the stop time
is the same time the next day.
Note: This option is only available when Type is Recurring and All day is
disabled.
Pre-expiration event log Select to create an event log Number of days before the End Date.
Note: This option is only available when the Type is One Time.
Number of days before Enter the number of days (1 - 100, default = 3).
Note: This option is only available when the Type is One Time and Pre-
expiration event log is enabled.
4. Click OK.
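The overnight rule above (a stop time earlier than the start time means the window ends at that time on the next day) is where schedule checks usually go wrong: the Saturday 02:00 part of a Friday 22:00-06:00 window belongs to Friday's entry, not to Saturday's. The following Python is an added example of evaluating a Recurring and a One Time schedule with that rule, not FortiPAM's own logic; the function names are constructed, and the choice to reject a stop time equal to the start time is an assumption of this example.

```python
"""Evaluate recurring and one-time schedules, including windows that cross midnight (added example)."""
from datetime import datetime, time, timedelta

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def _as_time(t):
    return t if isinstance(t, time) else time.fromisoformat(t)


def _as_dt(d):
    return d if isinstance(d, datetime) else datetime.fromisoformat(d)


def in_recurring_schedule(now, days, start, stop, all_day=False):
    """True when `now` falls inside a Recurring schedule.

    `days` holds the weekday names on which a window starts. When stop is earlier than
    start, the window runs to that stop time on the next day, as the page states, so a
    Friday 22:00-06:00 window still covers Saturday 02:00.
    Assumption for this example: stop equal to start is an error, not a 24-hour window.
    """
    now = _as_dt(now)
    today = DAYS[now.weekday()]
    if all_day:
        return today in days
    start, stop = _as_time(start), _as_time(stop)
    if start == stop:
        raise ValueError("stop time must differ from start time")
    if stop > start:
        return today in days and start <= now.time() < stop
    # Overnight window: either it started today, or it started yesterday and has not stopped.
    yesterday = DAYS[(now - timedelta(days=1)).weekday()]
    started_today = today in days and now.time() >= start
    started_yesterday = yesterday in days and now.time() < stop
    return started_today or started_yesterday


def pre_expiration_log_due(now, end, days_before=3):
    """One Time schedule: True once `now` is within `days_before` days (1 - 100) of the end date."""
    if not 1 <= days_before <= 100:
        raise ValueError("days_before must be between 1 and 100")
    now, end = _as_dt(now), _as_dt(end)
    return end - timedelta(days=days_before) <= now < end


if __name__ == "__main__":
    weeknights = {"monday", "tuesday", "wednesday", "thursday", "friday"}
    # Saturday 02:00 is inside Friday's 22:00-06:00 window.
    print(in_recurring_schedule("2023-03-25T02:00", weeknights, "22:00", "06:00"))
```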
Members From the dropdown, select +, and in Select Entries, select members.
If a new schedule is required, select Create then select the type of schedule to
create a new schedule.
4. Click Close
5. Click OK.
FortiTokens
To access the FortiTokens page, you require Read or higher permission to User Groups, Ldap
Servers, Saml Single Sign-On, and Radius Servers. See Role on page 117.
For each FortiToken; type, serial number, status, user, drift, and comments are displayed by default.
To add the License column, click Configure Table when hovering over table headers, select
License, and click Apply.
To add FortiTokens:
l Mobile Token
Note: This option is only available when the Type is Hard Token.
Import Select the option to import multiple tokens by selecting one of the following
and clicking OK:
l Serial Number File: Select Upload to load a CSV file that contains token
serial numbers.
l Seed File: Select Upload to load a CSV file that contains token serial
numbers, encrypted seeds, and IV values.
Note: This option is only available when the Type is Hard Token.
3. Click OK.
Monitoring FortiTokens
You can also view the list of FortiTokens, their status, token clock drift, and which user they are assigned to from the
FortiToken list found at User Management > FortiTokens.
To launch secrets where approval from the members of the approval group(s) is required, you must send out a request.
The request would then be reviewed by the members of the approval group(s), and could be approved or denied by any
members of the groups.
My requests
Hover over a request in the list to see additional information about the secret.
When an approved request's access time is up, the secret session is terminated even if it is
still in use.
Create Select to create a new request. See Make a request on page 143.
Search Enter a search term in the search field, then hit Enter to search the requests list.
To narrow down your search, see Column filter.
Double-click a request to open it and select Go to Secret to go to the related secret or select
View Approvers Comments to view comments from the approvers.
Make a request
To make a request:
If the secret does not show up, it may be because you do not have the necessary
permission to access the secret or the folder where the secret is located.
3. On the top-right, click Make Request to send out a request to launch the secret.
If the Make Request option does not appear, it is because Requires Approval to Launch
Secret or Requires Approval to Launch Job is disabled in the Secret Setting pane when
creating or editing a secret.
See Creating a secret on page 51.
l Job
Secret When the Request Type is Launcher, from the dropdown, select a secret.
These are secrets with Requires Approval to Launch Secret enabled. See
Creating a secret on page 51.
Job When the Request Type is Job, secret associated with the job is automatically
selected. The option becomes non-editable. This is the secret with Requires
Approval to Launch Job enabled.
Request Duration When the Request Type is Launcher, from the dropdown, select a duration of
time or select Custom and then enter a date (MM/DD/YYYY) and time range.
Alternatively, select the calendar icon and select a start/end date and time.
When the Request Type is Job, the start time is the time set in the job. Enter an
end date (MM/DD/YYYY) and time.
5. Click Submit.
Once the request is submitted, it appears in My Requests and Request Review tab. See My requests on page 142
and Request review on page 145.
Reviewers specified in Approval profile on page 147 are sent email notifications so that they can log in to FortiPAM
from the email link. If the request is approved or denied, the status of the request changes to Approved or Denied
respectively in My Requests.
For the approver's email notification, an approver only receives the notification when the
request goes to the corresponding tier where the approver is located.
Request review
Go to Approval Request > Request Review to see a list of secret requests for review.
The Request Review tab looks like the following:
Search Enter a search term in the search field, then hit Enter to search the reviews list.
To narrow down your search, see Column filter.
Approve a request
1. Go to Approval Request > Request Review, select secret request, and then select Edit.
Alternatively, double-click a request to open it.
The Approving secret request window opens.
In Start time and End time, select the Calendar icon and select a new date and time range to
override the requested duration. Alternatively, enter a new date and time range.
3. Click Save.
Before a request is sent to the next tier or is finalized, the approval action can be revoked by the reviewer who approved
it.
If the Request Type is Job, the output of script can be checked in logs.
Once a secret request is approved or denied, the request status appears in the Request Review tab and the status is
updated in the My requests on page 142 tab.
If the request is denied, the user can see the reviewer comments.
Approval flow
To launch secrets where approval from the members of the approval group(s) is required, an approval profile needs to
be set up.
By default, secrets do not require approval to access them. See Enabling approval profiles for
a secret on page 148.
The approval profile defines the number of tiers of approvals required for the user to be able to launch the secret. Each
tier includes the following information:
l The number of approvals required to pass through the tier.
l The users reviewing the secret request.
l The user groups reviewing the secret request.
Approval profile
Go to Approval Profile in Approval Request to see a list of the configured approval profiles.
For every approval profile, the following fields are shown:
l Name
l Type
l Description
l Reference
For secret requests, before the request is finalized, a Deny action from any member of the
approval profile stops the request from going to the subsequent approval tier. The requester is
immediately alerted about the denial of the request.
Create Select to create a new approval profile. See Create an approval profile on page
149.
Search Enter a search term in the search field, then hit Enter to search the approval
profiles list. To narrow down your search, see Column filter.
Number of Approval Tiers The number of approval tiers a secret request is processed through.
Tier-1 Settings
Approvers Select + and from the list, select users in the Select Entries window.
The selected users will review the secret request.
Approver Groups Select + and from the list, select user groups in the Select Entries window.
The selected user groups will review the secret request.
4. Click OK.
Character sets
A character set is a group of varied characters used in password policies. Character sets provide building blocks for
passwords. See Password policies on page 152.
Character Sets in Password Changing displays a list of configured character sets.
For each character set; name, character set, and references are displayed.
Create Select to create a new character set. See Creating a character set on page 152.
Search Enter a search term in the search field, then hit Enter to search the character
sets list. To narrow down your search, see Column filter.
4. Click OK.
Password policies
Using a secure password is vital to prevent unauthorized access. FortiPAM allows you to create password policy for
secret passwords generated by the password changer. See Password changers on page 155.
With password policies, you can enforce specific criteria for a new password, including:
l Minimum length between 8 and 64 characters.
l Maximum length up to 64 characters.
l The password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
l The password must contain numbers (1, 2, 3).
l The password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
Password policies can only be applied to a secret template when Password Changer is
enabled for the template.
Password policies are not applicable to SSH keys (Password changer Type is SSH with Public
Key).
For each password policy; name, password requirement, minimum length, maximum length, and references are
displayed.
Create Select to create a new password policy. See Creating a password policy on page 153.
Search Enter a search term in the search field, then hit Enter to search the password
policies list. To narrow down your search, see Column filter.
Password Requirements The requirements for the password to be successfully created. See Password
Requirements.
4. Click OK.
Password Requirements
Minimum Number The minimum number of characters from the Character Set (default = 1).
Character Set From the dropdown, select a character set or create a new character set
(default = lower). See Creating a character set on page 152.
Use the pen icon next to the character set to edit it.
3. Click OK.
From the list, select a requirement and then select Edit to edit the requirement.
From the list, select requirements and then select Delete to delete the requirements.
3. In the Password Changer pane, from the Password Policy dropdown, select a password policy or create a new
password policy. See Creating a password policy on page 153 and Creating secret templates on page 80.
4. Click OK.
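A policy is a length range plus a list of (character set, minimum number) requirements. The Python below is an added example of generating a password that meets such a policy and of checking an existing one against it; it is not the password changer's own generator. The character set contents are constructed (the page names a default set called lower; the other names are assumptions), and the 8 - 64 bounds are the ones the page gives.

```python
"""Generate and check secret passwords against a character-set policy (added example)."""
import secrets
import string

# Constructed character sets; "lower" is the page's default, the rest are assumptions.
CHARACTER_SETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "number": string.digits,
    "special": "!@#$%^&*()",
}

MIN_ALLOWED, MAX_ALLOWED = 8, 64   # length bounds stated on the page


def _validate(requirements, min_length, max_length):
    if not (MIN_ALLOWED <= min_length <= max_length <= MAX_ALLOWED):
        raise ValueError(f"lengths must satisfy {MIN_ALLOWED} <= min <= max <= {MAX_ALLOWED}")
    if sum(n for _, n in requirements) > max_length:
        raise ValueError("character requirements cannot be met within the maximum length")
    for name, n in requirements:
        if name not in CHARACTER_SETS or n < 0:
            raise ValueError(f"bad requirement {name!r}: {n}")


def check_password(password, requirements, min_length, max_length):
    """Return the list of violated rules; an empty list means the password is compliant."""
    _validate(requirements, min_length, max_length)
    problems = []
    if not (min_length <= len(password) <= max_length):
        problems.append(f"length {len(password)} outside [{min_length}, {max_length}]")
    for name, n in requirements:
        have = sum(1 for ch in password if ch in CHARACTER_SETS[name])
        if have < n:
            problems.append(f"needs at least {n} from {name}, has {have}")
    return problems


def generate_password(requirements, min_length, max_length):
    """Satisfy every (character set, minimum number) requirement, then pad to min_length."""
    _validate(requirements, min_length, max_length)
    chars = []
    for name, n in requirements:
        pool = CHARACTER_SETS[name]
        chars.extend(secrets.choice(pool) for _ in range(n))
    # Pad from the union of the policy's sets so every character is policy-approved.
    union = "".join(sorted({ch for name, _ in requirements for ch in CHARACTER_SETS[name]}))
    while len(chars) < min_length:
        chars.append(secrets.choice(union))
    # Fisher-Yates shuffle driven by the CSPRNG so the required characters do not sit
    # at fixed positions; random.shuffle uses a non-cryptographic generator.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    policy = [("lower", 3), ("upper", 2), ("number", 2), ("special", 1)]
    pw = generate_password(policy, 16, 64)
    print(pw, check_password(pw, policy, 16, 64))
```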
Password changers
A password changer can be configured for a custom secret template to periodically change the password of a secret and
periodically check the health of a secret.
For each password changer, the name, type, changers, verifiers, change mode, verify mode, description, and references
are displayed.
Create Select to create a new password changer. See Creating a password changer on
page 156.
Search Enter a search term in the search field, then hit Enter to search the password
changers list. To narrow down your search, see Column filter.
1. Log in to FortiPAM with an account that has sufficient permission to create a password changer.
2. Go to Password Changing > Password Changers.
3. Select Create to create a new password changer.
The New Password Changer window opens.
Type From the dropdown, select the password changer type:
l Open LDAP
l Samba
l SSH with Public Key
l SSH with Password (default)
Change Mode From the dropdown, select how the password is changed:
l Associated Secret: The associated secret changes the password of this secret.
See Associated Secret option when Creating a secret on page 51.
l Self: Secret can change its password (default).
Verify Mode From the dropdown, select how the password is verified:
l Associated Secret: The associated secret verifies the password of this secret.
See Associated Secret option when Creating a secret on page 51.
l Self: Secret can verify its password (default).
The option is available only when the Type is SSH with Public Key or SSH with Password.
The option is available only when the Type is SSH with Public Key or SSH with Password.
5. Click OK.
Changers
l Expect
l Expect Prompt
l $PASSWORD
l $PASSPHRASE
l $NEWPASSWD
l $NEW_PUB_KEY
l $NEW_PRI_KEY
l $[0].$
l $PUB_KEY
Note: $[0].$ can be used when an associated secret is configured. In this case,
$[0].$USER means the username of the associated secret and
$[0].$PASSWORD means the password of the associated secret.
Expect Action From the dropdown, select from the following three options:
l Abort procedure on string not matched
Delay (ms) The maximum waiting time for the current action, in ms (default = 50, 50 - 20000).
To reorder the changer sequence, drag from the sequence number and then drop.
3. Click OK.
From the list, select a changer and then select Edit to edit the changer.
From the list, select changers and then select Delete to delete the changers.
Verifiers
l Expect
l Expect Prompt
l $PASSWORD
l $PASSPHRASE
l $NEWPASSWD
l $NEW_PUB_KEY
l $NEW_PRI_KEY
l $[0].$
l $PUB_KEY
Note: $[0].$ can be used when an associated secret is configured. In this case,
$[0].$USER means the username of the associated secret and
$[0].$PASSWORD means the password of the associated secret.
Expect Action From the dropdown, select from the following three options:
l Abort procedure on string not matched
Delay The maximum waiting time for the current action, in ms (default = 50, 50 - 20000).
To reorder the verifier sequence, drag from the sequence number and then drop.
3. Click OK.
From the list, select a verifier and then select Edit to edit the verifier.
From the list, select verifiers and then select Delete to delete the verifiers.
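The changer and verifier sequences above are expect-style scripts: each step waits for a string from the target, then sends a line in which $PASSWORD, $NEWPASSWD and $[0].$USER are expanded. The following Python, added here as an illustration and not FortiPAM's own engine, runs such step lists against a constructed login/passwd state machine that stands in for an SSH target. It shows a Self change, a change driven by an associated secret, and a verifier that aborts on string not matched once the stored password is stale. The step keys (expect, send), the stand-in host and its prompts are assumptions of this example; Delay is not modelled because the stand-in answers synchronously.

```python
import re

class ProcedureAborted(Exception):
    """Raised when a step's Expect string is missing and the Expect Action is 'abort'."""

class FakeUnixHost:
    """Constructed login/passwd state machine standing in for the SSH target (not a real host)."""

    def __init__(self, users, admins=()):
        self.users, self.admins = dict(users), set(admins)
        self.connect()

    def connect(self):  # each procedure runs in a fresh session, like a new SSH login
        self.state, self.who, self.target, self.new = "login", None, None, None
        self.out = "login: "

    def read(self):
        out, self.out = self.out, ""
        return out

    def send(self, line):
        s = self.state
        if s == "login":
            self.who, self.state, self.out = line, "password", "Password: "
        elif s == "password":
            ok = self.users.get(self.who) == line
            self.state, self.out = ("shell", "$ ") if ok else ("login", "Login incorrect\nlogin: ")
        elif s == "shell":
            if line == "exit":
                self.state, self.out = "login", "logout\n"
            elif line == "passwd":  # changing your own password requires the current one
                self.target, self.state, self.out = self.who, "current", "Current password: "
            elif line.startswith("passwd ") and self.who in self.admins:  # privileged reset
                self.target, self.state, self.out = line.split()[1], "new", "New password: "
            else:
                self.out = f"{line}: permission denied\n$ "
        elif s == "current":
            ok = self.users[self.target] == line
            self.state, self.out = ("new", "New password: ") if ok else ("shell", "passwd: Authentication failure\n$ ")
        elif s == "new":
            self.new, self.state, self.out = line, "retype", "Retype new password: "
        elif s == "retype":
            if line == self.new:
                self.users[self.target] = line
                self.out = "passwd: password updated successfully\n$ "
            else:
                self.out = "Sorry, passwords do not match.\n$ "
            self.state = "shell"

_VAR = re.compile(r"\$\[0\]\.\$(\w+)|\$(\w+)")  # $[0].$NAME: associated secret; $NAME: the secret itself

def substitute(template, secret, associated=None):
    def repl(m):
        if m.group(1):
            if associated is None:
                raise KeyError("template uses $[0] but no associated secret is configured")
            return associated[m.group(1)]
        return secret[m.group(2)]
    return _VAR.sub(repl, template)

def run_procedure(host, steps, secret, associated=None):
    """Each step waits for step['expect'] in the target output, then sends step['send'] with variables expanded.
    Only 'Abort procedure on string not matched' is modelled; the step keys are this example's, not the GUI's."""
    host.connect()
    output, trace = host.read(), []
    for step in steps:
        if step["expect"] not in output:
            raise ProcedureAborted(f"expected {step['expect']!r} but got {output.strip()!r}")
        trace.append(f"{step['expect']!r} -> {step['send']}")  # log the template, never the expanded secret
        host.send(substitute(step["send"], secret, associated))
        output = host.read()
    return trace

CHANGE_SELF = [  # Type SSH with Password, change mode Self: the secret changes its own password
    {"expect": "login:", "send": "$USER"},
    {"expect": "Password:", "send": "$PASSWORD"},
    {"expect": "$ ", "send": "passwd"},
    {"expect": "Current password:", "send": "$PASSWORD"},
    {"expect": "New password:", "send": "$NEWPASSWD"},
    {"expect": "Retype new password:", "send": "$NEWPASSWD"},
    {"expect": "updated successfully", "send": "exit"},
]
CHANGE_VIA_ASSOCIATED = [  # an associated privileged secret resets the target secret's password
    {"expect": "login:", "send": "$[0].$USER"},
    {"expect": "Password:", "send": "$[0].$PASSWORD"},
    {"expect": "$ ", "send": "passwd $USER"},
    {"expect": "New password:", "send": "$NEWPASSWD"},
    {"expect": "Retype new password:", "send": "$NEWPASSWD"},
    {"expect": "updated successfully", "send": "exit"},
]
VERIFY = [  # reaching the shell prompt proves the stored password still works
    {"expect": "login:", "send": "$USER"},
    {"expect": "Password:", "send": "$PASSWORD"},
    {"expect": "$ ", "send": "exit"},
]
```

Two details matter in practice. The trace records the template, never the expanded value, so that a failed rotation can be diagnosed without a cleartext password landing in a log. And a verifier is only as good as its last expect: checking for the shell prompt rather than merely for the absence of "Login incorrect" is what makes a stale or locked account show up as a failure.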
See Automatic password changing on page 162 and Automatic password verification on page 163.
A password changer linked to a secret template can be activated to periodically change the password in a secret that
uses this secret template.
If Automatic Password Changing is enabled then the Password Changer Status shows the
amount of time after which the password is automatically changed.
A password changer linked to a secret template can be activated to periodically verify the password, and check if the
target server is still available for a secret that uses this secret template.
If Automatic Password Verification is enabled then the Password Verification Status shows
the amount of time after which the password is automatically verified.
Addresses
+Create New From the dropdown, select Address or Address Group to create an address or an
address group.
See Creating an address on page 165 and Creating an address group on page 170.
Search Enter a search term in the search field, then hit Enter to search the list. To
narrow down your search, see Column filter.
Refresh To refresh the contents, click the refresh icon on the bottom-right.
Creating an address
To create an address:
l Proxy Address
Color Select Change, and from the color palette choose a color.
Type From the dropdown, select from the following options when the Category is
Address:
l Subnet (default)
l IP Range
l FQDN
l addr_type_fqdn-group
l Geography
l Dynamic
l Device (MAC Address)
From the dropdown, select from the following options when the Category is
Proxy Address:
l Host Regex Match
Sub Type From the dropdown, select from the following options:
l ClearPass
Note: The option is only available when the Category is Address and the Type
is Dynamic.
SDN connector From the dropdown, select an SDN connector or create a new SDN connector.
Use the pen icon next to the SDN connector to edit it.
SPT (System Posture Token) From the dropdown, select from the following options:
l Checkup
l Healthy
l Infected
l Quarantine
l Transient
l Unknown (default)
Note: The option is only available when the Category is Address, Type is
Dynamic and the Subtype is ClearPass.
FSSO Group Select +, and in Select Entries, select FSSO groups or create an FSSO group,
click Close.
The address for the selected FSSO group is dynamically retrieved.
Use the pen icon next to the FSSO group to edit it.
MAC address Enter a MAC address. Select + to add a range of MAC addresses.
Note: The option is only available when the Category is Address and the Type is Device (MAC Address).
Host For Proxy Address, from the dropdown, select a host or create a host address,
address group, or proxy address.
URL Category Select +, and in Select Entries, select web filter categories or create a new
external connector.
Note: The option is only available when the Category is Proxy Address and the
Type is URL Category or Advanced (Destination).
Note: The option is only available when the Category is Proxy Address and the
Type is URL List.
Request Method Select +, and in Select Entries, select methods, and click Close.
Note: The option is only available when the Category is Proxy Address and the
Type is HTTP Method or Advanced (Source).
Note: The option is only available when the Category is Proxy Address and the
Type is User Agent or Advanced (Source).
Note: The option is only available when the Category is Proxy Address and the
Type is Advanced (Source).
Static route configuration Enable static route configuration to allow the address to be used in a static
route.
Note: The option is disabled by default and is only available when the
Category is Address and the Type is one of the following:
l Subnet
l IP Range
l FQDN
4. Click OK.
l Proxy Group
Color Select Change, and from the color palette choose a color.
Excluded members Enable, and select + to add members to be excluded or create addresses and
address groups to be excluded, click Close.
Note: The option is disabled by default and only available when Category is
IPv4 Group.
Static route configuration Enable static route configuration to allow the address group to be used in a
static route.
Note: The option is disabled by default and only available when Category is
IPv4 Group.
4. Click OK.
The Scheme & Rules tab in Authentication displays a list of the configured authentication rules and schemes.
An authentication scheme defines the method of authentication that is applied. By default, fortipam_auth_scheme and
fortipam_token_scheme authentication schemes are available.
In accordance with PAM design, you should avoid changing the default authentication
schemes.
An authentication rule defines the proxy sources and destinations that require authentication, and which authentication
scheme to apply.
For each authentication scheme, the following columns are displayed:
l Name
l Method
l User database
l Reference
l Authentication Scheme
l Comments
+Create New From the dropdown, select either Authentication Rule or Authentication Scheme
to create an authentication rule or authentication scheme respectively. See
Creating an authentication scheme on page 173 and Creating an authentication
rule on page 180.
Search Enter a search term in the search field, then hit Enter to search. To narrow down
your search, see Column filter.
Refresh To refresh the contents, click the refresh icon on the bottom-right.
Use the toggle on the top-right to switch between Authentication Rules and Authentication
Schemes.
Changes to the authentication rule sequence apply to both proxy policies and ZTNA rules.
Method Select +, from Select Entries, select one or more of the following options and
then click Close:
User database Select +, and in Select Entries, select remote servers (LDAP, RADIUS,
TACACS+) and user groups then click Close.
You can also create new remote servers and user groups by selecting
+Create. See LDAP servers on page 127, RADIUS servers on page 134, and
User groups on page 113.
Use the pen icon next to a server or user group to edit it.
l Digest
l Form-based
l SAML
l SSH Public Key
l x-auth-user
l Digest
l Negotiate
l NTLM
Kerberos keytab From the dropdown, select a Kerberos Keytab or create a Kerberos Keytab.
See Creating a new kerberos keytab on page 176.
Domain Controller Enable/disable adding domain controllers, and from the dropdown, select a
domain controller or create a domain controller. See Creating a new domain
controller on page 177.
Note: The option is disabled by default when the Method is Negotiate.
FSSO Agent Enable/disable using FSSO agent when the Method is Negotiate. From the
dropdown, select an FSSO agent or create an FSSO agent. See Creating an
FSSO agent on page 178.
Note: The option is disabled by default.
SAML SSO server From the dropdown, select a SAML SSO server.
Note: The option is only available when the Method is SAML.
User database From the dropdown, select a user database server or create a user database
server.
SAML Timeout Enter the SAML authentication timeout, in seconds (default = 120).
Note: The option is only available when the Method is SAML.
4. Click OK.
1. In step 3 when Creating an authentication scheme on page 173 where the selected method is Negotiate, from the
Kerberos keytab dropdown, select +Create.
The New Kerberos Keytab window opens:
Principal Enter the unique identity that Kerberos uses to assign tickets to.
Note: Use / to separate components of the principal.
LDAP server From the dropdown, select an LDAP server or create an LDAP server. See
LDAP servers on page 127.
Keytab Enter the pre-shared key, or select Upload to locate the Base64-encoded
keytab file on your local computer.
3. Click OK.
1. In step 3 when Creating an authentication scheme on page 173 where the selected method is Negotiate or NTLM,
from the Domain Controller dropdown, select +Create.
If the Method is set as Negotiate, enable Domain Controller.
Port The port number for the port to be used to communicate with the domain
controller (default = 445).
LDAP server From the dropdown, select an LDAP server or create an LDAP server. See
LDAP servers on page 127.
3. Click OK.
1. In step 3 when Creating an authentication scheme on page 173 where the selected method is Negotiate, enable
FSSO Agent.
2. From the FSSO Agent dropdown, select +Create.
The New External Connector window opens.
3. Select FSSO Agent on Windows AD.
Primary FSSO agent Enter the FSSO agent server IP address or name, and the password.
Select + to add additional FSSO agents.
To import a certificate:
User group source Select from the following options:
l Collector Agent: User groups are retrieved from the collector agent.
l Local: User groups are specified in the FortiPAM configuration.
LDAP server From the dropdown, select an LDAP server or create an LDAP server. See
LDAP servers on page 127.
Note: The option is only available when the User group source is Local.
Proactively retrieve from LDAP server Enable to configure the search filter and Interval (in minutes).
Note: The option is only available when the User group source is Local, and is
disabled by default.
Users/Groups Click Apply and Refresh to fetch group filters from the collector agent.
Note: The option is only available when the User group source is Collector
Agent.
5. Click OK.
Source Interface From the dropdown, select a source interface or create an interface.
Use the pen icon next to a source interface to edit the interface.
Source Address Select +, and from Select Entries, select source addresses, all or none. You
can also create a new source address.
Use the pen icon next to a source address to edit the source address.
Authentication Scheme Enable Authentication Scheme to use an authentication scheme and then
from the dropdown, select which authentication scheme to use. You can also
create a new authentication scheme. See Creating an authentication scheme
on page 173.
Enable This Rule Select Enable or Disable to control whether the authentication rule is used or
ignored.
Note: The option is enabled by default.
4. Click OK.
Go to System to manage and configure the basic system options for FortiPAM.
You can also manage and update the firmware for FortiPAM, set up SNMP and an HA cluster, manage certificates,
configure ZTNA-related settings, and configure automated backup.
System contains the following tabs:
l Firmware on page 182
l Settings on page 182
l SNMP on page 186
l High availability on page 194
l Certificates on page 202
l ZTNA on page 211
l Backup on page 226
Firmware
Periodically, Fortinet issues firmware upgrades that fix known issues, add new features and functionality, and generally
improve your FortiPAM experience.
Before proceeding to upgrade the system, Fortinet recommends that you back up the configuration. See Backup and
restore on page 15.
To be able to upgrade the firmware, you must first register your FortiPAM with Fortinet. See Licensing on page 30.
To upgrade the firmware from FortiPAM GUI, see Uploading a firmware on page 14.
Always review all sections in FortiPAM Release Notes prior to upgrading your device.
Settings
Go to System > Settings to access system configuration that you can update after installing FortiPAM.
System time
Current system time The current date and time on the FortiPAM internal clock or NTP servers.
Time Zone From the dropdown, select a timezone.
Set Time Select from the following options:
l NTP: The NTP (Network Time Protocol) server (default).
l Manual Settings
Select Server Select a server from the following two options:
l FortiGuard (default)
l Custom
Note: The option is only available when Set Time is NTP.
Custom Server IP Address The custom server IP address.
Note: The option is only available when Set Time is NTP and the Select Server
is Custom.
Sync interval Enter how often, in minutes, that the device synchronizes its time with the NTP
server (default = 60, 1 - 1440).
Note: The option is only available when Set Time is NTP.
Date Enter the date or select the calendar icon, and from the dropdown, select a
date.
Note: The option is only available when Set Time is Manual Settings.
Time Enter the time or select the clock icon, and from the dropdown, select a time.
Note: The option is only available when Set Time is Manual Settings.
Setup device as local NTP server Select True to configure the FortiPAM as a local NTP server (default = False).
Listen on Interfaces Set the interface or interfaces that the FortiPAM will listen for NTP requests on.
Note: The option is only available when Setup device as local NTP server is
set as True.
View Settings
Language From the dropdown, select a language.
Date/Time display Select from the following two options:
Email Service
Use custom settings Enable to edit options in the Email Service pane.
SMTP Server The SMTP server IP address or the hostname, e.g., smtp.example.com.
Port The SMTP server port number.
The connection to the SMTP server uses one of the following transport security modes:
l SMTPS (default)
l STARTTLS
Default Reply To Optionally, enter the reply to email address, such as
noreply@example.com.
This address will override the Email from email address that is configured for
an alert email. See Email alert settings on page 270.
Debug Logs
Debug Logs Select Download to export the debug logs to your computer as a text file.
PAM Settings
Enforce recording on glass breaking In glass breaking mode, the administrator has permission to launch all secrets.
This setting enforces video recording on all launched sessions (default = enable).
Video Storage Limit The maximum percentage of the video disk partition size that can be used for
storing FortiPAM session video recordings (default = 95, 10 - 100).
Video Storage Mode From the dropdown, select a PAM session video recording storage mode
(default = Rolling):
l Rolling: Evict the oldest PAM video recording within the Video Storage
Video Storage Time The number of days for which a video is stored. Video files are removed from
FortiPAM once the time has elapsed (default = 365, 0 - 36500).
Note: The option is only available when the Video Storage Mode is Rolling.
Recording Resolution From the dropdown, select a resolution for the PAM video recordings:
l 480p
l 720p (default)
l 1080p
Recording FPS Enter the PAM video recording frame rate (default = 2, 1 - 15).
Recording Color Depth From the dropdown, select a color depth (default = 16 Bit Color Depth):
l 16 Bit Color Depth
3. Click Apply.
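As an added example that is not FortiPAM code, the following Python models how Video Storage Limit and Video Storage Time combine in Rolling mode: recordings past the retention time are removed first, then the oldest remaining recordings are evicted until usage is at or below the limit percentage of the video partition. The Recording type, the treatment of 0 days as no age limit and the exact eviction order are this example's assumptions; the point is to size the partition before enforcing recording on every launched session, because once the limit is reached the oldest evidence is what disappears.

```python
"""Rolling-mode retention for session recordings: age limit first, then oldest-first eviction to the limit."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recording:
    name: str
    size_bytes: int
    age_days: int


def plan_rolling_eviction(recordings, partition_bytes, limit_percent=95, storage_days=365):
    """Return (keep, evict), both ordered oldest-first.

    Semantics are this example's reading of the settings: recordings older than storage_days go first
    (0 is taken to mean no age limit), then the oldest remaining recordings are evicted until the total
    is at or below limit_percent of the video partition. The bounds match the GUI ranges."""
    if not 10 <= limit_percent <= 100:
        raise ValueError("Video Storage Limit must be 10-100 percent")
    if not 0 <= storage_days <= 36500:
        raise ValueError("Video Storage Time must be 0-36500 days")
    oldest_first = sorted(recordings, key=lambda r: r.age_days, reverse=True)
    expired = lambda r: storage_days and r.age_days > storage_days
    evict = [r for r in oldest_first if expired(r)]
    keep = [r for r in oldest_first if not expired(r)]
    budget = partition_bytes * limit_percent // 100
    used = sum(r.size_bytes for r in keep)
    while keep and used > budget:
        victim = keep.pop(0)          # the oldest recording still present
        evict.append(victim)
        used -= victim.size_bytes
    return keep, evict


if __name__ == "__main__":
    # Constructed inventory: sizes in bytes and ages in days, not real recordings.
    inventory = [Recording("a.mp4", 300, 400), Recording("b.mp4", 300, 100),
                 Recording("c.mp4", 150, 10), Recording("d.mp4", 100, 1)]
    keep, evict = plan_rolling_eviction(inventory, partition_bytes=1000, limit_percent=50)
    print("evict:", [r.name for r in evict], "keep:", [r.name for r in keep])
```

Run the function against a directory listing of the recordings you must retain for audit; if anything in evict is still inside your retention obligation, the partition or the limit is too small.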
SNMP
The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure
the hardware, such as the FortiPAM SNMP agent, to report system information and traps.
SNMP traps alert you to events that happen, such as a log disk becoming full, or a virus being detected. These traps are
sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application that can read
the incoming traps and event messages from the agent and can send out SNMP queries to the SNMP agents.
By using an SNMP manager, you can access SNMP traps and data from any FortiPAM interface configured for SNMP
management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiPAM unit it
will be monitoring. Otherwise, the SNMP manager will not receive any traps from, and be unable to query, that FortiPAM
unit.
When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files to the
unit, regardless of whether or not your SNMP manager already includes standard and private MIBs in a ready-to-use,
compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP manager. See
Fortinet MIBs on page 189 for more information.
The FortiPAM SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only
access to FortiPAM system information through queries and can receive trap messages from the unit.
The FortiPAM SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication
and privacy can be configured in the CLI or the GUI.
For security reasons, Fortinet recommends that neither “public” nor “private” be used for
SNMP community names.
If you want to allow SNMP access on an interface, you must go to Network > Interfaces and
select SNMP in Administrative Access in the settings for the interface that you want the SNMP
manager to connect to.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which
you can use to select the columns to display or to reset all the columns to their default settings.
You can also drag column headings to change their order.
Download Fortinet Core MIB File Download the Fortinet MIB file. See Fortinet MIBs on page 189.
System Information
SNMP Agent Enable the FortiPAM SNMP agent. See SNMP agent on page 190.
SNMP v1/v2c
Enable to see the list of the communities for SNMP v1/v2c (disabled by default). From within this section, you can
create, edit or remove SNMP communities.
Create New Creates a new SNMP community. When you select Create New, the New SNMP
Community page opens. See Creating or editing an SNMP community on page
190.
Edit Modifies settings within an SNMP community. When you click Edit, the Edit
SNMP Community page opens.
Delete Removes an SNMP community from the list.
To remove multiple SNMP communities, select multiple rows in the list by holding
down the Ctrl or Shift keys and then select Delete.
Status Enable or disable the SNMP community.
Name The name of the community.
Queries Indicates whether query protocols (v1 and v2c) are enabled or disabled. A green
check mark indicates that queries are enabled; a red x indicates that queries are
disabled.
Traps Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A green
check mark indicates that traps are enabled; a red x indicates that traps are
disabled.
Hosts List of hosts that are part of the SNMP community.
Events Number of events that have occurred.
Status Indicates whether the SNMP community is enabled or disabled.
SNMP v3
Lists the SNMP v3 users. From within this section, you can edit, create or remove an SNMP v3 user.
Create New Creates a new SNMP v3 user. When you select Create New, the Create New
SNMP User page opens. See Creating or editing an SNMP user on page 192.
Edit Modifies settings within the SNMP v3 user. When you click Edit, the Edit SNMP
User page opens.
Delete Removes an SNMP v3 user from the page.
To remove multiple SNMP v3 users, select multiple rows in the list by holding
down the Ctrl or Shift keys and then select Delete.
Status Enable or disable the SNMP v3 user.
Name The name of the SNMP v3 user.
Security Level The security level of the user.
Queries Indicates whether queries are enabled or disabled. A green check mark indicates
that queries are enabled; a red x indicates that queries are disabled.
Traps Indicates whether traps are enabled or disabled for the SNMP v3 user. A green
check mark indicates that traps are enabled; a red x indicates that traps are
disabled.
Hosts List of hosts.
Fortinet MIBs
The FortiPAM SNMP agent supports Fortinet proprietary MIBs, as well as standard RFC 1213 and RFC 2665 MIBs. RFC
support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to
FortiPAM unit configuration.
There are two MIB files for FortiPAM units; both files are required for proper SNMP data collection:
l Fortinet MIB: contains traps, fields, and information that is common to all Fortinet products.
l FortiPAM MIB: contains traps, fields, and information that is specific to FortiPAM units.
The Fortinet MIB and FortiPAM MIB, along with the two RFC MIBs, are listed in the table in this section.
To download the MIB files, go to System > SNMP and select a MIB link in the SNMP section. See SNMP on page 186.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You
must add the Fortinet proprietary MIB to this database to have access to the Fortinet-specific information.
MIB files are updated for each version of FortiPAM. When upgrading the firmware, ensure that
you update the Fortinet FortiPAM MIB file compiled in your SNMP manager as well.
FORTINET-CORE-MIB.mib The Fortinet MIB includes all system configuration information and trap
information that is common to all Fortinet products. Your SNMP manager requires
this information to monitor FortiPAM unit configuration settings and receive traps
from the FortiPAM SNMP agent.
FORTINET-FORTIPAM-MIB.mib The FortiPAM MIB includes all system configuration information and trap
information that is specific to FortiPAM units. Your SNMP manager requires this
information to monitor FortiPAM configuration settings and receive traps from the
FortiPAM SNMP agent. FortiManager systems require this MIB to monitor
FortiPAM units.
Normally, to get configuration and status information for a FortiPAM unit, an SNMP manager would use an SNMP get
command to get the information in a MIB field. The SNMP get command syntax would be similar to:
snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}
where:
l <community_name> refers to the SNMP community name added to the FortiPAM configuration. You can add
more than one community name to a FortiPAM SNMP configuration. The most commonly used community name is
public. For security reasons, Fortinet recommends that neither public nor private be used for SNMP community
names.
l <address_ipv4> is the IP address of the FortiPAM interface that the SNMP manager connects to
l {<OID> | <MIB_field>} is the object identifier for the MIB field or the MIB field name itself.
For example, to retrieve the serial number of the FortiPAM device, the following command could be issued:
snmpget -v2c -c fortinet 192.168.1.110 1.3.6.1.4.1.12356.100.1.1.1.0
iso.3.6.1.4.1.12356.100.1.1.1.0 = STRING: "FPXVM2TM22000445"
In this example, the community name is fortinet, the IP address of the interface configured for SNMP management
access is 192.168.1.110. The serial number of the FortiPAM device is queried using the OID:
1.3.6.1.4.1.12356.100.1.1.1.0.
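The snmpget line above is what the manager sends on UDP port 161. The following Python, an added example that is not from the guide or from Fortinet, builds that SNMPv2c GetRequest byte for byte with ASN.1 BER, constructs the GetResponse an agent would return, and parses it back. Encoding it by hand makes the reason for the community-name advice visible: in v1 and v2c the community name sits in cleartext inside every packet, which is why SNMP v3 with authentication and privacy is preferred anywhere the management network is not fully isolated. The OID and serial number are the guide's; the request ID, the agent-side response and the function names are this example's.

```python
"""Hand-built SNMPv2c GetRequest/GetResponse (ASN.1 BER) for the serial-number OID from the guide."""
import os

SERIAL_OID = "1.3.6.1.4.1.12356.100.1.1.1.0"  # instance queried in the guide's snmpget example
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2          # context-specific PDU tags


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_integer(value):
    n = value.bit_length() // 8 + 1  # minimal two's-complement width
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # the first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128 with the high bit set on every byte but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _message(version, community, pdu_tag, request_id, varbinds):
    pdu = _tlv(pdu_tag, encode_integer(request_id) + encode_integer(0) + encode_integer(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, encode_integer(version) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid, request_id=None):
    """Manager side: GetRequest with a NULL placeholder value. Version 1 on the wire means SNMPv2c."""
    if request_id is None:
        request_id = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    return _message(1, community, GET_REQUEST, request_id, _tlv(0x30, encode_oid(oid) + b"\x05\x00"))


def build_get_response(community, request_id, oid, text):
    """Agent side, constructed for this example: GetResponse carrying an OCTET STRING value."""
    return _message(1, community, GET_RESPONSE, request_id, _tlv(0x30, encode_oid(oid) + _tlv(0x04, text.encode())))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_get_response(packet):
    """Return {'community', 'request_id', 'varbinds'}; OCTET STRING values are decoded, others left as bytes."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)  # readable by anyone who captures the datagram
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError(f"unexpected PDU tag 0x{pdu_tag:02x}")
    _, req_id, pos = _read_tlv(pdu, 0)
    _, status, pos = _read_tlv(pdu, pos)
    _, _index, pos = _read_tlv(pdu, pos)
    if any(status):
        raise ValueError(f"agent returned error-status {int.from_bytes(status, 'big')}")
    _, varbinds, _ = _read_tlv(pdu, pos)
    result, pos = {}, 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, p)
        result[decode_oid(oid_body)] = value.decode() if vtag == 0x04 else value
    return {"community": community.decode(), "request_id": int.from_bytes(req_id, "big", signed=True), "varbinds": result}
```

To query a real unit, send build_get_request(...) with socket.sendto to <address_ipv4> port 161 and hand the received datagram to parse_get_response, matching request_id against the one you sent; build_get_response exists only so the example runs offline. A packet capture of the same exchange shows the community name in the clear, which is the check to run before deciding that v1/v2c is acceptable on a given interface.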
SNMP agent
The FortiPAM SNMP agent must be enabled before configuring other SNMP options. Enter information about the
FortiPAM unit to identify it so that when your SNMP manager receives traps from the FortiPAM unit, you will know which
unit sent the information.
An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community,
devices can communicate by sending and receiving traps and other information. One device can belong to multiple
communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.
Add SNMP communities to your FortiPAM unit so that SNMP managers can view system information and receive SNMP
traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP
queries and traps and can be configured to monitor the FortiPAM unit for a different set of events. You can also add the
IP addresses of up to sixteen SNMP managers to each community.
Enabling SNMP v1/v2c and selecting Create New in the SNMP v1/v2c pane opens the New SNMP Community page,
which provides settings for configuring a new SNMP community. Double-clicking a community from the SNMP v1/v2c
table opens the Edit SNMP Community page. Alternatively, select a community from the list and then select Edit to edit
the SNMP community.
Configure the following settings in the New SNMP Community page or Edit SNMP Community page and click OK:
Community Name Enter a name to identify the SNMP community. After you create the SNMP
community, you cannot edit the name.
Hosts
Settings for configuring the hosts of an SNMP community.
IP Address Enter the IP address/netmask of the SNMP managers that can use the settings in
this SNMP community to monitor the unit.
You can also set the IP address to 0.0.0.0 so that any SNMP manager can use
this SNMP community. This removes the source-address restriction, so use it only
together with per-interface SNMP administrative access on a management network.
Host Type Select one of the following: Accept queries and send traps, Accept queries only,
or Send traps only.
X Removes an SNMP manager from the list within the Hosts section.
+ Select to add a blank line to the Hosts list. You can add up to 16 SNMP managers
to a single community.
Queries
Traps
Settings for configuring local and remote ports for both v1 and v2c.
v1 Enabled Enable or disable SNMP v1 traps.
Local Port Enter the local port numbers (162 by default) that the unit uses to send SNMP v1
or SNMP v2c traps to the SNMP managers in this community.
The SNMP client software and the unit must use the same port for traps.
Remote Port Enter the remote port number (162 by default) that the unit uses to send SNMP
traps to the SNMP managers in this community.
The SNMP client software and the unit must use the same port for traps.
v2c Enabled Enable or disable SNMP v2c traps.
SNMP Events
Enable each SNMP event for which the unit should send traps to the SNMP managers in this community.
Note: The CPU usage too high trap's sensitivity is slightly reduced by spreading values out over 8 polling cycles.
This reduction prevents sharp spikes due to CPU intensive short-term events such as changing a policy.
Selecting Create New in the SNMP v3 pane opens the New SNMP User page, which provides settings for configuring a
new SNMP v3 user. Double-clicking a user from the SNMP v3 table opens the Edit SNMP User page. Alternatively,
select an SNMP user and then select Edit to edit the SNMP user.
Configure the following settings in the New SNMP User page or Edit SNMP User page and click OK:
User Name Enter the name of the user. After you create an SNMP user, you cannot change
the user name.
Security Level
Select the type of security level the user will have:
l No Authentication
l Authentication and No Private—Select the authentication algorithm and enter password to use.
l Authentication and Private—Select the authentication and encryption algorithm and enter the passwords to use.
Authentication/Encryption If the security level is set to Authentication and No Private, you can select from the
Algorithm following authentication algorithms:
l MD5
l SHA1 (default)
l SHA224
l SHA256
l SHA384
l SHA512
If the security level is set to Authentication and Private, you can also select from
the following encryption algorithms in addition to authentication algorithms:
l AES (default)
l DES
l AES256
l AES256 Cisco
MD5 and DES are offered only for compatibility with older managers. For new deployments, choose SHA256 or
stronger with AES or AES256, since SNMP v3 is the only version that protects the credentials and the
response data on the wire.
Password If the security level is set to Authentication, select Change and enter a password
in the Password field.
Hosts
Settings for configuring the notification hosts of the SNMP v3 user.
IP Address Enter the IP address of the notification host. If you want to add more than one
host, select + to add another host. Up to 16 hosts can be added. Select X to delete
any hosts.
Queries
Settings for configuring SNMP v3 queries.
Enabled Enable or disable the query. By default, the query is enabled.
Port Enter the port number in the Port field (161 by default).
Traps
Settings for configuring SNMP v3 traps.
Enabled Enable or disable the trap.
Local Port Enter the local port number (162 by default).
SNMP Events
Select the SNMP events that will be associated with the user.
High availability
Multiple FortiPAM units can operate as a high availability (HA) cluster to provide even higher reliability.
FortiPAM can operate in Active-Passive HA mode.
Active-Passive: Clustered fail-over mode where all of the configuration is synchronized between the devices.
PAM configurations, such as users and secrets, are automatically synced to secondary devices to ensure PAM services
can be operated or recovered when the primary device is down. All tasks are handled by the primary device, and
system events and logs are recorded only on the primary device.
Your FortiPAM device can be configured as a standalone unit or you can configure two FortiPAM devices in the Active-
Passive mode for failover protection.
The following shows FortiPAM devices in Active-Passive mode:
Status, priority, hostname, serial number, role, system uptime, sessions, and throughput are displayed for each unit in
the HA cluster.
The primary unit in an Active-Passive cluster cannot be removed from the cluster.
Before configuring an HA cluster, ensure that interfaces are not using the DHCP mode to get
IP addresses.
Device priority You can set a different device priority for each cluster member to control the
order in which cluster units become the primary unit (HA primary) when the
primary unit fails. The device with the highest device priority becomes the
primary unit (default = 128, 0 - 255).
Since all videos and logs are stored only on the primary device, one FortiPAM should be
configured with a higher priority. With Override enabled, the unit with the highest device
priority always becomes the primary unit.
Cluster Settings
Group name Enter a name to identify the cluster.
Password Select Change to enter a password to identify the HA cluster. The maximum
password length is 15 characters. The password must be the same for all
cluster FortiPAM units before the FortiPAM units can form the HA cluster.
When the cluster is operating, you can add a password, if required.
Monitor interfaces Select the specific ports to monitor or create new interfaces.
Heartbeat interfaces Select the heartbeat interfaces and set a priority for each.
The heartbeat interface with the highest priority processes all heartbeat traffic.
You must select at least one heartbeat interface. If the interface functioning as
the heartbeat fails, the heartbeat is transferred to another interface configured
as a heartbeat interface. If heartbeat communication is interrupted, the cluster
stops processing traffic. Priority ranges from 0 to 512.
When disabling this option to change from HA unicast to multicast, you must reboot all
units in the cluster for the change to take effect.
Peer IP Enter the IP address of the HA heartbeat interface of the other FortiPAM-VM in
the HA cluster.
Note: The option is only available when Unicast Heartbeat is enabled.
Override Enable to use the primary server by default whenever it is available.
Note: The option is enabled by default.
3. Click OK.
HA failover
When the primary FortiPAM is down, the secondary takes the primary role and permanently enters maintenance mode. In
maintenance mode, all critical processes are temporarily suspended. The admin can bring up the original primary device
or disable maintenance mode on the new primary device to resume all FortiPAM features.
Mode Active-Passive.
Except for the device priority, these settings must be the same on all FortiPAM devices in
the cluster.
4. Leave the remaining settings on default. They can be changed after the cluster is in operation.
5. Click OK.
The FortiPAM negotiates to establish an HA cluster. Connectivity with the FortiPAM may
be temporarily lost.
6. Factory reset the other FortiPAM that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.
Changing the host name makes it easier to identify individual cluster units in the cluster
operations.
4. Enable HA
config system ha
set mode active-passive
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end
5. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
6. Repeat steps 1 to 5 on the other FortiPAM devices to join the cluster, giving each device a unique hostname.
You can upgrade the firmware on an HA cluster in the same way as on a standalone FortiPAM. During a firmware
upgrade, the cluster upgrades the primary unit and all of the secondary units to the new firmware image.
Before upgrading a cluster, back up your configuration. See Backup and restore on page 15.
Uninterrupted upgrade
Interrupted upgrade
An interrupted upgrade upgrades all cluster members at the same time. This takes less time than an uninterrupted
upgrade, but it interrupts communication in the cluster.
config system ha
set uninterruptible-upgrade disable
end
Disaster recovery
FortiPAM supports adding a disaster recovery node in a remote site. It uses HA to implement this feature.
The HA primary and secondary nodes are set up in one location, while the HA disaster recovery node is set up in a remote
location. The three nodes form an HA cluster.
On the disaster recovery node, use the following CLI command to enable it:
config system ha
set disaster-recovery-node enable
end
The disaster recovery node has a lower heartbeat interval, in ms (default = 600).
Use the following CLI command to change the interval:
config system ha
set disaster-recovery-hb-interval <integer>
end
A disaster recovery node on a remote site is most likely on a different network segment from the primary. You must
configure a different interface IP, VIP, and gateway for the disaster recovery node based on the network design. In this
case, configure the setting below so that the VIP, system interface, static route, SAML server, and FortiToken Mobile
push configuration are not synchronized among the primary, secondary, and disaster recovery nodes. When HA fails
over to the disaster recovery node, FortiPAM can operate on the disaster recovery node's VIP as well as the other
services.
config system vdom-exception
edit 1
set object firewall.vip
next
edit 2
set object system.interface
next
edit 3
set object router.static
next
edit 4
set object user.saml
next
edit 5
set object system.ftm-push
next
end
Because the above settings are excluded from synchronization, if you need them on the secondary you must edit
them on the secondary manually.
When HA primary, secondary, and disaster recovery nodes use different VIPs, they must be added individually as
service providers on a SAML server. And the SAML server configurations on FortiPAM HA members are also different.
Certificates
+Create/Import From the dropdown, select Certificate, Generate CSR, CA Certificate, Remote
Certificate, and CRL.
See:
l Creating a certificate on page 203
Creating a certificate
To create a certificate
Choose Method
Automatically Provision Certificate Select Use Let's Encrypt to automatically create a certificate using the ACME
protocol with the Let's Encrypt service.
Generate New Certificate Select Generate Certificate to generate a certificate using the self-signed
Fortinet_CA_SSL CA.
Import Certificate Select Import Certificate to import an existing certificate by uploading the file.
Certificate Details
Enter the certificate details and click Create to create a certificate.
Automatically Provision Certificate The certificate will be automatically provisioned using the ACME protocol with
the Let's Encrypt service. It is the easiest way to install a trusted certificate.
Certificate name The name of the certificate.
Domain The public FQDN of FortiPAM.
Note: The option is only available when the Chosen Method is Automatically
Provision Certificate.
Email The email address.
Note: The option is only available when the Chosen Method is Automatically
Provision Certificate.
Set ACME Interface If this is the first time enrolling a server certificate with Let's Encrypt on this
FortiPAM unit, the Set ACME Interface pane opens.
Note: The options in the pane are only available when the Chosen Method is
Automatically Provision Certificate.
ACME Interface Select + and from Select Entries, select ports, or create new interfaces on
which the ACME client will listen for challenges to provision and renew
certificates.
Click OK when you have selected interfaces.
Note: The option is only available when the Chosen Method is Generate New
Certificate.
Common name The common name of the certificate. Enter an FQDN or an IPv4 address.
Note: The option is only available when the Chosen Method is Generate New
Certificate.
Subject alternative name An IP address or FQDN.
Subject alternative names (SAN) allow you to protect multiple host names with
a single SSL certificate. SAN is part of the X.509 certificate standard.
Note: The option is only available when the Chosen Method is Generate New
Certificate.
Update Your List of Trusted Certificate Authorities Select Download CA Certificate to download the Fortinet_CA_SSL
CA to your computer.
Note: The option is only available when the Chosen Method is Generate New
Certificate.
Import Certificate
Note: The option is only available when the Chosen Method is Import
Certificate and the Type is PKCS #12 Certificate or Certificate.
Key file Select +Upload and locate the key file on your local computer.
Note: The option is only available when the Chosen Method is Import
Certificate and the Type is Certificate.
Review
Enable ACME log to see logs related to the certificate created using the ACME protocol.
Note: The option is only available when Chosen Method is Automatically Provision Certificate.
Update Your List of Trusted Certificate Authorities If you have not already downloaded the Fortinet_CA_SSL CA to
your computer, select Download CA Certificate to download it.
Note: The option is only available when the Chosen Method is Generate New
Certificate.
4. Click OK.
Whether you create certificates locally or obtain them from an external certificate service, you need to generate a
Certificate Signing Request (CSR).
When a CSR is generated, a private and public key pair is created for FortiPAM. The generated request includes the
public key of the device and information such as the unit's public static IP address, domain name, or email address. The
device private key remains confidential on the unit.
After the request is submitted to a CA, the CA verifies the information and registers the contact information on a digital
certificate that contains a serial number, an expiration date, and the public key of the CA. The CA then signs the
certificate, after which you can install the certificate on FortiPAM.
To generate a CSR:
Certificate Name Enter a unique name for the certificate request, such as the host name or the
serial number of the device.
Subject Information
ID Type Select the ID type:
l Host IP: Select if the unit has a static IP address. Enter the device IP
Optional Information
Optional information to further identify the device.
Organizational Unit The name of the department.
Key Size If you selected RSA for the Key Type, select the Key size: 1024 Bit, 1536 Bit,
2048 Bit (default), or 4096 Bit.
If you selected Elliptic Curve for the Key Type, select the Curve Name:
secp256r1 (default), secp384r1, or secp521r1.
4. Click OK.
Importing CA certificate
CA root certificates are similar to local certificates; however, they apply to a broader range of addresses or to a whole
company, and they are one step higher up in the organizational chain. Using the local certificate example, a CA root
certificate would be issued for all of www.example.com instead of just the smaller single web page.
You can import a CA certificate to FortiPAM.
To import a CA certificate:
4. Click OK.
Remote certificates are public certificates without a private key. Remote certificates can be uploaded to the FortiPAM
unit.
A certificate revocation list (CRL) is a list of certificates that have been revoked and are no longer usable. This list
includes certificates that have expired, been stolen, or otherwise been compromised. If your certificate is on this list, it
will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the
next CRL will be issued as well as a sequence number to help ensure you have the most current version of the CRL.
CRLs can be imported to FortiPAM.
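The CSR flow described above and the CRL fields described here, as an added example that is not Fortinet's code: a device-side CSR, an issuing CA (constructed for the example, not Fortinet_CA_SSL) that checks and signs it, a CRL carrying a next-update time and sequence number, and the importer-side checks (CA signature, freshness, serial lookup) that should run before a CRL is trusted. Only the Go standard library is used; all names, serial numbers and lifetimes are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// generateCSR (FortiPAM side): the CSR carries the public key, subject and SANs; the private key stays on the unit.
func generateCSR(cn string, dnsNames []string, ips []net.IP) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // secp256r1, the page's Elliptic Curve default
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames, IPAddresses: ips,
	}, key)
	return key, der, err
}

// newCA: a self-signed issuing CA constructed for this example (it is not Fortinet_CA_SSL); crlSign lets it sign CRLs.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // the parsed form carries the generated SubjectKeyId the CRL needs
	return cert, key, err
}

// signCSR (CA side): verify the request's self-signature, then issue a DER certificate with a serial number and expiry.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		IPAddresses:  csr.IPAddresses,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// issueCRL: the revoked serials, the time the next CRL will be issued and a sequence (CRL) number, as the page describes.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revokedSerials []*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revokedSerials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: entries, Number: big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
	}, ca, caKey)
}

// checkAgainstCRL (importer side): confirm the CA signed the CRL, refuse one past NextUpdate, then look up the serial.
func checkAgainstCRL(ca *x509.Certificate, serial *big.Int, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL number %v is stale; a newer CRL has been issued", crl.Number)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", serial)
		}
	}
	return nil
}
```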
To import a CRL:
HTTP
Enable HTTP updating and enter the URL of the HTTP server.
Note: The option is disabled by default.
Note: The pane is only available when the Imported Method is Online Updating.
LDAP
Enable LDAP updating and select an LDAP server from the dropdown or create a new one.
Use the pen icon next to an LDAP server to edit the server.
SCEP
Enable SCEP updating and select a local certificate or create a new certificate for SCEP communication for the
online CRL.
4. Click OK.
ZTNA
For an introduction to Zero Trust Network Access (ZTNA), see Zero Trust Network Access introduction in the FortiOS
Admin Guide.
In System > ZTNA, you can set up ZTNA rules, ZTNA servers, and ZTNA tags.
The ZTNA tab looks like the following:
+Create New Select to create a ZTNA rule, ZTNA server, or a ZTNA tag depending on the tab
you are in.
See:
l Creating a ZTNA rule on page 211
Edit Select to edit the selected ZTNA rule, ZTNA server, or a ZTNA tag.
Delete Select to delete the selected ZTNA rules, ZTNA server, and ZTNA tags.
Search Use the search bar to look for a ZTNA rule, ZTNA server, or a ZTNA tag.
Export From the dropdown, select to export the list of ZTNA rules to your computer as a
CSV file or a JSON file.
Refresh To refresh the contents, click the refresh icon on the bottom-right.
Note: The option may not be available in all the tabs.
A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce
zero-trust, role-based access. Security profiles can be configured to protect this traffic.
l Address Group
l User
l User Group
ZTNA Tag Add the ZTNA tags or tag groups that are allowed access.
ZTNA tags are synchronized from the EMS side.
ZTNA Server From the dropdown, select a ZTNA server or create a ZTNA server.
l Address Group
l User
l User Group
l DENY
Protocol Options From the dropdown, select a protocol or create a new protocol.
Logging Options
Log Allowed Traffic Enable to record any log messages about the accepted traffic.
Select from the following two options:
l Security Events: Record only log messages related to security events
4. Click OK.
To configure a ZTNA server, define the access proxy VIP and the real servers that clients will connect to. The access
proxy VIP is the FortiPAM ZTNA gateway that clients make HTTPS connections to. The service/server mappings define
the virtual host matching rules and the real server mappings of the HTTPS requests.
Network
External interface From the dropdown, select an external interface or create a new interface.
SAML
Note: The option is disabled by default.
SAML SSO server From the dropdown, select a SAML SSO server.
Service/server mapping Select +Create New to create a new service/server mapping. See Creating a
service/server mapping on page 217.
4. Click OK.
1. In step 3 when Creating a ZTNA server on page 215, select +Create New in Service/server mapping.
The New Service/Server Mapping window opens.
l HTTPS (default)
l TCP Forwarding
Note: The option is only available when the Virtual Host is Specify.
Match path by The path can be matched by one of the following three options:
l Substring
l Wildcard
l Regular Expression
Note: The option is not available when the Service is set as TCP Forwarding.
Path The path.
For example, if the virtual host is specified as www.example1.com, and the
path substring is map1, then www.example1.com/map1 will be matched.
Note: The option is not available when the Service is set as TCP Forwarding.
Servers
Select +Create New to create a new server. See Creating a server on page 219.
To edit or delete a server, select a server and then click Edit or Delete.
Load balancing Enable and select one of the following load balancing methods:
l Round Robin: Distribute to servers in round-robin order.
3. Click OK.
Creating a server
To create a server:
1. In step 2 when Creating a service/server mapping on page 217, select +Create New.
The New Server window opens.
Use the pen icon next to the address to edit the address.
After FortiPAM connects to the FortiClient EMS, it automatically synchronizes ZTNA tags.
Hover over a tag name to see more information about the tag, such as its resolved address.
When EMS is set up on FortiPAM, you can only connect to FortiPAM and launch a secret from an endpoint PC with
allowed ZTNA tags. The endpoint PC must have FortiClient installed and be connected to the same EMS server.
Refer to FortiClient EMS Status to check the status of the FortiClient EMS.
If there is an error connecting to the EMS server, log in to the EMS server, authorize FortiPAM in Administration >
Fabric Device, and click Accept in Verify EMS Server Certificate.
For more information, see Fabric Connectors on page 253.
For clients not connected to the same EMS as FortiPAM, configure another access
proxy with a different VIP and client certificate disabled to launch secrets without
device control successfully.
On an EMS server, you can create Zero Trust tagging rules for endpoints based on operating system versions, logged-in
domains, running processes, and other criteria. EMS uses the rules to dynamically group endpoints with different tags.
FortiPAM can use these ZTNA tags in firewall policy to control which endpoint has access. See ZTNA tag control
example on page 222.
In the access proxy, client-cert must be enabled. You can use ztna-ems-tag in the firewall policy to grant endpoints
carrying this tag access to FortiPAM.
1. In the CLI console enter the following commands:
config firewall access-proxy
edit "fortipam_access_proxy"
set vip "fortipam_vip"
set client-cert enable <---
config api-gateway
edit 1
set url-map "/pam"
set service pam-service
next
edit 2
set url-map "/tcp"
set service tcp-forwarding
config realservers
edit 1
set address "all"
next
end
next
edit 3
set service gui
config realservers
edit 1
set ip 127.0.0.1
set port 80
next
end
next
end
next
end
config firewall policy
edit 1
set type access-proxy
set name "FortiPAM_Default"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set access-proxy "fortipam_access_proxy"
set ztna-ems-tag "FCTEMS8822002925_pam-ems-tag-office" <---
set utm-status enable
set groups "SSO_Guest_Users"
set ssl-ssh-profile "deep-inspection"
next
end
When ZTNA control is enforced on FortiPAM, devices without FortiClient installed cannot access FortiPAM.
If you want to grant access to the user using the browser extension-only solution, you can
create multiple ZTNA servers and ZTNA rules to achieve it.
GUI only supports basic ZTNA configuration. It is recommended to use CLI to configure
additional ZTNA rules (config firewall policy) and ZTNA servers (config
firewall access-proxy).
CLI configuration for a user from endpoint installed with FortiClient - example
In this example, a user from an endpoint installed with FortiClient can access FortiPAM via VIP 192.168.1.109
provided that the endpoint contains FCTEMS8822008307_Office_Windows_PC or FCTEMS8822008307_MIS_Team
ZTNA tag.
1. In the CLI console, enter the following commands:
config firewall vip
edit "fortipam_vip"
set type access-proxy
set extip 192.168.1.109
set extintf "any"
set server-type https
set extport 443
set ssl-certificate "Fortinet_SSL"
next
end
config firewall access-proxy
edit "fortipam_access_proxy"
set vip "fortipam_vip"
set client-cert enable
config api-gateway
edit 1
set url-map "/pam"
set service pam-service
next
edit 2
set url-map "/tcp"
set service tcp-forwarding
config realservers
edit 1
set address "all"
next
end
next
edit 3
set service gui
config realservers
edit 1
set ip 127.0.0.1
set port 80
next
end
next
end
next
end
config firewall policy
edit 1
set type access-proxy
set name "FortiPAM_Default"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set access-proxy "fortipam_access_proxy"
set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"
set groups "SSO_Guest_Users"
set ssl-ssh-profile "deep-inspection"
next
end
In this example, users with IP address 192.168.1.2 access FortiPAM via the VIP 192.168.1.108 from an endpoint
with no FortiClient installed or no match with the ZTNA policy in the previous example.
The firewall policy is more restrictive than the previous example and allows fewer source addresses. Also, you can set it
up to allow access within a certain schedule only.
next
end
Backup
FortiPAM configuration contains not only the system settings but also all user information and secret data. It is crucial to
have a backup to avoid data loss. Whenever a hardware failure or system relocation is needed, a new FortiPAM can be
easily set up by restoring the previous backup configuration. In the case of accidentally deleting data, you can retrieve
the original configuration from the backup and paste the data back.
FortiPAM has two ways to back up its configuration:
l Manually trigger from the user menu. See Backup and restore in Admin on page 12.
l Configure automatic, periodic backup to an FTP, SFTP, HTTP, or HTTPS server in System > Backup, as
discussed here.
System events, secret logs, and videos are not contained in the backup configuration file.
Whenever restoring a backup configuration, keep in mind that the secret password or key may
not be the most recent one.
To ensure that all credentials are correct in a configuration file, you can enable maintenance mode first so that no
password changer is executed, and then manually trigger the configuration backup. See Activate maintenance mode in
Admin on page 12.
l SFTP server
l HTTP server
l HTTPS server (default)
Encrypt File Enable and enter a cipher key to encrypt the backup file.
Server Path The path to store the backup file in the server.
Identifier Name The variable name that server uses to identify the file.
Note: Only required for HTTP/HTTPS server type.
Last updated time The date and time when automatic backup was last done (noneditable).
3. Click Apply.
Variables Description
l sftp
l http
l https (default)
server-copyname <string> Enter the copy name of the file (default = files).
filename-pattern {$SN $YYYY $MM $DD $hh $mm $ss $ID} Enter the file name pattern of the backup configuration (default = $ID.conf).
Note: The $ID variable is mandatory in the filename pattern.
interval <integer> Enter an interval for the backup, in minutes (60 - 4294967295, default = 60).
updated-time <integer> The time when the last update was done.
Note: The variable cannot be modified.
If user authentication is not required for HTTP and HTTPS servers, server-user and server-pass variables are not
required.
The following is an example of a PHP file that accepts the submitted backup file. The form field it reads ('file' below)
must match the Identifier Name configured for the HTTP/HTTPS server.
fwd-svr@fwdsvr-virtual-machine:/var/www/html/http_user$ cat upload.php
<?php
// 'file' is the Identifier Name FortiPAM uses when it submits the backup.
// basename() strips any directory part so the upload cannot be written outside backup/.
$name = basename($_FILES['file']['name']);
$temp = $_FILES['file']['tmp_name'];
if (move_uploaded_file($temp, "backup/" . $name)) {
    echo "Your file was uploaded";
} else {
    echo "Your file couldn't upload";
}
?>
The example shows how an administrator can verify system backup configuration and the connection to the backup
server.
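As an added example that is not Fortinet's code: how the filename-pattern variables listed above expand into a backup file name, and the name check a receiving HTTP/HTTPS server (such as the PHP script above) should apply before writing the upload into its backup directory. The serial number and ID value are constructed, and because the page does not define what $ID holds, the example treats it as an opaque string supplied by the caller.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// expandBackupName expands the filename-pattern variables the page lists
// ($SN $YYYY $MM $DD $hh $mm $ss $ID). $ID is mandatory; the page does not define
// its value, so this example treats it as an opaque string supplied by the caller.
func expandBackupName(pattern, serial, id string, t time.Time) (string, error) {
	if !strings.Contains(pattern, "$ID") {
		return "", errors.New("filename-pattern must contain $ID")
	}
	t = t.UTC()
	r := strings.NewReplacer( // case-sensitive, so $MM (month) and $mm (minute) are distinct
		"$SN", serial,
		"$YYYY", fmt.Sprintf("%04d", t.Year()),
		"$MM", fmt.Sprintf("%02d", int(t.Month())),
		"$DD", fmt.Sprintf("%02d", t.Day()),
		"$hh", fmt.Sprintf("%02d", t.Hour()),
		"$mm", fmt.Sprintf("%02d", t.Minute()),
		"$ss", fmt.Sprintf("%02d", t.Second()),
		"$ID", id,
	)
	return r.Replace(pattern), nil
}

// backupNameRe accepts only a bare file name made of the characters a pattern can
// produce, ending in .conf; a name with a directory part or a second extension fails.
var backupNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]+\.conf$`)

// safeBackupName is the check a receiving server should apply to the uploaded
// file name before writing it under its backup directory.
func safeBackupName(name string) bool {
	return backupNameRe.MatchString(name) && !strings.Contains(name, "..")
}
```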
Interfaces
In Network > Interfaces, you can configure the interfaces that handle incoming and outgoing traffic.
For each interface/zone, the name, type, members, IP/netmask, administrative access, and references are displayed.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which
you can use to select the columns to display or to reset all the columns to their default settings.
You can also drag column headings to change their order.
+Create New Select to create an interface or a zone. See Creating an interface on page 233
and Creating a zone on page 236.
Group By Type From the dropdown, group the list of interfaces or zones by type, role, status, or
zone.
Refresh To refresh the contents, click the refresh icon on the bottom-right.
Creating an interface
To create an interface:
Alias Enter an alternate name for a physical interface on the FortiPAM device. This
field appears when you edit an existing interface. The alias does not appear in
logs.
The maximum length of the alias is 25 characters.
l Redundant Interface
l VLAN (default)
Interface Select the name of the physical interface that you want to add a VLAN
interface to. Once created, the VLAN interface is listed below its physical
interface in the Interface list.
VLAN ID Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and
must match the VLAN ID added by the IEEE 802.1Q-compliant router or
switch that is connected to the VLAN subinterface.
The VLAN ID can be edited after the interface is added.
Note: The field is available when Type is set to VLAN.
Role Set the role setting for the interface. Different settings will be shown or hidden
when editing an interface depending on the role:
l LAN: Used to connect to a local network of endpoints. It is the default role.
Estimated bandwidth The estimated WAN bandwidth, in kbps (upstream and downstream).
The values can be entered manually, or saved from a speed test executed on
the interface. These values are used to estimate WAN usage.
Note: The option is only available when the Role is set as WAN.
Address
Addressing mode Select the addressing mode for the interface.
l Manual: Add an IP address and netmask for the interface.
l DHCP: Get the interface IP address and other network settings from a
DHCP server.
IP/Netmask If Addressing mode is set to Manual, enter an IPv4 address and subnet mask
for the interface.
Note: The option is only available when the Addressing mode is Manual.
Retrieve default gateway from server Enable to retrieve the default gateway from the server.
The default gateway is added to the static routing table.
Note: The option is enabled by default.
Note: The option is only available when the Addressing mode is DHCP.
Distance Enter the administrative distance for the default gateway retrieved from the
DHCP server (default = 5, 1 - 255).
Distance specifies the relative priority of a route when there are multiple routes
to the same destination. A lower administrative distance indicates a more
preferred route.
Note: The option is only available when Retrieve default gateway from server
is enabled.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP server instead of
the DNS server IP addresses on the DNS page.
Note: The option is enabled by default.
Note: The option is only available when the Addressing mode is DHCP.
Create address object matching subnet Enable to automatically create an address object that matches the interface
subnet.
Note: The option is enabled by default.
Note: The option is available when Role is set to LAN or DMZ.
Secondary IP address Add additional IPv4 addresses to this interface.
Note: The option is disabled by default.
Note: The option is only available when the Addressing mode is Manual.
Administrative Access
IPv4 Select the types of administrative access permitted for IPv4 connections to this
interface.
Miscellaneous
Comments Optionally, enter comments about the source interface.
Status Enable/disable the source interface.
4. Click OK.
Creating a zone
To create a zone:
Name Name of the zone. You can change the name of the zone after creating it.
Interface members Select the ports to be included in the zone or create new ports.
4. Click OK.
DNS settings
Domain name system (DNS) is used by devices to locate websites by mapping a domain name to a website’s IP
address.
You can specify the IP addresses of the DNS servers to which your FortiPAM unit connects.
To configure DNS settings, go to Network > DNS Settings.
DNS servers Select Use FortiGuard Servers or Specify. If you select Specify, enter the IP
addresses for the primary and secondary DNS servers.
Primary DNS server Enter the IPv4 or IPv6 address for the primary DNS server.
Note: For an IPv4 address, the option is only available to edit when DNS
servers is Specify.
Secondary DNS server Enter the IPv4 or IPv6 address for the secondary DNS server.
Note: For an IPv4 address, the option is only available to edit when DNS
servers is Specify.
Local domain name The domain name to append to addresses with no domain portion when
performing DNS lookups.
DNS Protocols
DNS (UDP/53) Enable or disable the use of clear-text DNS over port 53.
Note: The option is disabled by default and only available to edit when DNS
servers is Specify.
TLS (TCP/853) Enable or disable the use of DNS over TLS (DoT).
Note: The option is enabled by default and only available to edit when DNS
servers is Specify.
HTTPS (TCP/443) Enable or disable the use of DNS over HTTPS (DoH).
Note: The option is disabled by default and only available to edit when DNS
servers is Specify.
SSL certificate From the dropdown, select an SSL certificate or click Create to import a
certificate (default = Fortinet_Factory).
SSL certificate is used by the DNS proxy as a DNS server so that the DNS
proxy can provide service over TLS as well as normal UDP/TCP.
Server hostname The host name of the DNS server (default = globalsdns.fortinet.net).
3. Click Apply.
2. Enable Show modified changes only (enabled by default) to show the modified changes instead of the full
configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.
Packet capture
You can create a filter on an interface to capture a specified number of packets to examine.
Go to Network > Packet Capture to see existing packet capture filters.
For each packet capture filter the following are displayed:
l Interfaces
l Host filter
l Post filter
l VLAN filter
l Protocol filter
l Packets
l Maximum packet count
l Status
Hover over the leftmost edge of the column heading to display the Configure Table icon, which
you can use to select the columns to display or to reset all the columns to their default settings.
You can also drag column headings to change their order.
+Create New Select to create a new packet capture filter. See Creating a packet capture filter
on page 240.
Search Use the search bar to look for a packet capture filter.
Maximum Captured Packets Enter how many packets to collect (default = 4000, 1 - 1000000).
Filters Enable Filters to create filters for host names, ports, VLAN identifiers,
and protocols.
Include Non-IP Packets Select this option if you want to include packets from non-IP protocols.
Note: The option is disabled by default.
API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview.
4. Click OK.
Static routes
Go to Network > Static Routing to see a list of static routes that control the flow of traffic through the FortiPAM device.
For each static route, the destination, gateway IP address, interface, status, and comments are displayed.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which
you can use to select the columns to display or to reset all the columns to their default settings.
You can also drag column headings to change their order.
+Create New From the dropdown, select to create an IPv4 static route. See Creating an IPv4
static route on page 242.
Destination The destination IP addresses and network masks of packets that the FortiPAM
unit intercepts.
Enter the IPv4 address and netmask of the new static route.
Gateway Address The IP addresses of the next-hop routers to which intercepted packets are
forwarded.
Enter the gateway IP address for those packets that you intend to intercept.
Note: Gateway Address is unavailable when the Interface is Blackhole.
Administrative Distance The number of hops the static route has to the configured gateway.
The administrative distance is used to determine the cost of the route. Smaller
distances are considered better routes and are used when multiple paths exist to
the same destination (default = 10, 1 - 255).
Routes with the same distance are considered equal-cost multi-path (ECMP).
Advanced Options
Priority A number for the priority of the static route. Routes with a larger number will
have a lower priority. Routes with the same priority are considered as ECMP
(default = 1 when creating an IPv4 static route, 1 - 65535).
API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview.
4. Click OK.
Security profile
The section contains information about configuring FortiPAM security features, including:
l AntiVirus on page 245
AntiVirus
FortiPAM offers the unique ability to prevent, detect, and remove malware when you transfer files between local PCs and
privileged servers. FortiPAM will detect the potential malware uploaded to or downloaded from the related secret server
if a secret is configured with an antivirus profile. Examples of file launchers include WinSCP, Web SMB, and Web SFTP.
For each antivirus profile, the name, comments, and references are displayed.
Once configured, you can add the antivirus profile to a secret. See Enabling antivirus scan in a secret on page 247.
You can also customize these profiles or create your own profile to inspect specific protocols, remove viruses, analyze
suspicious files with FortiSandbox, and apply botnet protection to network traffic. Note that for the Web SMB and Web
SFTP launchers, you must inspect the HTTP protocol in the AV profile, while for the WinSCP launcher, the SSH protocol
must be inspected.
The AntiVirus tab contains the following options:
Search Enter a search term in the search field, then hit Enter to search the antivirus
profile list.
1. Go to Security Profiles > AntiVirus and select Create New to create a new antivirus profile.
The Create AntiVirus Profile window opens.
l Block: When a virus is detected, prevent the infected files from uploading to or downloading from the target
server. A security log is recorded and available in Log & Report > ZTNA.
l Monitor: When a virus is detected, allow the infected files. A security log is recorded and available in Log &
Report > ZTNA.
Notes:
l HTTP protocol applies to Web SFTP and Web SMB launchers.
3. Click OK.
If the secret does not show up, it may be because you do not have the necessary
permission to access the secret or the folder where the secret is located.
DLP, or Data Loss Prevention, detects and prevents the leakage of sensitive data. Because it blocks the extraction of
sensitive data, it is used both for internal security and for regulatory compliance.
The filters in a DLP sensor can examine traffic for the following:
l Known files using DLP fingerprinting
l Known files using DLP watermarking
l Particular file types
l Particular file names
l Files larger than a specified size
l Data matching a specified regular expression
l Credit card and Social Security numbers
DLP is primarily used to stop sensitive data from leaving your network. DLP can also prevent unwanted data from
entering your network and archive some or all of the content that passes through FortiPAM. DLP archiving is
configured per filter, which allows a single sensor to archive only the required data. You can configure the DLP archiving
protocol in the CLI. Note that DLP can currently only be configured in the CLI, and it applies only to file-transfer-based
launchers (WinSCP, Web SFTP, and Web SMB).
1. In the CLI console, enter the following commands to create a file pattern that filters files by file name pattern
or by file type. In this example, the pattern matches GIFs (by name) and PDFs (by file type):
config dlp filepattern
    edit 11
        set name "sample_config"
        config entries
            edit "*.gif"
                set filter-type pattern
            next
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end
2. Create the DLP sensor (Note: http-get and http-post protocols apply to Web SFTP and Web SMB launchers):
next
end
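The following is an added example written for this page, not FortiPAM's own DLP engine or configuration syntax. It is a small Python DLP-style filter that mirrors the two filepattern entry kinds above (a file-name pattern and a detected file type) together with the sensor checks listed earlier (size threshold, regular expression, credit card numbers with a Luhn check). The magic-byte signatures, the sample files and the card numbers are constructed for the example. It shows why a type entry matters alongside a name pattern: a PDF renamed to .txt evades the name pattern but still matches the pdf type.

```python
import fnmatch
import re
from typing import Optional

# Assumed minimal magic-byte signatures for the two types used in the
# filepattern above; a real DLP engine uses full format parsers.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

def detect_type(data: bytes) -> Optional[str]:
    """Identify the file type from content, ignoring the file name."""
    for ftype, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ftype
    return None

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

CC_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def find_card_numbers(text: str) -> list:
    """Digit runs of card length (spaces/dashes allowed) that pass Luhn."""
    hits = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

class FilePattern:
    """Mirror of 'config dlp filepattern': a list of (filter-type, value)."""
    def __init__(self, entries):
        self.entries = entries

    def matches(self, filename: str, data: bytes) -> list:
        reasons = []
        for kind, value in self.entries:
            if kind == "pattern" and fnmatch.fnmatch(filename.lower(), value.lower()):
                reasons.append(f"pattern:{value}")
            elif kind == "type" and detect_type(data) == value:
                reasons.append(f"type:{value}")
        return reasons

def evaluate(filename: str, data: bytes, filepattern: FilePattern,
             max_size: Optional[int] = None, regex: Optional[str] = None):
    """Return ('block' | 'allow', reasons) for one transferred file."""
    reasons = filepattern.matches(filename, data)
    if max_size is not None and len(data) > max_size:
        reasons.append(f"size>{max_size}")
    text = data.decode("utf-8", errors="ignore")
    if regex is not None and re.search(regex, text):
        reasons.append("regex")
    if find_card_numbers(text):
        reasons.append("credit-card")
    return ("block" if reasons else "allow", reasons)

# Same two entries as the sample_config filepattern above.
SAMPLE_CONFIG = FilePattern([("pattern", "*.gif"), ("type", "pdf")])

# Constructed sample files (not real data).
FILES = {
    "logo.gif": b"GIF89a" + b"\x00" * 20,
    "report.pdf": b"%PDF-1.7\n%...",
    "report.txt": b"%PDF-1.7\n%...",                   # renamed PDF: name pattern misses it, type does not
    "notes.txt": b"card 4111 1111 1111 1111 on file",  # well-known Luhn-valid test number
    "memo.txt": b"ref 4111 1111 1111 1112",            # fails Luhn, so not treated as a card
}

def run_all():
    """Verdict per sample file."""
    return {name: evaluate(name, data, SAMPLE_CONFIG)[0] for name, data in FILES.items()}

if __name__ == "__main__":
    for name, data in FILES.items():
        print(name, *evaluate(name, data, SAMPLE_CONFIG))
```

Run it and report.txt is blocked with the reason type:pdf even though no name pattern covers it, which is the case a name-only filter misses; memo.txt is allowed because its digit run fails the Luhn check.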
Type Description
msoffice Match MS-Office files. For example, DOC, XLS, PPT, and so on.
msofficex Match MS-Office XML files. For example, DOCX, XLSX, PPTX, and so on.
rm Match RM files.
xz Match XZ files.
* This file type is only available in DLP profiles.
The Security Fabric allows your network to automatically see and dynamically isolate affected devices, partition network
segments, update rules, push out new policies, and remove malware.
The Security Fabric is designed to cover the entire attack surface and provide you with complete visibility into your
network. It allows you to collect, share, and correlate threat intelligence between security and network devices, centrally
manage and orchestrate policies, automatically synchronize resources to enforce policies, and coordinate a response to
threats detected anywhere across the extended network. The unified management interface provides you with
cooperative security alerts, recommendations, audit reports, and full policy control across the Security Fabric that will
give you confidence that your network is secure.
See Fabric Connectors on page 253.
Fabric Connectors
Fabric connectors provide integration with Fortinet products to automate the process of managing dynamic security
updates without manual intervention.
In an HA or DR setup, the EMS configuration, such as the server name and IP, is synced to the secondary and DR nodes.
However, each secondary and DR node must be authorized by EMS individually. After configuring HA, it is recommended
that the admin test failover, log in to the new primary, and follow the same procedure to authorize the secondary and DR
nodes on the EMS server.
l FortiClient EMS
l FortiClient EMS Cloud
IP/Domain name The IP address or the domain name of the FortiClient EMS.
HTTPS port The HTTPS port number for the FortiClient EMS (default = 443, 1 - 65535).
EMS Threat Feed Enable to allow FortiPAM to pull FortiClient malware hash from FortiClient
EMS.
Note: The option is enabled by default.
Synchronize firewall addresses Enable to automatically create and synchronize firewall addresses for all EMS tags.
Note: The option is enabled by default.
4. Click OK.
FortiPAM attempts to verify the EMS server certificate.
8. In the Verify EMS Server Certificate window, check the presented certificate details against the certificate on the
EMS server, then select Accept to accept the certificate from the EMS side.
FortiPAM is now successfully connected to the EMS server.
To delete a fabric connector, select it and then select Delete.
FortiAnalyzer logging
FortiAnalyzer is a remote logging server that helps keep an extra copy of logs and videos from FortiPAM.
l Weekly
l Monthly
Day From the dropdown, select a day.
Note: The option is only available when the Upload interval is Weekly.
Date From the dropdown, select a date.
Note: The option is only available when the Upload interval is Monthly.
Time Enter a time or select the clock icon to select a time.
Allow access to FortiPAM REST API Enable/disable FortiPAM REST API access (default = enable).
Verify FortiAnalyzer certificate Enable/disable verifying the FortiAnalyzer certificate (default = enable).
Note: The option is only available when Allow access to FortiPAM REST API is enabled.
5. Click OK.
6. In the window that opens, verify the FortiAnalyzer serial number and click Accept.
7. Check the FortiAnalyzer Status. If the connection is unauthorized, click Authorize to log in to FortiAnalyzer and
authorize FortiPAM.
Logging and reporting are valuable components to help you understand what is happening on your network and to
inform you about network activities, such as system and user events.
Reports show the recorded activity in a more readable format. A report gathers all the log information that it needs, then
presents it in a graphical format with a customizable design and automatically generated charts showing what is
happening on the network.
Go to Log & Report to access the following tabs:
l Events on page 258
l Secret on page 260
l ZTNA on page 263
l SSH on page 265
l Reports on page 265
l Log settings on page 267
l Email alert settings on page 270
Events
Time frame From the dropdown, select from the following time filters:
l 5 minutes
l 1 hour
l 24 hours
l 7 days
In System Events, User Events, or HA Events widgets, select an event to open the
corresponding details tab with all the logs for the event listed in a table.
l Details
The tab displays the related information of each log for a specific event type. The event type can be toggled with the
event type dropdown located right of the search bar. Different filters can be added, such as date/time to filter logs in
a time range.
Download log Select to export the selected log entry to your computer as a text file.
+Add Filter From the dropdown, select a filter, select or add additional details about the
filter to be used and hit Enter.
Note: Logs can be filtered by date and time. The log viewer can be filtered with
a custom range or with specific time frames.
Time frame settings for each Log & Report page are
independent. For example, changing the time frame on the
System Events page does not automatically change the time
frame on the User Events and HA Events pages.
System Events From the dropdown, select from the following event types to display:
l System Events
l User Events
l HA Events
Details Select a log entry and then select Details to see more information about the
log.
Secret
Back Go back to Secret.
Download log Select to export the selected secret session log to your computer as a text file
named secret-xyz-YYYY_MM_DD.txt.
Search Enter a search term in the search field, then hit Enter to search the secret
log list. To narrow down your search, see Column filter.
Secret
Selecting Secret opens all the secret logs. Different subcategories of secret logs are displayed when you click on a
secret log.
Clear Text
Selecting Clear Text shows logs related to viewing passwords. This category of the secret log shows all the information
related to the launching of a secret, uploading of a video, termination of a launched session, and status of a FortiPAM
token.
Check-outs and Check-ins
Selecting Check-outs and Check-ins shows logs related to password check-ins and check-outs. It displays all the
information related to secret check-out and check-in.
Password Changes
Selecting Password Changes shows logs related to password changers. It displays all the information about when a
password changer is triggered on a secret, whether the operation succeeded, and who initiated the
operation. Operations such as password verification or change of password are recorded here.
Secret Video
Selecting Secret Video shows logs related to secret videos. This category of the secret log shows all the videos of
launched secrets from FortiPAM. It is helpful to assist in auditing a user's behavior on the secret, ensuring that no
malicious activity is performed. To view a recorded video of a launched secret, select the log with the operation labelled
as Video Finish, then click the Details button located at the right of the menu button. Once the slider opens up, the
administrator can see the video player.
Secret Request
Selecting Secret Request shows logs related to secret requests. This category of the secret log shows all the information
related to a secret that requires secret approval. It indicates when a request is submitted for a secret or when a request is
approved or denied.
Job
Selecting Job shows all logs related to jobs. This category of secret log keeps track of all the events related to an
execution of a job on a secret. This includes the job name, the user who initiated the job, the type of the job, and whether
the job is executed successfully.
ZTNA
Download Log Select to export the selected ZTNA log to your computer as a text file.
+Add Filter From the dropdown, select a filter, select or add additional details about the filter
to be used and hit Enter.
Note: Logs can be filtered by date and time. The log viewer can be filtered with a
custom range or with specific time frames.
SSH
Back Go back to SSH.
Download log Select to export the selected SSH log to your computer as a text file.
Search Enter a search term in the search field, then hit Enter to search the SSH log
list. To narrow down your search, see Column filter.
Reports
Reports in Log & Reports show a list of audit reports generated to comply with audit requirements. The reports include:
l User Login: Top successful logins, top failed logins, and top failed logins by reason.
l System: Maintenance mode, top maintenance mode activation by user, glass breaking mode, top glass breaking
mode activation by user, and HA mode.
l Secret (includes the following):
l Secret launch success
l Top secret launch success by secret name
l Top secret launch success by secret name and user
l Password change
l Top successful password change by secret name
l Top successful password change by secret name and user
l Top failed password change by secret name
l Top failed password change by secret name and reason
l Top failed password change by secret name, user and reason
l Password verification
l Top successful password verification by secret name
l Top successful password verification by secret name and user
l Top failed password verification by secret name
l Top failed password verification by secret name and reason
l Top failed password verification by secret name, user and reason
Download Select to export the selected report to your computer as a pdf file.
Generate Now Select to regenerate a report and click OK in the Confirm window.
Before enabling the option, you must configure an email messaging server in System >
Settings and configure a username in Email Alert Settings.
See Email alert settings on page 270.
Customizing reports
FortiPAM allows you to customize reports to display attributes according to your preference.
You can change the report attributes from the CLI console only.
Log settings
Log settings determine what information is recorded in logs, where the logs are stored, and how often storage occurs.
Local Log
Log Disk Partition Usage The disk usage (free and used space).
Video Disk Partition Usage The video disk partition usage (free and used video disk partition).
Log Settings
Event Logging By default, the system logs all the events: system activity, user activity, and HA.
You can customize event logging by selecting Customize and then unselecting
options under Customize.
Note: No event logs are recorded and displayed on the Log & Report > Events
page for unselected events.
Although disabling disk storage is not recommended, FortiPAM allows you to disable it via the CLI.
If you intend to disable disk storage, ensure that memory storage is enabled so that the log pages keep working
correctly. Logs held only in memory do not survive a reboot, so also forward them to FortiAnalyzer or syslog:
config log memory setting
    set status enable
end
The following parameters are only available when the status is set to enable.
port <integer> The server listening port number (default = 514, 0 - 65535).
facility {kernel | user | mail | daemon | auth | syslog | lpr | …} The remote syslog facility (default = local7):
l kernel: Kernel messages.
max-log-rate <integer> The syslog maximum log rate in MBps (default = 0, 0 - 100000, where 0 = unlimited).
interface-select-method {auto | sdwan | specify} Specify how to select the outgoing interface to reach the server:
l auto: Set the outgoing interface automatically (default).
Enabling Email Alert Settings allows FortiPAM to send alert emails to administrators.
1. Go to Log & Report > Email Alert Settings, and select Enable email notification.
Interval The time interval at which the alerts are sent, in minutes (default = 5, 1-
99999).
Note: The option is only available when the Alert parameter is set as Events.
Security
Note: The pane is only available when the Alert parameter is set as Events.
Virus detected Enable/disable sending alerts when virus detected.
Administrative
Note: The pane is only available when the Alert parameter is set as Events.
Configuration change Enable/disable sending alerts when a configuration is changed.
Note: The option is disabled by default.
HA status change Enable/disable sending alerts when the HA status changes.
Note: The option is disabled by default.
4. Click Apply.
1. Ensure that Email Service is set up in System > Settings. See Settings on page 182.
2. Go to Log & Report > Email Alert Settings, and select Enable email notification.
Setting up an email alert for glass breaking excludes other important notifications, such as administrative
changes (configuration and HA status) and security events (virus detection).
FortiPAM operation requires multiple components to work together. Generally, a browser and FortiClient are necessary
on the client side to connect to the FortiPAM GUI. Secrets on FortiPAM can then be used to connect to the target host.
If the FortiPAM system runs abnormally, pinpointing the failed component can be challenging. This chapter presents the
usage of built-in debug tools to speed up finding errors.
You must have system administrator and CLI permissions to use the debug features, including
debug trace files. See Role on page 117.
To use the FortiPAM debug feature, the debug category and level must be set.
In the CLI console, enter the following commands to set the debug category and level:
diagnose wad debug enable category <category>
diagnose wad debug enable level <level>
For example:
diagnose wad debug enable category session #The category is session
diagnose wad debug enable level info #The level is set to info
The debug level is a threshold: all more severe levels are included. For example, when the debug level is
set to info, error and warn traces are displayed too, but verbose is hidden.
Once the category and level are set in the CLI, traces are displayed in the CLI.
For more troubleshooting information and a Q&A section, check out the FortiPAM Community
page: https://community.fortinet.com/t5/FortiPAM/tkb-p/TKB52.
To successfully capture each daemon's trace as separate log files, use FortiPAM debug trace files. You can then view
each file and locate the source of an issue.
To use FortiPAM trace file debug feature, debug category and level must be set. See
Troubleshooting on page 273.
Command Description
diagnose wad debug file max_size <size> Set the maximum size for trace files.
diagnose wad debug file overwrite {enable | disable} Allow overwriting when the file reaches the maximum size.
diagnose wad debug file clear Clear all the trace files.
diagnose wad debug file list Show all trace-related file stats.
diagnose wad debug file show {trace_file_name | all} Show the content of a specific trace file, or of all trace files.
diagnose wad debug file send tftp <addr> <save_zip_name.tar.gz> Send trace files to a TFTP server.
diagnose wad debug file send ftp <save_zip_name.tar.gz> <addr>:[port] [username] [password] Send trace files to an FTP server.
TFTP and FTP transfer the archive without encryption (and TFTP without authentication). Trace files can contain
forwarded request and response headers, so send them only over a trusted management network.
1. In the CLI console, enter the following commands to set debug category and level:
diagnose wad debug enable category secret
diagnose wad debug enable level info
2. Enter the following command to set the maximum size for trace files:
diagnose wad debug file max-size 2
3. Enter the following command to enable dump trace to files:
diagnose wad debug file enable
Traces are now written to trace files.
4. Enter the following command to disable dump trace to files:
diagnose wad debug file disable
5. Enter the following command to show all trace related file stats:
diagnose wad debug file list
size:0000000000, wad_worker-1.log
size:0000000000, wad_cert-inspection-0.log
size:0000000000, wad_debug-0.log
size:0000000000, wad_algo-0.log
size:0000000000, wad_user-info-0.log
size:0000000000, wad_dispatcher-0.log
size:0000000000, wad_secret-approval-0.log
size:0000000000, wad_config-notify-0.log
size:0000000000, wad_informer-0.log
size:0000000000, wad_YouTube-filter-cache-service-0.log
size:0000006869, wad_worker-0.log
size:0000000000, wad_pwd-changer-0.log
size:0000000000, wad_manager-0.log
6. Enter the following command to clear all the trace files:
diagnose wad debug file clear
7. Enter the following command to show a specific file content:
diagnose wad debug file show wad_worker-0.log
Enabling the http debug category can generate a large volume of traces from GUI traffic. When GUI traffic is
not needed, the FortiPAM HTTP filter filters out the traffic that is not required.
You must have system administrator and CLI permissions to use the FortiPAM HTTP filter.
1. In the CLI console, enter the following command to set the debug category to http:
diagnose wad debug enable category http
2. Optionally, enter the following command to set the debug level:
diagnose wad debug enable level <level>
3. Use the following CLI command to set up a filter for the FortiPAM traffic:
diagnose wad filter pam
Variable Description
In most cases, the both option is recommended for the filter.
The FortiPAM filter can be combined with diagnose wad filter drop-unknown-session 1 to drop additional
traces generated during session initialization.
Examples
1. Turning on drop-unknown-session with the internal option (diagnose wad filter pam internal)
and launching a secret shows the following trace:
PAM # [I][p:1070][s:930509823][r:2694] wad_http_req_proc_policy: 10453 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>
[I][p:1070][s:930509823][r:2694] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 309
[I][p:1070][s:930509826][r:2701] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Proxy-Agent: FortiPAM/1.0
X-Range: bytes=773458-
Content-Length: 0
2. Turning on drop-unknown-session with the tcp-forward option (diagnose wad filter pam tcp-forward)
and launching a secret shows the following trace:
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5182 Check redir PROXY port=22((null))
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5190 TCP tunnel detected without type.
[I][p:1070][s:930509852][r:2799] wad_dump_fwd_http_resp :2663 hreq=0x7f34b46a41f8 Forward response from Internal:
HTTP/1.1 101 Switching Protocols
Upgrade: tcp-forwarding/1.0
Connection: Upgrade
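As an added example (not FortiPAM code), the following Python parses diagnose wad debug trace output of the form shown above, including the page's first line where two records were run together on one line. It splits fused records, attaches continuation lines (the forwarded HTTP status line and headers) to the record they belong to, filters by severity with the same threshold semantics the debug level uses (info keeps error and warn, hides verbose), and groups function calls by wad session id. The sample trace is the page's two examples plus two constructed [W] and [V] lines; the mapping from the single-letter tag to the level names is an assumption, since only [I] appears in the page.

```python
import re
from collections import OrderedDict

# One record header: [level][p:pid][s:session][r:request] function: line message
# The samples above write the line number both as "func: 2663" and "func :2663".
REC_RE = re.compile(
    r"\[(?P<level>[A-Z])\]\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\]\s*"
    r"(?P<func>\w+)\s*:\s*(?P<line>\d+)\s*(?P<msg>.*)$"
)
# Zero-width split point: a new record header glued onto the previous record.
REC_START = re.compile(r"(?=\[[A-Z]\]\[p:\d+\])")
PROMPT = re.compile(r"^\S+ # ")  # the "PAM # " CLI prompt before the first line

# Assumed mapping of the tag letter to the names accepted by
# 'diagnose wad debug enable level'; only [I] occurs in the page's samples.
SEVERITY = {"E": 0, "W": 1, "I": 2, "V": 3}
LEVEL_NAMES = {"error": 0, "warn": 1, "info": 2, "verbose": 3}

def parse_trace(text):
    """Return a list of records; lines without a header (forwarded HTTP
    headers, wrapped text) are attached to the preceding record as 'extra'."""
    records = []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.rstrip())
        if not line:
            continue
        for part in (p for p in REC_START.split(line) if p):
            m = REC_RE.match(part)
            if m:
                rec = m.groupdict()
                rec["extra"] = []
                records.append(rec)
            elif records:
                records[-1]["extra"].append(part)
    return records

def at_least(records, level_name):
    """Keep records at the given level or more severe."""
    threshold = LEVEL_NAMES[level_name]
    return [r for r in records if SEVERITY.get(r["level"], 3) <= threshold]

def by_session(records):
    """Group function names by wad session id, the [s:...] field."""
    out = OrderedDict()
    for r in records:
        out.setdefault(r["sid"], []).append(r["func"])
    return out

def http_responses(records):
    """(session, status line) for every forwarded HTTP response in the trace."""
    return [(r["sid"], r["extra"][0]) for r in records
            if r["func"] == "wad_dump_fwd_http_resp" and r["extra"]]

# The page's two traces (first line fused as printed) plus two constructed lines.
SAMPLE = """PAM # [I][p:1070][s:930509823][r:2694] wad_http_req_proc_policy: 10453 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>[I][p:1070][s:930509823][r:2694] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 309
[I][p:1070][s:930509826][r:2701] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Proxy-Agent: FortiPAM/1.0
X-Range: bytes=773458-
Content-Length: 0
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5182 Check redir PROXY port=22((null))
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5190 TCP tunnel detected without type.
[I][p:1070][s:930509852][r:2799] wad_dump_fwd_http_resp :2663 hreq=0x7f34b46a41f8 Forward response from Internal:
HTTP/1.1 101 Switching Protocols
Upgrade: tcp-forwarding/1.0
Connection: Upgrade
[W][p:1070][s:930509852][r:2799] wad_example_fn: 1 constructed warning line (not from the page)
[V][p:1070][s:930509852][r:2799] wad_example_fn: 2 constructed verbose line (not from the page)
"""

if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    for sid, funcs in by_session(recs).items():
        print(sid, funcs)
    print(http_responses(recs))
    print(len(at_least(recs, "info")), "records at info or more severe")
```

The http_responses view is the quickest way to see, per session, whether the launch reached the 101 Switching Protocols upgrade to tcp-forwarding or stopped at an earlier 200 response.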
Once you have downloaded fortipam.qcow2, you can create the virtual machine on your KVM host.
Before starting the virtual machine for the first time, you will need to add two additional hard disks (one for logs and one
for videos). Repeat the following steps for each disk:
1. Click Add Hardware in the Virt-manager application, and select the option to add an additional storage disk.
2. For the Storage size, select a size according to the disk sizing guidelines. See System requirements in the KVM
Admin Guide.
3. For Bus type select VirtIO.
4. Click Finish.
Before starting the virtual machine for the first time, you will also need to configure two Ethernet interfaces:
1. In the Virtual Machine Manager, locate the VM name, then select Open from the toolbar.
2. Select NIC:xxxx; the default network adapter.
3. In Network source dropdown, select Host device enxxxx: macvtap.
4. In the Device model dropdown, select virtio.
5. Click Apply.
6. Click Add Hardware, and select the option to add an additional interface.
7. In the Device model dropdown, select virtio.
8. Select Finish.
9. Click Begin Installation to start installing the new VM.
To add log/video disks or modify disk sizes after first powering up FortiPAM-VM:
1. In the CLI console, enter sh sys storage (short for show system storage) to verify that the disk size change was successful:
config system storage
    edit "HD1"
        set status enable
        set media-status enable
        set order 1
        set partition "LOGUSEDX83555B0F"
        set device "/dev/vda1"
        set size 20029
        set usage log
    next
    edit "HD2"
        set status enable
        set media-status enable
        set order 2
        set partition "PAMVIDEOBAED79CD"
        set device "/dev/vdb1"
        set size 301354
        set usage video
    next
    edit "HD3"
        set status enable
        set media-status disable
        set order 3
        set partition ''
        set device ''
If the displayed disk size is not what you had configured, enter the following command to format the log and the
video disk:
execute disk format <disk_ref>
Note: <disk_ref> can be found with the command execute disk list.
HD1 is used for the log disk and its disk_ref is 256.
HD2 is used for the video disk and its disk_ref is 16.
In the above example, the disks are formatted by entering the following commands:
execute disk format 256 #HD1
execute disk format 16 #HD2
Disk formatting results in the loss of all existing logs and videos, so confirm the disk_ref before running it.
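As an added example (not FortiPAM code), the following Python parses a show system storage listing like the one above into one record per disk and compares each attached disk's reported size with the size you configured, so a failed resize is caught before execute disk format wipes the disk. The same check applies to the VMware procedure later in this appendix. The sample listing is the page's, with HD3 completed by a constructed next/end; the size field is taken to be in MB, consistent with 20029 for a roughly 20 GB disk, and the 5% tolerance is an assumption to absorb partition overhead.

```python
import shlex

def parse_storage(text):
    """Parse a 'config system storage' listing into one dict per 'edit' block.
    Values keep FortiOS quoting semantics: "x" -> x, '' -> empty string."""
    disks, cur = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            cur = {"name": tokens[1]}
        elif tokens[0] == "set" and cur is not None and len(tokens) >= 2:
            cur[tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next" and cur is not None:
            disks.append(cur)
            cur = None
    if cur is not None:          # listing cut off before its 'next'
        disks.append(cur)
    return disks

def check_disks(disks, expected_mb, tolerance=0.05):
    """Compare each attached disk's reported size (MB, as printed) with the
    size expected for its usage. Returns (name, usage, size_mb, ok) tuples."""
    results = []
    for d in disks:
        if d.get("media-status") != "enable":
            continue             # e.g. HD3 above: no media attached
        usage = d.get("usage")
        size = int(d.get("size", "0"))
        want = expected_mb.get(usage)
        ok = want is not None and abs(size - want) <= tolerance * want
        results.append((d["name"], usage, size, ok))
    return results

def disks_to_format(disks, expected_mb):
    """Names of attached disks whose size does not match; look up their
    disk_ref with 'execute disk list' before running 'execute disk format'."""
    return [name for name, _, _, ok in check_disks(disks, expected_mb) if not ok]

# The listing from the page, with HD3 completed by a constructed 'next'/'end'.
SAMPLE_STORAGE = """\
config system storage
    edit "HD1"
        set status enable
        set media-status enable
        set order 1
        set partition "LOGUSEDX83555B0F"
        set device "/dev/vda1"
        set size 20029
        set usage log
    next
    edit "HD2"
        set status enable
        set media-status enable
        set order 2
        set partition "PAMVIDEOBAED79CD"
        set device "/dev/vdb1"
        set size 301354
        set usage video
    next
    edit "HD3"
        set status enable
        set media-status disable
        set order 3
        set partition ''
        set device ''
    next
end
"""

GB = 1024  # sizes print in MB; 20 GB -> 20480

if __name__ == "__main__":
    disks = parse_storage(SAMPLE_STORAGE)
    print(check_disks(disks, {"log": 20 * GB, "video": 300 * GB}))
    # Expecting the 30 GB default log disk instead flags HD1 for formatting.
    print(disks_to_format(disks, {"log": 30 * GB, "video": 300 * GB}))
```

With the sizes actually configured (20 GB log, 300 GB video) both disks pass; if you had expected the 30 GB default for the log disk, HD1 is the one to format.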
Once you have downloaded the out.ovf.zip file and extracted the package contents to a folder on your management
computer, you can deploy it into your VMware environment.
1. Connect to your VMware ESXi server by visiting its URL in your browser. Enter your username and password, and
click Log in.
2. Select Create/Register VM.
The VM creation wizard opens.
3. Select Deploy a virtual machine from an OVF or OVA file, and click Next.
4. Enter a name for your VM and select the files (FortiPAM-VM64.ovf, fortipam.vmdk, datadrive.vmdk, and
datadriv2.vmdk) previously extracted to your management computer, and click Next.
5. Select which ESXi server's datastore to use for the deployment of FortiPAM-VM, and click Next.
7. Select the appropriate network mappings, disk provisioning, and power on options for your deployment, and click
Next.
l Thin Provision: This option optimizes storage use at the cost of sub-optimal disk I/O rates. It allocates disk
space only when a write occurs to a block, but the total volume size is reported by VMFS to the OS. Other
volumes can take the remaining space. This allows you to float between your servers and expand storage
when your size monitoring indicates there is a problem. Once a Thin Provisioned block is allocated, it remains
in the volume regardless of whether you have deleted data, etc.
l Thick Provision: This option has higher storage requirements, but benefits from optimal disk I/O rates. It
allocates the disk space statically. No other volumes can take the allocated space.
By default, the log disk and video disk size are 30 GB. If you want to change the size, unselect Power on
automatically to ensure that any disk size change is made before first powering on the VM.
See FortiPAM appliance setup on page 25 for CLI related settings to verify the disk usage type and set up FortiPAM.
10. The default size for the log and the video disk is 30 GB. If the size does not meet your requirement, see Log and
video disk size guidelines in System requirements in the VMware ESXi Admin Guide.
Disk size tuning results in the loss of existing logs and videos.
d. Adjust Hard disk 2 for log disk size and adjust Hard disk 3 for video disk size.
If the displayed disk size is not what you had configured, enter the following command to format the log and the
video disk:
execute disk format <disk_ref>
Note: <disk_ref> can be found with the command execute disk list.
HD1 is used for the log disk and its disk_ref is 256.
HD2 is used for the video disk and its disk_ref is 16.
In the above example, the disks are formatted by entering the following commands:
execute disk format 256 #HD1
execute disk format 16 #HD2
Disk formatting results in the loss of all existing logs and videos, so confirm the disk_ref before running it.
For added security when installing FortiPAM on KVM, the vTPM package must be installed and a vTPM added to the
FortiPAM-VM.
d. Click Finish.
This adds TPM v2.0 to the list of hardware devices on the left.
To successfully enable vTPM, you must configure a key provider on the VMware vSphere client.
Ensure that vTPM is set up as part of the initial configuration (before powering on the
FortiPAM-VM for the first time.)
1. Select the virtual appliance in the VMware vSphere client and go to Configure > Security > Key Providers.
2. In Key Providers, from the Add dropdown, select Add Native Key Provider.
3. In the Add Native Key Provider window:
a. Enter a name for the native key provider.
b. Deselect Use key provider only with TPM protected ESXi hosts.
c. Select ADD KEY PROVIDER.
4. Select the new key provider from the key providers list and then select BACK UP.
The Back up Native Key Provider window opens.
5. Select BACK UP KEY PROVIDER.
The key provider is saved on your computer.
1. Right-click the virtual appliance in the VMware vSphere client and select Edit Settings.
Ensure that the Guest OS Version in the VM Options tab is set to Other 4.x or later Linux (64-bit) or higher.
2. In Edit Settings, click Add New Device and select Trusted Platform Module.
3. Click OK.
To expand hard disk capacity, you can enable RAID on the FortiPAM-VM. After RAID is enabled, hard disk capacity can
be expanded from 2 TB to 16 TB.
Individual disks of sizes up to 2 TB are supported.
Soft RAID is supported on KVM and VMware platforms. Hyper-V and other platforms are not supported yet.
Note: Soft RAID for VMware requires disks of the same size.
Enabling, disabling, and changing the RAID level, erases all the data on the log and video disk.
Also, the FortiPAM device reboots every time RAID is enabled, disabled, or the RAID level is
changed.
1. Before enabling RAID, enter the following command in the CLI console to verify that FortiPAM has multiple disks:
execute disk list
or
diagnose hardware deviceinfo disk
2. In the CLI console, enter the following command to enable RAID:
execute disk raid enable <RAID level> #The default value is Raid-0
Two partitions are created after RAID is enabled: one for logs and one for videos.
With two disks, RAID levels 0 and 1 are available. RAID levels 5 and 10 are available only with four disks.
Note that the default, RAID-0, stripes without redundancy: a single disk failure loses all logs and session
recordings. Choose RAID 1, 5, or 10 where the logs and videos serve as audit evidence.
3. From the Admin dropdown in the banner, go to System > Reboot to reboot FortiPAM.
5. In the CLI console, check the RAID status by entering the following command:
execute disk raid status #Raid is now available
If the above steps do not enable RAID on FortiPAM-VM, use the following workaround:
1. Factory reset your FortiPAM-VM.
2. Remove disk from your FortiPAM-VM, then add the disk again.
3. Now follow the steps in Configuring RAID via CLI.
If a RAID error has been detected, the admin can rebuild the RAID only at the same RAID level. Changing the RAID level
takes a while and deletes all data on the disk.
Use the following CLI command to rebuild RAID:
execute disk raid rebuild-level <RAID level>
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.