Administration Guide

FortiPAM appliance setup

Before using FortiPAM-VM, you need to install the KVM or the VMware application to host the FortiPAM-VM device. The installation instructions for FortiPAM-VM assume you are familiar with KVM or the VMware products and terminology.

FortiPAM-VM image installation and initial setup

See Appendix A: Installation on KVM.

See Appendix B: Installation on VMware.

Once FortiPAM-VM is powered on:

  1. At the login prompt, enter admin and hit Enter.

    By default, there is no password; however, a password must be set before you can proceed. Enter and confirm the new administrator password.

  2. At the CLI prompt, enter show system storage to verify the disk usage type for the two added hard disks. The output looks like the following:

        config system storage
            edit "HD1"
                set status enable
                set media-status enable
                set order 1
                set partition "LOGUSEDXDE8326F6"
                set device "/dev/vda1"
                set size 20023
                set usage log
            next
            edit "HD2"
                set status enable
                set media-status enable
                set order 2
                set partition "PAMVIDEOB471724F"
                set device "/dev/vdb1"
                set size 20029
                set usage video
            next
        end

    Administrators need to configure a dedicated FortiPAM video disk for video recording.

    Two hard disks and two virtual network interface cards need to be added to the VM in VM manager before FortiPAM image installation.

    See Appendix A: Installation on KVM.

  3. Enter the following CLI commands to set up FortiPAM:

        config system interface
            edit "port1"
                set ip 172.16.x.x/x # Depending on your network settings
                set allowaccess ssh https http
                set type physical
                set snmp-index 1
            next
            edit "port2"
                set ip x.x.x.x/x
                set allowaccess ssh https http
                set type physical
                set snmp-index 2
            next
        end

        config router static
            edit 1
                set gateway x.x.x.x
                set device "port1"
            next
        end

  4. FortiPAM requires a license. To upload a license, see Licensing.

    If the network layout is unable to resolve the correct external FortiGuard server after an external DNS server is set, enter the following commands:

        config system fortiguard
            set fortiguard-anycast disable
            unset update-server-location
            unset sdns-server-ip
        end

    Optionally, enter the following commands to use the external FortiGuard server in case the FortiGuard server cannot be correctly resolved:

        config system central-management
            config server-list
                edit 1
                    set server-type update rating
                    set server-address <addr>
                next
            end
            set include-default-servers disable
        end

  5. To improve security, disable HTTP on the physical interfaces. The following commands leave only ssh in allowaccess on port1 and port2:

        config system interface
            edit "port1"
                set allowaccess ssh
            next
            edit "port2"
                set allowaccess ssh
            next
        end

  6. Enter the following CLI commands to configure the firewall.

    These commands allocate a static IP address as the virtual IP address for FortiPAM. The static IP address is used as the FortiPAM GUI server IP address.

        config firewall vip
            edit "fortipam_vip"
                set type access-proxy
                set extip 172.16.xxx.xxx # Use an externally visible virtual IP address; it can be the same as the port1 interface
                set extintf "any"
                set server-type https
                set extport 443
                set ssl-certificate "Fortinet_SSL"
            next
        end

  7. On a web browser, go to https://172.16.xxx.xxx to access FortiPAM GUI using the virtual IP address.
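
A configuration check for steps 2 and 5, added here as an example and not part of Fortinet's guide: it parses a saved copy of the CLI configuration and reports any interface whose allowaccess lists more than ssh, and a missing enabled video disk. The sample text, the 192.0.2.10/24 address and the function names parse and audit are constructed for illustration.

```python
import shlex

# Constructed sample in the page's CLI syntax; 192.0.2.10/24 is a placeholder.
SAMPLE = '''
config system storage
    edit "HD2"
        set status enable
        set usage video
    next
end
config system interface
    edit "port1"
        set ip 192.0.2.10/24 #constructed value
        set allowaccess ssh https http
    next
    edit "port2"
        set allowaccess ssh
    next
end
'''

def parse(text):
    """Return {section: {entry: {key: [values]}}} for top-level config blocks."""
    tree, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True) or [""]  # quotes and '#' notes
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # nested blocks (depth > 1) are skipped
                section, entry = " ".join(tok[1:]), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tree.setdefault(section, {}).setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tree

def audit(text):
    """List deviations from the ssh-only and video-disk state in the steps above."""
    cfg, findings = parse(text), []
    for name, iface in cfg.get("system interface", {}).items():
        extra = sorted(set(iface.get("allowaccess", [])) - {"ssh"})
        if extra:
            findings.append(f"{name}: allowaccess still permits {', '.join(extra)}")
    disks = cfg.get("system storage", {}).values()
    if not any(d.get("usage") == ["video"] and d.get("status") == ["enable"] for d in disks):
        findings.append("no enabled storage entry with usage video")
    return findings
```

Calling audit(SAMPLE) reports port1, which is still in its step 3 state; an empty list means the configuration matches the state after step 5 and has a video disk.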

To update a firmware image:
  1. Enter maintenance mode. See Maintenance mode.
  2. In the user dropdown on the top-right, go to System > Firmware.

    The Firmware Management window opens.

  3. Go to File Upload:
    1. Select Browse, then locate the image.out FortiPAM firmware image on your local computer.
    2. Click Open.
  4. Click Confirm and Backup Config. FortiPAM then reboots and the firmware is updated.

    FortiPAM may take a few minutes to reboot.
