FortiPAM appliance setup
Before using FortiPAM-VM, you need to install the KVM or the VMware application to host the FortiPAM-VM device. The installation instructions for FortiPAM-VM assume you are familiar with KVM or the VMware products and terminology.
FortiPAM-VM image installation and initial setup
See Appendix A: Installation on KVM.
See Appendix B: Installation on VMware.
Once FortiPAM-VM is powered on:
-
At the login prompt, enter
admin
and hit Enter.By default, there is no password, however, a password must be set before you can proceed. Enter and confirm the new administrator password.
- At the CLI prompt, enter
show system storage
to verify the disk usage type for the two added hard disks. The output looks like the following:Administrators need to configure a dedicated FortiPAM video disk for video recording.
Two hard disks and two virtual network interface cards need to be added to the VM in VM manager before FortiPAM image installation.
config system storage
edit "HD1"
set status enable
set media-status enable
set order 1
set partition "LOGUSEDXDE8326F6"
set device "/dev/vda1"
set size 20023
set usage log
next
edit "HD2"
set status enable
set media-status enable
set order 2
set partition "PAMVIDEOB471724F"
set device "/dev/vdb1"
set size 20029
set usage video
next
end
-
Enter the following CLI commands to set up FortiPAM:
config system interface
edit "port1"
set ip 172.16.x.x/x #Depending on your network setting
set allowaccess ssh https http
set type physical
set snmp-index 1
next
edit "port2"
set ip x.x.x.x/x
set allowaccess ssh https http
set type physical
set snmp-index 2
next
end
config router static
edit 1
set gateway x.x.x.x
set device "port1"
next
end
- FortiPAM requires license. To upload a license. See Licensing.
If the network layout is unable to resolve the correct external FortiGuard server after an external DNS server is set, enter the following commands:
config system fortiguard
set fortiguard-anycast disable
unset update-server-location
unset sdns-server-ip
end
Optionally, enter the following commands to use the external FortiGuard server in case the FortiGuard server cannot be correctly resolved:
config system central-management
config server-list
edit 1
set server-type update rating
set server-address <addr>
next
end
set include-default-servers disable
end
- To improve security, disable HTTP on the physical interface:
config system interface
edit "port1"
set allowaccess ssh
next
edit "port2"
set allowaccess ssh
next
end
- Enter the following CLI commands to configure the firewall.
The CLI commands are used to allocate a static IP address as the virtual IP address for FortiPAM. The static IP address is used as FortiPAM GUI server IP address.
config firewall vip
edit "fortipam_vip"
set type access-proxy
set extip 172.16.xxx.xxx #use an external visible virtual IP address that can be same as the port1 interface
set extintf "any"
set server-type https
set extport 443
set ssl-certificate "Fortinet_SSL"
next
end
-
On a web browser, go to
https://172.16.xxx.xxx
to access FortiPAM GUI using the virtual IP address.
To update a firmware image:
- Enter maintenance mode. See Maintenance mode.
- In the user dropdown on the top-right, go to System > Firmware.
The Firmware Management window opens.
- Go to File Upload:
- Select Browse, then locate the
image.out
FortiPAM firmware image on your local computer. - Click Open.
- Select Browse, then locate the
- Click Confirm and Backup Config.
FortiPAM then reboots and the firmware has been updated.
FortiPAM may take few minutes to reboot.