Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
- VM license
Folders
- Creating a folder
Secrets
- Secret list
- Secret launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Secret templates
  - Creating secret templates
- Policies
  - Creating a policy
    - Applying a policy to a folder
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Job list
  - Creating a job
Monitoring
- User monitor
- Active sessions
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Approval request
- My requests
  - Make a request
- Request review
  - Approve a request
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
Password changing
- Character sets
  - Creating a character set
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
Authentication
- Addresses
  - Creating an address
  - Creating an address group
- Scheme & Rules
  - Creating an authentication scheme
  - Creating an authentication rule
System
- Firmware
- Settings
- SNMP
- High availability
- Certificates
- ZTNA
- Backup
  - Sending backup file to a server Example
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- DNS settings
- Packet capture
  - Creating a packet capture filter
- Static routes
  - Creating an IPv4 static route
Security profile
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
Security fabric
- Fabric Connectors
  - FortiAnalyzer logging
Log & report
- Events
- Secret
- ZTNA
- SSH
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Change Log

Home FortiPAM 1.0.0 Administration Guide

1.0.0

Creating an interface

To create an interface:

Go to Network > Interfaces.
From +Create New, select Interface.
The New Interface window opens.

Enter the following information:

Name

Name of the interface.

Alias

Enter an alternate name for a physical interface on the FortiPAM device. This field appears when you edit an existing interface. The alias does not appear in logs.

The maximum length of the alias is 25 characters.

Type

From the dropdown, select a configuration type:

802.3ad Aggregate
Redundant Interface
VLAN (default)

VLAN protocol

Select either 802.1Q or 802.1AD.

Note: The field is available when Type is set to VLAN.

Interface

Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list.

You cannot change the physical interface of a VLAN interface.

Use the search bar to look for an interface.

Use the pen icon next to an interface to edit the interface.

Note: The field is available when Type is set to VLAN.

VLAN ID

Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface.

The VLAN ID can be edited after the interface is added.

Note: The field is available when Type is set to VLAN.

Interface members

Select members for some interface types.

Note: The field is available when Type is set to 802.3ad Aggregate or Redundant Interface.

Role

Set the role setting for the interface. Different settings will be shown or hidden when editing an interface depending on the role:

LAN: Used to connected to a local network of endpoints. It is default role for new interfaces.
WAN: Used to connected to the internet. When WAN is selected, the Estimated bandwidth setting is available, and Create address object matching subnet is not available.
DMZ: Used to connected to the DMZ.
Undefined: The interface has no specific role. When selected, Create address object matching subnet is not available.

Estimated bandwidth

The estimated WAN bandwidth, in kbps (upstream and downstream).

The values can be entered manually, or saved from a speed test executed on the interface. These values are used to estimate WAN usage.

Note: The option is only available when the Role is set as WAN.

Address

Addressing mode

Select the addressing mode for the interface.

Manual: Add an IP address and netmask for the interface.
DHCP: Get the interface IP address and other network settings from a DHCP server.

IP/Netmask

If Addressing mode is set to Manual, enter an IPv4 address and subnet mask for the interface.

FortiPAM interfaces cannot have IP addresses on the same subnet.

Note: The option is only available when the Addressing mode is Manual.

Retrieve default gateway from server

Enable to retrieve the default gateway from the server.

The default gateway is added to the static routing table.

Note: The option is enabled by default.

Note: The option is only available when the Addressing mode is DHCP.

Distance

Enter the administrative distance for the default gateway retrieved from the DHCP server (default = 5, 1 - 255).

Distance specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route.

Note: The option is only available when Retrieve default gateway from server is enabled.

Override internal DNS

Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page.

Note: The option is enabled by default.

Note: The option is only available when the Addressing mode is DHCP.

Create address object matching subnet

Enable to automatically create an address object that matches the interface subnet.

Note: The option is enabled by default.

Note: The option is available when Role is set to LAN or DMZ.

Secondary IP address

Add additional IPv4 addresses to this interface.

Note: The option is disabled by default.

Note: The option is only available when the Addressing mode is Manual.

Administrative Access

IPv4

Select the types of administrative access permitted for IPv4 connections to this interface.

Miscellaneous

Comments

Optionally, enter comments about the source interface.

Status

Enable/disable the source interface.

Click OK.

To create an interface:

Go to Network > Interfaces.
From +Create New, select Interface.
The New Interface window opens.

Enter the following information:

Name

Name of the interface.

Alias

Enter an alternate name for a physical interface on the FortiPAM device. This field appears when you edit an existing interface. The alias does not appear in logs.

The maximum length of the alias is 25 characters.

Type

From the dropdown, select a configuration type:

802.3ad Aggregate
Redundant Interface
VLAN (default)

VLAN protocol

Select either 802.1Q or 802.1AD.

Note: The field is available when Type is set to VLAN.

Interface

Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list.

You cannot change the physical interface of a VLAN interface.

Use the search bar to look for an interface.

Use the pen icon next to an interface to edit the interface.

Note: The field is available when Type is set to VLAN.

VLAN ID

Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface.

The VLAN ID can be edited after the interface is added.

Note: The field is available when Type is set to VLAN.

Interface members

Select members for some interface types.

Note: The field is available when Type is set to 802.3ad Aggregate or Redundant Interface.

Role

Set the role setting for the interface. Different settings will be shown or hidden when editing an interface depending on the role:

LAN: Used to connected to a local network of endpoints. It is default role for new interfaces.
WAN: Used to connected to the internet. When WAN is selected, the Estimated bandwidth setting is available, and Create address object matching subnet is not available.
DMZ: Used to connected to the DMZ.
Undefined: The interface has no specific role. When selected, Create address object matching subnet is not available.

Estimated bandwidth

The estimated WAN bandwidth, in kbps (upstream and downstream).

The values can be entered manually, or saved from a speed test executed on the interface. These values are used to estimate WAN usage.

Note: The option is only available when the Role is set as WAN.

Address

Addressing mode

Select the addressing mode for the interface.

Manual: Add an IP address and netmask for the interface.
DHCP: Get the interface IP address and other network settings from a DHCP server.

IP/Netmask

If Addressing mode is set to Manual, enter an IPv4 address and subnet mask for the interface.

FortiPAM interfaces cannot have IP addresses on the same subnet.

Note: The option is only available when the Addressing mode is Manual.

Retrieve default gateway from server

Enable to retrieve the default gateway from the server.

The default gateway is added to the static routing table.

Note: The option is enabled by default.

Note: The option is only available when the Addressing mode is DHCP.

Distance

Enter the administrative distance for the default gateway retrieved from the DHCP server (default = 5, 1 - 255).

Distance specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route.

Note: The option is only available when Retrieve default gateway from server is enabled.

Override internal DNS

Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page.

Note: The option is enabled by default.

Note: The option is only available when the Addressing mode is DHCP.

Create address object matching subnet

Enable to automatically create an address object that matches the interface subnet.

Note: The option is enabled by default.

Note: The option is available when Role is set to LAN or DMZ.

Secondary IP address

Add additional IPv4 addresses to this interface.

Note: The option is disabled by default.

Note: The option is only available when the Addressing mode is Manual.

Administrative Access

IPv4

Select the types of administrative access permitted for IPv4 connections to this interface.

Miscellaneous

Comments

Optionally, enter comments about the source interface.

Status

Enable/disable the source interface.

Click OK.