Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
- VM license
Folders
- Creating a folder
Secrets
- Secret list
- Secret launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Secret templates
  - Creating secret templates
- Policies
  - Creating a policy
    - Applying a policy to a folder
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Job list
  - Creating a job
Monitoring
- User monitor
- Active sessions
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Approval request
- My requests
  - Make a request
- Request review
  - Approve a request
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
Password changing
- Character sets
  - Creating a character set
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
Authentication
- Addresses
  - Creating an address
  - Creating an address group
- Scheme & Rules
  - Creating an authentication scheme
  - Creating an authentication rule
System
- Firmware
- Settings
- SNMP
- High availability
- Certificates
- ZTNA
- Backup
  - Sending backup file to a server Example
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- DNS settings
- Packet capture
  - Creating a packet capture filter
- Static routes
  - Creating an IPv4 static route
Security profile
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
Security fabric
- Fabric Connectors
  - FortiAnalyzer logging
Log & report
- Events
- Secret
- ZTNA
- SSH
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Change Log

Home FortiPAM 1.0.0 Administration Guide

1.0.0

Creating a certificate

To create a certificate

Go to System > Certificates.
From +Create/Import, select Certificate.
The Create Certificate wizard opens.

Enter the following information:

Choose Method

Automatically Provision Certificate

Select Use Let's Encrypt to automatically create a certificate using the ACME protocol with Let's Encrypt service.

You will need to enable DDNS or purchase a domain.

Generate New Certificate

Select Generate Certificate to generate a certificate using the self-signed Fortinet_CA_SSL CA.

Using a server certificate from a trusted CA is strongly recommended.

Import Certificate

Select Import Certificate to import an existing certificate by uploading the file.

Certificate Details

Enter the certificate details and click Create to create a certificate.

Automatically Provision Certificate

The certificate will be automatically provisioned using the ACME protocol with the Let's Encrypt service. It is the easiest way to install a trusted certificate.

Certificate name

The name of the certificate.

Domain

The public FQDN of FortiPAM.

Note: The option is only available when the Chosen Method is Automatically Provision Certificate.

Email

The email address.

Note: The option is only available when the Chosen Method is Automatically Provision Certificate.

Set ACME Interface

If this is the first time enrolling a server certificate with Let's Encrypt on this FortiPAM unit, the Set ACME Interface pane opens.

Note: The options in the pane are only available when the Chosen Method is Automatically Provision Certificate.

ACME Interface

Select + and from Select Entries, select ports, or create new interfaces on which the ACME client will listen for challenges to provision and renew certificates.

Click OK when you have selected interfaces.

Use the search bar to look for an interface.

Use the pen icon next to the interface to edit it.

Generate New Certificate

Certificate authority

The certificate authority.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Common name

The common name of the certificate. Enter an FQDN or an IPv4 address.

The common name should match the FQDN or the IP address of the primary SSL-VPN interface.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Subject alternative name

An IP address or FQDN.

Subject alternative names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Update Your List of Trusted Certificate Authorities

Select Download CA Certificate to download Fortinet_CA_SSL CA to your computer.

Fortinet_CA_SSL is a local CA certificate. To avoid certificate warnings, you must download it and install it on each client machine.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Import Certificate

Type

Select from the following three options:

Local Certificate
PKCS #12 Certificate
Certificate

Note: The option is only available when the Chosen Method is Import Certificate.

Certificate file

Select +Upload and locate the certificate file on your local computer.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is either Local Certificate or Certificate.

Certificate with key file

Select +Upload and locate the certificate with key file on your local computer.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is PKCS #12 Certificate.

Password

Enter the password.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is either PKCS #12 Certificate or Certificate.

Confirm Password

Reenter the password to confirm.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is PKCS #12 Certificate or Certificate.

Key file

Select +Upload and locate the key file on your local computer.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is Certificate.

Review

Enable ACME log to see logs related to the certificate created using the ACME protocol.

Note: The option is only available when Chosen Method is Automatically Provision Certificate.

Update Your List of Trusted Certificate Authorities

If you have not already downloaded the Fortinet_CA_SSL CA to your computer, select Download CA Certificate to download it.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Click OK.

To create a certificate

Go to System > Certificates.
From +Create/Import, select Certificate.
The Create Certificate wizard opens.

Enter the following information:

Choose Method

Automatically Provision Certificate

Select Use Let's Encrypt to automatically create a certificate using the ACME protocol with Let's Encrypt service.

You will need to enable DDNS or purchase a domain.

Generate New Certificate

Select Generate Certificate to generate a certificate using the self-signed Fortinet_CA_SSL CA.

Using a server certificate from a trusted CA is strongly recommended.

Import Certificate

Select Import Certificate to import an existing certificate by uploading the file.

Certificate Details

Enter the certificate details and click Create to create a certificate.

Automatically Provision Certificate

The certificate will be automatically provisioned using the ACME protocol with the Let's Encrypt service. It is the easiest way to install a trusted certificate.

Certificate name

The name of the certificate.

Domain

The public FQDN of FortiPAM.

Note: The option is only available when the Chosen Method is Automatically Provision Certificate.

Email

The email address.

Note: The option is only available when the Chosen Method is Automatically Provision Certificate.

Set ACME Interface

If this is the first time enrolling a server certificate with Let's Encrypt on this FortiPAM unit, the Set ACME Interface pane opens.

Note: The options in the pane are only available when the Chosen Method is Automatically Provision Certificate.

ACME Interface

Select + and from Select Entries, select ports, or create new interfaces on which the ACME client will listen for challenges to provision and renew certificates.

Click OK when you have selected interfaces.

Use the search bar to look for an interface.

Use the pen icon next to the interface to edit it.

Generate New Certificate

Certificate authority

The certificate authority.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Common name

The common name of the certificate. Enter an FQDN or an IPv4 address.

The common name should match the FQDN or the IP address of the primary SSL-VPN interface.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Subject alternative name

An IP address or FQDN.

Subject alternative names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Update Your List of Trusted Certificate Authorities

Select Download CA Certificate to download Fortinet_CA_SSL CA to your computer.

Fortinet_CA_SSL is a local CA certificate. To avoid certificate warnings, you must download it and install it on each client machine.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Import Certificate

Type

Select from the following three options:

Local Certificate
PKCS #12 Certificate
Certificate

Note: The option is only available when the Chosen Method is Import Certificate.

Certificate file

Select +Upload and locate the certificate file on your local computer.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is either Local Certificate or Certificate.

Certificate with key file

Select +Upload and locate the certificate with key file on your local computer.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is PKCS #12 Certificate.

Password

Enter the password.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is either PKCS #12 Certificate or Certificate.

Confirm Password

Reenter the password to confirm.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is PKCS #12 Certificate or Certificate.

Key file

Select +Upload and locate the key file on your local computer.

Note: The option is only available when the Chosen Method is Import Certificate and the Type is Certificate.

Review

Enable ACME log to see logs related to the certificate created using the ACME protocol.

Note: The option is only available when Chosen Method is Automatically Provision Certificate.

Update Your List of Trusted Certificate Authorities

If you have not already downloaded the Fortinet_CA_SSL CA to your computer, select Download CA Certificate to download it.

Note: The option is only available when the Chosen Method is Generate New Certificate.

Click OK.