
Administration Guide

Admin

The Admin dropdown contains the following information and options:

  • FortiPAM build number and version.

  • System: activate glass breaking mode, activate maintenance mode, reboot, shutdown, and upload a firmware.

    Some actions, such as uploading a firmware image and restoring a configuration, can only be performed when FortiPAM is in maintenance mode.

  • Configuration: backup, restore, see configuration revisions, and run configuration scripts.

  • Change Password: opens the Edit Password window where you can change the administrator password.

  • Logout: log out of FortiPAM.

Glass Breaking mode

The glass breaking mode gives you access to all secrets in the system.

Glass breaking in FortiPAM means extending a user's permissions so they can access data they are not normally authorized to access. Typically, user access is controlled by the permissions defined on every secret and folder. In a rare situation, such as a network outage or the remote authentication server becoming unreachable, glass breaking allows you to temporarily access important secrets and target servers to resolve the issue.

As a best practice, only a few administrators should have access to the glass breaking mode. Further, the glass breaking mode should only be activated under exceptional situations and for disaster recovery. Email notifications can also be configured to send alerts whenever someone enters glass breaking mode. See Email alert when the glass breaking mode is activated example.

Under glass breaking mode, all administrator activities should be logged for future audits.

Only a user configured with glass breaking permission can activate the glass breaking mode. The permission is defined when configuring a user role in User Management > Role. See Role.

When an administrator activates glass breaking mode on FortiPAM, the administrator can bypass normal access control procedures, get access to all folders, secrets, and secret requests, and launch any secret.

To enter glass breaking mode:
  1. From the user dropdown on the top-right, select Activate Glass Breaking Mode in System.
  2. Enter a reason for activating the glass breaking mode.
  3. Click OK.

    The GUI is refreshed, and a red banner is shown on the top: FortiPAM is in glass breaking mode.

To deactivate glass breaking mode:
  1. From the user dropdown on the top-right, select Deactivate Glass Breaking Mode in System.

    The GUI is refreshed, and a message appears on the bottom-right: Successfully demoted user.

When you are in glass breaking mode, FortiPAM enforces video recording when a session is launched.

To disable video recordings when in glass breaking mode:
  1. Go to System > Settings.
  2. In the PAM Settings pane, disable Enforce recording on glass breaking.
  3. Click Apply.

    Disabling this setting removes the session recording from the audit trail of glass breaking sessions, which are exactly the sessions that bypass normal access control. Leave it enabled unless you have a specific reason not to.
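
The page recommends alerting whenever someone enters glass breaking mode and logging all administrator activity during it. The following added example (not Fortinet code) shows the detection side of that: it parses event-log lines and raises an alert for every activation, flagging activations that deviate from the policy described above (user not on the short allow list, no reason given, activation outside business hours, or never deactivated). The log lines are constructed in the FortiOS-style key=value format; the field names and the action values `glass-breaking-activate` / `glass-breaking-deactivate` are assumptions and must be matched against the event log of a real unit before use.

```python
"""Flag glass breaking mode activations in FortiPAM-style event logs.

Added example, not Fortinet code. SAMPLE_LOG is constructed; the action values
and field names are assumptions about the real event-log format.
"""
import re
from datetime import datetime

# Constructed sample: alice breaks glass during the day with a reason and
# deactivates; bob breaks glass at night, gives no reason and never deactivates.
SAMPLE_LOG = """\
date=2024-05-01 time=09:12:03 type="event" subtype="system" level="warning" user="alice" srcip=10.0.0.5 action="glass-breaking-activate" reason="LDAP server unreachable"
date=2024-05-01 time=09:40:11 type="event" subtype="system" level="notice" user="alice" srcip=10.0.0.5 action="glass-breaking-deactivate"
date=2024-05-01 time=22:05:47 type="event" subtype="system" level="warning" user="bob" srcip=203.0.113.9 action="glass-breaking-activate" reason=""
date=2024-05-02 time=08:00:00 type="event" subtype="system" level="notice" user="carol" srcip=10.0.0.7 action="login"
"""

# key=value pairs; values are either "quoted, may contain spaces" or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def timestamp(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def glass_breaking_alerts(log_text, allowed_users, business_hours=(8, 18)):
    """Return one alert dict per activation, with policy deviations in 'flags'.

    allowed_users: the few administrators who are expected to hold the
    glass breaking permission (see User Management > Role).
    """
    alerts = []
    open_sessions = {}  # user -> alert still waiting for a deactivation
    for raw in log_text.splitlines():
        f = parse_line(raw)
        action = f.get("action", "")
        if action == "glass-breaking-activate":
            ts = timestamp(f)
            flags = []
            if f["user"] not in allowed_users:
                flags.append("user not on glass-breaking allow list")
            if not f.get("reason"):
                flags.append("no reason recorded")
            if not (business_hours[0] <= ts.hour < business_hours[1]):
                flags.append("activated outside business hours")
            alert = {"user": f["user"], "srcip": f.get("srcip"),
                     "activated": ts, "deactivated": None, "flags": flags}
            alerts.append(alert)
            open_sessions[f["user"]] = alert
        elif action == "glass-breaking-deactivate":
            alert = open_sessions.pop(f.get("user"), None)
            if alert is not None:
                alert["deactivated"] = timestamp(f)
    # Anything still open at the end of the log window is itself a finding:
    # glass breaking is meant to be temporary.
    for alert in open_sessions.values():
        alert["flags"].append("never deactivated")
    return alerts


if __name__ == "__main__":
    for a in glass_breaking_alerts(SAMPLE_LOG, allowed_users={"alice"}):
        status = "OK" if not a["flags"] else "; ".join(a["flags"])
        print(f'{a["activated"]} {a["user"]}@{a["srcip"]} -> {status}')
```

Every activation produces an alert regardless of flags, because the point of the email notification is that someone reviews each use; the flags only prioritise which ones to look at first.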
Maintenance mode

Maintenance mode suspends all critical processes to allow maintenance-related activities.

Uploading a firmware

You can only upload a firmware when in maintenance mode.

To enter maintenance mode:
  1. From the user dropdown, select Activate Maintenance Mode in System.
  2. In the Warning dialog:
    1. Enter the maximum duration, in minutes. Maintenance mode ends when this duration expires unless you renew it.
    2. Enter a reason for activating the maintenance mode.
    3. Click OK.

When in maintenance mode, select Renew Maintenance Mode in System, enter the new duration and reason and then click OK to renew the maintenance mode.

When in maintenance mode, select Deactivate Maintenance Mode in System to deactivate the maintenance mode.

To upload a firmware:
  1. In the user dropdown, go to System > Firmware.

    The Firmware Management window opens.

    The following tabs are available:

    Latest

    Displays the status of the current firmware.

    All Upgrades

    Displays if new upgrades are available.

    All Downgrades

    Displays if downgrades are available.

    File Upload

    Allows you to upload a new firmware image manually.

  2. Go to File Upload:
    1. Select Browse, then locate the firmware image on your local computer.
    2. Click Open.
  3. Click Confirm and Backup Config.

    The firmware image uploads from your local computer to the FortiPAM device, which will then reboot. For a short period of time during this reboot, the FortiPAM device is offline and unavailable.

Backup and restore

Fortinet recommends that you back up your FortiPAM configuration to your management computer on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect on the network. You should also perform a backup after making any changes to the FortiPAM configuration.

You can encrypt the backup file. The configuration backup contains sensitive data, so encrypting it protects its contents if the file is copied or leaked; restoring an encrypted backup requires the password chosen at backup time. Store the backup file with the same care as the secrets it protects.

You can perform backups manually. Fortinet recommends backing up all configuration settings from your FortiPAM unit before upgrading the FortiPAM firmware.

Your FortiPAM configuration can also be restored from a backup file on your management computer.

To back up the FortiPAM configuration:
  1. In the user dropdown, go to Configuration > Backup.

    The Backup System Configuration window opens.

  2. Select Local PC as the backup option.
  3. Enable Encryption, then enter and confirm a password. Keep this password in a secrets store separate from the backup file: without it the backup cannot be restored.
  4. Click OK.

    The backup file is downloaded to your local computer.

To restore the FortiPAM configuration:
  1. Enter maintenance mode. See Maintenance mode.
  2. In the user dropdown, go to Configuration > Restore.

    The Restore System Configuration window opens.

  3. Select Local PC as the option to restore from.
  4. Select Upload:
    1. Locate the backup file on your local computer.
    2. Click Open.
  5. In Password, enter the encryption password.
  6. Click OK.

    When you restore the configuration from a backup file, any information changed since the backup will be lost. Any active sessions will be ended and must be restarted. You will have to log back in when the system reboots.

Revisions

You can manage multiple versions of configuration files on FortiPAM.

Configuration scripts

Configuration scripts are text files that contain CLI command sequences. They can be created using a text editor or copied from a CLI console, either manually or using the Record CLI Script function.

Scripts can be used to run the same task on multiple devices.

A comment line in a script starts with the number sign (#). Comments are not executed.

To run a script using the GUI:
  1. In the user dropdown, go to Configuration > Scripts.
  2. Select Run Script.
  3. In the Run Script window:
    1. Select either Local or Remote as the Source.
    2. Select Browse, then locate the script on your local computer.
    3. Click Open.
  4. Click OK.

    The script runs immediately, and the table is updated, showing if the script ran successfully.
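
Because a script runs immediately and is often pushed to several devices, it is worth checking its block structure before uploading it. The following added example (not Fortinet code) strips comment and blank lines, as the page says FortiPAM does, and verifies that every `config` block is closed by `end` and every `edit` entry by `next`. It assumes the FortiOS-style CLI block syntax that FortiPAM's CLI uses; the commands in the two constructed sample scripts are illustrative only and are not taken from this page.

```python
"""Pre-flight check for a FortiPAM configuration script.

Added example, not Fortinet code. Assumes FortiOS-style block syntax
(config ... end, edit ... next). The sample scripts are constructed.
"""

# Constructed sample: well-formed script with a comment, a simple block and
# an entry-style block.
SAMPLE_SCRIPT = """\
# set the hostname and the admin idle timeout
config system global
    set hostname pam-lab-01
    set admintimeout 10
end
# add a read-only administrator
config system admin
    edit "auditor"
        set accprofile "read-only"
    next
end
"""

# Constructed sample: the 'next' that should close the edit entry is missing.
BAD_SCRIPT = """\
config system admin
    edit "auditor"
        set accprofile "read-only"
end
"""


def check_script(text):
    """Return (commands, errors).

    commands: the lines that would actually execute (comments and blank
    lines removed, in order). errors: structural problems found, each with
    the offending line number; an empty list means the block structure is
    balanced.
    """
    commands, errors, stack = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # comment lines are not executed
            continue
        commands.append(line)
        word = line.split()[0]
        if word == "config":
            stack.append(("config", lineno))
        elif word == "edit":
            if not stack or stack[-1][0] != "config":
                errors.append(f"line {lineno}: 'edit' outside a config block")
            stack.append(("edit", lineno))
        elif word == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            else:
                errors.append(f"line {lineno}: 'next' without an open 'edit'")
        elif word == "end":
            if stack and stack[-1][0] == "edit":
                errors.append(f"line {lineno}: 'end' reached while 'edit' from line "
                              f"{stack[-1][1]} is still open (missing 'next')")
                stack.pop()  # recover so later errors are still reported
            if stack and stack[-1][0] == "config":
                stack.pop()
            else:
                errors.append(f"line {lineno}: 'end' without an open 'config'")
        elif word in ("set", "unset", "append") and not stack:
            errors.append(f"line {lineno}: '{word}' outside any config block")
    for kind, lineno in stack:
        errors.append(f"'{kind}' from line {lineno} is never closed")
    return commands, errors


if __name__ == "__main__":
    for name, script in (("SAMPLE_SCRIPT", SAMPLE_SCRIPT), ("BAD_SCRIPT", BAD_SCRIPT)):
        commands, errors = check_script(script)
        print(f"{name}: {len(commands)} commands, {len(errors)} errors")
        for e in errors:
            print("  " + e)
```

Run the check locally before uploading; a script that aborts part-way through a block leaves the device with a partially applied configuration, which is harder to diagnose than a rejected upload.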
