Document
Library

Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
- VM license
Folders
- Creating a folder
Secrets
- Secret list
- Secret launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Secret templates
  - Creating secret templates
- Policies
  - Creating a policy
    - Applying a policy to a folder
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Job list
  - Creating a job
Monitoring
- User monitor
- Active sessions
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Approval request
- My requests
  - Make a request
- Request review
  - Approve a request
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
Password changing
- Character sets
  - Creating a character set
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
Authentication
- Addresses
  - Creating an address
  - Creating an address group
- Scheme & Rules
  - Creating an authentication scheme
  - Creating an authentication rule
System
- Firmware
- Settings
- SNMP
- High availability
- Certificates
- ZTNA
- Backup
  - Sending backup file to a server Example
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- DNS settings
- Packet capture
  - Creating a packet capture filter
- Static routes
  - Creating an IPv4 static route
Security profile
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
Security fabric
- Fabric Connectors
  - FortiAnalyzer logging
Log & report
- Events
- Secret
- ZTNA
- SSH
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Change Log

Home FortiPAM 1.0.0 Administration Guide

1.0.0

FortiPAM HTTP filter

FortiPAM HTTP filter

When turning on the HTTP category debug, it can generate a lot of traces from the GUI. In the case where GUI traffic is not needed, using the FortiPAM HTTP filter helps clean out traffic that is not required.

You must have system administrator and CLI permissions to use the FortiPAM HTTP filter.

To use the FortiPAM trace filter feature:

In the CLI console, enter the following command to set the debug category to http:
diagnose wad debug enable category http
Optionally, enter the following command to set the debug level:
diagnose wad debug enable level <level>

Use the following CLI command to set up a filter for the FortiPAM traffic:

diagnose wad filter pam

Variable	Description
none	Reset FortiPAM filter setting. All the HTTP traffic traces are displayed.
internal	Internal FortiPAM trace. HTTP traffic with `/pam api-gateway` is displayed, e.g., FortiClient and secret launcher traffic.
tcp-forward	TCP-forward trace. Traffic trace with `/tcp api-gateway` is displayed, e.g., TCP tunneling information when starting a launcher.
both	Internal FortiPAM and TCP-forward trace. HTTP traffic with `/tcp` and `/pam api-gateway` is displayed.

For most cases, the both option is recommended for the filter.

The FortiPAM filter can be used with diagnose wad filter drop-unknown-session 1 to ignore more information during session initialization.

Examples

Turning on drop-unknown-session with the internal option (diagnose wad filter pam internal) and launching a secret shows the following trace:
PAM # [I][p:1070][s:930509823][r:2694] wad_http_req_proc_policy: 10453 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>[I][p:1070][s:930509823][r:2694] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 309
[I][p:1070][s:930509826][r:2701] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Proxy-Agent: FortiPAM/1.0
X-Range: bytes=773458-
Content-Length: 0
Turning on drop-unknown-session with the tcp-forward option (diagnose wad filter pam tcp-forward) and launching a secret shows the following trace:
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5182 Check redir PROXY port=22((null))
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5190 TCP tunnel detected without type.
[I][p:1070][s:930509852][r:2799] wad_dump_fwd_http_resp :2663 hreq=0x7f34b46a41f8 Forward response from Internal:
HTTP/1.1 101 Switching Protocols
Upgrade: tcp-forwarding/1.0
Connection: Upgrade

Previous

Next

FortiPAM HTTP filter

When turning on the HTTP category debug, it can generate a lot of traces from the GUI. In the case where GUI traffic is not needed, using the FortiPAM HTTP filter helps clean out traffic that is not required.

You must have system administrator and CLI permissions to use the FortiPAM HTTP filter.

To use the FortiPAM trace filter feature:

In the CLI console, enter the following command to set the debug category to http:
diagnose wad debug enable category http
Optionally, enter the following command to set the debug level:
diagnose wad debug enable level <level>

Use the following CLI command to set up a filter for the FortiPAM traffic:

diagnose wad filter pam

Variable	Description
none	Reset FortiPAM filter setting. All the HTTP traffic traces are displayed.
internal	Internal FortiPAM trace. HTTP traffic with `/pam api-gateway` is displayed, e.g., FortiClient and secret launcher traffic.
tcp-forward	TCP-forward trace. Traffic trace with `/tcp api-gateway` is displayed, e.g., TCP tunneling information when starting a launcher.
both	Internal FortiPAM and TCP-forward trace. HTTP traffic with `/tcp` and `/pam api-gateway` is displayed.

For most cases, the both option is recommended for the filter.

The FortiPAM filter can be used with diagnose wad filter drop-unknown-session 1 to ignore more information during session initialization.

Examples

Turning on drop-unknown-session with the internal option (diagnose wad filter pam internal) and launching a secret shows the following trace:
PAM # [I][p:1070][s:930509823][r:2694] wad_http_req_proc_policy: 10453 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>[I][p:1070][s:930509823][r:2694] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 309
[I][p:1070][s:930509826][r:2701] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Proxy-Agent: FortiPAM/1.0
X-Range: bytes=773458-
Content-Length: 0
Turning on drop-unknown-session with the tcp-forward option (diagnose wad filter pam tcp-forward) and launching a secret shows the following trace:
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5182 Check redir PROXY port=22((null))
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5190 TCP tunnel detected without type.
[I][p:1070][s:930509852][r:2799] wad_dump_fwd_http_resp :2663 hreq=0x7f34b46a41f8 Forward response from Internal:
HTTP/1.1 101 Switching Protocols
Upgrade: tcp-forwarding/1.0
Connection: Upgrade

Previous

Next