Administration Guide

Creating a policy

To create a policy:
  1. Go to Secrets > Policies.
  2. In Policies, select Create.

    The New Secret Policy window opens.

  3. Enter the following information:

    Name

    Name of the policy.

    Automatic Password Changing

    Select Enable, Disable, or Not Set.

    When enabled, the password changer for secrets is activated to change the password periodically.

    Recursive

    Displays the password changing schedule based on your selections for the related settings.

    Start Time

    The date and time when the Change Interval (min) begins.

    Enter the date (MM/DD/YYYY) and time, or select the Calendar icon and then select a date and time.

    Recurrence

    From the dropdown, select from the following three frequencies of recurrence:

    • Daily

    • Weekly

    • Monthly

    Repeat every

    The number of days/weeks/months after which the password is changed (1 - 400).

    Occurs on

    Select from the following days of the month when the password is automatically changed:

    • First

    • Second

    • Third

    • Last

    • Last Day

    • Day

    Select days of the week when the password is automatically changed.

    When you select Day, select + to add days of the month when the password is automatically changed.

    Note: The option is only available when Recurrence is set as Weekly or Monthly.

    Editable in Secret

    Enable/disable allowing users to customize the password change schedule in the secret.

    Automatic Password Verification

    Select Enable, Disable, or Not Set.

    When enabled, the password changer for secrets is activated to verify the password periodically.

    Verification Interval (min)

    The time interval at which the secrets are tested for accuracy, in minutes (default = 60, 5 - 44640).

    Start Time

    The date and time when the Verification Interval (min) begins.

    Enter the date (MM/DD/YYYY) and time, or select the Calendar icon and then select a date and time.

    Editable in Secret

    When enabled, you can customize the password verification schedule in the secret.

    Session Recording

    Select Enable, Disable, or Not Set.

    When enabled, user actions performed on the secret are recorded.

    The video file is available in the log to users with the appropriate permissions.

    Proxy Mode

    Select Enable, Disable, or Not Set.

    When enabled, FortiPAM is responsible for proxying the connection from the user to the secret.

    When disabled, the non-proxy (direct) mode is used. See Modes of operation.

    Tunnel Encryption

    Select Enable, Disable, or Not Set.

    When a native launcher is launched, FortiClient creates a tunnel between the endpoint and FortiPAM. The protocol stack is HTTP/TLS/TCP.

    The HTTP request carries information about the target server, and FortiPAM then connects to that server. After that, two protocol options exist for the tunnel between FortiClient and FortiPAM: one clears the TLS layer for better throughput and performance; the other keeps the TLS layer, so that the launcher's protocol traffic travels inside the TLS secure tunnel.

    If the launcher's protocol is not itself secure (VNC, for example), enabling this option is strongly recommended so that the traffic travels inside a secure tunnel.

    When there is an HTTPS man-in-the-middle device, e.g., a FortiGate or FortiWeb, between FortiClient and FortiPAM, you must enable the Tunnel Encryption option. Otherwise, the connection is dropped and the launch fails.

    When set to Not Set, secrets using the policy can have the option set as either Enable or Disable.

    When the option is enabled or disabled, all the secrets using this policy have the same setting for this option as set in the policy.

    Requires Checkout

    Select Enable, Disable, or Not Set.

    When enabled, users are forced to check out the secret before gaining access.

    At a given time, only one user can check out a secret. Other approved users must wait for the secret to be checked in or wait for the checkout duration to lapse before accessing the secret.

    See Check out and check in a secret.

    Checkout duration

    The checkout duration, in minutes (default = 30, 3 - 120).

    Checkin Password Change

    Enable/disable automatically changing the password when the user checks in.

    Renew Checkout

    Enable/disable renewing checkouts.

    Max Renew Count

    When Renew Checkout is enabled, enter the maximum number of renewals allowed for the user with exclusive access to the secret (default = 1, 1 - 5).

    Requires Approval to Launch Secret

    Select Enable, Disable, or Not Set.

    When enabled, users are forced to request permission from the approvers defined in the approval profile before gaining access.

    See Make a request and Approval flow.

    Requires Approval to Launch Job

    When enabled, users are forced to request permission from the approvers defined in the approval profile before being able to perform a job on a secret.

    See Make a request and Approval flow.

    Approval Profile

    From the dropdown, select an approval profile, or select Create to create a new approval profile. See Approval profile.

    Use the search bar to look up an approval profile.

    Use the pen icon next to the approval profile to edit it.

    Block RDP Clipboard

    Select Enable, Disable, or Not Set.

    When enabled, users cannot copy or paste from the secret launcher.

    SSH Filter

    Select Enable, Disable, or Not Set.

    When enabled, the commands defined in the SSH filter profile are blocked from being executed on the secret.

    SSH Filter Profile

    From the dropdown, select an SSH filter profile.

    Antivirus Scan

    Select Enable, Disable, or Not Set.

    When enabled, an antivirus profile is enforced on the secret. See AntiVirus.

    Antivirus Profile

    From the dropdown, select an antivirus profile.

    RDP Security Level

    Select the security level used when establishing an RDP connection to the secret:

    • Best Effort: If the server supports NLA, FortiPAM uses NLA to authenticate. Otherwise, FortiPAM conducts standard RDP authentication with the server through RDP over TLS.

    • NLA: Network Level Authentication (CredSSP).

      When an RDP launcher is launched, FortiPAM is forced to use CredSSP (NLA) to authenticate with the target server.

    • Not Set

    • RDP: FortiPAM uses the standard RDP encryption provided by the RDP protocol without using TLS (Web-RDP only).

    • TLS: RDP over TLS.

      FortiPAM uses a TLS-encrypted connection to connect to the target server.

    RDP Restricted Admin Mode

    Enable/disable RDP restricted admin mode.

    Restricted admin mode prevents the transmission of reusable credentials to the remote system to which you connect using remote desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.

    Note: The option is only available when RDP Security Level is set as Best Effort or NLA.

    Settings set as Enable or Disable cannot be changed on the secret.

    Settings set as Not Set can be customized in the secret.

    For example, while setting up a policy:

    • If Automatic Password Changing is enabled, then the secrets in the folder where the policy applies have Automatic Password Changing enabled as well.

    • If Automatic Password Changing is not set, then the secrets in the folder where the policy applies can have Automatic Password Changing set as either Enable or Disable.

  4. Click Submit.

See Applying a policy to a folder.
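The inheritance rule above (Enable/Disable forced on every secret, Not Set left to the secret) and the checkout settings (Requires Checkout, Checkout duration, Renew Checkout, Max Renew Count, Checkin Password Change) modelled in Python, as an added example that is not Fortinet code or the FortiPAM implementation. Time is a plain minute counter, the class and function names are this example's own, and the assumption that a renewal extends the checkout by one more Checkout duration is labelled in the code.

```python
from dataclasses import dataclass
from typing import Optional

ENABLE, DISABLE, NOT_SET = "Enable", "Disable", "Not Set"

def resolve_setting(policy_value: str, secret_value: Optional[str]) -> str:
    """Enable/Disable in the policy is inherited by every secret; Not Set lets the secret choose."""
    if policy_value == NOT_SET:
        return secret_value if secret_value in (ENABLE, DISABLE) else NOT_SET
    if secret_value not in (None, policy_value):
        raise ValueError(f"policy forces {policy_value}; secret cannot set {secret_value}")
    return policy_value

@dataclass
class Secret:
    """Checkout state of one secret whose policy has Requires Checkout enabled."""
    checkout_minutes: int = 30            # Checkout duration (default = 30, 3 - 120)
    max_renew_count: int = 1              # Max Renew Count (default = 1, 1 - 5)
    renew_checkout: str = ENABLE          # Renew Checkout
    checkin_password_change: str = ENABLE # Checkin Password Change
    holder_name: Optional[str] = None     # user with the current checkout
    expires: int = 0                      # minute at which that checkout lapses
    renewals: int = 0
    password_changes: int = 0             # check-ins that triggered a rotation

    def holder(self, now: int) -> Optional[str]:
        # An unexpired checkout is exclusive; a lapsed one releases the secret.
        return self.holder_name if self.expires > now else None

    def check_out(self, user: str, now: int) -> bool:
        if self.holder(now) not in (None, user):  # another user holds it: wait
            return False
        self.holder_name, self.expires, self.renewals = user, now + self.checkout_minutes, 0
        return True

    def renew(self, user: str, now: int) -> bool:
        """Assumption of this model: each renewal adds one more Checkout duration."""
        if self.renew_checkout != ENABLE or self.holder(now) != user or self.renewals >= self.max_renew_count:
            return False
        self.renewals += 1
        self.expires += self.checkout_minutes
        return True

    def check_in(self, user: str, now: int) -> bool:
        if self.holder(now) != user:
            return False
        self.holder_name, self.expires = None, 0
        if self.checkin_password_change == ENABLE:
            self.password_changes += 1  # password is rotated on check-in
        return True
```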
