Administration Guide

Creating a user

FortiPAM ships with a default user that has the username admin and no password.

When you log in to the system for the first time, you must set a password for this account. Additional users can be added later.

To create a user:
  1. Go to User Management > User Definition, and select Create.

    The New User Definition wizard is launched.

  2. Enter the following information, and click Next after each tab:

    Configure Role

    Choose a User Role type

    Select from the following user role types:

    • Guest User

    • Standard User

    • Power User

    • Administrator

    For Administrator, select one of the available administrator roles from the Choose an Administrator Role dropdown.

    The administrator role decides what the administrator can see. Depending on the nature of the administrator's work, access level, or seniority, you can allow them to view and configure as much or as little as required.

    Use the search bar to look for an administrator role.

    For information on the user types and their roles, see Users in FortiPAM and Role.

    Configure Type

    Choose a User type

    Select a user type:

    • Local User

      To change the local user password, see Admin.

    • API User

    • Remote User: Select the option if you want to enable login for one remote user in a remote group, and assign the user the remote user type for the FortiPAM session.

    For Remote User, select a remote group where the user is found. See User groups.

    Use the search bar to look for a remote group.

    For information on the user types, see Users in FortiPAM.

    Configure User Details

    Username

    The username.

    Do not use < > ( ) # " '` characters in the username.

    Password

    The password.

    Note: This option is only available when the user type is local.

    Confirm Password

    Enter the password again to confirm.

    Note: This option is only available when the user type is local.

    Status

    Enable/disable user login to FortiPAM.

    Note: The option is not available when the user type is an API user.

    Email address

    The email address.

    Comments

    Optionally, enter comments about the user.

    Two Factor Authentication

    Enable/disable using two-factor authentication.

    Note: Two-factor authentication is disabled by default.

    Note: Two-factor authentication is not available for an API user.

    You can also set up Two Factor Authentication using the CLI. See Two Factor Authentication using CLI.

    Authentication Type

    Specify the type of user authentication used:

    Token

    From the dropdown, select a token. This option is mandatory.

    Note: This option is only available when FortiToken is the Authentication Type.

    Send Activation Code

    Enable/disable sending activation codes.

    Note: This option is only available when FortiToken Cloud is the Authentication Type.

    Email address

    The email address.

    Note: This option is mandatory.

    The email address is synched from the email address added in the Configure User Details pane.

    Configure Trusted Hosts

    IPv4 Trusted Hosts

    Trusted IPv4 addresses from which users connect to FortiPAM.

    Use the + button to add a new IPv4 address and x to delete an added IPv4 address.

    Configure the schedule for which the user can connect to the FortiPAM

    Enable/disable configuring the login schedule for the users.

    From the dropdown, select a schedule. See Schedule.

    Note: This option is disabled by default.

  3. In the Review tab, verify the information you entered and click Submit to create the user.

    Use the pen icon to edit tabs.

Alternatively, use the CLI commands to create users.

To regenerate the API key:
  1. Go to User Management > User Definition.
  2. Select the API user whose API key you intend to change and then select Edit.
  3. In the Details pane, select Re-generate API Key.
  4. In the Re-generate API Key window, select Generate.

    Regenerating the API key will immediately revoke access for any API consumers using the current key.

    A new API key for the API user is generated.

  5. Click Close.

Example CLI configuration to set up a local user:

    config system admin
        edit <user_name>
            set accprofile <role_name>
            set password <password>
        next
    end

Example CLI configuration to set up a remote LDAP user:

    config system admin
        edit <ldap_username>
            set remote-auth enable
            set accprofile <profname>
            set remote-group <ldap_group_name>
        next
    end

Example CLI configuration to set up a remote RADIUS user:

    config system admin
        edit <radius_username>
            set remote-auth enable
            set accprofile <profname>
            set remote-group <radius_group_name>
        next
    end

Example CLI configuration to enable two-factor authentication:

    config system admin
        edit <username>
            set password "myPassword"
            set two-factor <fortitoken | fortitoken-cloud | email>
            set fortitoken <serial_number>
            set email-to "username@example.com"
        next
    end
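
Because two-factor authentication is disabled by default, it is worth reviewing which accounts under config system admin still lack it. The following is an added example, not Fortinet code: it parses the text of a flat config system admin section (no nested config blocks) and reports accounts with no two-factor setting or with a two-factor type whose mandatory companion setting is missing. The sample configuration, user names and serial number are constructed; remote users are reported as well, so the reviewer can decide whether the remote server already enforces a second factor.

```python
# Constructed sample (hypothetical names and values), not from a real device.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "alice"
        set two-factor fortitoken
        set fortitoken "CONSTRUCTED-SERIAL-0001"
    next
    edit "ldap_bob"
        set remote-auth enable
        set remote-group "ldap_group_a"
    next
    edit "carol"
        set two-factor email
    next
end
"""

TWO_FACTOR_TYPES = {"fortitoken", "fortitoken-cloud", "email"}  # values listed on this page
REQUIRED_WITH = {"fortitoken": "fortitoken", "email": "email-to"}  # mandatory companion setting

def parse_admins(text):
    """Return {username: {setting: value}} for a flat `config system admin` section."""
    admins, current, in_section = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "config system admin":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section and line.startswith("edit "):
            current = admins.setdefault(line[5:].strip().strip('"'), {})
        elif in_section and line == "next":
            current = None
        elif in_section and current is not None and line.startswith("set "):
            _, key, *rest = line.split(None, 2)
            current[key] = rest[0].strip('"') if rest else ""
    return admins

def audit_two_factor(admins):
    """Return (username, issue) pairs for accounts without usable two-factor settings."""
    findings = []
    for name, cfg in admins.items():
        method = cfg.get("two-factor")
        if method not in TWO_FACTOR_TYPES:
            findings.append((name, "two-factor not enabled"))
        elif method in REQUIRED_WITH and REQUIRED_WITH[method] not in cfg:
            findings.append((name, f"{method} selected but {REQUIRED_WITH[method]} not set"))
    return findings
```

Calling audit_two_factor(parse_admins(SAMPLE_CONFIG)) on the constructed sample reports admin, ldap_bob and carol; alice passes because both the two-factor type and its token are set.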
