Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
- VM license
Folders
- Creating a folder
Secrets
- Secret list
- Secret launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Secret templates
  - Creating secret templates
- Policies
  - Creating a policy
    - Applying a policy to a folder
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Job list
  - Creating a job
Monitoring
- User monitor
- Active sessions
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Approval request
- My requests
  - Make a request
- Request review
  - Approve a request
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
Password changing
- Character sets
  - Creating a character set
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
Authentication
- Addresses
  - Creating an address
  - Creating an address group
- Scheme & Rules
  - Creating an authentication scheme
  - Creating an authentication rule
System
- Firmware
- Settings
- SNMP
- High availability
- Certificates
- ZTNA
- Backup
  - Sending backup file to a server Example
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- DNS settings
- Packet capture
  - Creating a packet capture filter
- Static routes
  - Creating an IPv4 static route
Security profile
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
Security fabric
- Fabric Connectors
  - FortiAnalyzer logging
Log & report
- Events
- Secret
- ZTNA
- SSH
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Change Log

Home FortiPAM 1.0.0 Administration Guide

1.0.0

Creating an SSH filter

To create an SSH filter profile:

Go to Secrets > SSH Filter Profiles.
In SSH Filter Profiles, select Create.
The New SSH Filter Profile window opens.

Enter the following information:

Name

Name of the SSH filter.

Shell Commands

Shell commands can be created to block a command in the SSH terminal.

See Creating Shell Commands.

Select a shell command from the list and then select Edit to edit the command.

When editing a shell command the options are same as when creating one.

Select shell commands from the list then select Delete to delete the commands.

Default Command Log

Enable/disable logging unmatched shell commands.

Note: The option is disabled by default

Other Channels

Use this tab for advanced settings.

Note: Settings in the tab require setting up a custom launcher.

Block Channel

Select from the SSH blocking options (multiple options may be selected):

X11: X server forwarding
SSH execution
Port forwarding
Tunnel forwarding
SFTP
SCP
Unknown channel: Unknown channel (any channel other than the six listed here and the shell channel.)

Log Activity

SSH logging options.

These are log activities related to selected channels regardless of the blocking status (multiple options may be selected):

X11: X server forwarding
SSH execution
Port forwarding
Tunnel forwarding
SFTP
SCP
Unknown channel

Click Submit.

To create a shell command:

In the New SSH Filter Profile window, select Create in the Shell Commands pane.

In the New Shell Command window, enter the following information:

Type	Select the matching type: Regex: Match command line using regular expression. Choosing the option blocks any command matching Regex in Pattern. Simple: Match single command (default). Choosing the option matches any command fitting the one in Pattern.
Pattern	SSH shell command pattern. For example: When the Type is Regex, pattern `.` stands for all the commands and pattern `sh.` stands for all the commands beginning with `sh` including show and shutdown. When the Type is Simple, pattern `rm` stands for the rm command on Linux, e.g., `'rm -rf /*'`, `'rm test.py'`.
Action	Action to take for URL filter matches: Allow: Allow the SSH shell command on the target server. Block: Block the SSH shell command on the target server (default). For example when the Type is Regex, the Pattern is `conf.`, and the Action* is Block. This blocks all the configuration actions on the target server.
Log	Enable/disable logging. When enabled, the action logs are available in Log & Report > SSH.
Alert	Enable/disable alert. When enabled, the alert message is sent based on the configurations in Log & Report > Email Alert Settings.
Severity	The severity of the actions reported in Log & Report > SSH and alert messages: Critical High Medium Low (default)

Click OK.