Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
- VM license
Folders
- Creating a folder
Secrets
- Secret list
- Secret launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Secret templates
  - Creating secret templates
- Policies
  - Creating a policy
    - Applying a policy to a folder
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Job list
  - Creating a job
Monitoring
- User monitor
- Active sessions
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Approval request
- My requests
  - Make a request
- Request review
  - Approve a request
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
Password changing
- Character sets
  - Creating a character set
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
Authentication
- Addresses
  - Creating an address
  - Creating an address group
- Scheme & Rules
  - Creating an authentication scheme
  - Creating an authentication rule
System
- Firmware
- Settings
- SNMP
- High availability
- Certificates
- ZTNA
- Backup
  - Sending backup file to a server Example
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- DNS settings
- Packet capture
  - Creating a packet capture filter
- Static routes
  - Creating an IPv4 static route
Security profile
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
Security fabric
- Fabric Connectors
  - FortiAnalyzer logging
Log & report
- Events
- Secret
- ZTNA
- SSH
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Change Log

Home FortiPAM 1.0.1 Administration Guide

1.0.1

Creating secret templates

To create a secret template:

Go to Secrets > Secret Templates.
In the secret templates list, select Create.
The New Secret Template window opens.

Enter the following information:

Name

Name of the template.

Description

Optionally, enter a description.

Server Information

The general type of server to which the template is intended to connect:

Cisco
Like Unix
Default

Fields

Secrets require fields to enter the secret related information.

To add new fields, select Create and then enter the following information, and click OK:

Field Name

The name of the field.

Type

From the dropdown, select a field type:

Domain: A domain field.
Passphrase: A passphrase fields.
Password: A password field.
Private-Key: A private-key field.
Public-Key: A public-key field.
Target-Address: A target address field.
Text: A text field.
URL: A URL field.
Username: A username field.

Mandatory

Enable to make this field mandatory or disable if this field will be optional.

From the list, select a field and then select Edit to edit the field.

From the list, select fields and then select Delete to delete the fields.

Launcher

Launcher helps you access a target server. See Secret launchers.

A launcher allows you to log in to a website or device without you needing to know the credentials.

To add a new launcher, select Create and then enter the following information, and click OK:

Launcher Name

From the dropdown, select a launcher.

Use the search bar to look up a launcher.

Use the pen icon to edit a custom launcher.

To create a new launcher, in the dropdown, select Create.

Enter the following information and click OK:

Name

The name of the launcher.

Type

From the dropdown, select a launcher type:

Other client: Other client launcher type.
Remote desktop: RDP client launcher type.
SSH client: SSH client launcher type.
VNC: VNC client launcher type.

Executable

The program file name, e.g., putty.exe for an SSH client.

Ensure that the program path is already added to the environment variable path in Windows before launching the secret.

Note:

An absolute path is also supported. Use the escape character (\) when using an absolute path, e.g.:

C:\\Users\\user1\\Documents\\putty.exe

C:\\Users\\user1\\Documents\\New folder\\putty.exe

Parameter

The command line parameters:

$DOMAIN
$TARGET
$HOST
$USER
$PASSWORD
$VNCPASSWORD
$PASSPHRASE
$PUB_KEY
$PRI_KEY
$URL
$PORT
$TMPFILE

Example

For putty.exe as the Executable, -|$USER -pw $PASSWORD $HOST are the parameters.

For putty.exe as the Executable for SSH execution, -l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt

-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\" are the parameters.

For the full path of a file, use the escape character double backslash (\\) for the -m parameter.

Note:

When there is no space in the path, double quotes are not necessary:

-l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt

When there is space in the path, double quotes must be used with backslash:

-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\"

Initial Commands

Configure initializing the environment. See Creating a new launcher command.

Clean Commands

Configure cleaning the environment. See Creating a new launcher command.

Launcher Port

The launcher port number.

The port number will be mapped to the launcher variable `$PORT`.

The minimum allowed value is 1.

From the list, select a launcher and then select Edit to edit the launcher.

From the list, select launchers and then select Delete to delete the launchers.

Password Changer

A password changer can be configured for a custom secret template to change the password of a secret periodically and to check the health of a secret periodically.

Note: The option is enabled by default.

Password Changer

From the dropdown, select the password changer that will be used for this template or create a new password changer. See Creating a password changer.

Use the search for to look up a password changer.

Use the pen icon next to a password changer to edit it.

Port

The port used for the password changer (default = 22).

Password Policy

The password policy to use in the password changer.

From the dropdown, select a password policy or create a new password policy. See Creating a password policy.

Use the search for to look up a password policy.

Use the pen icon next to a password policy to edit it.

Max Number of Retries

The maximum number of retries allowed after which the connection fails (default = 10).

Verify After Password Change

When enabled, whenever secrets with the template conducts a password change, a verification of the newly changed password is ran.

Note: The option is enabled by default.

Click OK.

To create a secret template:

Go to Secrets > Secret Templates.
In the secret templates list, select Create.
The New Secret Template window opens.

Enter the following information:

Name

Name of the template.

Description

Optionally, enter a description.

Server Information

The general type of server to which the template is intended to connect:

Cisco
Like Unix
Default

Fields

Secrets require fields to enter the secret related information.

To add new fields, select Create and then enter the following information, and click OK:

Field Name

The name of the field.

Type

From the dropdown, select a field type:

Domain: A domain field.
Passphrase: A passphrase fields.
Password: A password field.
Private-Key: A private-key field.
Public-Key: A public-key field.
Target-Address: A target address field.
Text: A text field.
URL: A URL field.
Username: A username field.

Mandatory

Enable to make this field mandatory or disable if this field will be optional.

From the list, select a field and then select Edit to edit the field.

From the list, select fields and then select Delete to delete the fields.

Launcher

Launcher helps you access a target server. See Secret launchers.

A launcher allows you to log in to a website or device without you needing to know the credentials.

To add a new launcher, select Create and then enter the following information, and click OK:

Launcher Name

From the dropdown, select a launcher.

Use the search bar to look up a launcher.

Use the pen icon to edit a custom launcher.

To create a new launcher, in the dropdown, select Create.

Enter the following information and click OK:

Name

The name of the launcher.

Type

From the dropdown, select a launcher type:

Other client: Other client launcher type.
Remote desktop: RDP client launcher type.
SSH client: SSH client launcher type.
VNC: VNC client launcher type.

Executable

The program file name, e.g., putty.exe for an SSH client.

Ensure that the program path is already added to the environment variable path in Windows before launching the secret.

Note:

An absolute path is also supported. Use the escape character (\) when using an absolute path, e.g.:

C:\\Users\\user1\\Documents\\putty.exe

C:\\Users\\user1\\Documents\\New folder\\putty.exe

Parameter

The command line parameters:

$DOMAIN
$TARGET
$HOST
$USER
$PASSWORD
$VNCPASSWORD
$PASSPHRASE
$PUB_KEY
$PRI_KEY
$URL
$PORT
$TMPFILE

Example

For putty.exe as the Executable, -|$USER -pw $PASSWORD $HOST are the parameters.

For putty.exe as the Executable for SSH execution, -l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt

-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\" are the parameters.

For the full path of a file, use the escape character double backslash (\\) for the -m parameter.

Note:

When there is no space in the path, double quotes are not necessary:

-l $USER -pw $PASSWORD $HOST -m C:\\Users\\user1\\Desktop\\cmd.txt

When there is space in the path, double quotes must be used with backslash:

-l $USER -pw $PASSWORD $HOST -m \"C:\\Program Files\\cmd.txt\"

Initial Commands

Configure initializing the environment. See Creating a new launcher command.

Clean Commands

Configure cleaning the environment. See Creating a new launcher command.

Launcher Port

The launcher port number.

The port number will be mapped to the launcher variable `$PORT`.

The minimum allowed value is 1.

From the list, select a launcher and then select Edit to edit the launcher.

From the list, select launchers and then select Delete to delete the launchers.

Password Changer

A password changer can be configured for a custom secret template to change the password of a secret periodically and to check the health of a secret periodically.

Note: The option is enabled by default.

Password Changer

From the dropdown, select the password changer that will be used for this template or create a new password changer. See Creating a password changer.

Use the search for to look up a password changer.

Use the pen icon next to a password changer to edit it.

Port

The port used for the password changer (default = 22).

Password Policy

The password policy to use in the password changer.

From the dropdown, select a password policy or create a new password policy. See Creating a password policy.

Use the search for to look up a password policy.

Use the pen icon next to a password policy to edit it.

Max Number of Retries

The maximum number of retries allowed after which the connection fails (default = 10).

Verify After Password Change

When enabled, whenever secrets with the template conducts a password change, a verification of the newly changed password is ran.

Note: The option is enabled by default.

Click OK.