What' s new

FortiPAM version 1.1.0 includes the following enhancements:

842754, 899220- Simplified ZTNA GUI

ZTNA servers and new proxy rules can only be set via the CLI. You can use the GUI to edit existing proxy rules.

When editing a proxy rule, the Edit Proxy Rule window has been simplified:

• A new Enable this rule toggle added.

• A new Access Proxy pane added. The pane display the corresponding access proxy and the VIP.

• A new ZTNA Control pane added. ZTNA Control allows you to enable/disable ZTNA control for the rule being edited.

  The pane contains ZTNA Tag and Match ZTNA tags options.

• ZTNA Server, Destination, Action, Protocol Options, and SSL/SSH Inspection options have been removed.
• The Logging Options pane has been removed.

865722, 863356- New backup GUI options

FortiPAM now includes the following new GUI changes in System > Backup:

• A new Port field to enter the port number for the backup server.

• A new Server Certificate Check toggle to enable/disable server identity check.

• A new Server CA Certificate dropdown to select a server CA certificate for server certificate check.

• A new Test Connectivity button to test the connection to the backup server.

863268- DLP related settings can be set up using GUI

New Data Leak Prevention and DLP File Pattern tabs in Secret Settings.

FortiPAM now allows you to set up DLP sensors, DLP filter rules, and DLP file pattern using the GUI.

When creating or editing a secret in Secrets > Secret List, you can now enable/disable DLP using the new DLP Status toggle. If DLP Status is enabled, you can enforce a DLP sensor on the secret using the new DLP Profile dropdown.

879947, 884995, 883168, 876986, 877093- Secret related GUI updates

While creating a secret in Secrets > Secret List, you can now:

• Enter values in the Field pane for a secret template directly.

• In the Service Setting tab:

  • The LDAPS Service toggle has been removed.

  • A new SFTP Service toggle added.

  • The SSH Service toggle controls Web SSH, Web SFTP, PuTTY, and the WinSCP launchers.

  • The RDP Service toggle controls Web RDP and the Remote Desktop-Windows launchers.

  • The VNC Service toggle controls the Web VNC, VNC Viewer, and TightVNC launchers.

  • The SAMBA Service toggle controls the Web SMB launcher.

  • The SFTP Service toggle controls the Web SFTP launcher.

• The Port option has been renamed to Use Template Default Port in SSH Service, RDP Service, VNC Service, SAMBA Service, and SFTP Service.

• A new Inherit ZTNA Control toggle added to the Secret Permission tab.

• Launch Device Control toggle renamed to ZTNA Control.

When editing a secret:

• The Edit Secret window has been renamed to Secret Details.

• The Undo Changes button has been renamed to Discard Changes.

In Secrets > Secret List:

• The following additional column filters have been introduced:

  • Target Address

  • Last Password Change

  • Last Password Verification

  • Auto Password Changing

  • ID

• You can now reorder columns.

• The following new columns have been added:

  • Target Address

  • Last Password Change

  • Auto Password Changing

883808, 868242- Configuring RAID via CLI on FortiPAM 1000G/3000G

The FortiPAM hardware devices 1000G and 3000G are equipped with a hardware RAID card. Therefore, you can now check the RAID status for the FortiPAM hardware devices by entering diagnose system raid status command in the CLI console.

Use the diagnose system disk health CLI command to check the disk status for the FortiPAM hardware devices.

Use the diagnose system disk info CLI command to check the disk information.

You can now create a RAID-10 disk group on FortiPAM hardware device using the execute raid create-and-format CLI command.

Further, you can also hot swap failed disks on FortiPAM hardware devices.

883594, 898709- FortiPAM on Microsoft Hyper-V

FortiPAM now supports Microsoft Hyper-V virtualization software.

860158- New pages in Log & report: Antivirus and DLP

FortiPAM now offers antivirus and DLP related log information in Log & Report.

884593, 896564, 890817, 908686- General GUI reorganization

FortiPAM 1.1.0 includes the following general GUI updates:

• Folders has been renamed to Personal Folder/Public Folder and moved to Secrets.

• My Requests has been renamed to My Request List and moved to Secrets.

• Request Review has been renamed to Approval List and moved to Secrets.

• A new Secret Settings menu with:

  • Templates- renamed form Secret Templates. Previously available in Secrets.

  • Launchers- renamed from Secret Launchers. Previously available in Secrets.

  • Policies- Previously available in Secrets.

  • Addresses- Previously available in Authentication.

  • Approval Profile- Previously available in Approval Request.

  • Password Changers- Previously available in Password Changing.

  • Password Policies- Previously available in Password Changing.

  • Character Sets- Previously available in Password Changing.

  • AntiVirus- Previously available in Security Profiles.

  • Data Leak Prevention

  • DLP File Pattern

  • SSH Filter Profiles- Previously available in Secrets.

  • Integrity Check

• New AntiVirus, Data Leak Prevention, and Debug Settings pages in Log & Report.

• Fabric Connectors moved from Security Fabric to Network.

• New FortiPAM License and FortiGuard License tabs in System.

• Approval Request has been removed.

• Password Changing has been removed.

• Authentication has been removed.

• Security Profiles has been removed.

• Security Fabric has been removed.

902469, 887801- Send/approve/deny multiple secret/job requests

When sending a secret/job request from Secrets > My Request List, you can now send access requests for multiple secrets/jobs using the Secret/Job option in the New secret request window.

FortiPAM now also allows you to approve/deny multiple secret/job requests together in Secrets > Approval List.

Also, FortiPAM now gives you the option to either combine multiple secret request notifications as one email when sending the notification to a reviewer or send them as separate emails.

For this, a new Send Multiple Secret Requests in option is available in the PAM Settings pane in System > Settings.

854712- Client software integrity check

For every launcher in FortiPAM, you can now configure a client software entry in the new Integrity Check tab in Secret Settings to enable integrity checks.

When the integrity check fails, the launching stops and a prompt appears showing where to download a version of the client software based on your FortiPAM configurations.

New Client Software option when creating or editing a secret launcher in Secret Settings > Launchers.

New Integrity Check option when creating a secret launcher in the Launcher pane as you create a new template in Secret Settings > Templates.

Client software integrity check requires FortiPAM 1.1 and FortiClient 7.2.2.

914149- Secret name displayed when editing a secret

When editing a secret, the Secret Details window displays the name of the secret being edited in the title across all the tabs.

840512- Tooltip when the number of users exceeds the licensed seats

When you attempt to create a new user that exceeds the licensed seats, the Status option in the Configure User Details tab cannot be enabled.

As you hover over the Enable button, a tooltip appears, alerting you that the user cannot be enabled as you have exceeded your license seat.

On the bottom-left of the user definitions list, the number of enabled users and the total number of allowed users are displayed as a label. This label is green when seats are available. The label turns red when all the seats have been used up. Once the seats are used up, new users cannot be enabled without disabling enabled users.

865654, 885138, 810687- Allowed and blocked addresses

FortiPAM now allows you to set up a list of allowed and blocked addresses in the Secret Permission tab using the new Address Filter option when editing a secret in Secrets > Secret List.

Allowlist and blocklist can only be configured when the secret has one of its fields as Domain type.

904160- FortiPAM on Microsoft Azure

FortiPAM now supports the Microsoft Azure virtualization software.

804808- Time-based One-Time Password (TOTP) settings for secrets

FortiPAM now supports enabling/disabling TOTP settings from the TOTP Setting pane when creating a secret in Secrets > Secret List.

TOTP is used when the target server requires TOTP as the 2FA.

The TOTP settings can also be configured from the TOTP Setting pane when creating a secret template in Secret Settings > Templates. The TOTP configuration from a secret template can be then inherited by all the secrets using the template. It is also possible to override the secret template TOTP settings from within a secret configuration.

845099- New target only secret template

FortiPAM now offers a new Target Only default secret template. Target Only is a basic template for a secret that only manages the target host.

Instead of using a shared common account, the Target Only secret template allows users to use user specific login name and password to access a credential-less target only secret.

The template includes only target server related fields, i.e., Host, URL, and Domain.

When you launch a secret based on the Target Only template, you have the following two options:

• You can use the current user's general FortiPAM login credentials to finish the authentication to the target server, i.e., SSO mode.

  Note that the SSO mode only applies to user logins via the general mode, and MFA credentials (if any) are dismissed.

• Dynamically enter the credentials for the target server during secret launching.

SAML user authentication is not available for secrets based on the Target Only template.

903079- Launcher pane editable for default secret templates

FortiPAM now allows you to edit the Launcher pane for default secret templates in Secret Settings > Templates.

849255- Secret template access control

FortiPAM now allows you to control access to templates by setting up user and user group permissions when creating a secret template in Secret Settings > Templates.

891443, 893734- New default templates

In addition to the new Target Only default secret template, the following new default secret templates have been introduced:

• Cisco XR Router: A basic template for Cisco server with XR IOS.

• ESXi Server: A basic template for ESXi server using username and password.

• Database Server: A basic template for SQL server using SQL username and password authentication.

Note that only the Launcher pane of a default secret template can be modified.

893198, 897591, 853452- New default launchers

FortiPAM now includes the following new default secret launcers:

• MYSQL CLI: A MYSQL CLI launcher for mysql.exe.

• Microsoft SQL CLI: A MSSQL CLI launcher for sqlcmd.exe.

• MySQL Shell: A MYSQL CLI launcher for mysqlsh.exe.

• PostgreSQL CLI: A MYSQL CLI launcher for mysqlsh.exe.

• SSH CLI: An SSH CLI launcher for ssh.exe.

• SecureCRT: An SSH Client using SecureCRT.

  Only the non-proxy mode is supported for database related CLI launchers.

Note that only the Client Software toggle/dropdown of a default secret launcher can be modified.

860209- Downloading debug logs and the new trace logs tool

FortiPAM now allows you to download the debug logs for troubleshooting from Log & Report > Debug Settings.

The trace log debug tool is available in the GUI in the Trace Logs pane in Log & Report > Debug Settings.

814300- Only enabled users listed

By default, FortiPAM now only lists enabled users in User Management > User Definition.

To see all the users in the user definition list, enable Show all users.

Note that you can disable a selected user by clicking Disable.

822815- Secret video download

From the new Download dropdown, FortiPAM now allows you to download secret videos in Log & Report > Secret > Secret/Secret Video.

848805- Timer when a secret request is granted access

When a secret request is approved, FortiPAM now displays a Launcher Status timer that shows the remaining time till you (as a requester) have access to the secret in:

• The Secret Details window when you double-click to open the secret from Secrets > Secret List.

• The Editing secret request (Read Only) window when you (as a requester) double-click to open the secret request from Secrets > My Request List.

• The Approving secret request (Read Only) window when you (as an approver) double-click to open the reviewed request in Requests that are reviewed column in Secrets > Approval List.

829558- Token Id for SSH logs

FortiPAM now displays the token ID for an SSH log in the new Token Id column in Log & Report > SSH.

New Corresponding secret and Corresponding secret video buttons available when you right-click an SSH log in Log & Report > SSH. The buttons take you to the corresponding secret log or the secret video log, respectively.

894252- Display status of a job

FortiPAM now displays the status of a job in the new Status column in Secrets > Job List.

891443, 893734- New default password changers

FortiPAM offers the following new default password changers:

• Cisco XR Router

• ESXi Password

881157- New customized user role type

FortiPAM now offers a new customized user role type.

A customized user has tailored permissions and restrictions to match their needs and responsibilities, allowing them to control access to features or pages based on assigned roles.

When creating a new user in User Management > User Definition:

• A new Customized User role type option when you create a new user.

• When the Customized User role type is selected, a new Choose a custom defined Role dropdown appears, allowing you to select a role from one of the available custom roles.

897541- Send critical system and general alerts to users

FortiPAM now allows sending critical system and general alerts to users via email.

When creating a new user in User Management > User Definition the following two new options are available in the Configure User Details tab:

• Critical System Email Alert: Enable/disable sending critical system alerts via email.

• General Email Alert: Enable/disable sending general alerts via email.

Note that the Glassbreaking Notification tab in Log & Report > Email Alert Settings has been renamed to Critical System Notification, and it now supports glass breaking and license expiry notifications.

886975- ZTNA based access control for folders

FortiPAM now allows you to set up ZTNA based access control for folders, i.e., access to the folder is controlled by ZTNA tags.

The following new options are available when creating a new folder in Secrets:

• Inherit ZTNA Control: Enable to inherit ZTNA control access permission from the parent folder.

• ZTNA Control: Enable to limit access by ztna-ems-tag.

• Device Tags: Add ZTNA tags or groups by which access to the folder is limited.

• Device Match Logic: Define the match logic for the device tags.

896115- New default user group

A new default user group named everyone is available.

By default, every user belongs to the new everyone default user group.

891441-Cloning secret policies

FortiPAM now allows you to clone existing secret policies (including the default secret policy) using the new Clone button in Secret Settings > Policies.

923636- Simplified system settings

System > Settings is now divided into two tabs:

• General: Host name, System time, and PAM Settings panes.

• Advanced: User Password Policy, View Settings, and Email Service pane.

Admin Session Timeout has been renamed to User Session Timeout in the PAM Settings pane.

The Debug Logs pane has been removed.

867443-Test email service

In System > Settings, you can now check if the email service was set up correctly by sending a test email using the new Test Connection button.

897542- Setting up login disclaimers in GUI

In System > Settings, you can now set up login disclaimers using the Login Disclaimer toggle and text box available in the PAM Settings pane.

The login disclaimer now also tells you when the last successful login occurred.

790421- Display number for the VNC service

FortiPAM now supports adding a display number as well as custom port for the VNC service.

When VNC Service is enabled in the Service Setting tab as you create or edit a secret in Secrets > Secret List, a new Display Number option is available when Use Template Default Port is enabled. The option allows you to enter the display number to be added to the VNC port defined in the template.

920458, 864749- Bypass secret request/approval process

FortiPAM now allows secret owners to bypass secret request/approval process.

When creating or editing a secret in Secrets > Secret List, a new Bypass Approval option is available when Requires Approval to Launch Job is enabled.

The option allows secret owners to bypass the secret request/approval process, i.e., secret owners do not require approval to launch secrets they own, given that Bypass Approval is enabled.

899609- Automation trigger settings

FortiPAM can now be configured to perform actions when an event log is triggered.

You can use config system automation-trigger CLI command to configure automation trigger settings.

904137- Alerts for license expiry

FortiPAM now allows you to set up email alerts for license expiry. You can set up the email alert in the Critical System Notification tab in Log & Report > Email Alert Settings.

When a FortiPAM license is about to expire, i.e., the license is expiring within the next 30 days; a warning dialog appears when you log in to FortiPAM.

Also, a red banner appears on the top once you are logged in, alerting you about license expiry.

For expiring Advanced Malware Protection and FortiCare support, license expiration email notifications and warnings are sent.

877321- Secure import of secrets

FortiPAM now allows you to securely import multiple secrets at once using the fpam_secret.xlsm secret upload template.

Before downloading, you can encrypt the secret upload template file for added security. When uploading the filled in secret upload template, you are asked the password to decrypt the template file.

Note that all the default secret templates are now supported. Also, you can now create a custom secret template in the secret upload template file.