Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secret list
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approve a request
  - Reviewing multiple requests
- Job list
  - Creating a job
Secret settings
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Integrity check
  - Creating a client software entry for integrity check
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
- ZTNA
- High availability
- Certificates
- SNMP
- Backup
  - Sending backup file to a server Example
- Firmware
- FortiPAM license
- FortiGuard license
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Change Log

Home FortiPAM 1.1.2 Administration Guide

1.1.2

Launchers

Secret launchers allow users to remotely gain access to a target without the need to know, view, or copy the passwords stored in FortiPAM.

A secret launcher stores an executable and the parameters needed to start a connection to a target.

In proxy mode, browsing triggers ZTNA tunnel between the FortiClient and FortiPAM server.

The FortiPAM chrome extension may have compatibility issues for some specific login pages and cannot fill in the user name and password.

To avoid DoS attacks, multiple secret launching from the same user within 1 second is blocked.

For each secret launcher; name, type, file launcher, client software, executable, parameter, and references are displayed.

The following default launchers are available in FortiPAM:

MySQL CLI: A MYSQL CLI launcher for mysql.exe.
Microsoft SQL CLI: A MSSQL CLI launcher for sqlcmd.exe.
MySQL Shell: A MYSQL CLI launcher for mysqlsh.exe.

PostgreSQL CLI: A MYSQL CLI launcher for mysqlsh.exe.

PostgreSQL CLI default launcher is connected to postgres by default.

To switch the database:

use \l to see the full list of all the available database.
Use \c \<dbname\> to change to the desired database.

Only the non-proxy mode is supported for database related CLI launchers.

PuTTY: A basic SSH client using PuTTY.
Remote Desktop- Windows: A basic RDP client using remote desktop.
SSH CLI: An SSH CLI launcher for ssh.exe.
SecureCRT: An SSH Client using SecureCRT.

TightVNC: A basic VNC client using TightVNC.

The TightVNC client does not support connecting to a macOS server in non-proxy mode.

VNC Viewer: A basic VNC client using VNC Viewer.

Web Launcher: A basic web launcher using Fortinet’s FortiClient web extension.

Web Launcher is unavailable to users with only View permission, as the password can be retrieved using browser dev tools.

Web Launcher is only available to users with Edit or Owner permission.

For information on setting up folder and secret permissions, see Creating a folder or Creating a secret.

Web RDP: A basic browser based RDP launcher.
Web SFTP: A basic browser based SFTP web launcher.
Web SMB: A basic browser based SMB web launcher.

Web SSH: A basic browser based SSH web launcher.

To copy and paste in the Web SSH console, select the text and then use Ctrl+ Shift + v.

Web VNC: A basic browser based VNC web launcher.
WinSCP: A basic WinSCP client using SSH.
FortiClient Web extension FortiClient Web Launcher
RDP over Web RDP over Web Launcher
SSH over Web SSH over Web Launcher
VNC over Web VNC over Web Launcher
SMB over Web SMB over Web Launcher
SFTP over Web SFTP over Web Launcher

The following launchers should not be used for customized launcher:

FortiClient Web extension FortiClient Web Launcher
RDP over Web RDP over Web Launcher
SSH over Web SSH over Web Launcher
VNC over Web VNC over Web Launcher
SMB over Web SMB over Web Launcher
SFTP over Web SFTP over Web Launcher

These launchers will be removed in a future FortiPAM version.

Chrome, Edge, and Firefox are the supported browsers.

Starting FortiPAM 1.1.0, only the Client Software toggle/dropdown of a default secret launcher can be modified.

Web SSH, Web RDP, Web VNC, Web SFTP, and Web SMB default launchers always work in proxy mode irrespective of the Proxy Mode setting.

PuTTY and WinSCP launchers are not supported when the secret is in non-proxy mode, and the secret uses an SSH key for authentication.

TightVNC launcher is not supported when the secret is in non-proxy mode and requires a username for authentication.

In proxy mode, the following launchers are available to all users:

Web SSH
Web RDP
Web VNC
Web SFTP
Web SMB
Web Launcher
PuTTY
WinSCP
RDP
VNC Viewer
TightVNC

In non-proxy mode, the following launchers are available to all users:

Web SSH (always in proxy mode)
Web RDP (always in proxy mode)
Web VNC (always in proxy mode)
Web SFTP (always in proxy mode)
Web SMB (always in proxy mode)

In non-proxy mode, the following launchers are only available to users with the permission to view secret password:

PuTTY
WinSCP
RDP
VNC Viewer
TightVNC

The Launchers tab contains the following options:

Create	Select to create a new launcher.Creating a launcher.
Edit	Select to edit the selected launcher.
Delete	Select to delete the selected launchers.
Clone	Select to clone the selected launcher.
Search	Enter a search term in the search field, then hit `Enter` to search the launchers list. To narrow down your search, see Column filter.