Administration Guide

FortiPAM 1.2.0

The following list contains new and expanded features added in FortiPAM 1.2.0.

883168- Display secret last launch time

FortiPAM displays the secret last launch time in Secret > Secret List in the new Last Launch Time column. See Secret list.

934741, 925399, 913558- Sponsored groups

Super administrators can now create sponsored groups in User Management > Sponsored Groups.

In addition, there is now a sponsor admin role. Sponsor admins are assigned to a sponsored group, and they can only access logs for their specific secrets. The role includes creating, editing, and disabling users within the assigned sponsored group. The super administrator defines the maximum number of users for each sponsored group.

Multiple sponsor admins can be assigned to a single sponsored group.

See Sponsored groups and Creating a user.

893189, 954666- Secret targets now created separately and must include a classification tag

Secret targets are now created separately from secrets and secret templates. Each target can be assigned to multiple secrets, as needed.

Classification tags must be added to each target, classifying the target according to your needs.

See Creating a target and Creating a classification tag.

When creating or editing a role in User Management > Role:

  • You can now enable/disable editing secret targets in Secrets using the Edit Secret Target option in the Secret tab.

  • You can now enable/disable editing the Classification Tag page in Secret Settings using the Edit Classification Tag option in the Secret tab.

See Role.

890566- Regular expressions supported for the expect string in password changing procedures

When creating or editing a password changing procedure, set the Type to Expect. You can now select the method to interpret the expect string.

For the Interpretation, you can select one of the following:

  • Plain: Interpret the expect string as a plain command.

  • Regex: Interpret the expect string as a regular expression. For example, if the response is "Current password:", then "Current", "password", and "rent" all match.

See Creating a password changer.
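The unanchored matching described for the Regex interpretation means a short expect string can accept more than one prompt, and a prompt containing metacharacters behaves differently under Plain and Regex. The following is an added example, not FortiPAM code, that audits expect strings against a set of prompts. Assumptions: Python's `re` stands in for FortiPAM's regex engine (the page does not name its flavour), Plain is modelled as a literal substring test, and the prompts and the helper names `audit` and `anchored` are constructed for illustration.

```python
import re

# Constructed sample prompts from a password-change dialogue (not FortiPAM output).
PROMPTS = [
    "(current) UNIX password:",
    "Current password:",
    "New password:",
    "Retype new password:",
]


def matches(expect, response, interpretation):
    """Return True if the response satisfies the expect string.

    Assumption: Plain is a literal substring test and Regex is an unanchored
    search, which agrees with the "rent" example given on this page.
    """
    if interpretation == "plain":
        return expect in response
    if interpretation == "regex":
        return re.search(expect, response) is not None
    raise ValueError("interpretation must be 'plain' or 'regex'")


def accepted_prompts(expect, interpretation, prompts=PROMPTS):
    """List every prompt that the expect string would accept."""
    return [p for p in prompts if matches(expect, p, interpretation)]


def audit(expect, interpretation, intended, prompts=PROMPTS):
    """Classify an expect string against the prompt it is meant to catch.

    ok            - accepts the intended prompt and nothing else
    ambiguous     - accepts the intended prompt and at least one other
    no-match      - does not accept the intended prompt at all
    invalid-regex - cannot be compiled as a regular expression
    """
    try:
        hits = accepted_prompts(expect, interpretation, prompts)
    except re.error:
        return "invalid-regex"
    if intended not in hits:
        return "no-match"
    return "ok" if hits == [intended] else "ambiguous"


def anchored(prompt):
    """Build a regex for exactly this prompt: escape metacharacters,
    anchor both ends, and tolerate trailing whitespace."""
    return "^" + re.escape(prompt) + r"\s*$"


if __name__ == "__main__":
    cases = [
        ("rent", "regex", "Current password:"),
        ("password", "regex", "Current password:"),
        ("(current) UNIX password:", "plain", "(current) UNIX password:"),
        ("(current) UNIX password:", "regex", "(current) UNIX password:"),
        (anchored("Current password:"), "regex", "Current password:"),
        ("password[", "regex", "Current password:"),
    ]
    for expect, mode, intended in cases:
        print(f"{mode:5} {expect!r:38} -> {audit(expect, mode, intended)}")
```

A prompt pasted unchanged from a Plain procedure into a Regex one can stop matching (the parentheses become a group), while a short fragment can match a later prompt in the same dialogue; escaping and anchoring the expect string avoids both.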

923627- New AntiVirus and DLP profile control in Role

When creating or editing a role in User Management > Role:

  • You can now set access levels for the AntiVirus page in Secret Settings and the AntiVirus settings in the FortiGuard License page in System using the Antivirus option in the System & Network tab.

  • You can also set access levels for the Data Leak Prevention and the DLP File Pattern pages in Secret Settings using the Data Leak Prevention option in the System & Network tab.

See Role.

897591, 934000, 967356, 796667- New launchers and template supported

FortiPAM now includes the following four new secret launchers:

  • HeidiSQL

  • SSMS (Microsoft SQL Server Management Studio)

  • MobaXterm

  • Xshell

See Launchers.

FortiPAM now includes the following two new secret templates:

  • HeidiSQL

  • ESXi Web

See Templates.

Also, FortiPAM now offers a new ESXi Web password changer. See Password changers.

885005- Favorite secrets related updates

To improve the user experience:

  • Favorite secrets now appear on a new page instead of being listed in the tree menu on the left.

  • You can now add/remove multiple secrets to/from the favorite list by selecting the secrets, right-clicking on any of the selected secrets, and then selecting either Add/Remove Favorite.

  • By selecting a secret from the Favorite Secrets page, you can now (depending on how the secret is configured):

    • Launch the secret

    • Make a request to launch the secret/perform an automated task (job)

    • Check-out/check-in the secret

    • Edit

    • Remove the secret from the favorite list.

900367- Event filter profile

FortiPAM can retrieve specific logs for events that occurred during an RDP session from a target.

You can now create new event filter profiles in Secret Settings > Event Filter Profile.

See Event filter profile.

When creating or editing a secret policy, a new RDP Event Filter Status dropdown is available. Once enabled, you can enforce a particular event filter profile on the secret that resides in a folder where the policy applies.

See Creating a policy.

When creating or editing a secret, a new RDP Event Filter option is available in the Service Setting tab, given that RDP Service is enabled. Enabling the RDP Event filter option allows you to then select and apply an event filter profile to the secret from the RDP Event Filter Profile dropdown.

Note that if RDP Event Filter Status is set as Enable or Disable in the secret policy, the RDP Event Filter option cannot be changed when configuring a secret that resides in a folder where this policy applies.

You can set the RDP Event Filter option from within a secret only when RDP Event Filter Status is set to Not Set in the secret policy.

See Creating a secret.

Further, you can now set access levels for the Event Filter Profile page in Secret Settings using the Event Filter Profile option in the Secret tab when you create or edit a role in User Management > Role.

See Role.

929608- Stackable seat license for hardware models

For FortiPAM 1000G and 3000G hardware models, you can update the licensed seat using the provided key if you purchase a new stackable seat license with additional seats from FortiCare. See Stackable seat license for hardware models.

930016- System settings GUI reorganization

System > Settings has been reorganized:

  • The PAM Settings pane, previously available in the General tab, is now available in the Advanced tab.

    • A new Live Recording option in the PAM Settings pane.

  • User Password Policy, View Settings, and Email Service, previously available in the Advanced tab, are now available in the General tab.

  • A new Other General Settings pane in the General tab contains the following settings previously available in the PAM Settings pane:

    • Login Disclaimer

    • GUI Session Timeout

    • Idle in/Force logout in

See Settings.

883603- FortiPAM on Google Cloud Platform (GCP)

FortiPAM now supports GCP virtualization software.

For information on installing FortiPAM on GCP, see Appendix K: Installation on GCP.

937021- Setting up the minimum SSL/TLS version and port number for LDAPS password changer/verification

For LDAPS password changer and verification, the minimum SSL/TLS version and the target server port number used by LDAPS can be set using the following CLI commands, provided the secret has an associated target:

config secret target
 edit target_name
  set ldaps-min-ssl-version {default | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3}
  set ldaps-port <integer>
 next
end

See Password changers.

897302- Button to generate a password for the secret

When creating a secret that requires a password, FortiPAM now offers a new Generate button to automatically generate a password for the secret following the password policy as set in Password policies.

See Creating a secret.

860133- Bypass SSH command filter

Secret owners can now bypass the SSH command filter if the secret uses an SSH command filter. Secret owners can send otherwise prohibited commands (listed in the command filter profile) to targets.

The following new options are available in FortiPAM:

  • When creating or editing a secret policy, a new Bypass For Owner option is available when SSH Filter is enabled.

  • When creating or editing a secret, a new Bypass for Owner option is available when SSH Service and the SSH Filter options are enabled in the Service Setting tab.

Note that if SSH Filter is set as Enable or Disable in the secret policy, the SSH Filter option cannot be changed when configuring a secret that resides in a folder where this policy applies.

You can set the Bypass For Owner option from within a secret only when SSH Filter is set to Not Set in the secret policy.

See Creating a secret and Creating a policy.

943653- Display user location

FortiPAM displays the user location in Monitoring > User Monitor in the new Location column. See User monitor.

In Monitoring > Active Sessions, where the launched secret activities are displayed, FortiPAM now also displays the location from where the secret was launched in the new Source Location column.

Additionally, in Monitoring > Active Sessions:

The following new columns have been added:

  • Token ID

  • Username: Previously available as a widget on the top.

The End Session(s) button has been renamed to Disconnect, and the button is only available when you select a secret session.

See Active sessions.

923465- Customizing the report layout via GUI

You can now customize reports in the FortiPAM GUI by going to Log & Report > Reports, selecting General, and then going to the Layout & Schedule tab. See Layout & schedule.

Note that the Reports tab in Log & Report has been reorganized:

  • New General and Secret Audit pages.

  • The General page contains the following tabs:

    • Reports: Display/generate audit reports to comply with audit requirements.

    • Layout & Schedule: Allows customization of reports and schedule generation of reports.

    See Reports.

914109- Secret access audit report

You can now generate secret access audit reports by going to Log & Report > Reports and selecting Secret Audit. See Secret audit.

945474- User group permission

When creating or editing a user group in User Management > User Groups, a new Permission tab allows you to set up access control for the user group.

Note that when creating or editing a user group in User Management > User Groups, a new General tab contains all the general settings. See User groups.

904163- FortiPAM on Amazon Web Services (AWS)

FortiPAM now supports AWS virtualization software.

For information on installing FortiPAM on AWS, see Appendix J: Installation on AWS.

865796, 807856- Display logs stored on a FortiAnalyzer

When setting up FortiAnalyzer as the remote logging server in Network > Fabric Connectors, the following new option is available:

  • The previously available non-editable Upload option has been replaced with a new Upload option that allows you to upload logs to FortiAnalyzer:

    • In real time

    • Every minute

    • Every 5 minutes

    • More

See FortiAnalyzer logging.

Logs stored on FortiAnalyzer can be viewed in Log & Report by selecting FortiAnalyzer as the source from the top-right.

Also, a new filter/time frame dropdown is available for the following tabs in Log & Report to filter logs by time:

  • All the tabs in Secret

  • Details in Events

  • ZTNA

  • SSH

  • Antivirus

  • Data Leak Prevention

See Log & report.

Note that secret videos recorded in HA are not available from FortiAnalyzer. See High availability.

876120, 948636, 951448- Web proxy for FortiPAM browser extensions

When accessing a target using the FortiPAM browser extension, the browser extension now sends the browser requests through the FortiPAM web proxy. This enhances security by not delivering credential information to the client.

FortiPAM now offers a new web proxy feature to dynamically operate on the web browser tab's PAC rule (on Google Chrome and Microsoft Edge) to successfully proxy the traffic to FortiPAM based on the configured domain. On Mozilla Firefox, FortiPAM sends the request to the web proxy instead.

Fortinet Privileged Access Agent 7.2.3 (browser extension) or above is required to support the web proxy feature.

FortiPAM scans the incoming web traffic and can replace the password.

The web proxy feature is supported on both extension-only deployments and extension with FortiClient deployments.

To enable the web proxy feature, you must first enable the feature globally for the interface that handles incoming and outgoing traffic using the following CLI commands:

config system interface
 edit "port1"
  set explicit-web-proxy enable #must be enabled
 next
end

Alternatively, you can enable the feature by enabling Explicit web proxy for the interface that handles incoming and outgoing traffic. See Creating an interface.

When creating or editing a target in Secrets > Target List, given that the Default Template is ESXi Web or a custom template with the URL field and the URL field is filled in, the Web Proxy option can be enabled for the secret target from the Advanced Web Setting pane. See Creating a target.

When creating or editing a secret in Secrets > Secret List, a new Web Proxy option is available in the Secret Setting pane if you enable and select a target for this secret that has Web Proxy set up.

Notes:

  • The Web Proxy option is inherited from the secret target.

  • When you edit the Web Proxy option, you are editing the Web Proxy option available from within the associated secret target.

See Creating a secret.

For information on how the web proxy feature works, see Web proxy.

912421- Display the last failed login time in the disclaimer

FortiPAM now displays the last failed login time in the disclaimer. See Settings.

963856- New description column for secrets list

FortiPAM now displays a new Description column in Secrets > Secret List.

Note that the new Description column is not visible by default.

To display the new Description column, select the Configure Table icon as you click the header for the left-most column, select Description, and then click Apply.

See Secret list.

958573, 960219- Deauthenticate a user and disconnect secret sessions

In Monitoring > User Monitor, the following new options are available in the Terminate dropdown when you select a user:

  • Deauthenticate User

  • Disconnect Launched Sessions

  • Deauthenticate & Disconnect

See User monitor.

In Monitoring > Active Sessions, you can terminate an active session by clicking Disconnect the current secret session as you live stream the session. See Active sessions.

951931- New CA certificate download button

When you attempt to access a website using the web proxy feature, you may receive a warning about untrusted hosts on the web browser. To resolve this issue, you must download and install a CA certificate signed by FortiPAM.

When creating a secret with Web Proxy enabled, a new Download CA Certificate button on the top-right allows you to download the CA certificate.

Also, when there are multiple certificates that you need to install, a new Download All CA Certificates button is available instead.

When downloading multiple certificates, they are made available as a zip file named CA-Certificates.zip.

See Creating a secret.

802577- Concurrent logins for a user

A concurrent session occurs when multiple users access FortiPAM using the same account from different locations or web browsers.

You can allow concurrent login sessions for a user account by enabling the new Concurrent Log-on option in the General tab in System > Settings.

By default, the new Concurrent Log-on option is disabled.

See Settings.

949813- View secret log from the Secret Details page

For FortiPAM users without administrative privileges, such as a Sponsor Admin who may want to check a specific secret's log and activity but does not have global log permission, FortiPAM now offers the following two new permissions when configuring a role in User Management > Role:

  • View Secret Log- The user can see the secret modification history, launch activity logs, and SSH filter logs (for SSH launcher) in the Secret Details page when editing/viewing a secret in Secrets > Secret List.

    The following new tabs are available when editing/viewing a secret:

    • Edit History

    • Activity

    • SSH Filter Log

  • View Secret Video- The user can view the secret launching video.

Notes:

  • The Sponsor Admin user has View Secret Log and View Secret Video permissions by default.

  • You must have at least View permission for the secret to see the new Edit History, Activity, and SSH Filter Log tabs.

See:

850496- Over-the-shoulder monitoring

FortiPAM now allows administrators to monitor the user session and actions in real-time.

Prerequisites:
  • Fortinet Privileged Access Agent 7.2.3 or above is required to support over-the-shoulder monitoring.

  • When you launch a secret with Session Recording enabled, and given that Live Recording is enabled in the Advanced tab in System > Settings, you can monitor the user session in real-time.

You can terminate an active session by clicking Disconnect the current secret session as you live stream the session.

See Active sessions and Over-the-shoulder monitoring (Live recording).
