Administration Guide

FortiPAM 1.3.0

The following list contains new and expanded features added in FortiPAM 1.3.0.

985657- FortiPAM distributed architecture

FortiPAM now supports network gateways for distributed target deployment.

FortiPAM allows configuring a gateway, e.g., a FortiPAM, a FortiGate, or a FortiProxy device, when a target is not reachable directly from FortiPAM to proxy the connection to the target.

You can now add a gateway when configuring a target.

You can also add the gateway to a secret.

See:

For troubleshooting, see Troubleshooting network gateways.

968457- Display 2FA status

FortiPAM now displays the 2FA status for a user in the Two-factor Authentication column in User Management > User List. See User list.

913565, 927433- Automated remote user provisioning

Before FortiPAM 1.3.0, all FortiPAM users were created manually by the administrator. Starting with FortiPAM 1.3.0, FortiPAM allows you to automatically sync users based on group membership, regardless of the authentication protocol (LDAP, RADIUS, or SAML).

You can define a remote user auto provision rule in User Management > Auto Provision Rules.

Based on the predefined auto provision rules, remote users can be auto provisioned upon their first successful login without requiring the manual creation of a user in the system prior to login.

The auto provision rule includes information about the remote user group and users' role (access profile) on auto provision. The type of role depends on the user's group membership.

Based on the group, FortiPAM decides if the user can log in to FortiPAM and the type of permission the user is granted. Once the user logs in, the user is automatically created and listed in User Management > User List.

A new Created By column in User List tells you if the user was manually created or auto provisioned.

See User list.

See Auto provision rules.

To set up an auto provisioning rule using the CLI, see Setting up remote user auto provisioning using the CLI.

925187- Display ZTNA launch control inheritance settings for folders

When configuring permissions for a subfolder, in the Permission tab, with Inherit ZTNA Control enabled, ZTNA control settings from the parent folder are displayed. See Creating a folder.

883603- vTPM support for FortiPAM on GCP

FortiPAM supports vTPM on GCP. See Appendix K: Installation on GCP.

961527- Logs extracted as JSON and CSV file

FortiPAM allows you to extract log files in JSON and CSV formats in addition to exporting logs as text files.

A new Export dropdown is available in the following locations in Log & Report:

  • All the tabs in Secret

  • The Details tab in Events

  • ZTNA tab

  • SSH tab

  • Antivirus tab

  • Data Leak Prevention tab

See:

913157, 959127- New Web Telnet launcher

A new Web Telnet secret launcher is available. See Launchers.

957808- Password only viewable to the user checking out a secret

To ensure accountability, a secret password is only visible to the user with Edit or Owner permission for the secret the user is checking out.

Note that this is only valid when Requires Checkout is enabled in the Secret Setting pane when configuring the secret.

See Check out and check in a secret.

839929- Import remote LDAP users

To conveniently import LDAP users in bulk on FortiPAM, a new Import option is available in User Management > User List.

See Importing LDAP users.

878661- New remote server option when creating a remote user

When configuring a remote user, you are no longer required to select a remote user group in the User Type pane. Instead, if the remote user does not belong to a remote user group, you can select the remote server where the user resides in the Choose a Remote Group where these users can be found or a Remote Server dropdown in the User Type pane.

See Creating a user.

963099- Customizing replacement messages

A new Replacement Messages tab is available in System for customizing replacement messages for FortiPAM.

See:

975901, 963740- User deletion enhancements

You can delete users directly without deleting the references first.

If the deleted user is the sole owner of resources outside the personal folder (e.g., secrets or folders in the public folder, targets, templates, user groups, or approved requests), you can select a user who takes ownership of those resources once the original owner is deleted.

See User list.

A sponsor admin can delete members within its sponsored group.

See Sponsored groups.

964873- Approver minimum permission

A new Minimum Permission dropdown is available when creating an approval profile in Secret Settings > Approval Profile.

You can set up the minimum secret permission required by the approver to view/approve/deny the secret request.

See Create an approval profile.

920066- Approver group email notification for access requests

A new Remote Group Email option is available when creating an approval profile in Secret Settings > Approval Profile.

The option appears when you select at least one remote user group in Approver Groups when creating or editing an approval profile in Secret Settings > Approval Profile.

Enabling Remote Group Email ensures that members of an approver group receive email notification when an access request is sent for a secret where Requires Approval to Launch Secret is enabled and an approval profile is selected with at least one remote user group as an approver.

When Remote Group Email is enabled, a new Trust Time field appears. The Trust Time field controls how frequently the remote user needs to log in to FortiPAM to receive the approver email notification.

For example, when Trust Time is 5, a remote user belonging to the remote user group selected in Approver Groups must have logged in to FortiPAM at least once within five days from the access request creation time to receive the approver email notification.

See Create an approval profile.
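The Trust Time rule above, worked through on constructed data as an added example (not FortiPAM's own code): members of a remote approver group whose last FortiPAM login is older than Trust Time days, who have never logged in, or whose login postdates the request are not notified. The exact window semantics are an assumption made here, not taken from the vendor documentation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: remote approver group members and their last FortiPAM
# login. None means the remote user has never logged in to FortiPAM.
APPROVER_GROUP_MEMBERS = {
    "alice@example.com": datetime(2024, 5, 8, 9, 0, tzinfo=timezone.utc),
    "bob@example.com": datetime(2024, 5, 1, 17, 30, tzinfo=timezone.utc),
    "carol@example.com": None,
    "dave@example.com": datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc),
}

# Constructed: the moment the secret access request was created.
REQUEST_CREATED_AT = datetime(2024, 5, 9, 10, 0, tzinfo=timezone.utc)


def trusted_recipients(members, request_created_at, trust_time_days):
    """Return the approver group members who receive the approver email.

    Assumed semantics (hypothetical, not from the vendor docs): a remote user
    is notified only if their last login falls inside the window that ends at
    the request creation time and starts trust_time_days earlier. Logins after
    the request was created cannot count because the email is sent at creation
    time, and users with no login record are skipped entirely.
    """
    window_start = request_created_at - timedelta(days=trust_time_days)
    recipients = []
    for email, last_login in members.items():
        if last_login is None:
            continue  # never logged in, so FortiPAM has no record to notify
        if window_start <= last_login <= request_created_at:
            recipients.append(email)
    return sorted(recipients)


if __name__ == "__main__":
    # Trust Time 5: only alice logged in within the five days before the request.
    print(trusted_recipients(APPROVER_GROUP_MEMBERS, REQUEST_CREATED_AT, 5))
    # Trust Time 10: bob's login on May 1 now also falls inside the window.
    print(trusted_recipients(APPROVER_GROUP_MEMBERS, REQUEST_CREATED_AT, 10))
```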

993481- Sync sender name across all emails

A new Sender field is available in the Email Service pane in System > Settings.

The Sender email address is the email address used to send emails.

See Settings and How FortiPAM chooses the sender email address.

942734- Log and video disk encryption

FortiPAM supports disk encryption to protect logs and videos.

A new Disk Encryption option is available in Log & Report > Log Settings.

See Log settings.

964619- Immediate secret access on approval

When creating a secret access request in Secrets > My Requests List or directly from a secret in Secrets > Secret List, you can enable the Start Upon Approval option.

Enabling the Start Upon Approval option ensures that you can launch the secret once it is approved.

When Start Upon Approval is enabled, you see a new Duration option instead of the Request Duration option.

In the Duration option, specify the duration of time you need the secret access for (in minutes).

Note that the approver can still override when you get access to the secret and the duration of time you have access to the secret.

See Make a request.

954620, 997420- Adjust the timezone for the secret access requestor and approver

When creating a secret access request in Secrets > My Request List, FortiPAM shows the local time of the requestor in the New secret request window.

When approving/denying a secret access request in Secrets > Approval List, time according to the approver's timezone is displayed by default in the Approving secret request window.

By clicking the Enable Requestor Timezone option, you can enable the requestor's timezone and display the requestor's local time in the Approving secret request window.

A new Enable/Disable Requestor Timezone option and a Timezone column are available in Secrets > Approval List.

See:

877089- Secret list displays secret creation time

Secret List in Secrets includes a new Creation Time column that displays when a secret was created.

See Secret list.

955024- Customize Email template for secret request

FortiPAM allows you to customize email templates for secret requests in Secret Settings > Approval Email Template.

See Approval email template.

When creating a new approval profile in Secret Settings > Approval Profile, you can assign a customized email template to the approval profile using the new Customized Email Template option.

See Create an approval profile.

950516- RDP auto token for FortiAuthenticator

FortiPAM supports RDP 2FA auto delivery when the FortiAuthenticator agent is running on remote Windows.

A new RDP Auto TOTP option is available when RDP Service is enabled and the RDP Security Level is TLS in the Service Setting tab when creating or editing a secret in Secrets > Secret List.

See Creating a secret.

A new RDP Auto TOTP option is available when the RDP Security Level is TLS when creating or editing a secret policy in Secret Settings > Policies.

See Creating a policy.

840054- Auto discovery of secrets

FortiPAM scans an environment to find accounts and other associated resources. Once the accounts and the resources are found, they can be automatically imported to FortiPAM for centralized management.

See Discovery.

A new Secret Discovery option is available in the Secret tab when creating or editing a Role in User Management > Role.

See Role.

893740- Increased secret capacity

FortiPAM can now support setting up a maximum of 50000 secrets in FortiPAM 1000G and up to 100000 in FortiPAM 3000G and the VM platform.

919801- Updating service account credentials

If a service running on a machine relies on a credential managed by FortiPAM, the dependency updater feature can update the service credential immediately after FortiPAM changes the credential, so that the service does not fail during authentication.

A new Dependency Updater tab is available in Secret Settings.

See Dependency updater.

See Updating a service account credential Example.

A new Dependency tab is available when creating or editing a secret.

It allows you to assign the secret to a target where the service defined in the selected dependency updater runs.

See Creating a secret.

For information on service accounts, see Service accounts.

987061- Updated secret logs and active sessions GUI

In Log & Report > Secret:

  • A new Service Account page is available where you can view logs related to service accounts.

    See Service Account.

  • In the Secrets and the Password Changers pages, the following new columns are available:

    • Secret Address

    • Gateway

    Note that what the Destination IP column represents has changed. It is now the next hop IP address:

    • If the next hop is FortiPAM, this is the IP address of FortiPAM.

    • If the next hop is the actual target server, this is the IP address of the actual target server.

    • If the next hop is a gateway, this is the IP address of the gateway.

    See Secret.

In Monitoring > Active Sessions:

  • The following new columns are available:

    • Gateway

    • Gateway Port

    • Gateway Name

See Active sessions.
