FortiPAM 1.5 Administrator Study Guide

Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiPAM Administrator
Study Guide
FortiPAM 1.5
Fortinet Training Institute - Library
https://training.fortinet.com

Fortinet Product Documentation
https://docs.fortinet.com

Fortinet Knowledge Base
https://kb.fortinet.com

Fortinet Fuse User Community
https://fusecommunity.fortinet.com/home

Fortinet Forums
https://forum.fortinet.com

Fortinet Product Support
https://support.fortinet.com

FortiGuard Labs
https://www.fortiguard.com

Fortinet Training Program Information
https://www.fortinet.com/nse-training

Fortinet | Pearson VUE
https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)
https://helpdesk.training.fortinet.com/support/home

4/27/2025

TABLE OF CONTENTS

01 Introduction to FortiPAM 4
02 System Configuration 32
03 Users and Roles 61
04 Secrets Management 88
05 ZTNA Access Control 125
06 Monitoring and Reporting 144
Introduction to FortiPAM

In this lesson, you will learn about FortiPAM key features, components and use cases.

FortiPAM 1.5 Administrator Study Guide 4



In this lesson, you will learn about the topics shown on this slide.


After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of FortiPAM features and use cases, you will be able to explain
its importance in safeguarding privileged access within your organization.


PAM is a cybersecurity solution designed to control, monitor, and secure access to critical systems,
applications, and sensitive data. It focuses on managing and protecting the credentials of privileged accounts
because these accounts typically have elevated permissions.

The three main functions of PAM include:

• Manage privileged access to ensure only authorized users can access sensitive or critical systems. This is
often enforced through role-based access control (RBAC) and may require additional administrator
approval.
• Manage privileged credentials by storing them securely and, optionally, creating and rotating them
automatically. Privileged users do not have direct access to these credentials.
• Monitor and record sessions in real time and as part of later audits. This includes the ability to terminate
sessions manually, or after a specified time.

A PAM solution functions similarly to a bastion host. Authorized users first connect to the PAM system, and
after authentication, they can securely access the sensitive systems for which they have been granted
permissions.

A typical PAM system supports several access protocols, including Remote Desktop Protocol (RDP) and SSH,
among others.


Privileged access refers to the elevated or special permissions granted to specific accounts, users, or
systems that allow them to access sensitive resources, perform administrative tasks, or make critical changes
to IT environments.

Any system account with elevated permissions and access rights compared to standard accounts is
considered a privileged account. Examples include Windows administrator accounts, Linux root accounts, and
service accounts with special privileges.

Users with access to privileged accounts are classified as privileged users.

Privileged accounts and users are frequent targets for cybercriminals because these accounts can provide
attackers with access to critical systems and sensitive data. A breach of these accounts can have severe
consequences, including data leaks, service disruptions, financial losses, and reputational damage. Many
recently reported cyberattacks have one or more compromised privileged accounts at their root cause.

You can use a PAM solution to tackle the risks associated with privileged accounts.


Fortinet offers FortiPAM as its PAM solution. FortiPAM delivers all the essential PAM functionality along with
several additional features.

You can deploy FortiPAM as a stand-alone product. However, you should integrate it with other Fortinet
products to take advantage of additional, very powerful features.

Built on FortiOS and FortiProxy platforms, FortiPAM is available as both a hardware device and a VM. The
VM option is compatible with most private and public cloud platforms, providing deployment flexibility.

With a separate license, FortiPAM can also operate as part of an active-passive high availability (HA) cluster
with up to three nodes, ensuring reliability and fault tolerance.

You can manage FortiPAM through an intuitive GUI or a CLI. You can access the GUI through a virtual IP
(VIP) configured by default on port1.

To enhance security, FortiPAM includes advanced malware protection. This protection consists of antivirus
scanning and data loss prevention (DLP) and is included with the FortiPAM VM license. The hardware device
requires a separate license for these features.


This slide shows some use cases that justify a FortiPAM implementation in an organization.

FortiPAM access control features reduce the risk of attacks on critical systems, regardless of whether those
attacks originate inside or outside the organization. FortiPAM can ensure that only authorized users reach
critical assets, limiting the risk of unauthorized actions, preventing external attackers from exploiting privileged
accounts, and reducing the likelihood of internal misuse by employees or contractors.

FortiPAM also allows for the secure authentication of external, remote employees, vendors, and contractors.
Adopting a least-privileged approach, external visitors can access only the resources explicitly configured by
the administrators.

FortiPAM enhances compliance and visibility by providing comprehensive tools for monitoring, auditing, and
reporting privileged access activities. Every session detail can be recorded and logged, including which
commands were executed and which applications were accessed, ensuring a full audit trail for privileged user
actions. This allows organizations to meet regulatory and cybersecurity insurance requirements.

The FortiPAM solution supports real-time monitoring of privileged sessions, allowing administrators to observe
user activities and terminate sessions if suspicious behavior is detected.


FortiPAM functionality can be divided into three categories:

1. Manage privileged account credentials: stores privileged credentials in a protected vault, with options for
automatic creation and periodic rotation to enhance security.
2. Control privileged user access: ensures that access to critical or sensitive systems is restricted to
approved users using role-based permissions.
3. Monitor privileged activity: allows you to review user activities during sessions in real time or as part of
audit logs. Administrators can end active sessions manually or set time limits, among other options.

These functions complement each other, allowing FortiPAM to deliver robust privileged account management,
enforce strict access control to sensitive assets, and provide an advanced platform for session monitoring and
management.

To accomplish these functions, a comprehensive set of tools and features is available, some of them unique
to FortiPAM, to ensure that access to the most critical assets in your organization is secure and fully auditable.

You will learn about several of these features in this course.


FortiPAM manages privileged account credentials by securely storing them in an encrypted vault, ensuring
they are protected from unauthorized access, and minimizing the risk of credential leaks. It automates critical
tasks such as credential creation, rotation, and retirement, reducing the risks associated with static or shared
credentials.

FortiPAM enables authorized users to manage critical systems without exposing the credentials or passwords
of those systems, and without storing sensitive data on their devices.

Additionally, FortiPAM can automatically update passwords for sensitive assets based on custom schedules.
FortiPAM also supports manual updates when needed.


FortiPAM allows administrators to control privileged user access by implementing the principle of least
privilege. This ensures that users can access only resources essential to their roles. Administrators can define
permissions and policies to provide granular control over user actions.

Privileged access to target systems is achieved through secrets, which can be checked out for exclusive use,
guaranteeing that only one user can manage a critical system at a time. Additionally, FortiPAM can enforce
hierarchical multilevel approvals to grant access, enhancing security and accountability.

Administrators can also apply restrictions to prevent specific commands or applications from executing during
a session, safeguarding sensitive systems.

FortiPAM also integrates zero trust network access (ZTNA) tag-based access control, offering an advanced
and adaptive approach to secure privileged access.
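The controls described in this lesson (role-based permission, additional administrator approval, exclusive secret checkout and hierarchical multilevel approval) can be modelled as a small state machine. The Python below is an added illustration written for this guide, not FortiPAM code: the vault, the users alice, bob and carol, the approver levels and the secret names are all constructed, and the checkout rules are a simplified reading of the slide text rather than FortiPAM's actual policy engine.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed toy model of the controls the lesson describes: least-privilege permissions,
# hierarchical approvals, exclusive checkout and an audit trail. This is NOT FortiPAM code;
# every user, approver, secret and rule below is made up for illustration.


class AccessDenied(Exception):
    """Raised when a request violates policy; the reason is also written to the audit log."""


@dataclass
class Secret:
    name: str
    approval_levels: int = 0           # approval levels required before checkout (0 = none)
    checked_out_by: str | None = None  # exclusive checkout: at most one holder at a time


@dataclass
class Vault:
    secrets: dict[str, Secret]
    permissions: dict[str, set[str]]   # user -> secret names the user's role permits
    approvers: dict[str, int]          # approver -> approval level (1 = first level)
    pending: dict[tuple[str, str], int] = field(default_factory=dict)  # (user, secret) -> levels granted
    audit: list[str] = field(default_factory=list)

    def _deny(self, reason: str) -> None:
        self.audit.append("DENY " + reason)
        raise AccessDenied(reason)

    def request(self, user: str, secret_name: str) -> None:
        """Least privilege: only a user whose role covers the secret may even open a request."""
        if secret_name not in self.permissions.get(user, set()):
            self._deny(f"{user} is not authorised for {secret_name}")
        self.pending[(user, secret_name)] = 0
        self.audit.append(f"REQUEST {user} {secret_name}")

    def approve(self, approver: str, user: str, secret_name: str) -> None:
        """Hierarchical approval: level n may approve only after levels 1..n-1 have."""
        key = (user, secret_name)
        if key not in self.pending:
            self._deny(f"no pending request by {user} for {secret_name}")
        level = self.approvers.get(approver)
        if level is None:
            self._deny(f"{approver} is not an approver")
        expected = self.pending[key] + 1
        if level != expected:
            self._deny(f"{approver} is level {level}; level {expected} must approve first")
        self.pending[key] = level
        self.audit.append(f"APPROVE level {level} by {approver} for {user}/{secret_name}")

    def checkout(self, user: str, secret_name: str) -> None:
        """Exclusive checkout: needs every approval level and no other current holder."""
        key = (user, secret_name)
        secret = self.secrets[secret_name]
        if key not in self.pending:
            self._deny(f"{user} has no approved request for {secret_name}")
        if self.pending[key] < secret.approval_levels:
            self._deny(f"{secret_name} needs {secret.approval_levels} approvals, {self.pending[key]} granted")
        if secret.checked_out_by not in (None, user):
            self._deny(f"{secret_name} is checked out by {secret.checked_out_by}")
        secret.checked_out_by = user
        del self.pending[key]
        self.audit.append(f"CHECKOUT {user} {secret_name}")

    def checkin(self, user: str, secret_name: str) -> None:
        """Releasing the secret lets the next approved user check it out."""
        secret = self.secrets[secret_name]
        if secret.checked_out_by != user:
            self._deny(f"{user} does not hold {secret_name}")
        secret.checked_out_by = None
        self.audit.append(f"CHECKIN {user} {secret_name}")


def attempt(action, *args) -> str:
    """Run one operation and report 'ok' or the denial reason instead of raising."""
    try:
        action(*args)
        return "ok"
    except AccessDenied as exc:
        return f"denied: {exc}"


def demo() -> dict:
    """Constructed scenario: two approval levels on db-root, two users competing for it."""
    vault = Vault(
        secrets={"db-root": Secret("db-root", approval_levels=2), "web-admin": Secret("web-admin")},
        permissions={"alice": {"db-root", "web-admin"}, "bob": {"db-root"}},  # carol has no role here
        approvers={"team-lead": 1, "ciso": 2},
    )
    out = {}
    out["alice_request"] = attempt(vault.request, "alice", "db-root")
    out["carol_request"] = attempt(vault.request, "carol", "db-root")      # not authorised
    out["ciso_first"] = attempt(vault.approve, "ciso", "alice", "db-root")  # level 2 before level 1
    out["lead_approve"] = attempt(vault.approve, "team-lead", "alice", "db-root")
    out["early_checkout"] = attempt(vault.checkout, "alice", "db-root")     # only 1 of 2 approvals
    out["ciso_approve"] = attempt(vault.approve, "ciso", "alice", "db-root")
    out["alice_checkout"] = attempt(vault.checkout, "alice", "db-root")
    vault.request("bob", "db-root")
    vault.approve("team-lead", "bob", "db-root")
    vault.approve("ciso", "bob", "db-root")
    out["bob_checkout"] = attempt(vault.checkout, "bob", "db-root")         # alice still holds it
    out["alice_checkin"] = attempt(vault.checkin, "alice", "db-root")
    out["bob_retry"] = attempt(vault.checkout, "bob", "db-root")
    out["holder"] = vault.secrets["db-root"].checked_out_by
    out["audit"] = list(vault.audit)
    return out
```

Every denial is written to the audit list alongside the successful operations, which is the property the lesson's "fully auditable" wording relies on: a reviewer can reconstruct who asked, who approved at which level, and why a checkout was refused.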


FortiPAM provides comprehensive monitoring and logging of user sessions, ensuring detailed tracking of
privileged access activities. It includes powerful reporting features and can record all user activities during a
session, offering complete visibility into the actions performed.

When fully licensed, the FortiPAM built-in antivirus and DLP engines monitor file transfers to prevent data leaks
and potential threats. FortiPAM can also send alerts whenever a security event is detected, enabling timely
responses to potential risks. Furthermore, FortiPAM supports live video recording of sessions, adding an extra
layer of oversight and security.


Good job! You now understand FortiPAM features and use cases.

Now, you will learn about FortiPAM components and licensing.


After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of the key components of FortiPAM and FortiPAM licensing,
you can start planning your FortiPAM implementation.


You must configure the following FortiPAM key components to allow privileged users to access critical systems:

• Users are the local or remote accounts that administrators and privileged users use to log in to FortiPAM.
They can be assigned to specific roles according to their required access level. For example, the standard user
role can perform management tasks on the target systems and is typically assigned to IT managers and IT
system administrators. The administrator user role can perform management tasks on FortiPAM.

• Targets are the servers or devices with a privileged account supporting RDP, SSH, web, or other
administrative protocols. Target systems include Windows servers, web servers, Unix servers, and SQL
servers, among others. Targets allow a host to have a common configuration across secrets.

• Classification tags are used to categorize different targets by OS type, location, functionality, and so on.

• Secrets contain information about login, credentials, and the target server IP address. Secrets are the core
assets in FortiPAM representing methods and credentials to access target systems in your organization.
When users log in to FortiPAM, FortiPAM uses the credentials in the secret to log into critical systems.

• Launchers help users gain remote access to a target without knowing the password stored on FortiPAM.
Launchers can invoke client-side software to perform management tasks.

• Folders organize secrets in a hierarchical view. Using folders can be helpful when you are managing
environments that use a large number of secrets. For example, you can organize folders based on regions
or branch offices. When you use folders, you can quickly look for secrets from the folder tree view.
Granting permissions is also more efficient because secrets in a folder share the same permission and
policy by default.


This slide shows the relationship between FortiPAM and the other elements necessary to fulfill its functions.

FortiPAM acts as the central access control point and receives user connections from various environments
or locations. By directing all access requests through FortiPAM, organizations can centralize control and
ensure that only authorized users can interact with sensitive resources.

FortiPAM can also integrate with other authentication solutions, such as Active Directory and
FortiAuthenticator, for identity verification, and FortiClient EMS for security posture enforcement. These
integrations allow FortiPAM to verify user identity and enforce granular access controls.

FortiPAM can connect to a wide range of critical assets, including Windows and Linux servers, web servers,
firewalls, routers, switches, and so on.

In summary, a FortiPAM solution plays a central role in facilitating secure, policy-driven access to sensitive
systems.


FortiPAM can operate in two modes: proxy and non-proxy.

In proxy mode, all the launched traffic to the target server is forwarded to FortiPAM first. FortiPAM then
connects to the target server. FortiPAM manages the credentials and login procedures to the target server.
Proxy mode is more secure than the non-proxy mode because it does not deliver sensitive information to the
client machine. In proxy mode, the administrator can terminate user sessions if improper behavior is detected.
Web SSH, web RDP, web VNC, web SFTP, web Telnet, and web SMB default launchers always use proxy
mode, irrespective of the proxy settings.

In non-proxy mode, all the launched traffic is directly connected to the target server without FortiPAM.
FortiPAM delivers the credential information to the client workstation. This mode introduces the risk of
credential leakage, so it is not recommended in most scenarios. However, using non-proxy mode could be
justified for process-intensive tasks requiring minimal delays, or in topologies where FortiPAM cannot reach
the target directly.

Several features do not work when FortiPAM is in non-proxy mode, including the following:

• Antivirus scan
• SSH filters
• PuTTY and WinSCP launchers when the secret uses an SSH key for authentication
• TightVNC launcher when the secret requires a username for authentication

The operation mode is configured in a secret policy and then applied to the desired folders.


Users can connect to FortiPAM in several ways, depending on the OS running on their workstations.

A complete FortiPAM solution involves FortiPAM, FortiClient EMS, and a standard FortiClient installation.
When both FortiPAM and FortiClient register with FortiClient EMS, ZTNA endpoint control is available for
secret launching and FortiPAM server access control. This solution supports all FortiPAM features.

When FortiClient EMS is unavailable, Fortinet recommends the stand-alone FortiPAM agent for Windows
workstations. With the stand-alone FortiPAM agent, users can connect to the target server using native
launchers such as PuTTY, RDP, VNC Viewer, TightVNC, and WinSCP, and take advantage of the functions
provided by these applications. Also, video recordings of the user activity on the target server can be sent to
FortiPAM in real time. Note that installing the stand-alone agent prevents you from installing other FortiClient
software.

If FortiClient is unavailable, the Fortinet Privileged Access Agent browser extension is available from the
Chrome Web Store and Microsoft Edge Add-ons websites. For Firefox, the extension is a free download
available on the Fortinet support page. This extension-only setup supports web-based launchers and web
browsing. The extension also allows for the recording of user activities on the target servers.

On a system without FortiClient or the browser extension, the user can still log in to FortiPAM and use the
web-based launchers. This is known as agentless mode, and it doesn’t support some of the features
mentioned in this lesson.


The table on this slide lists several examples of how the deployment type affects the FortiPAM features
available. Refer to the FortiPAM Administration Guide for a complete list.


In simple scenarios, you can deploy FortiPAM in the same network segment as the assets it protects.
However, this design is not considered the most secure, and it is often not an option; for example, you may
have critical servers in multiple locations.

In more complex topologies, you would most likely place FortiPAM in a network segment without direct
access to the targets. In this situation, you may need to configure one or more secret gateways. For example,
a secret gateway can allow access from a FortiPAM device in a public network to a private enterprise
network.

The network gateway can be a FortiGate device, a FortiProxy device, or another FortiPAM device.


FortiPAM supports two types of secret gateways: forward gateway and reverse gateway.

In a forward gateway setup, FortiPAM tries to connect to a target system through a gateway device such as
FortiGate, FortiPAM, or FortiProxy. The traffic flow goes from FortiPAM to the gateway first, then to the target.
This is the simplest mode, but it has one crucial downside. When FortiPAM is deployed outside the trusted
network and initiates a connection to a target located in the corporate network, firewalls may block the
inbound traffic and prevent FortiPAM from reaching the target.

The reverse gateway setup helps address the limitations of the forward gateway implementation. In this setup,
the gateway establishes a persistent control connection to FortiPAM, which works as the control plane. Since
the reverse connection is outbound from the internal network, it is more firewall friendly. Once the initial
connection is established, FortiPAM can send traffic through the gateway to reach the targets.

By default, FortiPAM sends periodic health check packets to verify the availability of the gateway.
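The direction inversion that makes the reverse gateway firewall friendly can be shown end to end with a few sockets. The Python below is an added illustration, not FortiPAM or FortiGate code: the line-based PING/CONNECT protocol, the "whoami" payload and the loopback target are all constructed for the example. The gateway dials out to the central server, the server then sends a health check and a session request over that one established connection, and the gateway completes the final hop to a target that only it can reach.

```python
import socket
import threading

# Constructed illustration of a reverse gateway: the gateway inside the protected network
# dials OUT to the central server, and the server then uses that one established connection
# to health-check the gateway and to reach a target only the gateway can connect to.
# The PING/CONNECT line protocol, the loopback target and the payload are all made up;
# this is not FortiPAM's wire protocol.

HOST = "127.0.0.1"


def _listener() -> socket.socket:
    """Bind a loopback listener on an OS-chosen port so the demo needs no fixed ports."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    s.listen(1)
    return s


def target_service(listener: socket.socket) -> None:
    """Stand-in for an internal target (say, an SSH host). Answers one request and exits."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rw") as f:
        cmd = f.readline().strip()
        f.write(f"target-ok:{cmd}\n")
        f.flush()


def reverse_gateway(server_addr) -> None:
    """Gateway side: one OUTBOUND connection to the server, then serve requests on it."""
    s = socket.create_connection(server_addr)   # outbound, so no inbound firewall rule is needed
    with s, s.makefile("rw") as ctl:
        while True:
            line = ctl.readline()
            if not line:
                return                           # server closed the control connection
            parts = line.strip().split(" ", 3)
            if parts[0] == "PING":               # periodic health check from the server
                ctl.write("PONG\n")
            elif parts[0] == "CONNECT":          # CONNECT <host> <port> <payload>
                _, host, port, payload = parts
                with socket.create_connection((host, int(port))) as t, t.makefile("rw") as tf:
                    tf.write(payload + "\n")
                    tf.flush()
                    reply = tf.readline().strip()
                ctl.write(reply + "\n")          # relay the target's answer back to the server
            elif parts[0] == "BYE":
                return
            ctl.flush()


def run_demo() -> dict:
    """Server side (the FortiPAM central server in the slide's terms). Returns what it got back."""
    server_l, target_l = _listener(), _listener()
    target_port = target_l.getsockname()[1]
    threads = [
        threading.Thread(target=target_service, args=(target_l,), daemon=True),
        threading.Thread(target=reverse_gateway, args=(server_l.getsockname(),), daemon=True),
    ]
    for t in threads:
        t.start()
    results = {}
    conn, _ = server_l.accept()                  # the gateway's control connection arrives
    with conn, conn.makefile("rw") as ctl:
        ctl.write("PING\n")                      # health check rides the established link
        ctl.flush()
        results["health"] = ctl.readline().strip()
        ctl.write(f"CONNECT {HOST} {target_port} whoami\n")  # so does the session request
        ctl.flush()
        results["session"] = ctl.readline().strip()
        ctl.write("BYE\n")
        ctl.flush()
    for t in threads:
        t.join(timeout=5)
    server_l.close()
    target_l.close()
    return results
```

The server never opens a connection toward the gateway or the target; everything it needs travels over the single connection the gateway initiated, which is why a perimeter firewall that only permits outbound traffic from the internal network does not block the setup.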


Two modes are available when using a reverse gateway setup: reverse mode and service mode.

In reverse mode, sessions are launched from FortiPAM and passed through the gateway. The traffic flow
goes from the client to FortiPAM to the gateway to the target. In this scenario, the FortiPAM device receiving
the client requests is called the FortiPAM server or FortiPAM central server.


In service mode, clients receive authorization from the FortiPAM server, but sessions are launched directly
from the client to the device acting as the service gateway, bypassing the FortiPAM server. The secret
session traffic flow goes from the client to the service gateway to the target. This option’s main advantage is
reducing delay and the FortiPAM server load.

Note that authorization, session video recordings, and secret logs are still uploaded to the FortiPAM server for
central management.


A newly deployed FortiPAM works in evaluation mode until you add a valid license. Evaluation mode is
available for 15 days and includes most FortiPAM features, but with several restrictions. For example, only
two users are allowed, including the default admin account.

You must place FortiPAM in maintenance mode to upload a license file.

Hardware device licenses are divided into three separate SKUs: the number of perpetual users allowed,
advanced malware support, and FortiCare premium support.

FortiPAM-VM licenses follow a subscription model and are available in durations of 1, 3, or 5 years. They
include the number of users allowed, advanced malware protection, and FortiCare premium support. The
minimum number of users per subscription is five.


FortiPAM-VM 1.5.0 and later support floating licenses.

This feature is intended for HA implementations, enabling the total number of seats in the cluster to equal the
combined seats available on each cluster member. For example, if the primary and the secondary nodes each
have 50 user seats, the HA cluster then supports up to 100 user seats in total.

If the primary node is offline, you have up to 7 days to restore it. After the grace period of 7 days, if the
primary node is still down, the administrator must reduce the number of active users on the secondary node to
match its own license capacity.

FortiPAM displays a notification when a license is close to expiring, but you can also configure it to send
emails for licensing and other critical system events.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how FortiPAM features can help secure
privileged access in your organization.

System Configuration

In this lesson, you will learn about several common configuration changes that are required before you can
start using FortiPAM in your environment.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in understanding the initial system configuration of FortiPAM, you will be able
to add FortiPAM to your network and perform basic administrative tasks.


Deploying FortiPAM involves essential initial configuration tasks to ensure that the system is operational,
secure, and tailored to the requirements of your organization.

This slide shows some of the most common configuration steps that will help you to establish a baseline
configuration and to prepare FortiPAM to manage sensitive credentials and privileged accounts effectively.
These steps include:

• Configure basic network settings
• Set the hostname
• Set the system date, time, and time zone
• Configure email notifications
• Configure a login disclaimer
• Configure TPM
• Back up the configuration
• Configure HA

FortiPAM includes a setup wizard that you can use for the initial system configuration. This can help new
users configure the basic settings very easily.


In most scenarios, the first FortiPAM initial system configuration task involves the network settings.

It is recommended that you assign static IP addresses to all interfaces in use, as features like HA do not
support DHCP-enabled interfaces. Additionally, you can configure a custom virtual IP (VIP) for GUI access if it
must be different from the default. Keep in mind that larger scenarios may require more than one VIP. Finally,
you should tailor the administrative access for each interface to meet security and accessibility requirements.

By default, only port1 is configured with a VIP, and it allows ping and SSH traffic.

Another critical aspect is DNS configuration. By default, FortiPAM uses FortiGuard servers for DNS
resolution. However, administrators can adjust these settings to align with their specific environment. Proper
DNS configuration is required for receiving FortiGuard updates, which keeps the system up to date.

Lastly, you must configure static routes to define the routing behavior of FortiPAM. While a default route is
sufficient for simpler setups, more complex environments may require additional static routes to ensure
connectivity across the network.


Setting a unique hostname, accurate time, and email notifications in FortiPAM is essential for its effective
operation.

A unique hostname helps distinguish the device in complex networks, simplifying administration.

Proper time settings are critical for accurate logging and event tracking. For time synchronization, you can use
either the default FortiGuard NTP server or custom time servers.

Email notifications enhance system responsiveness by alerting administrators about critical events such as
expiring licenses, detected viruses, configuration changes, and certificates nearing expiration. To enable this
feature, you must configure an SMTP server. FortiPAM allows you to configure different sender and recipient
email addresses for different alert types.


A login disclaimer in FortiPAM is important for legal, security, and informational purposes.

A disclaimer serves as a notice to users accessing the system, outlining acceptable use policies and warning
against unauthorized access. This helps protect the organization by deterring misuse and providing a basis for
legal action if necessary. A login disclaimer can also include important messages, such as compliance
requirements or specific instructions for users.

By displaying this information before allowing access, your organization improves security awareness and
ensures that users acknowledge their responsibilities when interacting with the FortiPAM system and the
critical assets it protects.

Although it is not shown on this slide, the default disclaimer includes information about the user’s last
successful login time and the last failed login time, if applicable.


FortiPAM supports TPM both in the hardware device and in the FortiPAM-VM. TPM is a security chip
(hardware-based or virtual) that provides cryptographic functions to ensure system integrity, secure boot, and
protect sensitive data such as encryption keys, certificates, and passwords.

By leveraging TPM, FortiPAM ensures that cryptographic operations and key storage are performed in a
secure environment that is resistant to tampering.

It is highly recommended that you enable TPM during your initial system configuration. You must put
FortiPAM in maintenance mode before enabling or disabling TPM. It is also recommended that you back up
your configuration before any of these operations.

When working with FortiPAM-VM, you must ensure that the VM is set to boot using extensible firmware
interface (EFI) and that the virtual TPM hardware is added before the VM runs for the first time.

This slide shows the commands you must run to enable TPM in FortiPAM and FortiPAM-VM, as well as how
you can check if the feature is ready on the system. As part of enabling TPM you must enter the 32-character
key that is used for encrypting the sensitive data.


Fortinet recommends that you back up your FortiPAM configuration regularly to ensure that you can quickly
restore the system to its original state after a failure with minimal network impact. You should also create a
backup after making any changes to the FortiPAM configuration. Fortinet also recommends backing up all
configuration settings from your FortiPAM unit before upgrading the FortiPAM firmware.

You can perform backups in two ways:

• Manually trigger the process.
• Configure backups to run automatically and be saved to an FTP, SFTP, HTTP, or HTTPS server.

Optionally, you can encrypt the backup file to prevent tampering.

The FortiPAM configuration includes not only the system settings, but also all user information and encrypted
secret data. Be aware that backup files do not include system events, secret logs, and recorded videos of
secret sessions.

When restoring a backup configuration, remember that the secret password may not be the most recent one.
To ensure that all credentials are correct in a configuration file, you can enable maintenance mode first so that
no passwords are modified during the backup, and then manually trigger the configuration backup.

Good job! You now understand the most common initial system configuration tasks that you should perform in
FortiPAM.

Now, let’s examine how you can implement HA.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring an HA cluster, you will be able to implement this feature to
enhance the reliability of your FortiPAM implementation.

FortiPAM supports HA clustering to enhance reliability and ensure uninterrupted service. One device in the
cluster is designated as the primary, and the others as secondary devices. The cluster operates in
active-passive (A-P) mode, in which the primary node handles all tasks until a failover occurs.

System configuration elements, such as users, secrets, and the keys used to encrypt data, are synchronized
across all nodes in the cluster. This ensures that services can continue or be recovered seamlessly if the
primary node becomes unavailable. However, system events and logs are recorded only on the primary node.

An HA cluster can include up to three FortiPAM devices, with one active node and up to two passive nodes,
providing failover protection or disaster recovery capabilities. Each cluster device must be the same model
and run the same firmware version, but the devices can have different license seat counts. Logs and recorded
secret-session videos are not synchronized between nodes: each member stores them only on its own local disk,
and they are also not accessible through FortiAnalyzer, because the logs are identified by the serial number
of the member that stored them.

Before setting up an HA cluster, you must ensure that none of the interfaces uses DHCP for IP addressing.

Each cluster member can be assigned a different priority to determine which device becomes the primary
node during a failover; devices with a higher priority take precedence. With the override option enabled, the
device with the highest priority always becomes the primary unit, even after a failover, as long as it is
available. The override setting and priority values are not automatically synchronized across the cluster and
must be configured manually on each device.

To add security to the cluster, you can configure a password. This password must be consistent across all
cluster devices.

Heartbeat communication between all cluster members keeps track of the cluster’s health and triggers failover
processes when needed. Heartbeat interfaces should be dedicated and separate from user-facing interfaces.
If a monitored interface fails, traffic is rerouted to another cluster member, which then becomes the primary.

Administrators can configure heartbeat communication as unicast or broadcast. While broadcast is the default
mode, unicast is recommended for environments where broadcast may not be supported like in the case of
the public cloud. Unicast is also required for scenarios with a disaster recovery node placed on a remote
location.

When the primary FortiPAM device is down, a secondary device takes over the primary role and enters
maintenance mode, where it remains until an administrator intervenes. The administrator can either bring the
original primary device back up or disable maintenance mode on the new primary device to resume all FortiPAM
features.

Disaster recovery (DR) refers to the strategies and processes used to restore critical IT systems and data
after an unexpected failure, such as hardware malfunctions, cyberattacks, or natural disasters. These
strategies ensure business continuity by minimizing downtime and data loss.

In general, DR implies the use of one or more remote sites that work in standby mode, and that are ready to
take over in the case of critical failures on the main site.

FortiPAM HA supports the use of a DR node, which can be placed in a different, offsite location, to where
users can be redirected when the need arises.

The DR node functions as part of the HA cluster alongside the primary and secondary nodes, forming a three-
member cluster.

When a failover occurs, the DR node assumes the role of the primary device and operates using its own VIP.
Users can then be redirected to the new VIP and continue performing their tasks.

Use the command shown on this slide to enable the DR node. All other settings in the DR also require the use
of the CLI.

You should keep in mind that the default interval for the DR heartbeats is six times longer than that of the
primary and secondary nodes. You can make this interval smaller if your environment requires it.

A DR node on a remote site is most likely in a different network segment from the primary and secondary
nodes. For this reason, you must ensure that the following five settings are not synchronized to the DR node:

• System interface
• VIP
• Routes
• SAML server
• FortiToken mobile configuration

To achieve this, you must configure all nodes in the cluster with the VDOM exception commands shown on
the slide.

With this configuration, when HA fails over to the DR node, it then operates using the configured DR VIP.

You should note that when firewall.vip is configured in the system VDOM exception list, you must
manually apply all configuration changes related to the interface GUI portal on the secondary and DR nodes.

You can upgrade the firmware in an HA cluster in one of two modes: uninterrupted and interrupted.

During an uninterrupted upgrade, secondary nodes are upgraded first, followed by a new primary node
selection. Then, the former primary node is upgraded. This ensures minimal service disruption. The primary
node is not upgraded until at least one secondary node rejoins the cluster after its upgrade.

Alternatively, an interrupted upgrade updates all devices simultaneously. This is faster but temporarily halts
cluster communication. This mode is disabled by default, but you can enable it with the command shown on
the slide.

It is highly recommended that you back up your FortiPAM configuration before you decide to perform a
firmware upgrade.

You can deploy FortiPAM HA in all the public cloud environments that support a standalone implementation.
The principles of HA for FortiPAM in public clouds are the same as in on-premises deployments, but the
deployment is tailored to each cloud vendor's features and infrastructure. For this reason, some of the steps,
and the capabilities offered, vary from vendor to vendor.

Since most public cloud platforms do not support broadcast communication natively, you must use the unicast
heartbeat method for FortiPAM HA in these environments to ensure proper synchronization among the
member nodes.

Visit https://docs.fortinet.com to learn about the latest supported implementation for each cloud
provider.

This slide shows the diagram of an HA implementation in AWS with FortiPAM instances in two availability
zones.

Good job! You now know how to implement HA in FortiPAM.

Now, you will learn about digital certificates and how they are used in FortiPAM.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in how digital certificates work, and the solutions available to trust FortiPAM
certificates, you will be able to allow users to connect to FortiPAM securely.

A digital certificate is a file used to authenticate a device, server, or user through cryptography and public key
infrastructure (PKI). It is a digital document produced and signed by a certificate authority (CA), and ensures
that only trusted devices and users gain access to a resource. It identifies an end entity, such as a person (for
example, Joe Bloggings), a device (for example, webserver.acme.com), or thing (for example, a certificate
revocation list).

Another common use of digital certificates is an SSL certificate, which verifies a website’s legitimacy to a
browser.

Certificates serve three primary purposes:

• Authentication: The common name (CN) or subject alternative name (SAN) field, or both, identify the device
that the certificate represents.
• Encryption and decryption: The public key in the certificate and its corresponding private key are used to
establish the keys that encrypt and decrypt traffic.
• Integrity: The CA's signature over a hash of the certificate lets a client detect any change to the certificate.
Within the session, messages are hashed using a secret key known to both the sender and the receiver, and
the receiver uses that key to check the hash value and confirm the integrity and authenticity of the message
data.

Web browsers maintain secure online communications by verifying the validity of digital certificates. When a
certificate is invalid, the browser generates a warning or error message, alerting users to potential security
risks. These warnings should never be ignored, especially in a production environment, as they indicate that
the connection may not be secure.

A certificate may be considered invalid for several reasons. One common issue is an expired certificate, which
occurs when the certificate owner fails to renew it before its expiration date. Another reason is that the
certificate comes from an untrusted source, meaning it was not issued by a recognized CA. Additionally, if a
certificate has been revoked due to compromise or misconfiguration, browsers and security systems will
consider it invalid.

This slide shows the certificate warning message that Firefox displays when it encounters an untrusted
certificate. The warning page includes the option to accept the risk and continue using the certificate.
Selecting this option creates a security exception in your browser. Other browsers display similar warning
messages and offer similar security exception options.

By default, FortiPAM uses a self-signed certificate to authenticate itself to HTTPS clients. Because the
corresponding CA certificate is not prepopulated in the certificate stores of client devices, the first HTTPS
connection to the FortiPAM GUI triggers a security warning.

Ensuring that every client trusts the system certificates is essential for secure authentication and encryption.
There are several approaches you can take to achieve this trust.

The best approach for production environments is to implement a PKI, which provides a structured method for
managing and distributing trusted certificates to all the devices in your organization.

If FortiPAM must accept connections from users outside your organization, you can purchase a certificate
signed by a recognized CA.

Optionally, but not recommended for production, you can instruct your users to accept the certificate warning
and establish the connection, allowing their browsers to import the self-signed FortiPAM certificate into the
certificate store. Use this option only in testing or lab environments.

Certificates in FortiPAM play an essential role in securing communications, authentication, and trust
management.

FortiPAM uses three types of certificates:

• Local certificates—Issued for a specific service or website. All the certificates you can use to encrypt the
access to FortiPAM GUI fall in this category.
• Local CA certificates—These CA certificates are used to generate and sign new local certificates.
• Remote CA certificates—These are CA certificates imported from third parties. For example, you must
import the IdP CA certificate to configure SAML authentication.

You can delete, import, download, and view the details of all certificate types that FortiPAM uses.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this
lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the initial configuration tasks for a newly
deployed FortiPAM.

Users and Roles

In this lesson, you will learn how to manage local users, remote users, user groups, and roles on FortiPAM.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of FortiPAM users and roles, you will be able to apply FortiPAM
users and roles effectively in your network.

You must create user accounts on FortiPAM so that users can log in and access the required resources.
FortiPAM supports three user types: local, remote, and API. The user role determines which areas on
FortiPAM a user account can access, and what they can do in those areas. To minimize security risks, you
should always follow the principle of least privilege when assigning roles.

Although the default admin user has full permission to configure all FortiPAM features, it is recommended that
you create separate accounts for daily administrative tasks.

Additionally, you can enhance the security of user accounts by implementing a strong password policy,
configuring trusted hosts for each account, creating login schedules, and requiring two-factor authentication
for all login attempts.

You can enhance the security of FortiPAM users by implementing the following measures:

• Enforce a strong password policy that requires a minimum password length, character complexity,
expiration dates, and limits the number of failed login attempts to prevent brute-force attacks. The
password policy on FortiPAM is configured at the system level.

• Configure trusted hosts for each user to restrict access to FortiPAM from specific IP addresses or subnets.
This ensures that users can connect from only authorized devices. This option may not be possible when
working with external users.

• Implement login schedules that define specific days and times when users can log in, reducing the risk of
unauthorized access outside of approved hours. You can create multiple schedules at the system level and
combine them into schedule groups if needed.

• Require two-factor authentication to add an extra layer of security by requiring a second verification step.
FortiPAM users can authenticate using email, FortiToken, FortiToken Cloud, or third-party authenticators.
Using two-factor authentication significantly reduces the risk of account compromise.

By combining these security measures, organizations can effectively protect FortiPAM user accounts while
maintaining secure access for authorized users.

The access level granted to FortiPAM users is based on their assigned role. Each user can be assigned a
single role.

FortiPAM includes six default roles, and you can create custom roles if the default ones don’t meet your
needs. The six default roles are, from most permissive to least permissive: super administrator, default
administrator, power user, sponsor admin, standard user, and guest user. The settings of these default roles
cannot be modified, but administrators can clone them to have a starting point when creating custom roles to
fit specific needs.

Each role comprises a combination of privileges in four categories: secrets, user management, system and
network, and admin settings. These categories contain subcategories with very granular permissions, allowing
for precise control over which user actions are allowed.

The table on this slide contains short descriptions of the six default FortiPAM roles. The top four roles are
considered administrative roles, while the bottom two are user roles. You should refer to the FortiPAM
Administration Guide to review the complete list of permissions available to each role.

Note that the difference between the super administrator and the default administrator roles is that the latter
cannot access glass-breaking mode, nor restore the system configuration from a backup file. For this reason,
you should not use the default admin account for your everyday tasks. You should create a new user account
with the default administrator role for all daily administrative tasks.

When assigning roles to non-administrative users in FortiPAM, you should choose a role that aligns with their
access needs while maintaining security best practices. For this reason, you should assign non-administrative
users either the standard user role, the guest user role, or a custom role you create.

The guest user role is ideal for users who require temporary access to privileged resources but do not need to
create new secrets. This is suitable, for example, for external contractors or third-party consultants who need
limited access without the ability to modify or create new secrets.

For all other cases, the standard user role should be used.

If neither of these roles meets your requirements, administrators can create custom roles to tailor permissions
according to specific needs. Non-administrative users should have permissions only from the secrets category,
so that they do not gain unnecessary privileges over system or administrative settings. If they need to make
other system changes, they should be assigned one of the administrative roles instead.

Glass-breaking mode is a high-privileged access option within FortiPAM that grants administrators emergency
access to all secrets in the system. Due to its potential security implications, its use should be restricted to a
few administrators.

This mode is intended for use only in exceptional situations, such as dealing with disaster recovery, during
network outages, or when remote authentication servers become unreachable. By providing unrestricted
access in critical scenarios, glass-breaking mode ensures that organizations can maintain operational
continuity, even during severe disruptions.

To enhance security and accountability, all activity performed in this mode is logged, and any secrets
accessed are recorded by default. Additionally, email alerts should be configured to notify all administrators
when glass-breaking mode is activated, ensuring transparency and immediate oversight.

API user accounts on FortiPAM are special accounts designed for automation and integration purposes.
These accounts are created and stored locally on FortiPAM and can access the system only through REST
API calls, meaning they cannot log in to the GUI or CLI.

Like other user accounts, API accounts can be configured with a role, login schedule, two-factor
authentication, and trusted hosts, ensuring secure and controlled access.

Unlike other user accounts, API users authenticate using a token instead of a password. This token is
automatically generated during account creation and is required for making API requests. If an API token is
lost, administrators can edit the API user account to generate a new token.

These accounts are useful in automated deployments, such as when using Terraform to manage FortiPAM.

The following types of REST APIs are supported: configuration APIs, monitor APIs, internal APIs, and utility
APIs.

Keep in mind that the API user must have correct permissions to perform the desired action.
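The following Python script is an added example of how an automation job would use an API user's token; it is not code from this study guide or from Fortinet. The host name, the CA bundle path, and the configuration-API path are assumptions for illustration (the path is modelled on the FortiOS-style /api/v2/cmdb/ tree and is not taken from the page). The script sends the token as a Bearer credential, verifies the FortiPAM certificate against the internal CA instead of disabling TLS verification, keeps the token out of logs, and distinguishes a rejected token (401) from a role that lacks the needed permission (403).

```python
import json
import os
import ssl
import urllib.error
import urllib.request

# Constructed example values (assumptions, not taken from the study guide).
FORTIPAM_URL = "https://fortipam.example.com"
CA_BUNDLE = "/etc/ssl/certs/corp-root-ca.pem"  # root of the internal PKI that signed the FortiPAM certificate
API_PATH = "/api/v2/cmdb/system/global"        # assumed configuration-API path, modelled on the FortiOS API tree


def build_request(base_url: str, path: str, token: str) -> urllib.request.Request:
    """An API user never logs in: the token sent as a Bearer credential is its only secret."""
    req = urllib.request.Request(base_url + path, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def redact(token: str) -> str:
    """Log-safe form of the token; treat it exactly like a password."""
    if len(token) <= 8:
        return "***"
    return f"{token[:4]}...({len(token)} chars)"


def classify_status(status: int) -> str:
    """Separate 'wrong token' from 'right token, insufficient role' so the fix is obvious."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "token rejected: regenerate the token on the API user account"
    if status == 403:
        return "forbidden: the API user's role lacks permission for this call"
    return f"unexpected HTTP {status}"


def tls_context(ca_bundle: str) -> ssl.SSLContext:
    """Trust the internal CA explicitly instead of disabling verification to silence a warning."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch(base_url: str, path: str, token: str, ca_bundle: str, timeout: int = 10):
    """Return (HTTP status, parsed JSON or None); the token itself is never written to the log."""
    req = build_request(base_url, path, token)
    try:
        with urllib.request.urlopen(req, context=tls_context(ca_bundle), timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    api_token = os.environ.get("FORTIPAM_API_TOKEN", "")
    if not api_token:
        raise SystemExit("set FORTIPAM_API_TOKEN in the environment; never hard-code the token")
    code, body = fetch(FORTIPAM_URL, API_PATH, api_token, CA_BUNDLE)
    print(f"{classify_status(code)} (token {redact(api_token)})")
```

Run it with the token exported in the environment so that it never lands in a script, a Terraform state file, or a shell history. Trusted hosts configured on the API user account apply to these calls as well, so run the job from the address range you allowed.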

Good job! You now know how to manage local users and roles on FortiPAM.

Now, you will learn how to manage remote users on FortiPAM.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in describing the options available for remote users, you will be able to
configure FortiPAM to allow non-local users to authenticate and access privileged resources.

You can configure FortiPAM to leverage remote authentication servers to allow users to log in or deny them
access. This method is desirable when your organization already has a centralized authentication solution.

FortiPAM supports the following as remote authentication servers: LDAP, RADIUS, and SAML.

When you use a remote authentication server to authenticate users, FortiPAM forwards the credentials the user
entered to that server. The server responds by indicating whether the credentials are valid. If they are valid,
FortiPAM consults its own configuration, such as the user's role and any matching auto-provisioning rule, to
determine what the user is allowed to access.

Note that it is the remote authentication server—not FortiPAM—that evaluates the user credentials.

When server-based password authentication is used, FortiPAM does not store the user's password locally, and
depending on the configuration it may store little or none of the other user information locally.

LDAP is an application protocol used for accessing and maintaining distributed directory information services.

The LDAP protocol is used to maintain authentication data that may include departments, users, user groups,
passwords, email addresses, and so on.

The LDAP protocol includes a number of operations that a client can request, such as search, compare, add
an entry, and delete an entry. Binding is the operation in which the LDAP server authenticates users. If a user
is successfully authenticated, binding allows the user access to the LDAP server, based on that user’s
permissions.

Note that a simple bind over plain LDAP (port 389) is not secure because it sends the password in clear text.
Fortinet recommends that you use LDAPS (LDAP over TLS, usually port 636), which protects the credentials in
transit.

RADIUS is very different from LDAP because there is no directory tree structure to consider. RADIUS is a
standard protocol that provides authentication, authorization, and accounting (AAA) services.

When a user authenticates, the client (FortiPAM) sends an ACCESS-REQUEST packet to the RADIUS server.
The reply from the server is one of the following:

• ACCESS-ACCEPT means that the user credentials are correct.
• ACCESS-REJECT means that the credentials are wrong.
• ACCESS-CHALLENGE means that the server requests additional information, such as a secondary password,
token code, or certificate.
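To make the exchange concrete, here is an added Python example (not from the study guide or from Fortinet) that builds an ACCESS-REQUEST the way a RADIUS client such as FortiPAM would, including the RFC 2865 User-Password hiding, then plays the server side to produce a reply and verifies the reply's Response Authenticator before acting on it. The shared secret, user name, and attribute values are constructed test data; a real client sends the packet over UDP port 1812, which this example does not open.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32

SHARED_SECRET = b"constructed-example-secret"   # constructed value; real secrets are long and random


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. This is obfuscation keyed by the shared
    secret, not strong encryption, which is why RADIUS belongs on a trusted network."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Type(1) Length(1) Value; Length counts the two header bytes.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def access_request(username: bytes, password: bytes, secret: bytes, ident: int,
                   nas_id: bytes = b"fortipam", authenticator: bytes = None):
    """Client (FortiPAM) side: returns the packet and the Request Authenticator,
    which the client must keep in order to validate the reply."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, ra)),
                         (NAS_IDENTIFIER, nas_id)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def server_reply(code: int, ident: int, request_auth: bytes, secret: bytes, attrs=()) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(list(attrs))
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes):
    """Client side: refuse any reply whose authenticator does not prove knowledge of the secret."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: spoofed reply or wrong shared secret")
    outcome = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
               ACCESS_CHALLENGE: "challenge"}.get(code, "unknown")
    return outcome, ident, decode_attrs(body)


def demo():
    """One constructed round trip: the server accepts the password but asks for a second factor."""
    req, ra = access_request(b"alice", b"correct horse battery", SHARED_SECRET, ident=7)
    attrs = dict(decode_attrs(req[20:]))
    password = unhide_password(attrs[USER_PASSWORD], SHARED_SECRET, ra)
    code = ACCESS_CHALLENGE if password == b"correct horse battery" else ACCESS_REJECT
    reply = server_reply(code, 7, ra, SHARED_SECRET,
                         [(REPLY_MESSAGE, b"Enter your token code"), (STATE, b"sess-1")])
    return parse_reply(reply, ra, SHARED_SECRET)


if __name__ == "__main__":
    outcome, ident, attrs = demo()
    print(outcome, ident, attrs)
```

The Response Authenticator check is the part that matters operationally: a client that skips it will act on any ACCESS-ACCEPT that reaches it, regardless of who sent it. The password hiding, by contrast, is only as strong as the shared secret, so keep RADIUS traffic on a management network or inside a tunnel.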

SAML is an open standard protocol that enables an identity provider (IdP) to send authentication assertions
about users to a service provider (SP), which uses them to authenticate and authorize those users to access a
service. With SAML, organizations can allow their employees to use single sign-on (SSO).

SAML functions by passing user attributes or credentials between the IdP and the SP. Each user logs in once
to sign on with the IdP, then the IdP passes the SAML attributes to the SP whenever the user attempts to
access that service.

With FortiPAM, remote user onboarding can be handled manually or through auto-provisioning rules. Each
method has distinct advantages and drawbacks.

Manual user creation involves administrators manually adding each remote user, assigning roles, and defining
all the user account settings by hand. This method provides granular control over user attributes but is time-
consuming, error-prone, and inefficient in large-scale environments. Additionally, manual provisioning
increases the risk of inconsistencies and delays, especially when managing dynamic user populations.

On the other hand, auto-provisioning rules automate user onboarding by integrating with supported remote
authentication servers. These rules ensure users are assigned appropriate permissions based on predefined
criteria, such as roles. Auto-provisioning enhances efficiency, reduces administrative overhead, and
minimizes human errors. Furthermore, it improves security by enforcing standardized access policies and
reducing the risk of privilege mismanagement.

While manual provisioning may be suitable for small-scale environments, auto-provisioning rules provide a
scalable, consistent, and secure approach to user management on FortiPAM, making them the preferred
choice in most scenarios.

You can use auto-provisioning rules to have FortiPAM create remote user accounts automatically after they
successfully log in for the first time. This streamlines user management for remote accounts.

This feature is not restricted to a specific authentication protocol. FortiPAM can create users dynamically
based on their group membership, regardless of whether LDAP, RADIUS, or SAML is used. The auto-
provisioning rule defines the remote user group that must be matched and the role assigned to that user. If
you create multiple rules, the rules are checked for matches from top to bottom; therefore, the order of the
rules is important.

After a user successfully logs in for the first time, they are automatically added to the FortiPAM list of user
accounts.

It is important to remember that user accounts provisioned with this feature count towards the number of
licensed seats.

When you delete, disable, or edit a rule, all user accounts provisioned by that rule are assigned an out-of-sync
status. While in this status, a user account does not occupy a license seat and may not match any rule until
the next successful login.

You can convert an auto-provisioned user into a manually created user to assign it a different user role. This
is a one-way process, and you cannot convert the user account back to auto-provisioned without deleting it.
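The top-to-bottom rule order is the detail most often misconfigured, so the following added Python model (illustrative code, not FortiPAM's implementation) shows how first-match evaluation, license seats, and the out-of-sync status described above interact. Rule names, group names, role names, and the seat count are constructed values; the assumption that an existing in-sync account is not re-evaluated on every login is a simplification of this model, not a statement about FortiPAM.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Rule:
    name: str
    group: str             # remote group (LDAP/RADIUS/SAML) the user must belong to
    role: str              # FortiPAM role assigned when the rule matches
    enabled: bool = True


@dataclass
class Account:
    name: str
    role: str
    rule: Optional[str]    # name of the rule that provisioned it; None for a manually created account
    out_of_sync: bool = False


def match_rule(rules: Iterable[Rule], groups: Set[str]) -> Optional[Rule]:
    """Rules are checked top to bottom and the first enabled match wins."""
    for rule in rules:
        if rule.enabled and rule.group in groups:
            return rule
    return None


class Provisioner:
    def __init__(self, rules: List[Rule], seats: int):
        self.rules = rules
        self.seats = seats
        self.accounts: Dict[str, Account] = {}

    def seats_used(self) -> int:
        # Out-of-sync accounts do not occupy a licensed seat.
        return sum(1 for a in self.accounts.values() if not a.out_of_sync)

    def login(self, name: str, groups: Set[str]) -> Account:
        """Successful remote login: provision on first login, re-sync an out-of-sync account."""
        acct = self.accounts.get(name)
        if acct is not None and not acct.out_of_sync:
            return acct                      # in-sync or manual account: nothing to re-evaluate (model assumption)
        rule = match_rule(self.rules, groups)
        if rule is None:
            raise PermissionError(f"{name}: no auto-provisioning rule matches {sorted(groups)}")
        if self.seats_used() >= self.seats:  # a new or re-synced account needs a free seat
            raise RuntimeError(f"{name}: no free license seat")
        if acct is None:
            acct = Account(name, rule.role, rule.name)
            self.accounts[name] = acct
        else:
            acct.role, acct.rule, acct.out_of_sync = rule.role, rule.name, False
        return acct

    def edit_rule(self, rule_name: str, **changes) -> None:
        """Editing, disabling or deleting a rule marks every account it provisioned out-of-sync."""
        for rule in self.rules:
            if rule.name == rule_name:
                for key, value in changes.items():
                    setattr(rule, key, value)
        for acct in self.accounts.values():
            if acct.rule == rule_name:
                acct.out_of_sync = True

    def convert_to_manual(self, name: str, role: str) -> Account:
        """One-way conversion: the account keeps its seat, and no rule will touch it again."""
        acct = self.accounts[name]
        acct.role, acct.rule, acct.out_of_sync = role, None, False
        return acct


if __name__ == "__main__":
    rules = [Rule("contractors", "cn=contractors", "guest user"),
             Rule("ops", "cn=ops", "standard user")]
    pam = Provisioner(rules, seats=1)
    alice = pam.login("alice", {"cn=ops", "cn=contractors"})
    print(alice.role)          # guest user: the contractors rule is listed first
```

A user who belongs to both groups gets the role of whichever rule is listed first, so place the most specific (and usually most restrictive) rules at the top. Note also that editing a rule silently frees the seats of every account it provisioned until those users log in again.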

Good job! You now know how to support remote users with FortiPAM.

Now, you will learn about user groups.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in describing the purpose of FortiPAM user groups, including sponsored
groups, you will be able to create a group structure that meets the needs of your organization.

Using groups to assign permissions on FortiPAM offers a structured and efficient approach to user
management. Instead of granting permissions individually, administrators can simplify administration tasks by
assigning users to groups, ensuring consistent access control.

Groups improve consistency by standardizing permission assignments across multiple users. This reduces
the risk of misconfigurations and ensures that users with similar roles receive the same level of access.
Additionally, using groups makes the system more scalable because new users can be easily added to the
appropriate group without the need for manual adjustments.

FortiPAM groups can contain both local and remote users, providing flexibility in managing on-premises and
externally authenticated users.

Group membership can be used to determine the access level to secrets, targets, and folders, allowing
administrators to enforce role-based access control (RBAC) efficiently.

You can use sponsored groups on FortiPAM as a method to delegate administrative permissions over specific
user accounts, improving security and efficiency in user management. This approach is useful when you need
to distribute workload among administrators or when you need more visibility over contractor users.

Each sponsored group is assigned a fixed, but editable, number of users and is managed by one or more
sponsor administrators. Sponsor administrators have limited administrative access, allowing them to manage
users, secrets, and logs within only their assigned sponsored group. This restriction ensures that sponsor
administrators cannot view or modify resources outside their designated scope. This model helps enforce the
principle of least privilege, ensuring that administrative responsibilities are distributed efficiently, without
compromising security.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the user, group, and role types
available on FortiPAM, and how you can implement them to meet the needs of your organization.

Secrets Management

In this lesson, you will learn about FortiPAM secrets and their settings. You will also learn about the
configuration of folders and targets.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By mastering the use of folders, you will be able to implement a logical and hierarchical structure for the
privileged assets protected by FortiPAM.


FortiPAM supports the use of folders to store secrets. Before creating a secret, you must select a folder where
it will be stored.

You can also create subfolders, allowing for efficient resource organization in a hierarchical structure. This
simplifies permission management because all secrets within a folder inherit the access level and policies of
their parent folder by default. You can also stop the inheritance and assign specific permissions and policies
at the subfolder level. This is useful when each subfolder requires custom access levels for different users or
groups, ensuring granular access control.

FortiPAM supports two folder types: public and personal.


Public folders are designed for team-based scenarios where multiple users or groups must access the same
privileged resources.

By default, permissions applied to a higher-level folder are inherited by subfolders, reducing administrative
overhead. This also enables organizations to enforce consistent access control to secrets. Administrators
control access to public folders, ensuring compliance with organizational security policies.

Personal folders isolate credentials for individual users and ensure they have a private space to store and
manage their personal secrets. Each personal folder is accessible only by its owner, and no other users can
be granted access to it. Unlike public folders, personal folders do not inherit access permissions from higher-
level personal folders. However, they can inherit the secret policy from a higher-level personal folder.


This slide shows three examples of folder hierarchy designs based on different scenarios.

Starting from the left, these examples illustrate the following:

• A design based on the type of systems present in the organization
• A design for a cybersecurity team or department
• A design for a managed service provider (MSP) managing multiple client infrastructures


The access control to a folder has three components: folder permissions, secret policy assigned, and zero
trust network access (ZTNA) control settings.

You can grant one of the following folder permissions to users:

• View: allows users to view secrets and subfolders in a folder.
• Add secret: allows users to create new secrets and subfolders.
• Edit: allows users to create and edit the folder, as well as its secrets and subfolders.
• Owner: is the highest permission level. It allows users to create, edit, delete, and move the folder and its
secrets and subfolders.

Each folder must have a secret policy assigned. The assigned policy controls the level of access to the
secrets stored in that folder. You will learn more about secret policies in this lesson.

Optionally, when all the requirements for ZTNA-based access control are in place, you can set a folder to
inherit the ZTNA control setting from its parent or use custom ZTNA tags. You will learn more about ZTNA-
based access control in another lesson.


FortiPAM allows administrators to enforce consistent access control policies across folder hierarchies by
propagating specific security settings from parent folders to subfolders.

For public folders, the following access control mechanisms can be inherited by subfolders:

• Folder permissions
• Secret policy
• ZTNA control

For personal folders, inheritance is more restrictive to maintain user-specific access controls. The following
mechanisms can be propagated from a parent personal folder to a subfolder:

• Secret policy
• ZTNA control

In both cases, inheritance can be stopped when custom permissions are required for a subfolder. You can
also stop inheritance at the secret level.
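The inheritance rules above, modelled as an added example (this is illustration code, not FortiPAM code): a small resolver walks a constructed folder tree and works out which permissions, secret policy and ZTNA tags actually apply to a subfolder, distinguishing public from personal folders and honouring a stopped inheritance. Folder names, user names and policy names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Folder permission levels, least to most privileged, and the minimum level
# each folder action needs (from the four levels described in this lesson).
LEVELS = ["View", "Add secret", "Edit", "Owner"]
REQUIRED = {"view": "View", "add_secret": "Add secret", "edit": "Edit",
            "delete": "Owner", "move": "Owner"}

# Settings a subfolder may inherit from its parent, per folder type.
INHERITABLE = {
    "public": {"permissions", "secret_policy", "ztna"},
    "personal": {"secret_policy", "ztna"},
}


@dataclass
class Folder:
    name: str
    kind: str                                   # "public" or "personal"
    parent: Optional["Folder"] = None
    inherit: bool = True                        # False = inheritance stopped here
    permissions: Dict[str, str] = field(default_factory=dict)  # user -> level
    secret_policy: Optional[str] = None
    ztna: Optional[List[str]] = None            # custom ZTNA tags, None = not set


def effective(folder: Folder) -> dict:
    """Resolve the settings that actually apply to `folder`.

    While inheritance is on, inheritable settings come from the parent chain;
    once a folder stops inheritance, its own settings apply from there down.
    Settings a folder type never inherits (permissions on personal folders)
    are always taken from the folder itself.
    """
    own = {"permissions": folder.permissions,
           "secret_policy": folder.secret_policy,
           "ztna": folder.ztna}
    if folder.parent is None or not folder.inherit:
        return own
    parent_eff = effective(folder.parent)
    return {key: (parent_eff[key] if key in INHERITABLE[folder.kind] else value)
            for key, value in own.items()}


def permission_allows(level: Optional[str], action: str) -> bool:
    """True if `level` is at least the level `action` requires."""
    if level is None:
        return False
    return LEVELS.index(level) >= LEVELS.index(REQUIRED[action])


def can(user: str, folder: Folder, action: str) -> bool:
    """Decide whether `user` may perform `action` on `folder`."""
    perms = effective(folder)["permissions"]
    return permission_allows(perms.get(user), action)


def demo_tree() -> Dict[str, Folder]:
    """Constructed hierarchy: a public tree whose Vendors subfolder stops
    inheritance, and a personal folder with one subfolder."""
    it = Folder("IT", "public",
                permissions={"alice": "Owner", "bob": "View"},
                secret_policy="Default", ztna=["Corporate"])
    servers = Folder("IT/Servers", "public", parent=it)          # inherits everything
    vendors = Folder("IT/Vendors", "public", parent=it, inherit=False,
                     permissions={"alice": "Owner", "carol": "Add secret"},
                     secret_policy="Vendor-Approval", ztna=["Vendor-Laptop"])
    personal = Folder("dave", "personal",
                      permissions={"dave": "Owner"}, secret_policy="Strict")
    notes = Folder("dave/Notes", "personal", parent=personal,
                   permissions={"dave": "Owner"})   # only policy and ZTNA flow down
    return {"it": it, "servers": servers, "vendors": vendors,
            "personal": personal, "notes": notes}


if __name__ == "__main__":
    tree = demo_tree()
    for folder in tree.values():
        print(f"{folder.name:12} -> {effective(folder)}")
    print("bob may add secrets in IT/Servers:", can("bob", tree["servers"], "add_secret"))
```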


Good job! You now understand how you can use folders in FortiPAM.

Now, you will learn about the management and configuration of targets in FortiPAM.


After completing this section, you should be able to achieve the objectives shown on this slide.

By mastering the use of FortiPAM targets, you can implement a secure and consistent method to access the
privileged assets protected by FortiPAM.


A target is a device with a privileged account that supports Remote Desktop Protocol, SSH, web, or other
administrative protocols. Targets can point to Windows workstations, Windows domain controllers, web
servers, Unix servers, SQL servers, routers, or firewalls, among others.

Targets allow a host to have a common configuration across secrets.

Every secret requires an existing target. Generally, you should create the target before the secret. However,
the GUI allows you to create a target during the creation of a secret. If appropriate, you can use one target for
multiple secrets.


Classification tags provide a method of categorizing targets. Classification tags act as metadata labels that
help administrators organize assets based on parameters that they consider helpful. For example, a company
might use tags such as Production, Development, Critical Systems, or Third-Party Access.

Classification tags improve visibility, allowing security teams to quickly filter and review targets based on their
tags.


All users have read/write access to targets by default, allowing them to view and modify those targets.
However, administrators can define custom permissions to enforce stricter access controls.

FortiPAM provides two categories of custom target permissions:

• Create secret: allows users to create secrets using the target but does not allow them to modify or delete
the target itself.
• Owner: provides full control over the target, including creating secrets, as well as editing and deleting the
target.

Permissions can be assigned at user and group levels, enabling flexible access control configurations.


The configuration options available for a target depend on the template used, ensuring that only relevant
parameters are applied to each resource type. For example, web-based targets require a URL as part of their
configuration, while other types of targets, such as servers or network devices, may require only a hostname
or IP address.

Despite these variations, several parameters are common across different target types, including:

• Name: provides a unique identifier for the target.
• Classification tag: helps categorize targets.
• Default template: specifies the predefined secret template applied to the target.
• Host or URL: defines the network location of the target system.
• Gateway: indicates whether access requires a jump host or intermediary system. This is an optional setting.
• Description: provides additional context or notes about the target.


Good job! You now understand FortiPAM targets.

Now, you will learn about the management and configuration of FortiPAM secrets.


After completing this section, you should be able to achieve the objectives shown on this slide.

By mastering the implementation of FortiPAM secrets, you will be able to control and secure the access to the
privileged assets protected by FortiPAM.


Secrets are the core elements of FortiPAM. They contain all the parameters used for accessing target
systems in your organization. Secrets contain information about credentials, the target IP address,
administrative protocols, and several policy and service-related settings that determine how users can
communicate with the protected assets.

This slide shows some of the configuration options associated with a secret. These options vary depending on
the target and the template used.


A secret template stores common settings that you can use to configure secrets, ensuring consistency in
secret creation.

A secret template specifies key attributes, such as the server type, authentication parameters, and the
launchers that can be used. FortiPAM secret templates also support automated password changers, which
help enforce compliance by rotating credentials at defined intervals.

FortiPAM includes several default secret templates for a wide variety of asset types. These default templates
allow you to edit only the Launcher section. If more customization is required, you can clone a default
template. You will then be able to customize the clone fully. You can also create new templates from scratch.


You must attach a secret policy to a folder. The corresponding policy settings are applied to all secrets in that
folder. Subfolders inherit the secret policy of the parent folder by default.

FortiPAM includes one default policy. You can create custom policies from scratch or by cloning and editing
an existing policy.

A policy consists of several settings that you can enable, disable, or not set.

Settings that are enabled or disabled in the policy cannot be changed in the secrets to which the policy applies.
However, you can customize any setting that the policy leaves as Not Set.


The table on this slide shows some of the policy settings available, and a short description of their functionality
when enabled.

Refer to the FortiPAM Administration Guide for a complete list of policy settings.


You can enable the explicit web proxy to enhance security when accessing web-based accounts. This feature
requires that clients have the Fortinet Privileged Access browser extension installed.

When a user accesses a target through a supported browser, the browser extension redirects the requests
through the FortiPAM web proxy. This redirection is achieved using proxy auto-configuration (PAC) rules to
dynamically operate on the web browser and successfully proxy the traffic to FortiPAM based on the
configured domain. The web proxy runs on port 8080 by default, but you can configure it to run on a custom
port if needed.

This setup allows FortiPAM to inspect HTTPS traffic and securely inject credentials, replacing passwords
before they reach the client device and protecting sensitive information from being exposed locally.

When the option to replace web credentials on the proxy is enabled, FortiPAM handles the credentials
exclusively, offering greater protection.

When clients cannot reach the FortiPAM interface directly—for example, when FortiPAM is deployed behind a
firewall—you must configure a VIP on the firewall and set it to forward traffic from the VIP to the FortiPAM
interface. You must add the VIP to your DNS server and give it an FQDN.

On the FortiPAM side, add the FQDN to your web proxy configuration using the following CLI commands:
config web-proxy global
set proxy-fqdn [FQDN of VIP]
end


Discovery is the process by which FortiPAM scans an Active Directory (AD) environment to find accounts and
other associated resources. Once the accounts and resources are found, they can be automatically imported
to FortiPAM for centralized management.

Discovery helps provide a better overview of the existing accounts in an AD. The automatic import feature
saves time.


FortiPAM provides SSH filter profiles to enhance the security of SSH access to privileged systems. These
filters define what users can do within an SSH session, helping organizations prevent unauthorized actions.

With SSH profile filters, administrators can restrict which commands a user can execute. For example, filters
can block risky configuration commands to prevent accidental or malicious actions.

SSH filter profiles can operate in two modes:

• Deny: You can configure a list of SSH command patterns that cannot be used by the FortiPAM user.
• Allow: You can configure a list of SSH command patterns that the user can execute. FortiPAM blocks other
commands entered by the user.

An SSH filter profile can use the following patterns to determine which commands are allowed:

• Start with a single word
• Exact match
• Regex

This slide shows an example of a command being denied during an SSH session.

Note that SSH filters look for character matches in the pattern, not for the actual commands. Abbreviated
versions of commands may circumvent the filter. For example, a pattern set to match commands that start
with config, will not match the command conf sys interface.
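To make the caveat above concrete, here is an added example (illustration code, not FortiPAM's filter implementation) of an SSH filter evaluator with the three pattern types and both modes, run over constructed command lines: the start-with pattern misses the abbreviated command, while a regex pattern written to cover abbreviations catches it, and an allow profile shows the read-only alternative. How FortiPAM applies a regex (search anywhere versus full-line match) is an assumption here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pattern:
    kind: str    # "start" (start with a single word), "exact" or "regex"
    value: str

    def matches(self, command: str) -> bool:
        """Compare the typed text with the pattern. As the lesson notes, this
        is a character comparison: the filter does not know which command an
        abbreviation expands to on the target device."""
        cmd = command.strip()
        if self.kind == "start":
            words = cmd.split(maxsplit=1)
            return bool(words) and words[0] == self.value
        if self.kind == "exact":
            return cmd == self.value
        if self.kind == "regex":
            # Assumed semantics: the pattern may match anywhere in the line
            return re.search(self.value, cmd) is not None
        raise ValueError(f"unknown pattern kind {self.kind!r}")


@dataclass
class SshFilterProfile:
    mode: str                 # "deny": listed patterns are blocked; "allow": only listed run
    patterns: List[Pattern]

    def decide(self, command: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for one command line."""
        hit: Optional[Pattern] = next((p for p in self.patterns if p.matches(command)), None)
        if self.mode == "deny":
            if hit:
                return False, f"denied by {hit.kind} pattern {hit.value!r}"
            return True, "no deny pattern matched"
        if self.mode == "allow":
            if hit:
                return True, f"allowed by {hit.kind} pattern {hit.value!r}"
            return False, "command not in allow list"
        raise ValueError(f"unknown mode {self.mode!r}")

    def blocked(self, session_lines: List[str]) -> List[str]:
        """Commands from a session transcript that this profile would block."""
        return [line for line in session_lines if not self.decide(line)[0]]


# Constructed session transcript (not a real capture) of a FortiGate-style CLI.
SESSION = [
    "get system status",
    "show system interface",
    "config system interface",   # full command
    "conf sys interface",        # abbreviated form of the same command
    "execute ping 192.0.2.1",
]

# Deny profile as in the lesson's caveat: lines whose first word is exactly "config".
DENY_START = SshFilterProfile("deny", [Pattern("start", "config")])

# Same intent with a regex: any first word beginning with "conf" is denied, so the
# abbreviated form is caught too (at the cost of also matching e.g. "confirm").
DENY_REGEX = SshFilterProfile("deny", [Pattern("regex", r"^conf\w*\b")])

# Allow profile: read-only commands only; everything else is blocked.
ALLOW_READONLY = SshFilterProfile("allow", [
    Pattern("exact", "get system status"),
    Pattern("start", "show"),
])

if __name__ == "__main__":
    for name, profile in [("start-with deny", DENY_START),
                          ("regex deny", DENY_REGEX),
                          ("read-only allow", ALLOW_READONLY)]:
        print(f"{name}: blocks {profile.blocked(SESSION)}")
```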


Windows application filters on FortiPAM provide a security mechanism to control and restrict the use of
specific applications during privileged sessions. These filters ensure that users can access only authorized
applications, preventing unauthorized software execution and reducing the risk of malware infections or data
leaks.

Administrators can configure allowlists and blocklists to define which applications users can run within a
Windows session. For example, a finance team may be restricted to using only accounting software, while IT
administrators may have access to system management tools. By blocking unauthorized applications like web
browsers, file-sharing programs, or scripting tools, organizations can enforce security policies and minimize
the risk of data exfiltration.

Windows application filters support three types of patterns. Each filter entry specifies a deny pattern for one
of the following file types:

• Executable: Executable files such as EXE, COM, and any portable executable files
• Script: Scripts such as PS1, BAT, CMD, VBS, and JS
• Installer: Windows installer files such as MSI, MST, MSP

This slide shows the message a user receives when they try to open an application that is not allowed.


The approval process on FortiPAM provides a secure mechanism to control access to sensitive secrets by
requiring designated authorization before use. When a secret is configured with an approval policy, users
must first submit a request to access it. This request typically includes details such as the reason for access
and the time window during which the session is intended.

Once submitted, the request enters an approval workflow where one or more predefined approvers are
notified. These approvers can review the request, add comments, and choose to either approve or deny it.
The approval workflow can be tailored to support a single approver or multiple approvers based on the
organization's policies.

If approved, FortiPAM grants the requesting user temporary access to the secret and allows them to launch a
session. If the session is not initiated within the approved window, access automatically expires to prevent
unauthorized use. All approval actions and session activity are logged for auditing and compliance purposes,
ensuring transparency and traceability in privileged access management.

An approver can also approve the request by responding to a secret approval request email directly without
logging in to FortiPAM. When the reviewer clicks Approve or Deny in the email, they will use a preset email
template to send their responses. If the approval email server settings are correctly configured, FortiPAM will
act as an email client to fetch the response emails periodically.

To use this feature, you must configure an approval email server in System > Settings.

You can allow secret owners to bypass the secret request and approval process. When Bypass Approval is
enabled, secret owners do not need approval to launch their secrets.


FortiPAM approval profiles define the rules and workflows required for users to access privileged resources.
These profiles help enforce security policies by requiring approvals before executing specific actions, such as
accessing secrets, initiating privileged sessions, or modifying configurations.

Administrators can configure multilevel approval workflows, ensuring that requests go through one or more
approvers based on criteria such as user roles, target classification, or request urgency. For example,
accessing a highly sensitive database may require two-factor approval, where a manager and a security
officer must grant permission.

Approval profiles also support time-based restrictions, allowing organizations to enforce just-in-time (JIT)
access. This limits access duration, reducing the risk of credential misuse. All approval requests and
responses are also logged for auditing and compliance, providing visibility into privileged access activities.

Organizations can strengthen security, enforce access governance, and reduce the risk of unauthorized
privilege escalation by implementing approval profiles. This ensures that sensitive resources are accessed
only when necessary and with proper oversight.


FortiPAM offers the unique ability to prevent, detect, and remove malware when you transfer files between the
local workstation and privileged servers. If a secret is configured with an antivirus profile, FortiPAM detects
potential malware uploaded to or downloaded from the related server.

This feature is available only for specific launcher types, such as WinSCP, Web SMB, and Web SFTP.

You can use the default profile included with FortiPAM, or you can create new custom profiles to inspect
specific protocols, remove viruses, and so on.

Note that you must inspect the HTTP protocol in the antivirus profile for Web SMB and Web SFTP launchers,
while the SSH protocol needs to be inspected for a WinSCP launcher.

For HTTP and SSH protocols, you can set the antivirus service as one of the following:

• Disable: Disable antivirus scanning and monitoring.
• Block: When a virus is detected, it prevents the infected files from uploading to or downloading from the
target server. A security log is recorded. This is the default.
• Monitor: When a virus is detected, it allows the infected files. A security log is recorded.


Data loss prevention (DLP) is a cybersecurity solution that detects and prevents data breaches. Because it
blocks the extraction of sensitive data, organizations can use it for internal security and regulatory compliance.

DLP can also prevent unwanted data from entering your network and archive some or all the content that
passes through FortiPAM.

This feature is available only for specific launcher types like WinSCP, Web SMB, and Web SFTP.

FortiPAM offers the following preconfigured DLP sensors:

• All_Executables: includes a DLP filter rule that filters all the available protocols by their file types.
• Content_Archive: records details of all the activity detected by the profile.
• Content_Summary: records a summary of all the activity detected by the profile.
• Large_Files: includes a DLP filter rule that filters all the available protocols by file size.


You can use FortiPAM password changers to automate rotating and updating credentials for privileged
accounts, ensuring security best practices while reducing manual management overhead. These automated
changers help enforce password policies, prevent credential reuse, and mitigate risks associated with
compromised accounts. This ensures that privileged accounts always have fresh, unique passwords, reducing
the chances of unauthorized access.

Password changers follow the requirements of the password policy configured on FortiPAM. For successful
updates, the password policy of the target device must be compatible with the FortiPAM password policy. For
example, if the target policy requires that special characters be used in the password and the FortiPAM policy
doesn’t, an attempt to change the password fails. Whenever possible, both policies should have the same
requirements.

This slide lists some of the default FortiPAM password changers. For the complete list, refer to the FortiPAM
Administration Guide. You cannot edit the default password changers. However, you can clone them or create
new ones from scratch.
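The policy-compatibility point above, as an added example (illustration code, not FortiPAM code): a password generator driven by one policy, a checker for another, and a comparison that reports which target requirements the FortiPAM policy does not guarantee, plus a simulation of rotations to show why a weaker FortiPAM policy fails intermittently rather than always. The policy fields and the special-character set are constructed assumptions, not FortiPAM settings.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy shape: a minimum length and a minimum count per
    character class. Both FortiPAM and the target are modelled this way."""
    min_length: int = 8
    min_upper: int = 0
    min_lower: int = 0
    min_digit: int = 0
    min_special: int = 0
    special_chars: str = "!@#$%^&*()-_=+"   # special characters this side accepts


# Character classes with a fixed alphabet; specials come from the policy itself.
FIXED_CLASSES = {
    "min_upper": string.ascii_uppercase,
    "min_lower": string.ascii_lowercase,
    "min_digit": string.digits,
}
COUNT_FIELDS = ("min_length", *FIXED_CLASSES, "min_special")


def complies(password: str, policy: PasswordPolicy) -> bool:
    """True if `password` meets every requirement of `policy`."""
    if len(password) < policy.min_length:
        return False
    for attr, alphabet in FIXED_CLASSES.items():
        if sum(c in alphabet for c in password) < getattr(policy, attr):
            return False
    if any(not c.isalnum() and c not in policy.special_chars for c in password):
        return False     # a special character this side does not accept
    return sum(c in policy.special_chars for c in password) >= policy.min_special


def generate(policy: PasswordPolicy) -> str:
    """Random password satisfying `policy` (stands in for the changer's generator)."""
    rng = secrets.SystemRandom()
    chars: List[str] = []
    for attr, alphabet in FIXED_CLASSES.items():            # guaranteed minimums first
        chars += [rng.choice(alphabet) for _ in range(getattr(policy, attr))]
    chars += [rng.choice(policy.special_chars) for _ in range(policy.min_special)]
    everything = string.ascii_letters + string.digits + policy.special_chars
    while len(chars) < policy.min_length:                     # pad to length
        chars.append(rng.choice(everything))
    rng.shuffle(chars)
    return "".join(chars)


def policy_gaps(fortipam: PasswordPolicy, target: PasswordPolicy) -> List[str]:
    """Target requirements that the FortiPAM policy does not guarantee.

    An empty list means every password FortiPAM generates is accepted by the
    target, so a rotation cannot fail on policy grounds."""
    gaps = []
    for attr in COUNT_FIELDS:
        if getattr(fortipam, attr) < getattr(target, attr):
            gaps.append(f"{attr}: FortiPAM guarantees {getattr(fortipam, attr)}, "
                        f"target requires {getattr(target, attr)}")
    if not set(fortipam.special_chars) <= set(target.special_chars):
        gaps.append("special_chars: FortiPAM may use characters the target rejects")
    return gaps


def failed_rotations(fortipam: PasswordPolicy, target: PasswordPolicy, trials: int) -> int:
    """Simulate `trials` password changes and count those the target would reject."""
    return sum(not complies(generate(fortipam), target) for _ in range(trials))


# The lesson's scenario: the target demands a special character, FortiPAM does not.
FORTIPAM_POLICY = PasswordPolicy(min_length=12, min_upper=1, min_lower=1, min_digit=1)
TARGET_POLICY = PasswordPolicy(min_length=12, min_upper=1, min_lower=1, min_digit=1, min_special=1)

if __name__ == "__main__":
    print("gaps:", policy_gaps(FORTIPAM_POLICY, TARGET_POLICY))
    print("rejected rotations out of 200:", failed_rotations(FORTIPAM_POLICY, TARGET_POLICY, 200))
    print("rejected with matching policies:", failed_rotations(TARGET_POLICY, TARGET_POLICY, 200))
```

With the weaker FortiPAM policy, some generated passwords happen to contain a special character and others do not, so rotations fail unpredictably; aligning the two policies drives the failure count to zero.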


FortiPAM password changer settings are organized in three categories: general, changers, and verifiers. The
verifiers settings are optional.

General settings define the overall behavior of the password changer. They include the password changer
name and type, corresponding to the protocol and method used. They also include settings to specify the
newline character that the target device expects. For example, some devices expect a carriage return (CR
(\r)), while others expect a carriage return and line feed (CRLF (\r\n)). This category also includes settings for
configuring whether the main secret or an associated secret is responsible for changing or verifying the
password.

Changers settings include the step-by-step command sequence required to change the password. Each step
can be rearranged and is defined by one of three command types: execute, expect, or expect prompt. The
logic for each command depends on its type and whether it is marked as critical. FortiPAM also supports
variables within commands, such as $NEWPASSWORD, to apply new credentials dynamically during command
execution.

Verifiers settings are optional and function similarly to the changers settings, but instead of changing the
password, these settings are used to verify that the password configured on FortiPAM is current. Among the
built-in password changers in FortiPAM, only the Cisco Enable Secret template includes verifiers settings by
default.


This slide shows an example of a password changer configuration used to update passwords on FortiGate
devices. The command sequence is exactly what you would type if you were changing the password directly
on the device.

This example is based on the SSH Password (FortiProduct) default password changer, but it includes only
some sections. The complete configuration includes more steps and more fields for each step.


Service accounts are non-human, privileged accounts that systems use to run applications, automated tasks,
or background services. Service accounts assign identities and permissions to processes, often with broad
access across systems or domains. While some are created manually, many come preconfigured with
software or operating systems. Due to their continuous operation and high-level privileges, service accounts
pose significant security risks. This makes them attractive targets for attackers who try to exploit them to gain
persistent, stealthy access across IT environments.

If a service running on a machine relies on a credential managed by FortiPAM, the dependency updater
feature offers the ability to update the service credential immediately after FortiPAM changes the credential.
FortiPAM ensures that the service does not fail during authentication.

When you edit a secret, the Dependency tab displays a list of dependency updaters, or you can add new
ones as needed. A dependency updater defines the service identifier, its type, and whether the service is
restarted after a password update.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure FortiPAM folders, targets,
and secret settings.

ZTNA Access Control

In this lesson, you will learn about zero trust network access (ZTNA) and how to use it on FortiPAM.

By demonstrating competence in configuring ZTNA, you will be able to use ZTNA security posture tags to
control access to the privileged assets that FortiPAM protects.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding ZTNA access and its benefits, you will be able to explain how
you can use this technology to provide secure access to your organization's resources.


Fortinet universal ZTNA is a solution that secures user access to corporate resources that can be hosted
anywhere, from any location, and on any device.

The key components of ZTNA are:

• An endpoint management server (EMS)
• Endpoint devices with FortiClient installed and connected to an EMS server
• ZTNA application gateways

The EMS server is used to manage endpoints centrally, gain visibility into endpoint posture, define security
posture tagging rules, and configure all FortiClient endpoint security features, including ZTNA, remote access,
antivirus, malware protection, and so on.

FortiClient is a client agent that combines ZTNA, VPN, vulnerability scan, and endpoint protection. It is
supported on Windows, macOS, Linux, and mobile devices running Android and iOS.

The ZTNA application gateway is an access proxy embedded as a FortiOS feature. It enforces zero-trust
policies based on user and device identity, continuous device posture checks, and granular access policies.
This enables flexible enforcement of ZTNA policies for on-premises and remote access. Several Fortinet
products, including FortiPAM, support this capability.


This slide shows some of the benefits of using ZTNA. These benefits include, but are not limited to:

• Its flexible deployment enables organizations to apply access policies for remote and on-site workers. This
ensures a seamless security posture, regardless of location.

• It provides granular control, granting users access to specific resources only for the duration of their
session.

• It continuously verifies the user identity, device health, and security posture before granting application
access.

• The unified FortiClient agent simplifies endpoint security by integrating ZTNA, vulnerability scanning, URL
filtering, and endpoint protection into a single solution.


FortiClient must connect to FortiClient EMS for ZTNA to work.

To provide connectivity to the remote FortiClient endpoints, you must allow access to port 8013 on the
FortiClient EMS through the corporate firewalls.

You can verify the connection status on the FortiClient console in its ZERO TRUST TELEMETRY menu, or on
the FortiClient EMS GUI by navigating to the Endpoints > All Endpoints page.


Security posture tags determine the security posture of an endpoint running FortiClient. They are configured
through security posture tagging rules on the FortiClient EMS server.

Administrators can create security posture tagging rules for Windows, macOS, Linux, iOS, and Android
endpoints based on their OS versions, antivirus software installation, logged-in domains, running processes,
and many other criteria.

The endpoints running FortiClient maintain a continuous connection to FortiClient EMS and automatically
synchronize the security posture tags for compliance checks. You can grant access to resources only after
verifying the device, authenticating the user identity, and performing context-based posture checks using
security posture tags. If the verification fails, access is denied.


You can create, edit, and delete security posture tagging rules for Windows, macOS, Linux, iOS, and Android
endpoints. The configuration available for each rule varies depending on which OS you select.

This slide shows five examples of available security posture tagging rule types. Each rule type provides
different configuration options. For example, if you select File as the rule type, then you must enter the
desired filename and path that must be present on the endpoint.

You can configure multiple conditions for all rule types and require whether endpoints must satisfy all or any
configured conditions to meet the rule.

You can also use the NOT logical operator to check for the absence of a condition instead. Note that not all
rule types support the NOT operator. Refer to the EMS Administration Guide for more detailed information
about tagging rules.


Good job! You now understand the basic concepts of ZTNA.

Now, you will learn about the configuration of ZTNA access control with FortiPAM.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the steps to configure ZTNA access control with FortiPAM,
you will be able to increase the security of critical resources in your organization.


This slide shows a use case of an on-premises employee accessing protected resources on the LAN.


This slide shows a use case of a remote employee accessing protected resources on the LAN and in the
public cloud.


When on-premises and remote FortiClient endpoints register with FortiClient EMS, they share device
information, user information, and security posture over ZTNA telemetry with the EMS server. Clients also
make a certificate signing request to obtain a client certificate from the EMS acting as the ZTNA certificate
authority (CA).

Based on the client information, EMS applies matching security posture tagging rules to tag the clients. These
tags and the client certificate information are synchronized with FortiPAM in real time. This allows FortiPAM to
verify the client's identity using the client certificate and grant access based on the tags applied by the ZTNA
rule.

This slide shows the flow of events when FortiPAM uses ZTNA to provide access to an on-premises or a
remote endpoint.

1. FortiClient endpoints register on FortiClient EMS and share device information, user login information,
and security posture over ZTNA telemetry with the FortiClient EMS server. Clients also make a certificate
signing request to obtain a client certificate from the FortiClient EMS acting as the ZTNA CA.
2. FortiClient EMS collects the information, signs the client certificate, and uses telemetry communications
to send the applicable security posture tags administrators created.
3. FortiClient EMS synchronizes the FortiClient certificate information and security posture tags with
FortiPAM.
4. FortiClient endpoints send a request to access a resource protected by FortiPAM.
5. FortiPAM performs a device check by verifying whether the certificate provided by FortiClient matches the
certificate on FortiPAM. FortiPAM then performs a posture check based on the security posture tags. If
the verification succeeds, FortiPAM provides encrypted access to the protected resource.


The configuration of ZTNA access control on FortiPAM involves several steps.

First, you must configure EMS tagging rules to classify and tag devices based on their security posture.

Next, you must configure a fabric connector on FortiPAM to enable communication with the EMS server and
retrieve endpoint security posture tags.

For the next step, you must authorize FortiPAM on the EMS server.


Once authorization is complete, you should verify that FortiPAM receives all tags from the EMS server.

You can then configure ZTNA for GUI access on the desired interface, ensuring that only compliant devices
can access the FortiPAM GUI.

Finally, you can configure ZTNA at the secret level for more granular access to restrict privileged credential
access to the corresponding resource.

Note that, by default, secrets in a folder inherit the ZTNA control settings configured in the parent folder.
However, you can break that inheritance and customize the ZTNA control settings when you create or edit a
secret.

In all cases, you can define the matching logic for the device tags using one of the following:

• Logical OR: Devices with any of the selected tags are allowed to launch the secret. Note that this option is
called Any in the case of GUI access.
• Logical AND: Devices must have all the selected tags to launch the secret. Note that this option is called
All in the case of GUI access.
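The tagging-rule logic described earlier (all/any conditions, optional NOT) and the Any/All tag matching with folder inheritance described here, modelled together as an added example that is not Fortinet's code; the rule types, tags, file paths and certificate fingerprints are constructed, and the SYNCED dict stands in for the EMS-to-FortiPAM synchronization of tags and certificate information.

```python
# Added example, not Fortinet code: models the ZTNA decision above. EMS applies
# tagging rules (all/any conditions, optional NOT) to endpoint telemetry facts;
# FortiPAM checks the client certificate, then matches the synced tags with
# Any/All logic, honouring folder inheritance. All values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    kind: str             # constructed rule types: "file", "av", "domain"
    value: str
    negate: bool = False  # NOT operator: the condition must be absent

@dataclass
class TaggingRule:
    tag: str
    conditions: list
    match_all: bool = True  # True: satisfy all conditions; False: any

def condition_holds(endpoint, cond):
    """endpoint: dict of constructed telemetry facts, kind -> set of values."""
    present = cond.value in endpoint.get(cond.kind, set())
    return (not present) if cond.negate else present

def apply_tagging_rules(endpoint, rules):
    """EMS side: the set of tags whose rule this endpoint satisfies."""
    tags = set()
    for rule in rules:
        hits = [condition_holds(endpoint, c) for c in rule.conditions]
        if all(hits) if rule.match_all else any(hits):
            tags.add(rule.tag)
    return tags

@dataclass(frozen=True)
class ZtnaControl:
    tags: frozenset
    logic: str  # "any" = Logical OR (Any); "all" = Logical AND (All)

def tags_match(device_tags, control):
    if control.logic == "any":
        return bool(control.tags & device_tags)
    if control.logic == "all":
        return control.tags <= device_tags
    raise ValueError(f"unknown logic: {control.logic}")

def check_launch(fingerprint, synced, secret_control, folder_control):
    """FortiPAM side: device check (certificate known from the EMS sync), then
    posture check. A secret inherits the folder's control unless it sets its own."""
    tags = synced.get(fingerprint)
    if tags is None:
        return "deny: client certificate not known to FortiPAM"
    control = secret_control if secret_control is not None else folder_control
    if control is not None and not tags_match(tags, control):
        return "deny: posture tags do not satisfy the rule"
    return "allow"

# Constructed EMS rules and telemetry; SYNCED stands for the EMS -> FortiPAM sync.
RULES = [
    TaggingRule("AV-Installed", [Condition("av", "installed")]),
    TaggingRule("Corp-Managed", [Condition("file", r"C:\corp\agent.exe"),
                                 Condition("domain", "corp.example")]),
    TaggingRule("No-Debugger", [Condition("file", r"C:\tools\dbg.exe", True)]),
]
ENDPOINTS = {  # client certificate fingerprint -> facts reported over telemetry
    "sha256:aa11": {"av": {"installed"}, "domain": {"corp.example"},
                    "file": {r"C:\corp\agent.exe"}},
    "sha256:bb22": {"av": {"installed"}, "domain": {"corp.example"},
                    "file": {r"C:\tools\dbg.exe"}},
}
SYNCED = {fp: apply_tagging_rules(f, RULES) for fp, f in ENDPOINTS.items()}
FOLDER_CONTROL = ZtnaControl(frozenset({"Corp-Managed", "No-Debugger"}), "all")
```

With the folder control above, the compliant endpoint is allowed, the endpoint carrying the debugger fails the posture check, and an unknown fingerprint fails the device check; a secret-level control with `any` logic overrides the folder setting.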


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide lists the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use ZTNA security posture tags to
control access to the privileged assets that FortiPAM protects.

Monitoring and Reporting

In this lesson, you will learn about the monitoring and reporting capabilities of FortiPAM.


In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in monitoring user sessions and activity, you will be able to maintain a well-audited and controlled environment.


On the Monitoring > User Monitor page, administrators can view all the users currently logged in to
FortiPAM, along with information such as their user role, source IP address, the duration of their login, traffic
volume, and timestamp of when they last logged in.

This tool is designed to help monitor user activities on FortiPAM. For instance, if the administrator notices an
unusual amount of traffic from a particular user, it could indicate that a potentially risky operation is taking
place. In such cases, the administrator may terminate the user session if it is deemed a malicious action.

For each entry in the list, administrators can select one of the following actions for the corresponding user
session:

• Deauthenticate user: Forcefully log out the current user.
• Disconnect launched sessions: Terminate all the user’s launched secret sessions.
• Deauthenticate and disconnect: Forcefully log out the current user and all the launched secret sessions
associated with the user.


On the Monitoring > Active Sessions page, administrators can oversee the activities of launched secret
sessions.

The page lists all the launched secrets and includes the following information:

• Username
• Account configured in the secret
• Source and destination IP addresses and ports
• The application that is launched
• If applicable, details about the secret gateway
• Application launched, for example, RDP over web and PuTTY
• Duration of the session

Additionally, a camera icon is displayed if the session is being recorded.

Administrators can terminate the selected launched secret session by selecting it, and then clicking
Disconnect.

This monitor is particularly effective when a user engages in malicious activity because the administrator can
promptly terminate the session to protect the integrity of the secret.

Note that disconnecting native nonproxy sessions is currently not supported.


When you launch a secret with Session Recording enabled, and Live Recording is enabled on the Advanced
tab under System > Settings, you can monitor the launched secret session in real time.

To ensure seamless real-time video recording and transmission to FortiPAM, consider the following system
resource guidelines for launching multiple concurrent sessions:

• CPU: 8 logical processors
• Memory: 16 GB

Secret sessions with a red video recording icon are ready to be livestreamed.

You can terminate an active secret session while you monitor it by clicking the Disconnect the current
secret session icon at the top-right of the screen.


Good job! You now understand how you can monitor user sessions and activity in FortiPAM.

Now, let’s examine how to manage logs.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in managing and viewing FortiPAM logs, you will be able to ensure compliance
with auditing requirements and gain valuable insights into user and system activities.


Administrators can configure log settings in FortiPAM under Log & Report > Log Settings to define key
parameters for log management. These settings determine which information is recorded, where the logs are
stored, and how frequently they are captured.

By default, logs are stored locally on the device. However, administrators can also configure FortiPAM to send
logs to external solutions, such as a syslog server or FortiAnalyzer, for centralized storage and analysis.

FortiPAM logs all system events by default, including system activity, user activity, and high availability (HA)
events. The system automatically deletes older logs when disk space becomes low to optimize storage,
ensuring that recent and relevant logs remain accessible.

Proper log configuration enhances monitoring, security auditing, and overall system management.


To enable logging to a custom syslog server in FortiPAM, administrators must first configure the necessary
settings on the Log Settings page. The first step is specifying the server’s IP address or fully qualified
domain name (FQDN) to establish a reliable connection.

Specific configuration parameters for the syslog server must be set using the CLI. These parameters include
the syslog logging mode, the server’s listening port number, the log format, and the log transmission priority.
Additionally, administrators can define the maximum log rate in megabytes per second (MBps) to control the
volume of log data sent to the syslog server.

The FortiPAM Administration Guide provides a detailed breakdown of available configurations and best
practices. Properly configuring these settings ensures effective log management and seamless integration
with external logging systems.


FortiAnalyzer serves as a remote logging server that ensures an additional copy of logs from FortiPAM is
securely stored. This integration is made possible through a fabric connector, which establishes seamless
communication between the two systems.

Once the connection between FortiPAM and FortiAnalyzer is successfully configured, all subsequent logs
generated by FortiPAM become accessible within the corresponding FortiAnalyzer instance. This setup
enhances log management by providing a centralized repository for monitoring and analysis.

When reviewing logs within the Log & Report page of FortiPAM, administrators can select FortiAnalyzer as
the preferred log source. This capability allows for efficient log retrieval and analysis, ensuring comprehensive
visibility into system events and security activities.


All FortiPAM logs are accessible under the Log & Report section, categorized by type.

The primary log categories include Secret Event and Video, System Event, Security Event, and ZTNA
Traffic. Each category is further divided into subcategories to facilitate easier log management and analysis.

For example, the Secret Event and Video category contains logs related to password events, request
events, certificate events, and other secret-related activities. FortiPAM provides standard log filtering options,
allowing administrators to refine their search based on specific criteria.

Double-clicking any log entry reveals its full details, providing deeper insights into the recorded event. The
available log fields vary depending on the log type, ensuring that relevant information is displayed based on
the context of the event. This structured logging system enhances monitoring, troubleshooting, and auditing
within FortiPAM.


FortiPAM allows administrators to review logs specific to a secret while editing it. These logs can be accessed
on the Logs tab and provide detailed insights into activities related to the selected secret.

The three available views for examining secret logs are:

• Secret—Displays general log entries related to the secret.
• SSH—Shows logs related to SSH sessions associated with the secret.
• Edit History—Tracks modifications made to the secret over time.

Additionally, the window provides further details, including the password changer status, password verification
status, and the last launch time. This structured log access enhances monitoring, security auditing, and
troubleshooting for secret management within FortiPAM.

You must have View Secret Log permission to view the secret edit history.


FortiPAM allows administrators to subscribe to secret events and receive email notifications when specific
actions occur. By subscribing to these events, administrators can enhance security monitoring and ensure
prompt awareness of critical changes or potential issues related to stored secrets.

Email notifications must first be properly configured within the system to utilize this feature.

Subscribing to secret events is available when editing a secret on the Event Subscription tab. Administrators
can choose to receive alerts for various events, including:

• Secret Entry Change—Notifies you when a secret has been modified.
• Password Change Failed—Alerts you when a password change operation is unsuccessful.
• View Password Clear Text—Triggers when a password is viewed in plaintext.
• Password Verify Failed—Indicates a failed password verification attempt.
• Secret Check-in—Logs when a secret check-in event occurs.
• Secret Check-out—Tracks when a secret is checked out.
• Secret Launch—Notifies you when a secret launch is attempted.


Good job! You now understand how to manage logs in FortiPAM.

Now, let’s examine reports in FortiPAM.


After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in managing and creating FortiPAM reports, you will be able to analyze
recorded activities effectively, generate insightful compliance and security audits, customize reports to meet
specific organizational needs and enhance overall system visibility and accountability.


FortiPAM provides reports that present recorded activity in an easy-to-read format, enabling administrators to
review system events efficiently.

By default, FortiPAM generates a daily report using a standard layout that includes all available fields.
However, administrators have the flexibility to create custom layouts to include only the specific information
they require.

Reports can be further refined using filters, allowing for a more granular level of detail based on selected
criteria. The main categories available in FortiPAM reports include:

• User Login Activity—Tracks user authentication events.
• System Activity—Logs system-related actions and status changes.
• Secret Activity—Records operations involving secrets.

Each category is further divided into subcategories for more detailed insights. For example, under Secret
Activity, administrators can view reports such as Top Secret Launch by Secret Name, providing a focused
analysis of secret usage trends.


The Secret Audit page displays a list of secret audit reports.

Secret audit reports simplify the administrator's understanding of permission distribution for each secret within
the system. This enables them to swiftly and accurately track any changes in user permissions, including
additions and deletions. Additionally, these reports give auditors a comprehensive view of how permissions
are distributed among users and the clear ownership of each key.

A secret audit report contains the following information about each secret:

• Target server
• User account accessing the secret
• Folder where the secret resides
• Secret name
• User or user group with access to the secret
• Secret access permission level for the user accessing the secret

Each report entry displays the report name and the date when the report was generated.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use the monitoring and reporting
capabilities of FortiPAM.


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
