FortiPAM Datasheet
FortiPAM
Privileged Access and Session Management
Available in: Virtual Machine
Highlights
- Connects, as part of Fortinet’s Security Fabric, with FortiAuthenticator, FortiToken, and FortiClient for a complete IAM solution
- Integrates with FortiClient EMS for zero-trust network access (ZTNA) advanced access tagging
- Provides high-performance and low-latency for business-critical resources
- Includes scheduled credential changing capabilities (LDAPS, Samba, SSH, SSH key)

Account Credentials, User Access, and Activity
Privileged Access and Session Management for managing account credentials, controlling privileged user access, and monitoring activity on privileged accounts. FortiPAM ensures uptime with high availability active/standby HA capabilities.

FortiPAM privileged access management provides controls over elevated privileged access and permissions for users, accounts, processes, systems, and sensitive data across the entire IT environment. FortiPAM is an integral component of the Fortinet Identity and Access Management (IAM) solution which allows organizations to provide tight security for privileged accounts and privileged credentials. FortiPAM provides tightly controlled privileged access to the most sensitive resources within an organization. It enables end-to-end management of privileged accounts, control of privileged user access, and visibility of account usage including monitoring and audit capabilities. These features allow FortiPAM to introduce zero-trust principles to privileged accounts and dramatically lower an organization’s overall attack surface.
Feature Highlights
ZTNA Elements - FortiPAM as Access Proxy
The components of a client-based ZTNA solution.
Specifications
| Function | Function |
|---|---|
| User Management | Launcher |
| Local User | PuTTY (FCT required) |
| Remote Authentication: LDAP Server | Remote Desktop - Windows (FCT required) |
| Remote Authentication: Radius Server | Web Launcher |
| SAML | Web SSH |
| MFA: FortiToken | Web RDP |
| MFA: Email Token | Web VNC |
| MFA: SMS Token | VNC Viewer (FCT required) |
| Administrator Role Management | Tight VNC (FCT required) |
| User Group | Custom Launcher |
| API User | Secret Request Approval |
| User Trusted Host | Approval Profile (up to three Tiers) |
| FortiToken Cloud | Request Review and Approve |
| Secret Folder | Request Notification |
| Public Folder | Multiple Approvals Requirement |
| Personal Folder | Script |
| Folder Permission Control | Password Changer |
| Secret Policy Management | Password Policy |
| Secret Template and Access | Custom Password Changer |
| Unix SSH (Password or Key) | Monitor and Record |
| Windows Domain Account (LDAPS or Samba) | User Monitor |
| Template - FortiGate | Active Sessions Monitor |
| Template - Cisco Device | Session Recording |
| Template - Web Account | Log and Audit |
| Template - Machine | Events - System |
| Custom Template | Events - User |
|  | Events - HA |
| Secret | Logs - Secrets |
| Secret Check-out/Check-in | Logs - Video (Record and Replay) |
| Renew Secret Check-out | System |
| Approval Request | HA |
| Verify Password | Glass Breaking |
| Periodical Password Changer | Maintenance Mode |
| Password Heartbeat | Automatic Configuration Backup |
| Video Recording | Max Duration for the Launcher Session |
| SSH Filter | vTPM: KVM |
| Auto Password Delivery on Native Launcher | vTPM: VMWare |
| Cisco Device Auto-Enable on Native Launcher | ZTNA Tag Endpoint Control |
| Associated Secret Launcher | FortiClient: Custom FCT FortiVRS (video recording daemon) Port |
| Associated Secret Password Changer | Authentication |
| SSH Keyboard Interactive Authentication on Native Launcher | Address (Used in AD Target Restriction) |
| RDP Security Level | Scheme and Rules |
| Block RDP Clipboard | Stability |
| AD Target Restriction | Long Session |
| Move/Clone a Secret | Stress Test (Overload, CPU 70%) |
| Secret Permission Control | Installation |
| Favorite Secrets | Upgrade |
|  | Installation Doc/Administration Guide |
|  | Security |
Ordering Information
| Product | SKU | Description |
|---|---|---|
| FortiPAM-VM | FC1-10-PAVUL-591-02-DD | Subscription for one FortiPAM Virtual Machine seat for between 5 and 9 users. Includes FortiClient VRS agent for FPAM. Includes 24/7 FortiCare support. HA requires additional license for an additional unit with the same user seats license on the backup unit. |
|  | FC2-10-PAVUL-591-02-DD | Subscription for one FortiPAM Virtual Machine seat for between 10 and 24 users. Includes FortiClient VRS agent for FPAM. Includes 24/7 FortiCare support. HA requires additional license for an additional unit with the same user seats license on the backup unit. |
|  | FC3-10-PAVUL-591-02-DD | Subscription for one FortiPAM Virtual Machine seat for between 25 and 49 users. Includes FortiClient VRS agent for FPAM. Includes 24/7 FortiCare support. HA requires additional license for an additional unit with the same user seats license on the backup unit. |
|  | FC4-10-PAVUL-591-02-DD | Subscription for one FortiPAM Virtual Machine seat for between 50 and 99 users. Includes FortiClient VRS agent for FPAM. Includes 24/7 FortiCare support. HA requires additional license for an additional unit with the same user seats license on the backup unit. |
|  | FC5-10-PAVUL-591-02-DD | Subscription for one FortiPAM Virtual Machine seat for between 100 and 249 users. Includes FortiClient VRS agent for FPAM. Includes 24/7 FortiCare support. HA requires additional license for an additional unit with the same user seats license on the backup unit. |
|  | FC6-10-PAVUL-591-02-DD | Subscription for one FortiPAM Virtual Machine seat for 250 or more users. Includes FortiClient VRS agent for FPAM. Includes 24/7 FortiCare support. HA requires additional license for an additional unit with the same user seats license on the backup unit. |
| FortiPAM License Options |  | Licensed FortiClient with PAM function activated. This is the recommended deployment as additional SSL VPN, ZTNA, SSOMA functions can also be activated. This uses the existing EMS licenses - no additional license required. |
|  |  | Dedicated unlicensed standalone FortiClient with PAM function which does not require EMS. This standalone FortiClient cannot be combined with other FCT standalone versions and can only be used for FortiPAM. |
www.fortinet.com
Copyright © 2023 Fortinet, Inc. All rights reserved.
FPM-DAT-R01-20230126