FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
sfernando
Staff
Article Id 411144
Description This article describes how to configure a web launch to a target when FortiPAM is behind a FortiGate.
Scope FortiPAM v1.4 and above.
Solution

Refer to the diagram below: the enterprise LAN is protected by a FortiGate, and FortiPAM sits behind it. Users on the internet reach the targets only through FortiPAM, so their connections must first be forwarded by the FortiGate to FortiPAM.

(Diagram: FortiPAM Web launch)

To configure the above setup, follow the steps below. The example uses these values:

In this example, the FortiPAM explicit web proxy listens on port 1444; internet users reach the targets through this port.

10.56.244.59 is the public IP shown in the diagram and is used as the external IP of the VIP.

The VLAN between the FortiGate and FortiPAM is 3.

The VLAN between FortiPAM and the targets is 49.

The targets are directly connected to FortiPAM; hence, no gateways are configured.

 

  1. Configure a VIP on the FortiGate. Either the external interface IP or any other IP in that interface's subnet can be used as the external IP; internet users connect to this address to reach FortiPAM.

 

config firewall vip
    edit "test1"
        set uuid acf19156-83a4-51f0-0dfd-6e2d5c85e333
        set extip 10.56.244.59
        set mappedip "10.3.0.64"
        set extintf "any"
        set portforward enable
        set extport 443-2000
        set mappedport 443-2000
        set portmapping-type m-to-n
    next
end

 

Note 1: The forwarded port range must include the FortiPAM explicit web-proxy port (1444 in this example) as well as 443. With portmapping-type m-to-n and identical extport and mappedport ranges, each external port is forwarded to the same port number on FortiPAM, which is what the web launch expects.

 

  2. Configure a firewall policy on the FortiGate that uses the VIP above as its destination address. The example allows all services; the VIP's port-forward range already limits what reaches FortiPAM, but the service can be narrowed to the ports actually used (443 and the web-proxy port).

 

config firewall policy
    edit 4
        set name "Incoming to PAM"
        set uuid b67ed8be-83a4-51f0-c819-55e08d886986
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "test1"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
end

 

  3. On FortiPAM, enable the explicit web proxy on the interface connected to the FortiGate.

Note 2: Currently, only one FortiPAM interface can have explicit-web-proxy enabled.

 

config system interface
    edit "port3"
        set ip 10.3.0.64 255.255.240.0
        set allowaccess ping ssh
        set type physical
        set explicit-web-proxy enable
        set snmp-index 3
    next
end

 

  4. Configure the explicit web-proxy listening port on FortiPAM.

 

config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "any"
        set http-incoming-port 1444   <-- This port must be covered by the VIP port range (see Note 1).
    next
end

 

  5. Configure the web-proxy global settings on FortiPAM.

     

config web-proxy global
    set proxy-fqdn "10.56.244.59"  <-- This must be the external IP of the VIP configured on the FortiGate.
end

 

Note 3: If an FQDN that resolves to the public IP of the VIP is available, it can be used here instead of the IP.
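The three notes above are where this setup usually breaks (proxy port outside the VIP range, a mapping that shifts the port number, proxy-fqdn not matching the VIP). The following is an added example, not Fortinet's code or part of the article, that parses the FortiGate and FortiPAM CLI excerpts and checks them against each other offline. The config text embedded in it is constructed from the article's values and trimmed to the lines the checks read; parse_fortios, check_web_launch and the other names are this example's own.

```python
"""Offline consistency check for the FortiGate VIP / FortiPAM explicit-proxy
pairing. Added example, not Fortinet code: it parses FortiOS-style CLI
(config/edit/set/next/end) and verifies Notes 1-3 of the article."""
import ipaddress
import shlex

# Constructed sample, reduced to the lines the checks read (FortiGate side).
FORTIGATE_CONFIG = """
config firewall vip
    edit "test1"
        set extip 10.56.244.59
        set mappedip "10.3.0.64"
        set portforward enable
        set extport 443-2000
        set mappedport 443-2000
        set portmapping-type m-to-n
    next
end
"""

# Constructed sample, reduced to the lines the checks read (FortiPAM side).
FORTIPAM_CONFIG = """
config system interface
    edit "port3"
        set ip 10.3.0.64 255.255.240.0
        set explicit-web-proxy enable
    next
end
config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set http-incoming-port 1444
    next
end
config web-proxy global
    set proxy-fqdn "10.56.244.59"
end
"""


def parse_fortios(text):
    """Return {(section, entry): {key: [values]}}; entry is None for sections
    without 'edit'. Nested config blocks are not needed here and not handled."""
    tables, section, entry = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        cmd, *args = shlex.split(line)
        if cmd == "config":
            section, entry = " ".join(args), None
        elif cmd == "edit":
            entry = args[0]
        elif cmd == "set":
            tables.setdefault((section, entry), {})[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            entry = None
    return tables


def entries(tables, section):
    """Named (edit ...) entries of one config section."""
    return {e: v for (s, e), v in tables.items() if s == section and e is not None}


def port_range(spec):
    """'443-2000' -> (443, 2000); a single port '443' -> (443, 443)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def check_web_launch(fortigate_text, fortipam_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    fg, pam, out = parse_fortios(fortigate_text), parse_fortios(fortipam_text), []
    # Note 2: exactly one FortiPAM interface carries explicit-web-proxy.
    proxy_if = {n: c for n, c in entries(pam, "system interface").items()
                if c.get("explicit-web-proxy") == ["enable"]}
    if len(proxy_if) != 1:
        out.append(f"expected one explicit-web-proxy interface, found {sorted(proxy_if)}")
    pam_ips = {c["ip"][0] for c in proxy_if.values() if "ip" in c}
    ports = [int(c["http-incoming-port"][0]) for c in entries(pam, "web-proxy explicit-proxy").values()
             if c.get("status") == ["enable"] and "http-incoming-port" in c]
    proxy_port = ports[0] if ports else None
    if proxy_port is None:
        out.append("no enabled explicit-proxy with http-incoming-port on FortiPAM")
    fqdn = pam.get(("web-proxy global", None), {}).get("proxy-fqdn", [None])[0]
    if not entries(fg, "firewall vip"):
        out.append("no firewall vip on FortiGate")
    for vname, vip in entries(fg, "firewall vip").items():
        extip, mappedip = vip.get("extip", [None])[0], vip.get("mappedip", [None])[0]
        if mappedip not in pam_ips:
            out.append(f"vip {vname}: mappedip {mappedip} is not the proxy interface IP {sorted(pam_ips)}")
        # Note 1: the forwarded range must include the proxy port, and the
        # m-to-n mapping must deliver it to the same port number on FortiPAM.
        if vip.get("portforward") == ["enable"] and proxy_port is not None:
            elo, ehi = port_range(vip.get("extport", ["0"])[0])
            mlo, _ = port_range(vip.get("mappedport", ["0"])[0])
            if not elo <= proxy_port <= ehi:
                out.append(f"vip {vname}: extport {elo}-{ehi} does not cover proxy port {proxy_port}")
            elif mlo + proxy_port - elo != proxy_port:
                out.append(f"vip {vname}: external port {proxy_port} maps to {mlo + proxy_port - elo}, not {proxy_port}")
        # Note 3: proxy-fqdn is the VIP's public IP, or a hostname resolving to it
        # (a hostname cannot be verified offline, so it is reported for follow-up).
        if fqdn is None:
            out.append("proxy-fqdn is not set on FortiPAM")
        else:
            try:
                ipaddress.ip_address(fqdn)
                if fqdn != extip:
                    out.append(f"proxy-fqdn {fqdn} differs from vip {vname} extip {extip}")
            except ValueError:
                out.append(f"proxy-fqdn {fqdn} is a hostname; confirm it resolves to {extip}")
    return out
```

Run check_web_launch on the output of `show firewall vip` / `show firewall policy` from the FortiGate and `show system interface`, `show web-proxy explicit-proxy` and `show web-proxy global` from FortiPAM; an empty list means the port range, the port mapping and proxy-fqdn all line up. The offset check matters because an extport range of 1443-3000 mapped to 443-2000 still "covers" port 1444 but would deliver it to port 444 on FortiPAM.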

 

  6. The targets can now be accessed through the web launch, as shown in the screenshots below.

(Screenshot: Target 1)

(Screenshot: output)