FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
Article Id 249500



This article provides information about troubleshooting client-side when using FortiPAM.








For FortiPAM, after the user configures the required secrets, FortiClient uses three processes to launch the native application and start the video recording service; 1) FortiVRS with session ID: 0, 2) FortiVRS with the user session, and 3) FortiTCS.


1) FortiVRS with session ID: 0:

- Responsible for saving and dropping ZTNA rules for each secret request.

- Responsible for managing FortiVRS[X] daemons.

- Responsible for uploading Video and Meta-data files to FortiPAM.


2) FortiVRS with user session:

- Responsible for Starting Applications in the user session.

- Responsible for Recording Videos of the Application.

- Responsible for Recording Key and Mouse Meta Data of the launched secret.


3) FortiTCS:

- Daemon of the ZTNA feature, responsible for TCP forwarding. 

- Creates a local proxy responsible for forwarding TCP traffic.




Issue 1: Error indicating contacting issue with FortiClient.



Ensure that FortiClient is running along with these 3 daemons:​

- FortiTCS in session 0.

- FortiVRS in session 0.

- FortiVRS in user session [X].




Issue 2: Error indicating start program issue.




Ensure that the secret the user is trying to launch is installed on the client machine with the environment variable set. 


Issue 3: pam json information error.




This is caused by ztna.config file being tampered with by the user. To recover from this, delete the ztna.config file and try again.


Issue 4: Http port mismatch between FortiPAM and FortiClient.


Both FortiPAM and FortiVRS must use the same HTTP Port. To check if there's a mismatch:

- On the FortiPAM Server, look for the value of the Client Port under System/Settings:




- On the Client Machine, look for this log statement in fortivrs_session_0_1.log:




If there is a mismatch, change the port on the PAM server as shown above.


Issue 5: Secret suddenly could not reach the host.

One possible cause is the FortiClient no longer has a connection to the EMS server.

Although ZTNA tunnels/rules may still be created, without an EMS connection it would fail to reach the host. Check the EMS server connection, EMS related info can be found in the Forticlient community .


Client-side logs/traces.


fortitcs/fortivrs traces:

Go to the FortiClient installation directory, then under \logs\trace\. For what each file is responsible for, refer to the background section.



ZTNA config file:

Go to C:\Users\Public\FortiClient\ztna\




Recorded video and metadata files:

Go to Windows Temp Directory: