Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Hi everybody.
We have been using this amazing tool for years, but now it's time to reinforce the security of administrator access.
We are planning to deploy a PAM tool (Privileged Access Management) that allows asset access management with centralized credentials that can be automatically rotated without needing to be known by the IT team. It also provides session logs and even recording.
But we don't want to lose the interface (connection window tabs) and the (huge) asset database that we already have (the PAM tool isn't so friendly).
Having a look at the command line, it seems that we can launch connections from it, and we only need the Rocket RD app to be already open. But I'm not able to also pass the credentials (from the PAM tool).
So my suggestion is to improve the command line to allow this, and even to launch connections without the app open.
Thanks in advance.
Regards.
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
Can you tell us the PAM system you are using? We already have some integrated.
Regards/Gruss
Oliver
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
(21-09-2023, 09:39 AM)DevOma Wrote: Can you tell us the PAM system you are using? We already have some integrated.
FortiPAM. But not yet deployed, just evaluating its adoption.
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
OK - but to use a PAM system and then call another app with username / password to connect is perhaps not the ideal way :-) Normally the PAM solution will provide a gateway / jump server to connect to the destination - so you need to set some special attributes (like port, Load Balancer or whatever) - let me know what fields you would like to use via the command line - I think it should be no big issue to implement...
Regards/Gruss
Oliver
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Ok, let me check with the manufacturer in order to give you accurate information.
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Hello again. I've been discussing with the manufacturer and it seems I was not so clear.
I'd like to continue using Rocket as a common Windows interface (in tabbed form) for all my administrator assets, but without having credentials stored in it. Those will be managed directly and only by FortiPAM, which will pass them to Rocket when I invoke any asset connection from there. That will force us to have all the assets inventoried twice (Rocket and FortiPAM), but maybe an import/export interface would help.
The Rocket command line call will be added to FortiPAM as a possible connection type (like RDP, SSH and so on), in a similar way to how Rocket does it, so when we enter the FortiPAM Gateway with our personal credentials, we will see all our available assets and, clicking on them, FortiPAM will launch the Rocket client with the name of the asset and the needed credentials. The connection type would be desirable as well.
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
Thanks for the update - the best way would be full integration - if FortiPAM has an API to access the data, it would be possible to sync data into RRD (like all the systems) - and then use the API to get access to the server (most PAM solutions use a gateway server to redirect to the destination) - we have implemented this for other solutions and are doing it at the moment for a CyberArk environment.
Of course, in a first step it would be possible to extend the command line to use it - but we will also have a look at FortiPAM for a full integration - in the next weeks - currently some other tasks need to be done!
Regards/Gruss
Oliver
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
FortiPAM seems to have no API for 3rd party integration :-(
So let's continue on the command line needs - if you just want to use the UI for your connections, it would also be possible to use the command line like "QuickConnect" - that would allow you not to save computers in 2 applications - you could specify the Default Connection Properties how you would like and then just open new connections by command line - the question is: What properties does FortiPAM use to connect to destination systems? Most PAM systems use a proxy server - if not, we can add command line options for Destination, user name, password, protocol and port - can you clarify if that would work? Then we can implement these command line options... If it uses a Proxy we need the fields that need to be set...
Regards/Gruss
Oliver
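A sketch of the hand-off Oliver describes, added here as an example (it is not RocketRD's or FortiPAM's code): the PAM side passes destination, user name, protocol and port on the command line but keeps the password off argv, because any local process can read another process's command line (Win32_Process.CommandLine on Windows, /proc/<pid>/cmdline on Linux), so a password option on the command line would be visible to every user on the admin workstation. The flag names, the `/password:-` "read it from stdin" convention and the stand-in client binary are all assumptions made for illustration.

```python
"""Added example: hand a PAM-issued credential to a launched client without
putting it on the command line. Illustrative code, not RocketRD's or FortiPAM's;
the flag names (/quickconnect, /dest:, /user:, ...) are hypothetical."""
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionSpec:
    """Fields a PAM gateway would hand over: destination, user, protocol, port."""
    destination: str
    username: str
    protocol: str = "rdp"
    port: int = 3389


def build_argv(spec: ConnectionSpec, client_exe: str = "RocketRD.exe") -> list:
    """Build the launch command. Everything except the secret goes on argv;
    '/password:-' signals 'read one line from stdin' (hypothetical convention)."""
    return [
        client_exe,
        "/quickconnect",
        f"/dest:{spec.destination}",
        f"/user:{spec.username}",
        f"/protocol:{spec.protocol}",
        f"/port:{spec.port}",
        "/password:-",
    ]


def argv_leaks(argv, secret: str) -> bool:
    """True if the secret would appear in the process command line, which other
    local processes can read (Win32_Process.CommandLine, /proc/<pid>/cmdline)."""
    return any(secret in arg for arg in argv)


def launch_with_secret(argv, secret: str, timeout: float = 10.0):
    """Spawn the client, write the secret once to its stdin and close the pipe so
    it cannot be re-read. Refuses to launch if the secret is on argv.
    Returns (exit code, captured stdout)."""
    if argv_leaks(argv, secret):
        raise ValueError("refusing to launch: secret present on command line")
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate(secret + "\n", timeout=timeout)
    return proc.returncode, out.strip()


# Stand-in for the client binary so the example runs anywhere (constructed for
# this example): reads the secret from stdin and reports only its length.
FAKE_CLIENT = [sys.executable, "-c",
               "import sys; pw = sys.stdin.readline().rstrip('\\n'); print(len(pw))"]


def demo(secret: str = "constructed-secret-not-real"):
    """Run the hand-off against the stand-in client.
    Returns (argv the PAM would build, client exit code, client stdout)."""
    spec = ConnectionSpec("srv01.example.internal", "adm-jdoe")  # constructed values
    argv = build_argv(spec)
    run_argv = FAKE_CLIENT + argv[1:]  # swap the real exe for the stand-in, keep the flags
    rc, out = launch_with_secret(run_argv, secret)
    return argv, rc, out


if __name__ == "__main__":
    argv, rc, out = demo()
    print("argv:", " ".join(argv))
    print("client exit", rc, "- received a secret of", out, "chars")
```

The same pattern works with a named pipe or an inherited handle instead of stdin; the point is that the credential reaches the client over a channel that only the parent and child share, and is written exactly once, so a process listing taken while the session is open shows destination, user and port but never the password.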
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Ok, it would be helpful to have the same command line options as "QuickConnect", with all you mention as a basis (maybe also any 'External app' already configured in RRD).
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Hi again.
Finally I've got access to the FortiPAM API from the manufacturer (Fortinet).
Unfortunately, I can't share it; no document download is available, and the only way is to schedule a remote session showing you the API documentation and getting what you need.
Are you interested in it?
Regards.
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
I would like to see an official document or web page that describes how to use the API - only a remote session is not a good way to share knowledge about that - if Fortinet does not allow it to be seen publicly, I don't think we should implement it - it can change without any notification and increase our efforts.
Regards/Gruss
Oliver
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
(16-11-2023, 02:31 PM)DevOma Wrote: I would like to see an official document or web page that describes how to use the API - only a remote session is not a good way to share knowledge about that - if Fortinet does not allow it to be seen publicly, I don't think we should implement it - it can change without any notification and increase our efforts.
Hello. Fortinet has just told me that you can register at the Fortinet FNDN (https://fndn.fortinet.net/), filling in fbonilla@fortinet.com as the main contact and jduran@fortinet.com as the support contact.
Provide me with the registered email address so I can advise those people.
The direct url for PAM API is https://fndn.fortinet.net/index.php?/for...-fortipam/#
Regards.
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Ok, granted to Oliver Mahr
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
I will have a look in the next days
Regards/Gruss
Oliver
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
Ok, I had a first quick look at the API - and I don't know if we can go on with it - it looks powerful but also complicated - so many different types to get information via the API.
What are your expectations? Normally we would get objects like the folder structure and secrets via the API and sync them to our application - but I can't find these calls - you can configure everything via the API, but that's not what we need for integration.
Regards/Gruss
Oliver
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
It would be perfect for me to continue using Rocket as our main server operation tool, having the secrets and grants managed with FortiPAM.
If it is complex right now and we need to wait several releases, no problem from my side. But I need to know if it's possible and what limitations the Forti API has for accomplishing this, so I can let them know.
Meanwhile, I can start using FortiPAM with the first approach: launching Rocket from the command line with the asset name and credentials.
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
Ok - we always have the problem that we want to support a wide range of tools - but without being an expert in each 3rd party tool :-) PAM tools are always a bit more complex - the easiest way of syncing data would be to get a folder / secret structure - then we could sync these - some other integrations for PAM tools allow us to get a list of servers that a user has access to - and grant the access via API (because users don't know any passwords for remote systems anymore).
As I had a first look into the API documentation - I can see that everything is handled in its own categories like Switches, Gateways, and so on - but I can't see any workflows for getting the allowed remote systems - how to get access...
Currently we have some other implementations we need to go on with first - perhaps we can have a deeper look into the system and API in Q1/24.
Regards/Gruss
Oliver
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Ok, thanks.
Regarding the beta version for the command line (RocketRD2023_Patch8_Beta3_x64_Setup.zip), I'm not able to download it. Maybe the link has timed out (I have problems with this portal's notifications). Could you please send it to me again?
Posts: 11,103 | Threads: 100 | Joined: Aug 2006 | Reputation: 202
Posts: 23 | Threads: 6 | Joined: Sep 2014 | Reputation: 0
Ok, I'll test it.
On the other hand, Fortinet support tells me that they can help you with the integration, giving you API integration samples, if you tell them specifically which functions you need.