FortiOS session recording across the fabric
Every CLI session — FortiGate, FortiSwitch, FortiAP, FortiAnalyzer — recorded with full context. VDOM transitions captured. Searchable text across all sessions.
Fortinet dominates the SMB and mid-market firewall segment, with the Security Fabric extending into switches, wireless, analytics, and EDR. Innovexus brokers SSH and console sessions to every FortiOS-based device — no agent, no FortiManager dependency, no Fabric-side custom integration. Vault, rotation, and session recording work across the Fortinet stack.
Innovexus is agentless from the Fortinet device perspective. Connection via standard SSH (preferred) and console. Anything that authenticates against TACACS+, RADIUS, or local FortiOS users is in scope.
Most Fortinet fleets are running through Innovexus within 1–2 business days. The integration uses standard FortiOS AAA — local users, TACACS+, or RADIUS — without requiring FortiManager or fabric-specific tooling.
Pull the existing FortiOS local admin credentials (typically `admin` plus any operator-class users). Vault them. The Innovexus pod takes over as source of truth; rotation runs on schedule.
Add the Innovexus pod's outbound IP to your `trusted hosts` configuration on FortiGate admin profiles, and to FortiManager/FortiAnalyzer trusted hosts. Existing TACACS+/RADIUS authentication continues to operate at the device level.
Map your FortiOS admin profiles (`super_admin`, custom profiles with VDOM-scoped permissions) to Innovexus role definitions. Engineers see only devices and admin profiles their role permits.
Session recording captures the full FortiOS CLI experience including config-mode commands, batch edits, and policy commits. Configuration drift collection uses `show full-configuration` for complete baseline storage.
Engineers log into Innovexus with their FIDO2 hardware key, click into a Fortinet device, and the brokered SSH session opens with the assigned admin profile. Recording, audit, and credential lifecycle operate automatically.
Local admin credentials, TACACS+ shared secrets, RADIUS keys, and FortiToken seed values all rotate on schedule. Rotation respects FortiOS's commit model and trusted-hosts configuration.
Trusted-hosts configuration ensures Fortinet devices accept management only from the Innovexus pod IP. Lost engineer endpoints cannot connect directly.
Full-configuration baseline collection. Drift detected outside approved sessions fires an alert. VDOM-aware diff for multi-tenant FortiGate deployments.
Fortinet's strongest segment is mid-market and MSP. Innovexus pricing fits that segment by design — Operations $199/mo for SMB-scale fleets, Professional $499/mo for typical mid-market.
Network monitoring (link state, throughput, FortiGate session table health) and security operations (FortiGate log forwarding, threat correlation) alongside PAM. Same console, one tier price.
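The trusted-hosts restriction described above can be verified from the same `show full-configuration` text that is collected as a baseline. The following is an added example, not Innovexus or Fortinet code: it lists every admin account that is still reachable from somewhere other than the pod IP. The sample config, the admin names and the pod address 203.0.113.10 are constructed, and treating `0.0.0.0 0.0.0.0` slots as unset is an assumption about how the device lists unused entries.

```python
import ipaddress
import re

# Constructed sample in the style of FortiOS `show full-configuration` output.
SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 0.0.0.0 0.0.0.0
    next
    edit "noc-operator"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.0 255.255.255.0
        config gui-dashboard
        end
    next
    edit "legacy-backup"
    next
end
'''

def audit_trusted_hosts(config_text, pod_ip):
    """Return {admin: finding} for admins reachable from anywhere but pod_ip/32."""
    pod = ipaddress.ip_network(f"{pod_ip}/32")
    hosts, depth, admin_depth, current = {}, 0, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system admin":
                admin_depth = depth          # also works under `config global`
        elif line == "end":
            if depth == admin_depth:
                admin_depth = None
            depth -= 1
        elif depth != admin_depth:
            continue                         # outside the admin table or in a nested block
        elif m := re.fullmatch(r'edit "([^"]+)"', line):
            current = m.group(1)
            hosts[current] = []
        elif current and (m := re.fullmatch(r"set trusthost\d+ (\S+) (\S+)", line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net.prefixlen:                # assumption: 0.0.0.0/0 slot means unset
                hosts[current].append(net)
    findings = {}
    for admin, nets in hosts.items():
        extra = sorted(str(n) for n in nets if n != pod)
        if not nets:
            findings[admin] = "unrestricted: no trusted host set"
        elif extra:
            findings[admin] = "extra sources: " + ", ".join(extra)
    return findings
```

Only IPv4 `trusthostN` entries are checked; IPv6 trusted hosts would need the same treatment.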
Direct, sourced answers about how Innovexus integrates with this vendor's platforms.
No. The integration is direct via SSH using FortiOS's standard AAA primitives. FortiManager, FortiAnalyzer, and FortiCloud are not dependencies. If you run FortiManager for orchestration, Innovexus runs alongside it — we handle privileged human and vendor access; FortiManager handles policy distribution and provisioning.
VDOM-aware. Engineers are mapped to specific VDOMs through their Innovexus role; brokered sessions land in the correct VDOM context based on the engineer's assigned admin profile. Configuration drift collection runs per-VDOM, with diffs scoped to the VDOM the engineer has access to. Multi-tenant FortiGate deployments (MSP-style) work cleanly.
Innovexus uses FIDO2 hardware authentication at its own platform login (YubiKey or equivalent). FortiToken or FortiAuthenticator can continue to handle MFA at the FortiGate device level for emergency direct access; the brokered-session path through Innovexus uses platform-level FIDO2 instead. Both can co-exist.
Yes. The vault rotates `admin` on schedule. Rotation uses the FortiOS commit model — the new password is applied via SSH and confirmed before the rotation is recorded as complete. If a device is unreachable at rotation time, the device stays on the prior password and rotation retries on the next scheduled cycle. NOC alert fires for devices stuck on prior credentials beyond a configurable threshold.
FortiPAM is Fortinet's newer dedicated PAM product (released 2023, expanded in 2024-2025). For Fortinet-only environments standardising on the Security Fabric, FortiPAM is a credible choice with native fabric integration. Innovexus differentiates on multi-vendor support (FortiGate alongside Cisco, Juniper, Arista, etc., on one platform), bundled NOC + SOC workspaces beyond pure PAM, per-tenant pod isolation, and published flat pricing. If you're Fortinet-exclusive, FortiPAM may fit better; if you're multi-vendor or want NOC/SOC bundled, Innovexus fits.
Yes, in two directions. Outbound: Innovexus forwards its session and audit logs to FortiAnalyzer (or any SIEM) via syslog and webhook. Inbound: Innovexus's SOC workspace ingests FortiGate threat-event logs from FortiAnalyzer for correlation alongside privileged-session events. The unified audit trail benefits SOC investigation when a threat event correlates to a recent privileged session.
Vault FortiGate admin credentials, allowlist the pod IP via trusted-hosts, point engineers at it. First brokered session within an hour. 5-day trial, no card required.