Create an impossible-to-travel policy
The Impossible Travel feature helps to improve the security level and blocks suspicious login attempts when FortiToken Cloud detects an unusual login request far away from a reasonable geographical location, for example, a login request from Russia for a device used by an employee who is living in the United States. In that case, FTC will block it. FTC is able to identify suspicious sign-in attempts based on distance and time elapsed between two subsequent user sign-in attempts. The default is 500 miles per hour. Bear in mind that the user IP must be supported by FortiProducts.
To enable the Impossible-Travel feature in an adaptive authentication policy:
-
From the side menu, select Adaptive Auth > Policy.
-
Select Add Policy.
-
Specify the policy name.
For Action, select Enforce MFA/Block.
-
For Filters, select Location Filter.
-
For Location Filter, select the countries or regions for normal login location.
-
Select the Impossible Travel button to enable it.
-
For Schedule, select a desired schedule set.
-
Click Confirm.
-
Add the new policy into a profile, and be sure to select the same action (Enforce MFA/Block).
-
Add the new profile into any auth client (including FortiProducts and web apps) and any Realms whose users are going to login from the specified locations.