Admin Guide

Control risky conditions

Adaptive Authentication

You can bypass OTP verification of MFA under certain “safer” conditions and deny such attempts under some otherwise “risky” conditions. You can pre-configure OTP verification of MFA based on trusted subnet/geo-location and time of day/day of week. For more details about how to configure it, go to Adaptive authentication.

Create adaptive authentication policy

  1. From the main menu, click Adaptive Auth > Policy to open the Policy page.

  2. On top of the page, click Add Policy to open the Add New Policy dialog.

  3. Make the desired entries and/or selections.

  4. Click Confirm.

Create adaptive authentication profile

  1. Click Adaptive Auth > Profile to open the Profile page.

  2. On top of the page, click Add Profile to open the Add New Profile dialog.

  3. Make the entries and/or selections.

  4. Click Save.

Apply adaptive authentication profile to an auth client

  1. From the main menu, click Auth Clients > FortiProducts.

  2. Highlight the auth client of interest and click the Edit button to open the Edit Client dialog.

  3. Select an adaptive auth profile.

  4. Click OK.

Apply adaptive authentication profile to a realm

  1. From the main menu, click Settings > Realm.

  2. Ensure that the General Setting tab is selected.

  3. Select an adaptive auth profile.

  4. Click Apply Changes.

Last login

The Last Login feature lets end users who log in from trusted IPs or subnets bypass the MFA requirement within a specified time period (the MFA Interval) after their last login.

To enable the Last Login feature in Adaptive Authentication Policy:

  1. Add the new policy by clicking Add Policy on the Adaptive Auth > Policy page.

  2. Specify a unique name, select Bypass MFA in the Action section, and select Subnet Filter.

  3. Enter the IP or subnet in the Subnets section, and click Enter to confirm (Note: The IP or subnet must be in a format supported by the FortiProducts).

  4. Click Last Login and specify a reasonable MFA Interval time period (Note: The range of this period is from 1 to 72 hours).

  5. Select a schedule configuration set in the Schedule section.

  6. Click Confirm.

  7. Add the newly created policy to a profile and select the same action, i.e., Bypass MFA.

  8. Apply the newly created profile to any auth clients (including FortiProducts and Web Apps) and any realms whose users are going to use those trusted IPs or Subnets.
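The following is an added example, not FTC's own code, of how a Bypass MFA policy combining a Subnet Filter, a Last Login interval and a schedule can be evaluated for a stream of login attempts. The subnet, the 8-hour interval, the Monday-to-Friday 08:00-18:00 schedule, the user names and the timestamps are all constructed for the example; the 1 to 72 hour limit on the MFA Interval is the one stated above. It also assumes that every OTP the policy enforces is completed successfully, so that the user's last verified login moves forward.

```python
"""Added example: a toy evaluation of a "Bypass MFA" policy with Subnet
Filter, Last Login and Schedule. Not FTC code. Assumptions: the policy holds
trusted subnets, an MFA Interval in hours (1 to 72, as the guide states) and a
simple weekday/hour schedule; a login from a trusted subnet, inside the
schedule, within the interval since the user's last verified OTP skips OTP."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class LastLoginPolicy:
    trusted_subnets: List[str]
    mfa_interval_hours: int
    schedule_weekdays: Tuple[int, ...] = (0, 1, 2, 3, 4)  # Mon..Fri (hypothetical schedule)
    schedule_hours: Tuple[int, int] = (0, 24)             # [start, end) hour of day, UTC

    def __post_init__(self) -> None:
        if not 1 <= self.mfa_interval_hours <= 72:
            raise ValueError("MFA Interval must be between 1 and 72 hours")
        # strict=False accepts a host address with a prefix, e.g. "10.1.2.3/24"
        self._nets = [ipaddress.ip_network(s, strict=False) for s in self.trusted_subnets]

    def ip_is_trusted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)

    def in_schedule(self, when: datetime) -> bool:
        start, end = self.schedule_hours
        return when.weekday() in self.schedule_weekdays and start <= when.hour < end

    def decide(self, ip: str, when: datetime, last_mfa_ok: Optional[datetime]) -> str:
        """Return "bypass_mfa" only when every condition of the policy holds;
        anything else falls back to the normal OTP step (fail closed)."""
        if not self.in_schedule(when):
            return "require_mfa"
        if not self.ip_is_trusted(ip):
            return "require_mfa"
        if last_mfa_ok is None:
            return "require_mfa"
        if when - last_mfa_ok <= timedelta(hours=self.mfa_interval_hours):
            return "bypass_mfa"
        return "require_mfa"


def replay(policy: LastLoginPolicy, events: List[Tuple[str, str, datetime]]) -> List[str]:
    """Walk (user, source_ip, time) events in order. In this toy model every
    enforced OTP is assumed to succeed, which refreshes the user's last MFA time."""
    last_mfa_ok: Dict[str, datetime] = {}
    decisions = []
    for user, ip, when in events:
        decision = policy.decide(ip, when, last_mfa_ok.get(user))
        decisions.append(decision)
        if decision == "require_mfa":
            last_mfa_ok[user] = when
    return decisions


def demo() -> List[str]:
    # Constructed sample: office subnet 10.1.0.0/16, 8-hour interval, 08:00-18:00 Mon-Fri.
    policy = LastLoginPolicy(["10.1.0.0/16"], mfa_interval_hours=8, schedule_hours=(8, 18))
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)  # a Monday
    events = [
        ("alice", "10.1.2.3", t0),                           # first login: OTP required
        ("alice", "10.1.2.3", t0 + timedelta(hours=2)),      # trusted, within 8 h: bypass
        ("alice", "198.51.100.7", t0 + timedelta(hours=3)),  # untrusted source: OTP required
        ("alice", "10.1.2.3", t0 + timedelta(hours=20)),     # Tue 05:00, outside schedule
        ("alice", "10.1.2.3", t0 + timedelta(hours=26)),     # Tue 11:00, 6 h after last OTP
        ("bob", "10.1.2.3", t0 + timedelta(hours=2)),        # trusted, but bob has no prior OTP
    ]
    return replay(policy, events)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of the checks in `decide` is deliberate: the schedule and subnet conditions are evaluated before the interval, so a login that fails any one of them always returns to the normal OTP step, and a user with no verified login on record never gets a bypass.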

Impossible travel

The Impossible Travel feature enables FTC to detect and block suspicious login attempts. When a login request comes from a location far from the user's normal geographical location, for example, a login request from Russia for a device used by an employee who is based in the United States, FTC blocks it. Using this feature, FTC can effectively identify suspicious sign-in attempts based on the distance and time elapsed between two consecutive user sign-in attempts. The feature works with IP addresses in the formats that FortiProducts support.

To enable the Impossible Travel feature in Adaptive Authentication Policy:

  1. Add the new policy by clicking Add Policy in Adaptive Auth > Policy page.

  2. Give a unique name and select Enforce MFA/Block in the Action section, and select Location Filter.

  3. Enter the Countries or Regions for normal login location, and click Enter.

  4. Click the Impossible Travel button to enable it.

  5. Select a schedule configuration set in the Schedule section.

  6. Click Confirm.

  7. Add the policy to any profile. Be sure to select the same action, i.e., Enforce MFA/Block.

  8. Apply the profile to any Auth Clients (including FortiProducts and Web Apps) and any Realms whose users are going to log in from those locations.
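The following is an added example, not FTC's own code, showing the logic behind a Location Filter combined with Impossible Travel: the allowed countries are checked first, then the great-circle distance and elapsed time between the previous and current sign-in give an implied speed, and an implausible speed triggers the Enforce MFA/Block action. The GeoIP table (using documentation address ranges), the 1000 km/h speed threshold, the 50 km "same area" tolerance and the timestamps are all assumptions made for this example.

```python
"""Added example: a toy impossible-travel check for a Location Filter +
Impossible Travel policy. Not FTC code. Assumptions: a constructed GeoIP table
stands in for a real geolocation database, travel faster than
MAX_PLAUSIBLE_KMH between two consecutive sign-ins is treated as impossible,
and short distances are ignored as geolocation jitter."""
import math
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # hypothetical threshold, roughly airliner speed
SAME_AREA_KM = 50.0         # hypothetical: closer than this counts as no travel

# Constructed lookup (documentation IP ranges, not real geolocation data).
GEOIP: Dict[str, Tuple[str, float, float]] = {
    "198.51.100.10": ("US", 40.7128, -74.0060),   # New York
    "198.51.100.20": ("US", 34.0522, -118.2437),  # Los Angeles
    "203.0.113.5": ("RU", 55.7558, 37.6173),      # Moscow
}

SignIn = Tuple[str, datetime]  # (source IP, time of the attempt)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def evaluate(prev: Optional[SignIn], cur: SignIn, allowed_countries) -> Tuple[str, str]:
    """Return (action, reason). The action is "enforce_mfa_or_block" when the
    policy fires and "no_action" when the normal login flow continues."""
    ip, when = cur
    geo = GEOIP.get(ip)
    if geo is None:
        # Unknown source location: fail closed rather than silently allowing.
        return "enforce_mfa_or_block", "unknown_location"
    country, lat, lon = geo
    if country not in allowed_countries:
        return "enforce_mfa_or_block", "location_not_allowed:" + country
    if prev is None or prev[0] not in GEOIP:
        return "no_action", "no_baseline"
    _, plat, plon = GEOIP[prev[0]]
    dist = haversine_km(plat, plon, lat, lon)
    if dist <= SAME_AREA_KM:
        return "no_action", "same_area"
    hours = (when - prev[1]).total_seconds() / 3600.0
    # Zero or negative elapsed time with real distance is impossible by definition.
    if hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH:
        return "enforce_mfa_or_block", "impossible_travel:%.0fkm/%.2fh" % (dist, hours)
    return "no_action", "plausible_travel:%.0fkm/%.2fh" % (dist, hours)


def demo() -> List[str]:
    """Constructed (previous, current) sign-in pairs for one user, allowed country US."""
    allowed = {"US"}
    t = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    ny, la, msk = "198.51.100.10", "198.51.100.20", "203.0.113.5"
    cases = [
        (None, (ny, t)),                                   # first sign-in: no baseline
        ((ny, t), (la, t + timedelta(hours=1))),           # ~3,900 km in 1 h: impossible
        ((ny, t), (la, t + timedelta(hours=6))),           # ~3,900 km in 6 h: plausible flight
        ((ny, t), (msk, t + timedelta(hours=12))),         # outside the allowed countries
        ((ny, t), ("192.0.2.9", t + timedelta(hours=1))),  # no geolocation available
    ]
    return [evaluate(prev, cur, allowed)[0] for prev, cur in cases]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The Location Filter check runs before the travel calculation, so a sign-in from a country outside the normal list is acted on regardless of timing, and a source IP with no geolocation is treated as risky rather than skipped; a real deployment would also have to account for VPN egress points and mobile carrier geolocation, which are the usual sources of false positives for this kind of check.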
