Blocklist network zones
Admins can deny access to your Okta tenant by blocklisting a network zone, such as an IP zone or a dynamic zone. IP zones contain a list of IP addresses, while dynamic zones contain a list of locations, ASNs, or IP types. If a network zone is blocklisted, clients connecting from that zone can't access any URL for the org, and their requests are automatically blocked before any type of policy evaluation.
HealthInsight task recommendation
Configure network blocklisting to deny access to your Okta org from known malicious IP addresses or locations.
Okta recommends | Block any known untrusted IPs, locations, or proxy servers to limit access to your org. If your org uses IP Trust for network zones, Okta also recommends blocking any IPs that are identified as a Tor anonymizer proxy. Only add IP addresses or locations that are not associated with legitimate user activity.
Security impact | Moderate
End-user impact | Low. Legitimate users within your org will see no change in behavior. Clients connecting from blocked network zones will see a 403 (access denied) error.
Block specific IP addresses
Block specific IP addresses to deny access to your Okta org.
- In the Admin Console, go to Security > Networks.
- In the list of existing zones, click Edit for the BlockedIpZone network zone.
- To block the zone, select Block access from IPs matching conditions listed in this zone.
- Click Save to continue.
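The recommendation to add only addresses that are not associated with legitimate user activity can be checked before you edit the BlockedIpZone. The following Python sketch is an added example, not part of Okta's documentation or tooling: it vets candidate entries against source IPs of recent successful sign-ins and against ranges you trust. The function name, the size threshold, and all sample addresses (documentation ranges) are constructed assumptions; the sign-in IPs would come from your own log export.

```python
import ipaddress

# Constructed sample data using documentation address ranges.
CANDIDATES = ["203.0.113.7", "198.51.100.0/24", "192.0.2.0/23",
              "203.0.113.64/26", "192.0.2.130", "not-an-ip"]
LEGIT_SIGNIN_IPS = ["198.51.100.25"]   # source IPs of successful sign-ins
TRUSTED_RANGES = ["192.0.2.128/25"]    # e.g. office egress or VPN ranges


def vet_blocklist_candidates(candidates, legit_ips, trusted_ranges,
                             max_addresses=256):
    """Return (safe, rejected); rejected maps each entry to a reason."""
    legit = [ipaddress.ip_address(ip) for ip in legit_ips]
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    safe, rejected = [], {}
    for entry in candidates:
        try:
            # strict parsing: a CIDR with host bits set is ambiguous, reject it
            net = ipaddress.ip_network(entry.strip())
        except ValueError:
            rejected[entry] = "malformed"
            continue
        hits = [str(ip) for ip in legit if ip in net]
        if net.num_addresses > max_addresses:
            # wide ranges are the most likely to catch real users
            rejected[entry] = "too broad, review manually"
        elif any(net.overlaps(t) for t in trusted):
            rejected[entry] = "overlaps trusted range"
        elif hits:
            rejected[entry] = "legitimate sign-ins seen: " + ", ".join(hits)
        else:
            safe.append(entry)
    return safe, rejected


if __name__ == "__main__":
    safe, rejected = vet_blocklist_candidates(
        CANDIDATES, LEGIT_SIGNIN_IPS, TRUSTED_RANGES)
    print("Safe to add:", safe)
    for entry, reason in rejected.items():
        print(f"Hold back {entry}: {reason}")
```

Only the entries in the first list are candidates for the zone; anything held back needs a manual decision, because a blocklisted client is refused before any policy is evaluated.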
Block a dynamic zone
Block a Dynamic Zone from accessing your Okta org.
- In the Admin Console, go to Security > Networks.
- Click Add Zone > Dynamic Zone to create a new dynamic zone.
- Define a location or proxy type.
- To block the zone, select Block access from IPs matching conditions listed in this zone.
- Click Save to continue.
Block IPs identified as a Tor anonymizer proxy
Block IPs identified as a Tor anonymizer proxy from accessing your Okta org.
- In the Admin Console, go to Security > Networks.
- Click Add Zone > Dynamic Zone to create a new dynamic zone.
- Select Tor anonymizer proxy for IP Type.
- To block the zone, select Block access from IPs matching conditions listed in this zone.
- Click Save to continue.