Dynamic zones
Use dynamic zones to define network perimeters based on location, IP address type, and autonomous system number (ASN).
Location
A location is either a country or a country and region. If you don't include a region, the entire country is considered. You can specify a single location, multiple locations, or no location for a dynamic zone.
When the location isn't defined, all locations are considered to be within that dynamic zone. A single dynamic zone can't include two locations that contain each other, such as United States and California.
Continents aren't used as region definitions. The Europe (EU) and Asia/Pacific (AP) codes are used only if you don't select a country code. To include all the countries in Europe or in Asia/Pacific, choose each individual country. If you choose Europe or Asia/Pacific and don't specify individual countries, the geolocation provider returns only requests from countries that don't have a designated country code. Used alone, Europe and Asia/Pacific are treated as generic codes for undesignated regions.
Locations are determined based on the IP address of the request using MaxMind as the geolocation provider. To learn about issues with location accuracy or information about how country and region codes are used, see MaxMind and GeoIP Legacy Codes.
In the System Log, each location (country or a country and region) appears on a separate line. The following table lists some examples of valid locations.
Location | System Log entry |
Country |
US |
Country and region |
California, US Quebec, CA |
In China, the universal ISO standard for region codes and country code changed. The update resulted in discrepancies between the new codes and the codes that are displayed in Okta. To prevent issues, edit any affected dynamic zones.
IP address type
The IP type determines if the request is from a proxy and if so, which type of proxy the request is from. The IP type is determined based on the IP of the request using Neustar. Define one IP type for a dynamic zone.
For issues with IP type accuracy, contact your Okta representative.
IP Type | Description |
Any |
All IP types are considered to be within the dynamic zone. |
Any proxy |
Requests that come from any anonymizing proxy, including Tors and non-Tors, are considered to be within the dynamic zone. |
Tor anonymizer proxy |
Requests that come from Tor anonymizing proxies are considered to be within the dynamic zone. |
Not Tor anonymizer proxy |
Requests that come from non-Tor anonymizing proxies are considered to be within the dynamic zone. |
Autonomous system number
Autonomous system numbers (ASN) are used to uniquely identify each network on the internet. Internet service providers (ISP) can apply to obtain one or multiple ASNs assigned to them. While an ISP name can change, their assigned ASN is reserved and immutable. One ASN, multiple ASNs, or no ASNs can be defined for a network zone. If no ASN is provided, all ASNs are considered to be within the dynamic zone.
Since the ASN represents an entire network of IP addresses, specifying an ASN can help you reduce overhead as an alternative to entering a list of multiple IP addresses. You can use online ASN lookup tools to find the ASN for a given IP address. For an example of an ASN lookup tool, see DNSChecker.
Dynamic zone evaluation
Okta verifies whether the dynamic zone configuration matches the location, proxy type, and ASN of the IP where the request originates.
- Okta compares both the location and proxy type with the ASN conditions to determine if there's a match.
- If the IP chain of the request contains one IP address, Okta resolves the location, proxy type, or ASN. Okta compares these values to the dynamic zone configuration to determine if the request came from that dynamic zone.
- If the IP chain of the request contains more than one IP address, Okta attempts to identify the client IP where the request originated.
How to identify the originating client IP
To identify the originating client IP for the request, the IP chain of the request is evaluated and compared to all proxy IPs defined in all IP zones for that org.
- If the IP address to the right of the IP chain isn't defined as a proxy, it's marked as the client IP.
- If the IP address to the right of the IP chain is a proxy IP, evaluation of the next IP address to the left takes place until an IP that isn't a proxy is discovered. This IP is marked as the client IP.
- After the client IP is determined, the geolocation, proxy type, and ASN for that IP are resolved and compared with the configured geolocation, proxy type, and ASN values for that zone. If the values match, the request comes from inside that zone.
Dynamic zone evaluation example
IP Chain | All proxies defined for the org | Client IP where the request originated |
1.1.1.1 | Empty | 1.1.1.1 |
1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
1.1.1.1 | 2.2.2.2 | 1.1.1.1 |
1.1.1.1, 2.2.2.2 | Empty | 2.2.2.2 |
1.1.1.1, 2.2.2.2 | 2.2.2.2 | 1.1.1.1 |
1.1.1.1, 2.2.2.2 | 3.3.3.3 | 2.2.2.2 |
1.1.1.1, 2.2.2.2 | 1.1.1.1 | 2.2.2.2 |
1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3, 2.2.2.2 | 1.1.1.1 |
1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3 | 2.2.2.2 |
1.1.1.1, 2.2.2.2, 3.3.3.3 | 4.4.4.4 | 3.3.3.3 |
Related topics
Define geolocation for a dynamic zone