IP zones

An IP zone lets you define network perimeters around a set of IP addresses. It can contain IP addresses for both gateway servers and trusted proxy servers, and you can add them using individual IP addresses, IP ranges, or classless inter-domain routing (CIDR) notation.

Trusted proxies

Trusted proxies are used for determining the request's client IP address. Okta ThreatInsight doesn't block them. If a user changes their IP address during a session and the resulting IP address is in a trusted proxy, the System Log doesn't record a user.session.context.change event. See View System Log events for Identity Threat Protection.

If you add any untrusted proxies to an IP zone, add them as gateways.

IP zone evaluation

When determining whether a request is from inside or outside of an IP zone, Okta evaluates the IP chain: the client IP plus the IP of every network hop (proxies, gateways) between the originating request and Okta. The following table explains how the chain is processed when it contains one IP and when it contains several.

IP chain contains one IP

The request is considered to be within a zone only if that IP is contained within any of the defined gateways for the zone. An IP that matches only a proxy entry isn't enough.

IP chain contains more than one IP

Okta starts with the final IP in the chain, the one directly connecting to Okta, and checks it against the gateways and proxies defined for the IP zone:

  • If it's a defined gateway, the request is from within that zone.
  • If it's a defined proxy, the process repeats for the previous IP in the chain, the one directly connecting to the proxy.
  • If it's neither a gateway nor a proxy, the request isn't from within that zone.

Each zone is evaluated on its own. To ensure that Okta considers traffic as coming from a trusted zone, the gateway IP and the proxy IP both need to be defined in the same zone. If the gateway is in one zone and the proxy in another, the request isn't considered as coming from either zone.

IP chain processing repeats until one of the following happens:

  • A matching gateway IP is found, in which case the request is from within the IP zone.
  • The IP being checked is neither a gateway nor a proxy, in which case the request isn't from within the IP zone.
  • Five IPs in the chain have been checked without reaching a gateway, in which case the request isn't from within the IP zone.

IP zone example

In the following table the IP chain is listed from the originating request to the IP that connects directly to Okta, so the rightmost IP is the first one checked.

IP chain            Gateway    Proxy      Is the request from inside the zone?
1.1.1.1             1.1.1.1    Empty      Y
1.1.1.1             1.1.1.1    2.2.2.2    Y
1.1.1.1             Empty      Empty      N
1.1.1.1             Empty      1.1.1.1    N
1.1.1.1, 2.2.2.2    2.2.2.2    Empty      Y
1.1.1.1, 2.2.2.2    2.2.2.2    3.3.3.3    Y
1.1.1.1, 2.2.2.2    1.1.1.1    2.2.2.2    Y
1.1.1.1, 2.2.2.2    Empty      Empty      N
1.1.1.1, 2.2.2.2    Empty      1.1.1.1    N
1.1.1.1, 2.2.2.2    Empty      2.2.2.2    N
1.1.1.1, 2.2.2.2    2.2.2.2    1.1.1.1    Y
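The following Python is an added example, not Okta code, that implements the IP chain rules described above (walk from the IP that connects to Okta back towards the client, continue through trusted proxies, stop at a gateway, stop after five IPs) so that the rows of the example table can be replayed and extended with CIDR blocks, IP ranges and the cross-zone case. The zone model, the function names and the assumption that the fifth checked IP may itself match a gateway are this example's own; the page doesn't state what Okta does at that exact boundary.

```python
import ipaddress
from dataclasses import dataclass

# The page states that processing stops once five IPs in the chain have been
# checked. Whether the fifth IP may itself match a gateway isn't spelled out;
# this example assumes it may (assumption, not documented Okta behaviour).
MAX_CHECKED_IPS = 5


def parse_entry(entry: str) -> list:
    """Expand one zone entry (single IP, CIDR block, or 'start-end' range) into ip_network objects."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


@dataclass
class IpZone:
    """A zone as the page describes it: a set of gateway entries and a set of trusted-proxy entries."""
    name: str
    gateways: list
    proxies: list

    @classmethod
    def from_entries(cls, name, gateways=(), proxies=()):
        return cls(
            name,
            [net for e in gateways for net in parse_entry(e)],
            [net for e in proxies for net in parse_entry(e)],
        )

    def is_gateway(self, ip) -> bool:
        return any(ip in net for net in self.gateways)

    def is_proxy(self, ip) -> bool:
        return any(ip in net for net in self.proxies)


def request_in_zone(ip_chain, zone: IpZone) -> bool:
    """Apply the IP chain rules to one zone.

    ip_chain lists hops from the originating client to the address that
    connects to Okta, so evaluation starts at the END of the list and walks
    backwards towards the client.
    """
    hops = [ipaddress.ip_address(h) for h in ip_chain]
    for ip in reversed(hops[-MAX_CHECKED_IPS:]):   # at most five IPs are ever checked
        if zone.is_gateway(ip):
            return True      # gateway reached: the request is inside the zone
        if not zone.is_proxy(ip):
            return False     # neither gateway nor trusted proxy: the walk stops here
        # trusted proxy: continue with the hop that connected to this proxy
    return False             # chain exhausted, or limit hit, without reaching a gateway


def zones_containing(ip_chain, zones) -> list:
    """Names of every zone the request is inside. Zones are evaluated independently,
    so a gateway defined in one zone and a proxy defined in another never combine."""
    return [z.name for z in zones if request_in_zone(ip_chain, z)]


if __name__ == "__main__":
    # Constructed sample zone using documentation address ranges (not real infrastructure).
    corp = IpZone.from_entries(
        "corp",
        gateways=["203.0.113.0/24"],
        proxies=["198.51.100.10-198.51.100.20"],
    )
    # Client behind the corporate gateway, reaching Okta through a trusted proxy.
    print(request_in_zone(["203.0.113.7", "198.51.100.12"], corp))
    # Same client, but the last hop is an unlisted proxy: the walk stops immediately.
    print(request_in_zone(["203.0.113.7", "198.51.100.99"], corp))
```

Replaying the example table row by row against `request_in_zone` is the quickest way to confirm the two things that trip people up: a lone IP that matches only a proxy entry is never inside the zone, and a chain whose Okta-facing IP is neither a gateway nor a proxy is rejected even when an earlier hop is a gateway.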

Related topics

Create zones for IP addresses

Dynamic zones

Unblock false positives in System Log