Manage network zones

As a super admin or org admin, you can manage network zones using the edit, block, delete, and deactivate settings.

When you edit a network zone, wait approximately 60 seconds for the change to propagate across all servers and take effect.

Add a network zone

You can add several types of network zones:

To implement multiple network zones, including Dynamic Zones, you must enable Adaptive MFA.

Edit a network zone

Policies and rules are updated automatically when you change the network zone settings.

  1. In the Admin Console, go to Security > Networks.
  2. Select one of the existing network zones and click the pencil icon.
  3. Configure any of the fields.
  4. Click Save.

If you've enabled the IP exempt zone feature, you can add IPs to the DefaultExemptIpZone. Adding IPs to this zone allows traffic from these IPs irrespective of any conflicting network zones and Okta ThreatInsight configurations. To understand how Okta evaluates IPs in this zone, see Enhanced dynamic zones.

Block client IPs from accessing a network zone

A blocked network zone prevents client IPs from accessing any URL for the org. Requests from those IPs are automatically blocked before any type of policy evaluation. Admins can restrict access from IP zones that contain a list of IP addresses, and from dynamic zones that contain a list of locations, ASNs, or IP types.

  1. In the Admin Console, go to Security > Networks.
  2. In the list of existing network zones, click the pencil icon beside the network zone you wish to modify.
  3. To block the network zone, select Block access from IPs matching conditions listed in this zone.
  4. Click Save.

If you've enabled the IP exempt zone feature and added IP addresses to it, traffic from those IPs may still be allowed even if you blocklist an IP. See IP exempt zone evaluation.
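
A pre-change check for the caveat above, as an added example that is not from Okta's documentation or tooling: it lists entries in the IP exempt zone that overlap an entry in a blocked IP zone, because traffic from those IPs may still be allowed. The zone names, the entry formats (single IP, CIDR, or first-last range), and the sample addresses are constructed assumptions, and the data is supplied inline rather than read from an org.

```python
import ipaddress


def to_networks(entry):
    """Expand one zone entry into CIDR networks.

    Accepted forms (assumed): '203.0.113.7', '203.0.113.0/24',
    or an inclusive range '198.51.100.10-198.51.100.20'.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


def exempt_overlaps(blocked_zones, exempt_entries):
    """Return (zone_name, blocked_entry, exempt_entry) for each exempt entry
    that overlaps an entry of a blocked zone, in input order, without duplicates."""
    exempt = [(e, net) for e in exempt_entries for net in to_networks(e)]
    findings = []
    for zone_name, entries in blocked_zones.items():
        for blocked in entries:
            for bnet in to_networks(blocked):
                for e, enet in exempt:
                    # Only compare networks of the same IP version.
                    if bnet.version == enet.version and bnet.overlaps(enet):
                        finding = (zone_name, blocked, e)
                        if finding not in findings:
                            findings.append(finding)
    return findings


# Constructed sample data (documentation address ranges, hypothetical zone names).
BLOCKED = {
    "BlockedIpZone": ["203.0.113.0/24", "198.51.100.10-198.51.100.20"],
    "LegacyBlocklist": ["2001:db8::/32"],
}
EXEMPT = ["203.0.113.7", "198.51.100.15-198.51.100.30", "192.0.2.1"]

if __name__ == "__main__":
    for zone, blocked, exempt in exempt_overlaps(BLOCKED, EXEMPT):
        print(f"{zone}: blocked entry {blocked} overlaps exempt entry {exempt}")
```

Each reported pair is a candidate to remove from the exempt zone, or to accept as an intended exception, before you rely on the block.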

Delete a network zone

When a network zone is deleted, all rules that use the deleted zone are affected.

If the network zone you want to delete is the only zone in any rule, you can't delete the zone. Edit the rule to use a different zone, then perform the deletion again.

If the network zone you want to delete isn't the only zone in any rule, you can delete the zone. The zone is removed from all the rules where it appears.

If the network zone that you want to delete is active and is used by other rules, including rules in Okta Classic Engine for customers who upgraded to Okta Identity Engine, make the network zone inactive before you attempt to delete it.

  1. In the Admin Console, go to Security > Networks.
  2. In the list of existing zones, click the x next to the zone that you want to delete.
  3. In the Delete Zone dialog, click OK.

Deactivate a network zone

When a network zone is deactivated, Global Session Policies and authentication policy rules that use the deactivated network zone are affected.

  1. In the Admin Console, go to Security > Networks.
  2. In the list of network zones, click Active beside the network zone you want to deactivate and select Inactive.

Related topics

IP zones

Dynamic zones

Enhanced dynamic zones