IP zones
IP zones define network perimeters around a set of IP addresses. IP zones contain gateways and trusted proxies.
- A gateway is an IP address that a request must pass through to gain access. When you add a gateway to an IP zone, a request's IP address must match the gateway to be considered within the zone. Use gateways when you want request IP addresses to match a zone exactly.
- A trusted proxy is an intermediate server that provides information about the requesting client's IP address. Okta ThreatInsight doesn't block trusted proxies, and the System Log doesn't record a user.session.context.change event when a user's IP address moves to a trusted proxy. It's your responsibility to designate which proxies are trusted: if you don't trust a proxy, add it to your zone as a gateway instead.
Default IP zones
You can create your own IP zones using individual IP addresses, IP ranges, or classless inter-domain routing (CIDR) notation. Okta also provides three default IP zones to support specific use cases.
- The BlockedIpZone blocks all traffic from the IP addresses or IP address ranges you specify.
- The LegacyIpZone is primarily reserved for authentication using Integrated Windows Authentication (IWA) agents. You can also use this zone for IdP routing rules. See Create a network zone for IWA and Use zones in routing rules.
- The DefaultExemptIpZone allows traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI. See IP exempt zone.
IP zone evaluation
Okta uses the IP chain to determine whether a request is from inside or outside an IP zone. The IP chain contains the IP addresses of all the network hops between the originating request and Okta.
- If the IP chain contains a single IP and it matches a defined gateway, the request is inside the zone.
- If the IP chain has multiple IPs and the last IP before Okta matches a defined gateway, the request is inside the zone.
- If the IP chain has multiple IPs and the last one is a defined trusted proxy, Okta checks backwards through the chain until it finds a matching gateway IP. If it finds one, the request is inside the zone. If it checks five IPs without finding a matching gateway, the request is outside the zone.
The following table illustrates IP chain evaluation. The IP chain is listed with the originating hop first and the hop closest to Okta last.

| IP chain | Gateway | Trusted proxy | Request evaluation |
|---|---|---|---|
| 1.1.1.1 | 1.1.1.1 | Empty | In zone |
| 1.1.1.1 | 1.1.1.1 | 2.2.2.2 | In zone |
| 1.1.1.1 | Empty | Empty | Out of zone |
| 1.1.1.1 | Empty | 1.1.1.1 | Out of zone |
| 1.1.1.1, 2.2.2.2 | 2.2.2.2 | Empty | In zone |
| 1.1.1.1, 2.2.2.2 | 2.2.2.2 | 3.3.3.3 | In zone |
| 1.1.1.1, 2.2.2.2 | 1.1.1.1 | 2.2.2.2 | In zone |
| 1.1.1.1, 2.2.2.2 | Empty | Empty | Out of zone |
| 1.1.1.1, 2.2.2.2 | Empty | 1.1.1.1 | Out of zone |
| 1.1.1.1, 2.2.2.2 | Empty | 2.2.2.2 | Out of zone |
| 1.1.1.1, 2.2.2.2 | 2.2.2.2 | 1.1.1.1 | In zone |
Evaluation is performed per zone: traffic is considered to come from a trusted zone only when the matching gateway IP and the trusted proxy IP belong to the same zone.
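The evaluation rules and the table above, as an added example that is not Okta's code: a small Python model of one IP zone that applies the three rules exactly as the page states them, with the table rows embedded as constructed test data so each row can be checked mechanically. Two things in it are assumptions rather than page statements: the five-IP limit is counted backwards from the Okta-facing hop, inclusive of the trusted proxy that started the walk-back, and the optional `strict` flag, which also stops the walk-back at a hop that is neither a gateway nor a trusted proxy, is not a rule on the page.

```python
"""Model of the IP-chain evaluation rules described above (added example,
not Okta's implementation)."""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Page: "If it checks five IPs and finds no matching gateway, the request is
# considered outside the zone." Assumption: the five are counted backwards
# from the Okta-facing hop, inclusive of the trusted proxy that triggered
# the walk-back.
MAX_CHECKED_IPS = 5


class IpZone:
    """One IP zone: its gateways and its trusted proxies.

    Entries may be single addresses or CIDR blocks. The page also allows IP
    ranges; a contiguous range is expressed here as the CIDR blocks covering it.
    """

    def __init__(self, gateways: Iterable[str] = (), proxies: Iterable[str] = ()):
        self.gateways = [ip_network(g, strict=False) for g in gateways]
        self.proxies = [ip_network(p, strict=False) for p in proxies]

    @staticmethod
    def _matches(ip: str, nets) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in nets)

    def is_gateway(self, ip: str) -> bool:
        return self._matches(ip, self.gateways)

    def is_proxy(self, ip: str) -> bool:
        return self._matches(ip, self.proxies)

    def in_zone(self, ip_chain: List[str], strict: bool = False) -> bool:
        """Evaluate an IP chain ordered originating hop first, Okta-facing hop last.

        strict=False follows the page literally: once the last hop is a trusted
        proxy, any gateway among the last five hops puts the request in zone.
        strict=True is an assumption, not a page rule: the walk-back also stops
        at the first hop that is neither a gateway nor a trusted proxy.
        """
        if not ip_chain:
            return False
        nearest = ip_chain[-1]
        # Rules 1 and 2: the only IP, or the last IP before Okta, is a gateway.
        if self.is_gateway(nearest):
            return True
        # Rule 3 only starts when the last hop is a trusted proxy.
        if not self.is_proxy(nearest):
            return False
        for hop in reversed(ip_chain[-MAX_CHECKED_IPS:]):
            if self.is_gateway(hop):
                return True
            if strict and not self.is_proxy(hop):
                return False
        return False


# The page's evaluation table, transcribed as constructed test data:
# (IP chain, gateways, trusted proxies, expected result).
PAGE_TABLE: List[Tuple[List[str], List[str], List[str], bool]] = [
    (["1.1.1.1"], ["1.1.1.1"], [], True),
    (["1.1.1.1"], ["1.1.1.1"], ["2.2.2.2"], True),
    (["1.1.1.1"], [], [], False),
    (["1.1.1.1"], [], ["1.1.1.1"], False),
    (["1.1.1.1", "2.2.2.2"], ["2.2.2.2"], [], True),
    (["1.1.1.1", "2.2.2.2"], ["2.2.2.2"], ["3.3.3.3"], True),
    (["1.1.1.1", "2.2.2.2"], ["1.1.1.1"], ["2.2.2.2"], True),
    (["1.1.1.1", "2.2.2.2"], [], [], False),
    (["1.1.1.1", "2.2.2.2"], [], ["1.1.1.1"], False),
    (["1.1.1.1", "2.2.2.2"], [], ["2.2.2.2"], False),
    (["1.1.1.1", "2.2.2.2"], ["2.2.2.2"], ["1.1.1.1"], True),
]


def check_page_table() -> List[bool]:
    """One bool per table row: True where the model agrees with the page."""
    return [IpZone(gw, px).in_zone(chain) == expected
            for chain, gw, px, expected in PAGE_TABLE]


if __name__ == "__main__":
    for row, ok in zip(PAGE_TABLE, check_page_table()):
        print(row, "matches page" if ok else "MISMATCH")
```

Because evaluation is per zone, one `IpZone` instance holds both the gateways and the trusted proxies that must belong to the same zone; a gateway in one zone and a proxy in another never combine. The `strict` variant is worth considering when reasoning about your own proxy tiers, since the page does not say what happens to a hop between the trusted proxy and the gateway that is neither.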
