Create an IP zone

Create an IP zone that defines network perimeters around a set of IP addresses. An IP zone is made up of gateway and proxy IP addresses.

Follow these guidelines as you create zones:

  • Configure at least one gateway or proxy in an IP zone.
  • You can add up to 1000 IPs, IP ranges, or CIDRs to a single blocked zone.
  • You can add up to 25,000 IPs, IP ranges, or CIDRs across all IP zones.
  • You can add up to 150 gateway IPs, proxy IPs, IP ranges, or CIDRs to a non-blocked zone.

Before you begin

If your org uses a web application firewall (WAF) like Cloudflare, Zscaler, or Fastly, you must configure it to pass the original client's IP address.

  1. Configure X-Forwarded-For (XFF) HTTP headers on the WAF, so that the original client's IP address is appended to the XFF header in the HTTP request. This creates a chain of IP addresses, with the first IP being the real client. This ensures that Okta can see the full IP chain and use the client's IP in its bot detection model.

  2. Configure WAF's IPs as trusted proxies in Okta. This allows Okta to ignore the WAF's IP and instead look at the first IP address in the XFF header to determine the true source of the request.
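The two steps above describe the outcome (the WAF's own address is ignored and the client address it appended to X-Forwarded-For is used) without showing the resolution rule. The following Python is an added example, not Okta's or any WAF vendor's code: it walks the chain from the TCP peer backwards, skipping every hop that belongs to a trusted proxy, and takes the first hop that does not. The trusted-proxy networks and the sample requests are constructed values. Walking from the right rather than simply taking the leftmost entry also covers the case where a client sends a forged X-Forwarded-For header of its own before the WAF appends the real address.

```python
import ipaddress

# Constructed example: the WAF's egress networks, i.e. what would be entered
# as trusted proxies. Replace with the real addresses in practice.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def parse_xff(header):
    """Split an X-Forwarded-For value into address objects, left to right.

    A malformed entry is kept as None so that positions in the chain are
    preserved; the resolver treats it as untrustworthy.
    """
    hops = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(ipaddress.ip_address(part))
        except ValueError:
            hops.append(None)
    return hops


def full_chain(peer_ip, xff_header):
    """The complete chain as strings: XFF entries followed by the TCP peer."""
    chain = parse_xff(xff_header) + [ipaddress.ip_address(peer_ip)]
    return [str(h) if h is not None else "<invalid>" for h in chain]


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address as seen through the trusted proxies.

    The chain is [XFF entries..., TCP peer]. Starting from the peer and
    moving left, every hop inside a trusted network is skipped; the first
    hop that is not trusted is the client. If the peer itself is not a
    trusted proxy, the XFF header is never consulted (it came from an
    untrusted source). Returns None if every hop is a trusted proxy or a
    malformed hop is reached before an untrusted one (fail closed).
    """
    chain = parse_xff(xff_header) + [ipaddress.ip_address(peer_ip)]
    for hop in reversed(chain):
        if hop is None:
            return None
        if not any(hop in net for net in trusted):
            return str(hop)
    return None


if __name__ == "__main__":
    # Constructed requests: WAF at 203.0.113.10 fronting client 198.51.100.7.
    cases = [
        ("203.0.113.10", "198.51.100.7"),                # normal path through WAF
        ("203.0.113.10", "10.0.0.1, 198.51.100.7"),      # client forged a first entry
        ("198.51.100.7", "10.0.0.1"),                    # direct client, XFF ignored
        ("203.0.113.10", "203.0.113.11"),                # only proxies in the chain
    ]
    for peer, xff in cases:
        print(full_chain(peer, xff), "->", resolve_client_ip(peer, xff))
```

The third case is the one worth keeping in mind when reviewing a trusted-proxy list: once an address is trusted, anything it forwards in X-Forwarded-For is believed, so the list should contain only the WAF's actual egress ranges.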

Start this task

  1. In the Admin Console, go to Security > Networks.
  2. From the Add Zone dialog, select IP Zone.
  3. In the Zone Name field, enter a name for the IP zone.
  4. Optional. Select Block access from IPs matching conditions listed in this zone to prevent matching IPs from accessing Okta. This includes IP addresses found in the zone and IP chains.
  5. Enter the Gateway IP addresses and Trusted Proxy IP addresses. Separate IP addresses and ranges with a new line or comma. You can add single IP addresses, IP ranges, or use CIDR notation.
  6. Click Save.

When you edit a network zone, wait approximately 60 seconds for the change to propagate across all servers and take effect.
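As an added example (not Okta's code), the Python below models what the procedure above asks an admin to enter: a zone definition with entries separated by newlines or commas, written as single IPs, CIDRs, or dash ranges, checked against the per-zone limits from the guidelines (1000 entries for a blocked zone, 150 for a non-blocked one, at least one entry), and then evaluated against a request. For a blocked zone the evaluation covers every address in the IP chain, matching the note in step 4 that block mode includes IP chains. The zone definition and addresses are constructed sample values; the function and field names are this example's own.

```python
import ipaddress

# Limits stated in the guidelines on this page.
MAX_BLOCKED_ZONE_ENTRIES = 1000
MAX_NONBLOCKED_ZONE_ENTRIES = 150


class ZoneError(ValueError):
    """Raised when a zone definition would be rejected."""


def parse_entry(text):
    """Turn one entry into a list of networks.

    Accepts a single IP ('192.0.2.10'), CIDR notation ('198.51.100.0/24'),
    or a dash range ('192.0.2.100-192.0.2.120'), which is expanded into the
    smallest set of CIDR blocks that cover it.
    """
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text, strict=False)]


def parse_zone(definition, blocked=False):
    """Parse a zone definition and enforce the entry limits.

    Entries may be separated by newlines or commas. The limit counts entries
    as typed (an IP, a range, or a CIDR each count once), not the expanded
    networks.
    """
    raw = [e.strip() for e in definition.replace(",", "\n").splitlines()]
    entries = [e for e in raw if e]
    limit = MAX_BLOCKED_ZONE_ENTRIES if blocked else MAX_NONBLOCKED_ZONE_ENTRIES
    if not entries:
        raise ZoneError("an IP zone needs at least one gateway or proxy entry")
    if len(entries) > limit:
        raise ZoneError(f"{len(entries)} entries exceeds the limit of {limit}")
    networks = []
    for entry in entries:
        try:
            networks.extend(parse_entry(entry))
        except ValueError as exc:
            raise ZoneError(f"bad entry {entry!r}: {exc}") from exc
    return {"blocked": blocked, "entries": len(entries), "networks": networks}


def validate_zone(definition, blocked=False):
    """Return None if the definition is acceptable, otherwise the error text."""
    try:
        parse_zone(definition, blocked)
    except ZoneError as exc:
        return str(exc)
    return None


def zone_matches(zone, ip):
    """True if a single address falls inside any network of the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in zone["networks"])


def blocks_request(zone, ip_chain):
    """For a blocked zone, any address in the chain (client plus proxy hops)
    that matches causes the request to be blocked. Non-blocked zones never
    block on their own."""
    if not zone["blocked"]:
        return False
    return any(zone_matches(zone, ip) for ip in ip_chain)


# Constructed zone definition mixing the three accepted entry forms and
# both separators.
ZONE_DEFINITION = """
198.51.100.0/24, 192.0.2.10
192.0.2.100-192.0.2.120
"""

if __name__ == "__main__":
    zone = parse_zone(ZONE_DEFINITION, blocked=True)
    print("entries:", zone["entries"], "networks:", [str(n) for n in zone["networks"]])
    print("chain blocked:", blocks_request(zone, ["203.0.113.5", "192.0.2.110"]))
    print("empty definition:", validate_zone(""))
```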

Related topics

IP zones

Network zones

Add IPs to a network zone from the System Log