Blocklist network zones

Admins can block IP addresses from network zones, IP zones, and dynamic zones from accessing their Okta org.

Network zones contain a list of IP addresses, and dynamic zones contain a list of locations, ASNs, or IP types.

Okta doesn't allow blocklisted IP addresses to access any of your org's URLs. Okta blocks these requests before any type of policy evaluation occurs.

HealthInsight task recommendation

Configure network blocklisting to deny known malicious IP addresses or locations access to your Okta org.

Okta recommends

Block any known untrusted IP addresses, locations, or proxy servers to limit access to your org. If your org uses IP Trust for network zones, Okta also recommends blocking any IP addresses that are identified as a Tor anonymizer proxy.

Only add IP addresses or locations that aren't associated with legitimate user activity.

Security impact

Moderate

End-user impact

Low

Legitimate users within your org see no change in behavior. Clients connecting from blocked network zones see a 403 (access denied) error.

If you've enabled the IP exempt zone feature and added IP addresses to it, traffic from those IPs may still be allowed even if you blocklist an IP using one of the following methods. See IP exempt zone evaluation.

Block specific IP addresses

Block specific IP addresses to deny access to your Okta org.

  1. In the Admin Console, go to Security > Networks.
  2. In the list of zones, click Edit for the BlockedIpZone network zone.
  3. Select Block access from IPs matching conditions listed in this zone.
  4. Click Save.

Block IP addresses in a dynamic zone

Block IP addresses in a dynamic zone from accessing your Okta org.

  1. In the Admin Console, go to Security > Networks.
  2. Click Add Zone > Dynamic Zone.
  3. Define a location or proxy type.
  4. Select Block access from IPs matching conditions listed in this zone.
  5. Click Save.

Block Tor anonymizer proxy IP addresses

Block IP addresses identified as a Tor anonymizer proxy from accessing your Okta org.

  1. In the Admin Console, go to Security > Networks.
  2. Click Add Zone > Dynamic Zone.
  3. Select Tor anonymizer proxy for IP Type.
  4. Select Block access from IPs matching conditions listed in this zone.
  5. Click Save.

Block IP service categories

Block IP service categories in an enhanced network zone from accessing your Okta org.

  1. In the Admin Console, go to Security > Networks.
  2. Select Add zone > Enhanced Dynamic Zone. The Add Enhanced Dynamic Zone dialog opens.
  3. Select one or more IP service categories.
  4. Select Block access from IPs matching conditions.
  5. Click Save.

Related topics

HealthInsight tasks and recommendations

Network zones

General Security

Blocklist proxies with high sign-in failure rates