Network Security

A network zone is a security perimeter used to limit or restrict access to a network based on a single IP address, one or more IP address ranges, or a list of geolocations. Network zones are defined and maintained by admins who wish to improve and strengthen network security for their organization and users.

 

Overview


To access network configuration, navigate to Security > Networks from the admin console.

Before getting started, note the following about network zones:

Note: Okta uses MaxMind as a geolocation data provider and Neustar as a trusted IP data provider. If you observe any issues with location or IP accuracy, contact MaxMind or Neustar directly.


Zone Types


  1. IP Zones: A type of zone where the network perimeter is defined by IP addresses (gateway IPs, optionally reached through trusted proxy IPs).
  2. Dynamic Zones: A type of zone where the network perimeter is defined by one or more of the following: geolocation, IP type (proxy type), or ISP ASN.

IP Zone Evaluation


Once an IP Zone is included in a policy, Okta verifies whether the IP chain of the request matches the gateways and proxies configured in the zone.

The following applies when the IP chain of the request contains one IP:

  • If the IP is defined as a gateway in a particular zone, Okta considers the request to be from within that zone.


The following applies when the IP chain of the request contains more than one IP:

Gateway Evaluation
  • If the IP address at the very right of the IP chain is defined as a gateway for that zone, the request is considered to be from inside that zone.
  • If the IP address at the very right of the IP chain is defined as neither a gateway nor a proxy for that zone, the request is considered not to be from inside that zone.

Proxy Evaluation
  • If the IP address at the very right of the IP chain is not defined as a gateway but is defined as a proxy, the IP to the left of the proxy is verified next and the process repeats.
  • If this IP is a gateway IP, the request is considered to be from inside that zone.
  • If it is neither a gateway IP nor a proxy IP, the IP address is not considered a match and the request is considered not to be from inside that zone.

This process of matching continues until one of the following is found:

  • An IP in the chain is a gateway (in which case the request is considered from within the zone).
  • An IP in the chain is neither a gateway nor a proxy (in which case the request is considered not to be from within the zone).


Dynamic Zone Evaluation


When a dynamic zone is included in a policy, Okta verifies whether the dynamic zone configuration (geolocation, IP type, or ASN) matches the location, proxy type, and ASN of the IP from which the request originates.


The following applies when the IP chain of the request contains one IP:

  • Okta resolves the location, proxy type, or ASN for that IP and compares it with the dynamic zone configuration (location, proxy type or ASN) to determine if the request is from within that zone.

The following applies when the IP chain of the request contains more than one IP:

Identifying the Originating Client IP

In order to identify the originating client IP for the request, the IP chain of the request is considered and compared with all the proxy IPs defined in all the IP zones for that org.

  • If the IP address to the very right of the IP chain is not defined as a proxy, it is marked as the client IP.
  • If the IP address to the very right of the IP chain is a proxy IP, evaluation of the next IP address to the left takes place until an IP that is not a proxy is discovered. This IP will be marked as the client IP.
  • Once the client IP is determined, the geo-location, proxy type and ASN for that IP is resolved and compared with the configured geo-location, proxy type, and ASN for that zone to verify if they match. If a match takes place, the request is considered to be from inside that zone.

 

 

Procedures

Configure an IP Zone


To create and configure an IP Zone:

  1. Navigate to Security > Networks.
  2. Click Add Zone > IP Zone.
  3. Enter a name for the zone. This is a required field.
  4. Enter the desired Gateway IP addresses and Proxy IP addresses. Separate IPs and IP ranges with a newline or comma and separate IPs in a range with a dash.
  5. Optional: Select Blacklist access from IPs listed in this zone to prevent matching IPs from accessing Okta.
  6. Click Save.

The following describes the entry formats for IP Zones:

Public Gateway IP addresses: Enter one per line or separate by commas. For ranges, either use a hyphen to separate the range, or use CIDR notation. Sample: 1.2.3.4, 1.2.3.6-1.2.3.7 or 192.168.0.0/24.

Proxy IP addresses: Enter one per line or separate by commas. For ranges, either use a hyphen to separate the range, or use CIDR notation. Sample: 1.2.3.11-1.2.3.14.

A request is within an IP Zone if the public IP of the request falls within the range of the configured gateway IP addresses. If the request arrives via a proxy, configure that proxy's IP address as a proxy IP. Okta then trusts the proxy IP address and attempts to match the client IP it forwarded (the next IP to the left in the chain) with the configured gateway IP addresses. Only add proxies you control: a trusted proxy's forwarded client IP is taken at face value.

Note: To configure an IP Zone for blacklisting requests, configure the blacklisted gateway IPs. Proxy IP addresses do not need to be specified.


Configure a Dynamic Zone


One of two features must be enabled before a dynamic zone can be created: Geolocation for Network Zones or IP Trust for Network Zones.

To create and configure a Dynamic Zone:

  1. Navigate to Security > Networks.
  2. Click Add Zone > Dynamic Zone.
  3. Define a location, or use any location.
  4. Define a proxy type from Any, TorAnonymizer, or NotTorAnonymizer, or leave proxy unchecked to ignore any proxy.
  5. Click Save.

Note: The accuracy of Tor proxy detection depends on a third-party vendor that identifies IP addresses used by Tor. The proxy type is only used to evaluate whether a proxy is Tor or not. If proxy is unchecked, it is simply not evaluated. A proxy IP address may still be used for resolving an end user's location if it is present in the IP chain.

Once created, Dynamic Zones may be defined by one or more of the following specifications:

Define Geolocation for a Dynamic Zone

If the Geolocation for Network Zones feature is enabled, you can also use geographical specifications when configuring the zone. The following describes the location entry formats for geographic location zones:

  • Country: enter the country code, for example US.
  • Country and Region (enter as one per line): for example California, US or Québec, CA.


Define Autonomous System Numbers (ASNs) for a Dynamic Zone

This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them; the Features page in the Okta Admin Console (Settings > Features) also allows Super Admins to enable and disable some EA features themselves. To enable this feature, contact Okta Support.

ASNs (Autonomous System Numbers) uniquely identify each network on the Internet. Internet Service Providers can apply to have one or more ASNs assigned to them. While an ISP's name can change, its assigned ASN is reserved and does not change.

This feature adds support for ASNs in Dynamic Zone configuration, which can be used as part of sign on and MFA policies, app sign on policies, VPN settings, and IWA.

The System Log in the admin dashboard identifies IP addresses flagged as suspicious. These IPs can be entered into a public ASN lookup to identify their corresponding ASN. When configuring rules for Dynamic Zones, you can specify an ASN to blacklist. Since an ASN represents an entire network of IP addresses, blacklisting an ASN reduces overhead compared to maintaining a list of multiple IP addresses. Bear in mind that an ASN also covers every other customer of that provider, so blacklisting one blocks legitimate users of the same ISP.


User impact by role:

  • Okta Admin: Can add one or multiple ASNs when creating or editing a dynamic zone used in their sign on policy.
  • End User: Based on sign on policies, users may be denied login, prompted for MFA, or receive a 403 error if the ASN associated with their ISP is deemed suspicious.


To add an ASN to a Dynamic Zone:

  1. Navigate to Security > Networks.
  2. Create a new Dynamic Zone or edit an existing one.
  3. Navigate to ISP ASNs.
  4. Use the ASN Lookup tool to retrieve the ASN.
  5. Enter the ASN to include as part of the dynamic zone.
  6. To blacklist ASNs, check Blacklist access from IPs matching conditions listed in this zone.
  7. Click Save to save your changes.
  8. Verify that the Dynamic Zone is associated with the sign on policy of your choice.


Define IP Types for a Dynamic Zone

The IP Type setting determines whether a client uses a proxy and, if so, which type of proxy.

The following settings are available to define an IP type for a Dynamic Zone:

  • Any: Ignores all proxy types. If selected, at least one of Locations or ISP ASNs must be defined.
  • Any proxy: Matches clients that use either a Tor anonymizer proxy or a non-Tor anonymizer proxy.
  • Tor anonymizer proxy: Matches clients that use a Tor anonymizer proxy.
  • Not Tor anonymizer proxy: Matches clients that use non-Tor proxy types.

Delete a Network Zone


When an IP Zone or Dynamic Zone is deleted, all rules that use the deleted zone are affected.

  • If the zone to delete is the only zone in any rule, you cannot delete it and an error message is shown. Edit the rule to use a different zone, then perform the deletion again.
  • If the zone to delete is not the only zone in any rule, you can delete the zone. It is removed from all the rules where it is specified.

Blacklist a Network Zone


Both IP Zones and Dynamic Zones can be blacklisted. If a zone is blacklisted, clients in that zone cannot access any URL for the org; their requests are blocked automatically before any policy evaluation takes place.

To blacklist a network zone:

  1. From the admin console, navigate to Security > Networks.
  2. In the list of existing zones, click Edit for the zone you wish to modify.
  3. To blacklist the zone, select Blacklist access from IPs matching conditions in this zone.
  4. Click Save to continue.

Note: Two network zones are created by default when the Multiple Network Zones feature is enabled. One of them can be used for blacklisting IPs.


Define a Network Zone for IWA


When evaluating IWA logins, Okta checks that the login is from the configured zones. You can edit the configuration and choose any desired zones, or choose All Zones as you do in policies.

When an IWA agent is configured, the IP address of the client is added to the LegacyIpZone. The LegacyIpZone is the only zone configured by default.

Note: You can define up to 20 network zones for IWA.


Generate a Proxy IP Report


A report of proxy IP addresses can be generated to help you identify which proxies can be configured in IP zones. This information is used by Okta to correctly identify the client IP where the request originated. The proxy report lists all proxy IP addresses that have been used to connect to your Okta org, including proxies that may or may not be trusted.

Note: Due to the possibility that some proxy IP addresses may potentially be malicious, ensure that any IP you add as a trusted proxy is trustworthy.

To obtain the list from your dashboard, navigate to Reports > Proxies. For more information, refer to Reports.


Edit a Legacy Network Zone


If you have already defined Public Gateway IP Addresses, the information is migrated to a zone named LegacyIpZone. You cannot delete this zone, but you can edit it.

For existing rules, LegacyIpZone retains the previous settings. This zone is still active and can be used in new assignments.

Note: You can define a maximum of 5000 legacy network zones.


Add IPs to a Network Zone from the System Log


It is possible to add an IP address that appears in a System Log event to an existing Network Zone. This saves time: you do not need to copy the IP address and navigate to the Networks menu. You must have Super Admin or Org Admin permissions to do this.

To add an IP address to a network zone while viewing the System Log:

  1. Locate the event and IP address in the System Log.
  2. Click the More icon and select Add to zone.
  3. In the Add to IP zone dialog, fill in the following:
    • Add to zone: Select the network zone to add the IP address to.
    • IP type: Select Proxy or Gateway.
  4. Click Save.

Add a Network Zone to Sign-On Policies


Navigate to Security > Authentication to enter rules for sign-on policies based on a specified network zone.

If a User is located: Select one of the following: Anywhere, In zone, or Not in zone.

If you check All Zones, all of your defined zones are selected, and the Zones box below it is no longer visible.

If you do not check All Zones, type a zone name in the Zones box. A dropdown list appears containing all existing zones whose name contains the text you entered anywhere in the name. You can choose any number of zones. For example, searching for the letter t lists every zone whose name contains t; if only one zone is found, you still must select it to make it active.