Blacklist network zones

To deny access to your Okta tenant, you can blacklist a network zone, such as an IP zone or a dynamic zone. IP zones contain a list of IP addresses. Dynamic zones contain a list of locations, ASNs, or IP types.

If a network zone is blacklisted, clients from that zone cannot access any URL for the org, and their requests are automatically blocked prior to any type of policy evaluation.

 

HealthInsight: Why is this task recommended?


This is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Configure network blacklisting to deny access to your Okta tenant from known malicious IP addresses or locations.

Security impact: Moderate

End-user impact: Low

Okta recommends: Blacklist any known untrusted IPs, locations, or proxy servers to limit access to your org. If your org uses IP Trust for Network Zones, Okta also recommends blacklisting any IPs that are identified as a Tor Anonymizer Proxy.

 

End-user experience and impact


Legitimate users within your org will see no change in behavior. Clients connecting from blacklisted network zones will see a 403 (access denied) error.

Note: Only add IP addresses or locations that are not associated with legitimate user activity.
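
A pre-change check for the note above, as an added example that is not Okta's code: it compares the entries you plan to blacklist with the source IPs of successful sign-ins and reports any overlap. The event fields (`ip`, `user`, `outcome`), the sample data, and the accepted entry formats (single IP, CIDR, `start-end` range) are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (documentation address ranges, not real data).
CANDIDATES = ["203.0.113.7", "198.51.100.0/24",
              "192.0.2.10-192.0.2.20", "2001:db8:dead::/48"]
SIGNINS = [  # hypothetical export of sign-in events
    {"ip": "198.51.100.23", "user": "alice@example.com", "outcome": "SUCCESS"},
    {"ip": "192.0.2.15", "user": "bob@example.com", "outcome": "FAILURE"},
    {"ip": "192.0.2.20", "user": "carol@example.com", "outcome": "SUCCESS"},
    {"ip": "203.0.113.8", "user": "dave@example.com", "outcome": "SUCCESS"},
    {"ip": "2001:db8:beef::1", "user": "erin@example.com", "outcome": "SUCCESS"},
    {"ip": "198.51.100.200", "user": "alice@example.com", "outcome": "SUCCESS"},
]

def to_networks(entry):
    """Turn one candidate entry (IP, CIDR, or 'start-end') into networks."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # Raises ValueError if the range is reversed or mixes IPv4 and IPv6.
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]

def find_conflicts(candidates, signins):
    """Map each candidate entry to users who signed in successfully from it.

    Failed sign-ins are ignored: they do not show legitimate use of an IP.
    """
    parsed = [(c, to_networks(c)) for c in candidates]
    conflicts = defaultdict(set)
    for event in signins:
        if event["outcome"] != "SUCCESS":
            continue
        ip = ipaddress.ip_address(event["ip"])
        for entry, nets in parsed:
            if any(ip.version == n.version and ip in n for n in nets):
                conflicts[entry].add(event["user"])
    return {entry: sorted(users) for entry, users in conflicts.items()}

if __name__ == "__main__":
    found = find_conflicts(CANDIDATES, SIGNINS)
    for entry in CANDIDATES:
        users = found.get(entry)
        status = "REVIEW, used by " + ", ".join(users) if users else "no overlap"
        print(f"{entry:24} {status}")
```

An entry flagged for review is not necessarily safe to keep out of the zone, since a successful sign-in can also come from a compromised account; it only means the entry needs a closer look before it is blacklisted.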

 

Procedure


From the admin console, navigate to Security > Networks.

 

To blacklist specific IP addresses:

  1. In the list of existing zones, click Edit for the BlockedIpZone Network Zone.
  2. To blacklist the zone, select Blacklist access from IPs matching conditions in this zone.
  3. Click Save to continue.

 

To blacklist a Dynamic Zone:

  1. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
  2. Define a location or proxy type.
  3. To blacklist the zone, select Blacklist access from IPs matching conditions in this zone.

    Blacklisting an IP zone from the admin console.

  4. Click Save to continue.

 

To blacklist IPs identified as a Tor Anonymizer Proxy:

  1. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
  2. Select Tor anonymizer proxy for IP Type.
  3. To blacklist the zone, select Blacklist access from IPs matching conditions in this zone.
  4. Click Save to continue.

 
