Blocklist Network Zones

Admins can deny access to your Okta tenant by blocking a Network Zone, such as an IP Zone or Dynamic Zone. IP Zones contain a list of IP addresses, while Dynamic Zones contain a list of locations, ASNs, or IP types. If a Network Zone is blocklisted, clients from that zone cannot access any URL for the org, and their requests are automatically blocked prior to any type of policy evaluation.

HealthInsight task recommendation

Configure network blocklisting to deny access to your Okta tenant from known malicious IP addresses or locations.

Okta recommends

Block any known untrusted IPs, locations, or proxy servers to limit access to your org. If your org uses IP Trust for Network Zones, Okta also recommends blocking any IPs that are identified as a Tor anonymizer proxy.

Only add IP addresses or locations that are not associated with legitimate user activity.

Security impact

Moderate

End-user impact

Low

Legitimate users within your org will see no change in behavior. Clients connecting from blocked Network Zones will see a 403 (access denied) error.

Block specific IP addresses

Block specific IP addresses to deny access to your Okta tenant.

  1. From the Admin Console, navigate to Security > Networks.
  2. In the list of existing zones, click Edit for the BlockedIpZone Network Zone.
  3. To block the zone, select Block access from IPs matching conditions listed in this zone.
  4. Click Save to continue.
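
One way to act on the recommendation to add only addresses that are not associated with legitimate user activity, before putting entries into the blocked IP zone: this added Python example (not Okta's code) checks candidate IPs or CIDR ranges against sign-in events and holds back any range that saw a successful sign-in. The event fields (`ip`, `user`, `result`) and the sample data are constructed assumptions, not an Okta log format.

```python
import ipaddress

# Constructed sample of sign-in events using documentation-range IPs.
# The field names are assumptions; map them from your own sign-in log export.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.7",   "user": "alice@example.com", "result": "SUCCESS"},
    {"ip": "203.0.113.7",   "user": "bob@example.com",   "result": "FAILURE"},
    {"ip": "198.51.100.23", "user": "carol@example.com", "result": "FAILURE"},
    {"ip": "198.51.100.23", "user": "dave@example.com",  "result": "FAILURE"},
    {"ip": "192.0.2.44",    "user": "erin@example.com",  "result": "SUCCESS"},
    {"ip": "not-an-ip",     "user": "unknown",           "result": "FAILURE"},
]


def vet_blocklist(candidates, events):
    """Split candidate IPs/CIDRs into (safe_to_block, conflicts).

    conflicts maps a candidate to the sorted list of users who signed in
    successfully from inside it. Raises ValueError on a malformed candidate,
    so a typo never silently ends up in the zone.
    """
    nets = [(raw, ipaddress.ip_network(raw, strict=False)) for raw in candidates]
    conflicts = {}
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue  # failed sign-ins are not evidence of legitimate use
        try:
            addr = ipaddress.ip_address(ev["ip"])
        except ValueError:
            continue  # malformed address in the log; nothing to match
        for raw, net in nets:
            if addr in net:  # False when IP versions differ
                conflicts.setdefault(raw, set()).add(ev["user"])
    safe = [raw for raw, _ in nets if raw not in conflicts]
    return safe, {raw: sorted(users) for raw, users in conflicts.items()}


if __name__ == "__main__":
    candidates = ["203.0.113.0/24", "198.51.100.23", "2001:db8::/32"]
    safe, conflicts = vet_blocklist(candidates, SAMPLE_EVENTS)
    print("Add to blocked zone:", safe)
    for raw, users in conflicts.items():
        print(f"Review before blocking {raw}: successful sign-ins by {users}")
```

Candidates reported as conflicts are worth narrowing to a smaller range or investigating before they go into the blocked zone.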

Block a Dynamic Zone

Block a Dynamic Zone from accessing your Okta tenant.

  1. From the Admin Console, navigate to Security > Networks.
  2. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
  3. Define a location or proxy type.
  4. To block the zone, select Block access from IPs matching conditions listed in this zone.

  5. Click Save to continue.

Block IPs identified as a Tor anonymizer proxy

Block IPs identified as a Tor anonymizer proxy.

  1. From the Admin Console, navigate to Security > Networks.
  2. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
  3. Select Tor anonymizer proxy for IP Type.
  4. To block the zone, select Block access from IPs matching conditions listed in this zone.
  5. Click Save to continue.

Related topics

HealthInsight tasks and recommendations

About Network Zones

General Security

Blocklist proxies with high sign-in failure rates