Blocklist network zones

Admins can block access to their Okta org from IP addresses in network zones, IP zones, and dynamic zones.

Network zones contain a list of IP addresses, and dynamic zones contain a list of locations, ASNs, or IP types.

Okta doesn't allow blocklisted IP addresses to access any of your org's URLs. Okta blocks these requests before any type of policy evaluation occurs.

HealthInsight task recommendation

Configure network blocklisting to deny known malicious IP addresses or locations access to your Okta org.

Okta recommends

Block any known untrusted IP addresses, locations, or proxy servers to limit access to your org. If your org uses IP Trust for network zones, Okta also recommends blocking any IP addresses that are identified as a Tor anonymizer proxy.

Only add IP addresses or locations that aren't associated with legitimate user activity.

Security impact

Moderate

End-user impact

Low

Legitimate users within your org see no change in behavior. Clients connecting from blocked network zones see a 403 (access denied) error.

Block specific IP addresses

Block specific IP addresses to deny access to your Okta org.

  1. In the Admin Console, go to Security > Networks.
  2. In the list of zones, click Edit for the BlockedIpZone network zone.
  3. Select Block access from IPs matching conditions listed in this zone.
  4. Click Save.
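
The recommendation above is to add only IP addresses that aren't associated with legitimate user activity. The following added example (not Okta's code) checks candidate blocklist entries against successful sign-in events before they go into BlockedIpZone. The event records are constructed, and the field names client.ipAddress, outcome.result and actor.alternateId are assumed to match your System Log export.

```python
import ipaddress

# Constructed sample events using documentation address ranges; not real data.
# Assumption: records carry the System Log fields used below.
SAMPLE_EVENTS = [
    {"outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.23"}},
    {"outcome": {"result": "FAILURE"}, "actor": {"alternateId": "unknown"},
     "client": {"ipAddress": "203.0.113.7"}},
    {"outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "192.0.2.200"}},
    {"outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "2001:db8::15"}},
    {"outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "svc@example.com"},
     "client": {}},  # event with no client IP recorded
]
# Constructed candidate entries (single IPs or CIDR ranges) proposed for blocking.
CANDIDATES = ["198.51.100.0/24", "203.0.113.7", "192.0.2.0/25",
              "2001:db8::/64", "not-an-ip"]

def vet_candidates(candidates, events):
    """Split candidates into (safe, conflicts, invalid).

    conflicts maps a candidate to the users who signed in successfully from it."""
    good_ips = {}  # ip address -> set of users with a successful sign-in
    for ev in events:
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        try:
            ip = ipaddress.ip_address(ev.get("client", {}).get("ipAddress") or "")
        except ValueError:
            continue  # missing or malformed address: nothing to compare
        good_ips.setdefault(ip, set()).add(ev["actor"]["alternateId"])
    safe, conflicts, invalid = [], {}, []
    for cand in candidates:
        try:
            net = ipaddress.ip_network(cand, strict=False)
        except ValueError:
            invalid.append(cand)
            continue
        users = set()
        for ip, who in good_ips.items():
            if ip.version == net.version and ip in net:
                users |= who
        if users:
            conflicts[cand] = sorted(users)
        else:
            safe.append(cand)
    return safe, conflicts, invalid

if __name__ == "__main__":
    print(vet_candidates(CANDIDATES, SAMPLE_EVENTS))
```

Entries returned in conflicts would lock out the listed users with a 403 if blocked, so review them before saving the zone.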

Block IP addresses in a dynamic zone

Block IP addresses in a dynamic zone from accessing your Okta org.

  1. In the Admin Console, go to Security > Networks.
  2. Click Add Zone > Dynamic Zone.
  3. Define a location or proxy type.
  4. Select Block access from IPs matching conditions listed in this zone.
  5. Click Save.

Block Tor anonymizer proxy IP addresses

Block IP addresses identified as a Tor anonymizer proxy from accessing your Okta org.

  1. In the Admin Console, go to Security > Networks.
  2. Click Add Zone > Dynamic Zone.
  3. Select Tor anonymizer proxy for IP Type.
  4. Select Block access from IPs matching conditions listed in this zone.
  5. Click Save.

Related topics

HealthInsight tasks and recommendations

Network zones

General Security

Blocklist proxies with high sign-in failure rates