Block list Network Zones
Admins can deny access to your Okta tenant by block listing a Network Zone, such as an IP Zone or a Dynamic Zone. IP Zones contain a list of IP addresses, while Dynamic Zones contain a list of locations, ASNs, or IP types. If a Network Zone is block listed, clients from that zone cannot access any URL for the org, and their requests are automatically blocked before any type of policy evaluation.

Note
Okta is focused on the adoption of inclusive language and communication. Some long-standing industry terminology and expressions have been updated as part of this initiative. In this topic,
- blacklist is now referred to as block list
- blacklisting is now referred to as block listing
- blacklisted is now referred to as block listed
HealthInsight task recommendation
Configure network block listing to deny access to your Okta tenant from known malicious IP addresses or locations.
| Okta recommends | Block list any known untrusted IPs, locations, or proxy servers to limit access to your org. If your org uses IP Trust for Network Zones, Okta also recommends block listing any IPs that are identified as a Tor anonymizer proxy. Only add IP addresses or locations that are not associated with legitimate user activity. |
| Security impact | Moderate |
| End-user impact | Low. Legitimate users within your org will see no change in behavior. Clients connecting from block listed Network Zones will see a 403 (access denied) error. |
Block list specific IP addresses
Block list specific IP addresses to deny access to your Okta tenant.
- From the Admin Console, navigate to Security > Networks.
- In the list of existing zones, click Edit for the BlockedIpZone Network Zone.
- To block list the zone, select Block access from IPs matching conditions listed in this zone.
- Click Save to continue.
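Added example, not part of Okta's documentation: because block listed zones are denied before any policy evaluation, this pre-flight check compares proposed block list entries against legitimate activity before they are entered in the zone. The function name, the input lists, and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

def preflight_blocklist(candidates, legit_networks, recent_legit_ips):
    """Return (safe, conflicts) for proposed block list entries.

    conflicts maps an entry to the reasons it should not be added as-is.
    """
    legit_nets = [ipaddress.ip_network(n, strict=False) for n in legit_networks]
    legit_ips = [ipaddress.ip_address(i) for i in recent_legit_ips]
    safe, conflicts = [], {}
    for entry in candidates:
        try:
            # Accept single IPs ("203.0.113.7") and CIDR ranges alike.
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            conflicts[entry] = ["not a valid IP address or CIDR"]
            continue
        reasons = [
            f"overlaps legitimate range {ln}"
            for ln in legit_nets
            if ln.version == net.version and net.overlaps(ln)
        ]
        hits = [str(ip) for ip in legit_ips
                if ip.version == net.version and ip in net]
        if hits:
            reasons.append("contains recent legitimate sign-in IPs: " + ", ".join(hits))
        if reasons:
            conflicts[entry] = reasons
        else:
            safe.append(entry)
    return safe, conflicts

# Constructed sample data (RFC 5737 / RFC 3849 documentation addresses).
CANDIDATES = ["203.0.113.7", "198.51.100.0/24", "192.0.2.128/25",
              "2001:db8:bad::/48", "not-an-ip"]
LEGIT_NETWORKS = ["192.0.2.0/24"]  # hypothetical office egress range
RECENT_LEGIT_IPS = ["198.51.100.23", "2001:db8:1::5"]  # hypothetical sign-in sources

if __name__ == "__main__":
    safe, conflicts = preflight_blocklist(CANDIDATES, LEGIT_NETWORKS, RECENT_LEGIT_IPS)
    print("safe to add:", safe)
    for entry, reasons in conflicts.items():
        print("review first:", entry, "->", "; ".join(reasons))
```

Entries reported under "review first" either overlap a known legitimate range or cover an address that recently signed in successfully, so adding them would return a 403 to real users.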
Block list a Dynamic Zone
Block list a Dynamic Zone from accessing your Okta tenant.
- From the Admin Console, navigate to Security > Networks.
- Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
- Define a location or proxy type.
- To block list the zone, select Block access from IPs matching conditions listed in this zone.
- Click Save to continue.
Block list IPs identified as a Tor anonymizer proxy
Block list IPs identified as a Tor anonymizer proxy.
- From the Admin Console, navigate to Security > Networks.
- Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
- Select Tor anonymizer proxy for IP Type.
- To block list the zone, select Block access from IPs matching conditions listed in this zone.
- Click Save to continue.