Block list Network Zones

Admins can deny access to your Okta tenant from a Network Zone, such as an IP Zone or Dynamic Zone, by block listing it. IP Zones contain a list of IP addresses, while Dynamic Zones contain a list of locations, ASNs, or IP types. If a Network Zone is block listed, clients in that zone cannot access any URL for the org; their requests are blocked automatically before any type of policy evaluation takes place.

Note

Okta is focused on the adoption of inclusive language and communication. Some long-standing industry terminology and expressions have been updated as part of this initiative. In this topic,

  • blacklist is now referred to as block list
  • blacklisting is now referred to as block listing
  • blacklisted is now referred to as block listed

HealthInsight task recommendation

Configure network block listing to deny known malicious IP addresses or locations access to your Okta tenant.

Okta recommends

Block list any known untrusted IPs, locations, or proxy servers to limit access to your org. If your org uses IP Trust for Network Zones, Okta also recommends block listing any IPs that are identified as a Tor anonymizer proxy.

Only add IP addresses or locations that are not associated with legitimate user activity.

Security impact

Moderate

End-user impact

Low

Legitimate users within your org will see no change in behavior. Clients connecting from block listed Network Zones will see a 403 (access denied) error.

Block list specific IP addresses

Block list specific IP addresses to deny access to your Okta tenant.

  1. From the Admin Console, navigate to Security > Networks.
  2. In the list of existing zones, click Edit for the BlockedIpZone Network Zone.
  3. To block list the zone, select Block access from IPs matching conditions listed in this zone.
  4. Click Save to continue.

Block list a Dynamic Zone

Block list a Dynamic Zone from accessing your Okta tenant.

  1. From the Admin Console, navigate to Security > Networks.
  2. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
  3. Define a location or proxy type.
  4. To block list the zone, select Block access from IPs matching conditions listed in this zone.

    (Image: Blacklisting an IP zone from the Admin Console.)

  5. Click Save to continue.

Block list IPs identified as a Tor anonymizer proxy

Block list IPs identified as a Tor anonymizer proxy.

  1. From the Admin Console, navigate to Security > Networks.
  2. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
  3. Select Tor anonymizer proxy for IP Type.
  4. To block list the zone, select Block access from IPs matching conditions listed in this zone.
  5. Click Save to continue.
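The two procedures above (block listing specific IPs, and block listing Tor anonymizer proxies through a Dynamic Zone) expressed as Okta Zones API objects, plus an audit that separates zones that actually block from zones that only feed policy conditions. This is an added example, not Okta's own code or code from this topic; the org URL and API token are placeholders, and the field names follow the public Zones API as I know it, so confirm them against the API reference before relying on them.

```python
"""Express this topic's block lists as Okta Zones API objects and audit them.

Added example, not Okta's own code. Field names follow the public Zones API
(GET/POST /api/v1/zones); ORG_URL and API_TOKEN are placeholders read from
the environment.
"""
import json
import os
import urllib.request

ORG_URL = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")  # placeholder
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "")                       # placeholder


def tor_blocklist_zone(name="Tor anonymizer proxies"):
    """Dynamic Zone payload equivalent to 'IP Type: Tor anonymizer proxy' with
    'Block access from IPs matching conditions listed in this zone'."""
    return {"type": "DYNAMIC", "name": name, "usage": "BLOCKLIST",
            "proxyType": "TorAnonymizer", "locations": [], "asns": []}


def ip_blocklist_zone(name, cidrs):
    """IP Zone payload: block list the given CIDR gateways."""
    return {"type": "IP", "name": name, "usage": "BLOCKLIST",
            "gateways": [{"type": "CIDR", "value": c} for c in cidrs],
            "proxies": []}


def audit_zones(zones):
    """Return (blocking, non_blocking) zone names.

    Only an ACTIVE zone with usage=BLOCKLIST triggers the pre-policy 403 described
    in this topic; a usage=POLICY zone merely feeds sign-on policy conditions, and
    an INACTIVE block list zone blocks nothing.
    """
    blocking = [z["name"] for z in zones
                if z.get("usage") == "BLOCKLIST" and z.get("status") == "ACTIVE"]
    non_blocking = [z["name"] for z in zones if z["name"] not in blocking]
    return blocking, non_blocking


def okta_request(method, path, body=None):
    """Minimal SSWS-authenticated call; only used when a token is configured."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ORG_URL + path, data=data, method=method, headers={
        "Authorization": "SSWS " + API_TOKEN, "Accept": "application/json",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__" and API_TOKEN:
    print("block listing:", audit_zones(okta_request("GET", "/api/v1/zones"))[0])
    print(okta_request("POST", "/api/v1/zones", tor_blocklist_zone()))
```

Run the audit first against your own org: a zone that was meant to block but is INACTIVE or still set to usage=POLICY shows up in the second list.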

Related topics

HealthInsight tasks and recommendations

About Network Zones

General Security

Block list proxies with high sign-in failure rates