About Dynamic Zones

Dynamic Zones allow you to define network perimeters based on location, IP address type, and autonomous system number (ASN).

Location

A location is defined as either a country or a country and region. If a country is included without a region, the entire country is considered. You can specify a single location, multiple locations, or no locationor a Dynamic Zone. If no location is defined for a Dynamic Zone, all locations are considered to be within that Dynamic Zone. A single Dynamic Zone cannot include two locations that contain each other, such as US and California, US.

You should note that continents are not intended to be used as region definitions. The Europe and Asia/Pacific codes are only used if you have not selected a specific country code. If you want to include all of the countries in Europe or in Asia/Pacific, you should choose all of those countries individually. If you choose Europe or Asia/Pacific and do not specify individual countries, only requests from countries that do not have a designated country code are returned as a match by the geolocation provider. Used alone, Europe and Asia/Pacific are treated as generic codes for undesignated regions rather than inclusive of the countries they contain.

The location is determined based on the IP of the request using MaxMind as the geolocation provider.

An update to the universal ISO standard for region codes and country codes has resulted in some discrepancies between new codes for China and the codes that are displayed in Okta. As a result, we recommend updating your region codes for China by editing any affected Dynamic Zone to prevent any issues.

For issues with location accuracy, contact MaxMind directly. See MaxMind. Some examples of valid locations are:

Location Entry
Country

US

Country and Region (enter as one per line)

California, US

Quebec, CA

IP Type

The IP Type determines if the request is from a proxy and if so, which type of proxy the request is from. The IP Type is determined based on the IP of the request using Neustar. For issues with IP Type accuracy, contact Neustar directly. See Neustar. Define one IP Type for a Dynamic Zone.

IP Type Description
Any

All IP Types are considered to be within the Dynamic Zone.

Any proxy

Requests coming from any anonymizing proxy, including Tors and non-Tors, are considered to be within the Dynamic Zone.

Tor anonymizer proxy

Requests coming from Tor anonymizing proxies are considered to be within the Dynamic Zone.

Not Tor anonymizer proxy

Requests coming from non-Tor anonymizing proxies are considered to be within the Dynamic Zone.

ASN

ASN are used to uniquely identify each network on the Internet. Internet Service Providers can apply to obtain one or multiple ASNs assigned to them. While an ISP name can change, their assigned ASN is reserved and immutable. One ASN, multiple ASNs or no ASNs can be defined for a Network Zone. If no ASN is provided, all ASNs are considered to be within the Dynamic Zone.

Since the ASN represents an entire network of IP addresses, specifying an ASN can help you reduce overhead as an alternative to entering a list of multiple IP addresses. You can use online ASN lookup tools to find the ASN for a given IP address. For an example of an ASN Lookup tool, see DNSChecker.

Dynamic Zone evaluation

When a Dynamic Zone is included in a policy, Okta verifies if the Dynamic Zone configuration (geolocation, IP Type, or ASN) matches the location, proxy type and ASN of the IP where the request originates.

The following applies when the IP chain of the request contains one IP:

  • Okta resolves the location, proxy type, or ASN for that IP and compares it with the Dynamic Zone configuration (location, proxy type or ASN) to determine if the request is from within that Dynamic Zone.

The following applies when the IP chain of the request contains more than one IP:

  • Okta attempts to identify the client IP where the request originated as described next in Identifying the Originating Client IP.

Identifying the Originating Client IP

In order to identify the originating client IP for the request, the IP chain of the request is considered and compared with all the proxy IPs defined in all the IP zones for that org.

  • If the IP address to the very right of the IP chain is not defined as a proxy, it is marked as the client IP.
  • If the IP address to the very right of the IP chain is a proxy IP, evaluation of the next IP address to the left takes place until an IP that is not a proxy is discovered. This IP will be marked as the client IP.
  • Once the client IP is determined, the geo-location, proxy type and ASN for that IP is resolved and compared with the configured geo-location, proxy type, and ASN for that zone to verify if they match. If a match takes place, the request is considered to be from inside that zone.

Dynamic Zone Evaluation example

IP Chain All proxies defined for the org Client IP where the request originated
1.1.1.1 Empty 1.1.1.1
1.1.1.1 1.1.1.1 1.1.1.1
1.1.1.1 2.2.2.2 1.1.1.1
 
1.1.1.1, 2.2.2.2 Empty 2.2.2.2
1.1.1.1, 2.2.2.2 2.2.2.2 1.1.1.1
1.1.1.1, 2.2.2.2 3.3.3.3 2.2.2.2
1.1.1.1, 2.2.2.2 1.1.1.1 2.2.2.2
1.1.1.1, 2.2.2.2, 3.3.3.3 3.3.3.3, 2.2.2.2 1.1.1.1
1.1.1.1, 2.2.2.2, 3.3.3.3 3.3.3.3 2.2.2.2
1.1.1.1, 2.2.2.2, 3.3.3.3 4.4.4.4 3.3.3.3

Related topics

About Network Zones

Create a Dynamic Zone

Define geolocation for a Dynamic Zone

Define IP Types for a Dynamic Zone

Define ASN for a Dynamic Zone