About Dynamic Zones

Dynamic Zones allows admins to define network perimeters around location, IP Type and Autonomous System Number (ASN).

Location

A location is defined as either a country or a country and region. If a country is included without a region, the entire country is considered. One location, multiple locations or no location can be specified for a Dynamic Zone. If no location is defined for a Dynamic Zone, all locations are considered to be within that Dynamic Zone. A single Dynamic Zone cannot include two locations that contain each other, such as US and California, US. The location is determined based on the IP of the request using MaxMind.

An update to the universal ISO standard for region codes and country codes has resulted in some discrepancies between new codes for China and the codes that are displayed in Okta. As a result, we recommend updating your region codes for China by editing any affected Dynamic Zone to prevent any issues.

For issues with location accuracy, contact MaxMind directly. See MaxMind. Some examples of valid locations are:

Location Entry
Country

US

Country and Region (enter as one per line)

California, US

Quebec, CA

IP Type

The IP Type determines if the request is from a proxy and if so, which type of proxy the request is from. The IP Type is determined based on the IP of the request using Neustar. For issues with IP Type accuracy, contact Neustar directly. See Neustar. Define one IP Type for a Dynamic Zone.

IP Type Description
Any

All IP Types are considered to be within the Dynamic Zone.

Any proxy

Requests coming from any anonymizing proxy, including Tors and non-Tors, are considered to be within the Dynamic Zone.

Tor anonymizer proxy

Requests coming from Tor anonymizing proxies are considered to be within the Dynamic Zone.

Not Tor anonymizer proxy

Requests coming from non-Tor anonymizing proxies are considered to be within the Dynamic Zone.

ASN

ASN are used to uniquely identify each network on the Internet. Internet Service Providers can apply to obtain one or multiple ASNs assigned to them. While an ISP name can change, their assigned ASN is reserved and immutable. One ASN, multiple ASNs or no ASNs can be defined for a Network Zone. If no ASN is provided, all ASNs are considered to be within the Dynamic Zone.

Since the ASN represents an entire network of IP addresses, specifying an ASN can help you reduce overhead as an alternative to entering a list of multiple IP addresses. Use the ASN Lookup link in the Admin Console to obtain the ASN for a given IP address. For an example of an ASN Lookup, see DNSChecker. The ASN is determined based on the IP of the request using Neustar. For issues with ASN accuracy, contact Neustar directly.

Dynamic Zone evaluation

When a Dynamic Zone is included in a policy, Okta verifies if the Dynamic Zone configuration (geolocation, IP Type, or ASN) matches the location, proxy type and ASN of the IP where the request originates.

The following applies when the IP chain of the request contains one IP:

  • Okta resolves the location, proxy type, or ASN for that IP and compares it with the Dynamic Zone configuration (location, proxy type or ASN) to determine if the request is from within that Dynamic Zone.

The following applies when the IP chain of the request contains more than one IP:

  • Okta attempts to identify the client IP where the request originated as described next in Identifying the Originating Client IP.

Identifying the Originating Client IP

In order to identify the originating client IP for the request, the IP chain of the request is considered and compared with all the proxy IPs defined in all the IP zones for that org.

  • If the IP address to the very right of the IP chain is not defined as a proxy, it is marked as the client IP.
  • If the IP address to the very right of the IP chain is a proxy IP, evaluation of the next IP address to the left takes place until an IP that is not a proxy is discovered. This IP will be marked as the client IP.
  • Once the client IP is determined, the geo-location, proxy type and ASN for that IP is resolved and compared with the configured geo-location, proxy type, and ASN for that zone to verify if they match. If a match takes place, the request is considered to be from inside that zone.

Dynamic Zone Evaluation example

IP Chain All proxies defined for the org Client IP where the request originated
1.1.1.1 Empty 1.1.1.1
1.1.1.1 1.1.1.1 1.1.1.1
1.1.1.1 2.2.2.2 1.1.1.1
 
1.1.1.1, 2.2.2.2 Empty 2.2.2.2
1.1.1.1, 2.2.2.2 2.2.2.2 1.1.1.1
1.1.1.1, 2.2.2.2 3.3.3.3 2.2.2.2
1.1.1.1, 2.2.2.2 1.1.1.1 2.2.2.2
1.1.1.1, 2.2.2.2, 3.3.3.3 3.3.3.3, 2.2.2.2 1.1.1.1
1.1.1.1, 2.2.2.2, 3.3.3.3 3.3.3.3 2.2.2.2
1.1.1.1, 2.2.2.2, 3.3.3.3 4.4.4.4 3.3.3.3

Related topics

About Network Zones

Create a Dynamic Zone

About IP Zones

Define geolocation for a Dynamic Zone

Define IP Types for a Dynamic Zone

Define ASN for a Dynamic Zone