About Dynamic Zones
Dynamic Zones enable admins to define network perimeters around location, IP Type and Autonomous System Number (ASN).
A location is defined as either a country or a country and region. If a country is included without a region, the entire country is considered. One location, multiple locations or no location can be specified for a Dynamic Zone. If no location is defined for a Dynamic Zone, all locations are considered to be within that Dynamic Zone. A single Dynamic Zone cannot include two locations that contain each other, such as US and California, US. The location is determined based on the IP of the request using MaxMind. For issues with location accuracy, contact MaxMind directly. Some examples of valid locations are:
|Country and Region (enter as one per line)||
The IP Type determines whether the request comes from a proxy and, if so, which type of proxy. The IP Type is determined from the IP of the request using Neustar. For issues with IP Type accuracy, contact Neustar directly. Define one IP Type for a Dynamic Zone.
| IP Type | Description |
|---|---|
| Any | All IP Types are considered to be within the Dynamic Zone. |
| Any anonymizer proxy | Requests coming from any anonymizing proxy, Tor and non-Tor alike, are considered to be within the Dynamic Zone. |
| Tor anonymizer proxy | Requests coming from Tor anonymizing proxies are considered to be within the Dynamic Zone. |
| Not Tor anonymizer proxy | Requests coming from non-Tor anonymizing proxies are considered to be within the Dynamic Zone. |
ASNs are used to uniquely identify each network on the Internet. Internet Service Providers can apply to have one or more ASNs assigned to them. While an ISP's name can change, its assigned ASN is reserved and immutable. One ASN, multiple ASNs or no ASN can be defined for a Dynamic Zone. If no ASN is provided, all ASNs are considered to be within the Dynamic Zone.
Since the ASN represents an entire network of IP addresses, specifying an ASN can help you reduce overhead as an alternative to entering a list of multiple IP addresses. Use the ASN Lookup link in the Admin Console to obtain the ASN for a given IP address. The ASN is determined based on the IP of the request using Neustar. For issues with ASN accuracy, contact Neustar directly.
When a Dynamic Zone is included in a policy, Okta checks whether the Dynamic Zone configuration (geolocation, IP Type, or ASN) matches the location, proxy type and ASN of the IP where the request originates.
The following applies when the IP chain of the request contains one IP:
- Okta resolves the location, proxy type, or ASN for that IP and compares it with the Dynamic Zone configuration (location, proxy type or ASN) to determine if the request is from within that Dynamic Zone.
The following applies when the IP chain of the request contains more than one IP:
- Okta attempts to identify the client IP where the request originated as described in the following section.
To identify the originating client IP for the request, each IP in the request's IP chain is compared with all the proxy IPs defined in all the IP Zones for that org.
- If the rightmost IP address in the IP chain is not defined as a proxy, it is marked as the client IP.
- If the rightmost IP address in the IP chain is a proxy IP, the next IP address to the left is evaluated, and so on, until an IP that is not a proxy is found. That IP is marked as the client IP.
After the client IP is determined, the geolocation, proxy type and ASN for that IP are resolved and compared with the geolocation, proxy type and ASN configured for that Dynamic Zone. If they match, the request is considered to be from inside that Dynamic Zone.
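The zone semantics described above (empty location or ASN list means "all", one IP Type per zone, no two locations that contain each other) and the right-to-left client IP walk can be exercised end to end in a small model. The following is an added example written for this page, not Okta's own code: the `IP_FACTS` table is a constructed stand-in for the MaxMind and Neustar lookups, the IP Type strings are assumed labels, and the behaviour for a multi-IP chain made up entirely of org-defined proxies (no client IP, so no match) is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the MaxMind (location) and Neustar (proxy type, ASN)
# lookups: IP -> (country, region, proxy type or None, ASN). All values are made up.
IP_FACTS = {
    "203.0.113.10": ("US", "California", None, 64500),
    "203.0.113.20": ("US", "Texas", None, 64500),
    "198.51.100.5": ("DE", "Bavaria", "Tor", 64501),
    "198.51.100.6": ("DE", "Bavaria", "Not Tor", 64501),
    "192.0.2.1": ("NL", "North Holland", None, 64502),   # org-defined proxy
    "192.0.2.2": ("NL", "North Holland", None, 64502),   # org-defined proxy
}


@dataclass(frozen=True)
class Location:
    country: str
    region: Optional[str] = None  # None means the whole country

    def contains(self, other: "Location") -> bool:
        """True when `other` lies inside this location; a bare country contains all its regions."""
        if self.country != other.country:
            return False
        return self.region is None or self.region == other.region


def locations_conflict(locations) -> bool:
    """True if any two distinct locations contain each other, e.g. US together with California, US."""
    return any(a != b and a.contains(b) for a in locations for b in locations)


@dataclass(frozen=True)
class DynamicZone:
    locations: frozenset = frozenset()  # empty -> every location is inside the zone
    ip_type: str = "Any"                 # assumed labels: "Any", "Any anonymizer proxy",
                                         # "Tor anonymizer proxy", "Not Tor anonymizer proxy"
    asns: frozenset = frozenset()        # empty -> every ASN is inside the zone

    def __post_init__(self):
        if locations_conflict(self.locations):
            raise ValueError("a Dynamic Zone cannot include two locations that contain each other")


def resolve_client_ip(ip_chain, org_proxy_ips) -> Optional[str]:
    """A single-IP chain is used as-is; otherwise walk from the right and take the first non-proxy IP."""
    if len(ip_chain) == 1:
        return ip_chain[0]
    for ip in reversed(ip_chain):
        if ip not in org_proxy_ips:
            return ip
    return None  # assumption: every hop is a configured proxy, so no client IP is identified


def ip_type_matches(zone_ip_type: str, proxy_type: Optional[str]) -> bool:
    if zone_ip_type == "Any":
        return True
    if zone_ip_type == "Any anonymizer proxy":
        return proxy_type in ("Tor", "Not Tor")
    if zone_ip_type == "Tor anonymizer proxy":
        return proxy_type == "Tor"
    if zone_ip_type == "Not Tor anonymizer proxy":
        return proxy_type == "Not Tor"
    raise ValueError(f"unknown IP Type {zone_ip_type!r}")


def in_dynamic_zone(zone: DynamicZone, ip_chain, org_proxy_ips, facts=IP_FACTS) -> bool:
    """Resolve the client IP, look up its facts, and require location, IP Type and ASN to all match."""
    client_ip = resolve_client_ip(ip_chain, org_proxy_ips)
    if client_ip is None or client_ip not in facts:
        return False
    country, region, proxy_type, asn = facts[client_ip]
    request_location = Location(country, region)
    location_ok = not zone.locations or any(loc.contains(request_location) for loc in zone.locations)
    asn_ok = not zone.asns or asn in zone.asns
    return location_ok and ip_type_matches(zone.ip_type, proxy_type) and asn_ok


if __name__ == "__main__":
    us_zone = DynamicZone(locations=frozenset({Location("US")}))
    chain = ["203.0.113.10", "192.0.2.1", "192.0.2.2"]
    print(resolve_client_ip(chain, {"192.0.2.1", "192.0.2.2"}))   # 203.0.113.10
    print(in_dynamic_zone(us_zone, chain, {"192.0.2.1", "192.0.2.2"}))  # True
    print(in_dynamic_zone(us_zone, chain, {"192.0.2.1"}))               # False: client is 192.0.2.2 (NL)
```

Note how the proxy list changes the outcome for the same chain: once `192.0.2.2` is no longer registered as a proxy, it becomes the client IP and the request falls outside the US zone. This is why every proxy in front of users should be declared in an IP Zone before a Dynamic Zone is relied on in a policy.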
Dynamic Zone example
| IP chain | All proxies defined for the org | Client IP where the request originated |
|---|---|---|
| 220.127.116.11, 18.104.22.168, 22.214.171.124 | 126.96.36.199, 188.8.131.52 | 184.108.40.206 |
| 220.127.116.11, 18.104.22.168, 22.214.171.124 | 126.96.36.199 | 188.8.131.52 |
| 184.108.40.206, 220.127.116.11, 18.104.22.168 | 22.214.171.124 | 126.96.36.199 |