About Dynamic Zones

Dynamic Zones enable admins to define network perimeters around location, IP type and Autonomous System Number (ASN).


Location

A location is defined as either a country or a country and region. If a country is included without a region, the entire country is considered. One location, multiple locations or no location can be specified for a zone. If no location is defined for a zone, all locations are considered to be within that zone. A single zone cannot contain two locations that contain each other such as US and California, US. The location is determined based on the IP of the request using MaxMind. For issues with location accuracy, contact MaxMind directly. Some examples of valid locations are:

Location                                      | Entry
----------------------------------------------|----------------
Country                                       | US
Country and Region (enter as one per line)    | California, US
                                              | Quebec, CA

IP Type

The IP Type determines if the request is from a proxy and if so, what type of proxy the request is from. One IP type can be defined for a zone. The IP type is determined based on the IP of the request using Neustar. For issues with IP type accuracy, contact Neustar directly. The following IP types can be defined in a zone:

IP Type                     | Description
----------------------------|------------------------------------------------------------------------------------------
Any                         | All IP types are considered to be within the zone.
Any proxy                   | Requests coming from any anonymizing proxy, Tor or non-Tor, are considered to be within the zone.
Tor anonymizer proxy        | Requests coming from Tor anonymizing proxies are considered to be within the zone.
Not Tor anonymizer proxy    | Requests coming from non-Tor anonymizing proxies are considered to be within the zone.

ASN

ASNs are used to uniquely identify each network on the Internet. Internet Service Providers can apply to have one or multiple ASNs assigned to them. While an ISP's name can change, its assigned ASN is reserved and immutable. One ASN, multiple ASNs or no ASNs can be defined for a zone. If no ASN is provided, all ASNs are considered to be within the zone. Since an ASN represents an entire network of IP addresses, specifying an ASN can reduce overhead compared with entering a long list of individual IP addresses. Use the ASN Lookup link in the Admin Console to obtain the ASN for a given IP address. The ASN is determined based on the IP of the request using Neustar. For issues with ASN accuracy, contact Neustar directly.
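The three dimensions above (location, IP type, ASN) combine into one zone definition with the "empty means everything" rules described for location and ASN, and a validity rule that no two locations in one zone may contain each other. The following is an added Python example written for this page, not Okta's own code or API; the data model, the IP type names and the lookup results for the sample request are all assumptions, and the ASNs come from the documentation range (64496 to 64511).

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical zone model written for this page; not Okta's schema.
IP_TYPES = {"any", "any_proxy", "tor", "not_tor"}


@dataclass(frozen=True)
class Location:
    country: str                  # e.g. "US"
    region: Optional[str] = None  # e.g. "California"; None = whole country

    def contains(self, other: "Location") -> bool:
        """A country-level entry contains every region of that country;
        a region entry contains only itself."""
        if self.country != other.country:
            return False
        return self.region is None or self.region == other.region


def parse_location(entry: str) -> Location:
    """Parse a console entry: 'US' or 'California, US' (one per line)."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) == 1:
        return Location(country=parts[0].upper())
    if len(parts) == 2:
        return Location(country=parts[1].upper(), region=parts[0])
    raise ValueError(f"invalid location entry: {entry!r}")


@dataclass
class DynamicZone:
    locations: list = field(default_factory=list)  # empty = all locations
    ip_type: str = "any"                           # exactly one IP type
    asns: set = field(default_factory=set)         # empty = all ASNs

    def __post_init__(self):
        if self.ip_type not in IP_TYPES:
            raise ValueError(f"unknown IP type {self.ip_type!r}")
        # Reject nested (or duplicate) locations such as "US" + "California, US".
        for a in self.locations:
            for b in self.locations:
                if a is not b and a.contains(b):
                    raise ValueError(f"{a} already contains {b}")


@dataclass(frozen=True)
class ResolvedIp:
    """What the geolocation / proxy / ASN lookups returned for the client IP.
    Values here are constructed for the example, not real lookup output."""
    country: str
    region: Optional[str]
    is_proxy: bool
    is_tor: bool
    asn: int


def in_zone(zone: DynamicZone, r: ResolvedIp) -> bool:
    """All three dimensions must match for the request to be inside the zone."""
    loc_ok = not zone.locations or any(
        loc.contains(Location(r.country, r.region)) for loc in zone.locations
    )
    if zone.ip_type == "any":
        type_ok = True
    elif zone.ip_type == "any_proxy":
        type_ok = r.is_proxy
    elif zone.ip_type == "tor":
        type_ok = r.is_proxy and r.is_tor
    else:  # "not_tor"
        type_ok = r.is_proxy and not r.is_tor
    asn_ok = not zone.asns or r.asn in zone.asns
    return loc_ok and type_ok and asn_ok


def nested_locations_rejected() -> bool:
    """Returns True if the validity rule from the text fires for US + California, US."""
    try:
        DynamicZone(locations=[parse_location("US"), parse_location("California, US")])
    except ValueError:
        return True
    return False


# Constructed sample: a zone for Tor exit traffic from anywhere in the US.
TOR_US = DynamicZone(locations=[parse_location("US")], ip_type="tor")
# Constructed lookup results (ASN 64496 is from the documentation range).
TOR_FROM_CALIFORNIA = ResolvedIp("US", "California", True, True, 64496)
PLAIN_PROXY_FROM_QUEBEC = ResolvedIp("CA", "Quebec", True, False, 64497)
```

The zone above is the kind a defender would reference from a deny or step-up policy; because its location list is country-level, any US region matches, while the IP type restricts it to Tor exits only.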

Dynamic Zone Evaluation

When a Dynamic Zone is included in a policy, Okta verifies if the Dynamic Zone configuration (geolocation, IP type, or ASN) matches the location, proxy type and ASN of the IP where the request originates.

The following applies when the IP chain of the request contains one IP:

  • Okta resolves the location, proxy type, or ASN for that IP and compares it with the dynamic zone configuration (location, proxy type or ASN) to determine if the request is from within that zone.

The following applies when the IP chain of the request contains more than one IP:

  • Okta attempts to identify the client IP where the request originated as described in the following section.

Identify the Originating Client IP

In order to identify the originating client IP for the request, the IP of the request is considered and compared with all the proxy IPs defined in all the IP zones for that org.

  • If the IP address to the very right of the IP chain is not defined as a proxy, it is marked as the client IP.
  • If the IP address to the very right of the IP chain is a proxy IP, evaluation of the next IP address to the left takes place until an IP that is not a proxy is discovered. This IP will be marked as the client IP.

After the client IP is determined, the geolocation, proxy type and ASN for that IP is resolved and compared with the configured geolocation, proxy type, and ASN for that zone to verify if they match. If a match takes place, the request is considered to be from inside that zone.

Dynamic Zone example

IP Chain                   | All proxies defined for the org | Client IP where the request originated
---------------------------|---------------------------------|---------------------------------------
1.1.1.1                    | Empty                           | 1.1.1.1
1.1.1.1                    | 1.1.1.1                         | 1.1.1.1
1.1.1.1                    | 2.2.2.2                         | 1.1.1.1
1.1.1.1, 2.2.2.2           | Empty                           | 2.2.2.2
1.1.1.1, 2.2.2.2           | 2.2.2.2                         | 1.1.1.1
1.1.1.1, 2.2.2.2           | 3.3.3.3                         | 2.2.2.2
1.1.1.1, 2.2.2.2           | 1.1.1.1                         | 2.2.2.2
1.1.1.1, 2.2.2.2, 3.3.3.3  | 3.3.3.3, 2.2.2.2                | 1.1.1.1
1.1.1.1, 2.2.2.2, 3.3.3.3  | 3.3.3.3                         | 2.2.2.2
1.1.1.1, 2.2.2.2, 3.3.3.3  | 4.4.4.4                         | 3.3.3.3
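The right-to-left walk described under "Identify the Originating Client IP", with the table rows above used as the check, as an added Python example (not Okta's code). The one case the text does not define, a multi-IP chain in which every address is a declared proxy, is handled by an assumption labelled in the code: the leftmost IP is returned.

```python
import ipaddress
from typing import Iterable


def originating_client_ip(ip_chain: str, org_proxies: Iterable[str]) -> str:
    """Return the client IP for a comma-separated IP chain, given every proxy IP
    defined across the org's IP zones.

    Rules from the text:
      * a one-IP chain is used as-is, even if that IP is itself a proxy;
      * otherwise start at the rightmost IP and move left until an IP that is
        not a declared proxy is found.
    """
    chain = [str(ipaddress.ip_address(p.strip())) for p in ip_chain.split(",") if p.strip()]
    if not chain:
        raise ValueError("empty IP chain")
    proxies = {str(ipaddress.ip_address(p.strip())) for p in org_proxies if p.strip()}

    if len(chain) == 1:
        return chain[0]

    for ip in reversed(chain):
        if ip not in proxies:
            return ip

    # Assumption (not stated on the page): if every hop is a declared proxy,
    # fall back to the leftmost IP rather than failing.
    return chain[0]


# The ten rows of the "Dynamic Zone example" table: (chain, proxies, expected).
DOCUMENTED_CASES = [
    ("1.1.1.1", [], "1.1.1.1"),
    ("1.1.1.1", ["1.1.1.1"], "1.1.1.1"),
    ("1.1.1.1", ["2.2.2.2"], "1.1.1.1"),
    ("1.1.1.1, 2.2.2.2", [], "2.2.2.2"),
    ("1.1.1.1, 2.2.2.2", ["2.2.2.2"], "1.1.1.1"),
    ("1.1.1.1, 2.2.2.2", ["3.3.3.3"], "2.2.2.2"),
    ("1.1.1.1, 2.2.2.2", ["1.1.1.1"], "2.2.2.2"),
    ("1.1.1.1, 2.2.2.2, 3.3.3.3", ["3.3.3.3", "2.2.2.2"], "1.1.1.1"),
    ("1.1.1.1, 2.2.2.2, 3.3.3.3", ["3.3.3.3"], "2.2.2.2"),
    ("1.1.1.1, 2.2.2.2, 3.3.3.3", ["4.4.4.4"], "3.3.3.3"),
]


def check_documented_cases() -> bool:
    """True when the implementation reproduces every row of the table."""
    return all(originating_client_ip(chain, proxies) == expected
               for chain, proxies, expected in DOCUMENTED_CASES)


if __name__ == "__main__":
    for chain, proxies, expected in DOCUMENTED_CASES:
        got = originating_client_ip(chain, proxies)
        print(f"{chain!r:30} proxies={proxies!r:24} -> {got} ({'ok' if got == expected else 'MISMATCH'})")
```

Two consequences for policy design follow from this walk. Starting from the right means only addresses appended by proxies you have declared are skipped, so a client-supplied prefix is never trusted past a known proxy. Conversely, a proxy that is not declared in any IP zone is treated as the client, and a location or ASN zone will then evaluate the proxy's network rather than the user's; the seventh and tenth rows of the table show exactly that outcome.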

Related topics

About Network Zones

About IP Zones