About IP Zones

An IP Zone lets admins define a network perimeter around a set of IP addresses. Admins can add both gateway IPs and proxy IPs to an IP Zone.

IPs can be added to an IP Zone as:

  • single IPs
  • IP ranges
  • using CIDR notation
  • proxy IPs added as trusted proxies

Trusted proxies are used to determine the request's client IP and are not blocked by Okta ThreatInsight. Because zone evaluation looks past a trusted proxy to the hop behind it (see IP Zones Evaluation below), only add proxies you control as trusted proxies. When adding untrusted proxies to a zone, add them as gateways instead.

IP Zones Evaluation

When determining whether a request originates inside or outside an IP Zone, Okta evaluates the IP chain: the IPs of all network hops between the originating client and Okta, listed from the client to the IP that connects directly to Okta. The following table explains how the chain is processed when it contains one IP or more than one IP.

IP chain type: one IP

The request is considered inside the zone if that IP is contained in any of the gateways defined for the zone. A single IP that matches only a proxy does not place the request inside the zone.

IP chain type: more than one IP

Okta starts with the final IP in the chain, the one that connected directly to Okta, and checks whether it is within any of the defined gateways or proxies for the zone:

  • If it is a defined gateway, the request is from within the zone.
  • If it is a defined proxy, the process repeats for the previous IP in the chain, the one that connected to that proxy.
  • If it is neither a gateway nor a proxy, the request is not from within the zone.

Processing repeats until either a gateway IP matches, in which case the request is from within the zone, or at least 5 IPs in the chain have been checked without a gateway match, in which case the request is not from within the zone.

IP Zone example

In the two-IP chains below, 1.1.1.1 is the originating client and 2.2.2.2 is the IP that connected directly to Okta. The Gateway and Proxy columns are the zone's definitions.

IP chain              Gateway    Proxy      Inside the zone?
1.1.1.1               1.1.1.1    Empty      Y
1.1.1.1               1.1.1.1    2.2.2.2    Y
1.1.1.1               Empty      Empty      N
1.1.1.1               Empty      1.1.1.1    N

1.1.1.1, 2.2.2.2      2.2.2.2    Empty      Y
1.1.1.1, 2.2.2.2      2.2.2.2    3.3.3.3    Y
1.1.1.1, 2.2.2.2      1.1.1.1    2.2.2.2    Y
1.1.1.1, 2.2.2.2      Empty      Empty      N
1.1.1.1, 2.2.2.2      Empty      1.1.1.1    N
1.1.1.1, 2.2.2.2      Empty      2.2.2.2    N
1.1.1.1, 2.2.2.2      2.2.2.2    1.1.1.1    Y
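To make the evaluation walk concrete, here is a small Python model of the rules in the IP Zones Evaluation section, checked against every row of the example table above. It is an added example, not Okta's code: the IpSet and IpZone names, the "start-end" range syntax, the constructed CORP_ZONE addresses and the reading of the five-IP limit as "at most five hops examined, counted from the Okta end" are assumptions of this model. Beyond the table it also shows a zone built from a CIDR block and a range, a chain with an unknown hop in front of a trusted proxy, and a chain longer than five hops.

```python
"""Model of the IP Zone evaluation walk described above (added example, not Okta code)."""
from ipaddress import ip_address, ip_network

# The page says the walk stops once at least five IPs in the chain have been
# checked. Assumption: at most five hops are examined, counted from the Okta end.
MAX_HOPS_CHECKED = 5


class IpSet:
    """Gateway or proxy definitions: single IPs, 'start-end' ranges, or CIDR blocks.

    The 'start-end' range syntax is an assumption of this model, not Okta's input format.
    """

    def __init__(self, entries=()):
        self.networks = []  # single IPs and CIDR blocks (a single IP becomes a /32 or /128)
        self.ranges = []    # inclusive (low, high) address pairs
        for entry in entries:
            if "-" in entry:
                low, high = (ip_address(p.strip()) for p in entry.split("-", 1))
                if low.version != high.version or low > high:
                    raise ValueError(f"invalid range: {entry}")
                self.ranges.append((low, high))
            else:
                self.networks.append(ip_network(entry.strip(), strict=False))

    def __contains__(self, ip):
        ip = ip_address(ip)
        if any(ip in net for net in self.networks):
            return True
        return any(low.version == ip.version and low <= ip <= high
                   for low, high in self.ranges)


class IpZone:
    def __init__(self, gateways=(), proxies=()):
        self.gateways = IpSet(gateways)
        self.proxies = IpSet(proxies)


def is_inside_zone(chain, zone, max_hops=MAX_HOPS_CHECKED):
    """Return True if a request with this IP chain is inside the zone.

    `chain` lists hops from the originating client to the IP that connected
    directly to Okta (last element), the order used in the tables on this page.
    """
    hops = [ip_address(hop.strip()) for hop in chain]
    if not hops:
        raise ValueError("empty IP chain")
    checked = 0
    for ip in reversed(hops):  # walk from the Okta side back toward the client
        checked += 1
        if ip in zone.gateways:
            return True   # reached a gateway: inside the zone
        if ip not in zone.proxies:
            return False  # unknown hop: nothing vouches for the hops behind it
        if checked >= max_hops:
            return False  # hop limit reached while still behind trusted proxies
    return False          # ran out of hops: only trusted proxies, no gateway


# The rows of the example table above: (chain, gateways, proxies, expected).
PAGE_EXAMPLES = [
    (["1.1.1.1"], ["1.1.1.1"], [], "Y"),
    (["1.1.1.1"], ["1.1.1.1"], ["2.2.2.2"], "Y"),
    (["1.1.1.1"], [], [], "N"),
    (["1.1.1.1"], [], ["1.1.1.1"], "N"),
    (["1.1.1.1", "2.2.2.2"], ["2.2.2.2"], [], "Y"),
    (["1.1.1.1", "2.2.2.2"], ["2.2.2.2"], ["3.3.3.3"], "Y"),
    (["1.1.1.1", "2.2.2.2"], ["1.1.1.1"], ["2.2.2.2"], "Y"),
    (["1.1.1.1", "2.2.2.2"], [], [], "N"),
    (["1.1.1.1", "2.2.2.2"], [], ["1.1.1.1"], "N"),
    (["1.1.1.1", "2.2.2.2"], [], ["2.2.2.2"], "N"),
    (["1.1.1.1", "2.2.2.2"], ["2.2.2.2"], ["1.1.1.1"], "Y"),
]


def check_page_examples(rows=PAGE_EXAMPLES):
    """Return the rows whose computed result disagrees with the table (empty if all agree)."""
    mismatches = []
    for chain, gateways, proxies, expected in rows:
        got = "Y" if is_inside_zone(chain, IpZone(gateways, proxies)) else "N"
        if got != expected:
            mismatches.append((chain, gateways, proxies, expected, got))
    return mismatches


# Constructed zone (RFC 1918 and RFC 5737 documentation addresses) with a CIDR block,
# a range, and one trusted egress proxy.
CORP_ZONE = IpZone(gateways=["10.0.0.0/24", "192.0.2.10-192.0.2.20"],
                   proxies=["198.51.100.1"])

if __name__ == "__main__":
    print("page table mismatches:", check_page_examples())
    print(is_inside_zone(["192.0.2.15", "198.51.100.1"], CORP_ZONE))  # client behind trusted proxy
    print(is_inside_zone(["10.0.0.7", "203.0.113.9", "198.51.100.1"], CORP_ZONE))  # unknown hop stops the walk
```

The third call is the case the trusted-proxy caveat is about: a gateway address appears in the chain, but the hop between it and the trusted proxy is unknown, so the walk stops there and the request is treated as outside the zone. Only hops that a trusted proxy connected from are believed, which is why a proxy you do not control should be added as a gateway rather than as a trusted proxy.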

Related topics

About Dynamic Zones

Create an IP Zone