About dynamic zones
Dynamic zones allow you to define network perimeters based on location, IP address type, and autonomous system number (ASN).
A location is defined as either a country or a country and region. If a country is included without a region, the entire country is considered. You can specify a single location, multiple locations, or no location for a dynamic zone. If no location is defined for a dynamic zone, all locations are considered to be within that dynamic zone. A single dynamic zone can't include two locations that contain each other, such as US and California, US.
Continents are not intended to be used as region definitions. The Europe (EU) and Asia/Pacific (AP) codes are only used if you have not selected a specific country code. If you want to include all of the countries in Europe or in Asia/Pacific, you should choose all of those countries individually. If you choose Europe or Asia/Pacific and do not specify individual countries, only requests from countries that do not have a designated country code are returned as a match by the geolocation provider. Used alone, Europe and Asia/Pacific are treated as generic codes for undesignated regions rather than inclusive of the countries they contain.
Locations are determined based on the IP of the request using MaxMind as the geolocation provider. For issues with location accuracy or information about how country and region codes are used, see MaxMind and GeoIP Legacy Codes. Some examples of valid locations are:
|Country and Region (enter as one per line)||
An update to the universal ISO standard for region codes and country codes has resulted in some discrepancies between new codes for China and the codes that are displayed in Okta. As a result, we recommend updating your region codes for China by editing any affected dynamic zone to prevent any issues.
The IP Type determines if the request is from a proxy and if so, which type of proxy the request is from. The IP Type is determined based on the IP of the request using Neustar. For issues with IP Type accuracy, contact Neustar directly. See Neustar. Define one IP Type for a dynamic zone.
All IP Types are considered to be within the dynamic zone.
Requests coming from any anonymizing proxy, including Tors and non-Tors, are considered to be within the dynamic zone.
|Tor anonymizer proxy||
Requests coming from Tor anonymizing proxies are considered to be within the dynamic zone.
|Not Tor anonymizer proxy||
Requests coming from non-Tor anonymizing proxies are considered to be within the dynamic zone.
ASN are used to uniquely identify each network on the internet. Internet Service Providers can apply to obtain one or multiple ASNs assigned to them. While an ISP name can change, their assigned ASN is reserved and immutable. One ASN, multiple ASNs or no ASNs can be defined for a network zone. If no ASN is provided, all ASNs are considered to be within the dynamic zone.
Since the ASN represents an entire network of IP addresses, specifying an ASN can help you reduce overhead as an alternative to entering a list of multiple IP addresses. You can use online ASN lookup tools to find the ASN for a given IP address. For an example of an ASN Lookup tool, see DNSChecker.
When a dynamic zone is included in a policy, Okta verifies whether the dynamic zone configuration (geolocation, IP Type, or ASN) matches the location, proxy type and ASN of the IP where the request originates.
The following applies when the IP chain of the request contains one IP:
- Okta resolves the location, proxy type, or ASN for that IP and compares it with the dynamic zone configuration (location, proxy type or ASN) to determine if the request is from within that dynamic zone.
The following applies when the IP chain of the request contains more than one IP:
- Okta attempts to identify the client IP where the request originated as described next in Identifying the Originating Client IP.
In order to identify the originating client IP for the request, the IP chain of the request is considered and compared with all the proxy IPs defined in all the IP zones for that org.
- If the IP address to the very right of the IP chain isn't defined as a proxy, it is marked as the client IP.
- If the IP address to the very right of the IP chain is a proxy IP, evaluation of the next IP address to the left takes place until an IP that isn't a proxy is discovered. This IP will be marked as the client IP.
- Once the client IP is determined, the geolocation, proxy type and ASN for that IP is resolved and compared with the configured geolocation, proxy type, and ASN for that zone to verify if they match. If a match takes place, the request is considered to be from inside that zone.
Dynamic zone Evaluation example
|IP Chain||All proxies defined for the org||Client IP where the request originated|
|184.108.40.206, 220.127.116.11, 18.104.22.168||22.214.171.124, 126.96.36.199||188.8.131.52|
|184.108.40.206, 220.127.116.11, 18.104.22.168||22.214.171.124||126.96.36.199|
|188.8.131.52, 184.108.40.206, 220.127.116.11||18.104.22.168||22.214.171.124|