Network zones FAQ
The network zones FAQ is a resource that provides useful information and common questions about network zones.
How are IP addresses counted as part of the network zone's IP limit?
A single Gateway IP address is counted as one item, but can contain multiple IPs.
How is the IP range counted in a CIDR notation?
One CIDR notation IP range is considered as one item.
How can I add countries in Europe or Asia/Pacific to a dynamic zone?
You can define locations for dynamic zones using either country codes or a country and region code. If a country is included without a region, the entire country is considered part of the zone. If you want to include all of the countries in Europe or in Asia/Pacific, select all of those countries individually.
Continents aren't used as region definitions. The Europe (EU) and Asia/Pacific (AP) codes are only used if you haven't selected a specific country code. If you choose Europe or Asia/Pacific and don't specify individual countries, only requests from countries that don't have a designated country code are returned as a match by the geolocation provider. Used alone, Europe and Asia/Pacific are treated as generic codes for undesignated regions rather than inclusive of the countries they contain.
If I'm using Okta ThreatInsight or network zones and I've configured a proxy for my network traffic, will I get and block the actual end user's IP instead of the IP of the sign-in page?
Okta blocks the end user's IP if the following conditions are true:
- End-user IP is included inside the XFF header sent to Okta.
- Customer proxy isn't configured as a trusted proxy. See About Okta ThreatInsight.
I'm using an enhanced dynamic zone. How can I tell if traffic is coming from a proxy IP?
Orgs using enhanced dynamic zones should rely on isProxy.tunnels in the System Log to determine if traffic is coming from a proxy instead of isProxy directly.