Network zones FAQs

The network zones FAQs is a resource that provides useful information and common questions about network zones.

How are IP addresses counted as part of the network zone's IP limit?

A single Gateway IP address is counted as one item, but can contain multiple IPs.

How is the IP range counted in a CIDR notation?

One CIDR notation IP range is considered as one item.

How can I add countries in Europe or Asia/Pacific to a dynamic zone?

You can define locations for dynamic zones using either country codes or a country and region code. If a country is included without a region, the entire country is considered part of the zone. If you want to include all of the countries in Europe or in Asia/Pacific, select all of those countries individually.

Continents aren't used as region definitions. The Europe (EU) and Asia/Pacific (AP) codes are only used if you haven't selected a specific country code. If you choose Europe or Asia/Pacific and don't specify individual countries, only requests from countries that don't have a designated country code are returned as a match by the geolocation provider. Used alone, Europe and Asia/Pacific are treated as generic codes for undesignated regions rather than inclusive of the countries they contain.

If I'm using Okta ThreatInsight or network zones and I've configured a proxy for my network traffic, will I get and block the actual end user’s IP instead of the IP of the sign-in page?

Okta blocks the end user's IP if the following conditions are true:

  • End-user IP is included inside the XFF header sent to Okta.
  • Customer proxy isn't configured as a trusted proxy. See About Okta ThreatInsight.

Related topics

Dynamic zones

IP zones