Create a dynamic zone
Create a dynamic zone that defines network perimeters by location, IP type, and autonomous system number (ASN). You can use dynamic zones in policies to restrict authentication or enforce a higher level of assurance.
-
In the Admin Console, go to .
- In the Add Zone dropdown, select Dynamic Zone.
- In the Zone Name field, enter a name for the zone.
- Optional. Select Block access from IPs matching conditions listed in this zone to prevent matching IPs from accessing Okta. This includes IP addresses that appear in IP chains.
- In IP Type, define a proxy type or leave this option cleared to ignore any proxy.
-
Any: Ignores all proxy types. Define at least one of the following items: Locations, ISP ASNs.
-
Any proxy: Considers clients that use a Tor anonymizer proxy or a non-Tor anonymizer proxy type.
-
Tor anonymizer proxy: Considers clients that use a Tor anonymizer proxy.
-
Not Tor anonymizer proxy: Considers clients that use non-Tor proxy types.
- In Locations, add up to 75 locations by selecting the correct region name from the list.
-
Optional. Select State/Region for the selected location.
Optional. For China region codes, browse for any entries that display a regional character code for China instead of the region name. For example, CN-33.
- In ISP ASNs, add up to 75 ASNs separated by either a comma or new line.
-
In ISP ASNs, use the ASN lookup tool to retrieve the ASN.
-
Enter the ASN to include it as part of the dynamic zone.
-
To blocklist ASNs, select the Block access from IPs matching conditions listed in this zone option.
- Click Save.
The accuracy of Tor proxy detection depends on a third-party vendor, which is used to identify IP addresses that use Tor. The proxy type is only used to evaluate if a proxy is Tor or not. If a proxy is cleared, it isn't evaluated.