Create a dynamic zone

Create a dynamic zone that defines network perimeters by location, IP Type, and ASN to deny authentication or enforce a higher level of assurance.

See About dynamic zones for more information on location, IP Type and ASN.

Create a dynamic zone:

  1. In the Admin Console, go to Security > Networks.

  2. In the Add Zone dropdown, select Dynamic Zone.
  3. In the Zone Name field, enter a name for the zone.
  4. Optional. Select Block access from IPs matching conditions listed in this zone to prevent matching IPs from accessing Okta.
  5. In IP Type, select a proxy type (Any, TorAnonymizer, or NotTorAnonymizer), or leave proxy unchecked to ignore any proxy.
    • Any: Ignores all proxy types. If selected, at least one of the following must be defined: Locations, ISP ASNs.

    • Any proxy: Considers clients that use a Tor anonymizer proxy or a non-Tor anonymizer proxy type.

    • Tor anonymizer proxy: Considers clients that use a Tor anonymizer proxy.

    • Not Tor anonymizer proxy: Considers clients that use non-Tor proxy types.

    The accuracy of Tor proxy detection depends on a third-party vendor, which is used to identify IP addresses that use Tor. The proxy type is only used to evaluate whether a proxy is Tor or not. If proxy is unchecked, it is not evaluated.

  6. In Locations, add up to 75 locations by selecting the correct region name from the list.
    • Optional. Select State/Region for the selected location.

      Optional. For China region codes, browse for any entries that display a regional character code for China instead of the region name. For example, CN-33.

  7. In ISP ASNs, add up to 75 ASNs separated by either a comma or new line.
    • In ISP ASNs, use the ASN Lookup tool to retrieve the ASN.

    • Enter the ASN to include it as part of the dynamic zone.

    • To apply a block list to ASNs, select the Block access from IPs matching conditions listed in this zone option.

  8. Click Save.

Selecting Block access from IPs matching conditions listed in this zone blocks every request whose IP chain contains an IP that matches the conditions of the zone from accessing Okta.
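The following is an added example, not Okta code: a local Python model of the limits in steps 5 to 7 and of the IP-chain blocking rule above, useful for checking a planned zone before entering it in the Admin Console. The dictionary layout, the lookup table, and the rule that an IP must meet every defined condition are assumptions; the addresses and ASNs are constructed from documentation ranges.

```python
import re

MAX_ENTRIES = 75  # steps 6 and 7: up to 75 locations, up to 75 ASNs

def parse_asns(field):
    """Split the ISP ASNs field on commas or new lines (step 7)."""
    tokens = [t.strip() for t in re.split(r"[,\n]", field) if t.strip()]
    bad = [t for t in tokens if not t.isdigit()]
    if bad:
        raise ValueError(f"not an ASN: {bad}")
    return [int(t) for t in tokens]

def validate_zone(zone):
    """Return the problems found in a zone definition (hypothetical dict layout)."""
    problems = []
    if len(zone["locations"]) > MAX_ENTRIES:
        problems.append("more than 75 locations")
    if len(zone["asns"]) > MAX_ENTRIES:
        problems.append("more than 75 ASNs")
    if zone["ip_type"] == "Any" and not (zone["locations"] or zone["asns"]):
        problems.append("IP Type Any needs a location or an ASN")
    return problems

def ip_matches(zone, info):
    """Assumption: an IP is in the zone only if it meets every defined condition."""
    if zone["locations"] and info["country"] not in zone["locations"]:
        return False
    if zone["asns"] and info["asn"] not in zone["asns"]:
        return False
    wanted = {"Any": None, "Any proxy": {"tor", "other"},
              "Tor anonymizer proxy": {"tor"},
              "Not Tor anonymizer proxy": {"other"}}[zone["ip_type"]]
    return wanted is None or info["proxy"] in wanted

def chain_blocked(zone, chain, lookup):
    """Blocked when the zone blocks and any IP in the chain matches it."""
    return zone["block"] and any(ip_matches(zone, lookup[ip]) for ip in chain)

# Constructed sample data: documentation IP ranges and reserved ASNs.
LOOKUP = {
    "192.0.2.10":   {"country": "US", "asn": 64496, "proxy": None},
    "198.51.100.7": {"country": "DE", "asn": 64500, "proxy": "tor"},
    "203.0.113.5":  {"country": "US", "asn": 64497, "proxy": None},
}
ZONE = {"block": True, "ip_type": "Tor anonymizer proxy",
        "locations": [], "asns": parse_asns("64500,\n64501")}

if __name__ == "__main__":
    print(validate_zone(ZONE))
    print(chain_blocked(ZONE, ["192.0.2.10", "198.51.100.7", "203.0.113.5"], LOOKUP))
```

In the sample chain only the middle hop matches the zone, yet the whole request is blocked, which is the behavior to account for when users reach Okta through intermediate proxies.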

Related topics

About dynamic zones

Manage network zones