Blocklist network zones
Admins can block IP addresses in network zones, IP zones, and dynamic zones from accessing their Okta org.
Network zones contain a list of IP addresses, and dynamic zones contain a list of locations, ASNs, or IP types.
Okta doesn't allow blocklisted IP addresses to access any of your org's URLs. Okta blocks these requests before any type of policy evaluation occurs.
HealthInsight task recommendation
Configure network blocklisting to deny access to your Okta org from known malicious IP addresses or locations.
Okta recommends: Block any known untrusted IP addresses, locations, or proxy servers to limit access to your org. If your org uses IP Trust for network zones, Okta also recommends blocking any IP addresses that are identified as a Tor anonymizer proxy. Only add IP addresses or locations that aren't associated with legitimate user activity.
Security impact: Moderate
End-user impact: Low. Legitimate users within your org see no change in behavior. Clients connecting from blocked network zones see a 403 (access denied) error.
If you've enabled the IP exempt zone feature and added IP addresses to it, traffic from those IPs may still be allowed even if you blocklist an IP using one of the following methods. See IP exempt zone evaluation.
Block specific IP addresses
Block specific IP addresses to deny access to your Okta org.
- In the Admin Console, go to .
- In the list of zones, click Edit for the BlockedIpZone network zone.
- Select Block access from IPs matching conditions listed in this zone.
- Click Save.
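Because blocklisted addresses are rejected before any policy evaluation, it helps to vet a candidate list against ranges your own users connect from before saving it. The following is an added example, not Okta's code: the function name, zone name, and sample addresses are constructed, it handles IPv4 only, and the output body follows the field names of the Okta Zones API (`/api/v1/zones`), which this page doesn't show.

```python
import ipaddress
import json


def build_blocklist_zone(candidates, legitimate_ranges, name="Example blocklist"):
    """Vet candidate IPs/CIDRs and return (zone_body, rejected).

    A candidate is rejected when it isn't a valid IPv4 address or CIDR, or when
    it overlaps a range associated with legitimate user activity.
    """
    legit = [ipaddress.IPv4Network(r, strict=False) for r in legitimate_ranges]
    gateways, rejected, seen = [], [], set()
    for raw in candidates:
        try:
            net = ipaddress.IPv4Network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not a valid IPv4 address or CIDR"))
            continue
        clash = next((r for r in legit if r.overlaps(net)), None)
        if clash is not None:
            rejected.append((raw, f"overlaps legitimate range {clash}"))
            continue
        if net in seen:  # drop duplicates silently
            continue
        seen.add(net)
        gateways.append({"type": "CIDR", "value": str(net)})
    # Assumed Zones API body: an IP zone whose usage is BLOCKLIST.
    zone = {"type": "IP", "name": name, "status": "ACTIVE",
            "usage": "BLOCKLIST", "gateways": gateways}
    return zone, rejected


# Constructed sample data (RFC 5737 documentation ranges).
SAMPLE_LEGITIMATE = ["198.51.100.0/24"]  # e.g. an office egress range
SAMPLE_CANDIDATES = ["203.0.113.7", "198.51.100.23", "192.0.2.0/28",
                     "not-an-ip", "203.0.113.7"]

if __name__ == "__main__":
    zone, rejected = build_blocklist_zone(SAMPLE_CANDIDATES, SAMPLE_LEGITIMATE)
    print(json.dumps(zone, indent=2))
    for value, reason in rejected:
        print(f"skipped {value}: {reason}")
```

Review the rejected entries by hand rather than discarding them; an overlap with a legitimate range usually means the candidate came from a shared egress point.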
Block IP addresses in a dynamic zone
Block IP addresses in a dynamic zone from accessing your Okta org.
- In the Admin Console, go to .
- Click .
- Define a location or proxy type.
- Select Block access from IPs matching conditions listed in this zone.
- Click Save.
Block Tor anonymizer proxy IP addresses
Block IP addresses identified as a Tor anonymizer proxy from accessing your Okta org.
- In the Admin Console, go to .
- Click .
- Select Tor anonymizer proxy for IP Type.
- Select Block access from IPs matching conditions listed in this zone.
- Click Save.
Block IP service categories
Block IP service categories in an enhanced network zone from accessing your Okta org.
- In the Admin Console, go to .
- Select . The Add Enhanced Dynamic Zone dialog opens.
- Select one or more IP service categories.
- Select Block access from IPs matching conditions.
- Click Save.