Enhanced dynamic zones
Enhanced dynamic zones define the IP service categories, locations, and Autonomous System Numbers (ASNs) that are blocked or allowed in a zone. IP service categories include proxies, VPNs, and anonymizers.
Enhanced dynamic zones can help with the following use cases.
- Configure an enhanced dynamic zone as a blocklist, where all of its IP service category types, locations, and ASNs are blocked before authentication. Blocking traffic before authentication prevents attackers from reaching your Okta sign-in and registration pages at all.
- Configure an enhanced dynamic zone to use in a policy. When used in a policy, the enhanced dynamic zone defines the conditions that must be met for users to sign in.
Okta also provides a DefaultEnhancedDynamicZone that includes all anonymizing proxies. It's inactive by default, so you need to activate it to start blocking these proxies. You can't delete or rename this zone, and you can't add locations to it.
When an enhanced dynamic zone is used as a blocklist, a security.request.blocked event appears in the System Log. If the event appears for an IP zone or IP service category that shouldn't be blocked, see Unblock false positives in System Log.
IP service category
An IP service category is a classification based on how the IP is used. The categories cover services that obfuscate the true source of a request, such as VPNs, proxies, anonymizers, and Tor exit nodes. See Supported IP service categories for the complete list.
Location
Locations let you include or exclude IP addresses from a country (for example, US) or a specific region in a country (for example, California, US). Each location (country or a country and region) appears on a separate line in the System Log.
- If you don't include a region, the entire country is considered to be within the enhanced dynamic zone.
- A single enhanced dynamic zone can't include two locations that contain each other, such as US and California, US.
- If you don't define a location, all locations are considered to be within the enhanced dynamic zone.
Review these additional location considerations:
- Continents aren't used as region definitions.
- To include all the countries in Europe (EU) or in Asia/Pacific (AP), you must choose each individual country.
- If you choose EU or AP without specifying individual countries, the zone matches only requests whose IP the geolocation provider can't assign to a specific country code. Used alone, EU and AP are generic codes for undesignated regions, not the continents.
- The ISO 3166-2 region codes for India have changed, which caused discrepancies between the new codes and the codes that Okta displays. To prevent issues, edit any affected enhanced dynamic zones.
Locations are determined based on the IP address of the request using MaxMind as the geolocation provider. To learn about issues with location accuracy or information about how country and region codes are used, see MaxMind and GeoIP Legacy Codes.
Autonomous System Numbers
ASNs uniquely identify each network on the internet. Internet service providers (ISPs) can apply to have one or more ASNs assigned to them. While an ISP's name can change, its assigned ASN is reserved and doesn't change.
You can include one or more ASNs in an enhanced dynamic zone. Because an ASN represents an entire network of IP addresses, specifying an ASN is an efficient alternative to entering a long list of individual IP addresses. If you don't define at least one ASN, all ASNs are considered to be within the enhanced dynamic zone.
Online ASN lookup tools can help you find the ASN for a given IP address (for an example, see DNSChecker).
Enhanced dynamic zone evaluation
Okta checks whether the location, IP service categories, and ASN of the IP where the request originates match the enhanced dynamic zone configuration. If the IP chain of the request contains more than one IP address, Okta first determines the client IP by comparing the chain against all proxy IPs defined in all IP zones for the org (not just the zone being evaluated):
- If the rightmost IP address in the chain isn't defined as a proxy, it's marked as the client IP.
- If the rightmost IP address in the chain is a proxy IP, the next IP address to the left is evaluated. This repeats until an IP that isn't a proxy is found, and that IP is marked as the client IP. If the chain consists only of proxy IPs, the leftmost IP is used, as the table below shows for a chain with a single proxy IP.
- After the client IP is determined, its geolocation, IP service category, and ASN are resolved and compared with the geolocation, IP service category, and ASN values configured for the zone. If the values match, the request is treated as coming from inside that zone.
Conditions in a single enhanced dynamic zone are combined using AND logic. For example, consider a zone with these conditions:
- IP service category: ALL_PROXIES_VPN
- Location: New Zealand
- ISP ASN: 15169
This zone only blocks requests that satisfy all three conditions at once: the client IP is in the ALL_PROXIES_VPN category, it's located in New Zealand, and it belongs to ASN 15169. To block requests that use a proxy or VPN or that come from New Zealand, you must create two separate zones, one for each condition.
The following table shows which IP is marked as the client IP for several IP chains and org-wide proxy definitions:

| IP chain | All proxies defined for the org | Client IP where the request originated |
| --- | --- | --- |
| 1.1.1.1 | Empty | 1.1.1.1 |
| 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
| 1.1.1.1 | 2.2.2.2 | 1.1.1.1 |
| 1.1.1.1, 2.2.2.2 | Empty | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2 | 2.2.2.2 | 1.1.1.1 |
| 1.1.1.1, 2.2.2.2 | 3.3.3.3 | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2 | 1.1.1.1 | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3, 2.2.2.2 | 1.1.1.1 |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3 | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 | 4.4.4.4 | 3.3.3.3 |
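The following Python model is an added example, not Okta's code, that reproduces the client IP selection from the table, the AND logic across the three zone dimensions, and the rule that a country without a region covers its regions. The geolocation, service category, and ASN facts for 1.1.1.1 through 4.4.4.4 are constructed for the example (the real data comes from MaxMind and Okta's category feed), and the assumption that multiple values within one dimension are alternatives (OR) is labeled in the code.

```python
# Added example (not Okta's code): a model of client-IP selection and the
# AND-logic zone match described above. All lookup data here is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class IpFacts:
    """What the lookup returns for one IP: country, optional region, categories, ASN."""
    country: str
    region: Optional[str]
    categories: frozenset
    asn: int


@dataclass
class EnhancedDynamicZone:
    """Zone conditions. An empty set for a dimension means 'all', matching the
    'if you don't define a location/ASN, all are in the zone' rules."""
    name: str
    categories: set = field(default_factory=set)
    locations: set = field(default_factory=set)   # {(country, region_or_None)}
    asns: set = field(default_factory=set)


def location_conflicts(locations):
    """Return region entries that are already covered by a country-only entry,
    e.g. ("US", "CA") when ("US", None) is also present. Such a zone is invalid."""
    whole_countries = {c for c, r in locations if r is None}
    return sorted((c, r) for c, r in locations if r is not None and c in whole_countries)


def client_ip(ip_chain, org_proxies):
    """Walk the chain from the right, skipping IPs that any IP zone in the org
    defines as a proxy. The first non-proxy IP is the client IP. If every IP
    is a proxy, the leftmost IP is used (the single-proxy row of the table)."""
    for ip in reversed(ip_chain):
        if ip not in org_proxies:
            return ip
    return ip_chain[0]


def location_matches(zone_locations, facts):
    """A location without a region covers the whole country. Multiple
    locations in one zone are assumed to be alternatives (OR)."""
    if not zone_locations:
        return True
    return any(
        country == facts.country and (region is None or region == facts.region)
        for country, region in zone_locations
    )


def in_zone(zone, ip_chain, org_proxies, lookup):
    """AND across the three dimensions; values inside one dimension are OR (assumption)."""
    facts = lookup[client_ip(ip_chain, org_proxies)]
    category_ok = not zone.categories or bool(zone.categories & facts.categories)
    asn_ok = not zone.asns or facts.asn in zone.asns
    return category_ok and location_matches(zone.locations, facts) and asn_ok


def blocked_by_any(zones, ip_chain, org_proxies, lookup):
    """Separate zones are evaluated independently, which is how you express
    'proxy/VPN OR New Zealand' with two single-condition zones."""
    return any(in_zone(z, ip_chain, org_proxies, lookup) for z in zones)


# Constructed facts for the IPs used in the table (not real geolocation data).
LOOKUP = {
    "1.1.1.1": IpFacts("NZ", None, frozenset({"ALL_PROXIES_VPN"}), 15169),
    "2.2.2.2": IpFacts("NZ", None, frozenset(), 64496),
    "3.3.3.3": IpFacts("US", "CA", frozenset({"ALL_PROXIES_VPN"}), 15169),
    "4.4.4.4": IpFacts("US", None, frozenset(), 64496),
}

# The AND example from the text: all three conditions must hold.
AND_ZONE = EnhancedDynamicZone(
    "proxy-vpn-from-nz-asn15169",
    categories={"ALL_PROXIES_VPN"}, locations={("NZ", None)}, asns={15169},
)
# The OR alternative: two zones, one condition each.
OR_ZONES = [
    EnhancedDynamicZone("any-proxy-vpn", categories={"ALL_PROXIES_VPN"}),
    EnhancedDynamicZone("from-nz", locations={("NZ", None)}),
]

if __name__ == "__main__":
    for chain, proxies in [(["1.1.1.1", "2.2.2.2"], set()),
                           (["1.1.1.1", "2.2.2.2"], {"2.2.2.2"})]:
        print(chain, sorted(proxies), "-> client", client_ip(chain, proxies),
              "| AND zone:", in_zone(AND_ZONE, chain, proxies, LOOKUP),
              "| OR zones:", blocked_by_any(OR_ZONES, chain, proxies, LOOKUP))
```

Note that the same chain 1.1.1.1, 2.2.2.2 flips between "inside" and "outside" the AND zone depending only on whether 2.2.2.2 is listed as a proxy somewhere in the org: a proxy definition in an unrelated IP zone changes which address gets geolocated for every enhanced dynamic zone, so audit proxy lists org-wide when a block or allow decision looks wrong.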
