Dynamic zones

Use dynamic zones to define network perimeters based on location, IP address type, and Autonomous System Number (ASN).

Location

Locations let you include or exclude IP addresses from a country (for example, US) or a specific region in a country (for example, California, US). Each location (country or a country and region) appears on a separate line in the System Log.

  • If you don't include a region, the entire country is considered to be within the enhanced dynamic zone.

  • A single enhanced dynamic zone can't include two locations that contain each other, such as US and California, US.

  • If you don't define a location, all locations are considered to be within the enhanced dynamic zone.

Review these additional location considerations:

  • Continents aren't used as region definitions.

  • To include all the countries in Europe (EU) or in Asia/Pacific (AP), you must choose each individual country.

  • If you choose EU or AP and don't specify individual countries, the geolocation provider returns only requests from countries that don't have a designated country code. Used alone, EU and AP are treated as generic codes for undesignated regions.

  • In India, the ISO standard region and country codes have changed. The update resulted in discrepancies between the new codes and the codes that are displayed in Okta. To prevent issues, edit any affected dynamic zones.

Locations are determined based on the IP address of the request using MaxMind as the geolocation provider. To learn about issues with location accuracy or information about how country and region codes are used, see MaxMind and GeoIP Legacy Codes.

IP address type

The IP address type is based on the IP of the request. It determines if the request is from a proxy. Define one IP type for a dynamic zone.

  • Any: All IP types are considered to be within the dynamic zone.

  • Any proxy: Requests that come from any anonymizing proxy, including Tor and non-Tor, are considered to be within the dynamic zone.

  • Tor anonymizer proxy: Requests that come from Tor anonymizing proxies are considered to be within the dynamic zone.

  • Not Tor anonymizer proxy: Requests that come from non-Tor anonymizing proxies are considered to be within the dynamic zone.

For issues with IP type accuracy, contact your Okta representative.

Autonomous System Number

ASNs uniquely identify each network on the internet. Internet service providers (ISPs) can apply to have one or more ASNs assigned to them. While an ISP's name can change, its assigned ASN is reserved and immutable.

You can include one or more ASNs in an enhanced dynamic zone. Because the ASN represents an entire network of IP addresses, specifying an ASN is an efficient alternative to entering a list of multiple IP addresses. If you don't define at least one, all ASNs are considered to be within the enhanced dynamic zone.

Online ASN lookup tools can help you find the ASN for a given IP address (for an example, see DNS Checker).

Dynamic zone evaluation

Okta verifies whether the dynamic zone configuration matches the location, proxy type, and ASN of the IP where the request originates.

  • Okta evaluates the location, proxy type, and ASN conditions together to determine if there's a match.
  • If the IP chain of the request contains one IP address, Okta resolves the location, proxy type, or ASN. Okta compares these values to the dynamic zone configuration to determine if the request came from that dynamic zone.
  • If the IP chain of the request contains more than one IP address, Okta attempts to identify the client IP where the request originated.

Conditions in a single dynamic zone are combined using AND logic. For example, consider an IP zone with these conditions:

  • IP type: Any proxy
  • Location: New Zealand
  • ISP ASN: 15169

This zone only blocks requests that satisfy all three conditions: a request from a proxy, located in New Zealand, with ISP ASN 15169. To block requests that are from any proxy or from New Zealand, you must create two separate zones (one for each condition).

Dynamic zone evaluation

The IP chain of the request is evaluated and compared to all proxy IPs defined in all IP zones for that org.

  • If the rightmost IP address in the IP chain isn't defined as a proxy, it's marked as the client IP.
  • If the rightmost IP address in the IP chain is a proxy IP, the next IP address to the left is evaluated. This process repeats until an IP that isn't a proxy is found. That IP is marked as the client IP.
  • After the client IP is determined, the geolocation, proxy type, and ASN for that IP are resolved. Then they're compared with the configured geolocation, proxy type, and ASN values for that zone. If the values match, the request comes from inside that zone.

  IP chain                    | All proxies defined for the org | Client IP where the request originated
  ----------------------------|---------------------------------|---------------------------------------
  1.1.1.1                     | Empty                           | 1.1.1.1
  1.1.1.1                     | 1.1.1.1                         | 1.1.1.1
  1.1.1.1                     | 2.2.2.2                         | 1.1.1.1
  1.1.1.1, 2.2.2.2            | Empty                           | 2.2.2.2
  1.1.1.1, 2.2.2.2            | 2.2.2.2                         | 1.1.1.1
  1.1.1.1, 2.2.2.2            | 3.3.3.3                         | 2.2.2.2
  1.1.1.1, 2.2.2.2            | 1.1.1.1                         | 2.2.2.2
  1.1.1.1, 2.2.2.2, 3.3.3.3   | 3.3.3.3, 2.2.2.2                | 1.1.1.1
  1.1.1.1, 2.2.2.2, 3.3.3.3   | 3.3.3.3                         | 2.2.2.2
  1.1.1.1, 2.2.2.2, 3.3.3.3   | 4.4.4.4                         | 3.3.3.3
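The following Python is an added example, not Okta's code. It implements the evaluation described above: the right-to-left walk of the IP chain against the proxies defined for the org, followed by the AND-combined location, IP type, and ASN check from the earlier "Any proxy, New Zealand, ASN 15169" example, plus the rule that a country without a region covers all of that country's regions and that a zone can't list both a country and one of its regions. The IP_INTEL table is a constructed stand-in for the MaxMind geolocation and proxy/ASN data that Okta resolves; every address and attribute in it is hypothetical, and the handling of a chain in which every hop is a listed proxy is an assumption the page does not cover.

```python
from dataclasses import dataclass

# Constructed IP intelligence table: hypothetical values standing in for the
# MaxMind geolocation and proxy/ASN data Okta resolves. Not real data.
IP_INTEL = {
    "1.1.1.1": {"country": "NZ", "region": None, "proxy": None,      "asn": 15169},
    "2.2.2.2": {"country": "US", "region": "CA", "proxy": "tor",     "asn": 64500},
    "3.3.3.3": {"country": "US", "region": "NY", "proxy": "non_tor", "asn": 64501},
    "4.4.4.4": {"country": "DE", "region": None, "proxy": None,      "asn": 64502},
    "5.5.5.5": {"country": "NZ", "region": None, "proxy": "tor",     "asn": 15169},
}


def resolve_client_ip(ip_chain, org_proxies):
    """Pick the originating client IP from an IP chain (left = origin, right = last hop).

    Walk from the right; the first address not defined as a proxy for the org is
    the client IP. A single-address chain is always the client IP, even when
    that address is itself a listed proxy.
    """
    if not ip_chain:
        raise ValueError("IP chain must contain at least one address")
    if len(ip_chain) == 1:
        return ip_chain[0]
    for ip in reversed(ip_chain):
        if ip not in org_proxies:
            return ip
    # Every hop is a listed proxy. The page doesn't cover this case; treating the
    # leftmost address as the origin is an assumption of this example.
    return ip_chain[0]


@dataclass(frozen=True)
class DynamicZone:
    ip_type: str = "any"                # "any", "any_proxy", "tor", "not_tor"
    locations: frozenset = frozenset()  # {(country, region_or_None)}; empty = all
    asns: frozenset = frozenset()       # empty = all ASNs


def validate_locations(locations):
    """Reject a zone listing a country and one of its regions (e.g. US and California, US)."""
    whole_countries = {c for c, r in locations if r is None}
    for c, r in locations:
        if r is not None and c in whole_countries:
            raise ValueError(f"{r}, {c} is already contained in {c}")


def location_matches(zone_locations, country, region):
    if not zone_locations:  # no location defined: every location is in the zone
        return True
    # A country without a region covers all of that country's regions.
    return any(zc == country and (zr is None or zr == region)
               for zc, zr in zone_locations)


def ip_type_matches(ip_type, proxy):
    if ip_type == "any":
        return True
    if ip_type == "any_proxy":
        return proxy is not None
    if ip_type == "tor":
        return proxy == "tor"
    if ip_type == "not_tor":
        return proxy == "non_tor"
    raise ValueError(f"unknown IP type {ip_type!r}")


def asn_matches(zone_asns, asn):
    return not zone_asns or asn in zone_asns


def request_in_zone(zone, ip_chain, org_proxies, intel=IP_INTEL):
    """Conditions are ANDed: location AND IP type AND ASN must all match the client IP."""
    validate_locations(zone.locations)
    info = intel[resolve_client_ip(ip_chain, org_proxies)]
    return (location_matches(zone.locations, info["country"], info["region"])
            and ip_type_matches(zone.ip_type, info["proxy"])
            and asn_matches(zone.asns, info["asn"]))


# The page's example zone: any proxy AND New Zealand AND ASN 15169.
NZ_PROXY_ZONE = DynamicZone(ip_type="any_proxy",
                            locations=frozenset({("NZ", None)}),
                            asns=frozenset({15169}))

if __name__ == "__main__":
    # A few rows from the IP-chain table above: (chain, org proxies, expected client IP)
    rows = [
        (["1.1.1.1"], set(), "1.1.1.1"),
        (["1.1.1.1"], {"1.1.1.1"}, "1.1.1.1"),
        (["1.1.1.1", "2.2.2.2"], {"2.2.2.2"}, "1.1.1.1"),
        (["1.1.1.1", "2.2.2.2", "3.3.3.3"], {"3.3.3.3", "2.2.2.2"}, "1.1.1.1"),
        (["1.1.1.1", "2.2.2.2", "3.3.3.3"], {"4.4.4.4"}, "3.3.3.3"),
    ]
    for chain, proxies, expected in rows:
        got = resolve_client_ip(chain, proxies)
        status = "ok" if got == expected else "MISMATCH"
        print(f"{', '.join(chain):28} proxies={sorted(proxies) or 'Empty'} -> {got} ({status})")
    # 1.1.1.1 is NZ and ASN 15169 but not a proxy, so AND logic keeps it out of the zone.
    print("1.1.1.1 in zone:", request_in_zone(NZ_PROXY_ZONE, ["1.1.1.1"], set()))
    print("5.5.5.5 in zone:", request_in_zone(NZ_PROXY_ZONE, ["5.5.5.5"], set()))
```

Note that which address gets classified depends entirely on the org's proxy list: the same chain `5.5.5.5, 2.2.2.2` resolves to the Tor exit 2.2.2.2 (outside the zone) when 2.2.2.2 is not a defined proxy, and to the New Zealand origin 5.5.5.5 (inside the zone) when it is. Keeping that proxy list accurate is what makes the zone evaluate the intended address.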

Related topics

Create a dynamic zone

Enhanced dynamic zones