Enhanced dynamic zones
Use enhanced dynamic zones to define the IP service categories, locations, and Autonomous System Numbers (ASNs) that are blocked or allowed in a zone. IP service categories include proxies, VPNs, and anonymizers.
You can configure an enhanced dynamic zone as a blocklist, where all IP service category types, locations, and ASNs that you add to the zone are blocked before authentication.
Blocking traffic before authentication prevents attackers from accessing your Okta sign-in and registration pages if the attempt is initiated from an IP or network identified in your network zone.
You can also configure an enhanced dynamic zone for use in a policy. When a zone is used in a policy, it defines the conditions that must be met when users sign in.
Your org has a default enhanced dynamic zone that includes all anonymizing proxies. You can't delete or rename this zone, and you can't add locations or ASNs to it. The DefaultEnhancedDynamicZone is in an inactive state by default. Activate it to block all anonymizing proxies.
When an enhanced dynamic zone is used as a blocklist, a security.request.blocked event appears in the System Log.
If you disable this feature, Okta recommends that you first remove any enhanced dynamic zones from your policy rules.
IP service category
An IP service category is a classification of IPs based on how the IP is used. IP service categories include VPNs, proxies, anonymizers, Tor, and more. These services are used to obfuscate the source of a request. For a list of IP service categories that Okta supports, see Supported IP service categories.
Location
A location is either a country or a country and region. If you don't include a region, the entire country is considered. You can include or exclude a single location, multiple locations, or no location in an enhanced dynamic zone.
When the location isn't defined, all locations are considered to be within that dynamic zone. A single enhanced dynamic zone can't include two locations that contain each other, such as the US and California.
Continents aren't used as region definitions. The Europe (EU) and Asia/Pacific (AP) codes are used only if you don't select a country code. To include all the countries in Europe or in Asia/Pacific, choose each individual country. If you choose Europe or Asia/Pacific and don't specify individual countries, the geolocation provider returns only requests from countries that don't have a designated country code. Used alone, Europe and Asia/Pacific are treated as generic codes for undesignated regions.
In the System Log, each location (a country, or a country and region) appears on a separate line. The following table lists some examples of valid locations.
Location | System Log entry |
Country | US |
Country and region | California, US |
Country and region | Quebec, CA |
In India, the ISO standard region codes and country code have changed. The update resulted in discrepancies between the new codes and the codes that are displayed in Okta. To prevent issues, edit any affected enhanced dynamic zones.
Autonomous system number
ASNs are used to uniquely identify each network on the internet. Internet service providers (ISPs) can apply to have one or more ASNs assigned to them. While an ISP's name can change, its assigned ASN stays reserved and doesn't change. One ASN, multiple ASNs, or no ASNs can be defined for a network zone. If no ASN is provided, all ASNs are considered to be within the enhanced dynamic zone.
Because the ASN represents an entire network of IP addresses, specifying an ASN can help you reduce overhead as an alternative to entering a list of multiple IP addresses. You can use online ASN lookup tools to find the ASN for a given IP address. For an example of an ASN lookup tool, see DNSChecker.
Enhanced dynamic zone evaluation
Okta verifies whether the enhanced dynamic zone configuration matches the location, IP service categories, and ASN of the IP where the request originates.
If the IP chain of the request contains more than one IP address, Okta attempts to identify the client IP where the request originated.
Enhanced dynamic zone evaluation example
IP chain | All proxies defined for the org | Client IP where the request originated |
1.1.1.1 | Empty | 1.1.1.1 |
1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
1.1.1.1 | 2.2.2.2 | 1.1.1.1 |
1.1.1.1, 2.2.2.2 | Empty | 2.2.2.2 |
1.1.1.1, 2.2.2.2 | 2.2.2.2 | 1.1.1.1 |
1.1.1.1, 2.2.2.2 | 3.3.3.3 | 2.2.2.2 |
1.1.1.1, 2.2.2.2 | 1.1.1.1 | 2.2.2.2 |
1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3, 2.2.2.2 | 1.1.1.1 |
1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3 | 2.2.2.2 |
1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 | 4.4.4.4 | 3.3.3.3 |
Originating client IP evaluation
To identify the originating client IP for the request, the IP chain of the request is evaluated and compared to all proxy IPs defined in all IP zones for that org.
- If the rightmost IP address in the IP chain isn't defined as a proxy, it's marked as the client IP.
- If the rightmost IP address in the IP chain is a proxy IP, the next IP address to the left is evaluated, and so on, until an IP that isn't a proxy is found. That IP is marked as the client IP.
- After the client IP is determined, the geolocation, IP service category, and ASN for that IP are resolved and compared with the configured geolocation, IP service category, and ASN values for that zone. If the values match, the request comes from inside that zone.
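The right-to-left walk described above, followed by the location, IP service category, and ASN comparison, as an added Python example (not Okta's code). The `IP_INTEL` lookup is a constructed stand-in for the geolocation provider, the fallback when every IP in the chain is a proxy is an assumption, and treating an empty category set as "any category" is assumed by analogy with the page's rules for locations and ASNs.

```python
from dataclasses import dataclass, field


def originating_client_ip(ip_chain, proxies):
    """Walk the IP chain from right to left; the first IP that isn't a
    configured proxy is the client IP. If every IP is a proxy, this example
    falls back to the leftmost IP (assumption: the page doesn't cover it)."""
    proxy_set = set(proxies)
    for ip in reversed(ip_chain):
        if ip not in proxy_set:
            return ip
    return ip_chain[0]


@dataclass
class Zone:
    # An empty set means "all" for that attribute (stated on the page for
    # locations and ASNs; assumed here for service categories too).
    locations: set = field(default_factory=set)   # ("US", None) or ("CA", "QC")
    categories: set = field(default_factory=set)  # e.g. "Tor", "VPN"
    asns: set = field(default_factory=set)


# Constructed stand-in for the geolocation / IP-intelligence provider.
# ASNs come from the documentation range (AS64496-AS64511), not real networks.
IP_INTEL = {
    "1.1.1.1": (("US", "CA"), {"Tor"}, 64496),
    "2.2.2.2": (("CA", "QC"), set(), 64497),
    "3.3.3.3": (("DE", None), {"VPN"}, 64498),
}


def location_matches(zone_loc, ip_loc):
    """A country-only zone location matches any region of that country."""
    country, region = zone_loc
    return country == ip_loc[0] and (region is None or region == ip_loc[1])


def in_zone(ip_chain, proxies, zone):
    """True if the originating client IP satisfies every defined attribute."""
    client = originating_client_ip(ip_chain, proxies)
    loc, cats, asn = IP_INTEL[client]
    loc_ok = not zone.locations or any(location_matches(z, loc) for z in zone.locations)
    cat_ok = not zone.categories or bool(zone.categories & cats)
    asn_ok = not zone.asns or asn in zone.asns
    return loc_ok and cat_ok and asn_ok
```

With `proxies` set to the "All proxies defined for the org" column, `originating_client_ip` reproduces each row of the evaluation table above.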