IP Exempt zone
Early Access release. See Enable self-service features.
Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI. Your global session policy and authentication policies remain applicable and may prevent access.
When you enable this feature, Okta creates a zone called DefaultExemptIpZone. Gateway IPs that you add to this zone always have access to Okta resources. You can add gateway IPs directly from the System Log event or by editing the zone.
For example, you've configured an enhanced dynamic network zone as a blocklist to block traffic from some IP service categories. However, you still need to allow traffic from one or more specific IPs that are a part of a blocked IP service category. Add those IPs to the DefaultExemptIpZone to allow traffic from those IP addresses.
You can't add trusted proxy IPs to this zone or delete the zone.
All blocklisted IPs in an IP chain must be included in this zone for Okta to allow access.
IP exempt zone evaluation
The following table lists examples of how Okta evaluates your blocklisted IPs against those in the exempt list and allows or denies access.
| IP chain | Blocklisted IPs | IPs in DefaultExemptIpZone | Result |
|---|---|---|---|
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | Empty | Empty | Allow |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | Empty | 1.1.1.1 | Allow |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 1.1.1.1, 2.2.2.2 | 1.1.1.1, 2.2.2.2 | Allow |
| 1..1.1.0, 1.1.1.1, 2.2.2.2, 3.3.3.3 | 1.1.1.1 | 1.1.1.1 | Allow |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 1.1.1.1 | Empty | Block |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 2.2.2.2 | Empty | Block |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 1.1.1.1, 2.2.2.2 | 1.1.1.1 | Block |