Blocklist network zones
Admins can block IP addresses that belong to network zones, IP zones, and dynamic zones from accessing their Okta org.
Network zones contain a list of IP addresses, and dynamic zones contain a list of locations, ASNs, or IP types.
Okta doesn't allow blocklisted IP addresses to access any of your org's URLs. Okta blocks these requests before any type of policy evaluation occurs.
HealthInsight task recommendation
Configure network blocklisting to deny access to your Okta org from known malicious IP addresses or locations.
Okta recommends: Block any known untrusted IP addresses, locations, or proxy servers to limit access to your org. If your org uses IP Trust for network zones, Okta also recommends blocking any IP addresses that are identified as a Tor anonymizer proxy. Only add IP addresses or locations that aren't associated with legitimate user activity.
Security impact: Moderate
End-user impact: Low. Legitimate users within your org see no change in behavior. Clients connecting from blocked network zones see a 403 (access denied) error.
Block specific IP addresses
Block specific IP addresses to deny access to your Okta org.
- In the Admin Console, go to .
- In the list of zones, click Edit for the BlockedIpZone network zone.
- Select Block access from IPs matching conditions listed in this zone.
- Click Save.
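The recommendation above says to add only IP addresses that aren't associated with legitimate user activity. The following Python example is added here and is not part of the Okta documentation: it checks candidate blocklist entries against the source IPs of recent successful sign-ins before they go into the zone. All addresses are constructed sample data, the function names are hypothetical, and the gateway entry shape (a type of CIDR or RANGE plus a value) is an assumption based on Okta's Network Zones API.

```python
import ipaddress

# Constructed sample data: source IPs of recent successful sign-ins
# (for example, exported from your org's System Log).
LEGIT_SIGNIN_IPS = ["198.51.100.23", "203.0.113.77", "192.0.2.10"]

# Constructed candidate entries for the blocklist zone: single IPs, CIDRs, ranges.
CANDIDATES = ["203.0.113.0/24", "198.51.100.200",
              "192.0.2.1-192.0.2.50", "100.64.0.0/10"]


def to_networks(entry):
    """Expand a single IP, a CIDR block, or a 'start-end' range into networks."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


def vet_candidates(candidates, legit_ips):
    """Split candidates into safe entries and entries covering legitimate IPs."""
    legit = [ipaddress.ip_address(ip) for ip in legit_ips]
    safe, conflicts = [], {}
    for entry in candidates:
        nets = to_networks(entry)
        hits = [str(ip) for ip in legit if any(ip in net for net in nets)]
        if hits:
            conflicts[entry] = hits  # blocking this would lock out real users
        else:
            safe.append(entry)
    return safe, conflicts


def to_gateways(entries):
    """Build gateway entries (assumed shape of the Zones API 'gateways' list)."""
    gateways = []
    for e in entries:
        if "-" in e:
            gateways.append({"type": "RANGE", "value": e})
        else:  # normalise single IPs to /32 (or /128) CIDR notation
            net = ipaddress.ip_network(e, strict=False)
            gateways.append({"type": "CIDR", "value": str(net)})
    return gateways


if __name__ == "__main__":
    safe, conflicts = vet_candidates(CANDIDATES, LEGIT_SIGNIN_IPS)
    for entry, hits in conflicts.items():
        print(f"REVIEW {entry}: covers legitimate sign-in IPs {hits}")
    print("Safe to block:", to_gateways(safe))
```

Entries reported for review overlap addresses that real users signed in from, so narrow or drop them before adding them to the blocklist zone.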
Block IP addresses in a dynamic zone
Block IP addresses in a dynamic zone from accessing your Okta org.
- In the Admin Console, go to .
- Click Add Zone > Dynamic Zone.
- Define a location or proxy type.
- Select Block access from IPs matching conditions listed in this zone.
- Click Save.
Block Tor anonymizer proxy IP addresses
Block IP addresses identified as a Tor anonymizer proxy from accessing your Okta org.
- In the Admin Console, go to .
- Click Add Zone > Dynamic Zone.
- Select Tor anonymizer proxy for IP Type.
- Select Block access from IPs matching conditions listed in this zone.
- Click Save.