Network Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Published: Jan 31, 2018   -   Updated: Jun 22, 2018





The Network page allows admins to identify their network perimeter to Okta. Public Gateway IP addresses and IP Zones allow Okta to gate certain features to on or off premises impacts. Any IP address that is not included in the list is considered off network, and subject to any off-network security policies you might create.

Note: IP Zones supersedes the Public Gateway IP Addresses feature.

IP Zones

Okta offers authentication whitelisting and blacklisting based on zones. Zones are set of IP address ranges, a single IP address, or geolocations defined by an admin. Zones are used in policies, application sign in rules, VPN Notifications, and Integrated Windows Authentication (IWA). If a zone definition is updated, any policy or rule that uses it is automatically updated to the new specification.

Zones replace the earlier concept of Public Gateway IPs in which you could only specify one set of IP addresses. The terms on network and off network are replaced by in zone and not in zone.

Setting up Zones

A zone can either define IP addresses or geographical locations. You can set up to 100 zones. Each zone can contain up to 150 specifications.

The following table describes specifications for IP address zones.

Public Gateway IP Addresses – enter one per line or separate by commas. For ranges, either use a hyphen to separate the range, or use CIDR notation.,

Trusted Proxy IP addresses – same format as above–

Note: The Gateway IP field must be populated in order for the Zone to be evaluated properly.

If you have the Geolocations feature enabled, you can also use geographical specifications. The following table describes specifications for geographic location zones.

A countryUS
A country and a region– enter one per line

California, US

Québec, CA

You cannot define a country as a specification and then add another specification that defines a region within that country. The following combination of specifications is valid:

Québec, CA
Bayern, DE

The following combination of specifications is invalid:

California, US

Note: You cannot specify cities or IPv6 addresses.

Entering Zones

Use the Security > Networks > Add Zone button for new zones. Use the Edit or Delete icons next to existing zones to change or remove them. If you have a legacy zone, you cannot edit or delete it.

Using Zones


When entering rules for sign-on policies, under Security > Authentication, specify zone information from the selection shown below.


Choices for the location are Anywhere, In zone, and Not in zone.

After selecting In zone or Not in zone, the following zone selection options appear.


If you check All Zones, all of your defined zones are selected, and the box below it is no longer visible, as shown below.


If you do not check All Zones, you can begin typing a zone name in the Zones box. A dropdown list appears that contains all existing zones that contain the text you entered anywhere in the zone name. You can choose any number of zones. The following example shows a search for all zones that contain the letter t. In this case, only one zone is found. You still must select it to make it active.


VPN Notifications

When entering rules for VPN notifications, you cannot list specific zones for these notifications; you can specify Inside Any Zones or Outside All Zones.

Note: You can jump to the Zone setup screens anytime by choosing the Network link shown above.


When evaluating IWA logins, Okta checks that the login is from the configured zones. You can edit the configuration and choose any desired zones, or choose All Zones as you do in policies.

When an IWA agent is configured, the IP address of the client is added to the LegacyIPZone. The LegacyIPZone is the only zone configured by default, as shown below.


Note: You can define up to 20 network zones in IWA network zones.

Deleting Zones

When an IP or Location Zone is deleted, all rules that use the deleted zone are affected.

  • If the zone to delete is the only zone in any rule, you cannot delete the zone and receive an error message. Edit the rule to use a different zone then perform the deletion again.
  • If the zone to delete is not the only zone in any rule you can delete the zone. The zone is removed from all the rules where it is specified.

Legacy Zone

If you have already defined Public Gateway IP Addresses, the information is migrated to a zone named LegacyIpZone. You cannot delete this zone, but you can edit it.

For existing rules, LegacyIpZone retains the previous settings. This zone is still active and can be used in new assignments.

Note: You can define a maximum of 5000 legacy network zones.

Blacklist an Entire Zone

Entire zones can be marked as blacklisted. Clients from these zones cannot access any URL for the org. To mark a zone as blacklisted, check Blacklist access from IPs listed in this zones in the Add IP Zone screen.

Note: Two network zones are created by default when the Multiple Network Zones feature is enabled. One of them can be used for blacklisting IPs. Creating multiple network zones is currently an EA feature; contact Okta support to enable it.

Dynamic Zones

A dynamic zone defines both a location and a proxy. The zone can be blacklisted or whitelisted.

You can define a location, or use any location.

You can define a proxy type, from Any, TorAnonymizer, or NotTorAnonymizer, or leave proxy unchecked to ignore any proxy.


Public Gateway IP Addresses (Superseded by IP Zones)

To set these IP addresses,

  1. Click Edit in the Gateway Settings section.
  2. Enter the appropriate IP addresses (see the Okta features that use Public Gateway IPs, below).
  3. Note: Separate IPs and IP ranges with a newline or comma, and separate IPs in a range with a dash.
  4. Click Save.

Okta Features Using Public Gateway IPs

Desktop SSO – Prevents the SSO redirect (to the IWA site) from occurring when accessed off premises.

Multifactor Authentication – Permits an admin to require MFA only when the system is accessed off premises.

App Sign On Policies – Permits denial of access to certain applications when accessed off premises.

Support for Trusted Proxies

To specify trusted proxies, use see Setting up Zones in the IP Zones section, above.