This article addresses the situation in which an internal tool connects from an IP address located in a country that is blocked via a dynamic network zone in Okta. The tool needs to be allowed, while the rest of the country should remain blocked.

Applies to:
- Network Zones
- Authentication Policies
To work around this issue, there are 2 options:

- Option 1: Use sign-on/authentication policies to allow or restrict access from specific network zones.
  - Remove the targeted country from the dynamic blocking zone.
  - Gather the IPs that need to be allowed and create a new IP network zone containing them.
  - Create a sign-on policy rule that allows access from the new IP zone.
  - Create a dynamic network zone for the country that should be blocked, configured NOT to block on its own (the deny comes from the policy rule in the next step, not from the zone).
  - Create another sign-on policy rule that includes the new dynamic zone and denies access if the client IP matches that zone.
  - Make sure the priority of the two new sign-on policy rules is in the following order:
    - First: the sign-on policy rule with the IP zone that allows the internal tool's IP.
    - Second: the sign-on policy rule with the dynamic zone that denies access from the country that should be blocked.
  - (Optional) If the issue is not related to the IP location, create a dynamic zone that blocks access from the specific regions of the country without blocking the region that contains the IP.

  Results: The sign-on policy now dictates which IPs are allowed or denied, rather than the network zone blocking the IPs immediately. The first sign-on policy rule is evaluated first and allows the internal service IP configured in the first network zone if the client matches that IP. If it does not match, the second sign-on policy rule is evaluated and denies the user if their IP falls within the country defined in the second network zone.
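The following added example (not Okta's code or part of the original article) models Option 1 locally: it builds the two zone payloads in the shape of Okta's Zones API body (field names assumed from the public API docs, nothing is sent), then evaluates a simplified ordered rule set to show why the allow rule must sit above the deny rule. The CIDR and the country code are constructed placeholders.

```python
import ipaddress

# Constructed sample values: the internal tool's egress range and the blocked country.
INTERNAL_TOOL_CIDR = "203.0.113.0/24"   # RFC 5737 documentation range, constructed
BLOCKED_COUNTRY = "XX"                  # placeholder ISO 3166-1 alpha-2 code


def build_zones():
    """Zone payloads shaped like Okta's POST /api/v1/zones body (field names assumed)."""
    ip_zone = {"type": "IP", "name": "Internal Tool Allow", "status": "ACTIVE",
               "usage": "POLICY",
               "gateways": [{"type": "CIDR", "value": INTERNAL_TOOL_CIDR}]}
    # usage is POLICY, not BLOCKLIST: the zone only identifies the country,
    # the sign-on rule is what denies, so the tool's IP can be allowed first.
    country_zone = {"type": "DYNAMIC", "name": "Blocked Country", "status": "ACTIVE",
                    "usage": "POLICY", "locations": [{"country": BLOCKED_COUNTRY}]}
    return ip_zone, country_zone


def build_rules(ip_zone, country_zone, allow_first=True):
    """Simplified local model of two sign-on rules; priority 1 is evaluated first."""
    allow = {"priority": 1 if allow_first else 2, "zone": ip_zone, "access": "ALLOW"}
    deny = {"priority": 2 if allow_first else 1, "zone": country_zone, "access": "DENY"}
    return [allow, deny]


def zone_matches(zone, client_ip, client_country):
    """IP zones match on CIDR membership, dynamic zones on the client's country."""
    if zone["type"] == "IP":
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(g["value"]) for g in zone["gateways"])
    return any(loc["country"] == client_country for loc in zone["locations"])


def evaluate(rules, client_ip, client_country):
    """First matching rule wins, mirroring priority-ordered rule evaluation."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if zone_matches(rule["zone"], client_ip, client_country):
            return rule["access"]
    return "FALLTHROUGH"  # no rule matched; remaining rules / catch-all apply


if __name__ == "__main__":
    rules = build_rules(*build_zones())
    print(evaluate(rules, "203.0.113.10", "XX"))  # tool in blocked country: ALLOW
    print(evaluate(rules, "198.51.100.7", "XX"))  # other IP in blocked country: DENY
    print(evaluate(build_rules(*build_zones(), allow_first=False), "203.0.113.10", "XX"))
```

With the priorities swapped the tool's own address is denied, which is the misconfiguration the ordering step above guards against.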
- Option 2: Add the IPs to the IP exempt list (called DefaultExemptIpZone by default).
  - Go to Security > Networks.
  - Edit the IP exempt list and add the IPs/gateways (note that there is currently a limit of 150 gateways that can be added to that zone).

  Results: This allows traffic from the specified gateway IPs irrespective of network zones, blocks, and ThreatInsight.
