This article describes how Okta evaluates the IP address when an IP Zone is used in a policy.
- IP Zones
Once an IP Zone is included in a policy, Okta checks whether the IP chain of the request matches the gateways and proxies configured in the IP Zone.
The following applies when the IP chain of the request contains one IP:
- If the IP is defined as a gateway in a particular zone, Okta considers the request to be from within that zone.
The following applies when the IP chain of the request contains more than one IP:
| Evaluation | How the IP chain is evaluated |
| --- | --- |
| Gateway Evaluation | If the IP address to the very right of the IP chain is defined as a gateway for that zone, the request is considered to be from inside that zone. If the IP address to the very right of the IP chain is not defined as a gateway or a proxy for that zone, the request is considered not to be from inside that zone. |
| Proxy Evaluation | If the IP address to the very right of the IP chain is not defined as a gateway but is defined as a proxy, the IP to the left of the proxy is then verified, and the process repeats. If this IP is a gateway IP, the request is considered to be from inside that zone. If it is not a gateway IP or a proxy, the IP address is not considered a match, and the request is considered not to be from inside that zone. |
This process of matching continues until one of the following is found:
- An IP in the chain is a gateway (in which case the request is considered from within the zone).
- An IP in the chain is neither a gateway nor a proxy (in which case, the request is considered not to be from within the zone).
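
The right-to-left walk described above, as an added Python sketch for checking a zone design against sample chains (this is not Okta's code). It assumes the zone's gateways and proxies are written as CIDR strings, uses constructed documentation-range addresses, and treats a chain that consists only of proxies as no match, a case the article does not cover.

```python
import ipaddress

def _listed(ip, networks):
    """True if ip falls inside any of the CIDR strings in networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def evaluate_zone(ip_chain, gateways, proxies):
    """Walk the IP chain from right to left, as the article describes.

    ip_chain: addresses in request order, leftmost first.
    Returns (in_zone, deciding_ip). deciding_ip is the address that ended
    the walk, or None when every address was a proxy.
    """
    for ip in reversed(ip_chain):
        if _listed(ip, gateways):
            return True, ip        # gateway found: request is inside the zone
        if not _listed(ip, proxies):
            return False, ip       # neither gateway nor proxy: not in the zone
        # ip is a proxy: move one address to the left and repeat
    # Assumption (not stated in the article): no gateway found means no match.
    return False, None

# Constructed sample zone (RFC 5737 documentation ranges).
GATEWAYS = ["198.51.100.0/24"]
PROXIES = ["203.0.113.10/32"]

# Constructed sample chains covering each rule in the article.
SAMPLES = {
    "single gateway IP": ["198.51.100.7"],
    "rightmost is gateway": ["192.0.2.44", "198.51.100.7"],
    "proxy, then gateway": ["198.51.100.7", "203.0.113.10"],
    "rightmost unlisted": ["198.51.100.7", "192.0.2.44"],
    "proxy, then unlisted": ["192.0.2.44", "203.0.113.10"],
    "only a proxy": ["203.0.113.10"],
}

if __name__ == "__main__":
    for label, chain in SAMPLES.items():
        in_zone, decided_by = evaluate_zone(chain, GATEWAYS, PROXIES)
        print(f"{label:22} {', '.join(chain):32} in_zone={in_zone} decided_by={decided_by}")
```

The "rightmost unlisted" case shows that a gateway address further left in the chain has no effect once the rightmost address is neither a gateway nor a proxy.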
