Okta Access Gateway Monitoring Endpoint Returns "403 Forbidden"
Overview

The Access Gateway (OAG) Monitoring REST API endpoint (/basic_status) returns the following HTTP error response:

403 Forbidden

Applies To
  • Okta Access Gateway (OAG)
  • REST API Monitoring
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Cause
  • The client IP address is not included in the list of allowed IPs.
  • The IP address in the X-Forwarded-For header is not included in the list of allowed IPs.

If an IP address is passed in an X-Forwarded-For header (for example, by a load balancer), the originating IP address is considered the "real IP" and must be allowed. The load balancer's IP address would not need to be in the allowed list.

Solution

To resolve the issue, follow the steps below:

  1. If there is a load balancer in front of OAG, check the configuration to see if it is passing the client IP address in an X-Forwarded-For header.
  2. Ensure that the IP address is included in the allowed IP list.
    1. SSH to the OAG admin node.
    2. Select 4 - Monitoring.
    3. Select 5 - Configure REST APIs.
    4. Select 3 - Manage allowed IPs.
    5. If necessary, add the client IP address or the IP address passed in the X-Forwarded-For header.
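
The cause above, modelled as an added example (not Okta's code): a helper that reports which address the allowed-IP check applies to and which address to add when it is missing. It assumes the leftmost X-Forwarded-For entry is the originating client and that the allowed list holds single addresses; the function names and sample IPs are constructed.

```python
import ipaddress

def evaluated_ip(peer_ip, xff_header=None):
    """Pick the address the allowed-IP check applies to.

    Assumption: the leftmost X-Forwarded-For entry is the originating client.
    Returns (address, source); raises ValueError if the value is not an IP.
    """
    if xff_header and xff_header.strip():
        first = xff_header.split(",")[0].strip()
        return ipaddress.ip_address(first), "X-Forwarded-For"
    return ipaddress.ip_address(peer_ip.strip()), "connection"

def diagnose(peer_ip, xff_header, allowed_ips):
    """Report whether a request would pass and which address to add if not."""
    # Parse entries so equivalent spellings (e.g. IPv6 forms) compare equal.
    allowed = {ipaddress.ip_address(a.strip()) for a in allowed_ips}
    try:
        ip, source = evaluated_ip(peer_ip, xff_header)
    except ValueError:
        # A header value that is not an IP address can never match the list.
        return {"allowed": False, "evaluated_ip": None,
                "source": None, "add_to_allowed_ips": None}
    ok = ip in allowed
    return {"allowed": ok, "evaluated_ip": str(ip), "source": source,
            "add_to_allowed_ips": None if ok else str(ip)}

if __name__ == "__main__":
    # Constructed sample: load balancer 10.0.0.5 forwards for monitor 192.0.2.10.
    cases = [
        ("10.0.0.5", "192.0.2.10", ["10.0.0.5"]),    # only the LB is listed
        ("10.0.0.5", "192.0.2.10", ["192.0.2.10"]),  # originating IP is listed
        ("192.0.2.10", None, ["192.0.2.10"]),        # direct connection, no header
    ]
    for peer, xff, allowed in cases:
        print(peer, xff, allowed, "->", diagnose(peer, xff, allowed))
```
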
