Differences Between the Okta DefaultExemptIpZone Feature and ThreatInsight Exclude IP Zones
Last Updated:
Overview
The Okta DefaultExemptIpZone feature automatically allows traffic from specific IP addresses and bypasses Okta ThreatInsight evaluation. In contrast, ThreatInsight Exclude IP zones accept any Network Zone to prevent ThreatInsight from evaluating those specific IP addresses.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- IP Zones
- Okta ThreatInsight
Cause
Solution
What are the differences between the DefaultExemptIpZone and ThreatInsight Exclude IP zones?
The IP exempt zone feature creates the DefaultExemptIpZone zone. Okta automatically allows traffic from the IP addresses within this zone, and Okta ThreatInsight does not evaluate these IP addresses.
The ThreatInsight Exclude IP zones field accepts any Network Zone and prevents ThreatInsight from evaluating those IP addresses.
Configure the ThreatInsight Exclude IP zones by navigating to the Okta ThreatInsight settings in the Admin Console and adding the desired Network Zones to the exempt list.
The DefaultExemptIpZone zone automatically allows the included IP addresses without requiring the addition of the zone to the Okta ThreatInsight settings. Both the Exempt Zones and the DefaultExemptIpZone zone prevent ThreatInsight from evaluating the listed IP addresses during log-in. Gateway IP addresses within the DefaultExemptIpZone always have access to Okta resources, offering a bypass to IP and Autonomous System Number (ASN) session binding based on the client IP address.
