Okta DefaultExemptIpZone Feature vs ThreatInsight Exclude IP Zones
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This article explains some key differences between the Okta zone DefaultExemptIpZone, created with the IP exempt zone feature, and the ThreatInsight Exclude IP zones.

Applies To
  • IP zone
  • Okta Classic Engine
Solution

The DefaultExemptIpZone zone is created by the IP exempt zone feature.

Okta will automatically allow traffic from the IPs added to this zone, and those IPs will not be evaluated by Okta ThreatInsight. 

 

The ThreatInsight Exclude IP zones field accepts any Network Zone and prevents those IP addresses from being evaluated by ThreatInsight.

Okta ThreatInsight settings

The DefaultExemptIpZone zone automatically allowlists the IP addresses added to it; the zone does not need to be added to the Okta ThreatInsight settings. Both the Exempt Zones and the DefaultExemptIpZone zone prevent ThreatInsight from evaluating the listed IP addresses during login. Gateway IPs added to DefaultExemptIpZone always have access to Okta resources, which offers a bypass of IP and ASN session binding based on the client IP.
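The following audit sketch is an added example, not Okta's code: it lists every gateway entry that ThreatInsight skips through either mechanism and marks the DefaultExemptIpZone entries, which also bypass session binding. Field names follow Okta's Network Zones and ThreatInsight configuration APIs; the zone IDs, addresses, the `CorpOffice` and `PartnerVPN` zones, and the review threshold are constructed assumptions, and only IP zones are sized.

```python
import ipaddress

# Constructed sample data shaped like Okta's Network Zones API (/api/v1/zones)
# and ThreatInsight configuration API (/api/v1/threats/configuration) responses.
ZONES = [
    {"id": "nzoEXAMPLE1", "name": "DefaultExemptIpZone", "type": "IP", "status": "ACTIVE",
     "gateways": [{"type": "CIDR", "value": "203.0.113.10/32"},
                  {"type": "CIDR", "value": "198.51.100.0/24"}]},
    {"id": "nzoEXAMPLE2", "name": "CorpOffice", "type": "IP", "status": "ACTIVE",
     "gateways": [{"type": "RANGE", "value": "192.0.2.1-192.0.2.20"}]},
    {"id": "nzoEXAMPLE3", "name": "PartnerVPN", "type": "IP", "status": "ACTIVE",
     "gateways": [{"type": "CIDR", "value": "192.0.2.128/25"}]},
]
THREATINSIGHT = {"action": "block", "excludeZones": ["nzoEXAMPLE2"]}
MAX_EXEMPT_ADDRESSES = 16  # review threshold: an assumption, tune per organisation


def gateway_size(gateway):
    """Count the addresses covered by one CIDR or RANGE gateway entry."""
    value = gateway["value"]
    if gateway["type"] == "RANGE":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return int(last) - int(first) + 1
    return ipaddress.ip_network(value, strict=False).num_addresses


def audit(zones, threatinsight):
    """List every gateway entry that ThreatInsight will not evaluate."""
    excluded_ids = set(threatinsight.get("excludeZones") or [])
    findings = []
    for zone in zones:
        if zone.get("type") != "IP" or zone.get("status") != "ACTIVE":
            continue
        exempt = zone["name"] == "DefaultExemptIpZone"
        if not exempt and zone["id"] not in excluded_ids:
            continue  # this zone's addresses are still evaluated
        for gw in zone.get("gateways") or []:
            size = gateway_size(gw)
            findings.append({
                "zone": zone["name"], "entry": gw["value"], "addresses": size,
                # Per the article, only exempt-zone gateways bypass session binding.
                "bypasses_session_binding": exempt,
                "needs_review": exempt and size > MAX_EXEMPT_ADDRESSES,
            })
    return findings


if __name__ == "__main__":
    print(*audit(ZONES, THREATINSIGHT), sep="\n")
```

With the sample data, the /24 in DefaultExemptIpZone is the only entry marked for review, and `PartnerVPN` does not appear because ThreatInsight still evaluates it.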

 
