After enabling the option Block access from IPs matching conditions listed in this zone inside a configured Dynamic Zone or IP Zone in Okta, the expected behavior is that anyone in that zone who tries to access the Sign-in Page of the org is blocked: instead of the sign-in widget, a 403 error is returned.
The goal of this knowledge article is to explain why the Sign-in Page would still be accessible from a blocked network zone instead of throwing a 403 error.
Applies To
- Okta Classic Engine
- Okta Identity Engine
- Network Zones
Okta, as a cloud company, uses AWS EC2 with Elastic IPs. Elastic IP addresses are dynamic addresses allocated to Okta's AWS account and remain Okta's until they are released. Okta's current IP addresses are published in the Okta IP range allowlist, which is updated whenever new EIPs are needed or released, so customers always have access to Okta's current list of IPs. This file is referenced in the online production documentation at: Okta IP addresses.
The Sign-in Page of a specific Okta org can be hosted at multiple addresses. When a client accesses the Sign-in Page, the traffic is routed to the best available address at that moment. For a Network Zone block, it can take up to 15 minutes, or even 30 minutes in some cases, for the blocking rule to fully propagate to all the addresses at which the Sign-in Page can be located. When the login page is refreshed several times during that window, the user is sometimes routed to an address where the blocking rule has not propagated yet, so the page is displayed. However, authentication will not succeed for a user in a blocked zone, even while the login page is still accessible.
This is expected behavior. The solution is to wait 15-30 minutes for the firewall blocking rule to fully propagate to all Okta addresses.
The propagation is fully completed when a user in a blocked zone is consistently denied access to the login page.
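As an added example (not from the Okta article), the following shell script performs that check from inside the blocked zone: it resolves every address the org hostname currently points to and fetches the Sign-in Page from each one directly, so addresses where the rule has not propagated still answer 200 while propagated ones answer 403. The org hostname is read from the OKTA_ORG_HOST environment variable (assumed placeholder); curl and dig (or getent) are assumed to be installed.

```bash
#!/bin/sh
# Probe every address behind an Okta org hostname to see where a Network Zone
# block has propagated. Run from a host inside the blocked zone.

# Resolve all IPv4 addresses for the host (dig preferred, getent as fallback).
resolve_addresses() {
  if command -v dig >/dev/null 2>&1; then
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
  else
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
  fi
}

# Fetch the sign-in page from one specific address. --resolve pins the
# connection to that IP while keeping the real hostname for TLS/SNI and Host.
# Prints only the HTTP status code.
probe_address() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    --resolve "$1:443:$2" "https://$1/"
}

# Given a whitespace-separated list of status codes, return 0 only when every
# address answered 403 (block fully propagated); an empty list is not complete.
block_fully_propagated() {
  [ -n "$1" ] || return 1
  for code in $1; do
    [ "$code" = "403" ] || return 1
  done
  return 0
}

# Probe all resolved addresses for a host and print a per-address report.
probe_all() {
  host="$1"; codes=""
  addrs=$(resolve_addresses "$host")
  [ -n "$addrs" ] || { echo "no addresses resolved for $host" >&2; return 2; }
  for ip in $addrs; do
    code=$(probe_address "$host" "$ip")
    printf '%-16s %s\n' "$ip" "$code"
    codes="$codes $code"
  done
  if block_fully_propagated "$codes"; then
    echo "Block has propagated to all resolved addresses."
  else
    echo "Block has not yet propagated everywhere; wait and re-run."
  fi
}

# Runs the probe only when OKTA_ORG_HOST is set, e.g. OKTA_ORG_HOST=your-org.okta.com sh probe.sh
[ -n "${OKTA_ORG_HOST:-}" ] && probe_all "$OKTA_ORG_HOST"
```

Re-run the script every few minutes; once every address reports 403 across several consecutive runs, the 15-30 minute propagation described above is complete.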
Related References
- Create zones for IP addresses for Okta Classic Engine
- Create zones for IP addresses Okta Identity Engine (OIE)
- How to Block the Sign On Page from Loading in Defined Network Zones
