This article explains how to bypass network zones using IP-based exemption support, which allows blocking network zones while permitting specific connections from trusted IP addresses.
- Enhanced Dynamic Network Zone
- Block IP Service Categories
The Enhanced Dynamic Zone is called DefaultExemptIpZone and can be found by following the steps below:
- In the Okta Admin Console, navigate to the Security tab.
- Open the Networks tab.
- Look for DefaultExemptIpZone.
To exempt an IP, follow the steps listed below:
- Edit the DefaultExemptIpZone Network Zone in that section and add the IP to be exempted.
- Otherwise, add the IP directly from the System logs by clicking the three dots and then the Add to Zone button next to the IP to be exempted.
- Add it to DefaultExemptIpZone and save.
NOTE: Adding an IP to the DefaultExemptIpZone only allows those IPs to bypass network-based restrictions, such as blocklists or Okta ThreatInsight blocks. However, users connecting from these IPs must still meet all other policy requirements, including authentication factors and session controls.
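Because every entry in DefaultExemptIpZone bypasses blocklists and ThreatInsight blocks, the zone's contents are worth reviewing periodically. The following is an added example, not Okta code: it audits an exported zone for entries that are broader than intended. The sample zone is constructed, the gateway format (`CIDR` / `RANGE` entries with a `value`) is assumed to match the Okta Zones API, and the 256-address threshold is a hypothetical review limit.

```python
import ipaddress

# Constructed sample shaped like an IP zone's "gateways" list in the Okta
# Zones API (assumption); addresses are documentation/private ranges.
SAMPLE_ZONE = {
    "name": "DefaultExemptIpZone",
    "gateways": [
        {"type": "CIDR", "value": "203.0.113.10/32"},
        {"type": "CIDR", "value": "198.51.100.0/22"},
        {"type": "RANGE", "value": "192.0.2.5-192.0.2.9"},
        {"type": "CIDR", "value": "10.0.0.0/8"},
    ],
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_ADDRESSES = 256  # hypothetical review threshold (wider than a /24)


def gateway_networks(gateway):
    """Expand one gateway entry (CIDR or RANGE) into ip_network objects."""
    value = gateway["value"].strip()
    if gateway["type"] == "RANGE":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(value, strict=False)]


def audit_exempt_zone(zone, max_addresses=MAX_ADDRESSES):
    """Return (entry, reason) pairs for exempt entries that need review."""
    findings = []
    for gw in zone.get("gateways", []):
        try:
            nets = gateway_networks(gw)
        except (ValueError, TypeError, KeyError) as exc:
            findings.append((gw.get("value"), f"unparseable: {exc}"))
            continue
        size = sum(n.num_addresses for n in nets)
        if size > max_addresses:
            findings.append((gw["value"], f"broad: {size} addresses"))
        if any(n.version == 4 and n.overlaps(p) for n in nets for p in RFC1918):
            findings.append((gw["value"], "rfc1918 private range"))
    return findings


if __name__ == "__main__":
    for value, reason in audit_exempt_zone(SAMPLE_ZONE):
        print(f"{value}: {reason}")
```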
