This article explains how to use the IP-based exemption functionality of network zones to block network zones while still permitting specific connections from trusted IP addresses.
- Enhanced Dynamic Network Zone
- Block IP Service Categories
- IP Reputation
The Enhanced Dynamic Zone is called DefaultExemptIpZone and can be found by following the steps below:
- In the Okta Admin Console, navigate to the Security tab.
- Open the Networks tab.
- Look for DefaultExemptIpZone.
To exempt an IP, follow the steps below:
- The IP to be exempted can be added from that section by editing the DefaultExemptIpZone Network Zone.
- Otherwise, add the IP directly from the System logs by clicking the three dots and then the Add to Zone button next to the IP that needs to be exempted.
- Add it as DefaultExemptIpZone and save.
NOTE:
Adding an IP to the DefaultExemptIpZone excludes only that IP from network-based restrictions, such as blocklists or Okta ThreatInsight blocks. Users connecting from exempted IPs must still meet all other policy requirements, including authentication factors and session controls.
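Because every entry in DefaultExemptIpZone bypasses blocklists and ThreatInsight blocks, it is worth reviewing the zone for entries that exempt more addresses than intended. The following Python script is an added example, not part of the original article or Okta's tooling: it audits an exported gateway list for broad or malformed entries. The `{"type", "value"}` entry shape, the sample addresses, and the 256-address threshold are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample; entry shape {"type": "CIDR"|"RANGE", "value": ...} is an
# assumption about how the zone's gateway list was exported.
SAMPLE_GATEWAYS = [
    {"type": "CIDR", "value": "203.0.113.10/32"},
    {"type": "CIDR", "value": "198.51.100.0/22"},
    {"type": "RANGE", "value": "192.0.2.5-192.0.2.9"},
    {"type": "RANGE", "value": "192.0.2.200-192.0.2.100"},  # reversed range
    {"type": "CIDR", "value": "203.0.113.0/33"},            # invalid prefix
]
MAX_ADDRESSES = 256  # hypothetical review threshold per entry


def entry_size(entry):
    """Number of addresses one gateway entry exempts; raises on bad input."""
    value = entry["value"].strip()
    if entry["type"] == "RANGE":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        nets = ipaddress.summarize_address_range(first, last)
        return sum(n.num_addresses for n in nets)
    return ipaddress.ip_network(value, strict=False).num_addresses


def audit_exempt_gateways(gateways, max_addresses=MAX_ADDRESSES):
    """Return (value, issue, size) for entries that need review."""
    findings = []
    for entry in gateways:
        try:
            size = entry_size(entry)
        except (KeyError, TypeError, ValueError, AttributeError):
            findings.append((entry.get("value"), "unparseable", 0))
            continue
        if size > max_addresses:
            findings.append((entry["value"], "broad", size))
    return findings


if __name__ == "__main__":
    for value, issue, size in audit_exempt_gateways(SAMPLE_GATEWAYS):
        print(f"{issue:12} {value} ({size} addresses)")
```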
