Allowlist an IP Address Blocked by Network Zone
Okta Classic Engine
Okta Identity Engine
Network Zone
Overview

This article explains how to use IP-based exemption support to let trusted IP addresses bypass blocking network zones. The block zones stay in place while specific connections from trusted IP addresses are permitted.

Applies To
  • Enhanced Dynamic Network Zone
  • Block IP Service Categories
Solution

The Enhanced Dynamic Zone is called DefaultExemptIpZone and can be found by following the steps below:

  1. In the Okta Admin Console, navigate to the Security tab.
  2. Open the Networks tab.
  3. Look for DefaultExemptIpZone.

[Image: DefaultExemptIpZone]

To exempt an IP, follow the steps listed below:

  1. The IP to be exempted can be added from that section by editing the DefaultExemptIpZone Network Zone:

[Image: Gateway IPs]

  2. Otherwise, add the IP directly from the System Log by clicking the three dots and then the Add to Zone button next to the IP to be exempted:

[Image: IP address]

  3. Add it to DefaultExemptIpZone and save.

[Image: Add IP to Zone]

NOTE: Adding an IP to the DefaultExemptIpZone only allows those IPs to bypass network-based restrictions, such as blocklists or Okta ThreatInsight blocks. However, users connecting from these IPs must still meet all other policy requirements, including authentication factors and session controls.
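
Because every entry in DefaultExemptIpZone bypasses blocklists and ThreatInsight, the zone is worth reviewing periodically. The following is an added example, not part of Okta's article: it audits an exported zone object for entries that are broader than a chosen size or missing from a reviewed baseline. The sample zone (modelled on the IP zone object returned by the Okta Zones API), the `APPROVED` baseline and the `MAX_ADDRESSES` threshold are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample modelled on an Okta IP zone object (GET /api/v1/zones).
# Addresses are documentation/private ranges, not real data.
SAMPLE_ZONE = json.loads("""
{"name": "DefaultExemptIpZone", "type": "IP", "gateways": [
  {"type": "CIDR",  "value": "203.0.113.10/32"},
  {"type": "RANGE", "value": "198.51.100.5-198.51.100.20"},
  {"type": "CIDR",  "value": "192.0.2.0/24"},
  {"type": "CIDR",  "value": "10.0.0.0/8"}]}
""")

# Hypothetical baseline of exemptions that were reviewed and approved.
APPROVED = {"203.0.113.10/32", "198.51.100.5-198.51.100.20", "192.0.2.0/24"}
MAX_ADDRESSES = 16  # assumed review threshold; tune to your own policy


def entry_bounds(entry):
    """Return the (first, last) address covered by a CIDR or RANGE entry."""
    if entry["type"] == "CIDR":
        net = ipaddress.ip_network(entry["value"], strict=False)
        return net[0], net[-1]
    if entry["type"] == "RANGE":
        first, last = (ipaddress.ip_address(part.strip())
                       for part in entry["value"].split("-"))
        if last < first:
            raise ValueError(f"reversed range: {entry['value']}")
        return first, last
    raise ValueError(f"unknown gateway type: {entry['type']}")


def audit_exempt_zone(zone, approved=APPROVED, max_addresses=MAX_ADDRESSES):
    """Return (value, reason) findings for exempt entries that need review."""
    findings = []
    for entry in zone.get("gateways") or []:
        first, last = entry_bounds(entry)
        size = int(last) - int(first) + 1
        if size > max_addresses:
            findings.append((entry["value"], f"covers {size} addresses"))
        if entry["value"] not in approved:
            findings.append((entry["value"], "not in approved baseline"))
    return findings


if __name__ == "__main__":
    for value, reason in audit_exempt_zone(SAMPLE_ZONE):
        print(f"{SAMPLE_ZONE['name']}: {value}: {reason}")
```
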
