The Difference Between Blocklist and Allowlist
Okta Identity Engine
Administration
Overview

Okta supports blocklisting Dynamic Zones and allowlisting IP addresses through Network Zones. However, it does not support allowlisting an IP address that belongs to a country already blocked by a Dynamic Zone. In that case, Okta shows the following error:

 

 403 Access Forbidden: You don't have permission to access this page. 


Applies To
  • Network Zones
  • Allowlist IP addresses
  • Blocklist IP addresses
  • Okta Identity Engine (OIE)
Solution
  • Okta does not allow blocklisted IP addresses to access any of the org's URLs. Okta blocks these requests before any policy evaluation occurs.
  • Clients connecting from blocked network zones see a 403 Access Denied error.
  • Okta prioritizes the blocklist over the allowlist in Network Zones.
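
An added example, not Okta code: a small Python model of the precedence described above, used to flag allowlist entries that a blocklist will shadow. The zone lists, country codes, IP-to-country ranges, and the `policy:*` outcome labels are constructed for illustration; the data layout is hypothetical and is not Okta's zone schema or API output.

```python
import ipaddress

# Constructed sample data (documentation address ranges, made-up country codes).
GEO_RANGES = {"AA": ["203.0.113.0/24"], "BB": ["198.51.100.0/24"]}
BLOCKED_COUNTRIES = {"AA"}            # Dynamic Zone used as a blocklist
BLOCKLIST_IPS = ["192.0.2.128/25"]    # IP zone used as a blocklist
ALLOWLIST_IPS = ["203.0.113.10/32", "198.51.100.0/28", "192.0.2.0/24"]


def blocked_networks(geo, countries, ip_blocklist):
    """Flatten blocklisted IP ranges and blocked countries into one network list."""
    nets = [ipaddress.ip_network(c) for c in ip_blocklist]
    for cc in sorted(countries):
        nets += [ipaddress.ip_network(c) for c in geo.get(cc, [])]
    return nets


def decide(ip, blocked, allowed_cidrs):
    """Model the documented order: the blocklist is checked before any policy."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in blocked):
        return "403"  # rejected up front; the allowlist is never consulted
    if any(addr in ipaddress.ip_network(c) for c in allowed_cidrs):
        return "policy:allowlisted"   # assumed label for "reaches policy evaluation"
    return "policy:default"


def shadowed_allowlist(allowed_cidrs, blocked):
    """Return (cidr, 'full' | 'partial') for allowlist entries a blocklist overrides."""
    findings = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        hits = [b for b in blocked if net.overlaps(b)]
        if hits:
            # 'full': every address in the entry is blocked; 'partial': only some are.
            full = any(net.subnet_of(b) for b in hits)
            findings.append((cidr, "full" if full else "partial"))
    return findings


if __name__ == "__main__":
    blocked = blocked_networks(GEO_RANGES, BLOCKED_COUNTRIES, BLOCKLIST_IPS)
    for cidr, extent in shadowed_allowlist(ALLOWLIST_IPS, blocked):
        print(f"allowlist entry {cidr} is shadowed by a blocklist ({extent})")
    for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.200"):
        print(ip, "->", decide(ip, blocked, ALLOWLIST_IPS))
```
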

 
