Okta Classic Engine | Authentication | Answered | 2023-01-11T23:24:46.000Z | 2023-01-12T21:47:34.000Z

AlisonM.55943 (Customer) asked a question.

Blacklist Network Zone

We're currently experiencing issues with user accounts being locked out due to access attempts from other countries using invalid credentials. We would like to block these attempts based on the location, rather than having them come through as invalid credentials. We want the solution to apply across all applications.

 

Under the Authentication section, we are already using a Whitelist Network Zone, so sign-on is only allowed from our Dynamic White List. However, this isn't stopping the account lockouts.

 

I noticed that our "All - Dynamic Blacklist" network zone is inactive. If I change that to active, and add every country except the ones we want, will this achieve what we want (i.e., will it block the attempt to sign into an application before the credentials are entered, to stop the invalid credential errors)? Do I need to also add a new policy under the Authentication section using this Blacklist, or is it automatically used by default?

 

Requirement: Block attempts to access Okta based on location, across all applications for both modern and legacy authentication requests, to prevent accounts being locked out due to "invalid credentials" (denial of service attack).

 

 


  • DonF.81354 (Customer)

    Hi! Thanks for your question.

     

    The Dynamic blocklist, assuming it is on, will deny logins from the host nations specified, yes. I have this running currently, IP Type: Any and a list of Locations, zone type "Dynamic Block List".

     

    I do think this will help to meet your need. Please do let us know if you have any questions or concerns.

     

    Thanks!!

    • AlisonM.55943 (Customer)

      Thanks for the quick reply, Don!

       

      Did you have to add a policy in the Authentication section using that network zone? Or is it automatically applied system wide?

      • DonF.81354 (Customer)

        Great question! No, you do not need to add this to a sign-on/password policy. Once you define it and turn it on, it is in effect.

         

        From Okta: "If a network zone is blocklisted, clients from these blocked network zones can't access any URL for the org and requests are automatically blocked prior to any type of policy evaluation."

         

        Source: Blocklist Network Zones

        Selected as Best
This question is closed.
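
One way to confirm from a System Log export that the blocklist zone behaves as described in the thread (requests blocked before credentials are evaluated, so no more invalid-credential lockouts from outside locations). This is an added example, not part of the original posts or Okta's own code. The event types and field names (`user.session.start`, `user.account.lock`, `security.request.blocked`, `client.geographicalContext.country`) are assumptions based on the Okta System Log schema; the country names and events are constructed.

```python
from collections import Counter

ALLOWED = {"Ruritania"}  # assumption: countries sign-ins are expected from

def ev(event_type, country, result=None, reason=None):
    """Build a constructed event holding only the fields this check reads."""
    return {"eventType": event_type,
            "outcome": {"result": result, "reason": reason},
            "client": {"geographicalContext": {"country": country}}}

# Constructed samples: before and after the blocklist zone is activated.
BEFORE = [
    ev("user.session.start", "Freedonia", "FAILURE", "INVALID_CREDENTIALS"),
    ev("user.session.start", "Freedonia", "FAILURE", "INVALID_CREDENTIALS"),
    ev("user.account.lock", "Freedonia"),
    ev("user.session.start", "Ruritania", "SUCCESS"),
]
AFTER = [
    ev("security.request.blocked", "Freedonia"),
    ev("security.request.blocked", "Freedonia"),
    ev("user.session.start", "Ruritania", "FAILURE", "INVALID_CREDENTIALS"),
    ev("user.session.start", "Ruritania", "SUCCESS"),
]

def country_of(event):
    geo = (event.get("client") or {}).get("geographicalContext") or {}
    return geo.get("country") or "UNKNOWN"

def summarize(events, allowed=ALLOWED):
    """Count bad-credential failures, lockouts and zone blocks per country."""
    report = {"failed_outside": Counter(), "locks_outside": Counter(), "blocked": Counter()}
    for event in events:
        etype, country = event.get("eventType"), country_of(event)
        outcome = event.get("outcome") or {}
        if etype == "security.request.blocked":
            report["blocked"][country] += 1
        elif country in allowed:
            continue  # a typo by a legitimate user is not what the zone targets
        elif etype == "user.account.lock":
            report["locks_outside"][country] += 1
        elif (etype == "user.session.start" and outcome.get("result") == "FAILURE"
              and outcome.get("reason") == "INVALID_CREDENTIALS"):
            report["failed_outside"][country] += 1
    return report

def zone_effective(report):
    """True when outside traffic is blocked before credentials are evaluated."""
    return not report["failed_outside"] and not report["locks_outside"]
```

Events with no country are counted as outside the allowed set, so missing geolocation shows up in the report instead of being silently ignored.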