Setup zones to secure your network
Contents
- Define Autonomous System Figures (ASNs) for any Dynamic Zone
- Define IP Types for any Dynamic Zone
- Delete a Network Zone
- Blacklist a Network Zone
- Define a Network Zone for IWA
- Produce a Proxy IP Report
- Edit a Legacy Network Zone
- Add IPs to some Network Zone in the System Log
- Delete a Network Zone
- Blacklist a Network Zone
- Define a Network Zone for IWA
- Produce a Proxy IP Report
- Edit a Legacy Network Zone
- Add IPs to some Network Zone in the System Log
- Give a Network Zone to Sign-On Policies
- Zak Downtown – Zones (Lyrics)
Define Autonomous System Figures (ASNs) for any Dynamic Zone
It is really an Early AccessEarly Access (EA) features are opt-in features that you could check out inside your org by asking Okta Support to allow them. Furthermore, the characteristics page within the Okta Admin Console (Settings > Features) enables Super Admins to allow and disable some EA features themselves. feature. To allow it, please contact Okta Support.
ASN (Autonomous System Figures) are utilized to distinctively identify each network on the web. Isps can use to acquire one or multiple ASNs allotted to them. While an ISP name can alter, their assigned ASN is reserved and immutable.
This selection adds support for ASNs for Dynamic Zone configuration, which could included in sign up and MFA policies, applicationAn abbreviation of application. Basically, it’s a web-based site accustomed to perform a variety of specific tasks, and needs authentication from finish users by logging into websites. sign up policies, Virtual private network settings, and IWA.
The admin dashboard syslog specifies any IP addresses which have been recognized as suspicious. These IPs could be joined around the public ASN lookup to recognize their corresponding ASN. When configuring rules for Dynamic Zones, you are able to specify an ASN to become blacklisted. Because the ASN represents a whole network of IP addresses, blacklisting an ASN is a great alternative in lessening overhead in comparison with indicating a summary of mulitple IP addresses.
User Role | User Impact |
Okta Admin | Can also add one or multiple ASNs when designing or editing an engaged zone in their sign up policy. |
Finish User | According to sign up policies, users might be denied login, motivated for MFA, or get a 403 error in case the ASN connected using their ISP is considered suspicious. |
To include an ASN to some Dynamic Zone:
- Navigate to Security > Systems.
-
Produce a new Dynamic Zone or edit a current one.
-
Navigate to ISP ASNs.
-
Make use of the ASN Lookup tool to retrieve the ASN.
- Go into the ASN to incorporate included in the dynamic zone.
- To blacklist ASNs, check Blacklist access from IPs matching conditions indexed by this zone.
-
Click Save in order to save your changes.
- Verify the Dynamic Zone is connected using the sign up policy of your liking.
Define IP Types for any Dynamic Zone
The IP Type setting checks and determines if your client utilizes a proxy and the kind of proxy if your are identified.
The next settings are for sale to define an IP type for any Dynamic Zone:
- Any: Ignores all proxy types. If selected, a minumum of one from the following should be defined: Locations, ISP ASNs
- Any proxy: Views clients which use a Tor anonymizer proxy or perhaps a non-Tor anonymizer proxy type.
- Tor anonymizer proxy: Views clients which use a Tor anonymizer proxy.
- Not Tor anonymizer proxy: Views clients which use non-Tor proxy types.
Delete a Network Zone
When an IP or Location Zone is deleted, all rules which use the deleted zone may take a hit.
- When the zone to delete may be the only focus any rule, you can’t delete the zone and get an error message. Edit the rule to utilize a different zone then carry out the deletion again.
- When the zone to delete isn’t the only focus any rule you are able to delete the zone. The zone is taken away all the guidelines where it’s specified.
Blacklist a Network Zone
Both IP Zones and Dynamic Zones can blacklisted. If your zone is blacklisted, clients from blacklisted zones cannot access any URL for that org and demands are instantly blocked just before any kind of policy evaluation.
To blacklist a network zone:
- In the admin console, navigate to Security > Systems.
- Within the listing of existing zones, click Edit for that zone you want to change.
- To blacklist the zone, select Blacklist access from IPs matching conditions within this zone.
- Click Save to carry on.
Note: Two network zones are produced automatically once the Multiple Network Zones feature is enabled. One of these can be used as blacklisting IPs.
Define a Network Zone for IWA
When looking for IWA logins, Okta checks the login comes from the configured zones. You are able to edit the configuration and select any preferred zones, or choose All Zones while you do in policies.
When an IWA agentAn application representative is a light-weight program that runs like a service outdoors of Okta. It is normally installed behind a firewall and enables Okta to tunnel communication between an on-premises service and Okta’s cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For instance, users can install multiple Active Directory agents to make sure that the combination is robust and highly available across geographic locations. is configured, the Ip from the client is put into the LegacyIPZone. The LegacyIPZone may be the only zone configured automatically, as observed in the next screenshot:
Note: You are able to define as much as 20 network zones in IWA network zones.
Produce a Proxy IP Report
A study of proxy IP addresses could be generated that will help you identify which proxies could be configured in IP zones. This post is utilized by Okta to properly find out the client IP in which the request originated. The proxy report lists all proxy IP addresses which have been used to connect with your Okta org, including proxies that might or might not be reliable.
Note: Because of the possibility that some proxy IP addresses might be malicious, make sure that any IP you set like a reliable proxy is reliable.
To acquire a list out of your dashboard, navigate to Reports > Proxies. To learn more, make reference to Reports.
Edit a Legacy Network Zone
For those who have already defined Public Gateway IP Addresses, the details are migrated to some zone named LegacyIpZone. You can’t delete this zone, however, you can edit it.
For existing rules, LegacyIpZone maintains the prior settings. This zone continues to be active and could be utilized in new assignments.
Note: You are able to define no more than 5000 legacy network zones.
Add IPs to some Network Zone in the System Log
Define Autonomous System Figures (ASNs) for any Dynamic Zone
It is really an Early AccessEarly Access (EA) features are opt-in features that you could check out inside your org by asking Okta Support to allow them. Furthermore, the characteristics page within the Okta Admin Console (Settings > Features) enables Super Admins to allow and disable some EA features themselves. feature. To allow it, please contact Okta Support.
ASN (Autonomous System Figures) are utilized to distinctively identify each network on the web. Isps can use to acquire one or multiple ASNs allotted to them. While an ISP name can alter, their assigned ASN is reserved and immutable.
This selection adds support for ASNs for Dynamic Zone configuration, which could included in sign up and MFA policies, applicationAn abbreviation of application. Basically, it’s a web-based site accustomed to perform a variety of specific tasks, and needs authentication from finish users by logging into websites. sign up policies, Virtual private network settings, and IWA.
The admin dashboard syslog specifies any IP addresses which have been recognized as suspicious. These IPs could be joined around the public ASN lookup to recognize their corresponding ASN. When configuring rules for Dynamic Zones, you are able to specify an ASN to become blacklisted. Because the ASN represents a whole network of IP addresses, blacklisting an ASN is a great alternative in lessening overhead in comparison with indicating a summary of mulitple IP addresses.
User Role | User Impact |
Okta Admin | Can also add one or multiple ASNs when designing or editing an engaged zone in their sign up policy. |
Finish User | According to sign up policies, users might be denied login, motivated for MFA, or get a 403 error in case the ASN connected using their ISP is considered suspicious. |
To include an ASN to some Dynamic Zone:
- Navigate to Security > Systems.
-
Produce a new Dynamic Zone or edit a current one.
-
Navigate to ISP ASNs.
-
Make use of the ASN Lookup tool to retrieve the ASN.
- Go into the ASN to incorporate included in the dynamic zone.
- To blacklist ASNs, check Blacklist access from IPs matching conditions indexed by this zone.
-
Click Save in order to save your changes.
- Verify the Dynamic Zone is connected using the sign up policy of your liking.
Define IP Types for any Dynamic Zone
The IP Type setting checks and determines if your client utilizes a proxy and the kind of proxy if your are identified.
The next settings are for sale to define an IP type for any Dynamic Zone:
- Any: Ignores all proxy types. If selected, a minumum of one from the following should be defined: Locations, ISP ASNs
- Any proxy: Views clients which use a Tor anonymizer proxy or perhaps a non-Tor anonymizer proxy type.
- Tor anonymizer proxy: Views clients which use a Tor anonymizer proxy.
- Not Tor anonymizer proxy: Views clients which use non-Tor proxy types.
Delete a Network Zone
When an IP or Location Zone is deleted, all rules which use the deleted zone may take a hit.
- When the zone to delete may be the only focus any rule, you can’t delete the zone and get an error message. Edit the rule to utilize a different zone then carry out the deletion again.
- When the zone to delete isn’t the only focus any rule you are able to delete the zone. The zone is taken away all the guidelines where it’s specified.
Blacklist a Network Zone
Both IP Zones and Dynamic Zones can blacklisted. If your zone is blacklisted, clients from blacklisted zones cannot access any URL for that org and demands are instantly blocked just before any kind of policy evaluation.
To blacklist a network zone:
- In the admin console, navigate to Security > Systems.
- Within the listing of existing zones, click Edit for that zone you want to change.
- To blacklist the zone, select Blacklist access from IPs matching conditions within this zone.
- Click Save to carry on.
Note: Two network zones are produced automatically once the Multiple Network Zones feature is enabled. One of these can be used as blacklisting IPs.
Define a Network Zone for IWA
When looking for IWA logins, Okta checks the login comes from the configured zones. You are able to edit the configuration and select any preferred zones, or choose All Zones while you do in policies.
When an IWA agentAn application representative is a light-weight program that runs like a service outdoors of Okta. It is normally installed behind a firewall and enables Okta to tunnel communication between an on-premises service and Okta’s cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For instance, users can install multiple Active Directory agents to make sure that the combination is robust and highly available across geographic locations. is configured, the Ip from the client is put into the LegacyIPZone. The LegacyIPZone may be the only zone configured automatically, as observed in the next screenshot:
Note: You are able to define as much as 20 network zones in IWA network zones.
Produce a Proxy IP Report
A study of proxy IP addresses could be generated that will help you identify which proxies could be configured in IP zones. This post is utilized by Okta to properly find out the client IP in which the request originated. The proxy report lists all proxy IP addresses which have been used to connect with your Okta org, including proxies that might or might not be reliable.
Note: Because of the possibility that some proxy IP addresses might be malicious, make sure that any IP you set like a reliable proxy is reliable.
To acquire a list out of your dashboard, navigate to Reports > Proxies. To learn more, make reference to Reports.
Edit a Legacy Network Zone
For those who have already defined Public Gateway IP Addresses, the details are migrated to some zone named LegacyIpZone. You can’t delete this zone, however, you can edit it.
For existing rules, LegacyIpZone maintains the prior settings. This zone continues to be active and could be utilized in new assignments.
Note: You are able to define no more than 5000 legacy network zones.
Add IPs to some Network Zone in the System Log
You’ll be able to add an Ip that seems inside a System Log event for an existing Network Zone. This protects you time, eliminating the necessity to copy the Ip and visit the Network menu. You’ll want Super or Org admin permissions to get this done.
To include an Ip to some network zone while viewing the machine Log:
- Locate the big event and Ip within the System Log.
- Click the More icon ( ) and Increase zone.
- Within the Increase IP zone dialog fill the next:
- Increase zone — Decide which network zone to include the Ip to.
- IP type — Pick from Proxy or Gateway.
- Click Save.
Give a Network Zone to Sign-On Policies
Navigate to Security > Authentication to entering rules for sign-on policies with different specified network zone.
If your User is situated: Select among the following: Anywhere, In zone, or Not in zone.
Should you check All Zones, all your defined zones are selected, and also the box below it’s no longer visible.
If you don’t check All Zones, type a zone name within the Zones box. A dropdown list seems which contains all existing zones which contain the written text you joined any place in the zone name.
Choose a variety of zones. The next example shows searching for those zones which contain the letter t. Within this situation, just one zone is located. You must still select it to really make it active.
Top
Resourse: https://help.okta.com/en/prod/Content/Topics/Security/