Network Zones

The Okta Network Zones API provides operations to manage Zones in your organization. There are two usage Zone types: Policy Network Zones and Blocklist Network Zones. Policy Network Zones are used to guide policy decisions. Blocklist Network Zones are used to deny access from certain IP addresses, locations, proxy types, or Autonomous System Numbers (ASNs) before policy evaluation.

A default system Policy Network Zone is provided in your Okta org. You can use the Network Zones API to modify the default Policy Network Zone or to create a custom Policy or Blocklist Network Zone. When you create your custom Zone, you can specify if the Zone is an IP Zone or a Dynamic Zone. An IP Zone allows you to define network perimeters around a set of IPs, whereas a Dynamic Zone allows you to define network perimeters around location, IP type, and ASNs.

List all Network Zones
OAuth 2.0: okta.networkZones.read

Lists all network zones with pagination. A subset of zones can be returned that match a supported filter expression or query.

This operation requires URL encoding. For example, filter=(id eq "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3") is encoded as filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29.

Okta supports filtering on the id and usage properties. See Filtering for more information on the expressions that are used in filtering.

Request
query Parameters
after
string

Specifies the pagination cursor for the next page of network zones

limit
integer <int32>
Default: -1

Specifies the number of results for a page

filter
string

Filters zones by usage or id expression

Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/zones
Request samples 
Response samples 
application/json
[
  • {
    • "asns": [
      ],
    • "created": "2019-08-24T14:15:22Z",
    • "gateways": [
      ],
    • "id": "string",
    • "lastUpdated": "2019-08-24T14:15:22Z",
    • "locations": [
      ],
    • "name": "newNetworkZone",
    • "proxies": [
      ],
    • "proxyType": "ANY",
    • "status": "ACTIVE",
    • "system": true,
    • "type": "IP",
    • "usage": "BLOCKLIST",
    • "_links": {
      }
    }
]
Create a Network Zone
OAuth 2.0: okta.networkZones.manage
Creates a new network zone.


    

  • At least one of either the gateways attribute or proxies attribute must be defined when creating a Network Zone.
    • 

  • At least one of the following attributes must be defined: proxyType, locations, or asns.
    • 



Request 
Request Body schema: application/json
asns
Array of strings  <= 75 
Format of each array value: a string representation of an ASN numeric value


 
Array of objects (NetworkZoneAddress) 
IP addresses (range or CIDR form) of this Zone.
The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone.


 
 Array 
type
string (NetworkZoneAddressType) 
 Enum: "CIDR" "RANGE"  
value
string
 
Array of objects (NetworkZoneLocation)   <= 75 
The geolocations of this Zone


 
 Array 
country
string
Format of the country value: length 2 ISO-3166-1 country code.
Do not use continent codes as they are treated as generic codes for undesignated countries.


 
region
string
Format of the region value (optional): region code ISO-3166-2 appended to country code (countryCode-regionCode), or null if empty.
Do not use continent codes as they are treated as generic codes for undesignated regions.


 
name
string
Unique name for this Zone. Maximum of 128 characters.


 
Array of objects (NetworkZoneAddress) 
IP address (range or CIDR form) that are allowed to forward a request from gateway addresses.
These proxies are automatically trusted by Threat Insights, and used to identify the client IP of a request.
The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone.


 
 Array 
type
string (NetworkZoneAddressType) 
 Enum: "CIDR" "RANGE"  
value
string
 
proxyType
string
One of: "" or null (when not specified), Any (meaning any proxy), Tor, or NotTorAnonymizer


 
status
string (NetworkZoneStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
Indicates if this is a system Network Zone. For admin-created zones, this is always false.
The system IP Policy Network Zone (LegacyIpZone) is included by default in your Okta org. Notice that system=true for the LegacyIpZone object. Admin users can modify the name of this default system Zone and can add up to 5000 gateway or proxy IP entries.


 
type
string (NetworkZoneType) 
 Enum: "DYNAMIC" "IP"  
usage
string (NetworkZoneUsage) 
 Enum: "BLOCKLIST" "POLICY"  
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/zones
Request samples 
application/json
{
  • "asns": [
    • 23457
    ],
  • "gateways": [
    • "1.2.3.4/24"
    ],
  • "locations": [
    • {
      }
    ],
  • "name": "newNetworkZone",
  • "proxies": [
    • "1.2.3.4/24"
    ],
  • "proxyType": "ANY",
  • "status": "ACTIVE",
  • "system": true,
  • "type": "IP",
  • "usage": "BLOCKLIST"
}
Response samples 
application/json
{
  • "asns": [
    • 23457
    ],
  • "created": "2019-08-24T14:15:22Z",
  • "gateways": [
    • "1.2.3.4/24"
    ],
  • "id": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "locations": [
    • {
      }
    ],
  • "name": "newNetworkZone",
  • "proxies": [
    • "1.2.3.4/24"
    ],
  • "proxyType": "ANY",
  • "status": "ACTIVE",
  • "system": true,
  • "type": "IP",
  • "usage": "BLOCKLIST",
  • "_links": {
    • "self": {
      }
    }
}
Retrieve a Network Zone
OAuth 2.0: okta.networkZones.read
Retrieves a network zone by zoneId


Request 
path Parameters
zoneId
required
string
id of the Network Zone


 
 Example:  z00lr2rLjZdNsG61P0f3
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/zones/{zoneId}
Request samples 
Response samples 
application/json
{
  • "asns": [
    • 23457
    ],
  • "created": "2019-08-24T14:15:22Z",
  • "gateways": [
    • "1.2.3.4/24"
    ],
  • "id": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "locations": [
    • {
      }
    ],
  • "name": "newNetworkZone",
  • "proxies": [
    • "1.2.3.4/24"
    ],
  • "proxyType": "ANY",
  • "status": "ACTIVE",
  • "system": true,
  • "type": "IP",
  • "usage": "BLOCKLIST",
  • "_links": {
    • "self": {
      }
    }
}
Replace a Network Zone
OAuth 2.0: okta.networkZones.manage
Replaces a network zone by zoneId. The replaced network zone type must be the same as the existing type.
You may replace the usage (POLICY, BLOCKLIST) of a network zone by updating the usage attribute.


Request 
path Parameters
zoneId
required
string
id of the Network Zone


 
 Example:  z00lr2rLjZdNsG61P0f3
Request Body schema: application/json
asns
Array of strings  <= 75 
Format of each array value: a string representation of an ASN numeric value


 
Array of objects (NetworkZoneAddress) 
IP addresses (range or CIDR form) of this Zone.
The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone.


 
 Array 
type
string (NetworkZoneAddressType) 
 Enum: "CIDR" "RANGE"  
value
string
 
Array of objects (NetworkZoneLocation)   <= 75 
The geolocations of this Zone


 
 Array 
country
string
Format of the country value: length 2 ISO-3166-1 country code.
Do not use continent codes as they are treated as generic codes for undesignated countries.


 
region
string
Format of the region value (optional): region code ISO-3166-2 appended to country code (countryCode-regionCode), or null if empty.
Do not use continent codes as they are treated as generic codes for undesignated regions.


 
name
string
Unique name for this Zone. Maximum of 128 characters.


 
Array of objects (NetworkZoneAddress) 
IP address (range or CIDR form) that are allowed to forward a request from gateway addresses.
These proxies are automatically trusted by Threat Insights, and used to identify the client IP of a request.
The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone.


 
 Array 
type
string (NetworkZoneAddressType) 
 Enum: "CIDR" "RANGE"  
value
string
 
proxyType
string
One of: "" or null (when not specified), Any (meaning any proxy), Tor, or NotTorAnonymizer


 
status
string (NetworkZoneStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
Indicates if this is a system Network Zone. For admin-created zones, this is always false.
The system IP Policy Network Zone (LegacyIpZone) is included by default in your Okta org. Notice that system=true for the LegacyIpZone object. Admin users can modify the name of this default system Zone and can add up to 5000 gateway or proxy IP entries.


 
type
string (NetworkZoneType) 
 Enum: "DYNAMIC" "IP"  
usage
string (NetworkZoneUsage) 
 Enum: "BLOCKLIST" "POLICY"  
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/zones/{zoneId}
Request samples 
application/json
{
  • "asns": [
    • 23457
    ],
  • "gateways": [
    • "1.2.3.4/24"
    ],
  • "locations": [
    • {
      }
    ],
  • "name": "newNetworkZone",
  • "proxies": [
    • "1.2.3.4/24"
    ],
  • "proxyType": "ANY",
  • "status": "ACTIVE",
  • "system": true,
  • "type": "IP",
  • "usage": "BLOCKLIST"
}
Response samples 
application/json
{
  • "asns": [
    • 23457
    ],
  • "created": "2019-08-24T14:15:22Z",
  • "gateways": [
    • "1.2.3.4/24"
    ],
  • "id": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "locations": [
    • {
      }
    ],
  • "name": "newNetworkZone",
  • "proxies": [
    • "1.2.3.4/24"
    ],
  • "proxyType": "ANY",
  • "status": "ACTIVE",
  • "system": true,
  • "type": "IP",
  • "usage": "BLOCKLIST",
  • "_links": {
    • "self": {
      }
    }
}
Delete a Network Zone
OAuth 2.0: okta.networkZones.manage
Deletes network zone by zoneId


Request 
path Parameters
zoneId
required
string
id of the Network Zone


 
 Example:  z00lr2rLjZdNsG61P0f3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/zones/{zoneId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Activate a Network Zone
OAuth 2.0: okta.networkZones.manage
Activates a network zone by zoneId


Request 
path Parameters
zoneId
required
string
id of the Network Zone


 
 Example:  z00lr2rLjZdNsG61P0f3
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/zones/{zoneId}/lifecycle/activate
Request samples 
Response samples 
application/json
{
  • "asns": [
    • 23457
    ],
  • "created": "2019-08-24T14:15:22Z",
  • "gateways": [
    • "1.2.3.4/24"
    ],
  • "id": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "locations": [
    • {
      }
    ],
  • "name": "newNetworkZone",
  • "proxies": [
    • "1.2.3.4/24"
    ],
  • "proxyType": "ANY",
  • "status": "ACTIVE",
  • "system": true,
  • "type": "IP",
  • "usage": "BLOCKLIST",
  • "_links": {
    • "self": {
      }
    }
}
Deactivate a Network Zone
OAuth 2.0: okta.networkZones.manage
Deactivates a network zone by zoneId


Request 
path Parameters
zoneId
required
string
id of the Network Zone


 
 Example:  z00lr2rLjZdNsG61P0f3
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/zones/{zoneId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{
  • "asns": [
    • 23457
    ],
  • "created": "2019-08-24T14:15:22Z",
  • "gateways": [
    • "1.2.3.4/24"
    ],
  • "id": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "locations": [
    • {
      }
    ],
  • "name": "newNetworkZone",
  • "proxies": [
    • "1.2.3.4/24"
    ],
  • "proxyType": "ANY",
  • "status": "ACTIVE",
  • "system": true,
  • "type": "IP",
  • "usage": "BLOCKLIST",
  • "_links": {
    • "self": {
      }
    }
}