Okta must be configured with Network Zones defined to block anonymized proxies according to organizationally defined policy.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-279692	SRG-APP-000039	OKTA-APP-003243	SV-279692r1155075_rule	2025-11-19	1

Description
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. Working with the organizational CSSP, the ISSM should obtain a list of known anonymizer proxies that exist on the commercial internet. If this is not available from the CSSP, then the Okta-provided "Enhanced dynamic zone blocklist" should be activated.

Description

A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. Working with the organizational CSSP, the ISSM should obtain a list of known anonymizer proxies that exist on the commercial internet. If this is not available from the CSSP, then the Okta-provided "Enhanced dynamic zone blocklist" should be activated.

ℹ️ Check
From the Admin Console: 1. Select the "Security" menu, and then click the "Networks' item. 2. If the CSSP has provided a list of anonymizers to block, verify the "IP Block list" is configured with them. a. Click the pencil icon next to IP Block list. b. Verify the "Gateway IPs" section contains all of the IP ranges in the provided list. 3. If the CSSP is not able to provide a list, then implement the Okta managed list. a. Verify the "Enhanced dynamic zone blocklist" is set to "Active". If Network Zones are not configured to block anonymous proxies, this is a finding.

ℹ️ Check

From the Admin Console: 1. Select the "Security" menu, and then click the "Networks' item. 2. If the CSSP has provided a list of anonymizers to block, verify the "IP Block list" is configured with them. a. Click the pencil icon next to IP Block list. b. Verify the "Gateway IPs" section contains all of the IP ranges in the provided list. 3. If the CSSP is not able to provide a list, then implement the Okta managed list. a. Verify the "Enhanced dynamic zone blocklist" is set to "Active". If Network Zones are not configured to block anonymous proxies, this is a finding.

✔️ Fix
From the Admin Console: 1. Select the "Security" menu, and then click the "Networks" item. 2. If the CSSP has provided a list of anonymizers to block, add the IP ranges to the "IP Block list". a. Click the pencil icon next to IP Block list. b. Add the IP ranges to the "Gateway IPs" section and click "Save". 3. If the CSSP is not able to provide a list, then implement the Okta managed list. a. Set the "Enhanced dynamic zone blocklist" to "Active".

✔️ Fix

From the Admin Console: 1. Select the "Security" menu, and then click the "Networks" item. 2. If the CSSP has provided a list of anonymizers to block, add the IP ranges to the "IP Block list". a. Click the pencil icon next to IP Block list. b. Add the IP ranges to the "Gateway IPs" section and click "Save". 3. If the CSSP is not able to provide a list, then implement the Okta managed list. a. Set the "Enhanced dynamic zone blocklist" to "Active".