Location Filter

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Location filter criteria can be used as filter input for users based on the user location.

    Location filter is a filter criteria that the admins can use while crafting the authentication policies based on the physical location of the device.

    Note:
    • Location filter is available with Zero Trust Access feature. For more information, see Zero Trust Access (ZTA).
    • The instance should be on ADCv2. If the instance isn’t on ADCv2, then user location information won’t be available.

    The location filter criteria enable you to perform the following:

    • Act as policy input act for policy conditions to verify and meet the requirements for authentication.
    • Provide an ability to create adaptive authentication policies based on the country.
    • Allow or not allow instance access to a given geography.
    • Use the geo location-based pre-authentication or post authentication policy to:
      • Prevent access from sanctioned countries, outside of a tight privacy-controlled region, company discretion.
      • Allow access to areas only within applicable privacy region and company discretion.
      • Configure country-based allow list for authentication.

    Use cases

    Following are some of the use case for using location filter criteria for Adaptive Authentication:

    • Block access to the instance from a country.
    • Allow access to the instance only from a particular country.
    • Enforce step-up authentication or MFA to log in based on country.
    • Reduce or limit roles for the user based on the country.
    • Location Filter criteria can be used for MFA, Zero Trust Access (ZTA), Pre-authenication context, and Post authentication context.

    Location Identification

    The location services for identifying the location of the user are provided by a third-party service - MaxMind.

    The location of the user is identified through the VPN, from the x-forwarded-for header. In case if there’s no header populated by the service, then only the VPN IP (location) is displayed as the user location.

    Note:
    If there are incorrect locations displayed after the location filter configuration, see the KB article to troubleshoot.