Define allowed ServiceNow internal IP addresses [Updated in Security Center 1.3 and 1.5]
Use the glide.ip.authenticate.strict property to specify IP ranges that can make inbound connections on an instance.
If glide.ip.authenticate.strict is set to true, then internal ServiceNow personnel and systems can only make inbound connections to the instance from essential IP ranges. This limits ServiceNow's visibility into the instance to essential internal infrastructure, and prevents access by broader ServiceNow personnel such as support and sales staff via corporate networks.
When set to true, the glide.ip.authenticate.allow property is used to grant internal ServiceNow inbound connections. If not set to true, then a broader ServiceNow internal IP range as defined in glide.ip.authenticate.allow is used to grant internal ServiceNow inbound connections.
Ensure the property glide.ip.authenticate.allow.secured contains only trusted values and that the property glide.ip.authenticate.strict is set to true.
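The check above can be automated. The following is an added example, not ServiceNow code: it assumes the two property values have already been exported from sys_properties into a dict, that glide.ip.authenticate.allow.secured holds a comma-separated list of single addresses, CIDR blocks or start-end ranges (an assumed value format), and that you maintain your own list of approved ranges.

```python
import ipaddress

STRICT = "glide.ip.authenticate.strict"
SECURED = "glide.ip.authenticate.allow.secured"

def parse_entry(entry):
    """Return (first, last) address for 'a.b.c.d', 'a.b.c.d/nn' or 'start-end'."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return lo, hi
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]

def audit(props, trusted):
    """props: property name -> value; trusted: ranges you have approved."""
    findings = []
    if props.get(STRICT, "").strip().lower() != "true":
        findings.append(f"{STRICT} is not set to true")
    approved = [parse_entry(t) for t in trusted]
    secured = props.get(SECURED, "")
    for entry in filter(None, (e.strip() for e in secured.split(","))):
        try:
            lo, hi = parse_entry(entry)
        except ValueError as exc:
            findings.append(f"{SECURED}: unparseable entry {entry!r} ({exc})")
            continue
        # An entry passes only if it lies entirely inside one approved range.
        if not any(a.version == lo.version and a <= lo and hi <= b for a, b in approved):
            findings.append(f"{SECURED}: {entry} is outside the approved ranges")
    return findings

# Constructed sample values (RFC 5737 documentation ranges), not real ServiceNow ranges.
SAMPLE_PROPS = {
    STRICT: "false",
    SECURED: "192.0.2.0/25, 198.51.100.10-198.51.100.20, 203.0.113.7, not-an-ip",
}
SAMPLE_TRUSTED = ["192.0.2.0/24", "198.51.100.0-198.51.100.15"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPS, SAMPLE_TRUSTED):
        print("FINDING:", finding)
```
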
More information
| Attribute | Description |
|---|---|
| Property name | glide.ip.authenticate.strict |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Architecture, design, and threat modeling |
| Purpose | Allows ServiceNow employees to access the instance only through a secured set of IP ranges |
| Recommended value | true |
| Security risk rating | 4.3 |
| Functional impact | (Low) If this property is not enabled, ServiceNow employees can access the customer's instance through all the IP ranges. Enabling the property restricts access to a secure set of IP ranges (Secure VPN, DC). Note: If you set this property to true, the ServiceNow AI Platform uses a more restrictive glide.ip.authenticate.allow.secured property instead of the Performance Monitoring IP restriction (glide.ip.authenticate.allow.secured) property for a set of IP ranges that can access the instance. |
| Security risk | (Low) Unnecessary exposure of instance access to a wider group of people. |
| Reference | IP range based authentication |