Define allowed ServiceNow internal IP addresses [Updated in Security Center 1.3 and 1.5]
Summary of Define allowed ServiceNow internal IP addresses [Updated in Security Center 1.3 and 1.5]
This configuration explains how ServiceNow customers can control and restrict the IP addresses from which inbound and outbound connections to their instances are allowed. It focuses on the glide.ip.authenticate.strict system property, which enforces a stricter IP allow list than the default and thereby limits access to the essential ServiceNow internal IP ranges only.
Key Features
- glide.ip.authenticate.strict Property: When set to true, it enforces a more restrictive IP allow list than the default, replacing the broader default IP ranges with a strict set of allowed IP ranges.
- Handling Self-Hosted Instances: If the instance is self-hosted, the strict IP allow list is replaced by the ranges defined in glide.ip.authenticate.allow.secured.self_hosted_list. If strict mode is off, the default list is replaced by glide.ip.authenticate.allow.self_hosted_list instead.
- Automatic Maintenance: The property glide.ip.authenticate.allow.secured contains ServiceNow data center and secure VPN IPs used when strict mode is enabled. This list is maintained and deployed automatically by ServiceNow, requiring no customer action.
- Custom IP Allow Lists: Customers can extend the allowed IPs using the glide.custom.ip.authenticate.allow and glide.custom.ip.outbound.authenticate.allow system properties, or at runtime via the IP Address Access Controls [ip_access] table.
- IP Format Flexibility: Allowed IPs can be specified as single IPs, ranges, or CIDR notation, providing flexible configuration options.
- Enforcement: glide.ip.authenticate.strict is a boolean flagged as "no database override"; the only supported values are true and false, and the setting cannot be overridden elsewhere.
Key Outcomes
- Improved Security: Enabling strict IP authentication reduces the risk of unauthorized or unnecessary access from non-essential ServiceNow personnel (e.g., sales or support staff), enhancing control over privileged access.
- No Functional Impact: Restricting access primarily affects non-essential internal users who generally do not require instance access. Essential access can still be granted on a case-by-case basis through the IP Address Access Controls table.
- Maintained by ServiceNow: Core IP allow lists for data centers and secure VPNs are managed and updated automatically by ServiceNow, minimizing customer maintenance efforts.
- Security Risk Mitigation: This setting addresses a Medium-severity risk (CVSS 4.3) by limiting exposure to insider threats and misconfigurations.
Use the glide.ip.authenticate.strict property to specify IP ranges that can make inbound connections on an instance.
Use the glide.ip.authenticate.strict property to reduce the scope of the IP allow list of an instance and restrict the IP addresses that ServiceNow personnel can use to make inbound/outbound connections to an instance. The exact IP ranges removed from the IP allow list by this property may be adjusted over time as the ServiceNow internal network changes. When set to true, glide.ip.authenticate.strict always guarantees an IP allow list that is equal to or more restrictive than the default.
- When glide.ip.authenticate.strict is set to true:
  - A strict list of ServiceNow IP ranges replaces the default IP allow lists for inbound and outbound requests. If the instance is self-hosted, this predefined strict list is replaced by the contents of the property glide.ip.authenticate.allow.secured.self_hosted_list.
- When glide.ip.authenticate.strict is set to false:
  - The default IP allow list, which contains a wider set of ServiceNow IP ranges, is used. If the instance is self-hosted, the default list is replaced by the contents of glide.ip.authenticate.allow.self_hosted_list.
All IP list properties share the same format: a comma-separated list of entries in IPv4 or IPv6 notation. Each entry is a hyphenated range (10.0.10.14-10.0.10.19), a CIDR block (10.0.10.0/24), or a single IP address (10.0.10.5). At runtime, you can make additions to the IP allow list by adding entries to the IP Address Access Controls [ip_access] table. To restrict all inbound access to a defined set of IP addresses, add a deny-all entry to the [ip_access] table and then add the specific IP addresses or ranges that you want to allow. Confirm that the allow entries cover the addresses your own administrators connect from before relying on the deny-all entry, because a deny-all entry with no matching allow entry blocks those administrators too.
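The following Python is an added example, not ServiceNow code. It parses the property format described above (single address, hyphenated range, CIDR, IPv4 or IPv6), selects the source property according to the strict/self-hosted rules, checks a client address against the resulting list, and verifies the stated guarantee that a strict list is no wider than the default. Property names are those used on this page, except glide.ip.authenticate.allow for the non-strict default list, which is an assumption. The sample property values are constructed from documentation address ranges (RFC 5737, RFC 3849) and are not real ServiceNow data center or VPN ranges.

```python
"""Parse and check ServiceNow-style IP allow list property values (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

STRICT_FLAG = "glide.ip.authenticate.strict"
# (strict, self_hosted) -> property that holds the base allow list.
# "glide.ip.authenticate.allow" for the non-strict default is an assumed name.
LIST_PROPERTY = {
    (True, False): "glide.ip.authenticate.allow.secured",
    (True, True): "glide.ip.authenticate.allow.secured.self_hosted_list",
    (False, False): "glide.ip.authenticate.allow",
    (False, True): "glide.ip.authenticate.allow.self_hosted_list",
}
CUSTOM_PROPERTY = "glide.custom.ip.authenticate.allow"

# Constructed sample values using documentation ranges, not ServiceNow's real ranges.
SAMPLE_PROPS: Dict[str, str] = {
    STRICT_FLAG: "true",
    "glide.ip.authenticate.allow": "198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32",
    "glide.ip.authenticate.allow.secured": "198.51.100.8-198.51.100.15, 203.0.113.5, 2001:db8:1::/48",
    CUSTOM_PROPERTY: "192.0.2.10",
}


def parse_ip_list(value: str) -> List[Network]:
    """Parse a comma-separated list of single IPs, hyphen ranges and CIDR blocks.

    A hyphen range that is not CIDR-aligned expands to several networks.
    Malformed entries raise ValueError instead of being skipped, so a typo
    cannot silently change what the list allows.
    """
    networks: List[Network] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:  # hyphen range, e.g. 10.0.10.14-10.0.10.19
            start_s, end_s = (p.strip() for p in entry.split("-", 1))
            start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
            if start.version != end.version:
                raise ValueError(f"mixed IPv4/IPv6 range: {entry}")
            if start > end:
                raise ValueError(f"range start is after end: {entry}")
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:  # CIDR block (10.0.10.0/24) or single address (10.0.10.5 -> /32)
            # strict=True rejects 10.0.10.5/24 (host bits set) rather than
            # quietly widening the entry to the whole /24.
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def effective_allow_list(props: Dict[str, str], self_hosted: bool = False) -> List[Network]:
    """Pick the base list per the strict/self-hosted rules, then append custom entries."""
    strict = props.get(STRICT_FLAG, "false").strip().lower() == "true"
    networks = parse_ip_list(props.get(LIST_PROPERTY[(strict, self_hosted)], ""))
    networks.extend(parse_ip_list(props.get(CUSTOM_PROPERTY, "")))
    return networks


def is_allowed(ip: str, networks: Iterable[Network]) -> bool:
    """True if ip falls inside any listed network (an IPv4/IPv6 mismatch is False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_no_wider_than(candidate: Iterable[Network], baseline: Iterable[Network]) -> bool:
    """True if every address in candidate is also in baseline.

    Baseline blocks are collapsed per address family first, so a candidate
    block spanning two adjacent baseline blocks is still accepted.
    """
    baseline = list(baseline)
    pools = {
        4: list(ipaddress.collapse_addresses(n for n in baseline if n.version == 4)),
        6: list(ipaddress.collapse_addresses(n for n in baseline if n.version == 6)),
    }
    return all(any(net.subnet_of(b) for b in pools[net.version]) for net in candidate)


if __name__ == "__main__":
    allowed = effective_allow_list(SAMPLE_PROPS)
    for ip in ("198.51.100.12", "198.51.100.200", "192.0.2.10", "2001:db8:2::5"):
        print(f"{ip:>16} -> {'allow' if is_allowed(ip, allowed) else 'deny'}")
```

Running is_no_wider_than on the parsed strict and default properties is the check a practitioner would script before flipping the flag: it catches an operator-maintained self-hosted list that accidentally contains a block outside the default, and the custom property shows how additions can make the effective list wider than the base.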
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.ip.authenticate.strict |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean (true or false) |
| Recommended value | true |
| Default value | |
| Fallback value | |
| Category | Architecture, design, and threat modeling |
| Security risk | Medium (CVSS 4.3) |
| Functional impact | This should have no functional impact. It may restrict non-essential ServiceNow personnel from accessing an instance; however, these are individuals who do not generally require access to such instances. If access is required, you can grant it on a case-by-case basis using the IP Address Access Controls [ip_access] table. |
| Dependencies and prerequisites | None |
To learn more about adding or creating a system property, see Add a system property.