
11-13-2019 08:20 AM
Our Chief Security Officer has asked if ServiceNow has a way to ensure that API calls are only received from designated IP addresses.
As a use case, we would like to only allow servers within our local network to be able to make API calls to our ServiceNow instances.
While I know this can be accomplished if we set our whole instance to only allow access to reserved IPs, that's not an option for us. We can't do this for the entire instance because we have other use cases that need access from outside the local network, such as mobile and telecommuting.
Has anyone found a way to limit API calls from certain IP addresses?
Labels: Integrations

11-19-2019 09:11 PM
You will have loads of issues if you try this.
Many parts of SN now use REST calls from the browser to get data from authenticated users.
Many integrations you likely have may call ServiceNow directly and not via a MID Server, where you'd need to maintain the list of these IPs as well.
If you really want to lock down access to specific IP ranges, there is this:
However, it sounds more like you want to deny specific API calls and not all sessions. Rate Limit Rules sounds more like what you want, but that's by named user, users with named roles, or all users. Not IP addresses.


11-22-2019 07:41 AM
Thank you for the great feedback. You are correct that we don't want to limit IP addresses, since this would have to be done for the entire instance, and that would limit our users' experience outside our local network. I do like the idea of Rate Limits, which would help with DoS attacks from a compromised account.