Reduce the Scope of the IP Allow List for an Instance

  • Release version: Australia
  • Updated May 15, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Reduce the Scope of the IP Allow List for an Instance

    This feature enables ServiceNow customers to restrict and harden the IP allow list for their instance by configuring theglide.ip.authenticate.strictsystem property. When enabled, this property narrows the set of IP addresses that can make inbound and outbound connections to the instance, ensuring tighter security controls over who can access the environment.

    Show full answer Show less

    Key Features

    • Strict IP Allow List: Setting glide.ip.authenticate.strict to true replaces the default IP allow list with a more restrictive set of ServiceNow IP ranges, reducing exposure to broader access.
    • Self-Hosted Instances: For self-hosted instances, a separate property (glide.ip.authenticate.allow.secured.selfhostedlist) governs the allowed IP ranges when strict mode is enabled.
    • Automatic Maintenance: The property glide.ip.authenticate.allow.secured, which contains ServiceNow data center and secure VPN IP ranges, is automatically maintained by ServiceNow and cannot be modified by customers.
    • Custom IP Addresses: Customers can define additional IP addresses or ranges via glide.custom.ip.authenticate.allow and glide.custom.ip.outbound.authenticate.allow properties, and dynamically manage access through the IP Address Access Controls [ipaccess] table.
    • IP Address Formats Supported: IP ranges can be specified as single IPs, hyphenated ranges, or CIDR notations, supporting both IPv4 and IPv6 formats.
    • Deny-All Approach: To restrict inbound access strictly, customers can add a deny-all entry in the [ipaccess] table and explicitly allow only certain IP addresses or ranges.
    • Immutable Setting: The glide.ip.authenticate.strict property is a no DB override, meaning it cannot be altered or overridden by customers once set.

    Key Outcomes

    • Enhanced Security: Enforcing a strict IP allow list limits access to essential infrastructure, reducing risks from unauthorized internal or external access.
    • Reduced Insider Threats: Restricting IP addresses prevents unnecessary access by non-essential ServiceNow personnel such as support or sales staff.
    • Minimal Functional Impact: This setting should not affect typical instance functionality but may restrict some ServiceNow internal access, which can be granted individually as needed.
    • Controlled Access Management: Customers retain the ability to manage specific IP access exceptions via the [ipaccess] table, facilitating flexible, case-by-case access control.

    Practical Considerations

    • No dependencies or prerequisites are needed to enable this property.
    • Customers only need to set glide.ip.authenticate.strict to true to activate the stricter allow list.
    • Automatic updates to the ServiceNow IP ranges used in strict mode are handled by ServiceNow, requiring no customer intervention.

    Use the glide.ip.authenticate.strict property to specify IP ranges that can make inbound connections on an instance.

    Use the glide.ip.authenticate.strict property to reduce the scope of the IP allow list of an instance and restrict the IP addresses that ServiceNow personnel can use to make inbound/outbound connections to an instance. The exact IP ranges removed from the IP allow list by this property may be adjusted over time as the ServiceNow internal network changes. When set to true, glide.ip.authenticate.strict always guarantees an IP allow list that is equal to or more restrictive than the default.

    When glide.ip.authenticate.strict is set to true:
    A strict list of ServiceNow IP ranges replaces the default IP allow lists for inbound and outbound requests. This IP allow list, which starts with a more restrictive predefined set of allowed IP ranges, is replaced by the property glide.ip.authenticate.allow.secured.self_hosted_list if the instance is self-hosted.
    When glide.ip.authenticate.strict is set to false:
    The default IP allow list is used which contains a wider set of ServiceNow IP ranges. The default IP allow list is replaced by the contents of glide.ip.authenticate.allow.self_hosted_list if the instance is self-hosted.
    Note:
    The glide.ip.authenticate.allow.secured property contains the ServiceNow data center and secure VPN IP ranges used when glide.ip.authenticate.strict is set to true. This property is maintained and deployed automatically by ServiceNow. Customers do not need to configure it. The only customer action required by this hardening setting is to set glide.ip.authenticate.strict to true.
    Note:
    Regardless of the value of glide.ip.authenticate.strict or if the instance is self-hosted, the allow list includes IP addresses in the glide.custom.ip.authenticate.allow and glide.custom.ip.outbound.authenticate.allow system properties, if defined.

    All IP list properties share the same format, which is a comma separated range of IP addresses in IPv4 or IPv6 format. IP ranges are specified using a hyphen (10.0.10.14-10.0.10.19), using CIDR notation (10.0.10.0/24), or consist of a single IP address (10.0.10.5). At runtime, you can make additions to the IP allow list by adding entries to the IP Address Access Controls [ip_access] table. To restrict all inbound access to a defined set of IP addresses, add a deny-all entry to the [ip_access] table and then add the specific IP addresses or ranges that you want to allow.

    Warning:
    The value for this property is a no DB override. It can't be altered or overridden.

    More information

    Attribute Description
    Configuration name
    • glide.ip.authenticate.strict
    • glide.ip.authenticate.allow.secured
    Configuration type System Properties (/sys_properties_list.do)
    Data type
    • Boolean
    • String
    Recommended value
    • true
    • Managed by ServiceNow. Contains ServiceNow data center and secure VPN IP ranges. This value is deployed automatically and cannot be modified by customers.
    Default value
    • false
    • <empty>
    Fallback value
    • false
    • <empty>
    Category Architecture, design, and threat modeling
    Security risk
    • Severity score: 4.3
    • CVSS score: Medium
    • Security Risk Details: Broader access increases the risk of unauthorized or unnecessary access to the instance by non-essential internal users, such as support or sales staff, and reduces control over privileged access. Enforcing strict IP authentication limits connectivity to essential infrastructure, strengthening security and reducing exposure to insider threats or misconfiguration.
    Functional impact This should have no functional impact. It may restrict non-essential ServiceNow personal from accessing an instance. However, these are individuals that do not generally require access to such instances. If access is required, you can grant it on a case by case basis using the IP Address Access Controls [ip_access] table.
    Dependencies and prerequisites None

    To learn more about adding or creating a system property, see Add a system property.