Define allowed ServiceNow internal IP addresses [Updated in Security Center 1.3 and 1.5]
Summary
This update introduces the glide.ip.authenticate.strict system property, which lets ServiceNow customers enforce stricter IP address restrictions on inbound and outbound connections to their instances. It limits access to only the essential ServiceNow internal IP ranges, reducing the scope of the IP allow list and tightening control over privileged access.
Key Features
- Strict IP Allow List: When glide.ip.authenticate.strict is set to true, a predefined, more restrictive set of ServiceNow internal IP ranges replaces the default allow list for inbound and outbound requests.
- Self-Hosted Instances: On self-hosted instances, the strict IP allow list is replaced by the contents of the glide.ip.authenticate.allow.secured.self_hosted_list property when strict mode is enabled.
- Default Behavior: If glide.ip.authenticate.strict is set to false, the instance uses the default, wider IP allow list, or the self-hosted list (glide.ip.authenticate.allow.self_hosted_list) if applicable.
- Automatic Maintenance: The glide.ip.authenticate.allow.secured property contains ServiceNow data center and secure VPN IP ranges. ServiceNow maintains it; it requires no customer configuration.
- Custom IP Allow Lists: Customers can allow additional IPs through the glide.custom.ip.authenticate.allow and glide.custom.ip.outbound.authenticate.allow system properties, or by adding entries to the IP Address Access Controls [ip_access] table.
- IP Format Support: Entries can be single IPs, hyphenated ranges, or CIDR blocks, in either IPv4 or IPv6.
- Access Control: To restrict inbound access strictly, add a deny-all entry to the [ip_access] table and then explicitly allow the specific IP addresses or ranges that are needed.
- Immutable Setting: glide.ip.authenticate.strict has no DB override: customers can set it to true or false, but cannot otherwise alter or override it.
Key Outcomes
- Enhanced Security: Enabling strict IP authentication limits connectivity to essential ServiceNow infrastructure, reducing unnecessary access by non-essential ServiceNow personnel.
- Controlled Access: Customers gain greater control over privileged access to their instances, reducing exposure to insider threats and misconfiguration.
- Minimal Functional Impact: The change should not affect normal functionality, but it may block non-essential ServiceNow personnel from reaching the instance. Access can still be granted selectively through the [ip_access] table.
- No Additional Dependencies: The setting has no prerequisites and is controlled through the glide.ip.authenticate.strict system property.
Use the glide.ip.authenticate.strict property to restrict the IP ranges from which inbound connections to an instance are accepted.
Use the glide.ip.authenticate.strict property to reduce the scope of the IP allow list of an instance and restrict the IP addresses that ServiceNow personnel can use to make inbound and outbound connections to the instance. The exact IP ranges that this property removes from the IP allow list may be adjusted over time as the ServiceNow internal network changes. When set to true, glide.ip.authenticate.strict always produces an IP allow list that is equal to or more restrictive than the default.
- When glide.ip.authenticate.strict is set to true:
- A strict list of ServiceNow IP ranges replaces the default IP allow lists for inbound and outbound requests. This IP allow list, which starts with a more restrictive predefined set of allowed IP ranges, is replaced by the property glide.ip.authenticate.allow.secured.self_hosted_list if the instance is self-hosted.
- When glide.ip.authenticate.strict is set to false:
- The default IP allow list is used which contains a wider set of ServiceNow IP ranges. The default IP allow list is replaced by the contents of glide.ip.authenticate.allow.self_hosted_list if the instance is self-hosted.
All IP list properties share the same format: a comma-separated list of IP addresses or ranges in IPv4 or IPv6 notation. A range is written with a hyphen (10.0.10.14-10.0.10.19) or in CIDR notation (10.0.10.0/24); a single entry may also be one IP address (10.0.10.5). At runtime, you can add to the IP allow list by creating entries in the IP Address Access Controls [ip_access] table. To restrict all inbound access to a defined set of IP addresses, add a deny-all entry to the [ip_access] table and then add the specific IP addresses or ranges that you want to allow.
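The list format above, and the guarantee in the earlier paragraph that the strict list is equal to or more restrictive than the default, can both be checked offline before a value is pasted into a system property. The following Python is an added example written for this page; it is not ServiceNow code, and the DEFAULT_ALLOW_LIST and STRICT_ALLOW_LIST strings are constructed samples, not the real ServiceNow-maintained ranges. It parses the comma-separated format (single IP, hyphenated range, CIDR, IPv4 or IPv6), answers whether a source address is inside a parsed list, and verifies that one list is covered by another.

```python
import ipaddress

# Constructed sample values for illustration only. The real
# glide.ip.authenticate.allow.* lists are maintained by ServiceNow and are
# not reproduced on this page.
DEFAULT_ALLOW_LIST = "10.0.10.0/24, 192.0.2.0/24, 2001:db8::/32"
STRICT_ALLOW_LIST = "10.0.10.14-10.0.10.19, 192.0.2.5"


def parse_ip_list(value):
    """Parse a comma-separated IP list in the format the properties use.

    Each entry is a single address (10.0.10.5), a hyphenated range
    (10.0.10.14-10.0.10.19) or a CIDR block (10.0.10.0/24), IPv4 or IPv6.
    Returns a list of ip_network objects. A malformed entry raises
    ValueError so that a typo never silently widens or narrows the list.
    """
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separator
        if "-" in entry:
            start_text, end_text = (part.strip() for part in entry.split("-", 1))
            start = ipaddress.ip_address(start_text)
            end = ipaddress.ip_address(end_text)
            if start.version != end.version:
                raise ValueError(f"mixed IPv4/IPv6 range: {entry}")
            if start > end:
                raise ValueError(f"range start after end: {entry}")
            # Expand the range into the minimal set of CIDR blocks covering it.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=True rejects a CIDR entry with host bits set
            # (e.g. 10.0.10.5/24). This is the validator's own choice; the
            # page does not say how the instance treats such an entry.
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def rejects(value):
    """True if parse_ip_list refuses the value (used to exercise the checks)."""
    try:
        parse_ip_list(value)
    except ValueError:
        return True
    return False


def is_allowed(address, networks):
    """True if address falls inside any network of the parsed allow list."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == net.version and addr in net for net in networks)


def _collapse_by_version(networks):
    """Merge adjacent/overlapping blocks, separately for IPv4 and IPv6."""
    merged = []
    for version in (4, 6):
        same = [net for net in networks if net.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def is_at_least_as_restrictive(candidate, baseline):
    """True if every address allowed by candidate is also allowed by baseline.

    Merging the baseline first means a candidate block that is covered by
    several smaller baseline blocks is still recognised as covered.
    """
    merged = _collapse_by_version(baseline)
    return all(
        any(net.version == base.version and net.subnet_of(base) for base in merged)
        for net in candidate
    )


if __name__ == "__main__":
    default_nets = parse_ip_list(DEFAULT_ALLOW_LIST)
    strict_nets = parse_ip_list(STRICT_ALLOW_LIST)
    print("strict blocks:", [str(n) for n in strict_nets])
    print("strict within default:", is_at_least_as_restrictive(strict_nets, default_nets))
    print("10.0.10.17 allowed by strict:", is_allowed("10.0.10.17", strict_nets))
    print("10.0.10.20 allowed by strict:", is_allowed("10.0.10.20", strict_nets))
```

Run it against a proposed custom list and the list it is meant to narrow before changing the property; a False from is_at_least_as_restrictive means the new value would admit addresses the baseline does not, which is exactly the outcome the strict setting is meant to rule out.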
More information
| Attribute | Description |
|---|---|
| Configuration name | |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | |
| Recommended value | |
| Default value | |
| Fallback value | |
| Category | Architecture, design, and threat modeling |
| Security risk | |
| Functional impact | This setting should have no functional impact. It may prevent non-essential ServiceNow personnel from accessing an instance, but these are individuals who do not generally require such access. If access is required, you can grant it on a case-by-case basis using the IP Address Access Controls [ip_access] table. |
| Dependencies and prerequisites | None |
To learn more about adding or creating a system property, see Add a system property.