Define allowed ServiceNow internal IP addresses [Updated in Security Center 1.3 and 1.5]

Use the glide.ip.authenticate.strict property to specify IP ranges that can make inbound connections on an instance.

Prevent unnecessary exposure of instance access to wider group of people using the glide.ip.authenticate.strict and glide.ip.authenticate.allow.secured system properties.

When the glide.ip.authenticate.strict system property is set to true, internal ServiceNow personnel and systems can only make inbound connections to your instance from essential IP ranges. This limits ServiceNow's visibility to essential internal infrastructure on your instance, and prevents access by broader ServiceNow personnel such as support and sales staff via corporate networks. The glide.ip.authenticate.allow.secured system property grants internal ServiceNow inbound connections, including regular authenticated access and unauthenticated diagnostic pages.

If not set to true, then a broader ServiceNow internal IP range defined in the glide.ip.authenticate.allow property is used to grant these internal ServiceNow inbound connections.

Ensure the glide.ip.authenticate.allow.secured system property contains only trusted values and that the property glide.ip.authenticate.strict is set to true.

Warning: The value for this property is a no DB override. It can't be altered or overridden.

More information

AttributeDescription
Property name glide.ip.authenticate.strict
Configuration type System Properties (/sys_properties_list.do)
Category Architecture, design, and threat modeling
Purpose Allows ServiceNow employees to access the instance only through secured set of IP ranges
Recommended value true
Security risk rating 4.3
Functional impact

(Low) If this property is not enabled, ServiceNow employees can access the customer's instance through all the IP ranges. Enabling the property restricts access to a secure set of IP ranges (Secure VPN, DC).

Note: If you set this property to true, the ServiceNow AI Platform uses a more restrictive glide.ip.authenticate.allow.secured property instead of the Performance Monitoring IP restriction (glide.ip.authenticate.allow.secured) property for a set of IP ranges that can access the instance.
Security risk (Low) Unnecessary exposure of instance access to wider group of people.
Reference IP range based authentication
Note: A deny all rule is needed to be added into IP access control to restrict access from any IP's not added into IP access control. All required allowed IP's are then needed to be added into IP access control.