IP Range Based Authentication

Using IP range based authentication, you can control access by IP address and block access to a specific address or range of addresses that you suspect belong to malicious individuals

More detail from the ServiceNow Documentation

Often companies use IP Range Based Authentication to restrict access to ServiceNow to only within their internal network. Although this is a powerful security restriction, it does limit the functionality of ServiceNow. Mobile usage and remote usage won’t be possible unless users login into your network via VPN.

IP Range Based Authentication or “IP Address Access Control” is installed by default on new ServiceNow instances using New York.

This article documents a process to setup IP Range based authentication to your ServiceNow instance.

STEP 1: GATHER Allowed IP ranges

Gather a list of ip addresses to allow on your ServiceNow instance. By default IP Address Access Control is empty, meaning that there are no restrictions on access to your instance.

Personal External IP Address

First thing I do is find my own external ip address, and use that as first to allow.

  1. Open internet browser

  2. Go to

  3. Google what is my ip address

  4. Result is displayed

Please note that the system won't let you lock yourself out, so if you try to add a rule such that your current address would be locked out, the system warns you and refuses your insert.

Company IP Range

Ask your network admin what range of ip addresses your company uses.

Vendor IP Range

Also consider is any integrations used outside of your company. You may have to look at the Transaction Log to see what IP address the integration is using. You may have to also contact the outside vendor for this IP Address range. This isn’t always so easy if the vendor doesn’t exactly know what IP range they have.

Contractor IP Range

If you have contractors that work at home without an vpn, you’ll want to add their IP addresses or get them on the vpn.

ServiceNow Instances

Look up all the ServiceNow instances used at your organization and their IP address. To ensure that IP Address Access Control does not cause update sets to fail, add the target instance as an exception on the source instance.

Viewing IP and datacenter information HI Service Portal

  1. Navigate to

  2. Click Service Catalog

  3. Search for Instance Management

  4. click on My IP Information

STEP 2: Allow IP Addresses

Using the IP Addresses you gathered in Step 1, add them to the ServiceNow allow ranges

Allow IP Address

  1. Login as an admin

  2. Navigate to System Security > IP Address Access Control to see a list of your IP access controls.

  3. Click New

    Type: Allow

    Range Start: (Example)

    Range End: (Example)

  4. Click Submit

  5. Repeat for the ranges needed.

STEP 3: Deny All

After you have entered all the allowed ip addresses, block all others not listed.

Allow rules always supersede deny rules. So if an address is both allowed (by one rule) and denied (by a second rule) it is, in fact, allowed.

Deny all

  1. Login as an admin

  2. Navigate to System Security > IP Address Access Control to see a list of your IP access controls.
    Type: Deny
    Range Start:
    Range End:

  3. Click Submit

Note that you can deactivate the Deny All entry if troubleshooting a 403 error.

STEP 4: Find denied IP Addresses

A user whose access is restricted based on an access rule gets a 403 error on their browser.

You may have missed some allowed IP addresses in step 2. Checking in the node log allows you to see any ip addresses that are receiving the 403 error.

How to check the Node Log

  1. Login as an admin

  2. Navigate to System Logs > Utilities > Node Log File Browser..

  3. Browse the logs by criteria, such as time period and message.

  4. You can also download log files when you know which log you are looking for, by navigating to System Logs > Utilities > Node Log File Download.

    Log entries for blocked IP address appear as follows:

    2015-10-21 18:37:43 (175) http-30 WARNING *** WARNING *** Security restricted: Access restricted ( not authorized)

  5. Follow the steps listed in Step 2 to add allowed ip addresses as needed.