Configure IP allow lists using Splunk Web

IP allow lists control which IP addresses on your network have access to specified features in your Splunk Cloud Platform deployment. You can use the IP allow list management page in Splunk Web to add IP subnets to allow lists and manage access to Splunk Cloud Platform features in a self-service manner without assistance from Splunk Support.

You can also manage access to Splunk Cloud Platform features programmatically using the Admin Config Service (ACS) API. For more information, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.

Requirements

To configure IP allow lists using Splunk Web, you must:

• Have Splunk Cloud Platform version 8.2.2201 or higher.
• Hold a role that has the edit_ip_allow_list capability, including inherited roles. The sc_admin role has this capability by default.
• Enable token authentication. See Enable or disable token authentication.
• SAML users must enable a scripted authentication extension. See: Configure authentication extensions to interface with your SAML IdP.
• Enable automatic UI updates. See Enable automatic UI updates.

IP allow list management is not currently supported on AWS GovCloud or FedRAMP environments.

Enable automatic UI updates

Before you can access the IP allow list management page in Splunk Web, you must enable automatic UI updates for your deployment. After you enable automatic UI updates, you can access the IP allow list management page in Splunk Web under Settings > Server settings. For more information, see Enable automatic UI updates.

Determine IP allow list use case

Splunk Cloud Platform supports several common IP allow list use cases. In each case, the IP allow list controls access to a particular Splunk Cloud Platform feature, for example Search head API access, HEC access for ingestion, and so on.

IP allow list management supports the following IP allow list use cases:

Add or remove subnets from IP allow lists

The IP allow list management page let you add or remove subnets from IP allow lists for specified Splunk Cloud Platform features. You can add or remove one or more IP subnets for multiple different features in a single page update. You must click save for any changes that you make to the page to propagate through the system.

Add subnets to IP allow lists

To add a subnet to an IP allow list:

1. In Splunk Web, click Settings > Server settings > IP allow list.
2. If token authentication is already enabled, skip this step. If token authentication is not enabled, click Go to tokens page and enable token authentication. Once token authentication is enabled, return to the IP allow list management page and refresh the page.
3. Select the tab of the feature to which you wish to grant access. For example, click the "Search head UI access" tab to grant access to the search head UI.
4. Click Add IP subnet.
5. Enter the subnet using CIDR notation. For example 192.0.0.0/24
6. Optionally, click Add IP subnet to add more subnets.
7. Click Save.
   This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.

Remove subnets from IP allow lists

To delete a subnet from an IP allow list:

1. Select the tab for the feature from which you wish to revoke access.
2. Click X to delete the existing subnet.
3. Click Save.
   This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.

You cannot delete the final IP subnet on the allow list for a feature. This is a safety measure that prevents inadvertently revoking all access to a feature. To delete the final subnet on an IP allow list, you must contact Splunk Support.

Changes can take up to 15 mins or more to propagate through the system.