Configure IP allow lists using Splunk Web
IP allow lists control which IP addresses on your network have access to specified features in your Splunk Cloud Platform deployment. You can use the IP allow list management page in Splunk Web to add IP subnets to allow lists and manage access to Splunk Cloud Platform features in a self-service manner without assistance from Splunk Support.
Alternatively, you can configure IP allow lists programmatically using the Admin Config Service (ACS) API. For more information, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.
Requirements
To configure IP allow lists using Splunk Web, you must:
- Have Splunk Cloud Platform version 8.2.2201 or higher.
- Hold a role that has the
edit_ip_allow_list
capability, including inherited roles. Thesc_admin
role has this capability by default. - Enable token authentication. See Enable or disable token authentication.
SAML users must enable a scripted authentication extension for proper authentication of IP allow list operations in Splunk Web. For more information, see Configure authentication tokens to interface with your SAML IdP.
The Splunk Web UI supports configuring IP allow lists on the primary search head (sh1) or search head cluster (shc1) only. It does not support configuring IP allow lists on additional search heads, including premium search heads. You can configure IP allow lists on additional search heads and premium search heads using the ACS API directly. For more information, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.
Determine IP allow list use case
Splunk Cloud Platform supports several common IP allow list use cases. In each case, the IP allow list controls access to a particular Splunk Cloud Platform feature, for example Search head API access, HEC access for ingestion, and so on.
IP allow list management supports the following IP allow list use cases:
Use Case | Description |
---|---|
Search head API access | Grants access for customer subnets to Splunk search head api (applies to automated interfaces) |
HEC access for ingestion | Allows customer's environment to send HTTP data to Splunk indexers. |
Indexer ingestion | Allows subnets that include UF or HF to send data to Splunk indexers. |
Search head UI access | Grant explicit access to search head UI in regulated customer environments. |
IDM UI access | Grant explicit access to IDM UI in regulated customer environments. |
IDM API | Grant access for add-ons that require an API. (Allows add-ons to send data to Splunk Cloud Platform.) |
IP allow list rules apply to the entire Splunk Cloud Platform deployment stack, not just to individual components. For example, any subnet that you add to "Search head API access" allow list will have access to the entire search head tier, including all individual search heads and search head clusters. Likewise, any forwarder whose subnet you add to the "Indexer ingestion" allow list will have access to all indexers.
Add or remove subnets from IP allow lists
The IP allow list management page lets you add or remove subnets from IP allow lists for specified Splunk Cloud Platform features. You can add or remove one or more IP subnets for multiple different features in a single page update. You must click save for any changes that you make to the page to propagate through the system.
Add subnets to IP allow lists
To add a subnet to an IP allow list:
- In Splunk Web, click Settings > Server settings > IP allow list.
- If token authentication is not enabled, click Go to tokens page and enable token authentication. Once token authentication is enabled, return to the IP allow list management page and refresh the page.
- Select the tab of the feature to which you wish to grant access. For example, click the "Search head UI access" tab to grant access to the search head UI.
- Click Add IP subnet.
- Enter the subnet using CIDR notation. For example 192.0.0.0/24
- Optionally, click Add IP subnet to add more subnets.
- Click Save.
This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.
Remove subnets from IP allow lists
To delete a subnet from an IP allow list:
- Select the tab for the feature from which you wish to revoke access.
- Click X to delete the existing subnet.
- Click Save.
This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.
You cannot delete the final IP subnet on the allow list for a feature. This is a safety measure that prevents inadvertently revoking all access to a feature. To delete the final subnet on an IP allow list, you must contact Splunk Support.
Changes can take up to 15 mins or more to propagate through the system.
If your deployment uses SAML authentication, and you receive a "Could not find ACS endpoint" error message when configuring IP allow lists in the UI, make sure you have enabled the appropriate scripted authentication extension for your SAML IdP. A scripted authentication extension is required for SAML users to properly authenticate IP allow list operations in Splunk Web.
For more information, see Configure authentication extensions to interface with your SAML IdP.
For help troubleshooting scripted authentication extensions, see Troubleshoot problems with authentication extensions.
Upgrade your Forwarders | Configure Dashboards Trusted Domains List |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!