Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure IP allow lists using Splunk Web

IP allow lists control which IP addresses on your network have access to specified features in your Splunk Cloud Platform deployment. You can use the IP allow list management page in Splunk Web to add IP subnets to allow lists and manage access to Splunk Cloud Platform features in a self-service manner without assistance from Splunk Support.

Alternatively, you can configure IP allow lists programmatically using the Admin Config Service (ACS) API. For more information, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.

Requirements

To configure IP allow lists using Splunk Web, you must:

  • Have Splunk Cloud Platform version 8.2.2201 or higher.
  • Hold a role that has the edit_ip_allow_list capability, including inherited roles. The sc_admin role has this capability by default.
  • Enable token authentication. See Enable or disable token authentication.

SAML users must enable a scripted authentication extension for proper authentication of IP allow list operations in Splunk Web. For more information, see Configure authentication tokens to interface with your SAML IdP.


Determine IP allow list use case

Splunk Cloud Platform supports several common IP allow list use cases. In each case, the IP allow list controls access to a particular Splunk Cloud Platform feature, for example Search head API access, HEC access for ingestion, and so on.

IP allow list management supports the following IP allow list use cases:

Use Case Description
Search head API access Grants access for customer subnets to Splunk search head api (applies to automated interfaces)
HEC access for ingestion Allows customer's environment to send HTTP data to Splunk indexers.
Indexer ingestion Allows subnets that include UF or HF to send data to Splunk indexers.
Search head UI access Grant explicit access to search head UI in regulated customer environments.
IDM UI access Grant explicit access to IDM UI in regulated customer environments.
IDM API Grant access for add-ons that require an API. (Allows add-ons to send data to Splunk Cloud Platform.)

IP allow list rules apply to the entire Splunk Cloud Platform deployment stack, not just to individual components. For example, any subnet that you add to "Search head API access" allow list will have access to the entire search head tier, including all individual search heads and search head clusters. Likewise, any forwarder whose subnet you add to the "Indexer ingestion" allow list will have access to all indexers.

Add or remove subnets from IP allow lists

The IP allow list management page lets you add or remove subnets from IP allow lists for specified Splunk Cloud Platform features. You can add or remove one or more IP subnets for multiple different features in a single page update. You must click save for any changes that you make to the page to propagate through the system.

Add subnets to IP allow lists

To add a subnet to an IP allow list:

  1. In Splunk Web, click Settings > Server settings > IP allow list.
  2. If token authentication is not enabled, click Go to tokens page and enable token authentication. Once token authentication is enabled, return to the IP allow list management page and refresh the page.
  3. Select the tab of the feature to which you wish to grant access. For example, click the "Search head UI access" tab to grant access to the search head UI.
  4. Click Add IP subnet.
  5. Enter the subnet using CIDR notation. For example 192.0.0.0/24
  6. Optionally, click Add IP subnet to add more subnets.
  7. Click Save.
    This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.

Remove subnets from IP allow lists

To delete a subnet from an IP allow list:

  1. Select the tab for the feature from which you wish to revoke access.
  2. Click X to delete the existing subnet.
  3. Click Save.
    This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.

You cannot delete the final IP subnet on the allow list for a feature. This is a safety measure that prevents inadvertently revoking all access to a feature. To delete the final subnet on an IP allow list, you must contact Splunk Support.

Changes can take up to 15 mins or more to propagate through the system.

Troubleshoot authentication related errors

If your deployment uses SAML authentication, and you receive a "Could not find ACS endpoint" error message when configuring IP allow lists in the UI, make sure you have enabled the appropriate scripted authentication extension for your SAML IdP. A scripted authentication extension is required for SAML users to properly authenticate IP allow list operations in Splunk Web.

For more information, see Configure authentication extensions to interface with your SAML IdP.

For help troubleshooting scripted authentication extensions, see Troubleshoot problems with authentication extensions.

Last modified on 31 January, 2024
PREVIOUS
Upgrade your Forwarders
  NEXT
Configure Dashboards Trusted Domains List

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters