The Network Access Rules page allows you to limit the IP addresses from which specific users can log in, based on those users’ security policies. Each rule can apply to either a single IP address or an IP range. You cannot create a rule that would lock you out. For any security policy that is not part of a network access rule, users can log in from any IP address.

Network access rules apply across all Vaults in a multi-Vault domain. You must be a Domain Admin to modify these settings.

Accessing Network Access Rules

To see or modify network access rules, go to Admin > Settings > Network Access Rules.

Creating & Editing Network Access Rules

To create or edit a network access rule:

  1. Click Create for a new rule or click into a rule’s details and click Edit to modify an existing rule.
  2. Enter a Name to help you identify the rule.
  3. Enter a Start IP Address and End IP Address. These can be IPv4 or IPv6 addresses, but both values must use the same version. If there’s a single allowed address, enter the same value in both fields.
  4. In the Security Settings field, select one or more security policies. Users with these security policies will only be able to access Vault from the IP range selected in this rule and other rules that apply to their security policy. If a single security policy is selected for two rules, users with that policy will be able to access Vault from both IP ranges.
  5. Click Save.

Login Error Messaging

When users enter their login details and try to proceed from a disallowed IP address, they see the message “Network Access not within range” or a similar error.

Limits & Restrictions

  • Network access rules are not applied for users authenticating via SSO-enabled security policies.
  • You cannot apply network access rules to cross-domain users. Cross-domain security policies will not appear for selection when configuring a rule.
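
The following is an added example, not Vault's own code: a small Python model of the rule semantics described on this page (inclusive start/end ranges, the union of all rules that name a policy, no restriction for policies named in no rule, and the SSO exemption), which a Domain Admin could use to sanity-check a planned rule set. The policy names, rule names and addresses are constructed, and rejecting a start address above the end address is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    start: str           # Start IP Address
    end: str             # End IP Address (same as start for a single address)
    policies: frozenset  # security policies selected for this rule

    def bounds(self):
        lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        if lo.version != hi.version:
            raise ValueError(f"{self.name}: start and end must use the same IP version")
        if lo > hi:  # assumption: the page does not state how a reversed range is handled
            raise ValueError(f"{self.name}: start address is above end address")
        return lo, hi

def login_allowed(rules, policy, source_ip, sso_policies=frozenset()):
    """Return True if a user with `policy` may log in from `source_ip`."""
    if policy in sso_policies:
        return True   # rules are not applied to SSO-enabled security policies
    applicable = [r for r in rules if policy in r.policies]
    if not applicable:
        return True   # policy is in no rule: login from any IP address
    ip = ipaddress.ip_address(source_ip)
    for rule in applicable:  # a policy in several rules gets the union of their ranges
        lo, hi = rule.bounds()
        if ip.version == lo.version and lo <= ip <= hi:
            return True
    return False

def unrestricted_policies(rules, all_policies, sso_policies=frozenset()):
    """Policies that no rule constrains: named in no rule, or SSO-enabled."""
    covered = set().union(*(r.policies for r in rules))
    return sorted(p for p in all_policies if p not in covered or p in sso_policies)

# Constructed sample rule set (documentation address ranges, hypothetical policy names).
RULES = [
    Rule("HQ office", "203.0.113.0", "203.0.113.255", frozenset({"Default", "Contractors"})),
    Rule("VPN egress", "198.51.100.10", "198.51.100.10", frozenset({"Default"})),
    Rule("HQ IPv6", "2001:db8::", "2001:db8::ffff", frozenset({"Contractors"})),
]

if __name__ == "__main__":
    for policy, ip in [("Default", "198.51.100.11"), ("Service Accounts", "192.0.2.1")]:
        print(policy, ip, login_allowed(RULES, policy, ip))
```

Running unrestricted_policies over the full list of security policies shows which ones remain reachable from any address, which is the gap to review after adding rules.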