Allow/restrict IP addresses

One way to make Log360 and its integrated components more secure is by allowing or restricting inbound connections to specific IPs or IP ranges. This adds an additional layer of security by allowing connection from only trusted sources and blocking unwanted and malicious traffic.

The IP restriction can be applied for the entire product, specific URLs within the product, or APIs.

Controlling access to the product

1. Navigate to Admin → Administration → Logon Settings.
2. Click the Allow/Restrict IPs tab.
3. Under the Actions column, click the [] icon to enable IP restriction.



4. In the pop-up that appears, select the Allowed IPs or the Restricted IPs option.
5. Based on your requirements, enter the desired IP addresses.
   • Adding multiple IP ranges: Click [] icon if you want to allow or restrict access to multiple IP address ranges.
   • Allow/restrict individual IPs: Click Add Individual IPs if you want to allow or restrict access to individual IP addresses. You can add multiple individual IP addresses by separating the values using comma.
6. Refer to the Appendix for more information.



7. Finally, click Save to save the settings.
8. If you have changed the 3rd party reverse proxy settings of Log360 or any of its integrated components for which you are enabling IP-based restriction, then:
   • Add the following line to the server.xml file (default location: <InstallationDirectory>/conf/server.xml).
9. <Valve className="org.apache.catalina.valves.RemoteIpValve"
   internalProxies="192\.168\.0\.10|192\.168\.0\.11"
   trustedProxies="172\.168\.0\.10|176\.168\.0\.11" />
   • Edit the values of internalProxies and trustedProxies as per your environment.
   • Enter IP address while specifying the values for internalProxies and trustedProxies, and use the vertical bar (|) character to enter multiple values.
   • Restart for the changes to take effect.
   • Repeat these steps for the integrated components as well.

Controlling access to APIs and product URLs

1. Navigate to Admin → Administration → Logon Settings.
2. Click the Allow/Restrict IPs tab.
3. Under the Actions column, click the [] icon to enable IP restriction.



4. In the pop-up that appears, check the Enable API/URL Access for Selected IPs box.



5. Enter the API/Product URLs in the box provided.
6. Sample URL paths: /Admin.do, /Configuration.do, /Dashboard.do
   Sample API paths: /RestAPI/WC/Integration, /RestAPI/WC/LogonSettings

Note:

• Use * as a wildcard character to restrict access to a broader range of APIs or URLs. For example, use /RestAPI/WC/.* to restrict all API calls that start with /RestAPI/WC/.
• The API/URL path should start with /. For example, /Admin.do and /RestAPI/WC/.
• Enter only the path of the API or URL. For example, if the entire product URL is https:testserver:8095/Admin.do, then enter only /Admin.do.
• Only alphanumeric characters (A-Z, a-z, 0-9) and the following special characters are allowed: period (.), forward slash (/), and asterisk (*).
7. Enter the IP addresses as per your requirement. Click [] icon if you want to allow access to multiple IP address ranges.
8. Finally, click Save to save the settings.
9. If any changes are made to 3rd party reverse proxy for Log360, or any of its integrated components, then:
   • Add the following line to the server.xml file (default location: <InstallationDirectory>/conf/server.xml).
10. <Valve className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="192\.168\.0\.10|192\.168\.0\.11"
    trustedProxies="172\.168\.0\.10|176\.168\.0\.11" />
    • Edit the values of internalProxies and trustedProxies as per your environment.
    • Enter IP address while specifying the values for internalProxies and trustedProxies, and use the vertical bar (|) character to enter multiple values.
    • Restart Log360 for the changes to take effect.
    • Repeat these steps for the integrated components as well.

Note:

• The purpose of configuring InternalProxies and TrustedProxies is to determine which IP addresses are regarded as internal or trusted. By configuring these settings, organizations can improve their network security by controlling the access and use of IP addresses within their network.
• InternalProxies are IP addresses that are trusted and from within the organization network. These IP addresses are typically used by internal services, such as printers and servers.
• TrustedProxies are IP addresses that are external to the network but still maintain a high level of trust and reliability. These IP addresses are typically associated with external services like websites and databases.

Managing IP restriction

You can also make the following changes to this setting:

• Disable/enable IP-based restriction: Use the icon under the Actions column to enable or disable IP-based restriction. [] icon means IP-based restriction is enabled for a component and [] icon means IP-based restriction is disabled.
• Edit IP-based restriction settings: Click [] icon to add, delete, or edit the IP ranges and individual IP addresses.
• Summary details: Click the link under the Allow/Restrict IPs column to view the IPs that are allowed or restricted from accessing a component.

Appendix

• Use * as wildcard character: Individual IP addresses can include wildcard characters, so that all addresses within a certain class of address will be restricted. For example, denying access to address 192.168.2.* would restrict access to all addresses within that subnet.
• You can also enter hostname instead of IP addresses.
• You can allow or restrict only IPv4 addresses. IPv6 is not supported.
• The Remote Integrated Child Components (RICC) server IP address cannot be restricted in Log360
• The implementation of IP restriction for forward proxy is not supported.
• After initially configuring IP Restriction or Reverse Proxy in Log360, manual restart of the child products is necessary.
• When the child products are installed remotely and the Reverse Proxy is set up in Log360, manually add the parent product server's IP as an internal proxy in the child product. Following this, manually restart the child products.