Validating IP Addresses in an Access Request
This topic is intended for SecureChange handlers who are responsible for processing change requests.
IPv4 Address Validation
When an Access Request ticket is created and when it is handled, a validation is performed on the source and destination IP addresses to ensure that only continuous subnets are used.
For the standard CIDR format masks (/0 through /32, or the full netmask that corresponds to the CIDR prefix), the valid IP addresses are those for which a logical AND of the respective bits of the IP address and the netmask returns the bits of the address octet. In other words, no address bit may be set where the netmask bit is 0.
Example: logical AND truth table
For the IP address a.b.c.d/w.x.y.z, the validation checks that the logical AND returns the following:

| Validation | Result |
|---|---|
| a AND w | a |
| b AND x | b |
| c AND y | c |
| d AND z | d |
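The check in the table above, written out as an added Python example (not SecureChange's own code) so a handler can test an entry before submitting it. The function names and sample entries are constructed for illustration, and rejecting a dotted netmask with non-contiguous bits is an assumption based on the "continuous subnets" wording above.

```python
import ipaddress

def parse_mask(text):
    """Return a 32-bit mask from a prefix length ('24') or dotted netmask."""
    if text.isdigit():
        n = int(text)
        if not 0 <= n <= 32:
            raise ValueError(f"prefix length out of range: {n}")
        return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(text))

def is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~mask & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def validate(entry):
    """Return (ok, reason) for 'a.b.c.d/n' or 'a.b.c.d/w.x.y.z'."""
    try:
        addr_text, mask_text = entry.split("/", 1)
        addr = int(ipaddress.IPv4Address(addr_text))
        mask = parse_mask(mask_text)
    except ValueError as exc:
        return False, f"malformed entry: {exc}"
    # Assumption: a dotted netmask with holes is not a standard CIDR mask.
    if not is_contiguous(mask):
        return False, "netmask is not a contiguous CIDR mask"
    # The page's table: each address octet ANDed with the mask octet
    # must give back the address octet unchanged.
    for i, shift in enumerate((24, 16, 8, 0), start=1):
        a, m = (addr >> shift) & 0xFF, (mask >> shift) & 0xFF
        if (a & m) != a:
            return False, f"octet {i}: {a} AND {m} = {a & m}, expected {a}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample entries, not taken from a real ticket.
    for entry in ("10.1.2.0/24", "10.1.2.5/24", "192.168.1.128/25",
                  "10.1.2.5/32", "10.1.2.0/255.0.255.0", "10.1.2.0/33"):
        print(entry, validate(entry))
```

An entry such as 10.1.2.5/24 fails because the last octet has host bits set; the same host is expressed as 10.1.2.5/32, which passes.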
Non Default Port Addresses
For Palo Alto Panorama devices, you can enter applications in an access request using the default port for the application, the non-default port for the application, or any ports.
- To use the default ports, type or select the name of the application. SecureChange displays the name of the application with (application-default) written after the name, for example: Facebook (application-default)
- To use a non-default port, after the name of the application, type the name of the required ports in brackets. Multiple ports should be separated with a comma, for example: Facebook (TCP 100, TCP 101, HTTP)
  Non-default ports can be a protocol and port, for example TCP 80, or a predefined service, for example HTTPS.
- To use open access for the application across all protocols and ports, after the name of the application type (any), for example: Facebook (any)