Validating IP Addresses in an Access Request

This topic is intended for SecureChange handlers who are responsible for processing change requests.

IPv4 Address Validation

When an Access Request ticket is created and when it is handled, a validation is performed on the source and destination IP addresses to ensure that only continuous subnets are used.

For standard CIDR format masks (/0 through /32, or the full netmask that corresponds to its matching CIDR format), the valid IP addresses are those for which a logical AND of the respective bits of the IP address and the netmask returns the bits of the address octet.

Example: logical AND truth table

For the IP address a.b.c.d/w.x.y.z, the validation checks that the logical AND returns the following:

Validation    Result
a AND w       a
b AND x       b
c AND y       c
d AND z       d
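The per-octet check above, written out in Python as an added example (not SecureChange's own code). The function names and sample entries are constructed for illustration, and rejecting a netmask that has no matching CIDR prefix is this example's assumption.

```python
import ipaddress


def mask_octets(mask_text: str) -> bytes:
    """Return the four mask octets for a prefix length ('24') or a full netmask."""
    if mask_text.isdigit():
        prefix = int(mask_text)
        if prefix > 32:
            raise ValueError("prefix length must be /0 through /32")
        value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    else:
        value = int(ipaddress.IPv4Address(mask_text))
        inverted = value ^ 0xFFFFFFFF
        # A CIDR-equivalent mask is all 1s then all 0s, so the inverted
        # mask is 2**n - 1 and shares no bits with itself plus one.
        if inverted & (inverted + 1):
            raise ValueError("netmask has no matching CIDR prefix")
    return value.to_bytes(4, "big")


def check_entry(entry: str):
    """Validate 'a.b.c.d/mask'; return (ok, failing_octet_positions)."""
    addr_text, _, mask_text = entry.partition("/")
    addr = ipaddress.IPv4Address(addr_text).packed   # octets a, b, c, d
    mask = mask_octets(mask_text)                    # octets w, x, y, z
    # Octet by octet: (a AND w) must equal a, (b AND x) must equal b, ...
    failing = [pos for pos, (a, m) in enumerate(zip(addr, mask), start=1)
               if a & m != a]
    return (not failing, failing)


if __name__ == "__main__":
    # Constructed sample entries, not taken from a real ticket.
    for sample in ("10.1.2.0/24", "10.1.2.5/24",
                   "192.168.4.0/255.255.252.0", "192.168.5.0/22"):
        ok, failing = check_entry(sample)
        print(f"{sample:28} valid={ok} failing_octets={failing}")
```

An entry fails when any host bit is set, for example 10.1.2.5/24, where 5 AND 0 returns 0 rather than 5.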

Non-Default Port Addresses

For Palo Alto Panorama devices, you can enter applications in an access request using the default port for the application, the non-default port for the application, or any ports.

  • To use the default ports, type or select the name of the application. SecureChange displays the name of the application with (application-default) written after the name, for example Facebook (application-default).

  • To use a non-default port, after the name of the application, type the name of the required ports in brackets. Multiple ports should be separated with a comma, for example Facebook (TCP 100, TCP 101, HTTP).

    Non-default ports can be a protocol and port, for example TCP 80, or a predefined service, for example HTTPS.

  • To use open access for the application across all protocols and ports, after the name of the application, type (any), for example Facebook (any).