Validating IP Addresses in an Access Request
This topic is intended for SecureChange handlers who are responsible for processing change requests.
IPv4 Address Validation
When an Access Request ticket is created and when it is handled, a validation is performed on the source and destination IP addresses to ensure that only continuous subnets are used.
For the standard CIDR format masks (/0 through /32, or the full netmask that correlates to its matching CIDR format), the valid IP addresses are those for which a logical AND of the respective bits of each IP address octet and the corresponding netmask octet returns the bits of the address octet.
Example: logical AND truth table
For the IP address a.b.c.d/w.x.y.z, the validation checks that the logical AND returns the following:
| Validation | Result |
|---|---|
| a AND w | a |
| b AND x | b |
| c AND y | c |
| d AND z | d |
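
The check described above, as an added Python example (not SecureChange's own code): it accepts a prefix length or a dotted netmask and applies the per-octet AND rule from the table. The function names, the treatment of a bare address as /32, and the rejection of netmasks that do not match a /0 through /32 prefix are assumptions of this example.

```python
import ipaddress

def parse_mask(mask):
    """Return the mask as a 32-bit int; accepts '24' or '255.255.255.0'."""
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix out of range: /{prefix}")
        return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    value = int(ipaddress.IPv4Address(mask))
    # A standard netmask is a run of 1-bits followed only by 0-bits, so its
    # inverse plus one is a power of two. Rejecting anything else is this
    # example's assumption about masks outside /0 through /32.
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"not a standard CIDR netmask: {mask}")
    return value

def validate(entry):
    """Apply the per-octet AND rule to 'a.b.c.d/mask'; return (ok, reason)."""
    addr_text, _, mask_text = entry.partition("/")
    try:
        addr = int(ipaddress.IPv4Address(addr_text))
        # Assumption of this example: a bare address is treated as /32.
        mask = parse_mask(mask_text or "32")
    except ValueError as exc:
        return False, str(exc)
    for shift, name in zip((24, 16, 8, 0), "abcd"):
        octet = (addr >> shift) & 0xFF
        if octet & ((mask >> shift) & 0xFF) != octet:
            network = ipaddress.IPv4Address(addr & mask)
            return False, f"octet {name} has host bits set; network is {network}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample entries, not taken from any real ticket.
    for sample in ("10.1.2.0/24", "10.1.2.0/255.255.255.0", "10.1.2.5/24",
                   "10.1.3.0/22", "10.1.2.0/255.0.255.0", "192.0.2.7"):
        print(f"{sample:24} {validate(sample)}")
```

An entry such as 10.1.2.5/24 fails at octet d because 5 AND 0 is 0, not 5; the reported network address is the value that would pass.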
Non Default Port Addresses
For Palo Alto Panorama devices, you can enter applications in an access request using the default port for the application, the non-default port for the application, or any ports.
- To use the default ports, type or select the name of the application. SecureChange displays the name of the application with (application-default) written after the name, for example: Facebook (application-default)
- To use a non-default port, after the name of the application, type the name of the required ports in brackets. Multiple ports should be separated with a comma, for example: Facebook (TCP 100, TCP 101, HTTP)

  Non-default ports can be a protocol and port, for example TCP 80, or a predefined service, for example HTTPS.
- To use open access for the application across all protocols and ports, after the name of the application type (any), for example: Facebook (any)