Block IPs using REST API Access Policies

Issue

How to configure REST API access policies so that they can block certain IP addresses.

Release

N/A

Resolution
These are the steps to implement a simple allow policy for certain IPs:

1) Go to System Web Services > API Access policies > REST API Access Policy.

2) Set the name and API type you want to use, and set the other fields based on your requirements.

3) Create an Inbound Authentication Profile. Here, select 'Create standard HTTP authentication profile'.

4) Set the name and select the 'Type' of authentication you are using.

   Basic Auth -> This is for API access policies using a username and password present in the sys_user table.
   OAuth -> This is for integrations using OAuth as the authentication method. This can be configured either for all inbound OAuth integrations or for a particular Application Registry. You can select the application registry in the 'OAuth Entity' field.
   ID Token -> If you pass the access token in the header "Authorization" as value "Bearer <token>", then this will be treated as an ID token.
   Certificate-Based -> Authentication using a certificate in the sys_certificate table is certificate-based authentication.

After this, you have to configure an authentication policy. This policy is where you configure the conditions, i.e. allow/deny, for your inbound REST calls.

5) Create a new Authentication policy, give it a name and save. Once you save, you will see 2 related list tabs:

   Policy Input: In simple terms, what to check?
   Policy Conditions: Based on the Policy Input, how should I act?

6) First, click on New for the Policy Input. You can select IP filter, Role-based or Group-based. For our implementation, we will select 'IP filter'.

7) You can add an IP address range, or you can configure a Network IP, based on your requirement. Add any number of IP ranges you require and then submit.
Now that we have selected the "what to check", we have to configure "what to do with it". For a sample scenario, I decide that I only want to allow a certain set of IPs.

8) Create a new Policy Condition and set the Filter condition to:

   <my_policy_input_name> is true

Our setup is now complete. Backtrack and check the flow:

   REST API Access Policy -> Authentication Profile -> Authentication Policy -> Policy Input and Policy Condition

Now you can test this via POSTMAN or any external tool. You will get a 401 - Not authorized error.

Note: Internal ServiceNow IPs (e.g. in an eBonding use case) are not blocked by this method; to block them, use the IP address allowlist.

Related Links

Please go through the product documentation for details on each field in the implementation.
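The allow policy from steps 6 to 8, modelled offline as an added example (not ServiceNow code and not part of the original article): it checks a client inventory against the planned IP filter before the policy is saved, so integrations that would start receiving 401 are found first. The input name, addresses and client list are constructed, and treating range ends as inclusive is an assumption.

```python
import ipaddress

# Constructed sample data: the input name, addresses and client inventory are
# illustrative (documentation ranges), not values from a real instance.
POLICY_INPUT = {
    "name": "allowed_partner_ips",
    "ranges": [("203.0.113.10", "203.0.113.20")],  # assumed inclusive at both ends
    "networks": ["198.51.100.0/24"],
}
CLIENTS = {
    "erp-integration": "203.0.113.15",
    "monitoring": "198.51.100.77",
    "range-edge": "203.0.113.20",
    "legacy-batch": "203.0.113.21",
    "ipv6-client": "2001:db8::5",
    "typo-entry": "203.0.113.300",
}

def compile_input(policy_input):
    """Parse ranges and networks once; reject reversed or mixed-version ranges."""
    ranges = []
    for start, end in policy_input["ranges"]:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {start}-{end}")
        ranges.append((lo, hi))
    networks = [ipaddress.ip_network(n) for n in policy_input["networks"]]
    return ranges, networks

def input_is_true(source_ip, compiled):
    """Model of the IP filter Policy Input: True when the source IP matches."""
    ranges, networks = compiled
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparseable address never matches
    in_range = any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)
    return in_range or any(ip in net for net in networks)

def audit(clients, policy_input):
    """Map each client to 'pass' or '401' under the condition '<input> is true'."""
    compiled = compile_input(policy_input)
    return {name: "pass" if input_is_true(ip, compiled) else "401"
            for name, ip in clients.items()}

if __name__ == "__main__":
    for name, outcome in audit(CLIENTS, POLICY_INPUT).items():
        print(f"{name:16} {CLIENTS[name]:16} {outcome}")
```

List each client by the egress address the instance will see (for example a NAT or proxy address), since that is the address the IP filter is compared against.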