Fortanix SaaS IP Whitelisting

1.0 Introduction

Fortanix SaaS is an internet-connected service that can interface with other internet-connected clients and services. This article elaborates on how these connections should be made and what security measures to take. It also describes the IP ranges associated with the Fortanix SaaS service.

DISCLAIMER

Fortanix aims to announce new IPs through the URL https://ip-ranges.fortanix.com/ip-ranges at least 30 days before using them. In addition, for web clients, the IPs from Fortanix service providers are included that may not adhere to this advance notice period.

2.0 Security Best Practices

The following best practices outline the key strategies to safeguard against potential threats:

  • Ensure the use of Transport Layer Security (TLS) with global Public Key Infrastructure (PKI), as Fortanix server certificates are issued by common public certificate authorities (CAs).

  • Use host-based access control solely as a defense-in-depth mechanism. The source and destination Internet Protocol (IP) addresses cannot generally be trusted on the Internet.

  • Use the Fortanix IP ranges JSON to ingest the IPs into the infrastructure to implement host-based access control. No other notice will be provided by Fortanix when changing IPs.

3.0 Fortanix IP Ranges JSON

The JSON document served at https://ip-ranges.fortanix.com/ip-ranges has the following structure:

{
  "last_updated": "20240523T192951Z",
  "prefixes": [
    {
      "region": "NA1",
      "direction": "outbound",
      "ip_prefix": "38.142.247.36/32"
    },
    {
      "region": "NA1",
      "direction": "outbound",
      "ip_prefix": "184.105.12.116/32"
    },
    {
      "region": "NA1",
      "direction": "outbound",
      "ip_prefix": "38.122.67.228/32"
    },
    {
      "region": "NA1",
      "consumers": [
        "api",
        "web"
      ],
      "direction": "inbound",
      "ip_prefix": "45.60.173.253/32"
    },
    ..
  ],
  "prefixes_v6": [
    {
      "region": "GLOBAL",
      "consumers": [
        "web"
      ],
      "direction": "inbound",
      "ipv6_prefix": "2600:9000:3000::/36"
    }
  ]
}

Where,

  • last_updated is the publication time of the document, a UTC timestamp in ISO 8601 basic format (for example 20240523T192951Z).

  • prefixes / ip_prefix refers to the IP prefixes for the IPv4 address ranges.

  • prefixes_v6 / ipv6_prefix refers to the IP prefixes for the IPv6 address ranges.

  • consumers -

    • api - this is applicable when the user interacts with Fortanix systems by making requests to its API (Application Programming Interface).

    • web - this is applicable when the user interacts with Fortanix systems through a web browser interface, using a front-end graphical user interface (GUI).

  • direction -

    • inbound: Traffic from customer clients to Fortanix.

    • outbound: Traffic from Fortanix to customer infrastructure (see 5.0 Outbound Connectivity); these are the source prefixes to allow in host-based access control on the customer side.

  • region refers to the Fortanix region, or GLOBAL. All regions use a common global CloudFront Content Delivery Network (CDN) to serve user interface (UI) artifacts; the IPs associated with that service are listed in this JSON under the GLOBAL region designation.

The Fortanix SaaS service is exposed as five distinct clusters (distinguished by the region field). While they all have the same functionality, they are completely independent, and account information and data are not shared across region boundaries.

REGIONS   LOCATIONS                    SERVICES
NA1       US datacenters               DSM SaaS
NA2       US Azure regions             CCM
EU1       Europe datacenters           DSM SaaS
EU2       Europe Azure regions         Armor, Key Insight, IAM
APAC1     Asia Pacific datacenters     DSM SaaS
UK1       United Kingdom datacenters   DSM SaaS
U1        Australia datacenters        DSM SaaS

NOTE

This is only a sample snippet. To get the latest Fortanix SaaS IP ranges, refer to the URL https://ip-ranges.fortanix.com/.

4.0 Inbound Connectivity

4.1 API Clients

Use a Server Name Indication (SNI) enabled client and connect to the appropriate API hostname, including when using client certificates or mutual Transport Layer Security (TLS).

Refer to the designated Fully Qualified Domain Names (FQDNs) for establishing connections to the respective Fortanix services and their corresponding regions.
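The client-side behaviour described above (SNI, server certificate verification against the global PKI, and an optional client certificate for mutual TLS), as an added example in Python that is not part of the Fortanix documentation or tooling. The hostname and certificate paths are placeholders; substitute the FQDN documented for your region and the credentials issued to your application.

```python
import socket
import ssl

# Hypothetical placeholders: substitute the documented FQDN for the region you use
# and the paths to the client certificate issued to your application.
API_HOST = "api.example-region.fortanix.com"  # placeholder, not a real endpoint
CLIENT_CERT = "/path/to/client.pem"           # placeholder
CLIENT_KEY = "/path/to/client.key"            # placeholder


def make_client_context(client_cert=None, client_key=None):
    """TLS client context that verifies the server against the system CA store
    (global PKI) and optionally presents a client certificate for mutual TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True             # name in the cert must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED   # an unverifiable chain aborts the handshake
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_is_hardened(ctx):
    """True when the context verifies peers, checks hostnames and refuses TLS < 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def connect_with_sni(ctx, hostname, port=443, timeout=10):
    """Open a TLS connection. server_hostname both sends SNI and drives hostname
    verification, so a shared front end can select the right certificate and the
    client still rejects a certificate issued for some other name."""
    raw = socket.create_connection((hostname, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=hostname)


if __name__ == "__main__":
    context = make_client_context()  # pass CLIENT_CERT, CLIENT_KEY for mutual TLS
    with connect_with_sni(context, API_HOST) as tls:
        print(tls.version(), tls.getpeercert()["subject"])
```

The point of `server_hostname` is that SNI and hostname verification come from the same value: connecting by IP address instead of by FQDN would both break certificate selection on the server and disable the name check on the client.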

4.1.1 Host-Based Access Control

Domain Name System (DNS) based filtering on the service FQDNs is the recommended option.

If the customer’s firewall cannot use the DNS-based filtering option, use IP addresses instead: for each region of the service being accessed, retrieve the inbound IP addresses from the ip-ranges JSON, and consider filtering for the prefixes designated for api consumers.

4.2 Web Clients

Similar to API clients, web clients should allow *.fortanix.com, *.smartkey.io, and every origin specified in the Content Security Policy (CSP) of any page within those domains.

4.2.1 Host-Based Access Control

Domain Name System (DNS) based filtering on the service FQDNs is the recommended option.

Internet Protocol (IP): for each region of the service you are connecting to, look up the inbound IP addresses for that region as well as for the GLOBAL region. This covers only the IPs for *.fortanix.com and *.smartkey.io, not any other domains that may be listed in the CSP.

5.0 Outbound Connectivity

Outbound connections to customer infrastructure are initiated using the Fortanix IPs for the following Fortanix product features:

  • Externally linked groups.

  • LDAP Single Sign-On (SSO) integration.

  • Plugin external Hypertext Transfer Protocol (HTTP) calls.

  • Audit log forwarding.

In addition, common Internet infrastructure components such as Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), Online Certificate Status Protocol (OCSP), and Certificate Revocation List (CRL) may be utilized to facilitate these services.
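The ingestion step that sections 4.1.1, 4.2.1 and 5.0 describe, as an added Python example that is not Fortanix code: it parses the ip-ranges JSON from section 3.0, validates every prefix, selects the inbound prefixes for one region (api consumers, or web consumers plus the GLOBAL region) or the outbound prefixes Fortanix connects from, and diffs two snapshots so a newly announced prefix is noticed before the advance-notice window ends. The embedded document is a constructed sample with the same shape as the snippet above; in practice the live JSON is fetched over TLS on each refresh.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample with the same shape as the ip-ranges document in section 3.0
# (the entries are the ones shown there; in practice fetch the live JSON over TLS).
SAMPLE_RANGES = """{
  "last_updated": "20240523T192951Z",
  "prefixes": [
    {"region": "NA1", "direction": "outbound", "ip_prefix": "38.142.247.36/32"},
    {"region": "NA1", "direction": "outbound", "ip_prefix": "184.105.12.116/32"},
    {"region": "NA1", "direction": "outbound", "ip_prefix": "38.122.67.228/32"},
    {"region": "NA1", "consumers": ["api", "web"], "direction": "inbound",
     "ip_prefix": "45.60.173.253/32"}
  ],
  "prefixes_v6": [
    {"region": "GLOBAL", "consumers": ["web"], "direction": "inbound",
     "ipv6_prefix": "2600:9000:3000::/36"}
  ]
}"""


def load_ranges(text):
    """Parse the ip-ranges JSON into (published, entries).

    Each entry is (region, direction, consumers, network). Every prefix is
    validated with ipaddress so a malformed feed fails closed instead of
    producing a broken firewall rule.
    """
    doc = json.loads(text)
    published = datetime.strptime(doc["last_updated"], "%Y%m%dT%H%M%SZ")
    published = published.replace(tzinfo=timezone.utc)
    entries = []
    for list_key, prefix_key in (("prefixes", "ip_prefix"), ("prefixes_v6", "ipv6_prefix")):
        for item in doc.get(list_key, []):
            net = ipaddress.ip_network(item[prefix_key], strict=True)
            # outbound entries carry no "consumers" key; normalise to an empty tuple
            consumers = tuple(item.get("consumers", ()))
            entries.append((item["region"], item["direction"], consumers, net))
    return published, entries


def select_prefixes(entries, region, direction, consumer=None):
    """Prefix strings to allow for one region and direction.

    inbound with a consumer: keep entries tagged for that consumer; for "web"
    also include the GLOBAL region (CloudFront UI artifacts, section 4.2.1).
    outbound: keep entries whose region matches; consumer is not applicable.
    """
    regions = {region}
    if direction == "inbound" and consumer == "web":
        regions.add("GLOBAL")
    chosen = set()
    for reg, direc, consumers, net in entries:
        if direc != direction or reg not in regions:
            continue
        if direction == "inbound" and consumer is not None and consumer not in consumers:
            continue
        chosen.add(net)
    # IPv4 first, then IPv6, each in numeric order, so generated rules are stable
    return [str(n) for n in sorted(chosen, key=lambda n: (n.version, n))]


def diff_ranges(old_entries, new_entries):
    """(added, removed) sets of (region, direction, consumers, prefix) between two
    snapshots; run on every refresh so a newly published prefix is not missed."""
    old = {(r, d, c, str(n)) for r, d, c, n in old_entries}
    new = {(r, d, c, str(n)) for r, d, c, n in new_entries}
    return new - old, old - new


if __name__ == "__main__":
    published, entries = load_ranges(SAMPLE_RANGES)
    print("published      ", published.isoformat())
    print("NA1 api inbound", select_prefixes(entries, "NA1", "inbound", "api"))
    print("NA1 web inbound", select_prefixes(entries, "NA1", "inbound", "web"))
    print("NA1 outbound   ", select_prefixes(entries, "NA1", "outbound"))
```

Two design points: prefixes are parsed with `strict=True`, so an entry with host bits set is rejected rather than silently widened into a rule, and the inbound/outbound split mirrors the firewall direction it feeds (inbound prefixes become egress destinations on the customer side, outbound prefixes become ingress sources for the features listed in section 5.0).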