1.0 Introduction
Fortanix SaaS is an internet-connected service that can interface with other internet-connected clients and services. This article elaborates on how these connections should be made and what security measures to take. It also describes the IP ranges associated with the Fortanix SaaS service.
DISCLAIMER
Fortanix aims to announce new IPs through the URL https://ip-ranges.fortanix.com/ip-ranges at least 30 days before using them. In addition, for web clients, the JSON includes IPs belonging to Fortanix's service providers, which may not adhere to this advance notice period.
2.0 Security Best Practices
The following best practices outline the key strategies to safeguard against potential threats:
Ensure the use of Transport Layer Security (TLS) with global Public Key Infrastructure (PKI), as Fortanix server certificates are issued by common public certificate authorities (CAs).
Use host-based access control solely as a defense-in-depth mechanism. The source and destination Internet Protocol (IP) addresses cannot generally be trusted on the Internet.
Ingest the Fortanix IP ranges JSON into your infrastructure to implement host-based access control. Fortanix provides no notice of IP changes other than this JSON.
3.0 Fortanix IP Ranges JSON
The JSON served at ip-ranges.fortanix.com has the following structure:

```json
{
  "last_updated": "20240523T192951Z",
  "prefixes": [
    {
      "region": "NA1",
      "direction": "outbound",
      "ip_prefix": "38.142.247.36/32"
    },
    {
      "region": "NA1",
      "direction": "outbound",
      "ip_prefix": "184.105.12.116/32"
    },
    {
      "region": "NA1",
      "direction": "outbound",
      "ip_prefix": "38.122.67.228/32"
    },
    {
      "region": "NA1",
      "consumers": [
        "api",
        "web"
      ],
      "direction": "inbound",
      "ip_prefix": "45.60.173.253/32"
    },
    ..
  ],
  "prefixes_v6": [
    {
      "region": "GLOBAL",
      "consumers": [
        "web"
      ],
      "direction": "inbound",
      "ipv6_prefix": "2600:9000:3000::/36"
    },
    ..
  ]
}
```
Where:

- last_updated: the publication time, a timestamp in ISO 8601 format.
- prefixes / ip_prefix: the IPv4 address prefixes.
- prefixes_v6 / ipv6_prefix: the IPv6 address prefixes.
- consumers:
  - api: applicable when the user interacts with Fortanix systems by making requests to its Application Programming Interface (API).
  - web: applicable when the user interacts with Fortanix systems through a web browser, using the front-end graphical user interface (GUI).
- direction:
  - inbound: traffic from customer clients to Fortanix.
  - outbound: traffic initiated by Fortanix to customer infrastructure (host-based; see section 5.0).
- region: the Fortanix region, or GLOBAL. All regions use a common global CloudFront Content Delivery Network (CDN) to serve user interface (UI) artifacts; the IPs associated with that service are listed in this JSON under the GLOBAL region designation.

This document describes the IP ranges associated with the Fortanix SaaS service. The service is exposed as five distinct clusters (distinguished by the .region field). While they all have the same functionality, they are completely independent, and account information and data are not shared across region boundaries.
REGIONS | LOCATIONS | SERVICES
---|---|---
NA1 | US datacenters | DSM SaaS
NA2 | US Azure regions | CCM
EU1 | Europe datacenters | DSM SaaS
EU2 | Europe Azure regions | Armor, Key Insight, IAM
APAC1 | Asia Pacific datacenters | DSM SaaS
UK1 | United Kingdom datacenters | DSM SaaS
U1 | Australia datacenters | DSM SaaS
NOTE
This is only a sample API snippet. To get the latest Fortanix SaaS IP API ranges, refer to the URL https://ip-ranges.fortanix.com/.
4.0 Inbound Connectivity
4.1 API Clients
Use a Server Name Indication (SNI) enabled client and connect to the appropriate API hostname, especially when using client certificates or mutual Transport Layer Security (TLS).
Refer to the designated Fully Qualified Domain Names (FQDNs) when establishing connections to the respective Fortanix services and their corresponding regions.
4.1.1 Host-Based Access Control
Filtering by Domain Name System (DNS) name is recommended.
If the customer's firewall cannot use the DNS-based filtering option, use IP addresses instead: for each region of the service being accessed, retrieve the inbound IP addresses from the ip-ranges JSON, filtering for prefixes whose consumers include api.
4.2 Web Clients
Similar to API clients, web clients should allow *.fortanix.com, *.smartkey.io, and all elements specified in the Content Security Policy (CSP) on any page within those domains.
4.2.1 Host-Based Access Control
Filtering by Domain Name System (DNS) name is recommended.
If filtering by Internet Protocol (IP) address instead: for each region of the service you are connecting to, look up the inbound IP addresses for that region as well as the GLOBAL region. This only covers IPs for *.fortanix.com and *.smartkey.io, not any other domains that may be listed in the CSP.
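The following is an added example, not Fortanix tooling, of turning the ip-ranges JSON described in section 3.0 into allowlist entries for the API (4.1.1) and web (4.2.1) cases, and of diffing a new download against the previously ingested set. The SAMPLE document is constructed in the documented layout: the NA1 and GLOBAL values are the ones shown in the sample above, and the EU1 entry (a TEST-NET range) is invented.

```python
import ipaddress
import json

# Constructed sample in the layout documented above. The EU1 entry is invented
# (TEST-NET-2); the others are the values shown in the sample. Fetch the live
# file from https://ip-ranges.fortanix.com/ip-ranges in production.
SAMPLE = json.loads("""{
  "last_updated": "20240523T192951Z",
  "prefixes": [
    {"region": "NA1", "direction": "outbound", "ip_prefix": "38.142.247.36/32"},
    {"region": "NA1", "direction": "outbound", "ip_prefix": "184.105.12.116/32"},
    {"region": "NA1", "consumers": ["api", "web"], "direction": "inbound",
     "ip_prefix": "45.60.173.253/32"},
    {"region": "EU1", "consumers": ["web"], "direction": "inbound",
     "ip_prefix": "198.51.100.0/24"}
  ],
  "prefixes_v6": [
    {"region": "GLOBAL", "consumers": ["web"], "direction": "inbound",
     "ipv6_prefix": "2600:9000:3000::/36"}
  ]
}""")


def allowlist(doc, region, direction, consumer=None):
    """Return the prefixes (sorted canonical strings) one firewall rule needs.

    consumer is "api" or "web" for inbound rules; outbound entries carry no
    "consumers" key, so it is ignored there. Web clients also need the GLOBAL
    region, which carries the CloudFront UI artifact prefixes.
    """
    regions = {region, "GLOBAL"} if consumer == "web" else {region}
    nets = set()
    for key, entries in (("ip_prefix", doc.get("prefixes", [])),
                         ("ipv6_prefix", doc.get("prefixes_v6", []))):
        for e in entries:
            if e["region"] not in regions or e["direction"] != direction:
                continue
            if consumer and consumer not in e.get("consumers", []):
                continue
            # ip_network validates the prefix (strict: no host bits set)
            nets.add(str(ipaddress.ip_network(e[key])))
    return sorted(nets)


def changes(previous, current):
    """Prefixes added and removed since the last ingestion, so the rule update
    can be reviewed before it is pushed to the firewall."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)
```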
5.0 Outbound Connectivity
Outbound connections to customer infrastructure are initiated from the Fortanix IPs for the following Fortanix product features:

- Externally linked groups.
- LDAP Single Sign-On (SSO) integration.
- Plugin external Hypertext Transfer Protocol (HTTP) calls.
- Audit log forwarding.
In addition, common Internet infrastructure components such as Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), Online Certificate Status Protocol (OCSP), and Certificate Revocation List (CRL) may be utilized to facilitate these services.