1.0 Introduction
Fortanix SaaS is an internet-connected service that can interface with other internet-connected clients and services. This article elaborates on how these connections should be made and what security measures to take. It also describes the IP ranges associated with the Fortanix SaaS service.
DISCLAIMER
Fortanix aims to announce new IPs through the URL https://ip-ranges.fortanix.com/ip-ranges at least 30 days before using them. In addition, for web clients, the list includes IPs from Fortanix service providers, which may not adhere to this advance notice period.
2.0 Security Best Practices
The following best practices outline the key strategies to safeguard against potential threats:
Ensure the use of Transport Layer Security (TLS) with global Public Key Infrastructure (PKI), as Fortanix server certificates are issued by common public certificate authorities (CAs).
Use host-based access control solely as a defense-in-depth mechanism. The source and destination Internet Protocol (IP) addresses cannot generally be trusted on the Internet.
Use the Fortanix IP ranges JSON to ingest the IPs into the infrastructure to implement host-based access control. No other notice will be provided by Fortanix when changing IPs.
3.0 Fortanix IP Ranges JSON
NOTE
The latest Fortanix SaaS IP API ranges are available at https://ip-ranges.fortanix.com/.
The following are the descriptions of the fields:
- last_updated refers to the publication time and timestamp in ISO 8601 format.
- prefixes / ip_prefix refers to the IP prefixes for the IPv4 address ranges.
- prefixes_v6 / ipv6_prefix refers to the IP prefixes for the IPv6 address ranges.
- consumers
  - api: This is applicable when the user interacts with Fortanix systems by making requests to its API (Application Programming Interface).
  - web: This is applicable when using the Fortanix service through its browser user interface (UI).
- direction
  - inbound: The traffic from customer clients to Fortanix.
  - outbound: Host-Based.
- region refers to the Fortanix region or Global: All regions use a common global CloudFront Content Delivery Network (CDN) to serve UI artifacts. The IPs associated with that service are embedded in this JSON under the GLOBAL region designation.

This document describes the IP ranges associated with the Fortanix SaaS service. This is exposed as five distinct clusters (distinguished by the .region field). While they all have the same functionality, they are completely independent, and account information and data are not shared across regional boundaries.
NOTE
The Fortanix Armor services have now been moved out of Azure Cloud datacenters. The following table provides the post-migration details, which are applicable from July 28th, 2025.
REGIONS | LOCATIONS | SERVICES |
---|---|---|
NA1 | US datacenters | DSM SaaS |
EU1 | Europe datacenters | DSM SaaS |
GLOBAL | Europe datacenters | Armor, Key Insight, IAM, CCM |
APAC1 | Asia Pacific datacenters | DSM SaaS |
UK1 | United Kingdom datacenters | DSM SaaS |
AU1 | Australia datacenters | DSM SaaS |
3.1 Examples
The syntax of ip-ranges.fortanix.com is as follows:
NOTE
This is only a sample API snippet.
If services in REG1 need to connect to your network, you must allow inbound traffic from the IPv4 address 192.0.2.3/32.
{ "last_updated": "20250627T151623Z", "prefixes": [ { "region": "REG1", "direction": "outbound", "ip_prefix": "192.0.2.3/32" } ] }
If API or browser consumers in your network need to reach services in REG1, you must allow outbound traffic to the IPv4 address 192.0.2.0/24.
{ "last_updated": "20250627T151623Z", "prefixes": [ { "region": "REG1", "consumers": [ "api", "web" ], "direction": "inbound", "ip_prefix": "192.0.2.0/24" } ] }
If any of the Fortanix services need to connect to your network, you must allow inbound traffic from the IPv4 address 198.51.100.15/32. This traffic will not appear before August 1, 2025.
{ "last_updated": "20250627T151623Z", "prefixes": [ { "region": "GLOBAL", "direction": "outbound", "valid_after": "20250801T000000Z", "ip_prefix": "198.51.100.15/32" } ] }
Regardless of the target service or region, if API or browser consumers in your network need to reach Fortanix, you must allow outbound traffic to the IPv4 address 203.0.113.42/32.
{ "last_updated": "20250627T151623Z", "prefixes": [ { "region": "GLOBAL", "consumers": [ "api", "web" ], "direction": "inbound", "ip_prefix": "203.0.113.42/32" } ] }
If browser consumers in your network need to access any of the Fortanix platforms, you must allow outbound traffic to the IPv4 address 198.51.100.21/32. This is required only for browsers accessing Fortanix services. API-only consumers do not need to reach this IP address.
{ "last_updated": "20250627T151623Z", "prefixes": [ { "region": "GLOBAL", "consumers": [ "web" ], "direction": "inbound", "ip_prefix": "198.51.100.21/32" } ] }
To allow inbound traffic to the IPv6 address 2600:9000:3000::/36:
{ "last_updated": "20250627T151623Z", "prefixes_v6": [ { "region": "GLOBAL", "consumers": [ "web" ], "direction": "inbound", "ipv6_prefix": "2600:9000:3000::/36" } ] }
4.0 Inbound Connectivity
4.1 API Clients
Use a Server Name Indication (SNI)-enabled client and establish the connection with the appropriate API hostname when using client certificates or mutual Transport Layer Security (TLS).
Refer to the designated Fully Qualified Domain Names (FQDNs) for establishing connections to the respective Fortanix services and their corresponding regions.
4.1.1 Host-Based Access Control
It is recommended to use the Domain Name System (DNS).
If the customer's firewall cannot use the DNS-based filtering option, use IP addresses: for each region of the service being accessed, retrieve the inbound IP addresses from the ip-ranges.json file, considering the option to filter for prefixes designated for API consumers.
4.2 Web Clients
Similar to API clients, web clients should include *.fortanix.com, *.smartkey.io, and all elements specified in the Content Security Policy (CSP) on any page within those domains.
4.2.1 Host-Based Access Control
It is recommended to use the Domain Name System (DNS).
Internet Protocol (IP): for each region of the service you are connecting to, look up the inbound IP addresses for that region as well as the GLOBAL region. This only covers IPs for *.fortanix.com and *.smartkey.io, not any other domains that may be listed in the CSP.
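The lookups described in sections 4.1.1 and 4.2.1, and the corresponding outbound lookup, as an added example that is not Fortanix code. The names select_prefixes and parse_ts are hypothetical, the sample document is constructed from the snippets in section 3.1, and holding back an entry until its valid_after time is an assumption about how to apply that field.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample combining the documentation snippets from section 3.1 (not live data).
SAMPLE = json.loads("""
{"last_updated": "20250627T151623Z",
 "prefixes": [
  {"region": "REG1", "direction": "outbound", "ip_prefix": "192.0.2.3/32"},
  {"region": "REG1", "consumers": ["api", "web"], "direction": "inbound", "ip_prefix": "192.0.2.0/24"},
  {"region": "GLOBAL", "direction": "outbound", "valid_after": "20250801T000000Z", "ip_prefix": "198.51.100.15/32"},
  {"region": "GLOBAL", "consumers": ["api", "web"], "direction": "inbound", "ip_prefix": "203.0.113.42/32"},
  {"region": "GLOBAL", "consumers": ["web"], "direction": "inbound", "ip_prefix": "198.51.100.21/32"}],
 "prefixes_v6": [
  {"region": "GLOBAL", "consumers": ["web"], "direction": "inbound", "ipv6_prefix": "2600:9000:3000::/36"}]}
""")

def parse_ts(value):
    # Timestamps on the page use the ISO 8601 basic form, e.g. 20250627T151623Z.
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def select_prefixes(doc, region, direction, consumer=None, now=None):
    """Return sorted networks for `region` plus GLOBAL in the given direction.

    direction="inbound":  destinations your clients connect to (egress rules).
    direction="outbound": Fortanix sources connecting to you (ingress rules).
    """
    now = now or datetime.now(timezone.utc)
    selected = set()
    for list_key, field in (("prefixes", "ip_prefix"), ("prefixes_v6", "ipv6_prefix")):
        for entry in doc.get(list_key, []):
            if entry.get("region") not in (region, "GLOBAL"):
                continue
            if entry.get("direction") != direction:
                continue
            if consumer and consumer not in entry.get("consumers", []):
                continue
            # Assumption: an entry is held back until its valid_after time has passed.
            if "valid_after" in entry and parse_ts(entry["valid_after"]) > now:
                continue
            # strict=True rejects prefixes with host bits set (malformed feed data).
            selected.add(ipaddress.ip_network(entry[field], strict=True))
    # Sort IPv4 before IPv6; networks of the same version compare directly.
    return sorted(selected, key=lambda n: (n.version, n))
```

Because Fortanix gives no other notice of IP changes, run the selection on a schedule against a freshly fetched copy of the JSON and regenerate the firewall rules from its output.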
5.0 Outbound Connectivity
Outbound connections to customer infrastructure are initiated using the Fortanix IPs for the following Fortanix product features:
Externally linked groups.
LDAP Single Sign-On (SSO) integration.
Plugin external Hypertext Transfer Protocol (HTTP) calls.
Audit log forwarding.
In addition, common Internet infrastructure components such as Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), Online Certificate Status Protocol (OCSP), and Certificate Revocation List (CRL) may be utilized to facilitate these services.