Enabling and Creating IP Address Rules
You can limit access to your company’s NetSuite account by entering IP address rules. Only computers with IP addresses that match those you have entered will be permitted to access your NetSuite account. For example, you may want to require, as an additional condition, that employees log in to your NetSuite account from a trusted location.
Be aware of the following:
- To further secure the user login process, two-factor authentication is the preferred alternative to restricting access by IP address. For more information, see Two-Factor Authentication (2FA). Consider using 2FA instead.
- NetSuite does not support traffic routed through a split-tunnel Virtual Private Network (VPN) to control user access to NetSuite. For more information, see VPN Configuration for User Access to NetSuite.
- IP Address Rules are effective after successful login. The rules do not prevent a password reset or the login flow.
IP addresses were designed primarily to serve host identification and addressing, not as a second factor for user authentication. Consider the following precautions.
- Only public IPv4 addresses can be used. Private IPv4 addresses cannot be used outside of your private network.
- IPv6 addresses are not supported.
- Make sure that you are the only owner of the public IPv4 address and that it is not shared among multiple ISP clients.
  With the increasing number of network devices, it is difficult to determine the IPv4 address of the client reliably. Increased scarcity of IPv4 addresses is leading ISPs to use Carrier-Grade NAT (CGN), Large-Scale NAT (LSN), and shorter Dynamic Host Configuration Protocol (DHCP) lease times. The client IPv4 address is not usually designated to one client, nor is it static.
- Any IP packet can be spoofed and the source-address modified or crafted.
- Any IP address being rented to you cannot be treated as a reliable authentication factor.
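A pre-check of candidate addresses against the precautions above, given as an added example that is not part of the NetSuite documentation or any NetSuite API. It assumes each entry is a single address string; the helper names and sample entries are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, which ISPs use behind Carrier-Grade NAT.
CGN_SPACE = ipaddress.ip_network("100.64.0.0/10")


def check_rule_address(text):
    """Classify one candidate address; returns (usable, reason).

    Hypothetical helper for illustration, not a NetSuite API.
    """
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return (False, "not a valid IP address")
    if addr.version == 6:
        return (False, "IPv6 addresses are not supported")
    if addr in CGN_SPACE:
        return (False, "carrier-grade NAT space, shared among ISP clients")
    if addr.is_private or addr.is_multicast or addr.is_reserved or not addr.is_global:
        return (False, "private or special-purpose address, not a public IPv4 address")
    # Ownership, sharing and DHCP lease changes cannot be seen from the
    # address itself; those still have to be confirmed with the ISP.
    return (True, "public IPv4 address; confirm it is static and not shared")


def review(candidates):
    """Map each candidate string to its (usable, reason) verdict."""
    return {entry: check_rule_address(entry) for entry in candidates}


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real account.
    sample = ["8.8.8.8", "10.0.0.5", "192.168.1.20", "100.64.1.1",
              "2001:db8::1", "office-gateway"]
    for entry, (usable, reason) in review(sample).items():
        print(f"{'OK    ' if usable else 'REJECT'} {entry:<15} {reason}")
```

A passing result only means the address is syntactically a public IPv4 address; whether it is static and assigned to you alone still has to be confirmed with your ISP.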
New users with roles that have IP address restrictions enabled are prompted to set up security questions. When you apply IP address restrictions, users are not prompted to answer security questions when logging in to NetSuite or when changing roles. These IP address-restricted users are only asked their security questions if they forget their passwords. See Setting Up Security Questions for more information.
SOAP web services, SAML Single Sign-on, and OpenID Connect Single Sign-on also respect IP Address restriction rules.
SuiteAnalytics Connect access to NetSuite does not respect IP address restriction rules. Users may be able to access NetSuite data through SuiteAnalytics Connect from IP addresses that they cannot use to access the NetSuite application directly.
Two-factor authentication is the preferred alternative to restricting access by IP address. For more information, see Two-Factor Authentication (2FA). However, if you still want to restrict access to your NetSuite account by employing IP address rules, see the following sections:
IP address rules can also be applied in a sandbox account.