New Portnox Cloud back-end IP ranges

In this topic, you will learn about the new Portnox Cloud back-end IP ranges and where to add them to keep your Portnox Cloud services running without disruption.

Portnox is updating its IP address structure as part of ongoing improvements to its Azure-based infrastructure. This update reduces the total number of IP addresses you need to configure on the hardware, software, and services that communicate with Portnox Cloud.

The new Portnox Cloud IP ranges are:

Region	First IP – Last IP	CIDR notation	Network/Netmask notation	Wildcard mask notation (Cisco ACL)
United States	`20.85.190.232` – `20.85.190.239`	`20.85.190.232/29`	`20.85.190.232/255.255.255.248`	`20.85.190.232 0.0.0.7`
EMEA	`20.67.6.144` – `20.67.6.151`	`20.67.6.144/29`	`20.67.6.144/255.255.255.248`	`20.67.6.144 0.0.0.7`

Note:

The table above shows the same IP ranges in different notations for your convenience. All columns in each row refer to exactly the same IP range. These notations are intended for firewall configuration only – not for routing or subnetting. Do not treat the first and last IP addresses as a gateway or broadcast address.

The new IP ranges are already active. Portnox is gradually migrating services to use them. If you do not add the new IP ranges where you previously added older Portnox Cloud IP ranges, your services will be disrupted. Adding the new IP ranges will immediately resolve any disruption.

The checklist below covers the most common places where you may have previously configured Portnox IP addresses. Work through the steps that apply to the Portnox Cloud services you use, and confirm that the new IP ranges are included in each location.

Check any firewall software or hardware that limits Internet access for client devices that use Portnox AgentP – whether configured on the devices themselves or managed centrally.
For more information, see: How to set up the firewall for AgentP to connect to Cloud.
Check any firewall software or hardware that limits Internet access for your Portnox Docker containers.
For more information, see: How to set up the firewall for Portnox Docker containers to connect to Portnox Cloud.
Check any firewall software or hardware that limits Internet access for your Portnox local RADIUS servers.
For more information, see: How to set up the firewall for the local RADIUS instance to connect to Portnox Cloud.
Check any firewall software or hardware that limits Internet access for your Portnox local TACACS+ servers.
For more information, see: How to set up the firewall for the local TACACS+ instance to connect to Portnox Cloud.
Check any firewall software or hardware that limits Internet access for your Portnox LDAP Broker installations.
For more information, see: How to check if the LDAP Broker connects to the cloud.
If you use Okta as an authentication repository, or use Okta for RADIUS MFA, add the Portnox IP ranges as trusted in Okta.
For more information, see: Integrate with Okta and Use Okta for RADIUS MFA.
If you configured Entra ID to bypass MFA for Portnox services, update the IP addresses listed in Entra ID as allowed.
For more information, see: Bypass multi-factor authentication in Entra ID.
Check the configuration of your SIEM solutions to confirm they accept events from the new Portnox Cloud IP ranges.

For more information, see: Integrating with SIEM platforms.

If you use Microsoft Sentinel, see the required security rules.

If you use Rapid7 InsightIDR, see the required security rules.

If you use Datadog with Syslog, see the required security rules.

If you use Datadog with Syslog and TLS, see the required security rules.
Check any other firewall software, hardware, or services not listed above where you previously restricted access to specific Portnox Cloud IP addresses, and add the new IP ranges.
Optional: Verify connectivity using example IPs from the new ranges:
- Windows:
  
  Type the following commands in PowerShell:
  - For the United States region:
```
tnc 20.85.190.232 -port 443 ; tnc 20.85.190.232 -port 8081
```
  - For the EMEA region:
```
tnc 20.67.6.144 -port 443 ; tnc 20.67.6.144 -port 8081
```
  Expected result: TcpTestSucceeded : True
- macOS/Linux:
  
  Type the following commands in a Terminal window:
  - For the United States region:
```
nc -zv 20.85.190.232 443 ; nc -zv 20.85.190.232 8081
```
  - For the EMEA region:
```
nc -zv 20.67.6.144 443 ; nc -zv 20.67.6.144 8081
```
  Expected result: Connection to ip_address port_number port [tcp/protocol] succeeded!