Skip to content

Restrict Where Collectors Can Connect From

Every collector reaches out to GridNMS over an outbound connection, authenticated with a credential issued when you register it. The IP allowlist adds a second, independent layer on top of that credential: you can restrict connections to only the IP addresses or ranges you specify, account-wide.

This is defense in depth. A collector’s credential alone is usually enough — the allowlist matters if you want an extra guarantee that a connection can only ever come from your own networks, even if a credential were ever exposed.

Go to Configure → Collectors. In the summary bar at the top of the page, click IP Allowlist (shield icon).

The panel shows a running count of active rules and, when there are none, a clear note that all IPs are currently allowed — so you always know which state you’re in before making a change.

  • No rules = allow all. With an empty allowlist, collectors can connect from any IP, exactly as before you touched this setting. Nothing changes for your existing collectors until you add a rule.
  • One or more active rules = restricted. As soon as you add and enable a rule, only connections from a matching IP are accepted. Any connection attempt from an IP outside every active rule is refused.
  • Rules apply to the whole account, not to one collector at a time — if you run collectors at several sites, make sure your allowlist covers every site’s egress IP before you rely on it.
  1. Open the IP Allowlist panel from Configure → Collectors.
  2. Enter an IP address (e.g. 203.0.113.4) or a CIDR range (e.g. 203.0.113.0/24) — this should be the address your collector’s network egresses through, not the collector’s internal/private IP.
  3. Optionally add a label so you remember what the rule is for (e.g. “HQ office egress” or “Boston branch firewall”).
  4. Click Add.

Each rule has a toggle so you can temporarily disable it without deleting it — useful if you’re troubleshooting and want to quickly fall back to allow-all for that rule without losing the CIDR you entered. Use the X button to remove a rule for good.

Only account administrators can view and change the IP allowlist — it’s a security setting for the whole account, not something delegated to individual sites.

  • Networks & Sites — a related but different setting: which devices a collector is allowed to monitor, not which IPs it’s allowed to connect from.
  • Getting the Real Source IP — background on how GridNMS sees a collector’s connecting IP.
  • Monitoring Your Collectors — check collector status if a connection is unexpectedly refused after adding a rule.