Configure collection level security

Background

This article discusses how to apply IP-restricted access to a Funnelback collection.

The access_restriction collection.cfg setting is used to configure the IP whitelist for collection access.

The syntax for this setting differs for Modern UI vs Classic UI. When a collection is secured this needs to be taken into account to ensure that the collection is fully secured.

Funnelback 15.0 and newer

In Funnelback 15.0 and newer a collection only needs to be secured for the Modern UI as the Classic UI was removed.

Access restrictions for the Modern UI must specify IP addresses in CIDR format.

collection.cfg
# Modern UI IP whitelist syntax
access_restriction=144.53.226.35/32,144.53.237.15/32,144.53.226.17/32,144.53.237.150/32,127.0.0.1/32,10.7.6.0/24,10.7.6.0/32,10.7.14.0/24,103.15.168.1/32,150.101.184.206/32,150.101.157.243/32,202.9.95.97/32

Funnelback 11.0 to 14.2

To secure a collection in Funnelback versions 11.0 to 14.2, collection-level security must be applied for both the Modern UI and the Classic UI, even if only one of the interfaces is used by the search. This ensures that anyone who tries to access the search through either interface will have the access restriction applied.

When applying the IP address restriction it is vital to order the list so that the CIDR-format addresses for the Modern UI appear before the addresses for the Classic UI. This is because the Modern UI requires all addresses to be in CIDR format and will stop processing the IP address list when it encounters an address that is not in this format.

Classic UI applies the restrictions as substring matches of the patterns compared against the user’s IP address.

collection.cfg
# Secure for both Modern UI and Classic UI
access_restriction=144.53.226.35/32,144.53.237.15/32,144.53.226.17/32,144.53.237.150/32,127.0.0.1/32,10.7.6.0/24,10.7.6.0/32,10.7.14.0/24,103.15.168.1/32,150.101.184.206/32,150.101.157.243/32,202.9.95.97/32,144.53.226.35,144.53.237.15,144.53.226.17,144.53.237.150,127.0.0.1,10.7.6.,10.7.14.,103.15.168.1,150.101.184.206,150.101.157.243,202.9.95.97

Note: The Modern UI will report a misconfiguration error when a valid IP is not found due to the Classic UI-style patterns. This can be ignored so long as the Classic UI patterns appear after the Modern UI patterns.

> Sorry, your machine does not have access to COLLECTION_NAME.
> access_restriction in this collection's collection.cfg is misconfigured, IP ranges must be in CIDR format

Funnelback 10.1.2 and earlier

Funnelback 10.1.2 and earlier use only the Classic UI. Addresses used for access restriction are matched as substrings against the user’s IP address.

collection.cfg
# Classic UI IP whitelist syntax
access_restriction=144.53.226.35,144.53.237.15,144.53.226.17,144.53.237.150,127.0.0.1,10.7.6.,10.7.14.,103.15.168.1,150.101.184.206,150.101.157.243,202.9.95.97
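
The following audit script is an added example, not Funnelback code. It models the two behaviours described above (the Modern UI stops reading at the first non-CIDR entry; the Classic UI matches patterns as substrings) so a combined access_restriction value can be checked before deployment. The function names and the sample value are constructed for illustration, and the substring test is an assumption based on the article's description.

```python
import ipaddress

def split_entries(value):
    """Split an access_restriction value into its comma-separated entries."""
    return [e.strip() for e in value.split(",") if e.strip()]

def as_network(entry):
    """Return an ip_network for a CIDR entry, or None for a Classic UI pattern."""
    if "/" not in entry:
        return None
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def audit(value):
    """Model the behaviour the article describes: the Modern UI stops reading
    at the first non-CIDR entry, so CIDR entries after it are never applied."""
    modern, classic, unreachable = [], [], []
    stopped = False
    for entry in split_entries(value):
        net = as_network(entry)
        if net is None:
            stopped = True
            classic.append(entry)
        elif stopped:
            unreachable.append(entry)
        else:
            modern.append(net)
    return modern, classic, unreachable

def modern_allows(ip, modern):
    """True if ip falls inside one of the CIDR ranges the Modern UI read."""
    return any(ipaddress.ip_address(ip) in net for net in modern)

def classic_allows(ip, classic):
    # Assumption: a plain substring test, as the article describes Classic UI matching.
    return any(pattern in ip for pattern in classic)

# Constructed sample value (not a real deployment): the last CIDR entry is misplaced.
SAMPLE = "10.7.6.0/24,103.15.168.1/32,10.7.6.,103.15.168.1,10.7.14.0/24"
modern, classic, unreachable = audit(SAMPLE)
print("Modern UI never reaches:", unreachable)
for ip in ("10.7.6.20", "103.15.168.1", "103.15.168.17", "10.7.14.9"):
    print(ip, "modern:", modern_allows(ip, modern), "classic:", classic_allows(ip, classic))
```

Any address where the two columns disagree marks a pattern that admits a different set of clients on each interface; ending a Classic UI pattern at an octet boundary (as in `10.7.6.`) or reordering the list closes the gap.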