> ## Documentation Index
> Fetch the complete documentation index at: https://docs.planasonix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# IP whitelisting

> Restrict platform access to approved IP addresses.

**IP whitelisting** limits who can reach the Planasonix web application and, when enabled for your contract, certain **API** and **agent** ingress paths to addresses you trust. Misconfiguration can lock out every administrator, so treat changes as **production changes** with a tested recovery path.

## Adding IP ranges

Organization admins maintain the allowlist under **Settings → IP whitelisting**.

<Steps>
  <Step title="Inventory egress">
    Collect **office NAT** public IPs, **VPN concentrator** pools, and **cloud NAT** ranges used by automation that calls Planasonix. Include **IPv6** if your workforce uses it.
  </Step>

  <Step title="Enter CIDR blocks">
    Add each range in **CIDR notation** (for example `203.0.113.0/24` or `2001:db8::/32`). Single hosts use `/32` (IPv4) or `/128` (IPv6).
  </Step>

  <Step title="Label and document">
    Give each entry a **name** and **ticket reference** so future admins know why it exists and when to remove it.
  </Step>

  <Step title="Simulate before enforce">
    Use **report-only** or **staging workspace** modes if your tenant offers them; otherwise add ranges **before** removing old access.
  </Step>
</Steps>

### CIDR notation

CIDR expresses an address **prefix**: the number after `/` is the **prefix length**, the count of leading bits that must match. A shorter prefix length admits more addresses, so a `/22` covers four times as many hosts as a `/24`.

| Example            | Meaning                                                   |
| ------------------ | --------------------------------------------------------- |
| `198.51.100.17/32` | Exactly one IPv4 address                                  |
| `198.51.100.0/24`  | 256 addresses from `198.51.100.0` to `198.51.100.255`     |
| `2001:db8:1::/48`  | One IPv6 site prefix (2^80 addresses); add it only if the whole `/48` is yours |

<Tip>
  Aggregate adjacent office subnets into one `/23` or `/22` only when you control the whole block; in shared carrier-NAT environments a broader prefix also admits neighbouring tenants that happen to share the same egress space.
</Tip>
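A pre-flight script that ties the four steps above and the CIDR rules together, written as an added example rather than Planasonix code. It parses each proposed entry with Python's standard `ipaddress` module, rejects prefixes with host bits set, flags missing ticket references, non-public ranges and suspiciously broad blocks, suggests where adjacent entries collapse into one prefix, and runs the "simulate before enforce" check: which of your admins' egress addresses the proposed list would not admit. The `Entry` shape, the breadth thresholds (`/22` and `/48`) and the sample entries and admin addresses are assumptions built from RFC 5737 / RFC 3849 documentation ranges.

```python
"""Pre-flight checks for an IP allowlist change.

Added example, not Planasonix code: the Entry shape (name, cidr, ticket),
the breadth thresholds and the sample data below are assumptions for
illustration. Run it against a proposed list before enforcing it, so a
typo or a forgotten VPN pool shows up here instead of as a lockout.
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy: anything broader than these prefix lengths needs a second
# look, because few organisations own more than a /22 of IPv4 or a /48 of IPv6.
MIN_PREFIXLEN = {4: 22, 6: 48}

# Ranges that can never be the source address the platform sees: RFC 1918,
# loopback, link-local and carrier-grade NAT inside space.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass(frozen=True)
class Entry:
    name: str    # label shown in the allowlist UI
    cidr: str    # CIDR block, or a bare address for a single host
    ticket: str  # change ticket explaining why the entry exists


def validate(entries):
    """Parse every entry; return (networks, problems).

    strict=True makes ipaddress reject a prefix with host bits set, e.g.
    '198.51.100.17/24', which almost always means someone meant /32.
    A bare address is normalised to /32 or /128.
    """
    nets, problems = [], []
    for e in entries:
        if not e.ticket:
            problems.append(f"{e.name}: missing ticket reference")
        try:
            net = ipaddress.ip_network(e.cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{e.name}: invalid CIDR {e.cidr!r} ({exc})")
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            problems.append(f"{e.name}: {net} is broader than /{MIN_PREFIXLEN[net.version]}; "
                            "confirm you control the whole block")
        for r in NON_PUBLIC:
            if r.version == net.version and net.overlaps(r):
                problems.append(f"{e.name}: {net} is not public address space ({r}); "
                                "allowlist the NAT address the platform sees")
                break
        nets.append(net)
    return nets, problems


def aggregation_hints(nets):
    """Per IP version, the collapsed list when adjacent or nested entries can be
    written with fewer prefixes; empty dict when nothing collapses."""
    hints = {}
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        collapsed = list(ipaddress.collapse_addresses(same))
        if same and len(collapsed) < len(same):
            hints[version] = [str(n) for n in collapsed]
    return hints


def uncovered_admins(nets, admin_ips):
    """The 'simulate before enforce' check: admin egress addresses the proposed
    list would NOT admit. Anything returned here is a lockout waiting to happen."""
    locked_out = []
    for raw in admin_ips:
        ip = ipaddress.ip_address(raw)
        if not any(ip in n for n in nets):
            locked_out.append(raw)
    return locked_out


# Constructed sample data using documentation ranges (RFC 5737 / RFC 3849).
PROPOSED = [
    Entry("HQ office NAT", "203.0.113.0/24", "NET-101"),
    Entry("VPN pool A", "198.51.100.0/25", "NET-102"),
    Entry("VPN pool B", "198.51.100.128/25", "NET-102"),
    Entry("CI runner", "192.0.2.7", "NET-110"),          # bare host -> /32
    Entry("Old branch", "198.51.100.17/24", ""),         # host bits set, no ticket
    Entry("Lab", "10.20.0.0/24", "NET-120"),             # RFC 1918, never a source
    Entry("Regional carrier", "203.0.96.0/19", "NET-140"),  # broader than /22
    Entry("IPv6 site", "2001:db8:1::/48", "NET-130"),
]
ADMIN_EGRESS = ["203.0.113.44", "198.51.100.200", "2001:db8:1:5::1",
                "192.0.2.99", "2001:db8:2::1"]


def preflight(entries=PROPOSED, admin_ips=ADMIN_EGRESS):
    """Run all checks; a non-empty 'locked_out' means do not enforce yet."""
    nets, problems = validate(entries)
    return {
        "networks": [str(n) for n in nets],
        "problems": problems,
        "aggregation": aggregation_hints(nets),
        "locked_out": uncovered_admins(nets, admin_ips),
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

On the sample data the script reports the two VPN pools collapsing into `198.51.100.0/24`, the `/19` swallowing the HQ `/24`, and two admins (`192.0.2.99` and `2001:db8:2::1`) who would be locked out; feed it the egress addresses your admins actually present (for example from the Planasonix audit log of recent logins) rather than the constructed list.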

## IP recovery flow for lockouts

If nobody can log in:

1. **Use a registered break-glass path** – Many enterprises keep an **out-of-band admin VPN** or a **corporate device** whose egress address is already on the list. Connect through that path and fix the list.
2. **Contact Planasonix support** – Verify your identity per your support contract. Support can apply a **temporary bypass** or a **scheduled maintenance window** that disables enforcement long enough for you to correct the CIDRs.
3. **Keep the break-glass path staffed** – Make sure at least **two** people hold credentials for the recovery VPN, and that HR offboarding updates the break-glass runbook so a departure never removes the only person who can use it.

<Warning>
  Do not rely on a single home ISP IP; residential addresses change without notice. Use VPN or Zero Trust clients that map to stable corporate egress.
</Warning>

## Best practices

<AccordionGroup>
  <Accordion title="Pair with SSO session policy">
    IP allowlists complement [SSO](/settings/sso) and [session policy](/settings/session-policy); they are not a substitute for MFA or device compliance.
  </Accordion>

  <Accordion title="Separate UI and API lists">
    If your plan supports split policies, put **CI/CD** automation on its own CIDR set so rotating office IPs does not break nightly jobs.
  </Accordion>

  <Accordion title="Plan for SaaS egress">
    Some third-party tools call Planasonix on your behalf. Either **proxy** those calls through your allowlisted egress or add **minimal** vendor egress ranges and review them quarterly.
  </Accordion>

  <Accordion title="Audit quarterly">
    Remove stale entries tied to closed offices or decommissioned NAT gateways. Overgrown lists defeat the purpose of the control.
  </Accordion>
</AccordionGroup>

<Info>
  Pipeline **agents** and **SSH bastions** may need distinct allowlisting on the **destination** side. This page covers access **to** Planasonix; database firewalls are configured in each connection or cloud console.
</Info>

## Related topics

<CardGroup cols={2}>
  <Card title="Session policy" icon="clock" href="/settings/session-policy">
    Idle timeout and concurrent session rules.
  </Card>

  <Card title="Authentication troubleshooting" icon="key" href="/troubleshooting/authentication">
    Resolve login failures after policy changes.
  </Card>
</CardGroup>
