Restrict Where Collectors Can Connect From
Every collector reaches out to GridNMS over an outbound connection, authenticated with a credential issued when you register it. The IP allowlist adds a second, independent layer on top of that credential: you can restrict connections to only the IP addresses or ranges you specify, account-wide.
This is defense in depth. A collector’s credential alone is usually enough — the allowlist matters if you want an extra guarantee that a connection can only ever come from your own networks, even if a credential were ever exposed.
Where to find it
Section titled “Where to find it”Go to Configure → Collectors. In the summary bar at the top of the page, click IP Allowlist (shield icon).
The panel shows a running count of active rules and, when there are none, a clear note that all IPs are currently allowed — so you always know which state you’re in before making a change.
How it works
Section titled “How it works”- No rules = allow all. With an empty allowlist, collectors can connect from any IP, exactly as before you touched this setting. Nothing changes for your existing collectors until you add a rule.
- One or more active rules = restricted. As soon as you add and enable a rule, only connections from a matching IP are accepted. Any connection attempt from an IP outside every active rule is refused.
- Rules apply to the whole account, not to one collector at a time — if you run collectors at several sites, make sure your allowlist covers every site’s egress IP before you rely on it.
Add a rule
Section titled “Add a rule”- Open the IP Allowlist panel from Configure → Collectors.
- Enter an IP address (e.g.
203.0.113.4) or a CIDR range (e.g.203.0.113.0/24) — this should be the address your collector’s network egresses through, not the collector’s internal/private IP. - Optionally add a label so you remember what the rule is for (e.g. “HQ office egress” or “Boston branch firewall”).
- Click Add.
Turn a rule on or off, or remove it
Section titled “Turn a rule on or off, or remove it”Each rule has a toggle so you can temporarily disable it without deleting it — useful if you’re troubleshooting and want to quickly fall back to allow-all for that rule without losing the CIDR you entered. Use the X button to remove a rule for good.
Who can manage it
Section titled “Who can manage it”Only account administrators can view and change the IP allowlist — it’s a security setting for the whole account, not something delegated to individual sites.
Related pages
Section titled “Related pages”- Networks & Sites — a related but different setting: which devices a collector is allowed to monitor, not which IPs it’s allowed to connect from.
- Getting the Real Source IP — background on how GridNMS sees a collector’s connecting IP.
- Monitoring Your Collectors — check collector status if a connection is unexpectedly refused after adding a rule.