          Restrict Login IP Addresses in Profiles

          To control login access at the user level, specify the ranges of allowed IP addresses on a user’s profile. When you define IP address restrictions for a profile, a login from any other IP address is denied.

          Required Editions

          Available in: Salesforce Classic and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To view login IP ranges: View Setup and Configuration
          To edit and delete login IP ranges: Manage Profiles and Permission Sets

          How you restrict the range of valid IP addresses on a profile depends on your Salesforce edition.

          • In Enterprise, Performance, Unlimited, or Developer Edition, manage valid IP addresses in profiles.
          • In Group or Personal Edition, from Setup, manage valid IP addresses on the Session Settings page.
          • In Professional Edition, the location of IP ranges depends on whether "Edit Profiles & Page Layouts" is enabled as an add-on feature. With that feature, you can specify login IP ranges for individual profiles. Without the "Edit Profiles & Page Layouts" feature, you can define trusted IP ranges only at the org level on the Network Access Setup page.

          Also, these login restrictions don’t apply to sites hosted on Experience Delivery. Manage valid IP addresses for sites hosted on Experience Delivery with Custom Firewall Rule Expressions instead.

          As of Winter ’26, Salesforce enforces limits for login IP ranges for a specific profile. The limit depends on the IP address type—either IPv4 or IPv6. You can’t add login IP ranges that exceed the limit for your IP range type. If your trusted IP ranges already exceeded the limit before this change, Salesforce can challenge users for device activation even if they’re within their profile’s login IP range. If a user is outside of the range, Salesforce blocks the login entirely. For more information, see Device Activation.

          Here are the limits for IPv4 and IPv6 addresses. If you use IPv4-mapped IPv6 addresses, the IPv4 limit applies.

          IP Address Type    Limit
          IPv4               16,777,216
          IPv6               2^99 (2 to the power of 99)

          When calculating the total number of IP addresses, Salesforce doesn’t count private IP addresses in this range: 10.0.0.0 to 10.255.255.255. For more information on private IP addresses, see RFC 1918 from the Internet Engineering Task Force. To make sure that private IP addresses are excluded, add them as a separate range entry.

          Note: If you already exceeded the limit before Spring ’26, you can’t edit your ranges to include private IP ranges.

          Restrict Login IP Addresses in Profiles

          To restrict user logins based on IP ranges, specify at least one allowed IP address range for each profile. When one or more login IP ranges exists on a profile, a login from any other IP address is denied.

          1. From Setup, in the Quick Find box, enter Profiles, and then select Profiles.
          2. To restrict the IP addresses for this profile, add the allowed IP ranges.
            1. Add an allowed IP range.
              • In the enhanced profile user interface, click Login IP Ranges, and then click Add IP ranges.
              • In the original profile user interface, scroll down to the Login IP Ranges related list, and then click New.
              Note: Partner User profiles are limited to five IP addresses. To increase this limit, contact Salesforce.
            2. Specify the allowed login IP addresses for the profile.

              Enter a valid IP address in the IP Start Address field and a matching or higher-numbered IP address in the IP End Address field.

              To allow logins from a single IP address, enter the same address in both fields.

              A range can include IPv4 addresses, IPv4-mapped IPv6 addresses, or IPv6 addresses. An IP address range can’t include multiple types of addresses. For example, ranges like 255.255.255.255 to ::1:0:0:0 and :: to ::1:0:0:0 aren’t allowed.

              • The range of IPv4 addresses is 0.0.0.0 to 255.255.255.255.
              • The range of publicly accessible IPv6 addresses is ::1:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
              • IPv4-mapped IPv6 addresses allow an IPv6-enabled application to communicate with IPv4-only devices. To accomplish this configuration, the IPv4 address is embedded in the IPv6 address format. These addresses are represented as IPv4 addresses in the Salesforce user interface and in the API.

                The syntax for an IPv4-mapped IPv6 address is ::ffff:a.b.c.d, where a.b.c.d is the decimal representation of the IPv4 address. For example, the IPv4-mapped IPv6 address of 192.0.2.128 is ::ffff:192.0.2.128. So, the range of IPv4-mapped IPv6 addresses is ::ffff:0.0.0.0 to ::ffff:255.255.255.255.

              Important: To prevent user access issues, add login IP ranges with IPv6 addresses only to profiles with at least one login IP range with IPv4 addresses.
            3. Optionally enter a description for the range.
              If you maintain multiple ranges, use the Description field to provide details, such as which part of your network corresponds to this range.
            4. To allow users with this profile to log in from more IP addresses, add another range.
            5. Save your changes.
          3. To delete a Login IP range, click Delete.
            To allow a group of users to log in from any IP address, delete all Login IP ranges on the users’ profile.
          Note: Cache settings on static resources are set to private when accessed via a Salesforce Site with a guest user profile that has restrictions based on IP range or login hours. Sites with guest user profile restrictions cache static resources only within the browser. Also, if a previously unrestricted site becomes restricted, it can take up to 45 days for the static resources to expire from the Salesforce cache and any intermediate caches.
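
A pre-check for a planned set of login IP ranges against the rules above (one address type per range, start not above end, the IPv4 and IPv6 limits, and the IPv4 range that IPv6 ranges need alongside them). This is an added example, not Salesforce code; the function names are hypothetical, and it assumes that totals are summed per entry without merging overlaps and that only an entry lying wholly inside 10.0.0.0 to 10.255.255.255 goes uncounted.

```python
import ipaddress

# Limits and the uncounted private block, as stated on this page.
LIMITS = {"ipv4": 16_777_216, "ipv6": 2**99}
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")
IPV6_FLOOR = int(ipaddress.ip_address("::1:0:0:0"))  # lowest IPv6 address the page lists

# Constructed sample profile (documentation addresses), not real data.
SAMPLE = [("203.0.113.0", "203.0.113.255"), ("10.0.0.0", "10.255.255.255"),
          ("::ffff:192.0.2.0", "::ffff:192.0.2.255"), ("2001:db8::", "2001:db8::ffff")]

def classify(text):
    """Return (kind, address); IPv4-mapped addresses are reduced to their IPv4 form."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return "ipv4", addr
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped", addr.ipv4_mapped
    if int(addr) >= IPV6_FLOOR:
        return "ipv6", addr
    raise ValueError(f"{text} is below ::1:0:0:0 and not IPv4-mapped")

def check_profile(ranges):
    """ranges: list of (start, end) strings. Returns (findings, counted totals)."""
    findings, totals, seen = [], {"ipv4": 0, "ipv6": 0}, set()
    for start, end in ranges:
        label = f"{start} - {end}"
        try:
            (k1, a), (k2, b) = classify(start), classify(end)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
            continue
        if k1 != k2:
            findings.append(f"{label}: mixes {k1} and {k2}")
        elif int(a) > int(b):
            findings.append(f"{label}: end address is lower than start address")
        else:
            # IPv4-mapped entries count against the IPv4 limit.
            bucket = "ipv6" if k1 == "ipv6" else "ipv4"
            seen.add(bucket)
            # Assumption: only an entry wholly inside 10.0.0.0/8 goes uncounted.
            if not (bucket == "ipv4" and a in PRIVATE_10 and b in PRIVATE_10):
                totals[bucket] += int(b) - int(a) + 1
    for bucket, total in totals.items():
        if total > LIMITS[bucket]:
            findings.append(f"{bucket} total {total} exceeds limit {LIMITS[bucket]}")
    if "ipv6" in seen and "ipv4" not in seen:
        findings.append("IPv6 ranges present without any IPv4 range")
    return findings, totals
```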

          Apply Profile Login IP Restrictions to Page Requests

          You can use profile login IP ranges to further restrict access to Salesforce. With this option, those login IP ranges are enforced on each page request, including requests from client applications. Otherwise, login IP ranges are enforced only when a user logs in.

          1. In Setup, in the Quick Find box, enter Session Settings, and then select Session Settings.
          2. Select Enforce login IP ranges on every request and save your changes.
            This setting affects only user profiles with login IP restrictions.

          Prepare for IPv6 Support for Profile Login IP Ranges

          Today, IPv6 is supported only for the Salesforce Content Delivery Network (CDN) for Experience Cloud sites. But Salesforce is working behind the scenes to fully support IPv6. There’s no specific target date for full IPv6 support. Salesforce plans to roll out IPv6 support in stages. Watch the release notes for announcements about the specific timing for each phase.

          When Salesforce supports IPv6 for your org, IPv4 allowlists remain active and users can only log in via an IPv4 or IPv6 address that their profile allows. To ensure uninterrupted access for your users, for each profile with a login IP range with IPv4 addresses, add one or more login IP ranges with those users’ IPv6 addresses.

          Here are some considerations as you add IPv6 allowlists to your profiles.

          • If no login IP ranges exist on a profile, users with that profile can log in to Salesforce from any IP address. Profile login IP ranges aren’t required. However, profiles with one or more login IP ranges can require updates for IPv6.
          • You can add a login IP range with IPv6 addresses today, but logins via those addresses are permitted only when Salesforce supports IPv6.
          • There’s no correlation between an IPv6 address and an IPv4 address. To determine your users’ IPv6 addresses, work with your network team.
          • Until Salesforce fully supports IPv6, if a profile includes login IP ranges, verify that at least one IPv4 range exists on the profile. If one or more login IP ranges exists on a profile, a login from any other IP address is denied. Thus, if a profile’s login IP ranges include only IPv6 addresses, users with that profile can't access Salesforce until IPv6 is supported in your org for the feature that the user is accessing.
          Note: If you use IP allowlists on Hyperforce, consider a preferred alternative such as implementing mTLS or allowing domains.
           