---
title: Adding network range rules
description: Add a network range rule to examine a request and determine whether to grant access to a target site based on whether the IP address falls within a specified range, using Classless Inter-Domain Routing notation.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_network_range_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_network_range_rules.html
revdate: February 6, 2023
section_ids:
  steps: Steps
  choose-from: Choose from:
---

# Adding network range rules

Add a network range rule to examine a request and determine whether to grant access to a target site based on whether the IP address falls within a specified range, using Classless Inter-Domain Routing notation.

## Steps

1. Click **Access**, then go to **Rules > Rules**.

2. Click **[icon: plus, set=fa]Add Rule**.

3. In the **Name** field, enter a unique name, up to 64 characters long.

   Special characters and spaces are allowed.

4. From the **Type** list, select **Network Range**.

5. In the **Network Range** field, enter a network range value, such as `127.0.0.1/8`.

   PingAccess supports IPv4 addresses.

6. Select **Negate** if when a match is found, access is not allowed.

7. If you want to override source address handling defined in the **HTTP Requests** configuration, click **Show Advanced Settings** and perform the following steps:

   1. Click **Override Request IP Source Configuration**.

   2. In the **Headers** field, enter the headers used to define the source IP address to use.

   3. Select the **Header Value Location** to use when multiple addresses are present in the specified header.

      Valid values are `Last` (the default) and `First`.

   4. Click **Fall Back to Last Hop IP** to determine if, when the specified **Headers** are not present, PingAccess should return a `Forbidden` result or if it should use the address of the previous hop as the source to make policy decisions.

   5. To configure rejection handling, select a rejection handling method:

      ### Choose from:

      * If you select **Default**, use the **Rejection Handler** list to select an existing [rejection handler](pa_rejection_handlers.html) that defines whether to display an error template or redirect to a URL.

      * If you select **Basic**, you can customize an error message to display as part of the default error page rendered in the end-user's browser if rule evaluation fails. This page is among the templates you can modify with your own branding or other information. If you select **Basic**, provide the following:

        1. In the **Error Response Code** field, enter the HTTP status response code to send if rule evaluation fails.

           The default is `403`.

        2. In the **Error Response Status Message** field, enter the HTTP status response message to send if rule evaluation fails.

           The default is `Forbidden`.

        3. In the **Error Response Template File** field, enter the HTML template page for customizing the error message that displays if rule evaluation fails.

           This template file is located in the `<PA_HOME>/conf/template/` directory.

        4. In the **Error Response Content Type** list, select the type of content for the error response.

           This lets the client properly display the response.

8. Click **Save**.