Teams and Businesses

Create firewall rules in 1Password Business

Learn how use firewall rules to restrict where your team can access 1Password.

With 1Password Business, you can restrict where your team can access 1Password. Create rules to allow, report, or deny sign-in attempts from certain locations or IP addresses.

You can adjust your team’s firewall policies if you’re an owner, administrator, or part of a group with the Manage Settings permission.

To create firewall rules, sign in to your account on, click Policies in the sidebar, then click Manage on the Firewall policy.

The firewall icon

Create firewall rules

Choose to allow, report, or deny access by default, then add rules for exceptions. Rules are applied in order and stop when one matches.

A group of firewall rules that deny access from anonymous IPs, allow access from Canada, and report access from all other locations and IP addresses.

To create a new firewall rule, click Add Rule. Then:

  • Select Country or Continent and start typing to find the one you want.
  • Select IP Address and enter an IP address or CIDR range.
  • Or select Anonymous IP and remove the types that you don’t want to filter.

You can add multiple values to Country, Continent, and IP Address rules, and you can add as many rules as you want. For each rule, choose Allow, Report, or Deny. If you choose Report, team members can still sign in to 1Password; details will be added to your sign-in attempts report.

To reorder your firewall rules, click or to the left of a rule. To delete a rule, click .

When you’re done, click Save.


If a team member has already signed in to a 1Password app on their device, they’ll have access to their local data even when they’re blocked by firewall rules. However, they won’t have access to any new changes until they’re in an allowed location.

If a team member has 1Password unlocked when you create or modify a firewall rule, the rule will be applied the next time they unlock 1Password.

For even more control, choose which 1Password apps can access each vault.

About IP addresses and anonymous IPs

To cover a range of IP addresses, enter a Classless Inter-Domain Routing (CIDR) range, like Β Learn more about CIDR.

Anonymous IP detection is based on information from the MaxMind database . There are four types of anonymous IPs:

  • Tor: IP addresses where Tor traffic appears to come from.
  • Public VPNs: IP addresses registered to VPN services which hide someone’s true IP address.
  • Public Proxies: Proxies that are available for free and publicly posted.
  • Cloud Providers: IP addresses associated with hosting services that can be used as anonymizers.

Firewall rule examples

To only allow access from Canada:

Country: Canadaβœ… Allow
All other locations and IP addresses❌ Deny

To deny access from public VPNs even when they’re in Canada, but allow all other access from Canada and only Canada:

Anonymous IP: Public VPNs❌ Deny
Country: Canadaβœ… Allow
All other locations and IP addresses❌ Deny

To only allow access from the office:

IP Address:βœ… Allow
All other locations and IP addresses❌ Deny

To allow access from the office, report access from Canada, and deny all other access:

IP Address:βœ… Allow
Country: CanadaπŸ“„ Report
All other locations and IP addresses❌ Deny

Learn more

Still need help?

If this article didn't answer your question, contact 1Password Support.