If this setting is disabled, the IP range filter is only enforced for the login operation. Apps included in the Org and accessed after login may make requests from IPs outside the allowed ranges.
Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Enforce login IP ranges on every request".
Time to fix