Update your firewall with the latest IP addresses

To maintain optimal performance, Site Shield maps are updated periodically. Check the map status page for an update, get a new list of IP addresses, and update your firewall.

Keeping the map up to date ensures that map capacity is sized appropriately and improves the security of your origin.

📘

If you use SureRoute, you'll also get a new SureRoute map when you accept the new Site Shield map. Both map names remain the same.

  1. Go to > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.

    In the Notification status column of each map with a new set of addresses, you can see the Update firewall message.

  2. Click the name of the map you want to edit.

  3. On the map status page, the three columns in the Address changes section show the differences between the old and new lists:

    • Added. Add these addresses to your firewall’s allow list.
    • Removed. Remove these addresses from your firewall’s allow list.
    • Unchanged. Keep these addresses in your firewall’s allow list.
      The Complete List box shows all IP addresses for the new map.
  4. In the Update firewall whitelist box, click one of the links:

    • Copy addresses below to copy the addresses to the clipboard.
    • Export them as CSV to get a CSV file with the complete list.
  5. Optional: Click Current addresses to display the current IP address list for the map.

  6. Go to your firewall and edit the settings to allow the addresses to access your origin server.

📘

Ensure that you leave the existing Site Shield ACL entries in place for at least a week before removing them from the allow list.

  7. Return to the map status page and enter YES in the field.
  8. Click Yes, I updated my firewall.
    You get the Success! message and the map is updated.

Roll back to previous CIDRs

📘

By using the rollback functionality you explicitly inform Akamai that you want to switch back to the previously activated CIDR list. Before you enter YES in the rollback confirmation field, ensure that your firewall has the respective CIDR ranges allowed. Performing this task prematurely could result in dropping traffic to your application.

In some cases, after a list of proposed CIDRs was acknowledged, it may be necessary to switch back to a previously used set of addresses, for example, when:

  • A new list of CIDRs was acknowledged by mistake
  • The origin firewall access-control list doesn’t match the newly acknowledged CIDRs and cannot be modified at this time

To roll back the addresses, perform these actions:

  1. Go to > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.

  2. Click the name of the map where you need to roll back the addresses.

  3. Expand the Roll back addresses section.
    You can see the CIDR sets acknowledged in the last seven days, with additional details such as when a given set was last active and the user who acknowledged it.
    Click ▶ next to an acknowledged date to see the addresses included in the map.

  4. Select a set you want to roll back to.
    Make sure all of the CIDRs in the chosen set are allowed through your origin firewall.

  5. Go back to Site Shield and enter YES in the field.

  6. Click Roll back addresses and click Continue.
    You get the Success! message and the map is updated.

Compare the CIDR lists

Before you roll back the CIDRs, make sure that the addresses you want to go back to match the addresses allowed through your origin firewall.

  1. Go to > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.

  2. Click the name of your map.

  3. Expand the Roll back addresses section.
    Click ▶ next to an acknowledged date to see the addresses included in the map.

  4. On the right, click and click one of the links:

    • Copy to clipboard.
    • Export to CSV.
  5. Go to your firewall and make sure the addresses you copied can access your origin server.
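
The comparison in the last step, and the same check before you confirm a new map in the update procedure, can be scripted. This is an added example, not Akamai code. It assumes the export holds one CIDR per cell and that your firewall's allow list is available as text. The addresses are constructed from documentation ranges.

```python
import csv
import io
import ipaddress

# Constructed sample data (documentation ranges), not real Site Shield addresses.
MAP_EXPORT = "CIDR\n192.0.2.0/25\n192.0.2.128/25\n198.51.100.0/24\n2001:db8:1::/48\n"
FIREWALL_ALLOW = "192.0.2.0/24\n203.0.113.0/24\n2001:db8::/32\n"

def parse_cidrs(text):
    """Collect every valid CIDR from CSV or whitespace-separated text."""
    nets = set()
    for row in csv.reader(io.StringIO(text)):
        for token in " ".join(row).split():
            try:
                nets.add(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # header cell or other non-address text
    return nets

def collapse(nets):
    """Merge adjacent and nested networks, one IP version at a time."""
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def covered(net, allowed):
    """True if net lies entirely inside one of the collapsed allowed networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def as_sorted_strings(nets):
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(nets, key=key)]

def compare(map_cidrs, firewall_cidrs):
    """missing: map CIDRs the firewall would drop; excess: firewall entries beyond the map."""
    fw, mp = collapse(firewall_cidrs), collapse(map_cidrs)
    return {
        "missing": as_sorted_strings(n for n in map_cidrs if not covered(n, fw)),
        "excess": as_sorted_strings(n for n in firewall_cidrs if not covered(n, mp)),
    }

if __name__ == "__main__":
    report = compare(parse_cidrs(MAP_EXPORT), parse_cidrs(FIREWALL_ALLOW))
    print("Not allowed by firewall (traffic would be dropped):", report["missing"])
    print("Allowed by firewall but outside the map:", report["excess"])
```

An empty `missing` list is the condition to reach before entering YES. Entries under `excess` are broader than the map or left over from an earlier one, and are candidates for removal once the one-week hold has passed.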