Update your firewall with the latest IP addresses

To maintain optimal performance, Site Shield maps are updated periodically. Check the map status page for an update, get a new list of IP addresses, and update your firewall.

Keeping the map up to date ensures that map capacity is sized appropriately and improves the security of your origin.

Note: If you use SureRoute, you'll also get a new SureRoute map when you accept the new Site Shield map. Both map names remain the same.

  1. Go to > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.

    In the Notification status column of each map with a new set of addresses, you can see the Update firewall message.

  2. Click the name of the map you want to edit.

  3. On the map status page, the three columns in the Address changes section show the differences between the old and new lists:

    • Added. New addresses that should be included in the firewall’s allow list before acknowledging the map proposal.
    • Removed. Addresses that should be removed from the firewall’s allow list.
    • Unchanged. Addresses that should be retained in the firewall’s current allow list.

    The Complete List box shows all IP addresses for the new map.

      Note: If the Stable CIDR feature is enabled for your Site Shield map, some of the entries listed in the Removed column may still be in use if an overlapping entry in the Added column supersedes them.

      This is why it's important to process the removals and additions at the same time when updating your origin firewall ACL. You can add the Added CIDR ranges to your existing ACL before deleting the removed IP ranges. Or, you can replace the ACL with the full list of proposed CIDRs to avoid a partial denial of service. This is different from when Site Shield maps don't have Stable CIDRs, where entries in the Removed column are removed right away and can be deleted from your firewall at any time.

      Some IP ranges from the current map may be retained and listed among the proposed IP ranges. This is a transient change made as a safety measure. The IP ranges are updated once the Stable CIDR proposal is acknowledged, after which traffic is confined to the final Supernet IP ranges. A new proposal is sent after a few days, confirming the IP ranges that can be safely removed from the firewall's allow list.

  4. In the Update firewall box, click one of the links:

    • Copy addresses below to copy the addresses to the clipboard.
    • Export them as CSV to get a CSV file with the complete list.

  5. Optional: Click Current addresses to display the current IP address list for the map.

  6. Go to your firewall and edit the settings to allow the addresses to access your origin server.

  7. Optional: To use the Site Shield rollback feature without making additional changes to your origin firewalls, wait until seven days after acknowledging the map proposal before deleting the addresses in the Removed section from the firewall allow list.

  8. Return to the map status page and enter YES in the field.

  9. Click Yes, I updated my firewall.
    You get the Success! message and the map is updated.
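
The following is an added example, not Akamai code: a way to compute the Added, Removed and Unchanged sets from your current ACL and the proposed list, and to flag Removed entries that an Added entry overlaps (the Stable CIDR case), so additions go in before anything is deleted. It assumes one CIDR per line in the copied or exported list; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_cidrs(lines):
    """Assumed input layout: one CIDR per line; blank lines are skipped.
    Malformed entries raise ValueError instead of being silently dropped."""
    return {ipaddress.ip_network(s.strip()) for s in lines if s.strip()}

def as_sorted(nets):
    # Sort by IP version first: IPv4 and IPv6 networks cannot be compared directly.
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

def plan_update(current_acl, proposed):
    """Classify entries as the map status page does and build a safe change order."""
    added = proposed - current_acl
    removed = current_acl - proposed
    # Stable CIDR case: a Removed entry overlapped by an Added entry may still
    # be in use, so it must not be deleted before the Added entry is allowed.
    superseded = {r for r in removed
                  if any(r.version == a.version and r.overlaps(a) for a in added)}
    return {
        "added": as_sorted(added),
        "removed": as_sorted(removed),
        "unchanged": as_sorted(current_acl & proposed),
        "superseded": as_sorted(superseded),
        # Apply this before acknowledging: old and new ranges are both allowed.
        "transition_acl": as_sorted(current_acl | proposed),
        # Apply this when the Removed entries are finally deleted.
        "final_acl": as_sorted(proposed),
    }

# Constructed sample data (documentation ranges, not real Site Shield CIDRs).
CURRENT_ACL = parse_cidrs(["192.0.2.0/26", "192.0.2.64/26",
                           "198.51.100.0/24", "203.0.113.0/25"])
PROPOSED = parse_cidrs(["192.0.2.0/24", "198.51.100.0/24"])

if __name__ == "__main__":
    for name, cidrs in plan_update(CURRENT_ACL, PROPOSED).items():
        print(f"{name}: {', '.join(cidrs) or '-'}")
```
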

Roll back to previous CIDRs

Note: By using the rollback functionality you explicitly inform Akamai that you want to switch back to the previously activated CIDR list. Before you enter YES in the rollback confirmation field, ensure that your firewall has the respective CIDR ranges allowed. Performing this task prematurely could result in dropping traffic to your application.

In some cases, after a list of proposed CIDRs was acknowledged, it may be necessary to switch back to a previously used set of addresses, for example, when:

  • A new list of CIDRs was acknowledged by mistake
  • The origin firewall access-control list doesn’t match the newly acknowledged CIDRs and cannot be modified at this time

To roll back the addresses, perform these actions:

  1. Go to > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.

  2. Click the name of the map where you need to roll back the addresses.

  3. Expand the Roll back addresses section.
    You can see the CIDR sets acknowledged in the last seven days, with additional details such as when a given set was last active and the user who acknowledged it.
    Click ▶ next to an acknowledged date to see the addresses included in the map.

  4. Select a set you want to roll back to.
    Make sure all of the CIDRs in the chosen set are allowed through your origin firewall.

  5. Go back to Site Shield and enter YES in the field.

  6. Click Roll back addresses and click Continue.
    You get the Success! message and the map is updated.

Compare the CIDRs lists

Before you roll back the CIDRs, make sure that the addresses you want to go back to match the addresses allowed through your origin firewall.

  1. Go to > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.

  2. Click the name of your map.

  3. Expand the Roll back addresses section.
    Click ▶ next to an acknowledged date to see the addresses included in the map.

  4. On the right, click and click one of the links:

    • Copy to clipboard.
    • Export to CSV.

  5. Go to your firewall and make sure the addresses you copied can access your origin server.
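
The comparison in step 5 can be scripted. The following is an added example, not Akamai code: it reports exactly which parts of the rollback set the firewall ACL does not yet allow, including the case where a rollback CIDR is covered only by several smaller firewall entries. It assumes one CIDR per line in both lists; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def load(lines):
    """Assumed input layout: one CIDR per line; blank lines are skipped."""
    return [ipaddress.ip_network(s.strip()) for s in lines if s.strip()]

def firewall_gaps(rollback_set, firewall_acl):
    """Map each rollback CIDR that is not fully allowed to the ranges still missing."""
    gaps = {}
    for net in rollback_set:
        parts = [net]  # portions of this CIDR not yet matched by an ACL entry
        for allowed in (a for a in firewall_acl if a.version == net.version):
            remaining = []
            for p in parts:
                if p.subnet_of(allowed):
                    continue  # this portion is fully allowed
                if allowed.subnet_of(p):
                    # ACL entry covers only a slice: keep what is left over
                    remaining.extend(p.address_exclude(allowed))
                else:
                    remaining.append(p)  # CIDR blocks are nested or disjoint
            parts = remaining
        if parts:
            gaps[str(net)] = [str(g) for g in ipaddress.collapse_addresses(parts)]
    return gaps

# Constructed sample data (documentation ranges, not real Site Shield CIDRs).
FIREWALL_ACL = load(["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/25"])
ROLLBACK_SET = load(["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"])

if __name__ == "__main__":
    missing = firewall_gaps(ROLLBACK_SET, FIREWALL_ACL)
    if not missing:
        print("Every rollback CIDR is allowed through the firewall.")
    for cidr, ranges in missing.items():
        print(f"{cidr}: add {', '.join(ranges)} before rolling back")
```

An empty result means every address in the chosen set is already allowed through the origin firewall.
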