Jackie Liu

Firewall Rule: Global Traffic Management - SiteShield ACL

Blog post created by Jackie Liu (Akamai employee) on Apr 21, 2017

This blog post introduces the Global Traffic Management - SiteShield (GTM-SS) firewall rule.




GTM customers who also use SiteShield have to maintain two sets of IP ACLs at their origin firewall: one set with the GTM Liveness Agent (servermonitor) IPs and the other with the SiteShield parent IP CIDRs. The combined set usually amounts to more than a couple of hundred entries. Some customers' origins have a hard limit on the number of ACL entries, for example 200 entries maximum, which the combined set exceeds.


This ACL limitation creates a real problem, so Akamai trimmed down the set of GTM Liveness Agent IPs and built a new firewall alert service called "Global Traffic Management - SiteShield" to accommodate it. Customers who have both GTM and SiteShield can subscribe to this service, and it publishes the list of IPs those customers need to allow at their origin firewalls.




The Integration

When such an ACL limitation issue occurs, the Akamai account team opens a request ticket with the engineering team to restrict the GTM domain in question to the GTM-SiteShield servermonitor pool (note that this is NOT the same set of CIDRs that is in the customer's SiteShield map).




  1. Once the servermonitor pool is restricted, you CANNOT use the "Test the liveness of servers from all targets above" link in the GTM Liveness Test UI, because it does not take the restricted servermonitor pool into account. Instead, refer to the Monitor -> Traffic Management -> Errors report to confirm that all liveness tests are succeeding.
  2. This servermonitor pool customization can only be done at the GTM domain level, meaning all properties under the domain in question will use the GTM-SS list.




What is this list? Is it just a trimmed-down GTM list?

It is a new list that helps solve the issue of certain customers' ACL limitations. For example, Amazon only allows 200 ACL entries.

What is the difference between this list and the other GTM list?

This new list, which is only available to customers using both SiteShield and GTM, also uses SiteShield parent region IPs for the GTM Liveness Agents. Because the agent IPs then fall inside ranges the customer already allows for SiteShield, fewer IPs need to be added to the customer's ACL.
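As an added example, not code from this post or from Akamai, the Python script below covers both the ACL budget problem described at the top of the post and the overlap the GTM-SS list relies on: it collapses the SiteShield parent CIDRs and the GTM Liveness Agent IPs into the minimal set of ACL entries, counts what would actually have to be configured against an origin's entry limit, and reports which agent IPs already fall inside a SiteShield parent CIDR (those cost no extra entry). All addresses are constructed from RFC 5737 documentation ranges, the origin limit and the ipset set name are assumptions, and the real GTM-SS list is not reproduced here (it comes from the firewall alert subscription).

```python
"""Added example (not Akamai's code): budget-check an origin ACL built from
GTM Liveness Agent (servermonitor) IPs plus SiteShield parent CIDRs, and show
which agent IPs already sit inside the SiteShield parent ranges.

Every address below is constructed sample data from the RFC 5737
documentation ranges; none of it is a real Akamai range.
"""
import ipaddress

# Constructed: SiteShield parent CIDRs (the kind of ranges a SiteShield map lists).
SITESHIELD_PARENT_CIDRS = [
    "192.0.2.0/26",
    "192.0.2.64/26",      # adjacent to the /26 above; collapses into 192.0.2.0/25
    "198.51.100.0/24",
    "203.0.113.0/25",
]

# Constructed: GTM Liveness Agent IPs. The first two sit inside SiteShield
# parent CIDRs (the GTM-SS situation); the last three do not and cost entries.
GTM_AGENT_IPS = [
    "192.0.2.10",
    "198.51.100.200",
    "203.0.113.130",
    "203.0.113.131",
    "203.0.113.132",
]

# Assumed for the example; use your origin's real limit (the post cites 200).
ORIGIN_ACL_LIMIT = 200


def to_networks(entries):
    """Parse IPs and CIDRs alike into IPv4Network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def collapse(entries):
    """Minimal CIDR set covering every entry: merges adjacent blocks, drops subsumed ones."""
    return [str(n) for n in ipaddress.collapse_addresses(to_networks(entries))]


def split_by_coverage(agent_ips, parent_cidrs):
    """Agent IPs already inside a SiteShield parent CIDR need no extra ACL entry."""
    parents = to_networks(parent_cidrs)
    covered, uncovered = [], []
    for ip in agent_ips:
        addr = ipaddress.ip_address(ip)
        (covered if any(addr in p for p in parents) else uncovered).append(ip)
    return covered, uncovered


def acl_entries(agent_ips, parent_cidrs):
    """The entries you actually have to configure: union of both lists, collapsed."""
    return collapse(list(parent_cidrs) + list(agent_ips))


def fits_limit(agent_ips, parent_cidrs, limit=ORIGIN_ACL_LIMIT):
    """True when the collapsed ACL fits within the origin's entry limit."""
    return len(acl_entries(agent_ips, parent_cidrs)) <= limit


def render_ipset(set_name, cidrs):
    """Emit `ipset restore` lines for the collapsed list (set name is assumed)."""
    lines = [f"create {set_name} hash:net"]
    lines += [f"add {set_name} {c}" for c in cidrs]
    return lines


if __name__ == "__main__":
    covered, uncovered = split_by_coverage(GTM_AGENT_IPS, SITESHIELD_PARENT_CIDRS)
    entries = acl_entries(GTM_AGENT_IPS, SITESHIELD_PARENT_CIDRS)
    naive = len(GTM_AGENT_IPS) + len(SITESHIELD_PARENT_CIDRS)
    print(f"agents already inside SiteShield parents: {covered}")
    print(f"agents needing their own entries:         {uncovered}")
    print(f"entries if added one by one: {naive}; after collapsing: {len(entries)}")
    print("fits origin limit:", fits_limit(GTM_AGENT_IPS, SITESHIELD_PARENT_CIDRS))
    print("\n".join(render_ipset("akamai_origin_acl", entries)))
```

Run it as-is to see the two lists collapse from 9 candidate entries to 5, with only the three agents outside the SiteShield parents costing anything; swap in the CIDRs from your own SiteShield map and the list from the GTM-SS firewall alert, set the limit your origin enforces, and the script tells you whether the ACL fits before you raise a ticket. Collapsing is safe to apply to allow-lists because the merged ranges cover exactly the same addresses, but keep the sanity check that every agent IP is still covered after any manual trimming.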