Magento 2 Security Scan Blocked by Akamai? A Comprehensive Whitelisting Guide
The Indispensable Role of the Adobe Security Scan Tool for Magento 2
In the dynamic world of e-commerce, maintaining a secure online store is not just a best practice—it's a fundamental requirement. For Magento 2 merchants, whether running Adobe Commerce or Magento Open Source, the Adobe Security Scan tool is an invaluable, free resource. This powerful tool proactively identifies potential vulnerabilities, outdated software, and security risks within your Magento installation, helping you safeguard sensitive customer data and maintain PCI DSS compliance.
Regular security scans are crucial for several reasons:
- Early Detection: Identify weaknesses before they can be exploited by malicious actors.
- Compliance: Help meet industry standards and regulatory requirements.
- Peace of Mind: Ensure your store is robust against common threats, protecting your brand reputation.
- Proactive Maintenance: Stay informed about necessary updates and patches for your Magento core, extensions, and themes.
However, the very tools designed to protect your site can sometimes encounter unexpected roadblocks, especially when integrated with advanced infrastructure.
When Security Tools Clash: Akamai and the 403 Forbidden Error
Modern e-commerce platforms, particularly high-traffic Magento 2 stores, often leverage Content Delivery Networks (CDNs) and Web Application Firewalls (WAFs) like Akamai. Akamai provides robust protection against DDoS attacks, bot traffic, and various web exploits, while also enhancing site performance. Its protective mechanisms are designed to filter out suspicious or unknown traffic, ensuring only legitimate users and bots access your server.
This protective stance, while essential, can sometimes lead to a conflict with legitimate security scanners. As highlighted in a recent Magento GitHub issue (#40551), a Magento merchant encountered a critical problem: their Adobe Security Scan tool was unable to reach their website's base URL, returning a 403 Forbidden error. The scan details explicitly pointed to Akamai blocking the tool's access, stating: "Security Scan Tool was unable to reach the base URL. Response code received: 403. Please check that 52.87.98.44 is not blocked at 80 and 443 ports."
The core of the problem lies in Akamai's default behavior. The Adobe Security Scan tool operates by crawling your website, much like a search engine bot. Without explicit instructions, Akamai's WAF might interpret this automated behavior as potentially malicious or unwanted bot activity, leading to the 403 Forbidden response. This scenario effectively blinds the merchant to their store's security posture, leaving potential vulnerabilities undiscovered.
The Solution: Whitelisting Adobe Security Scan IPs in Akamai
The immediate and most effective solution to this common challenge is to whitelist the specific IP addresses, domains, or user agents used by the Adobe Security Scan tool within your Akamai configuration. This tells Akamai to explicitly allow traffic originating from these known, trusted sources.
Fortunately, Adobe provides a comprehensive list of these necessary details. As demonstrated by the quick resolution in the GitHub thread, a community expert pointed directly to the Adobe Experience League Knowledge Base, which contains the required information.
Step-by-Step Whitelisting Guide (Conceptual)
While the exact steps may vary slightly depending on your specific Akamai configuration and control panel version, the general process involves:
- Access Your Akamai Control Panel: Log in to your Akamai account.
- Navigate to Security Settings: Locate the section related to your Web Application Firewall (WAF) rules, security policies, or access control lists (ACLs).
- Identify Whitelisting Options: Look for options to create an "allow list," "whitelist," or "exception rule" for IP addresses or user agents.
- Add Adobe Security Scan Details: Refer to the official Adobe Knowledge Base article (referenced above) for the most current list of IP addresses, domains, and user agents used by the Adobe Security Scan tool. Add these to your allow list.
- Save and Deploy Changes: Ensure you save your changes and deploy them to your Akamai configuration. This might involve a propagation period.
- Test the Scan: Once changes are propagated, re-run the Adobe Security Scan tool to confirm it can now successfully access your Magento 2 store.
It's crucial to always refer to the official Adobe documentation for the most up-to-date list of IPs, as these can occasionally change. Regular review of your WAF rules is also a good practice.
Beyond Akamai: General Best Practices for Magento Security Scans
The lesson learned from the Akamai blocking scenario extends beyond just one CDN/WAF provider. If your Magento 2 store uses other WAFs like Cloudflare, Sucuri, or even custom server-level firewalls, you might encounter similar blocking issues. Always consult the documentation for your specific security infrastructure and the security scanning tool you are using.
Key best practices include:
- Document Whitelisted IPs: Maintain a clear record of all whitelisted IPs and the reasons for their inclusion.
- Regularly Review Rules: Periodically audit your WAF and firewall rules to ensure they are current and effective.
- Test in Staging: Whenever possible, test new security configurations or scan tools in a staging environment before applying them to your live Magento production site.
- Stay Informed: Keep abreast of updates from Adobe Commerce and your security vendors regarding IP changes or new security features.
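As an added example (not the article's own code, nor Adobe's or Akamai's) that ties together the "Test the Scan" step of the whitelisting guide, the caveat that scanner IPs can change, and the "Document Whitelisted IPs" and "Regularly Review Rules" practices above: a small Python script that keeps each allow-list entry with its reason, source and review date, flags entries that are malformed, too broad or overdue for review, and scans access-log lines for requests from allow-listed sources that still receive a 403. The 52.87.98.44 address is the one quoted in the scan error message above; the second allow-list entry, the log lines, their format, the user-agent string, the /24 breadth threshold and the review dates are all constructed assumptions, and the authoritative list of scanner addresses must still come from Adobe's current Knowledge Base article.

```python
"""Audit a WAF allow list kept for the Adobe Security Scan tool and check
whether its requests are still answered with 403 at the edge.

Added example; not code from the article, Adobe or Akamai. The 52.87.98.44
entry is the address quoted in the scan error; everything else (the broad
second entry, the log lines and their format, the user agent, the /24
threshold, the dates) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress
import re

# Assumed policy: a scanner exception should name a host or a small block.
# IPv4 prefixes shorter than this are flagged rather than silently accepted.
MIN_PREFIX_LEN = 24


@dataclass(frozen=True)
class AllowEntry:
    cidr: str        # IP or CIDR exactly as entered in the WAF allow list
    reason: str      # why it is allowed (the "document whitelisted IPs" practice)
    source: str      # where the value came from (vendor doc, ticket, scan output)
    review_by: date  # date by which the entry must be re-checked against vendor docs


# Constructed allow list. The first entry is the address from the scan error;
# the second is deliberately too broad so the validation below catches it.
ALLOW_LIST = [
    AllowEntry("52.87.98.44", "Adobe Security Scan (address quoted in scan error)",
               "Adobe KB article on Security Scan tool IPs", date(2025, 1, 1)),
    AllowEntry("10.0.0.0/8", "constructed: overly broad entry", "none", date(2030, 1, 1)),
]


def validate_entries(entries, today):
    """Return [(cidr, problem)] for entries that should not stay in the allow list."""
    problems = []
    for e in entries:
        try:
            net = ipaddress.ip_network(e.cidr, strict=False)
        except ValueError:
            problems.append((e.cidr, "not a valid IP or CIDR"))
            continue
        # Breadth check is IPv4-only in this example; IPv6 prefixes are not scored.
        if net.version == 4 and net.prefixlen < MIN_PREFIX_LEN:
            problems.append((e.cidr, f"prefix /{net.prefixlen} is broader than /{MIN_PREFIX_LEN}"))
        if not e.reason.strip() or not e.source.strip():
            problems.append((e.cidr, "missing reason or source"))
        if e.review_by < today:
            problems.append((e.cidr, f"review overdue since {e.review_by}"))
    return problems


# Constructed access-log lines in a common-log-style layout (the real edge log
# format, and the real scanner user agent, come from Akamai and Adobe docs).
LOG_LINES = """\
52.87.98.44 - - [10/Jun/2025:12:00:01 +0000] "GET / HTTP/1.1" 403 0 "-" "ExampleScanner/1.0"
52.87.98.44 - - [10/Jun/2025:12:00:02 +0000] "GET /robots.txt HTTP/1.1" 403 0 "-" "ExampleScanner/1.0"
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
52.87.98.44 - - [10/Jun/2025:12:05:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "ExampleScanner/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def blocked_allowed_requests(log_text, entries):
    """Return [(ip, request)] for requests from allow-listed sources that still got 403.

    Matching is done on the client IP, not the user agent: any client can send
    any user-agent string, so the IP is the only field worth trusting here.
    """
    nets = []
    for e in entries:
        try:
            nets.append(ipaddress.ip_network(e.cidr, strict=False))
        except ValueError:
            continue  # already reported by validate_entries
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if m["status"] == "403" and any(addr in n for n in nets):
            hits.append((m["ip"], m["req"]))
    return hits


if __name__ == "__main__":
    for cidr, problem in validate_entries(ALLOW_LIST, date.today()):
        print(f"allow-list problem: {cidr}: {problem}")
    for ip, req in blocked_allowed_requests(LOG_LINES, ALLOW_LIST):
        print(f"still blocked: {ip} {req}")
```

Run it after deploying the allow-list change and again after each scan: any "still blocked" line means the exception has not taken effect (or has not propagated yet), and any "review overdue" line is the prompt to re-check the entry against Adobe's current list. Keying the log check on the source IP rather than the user agent is deliberate, since a user-agent string is set by the client and says nothing about who sent the request.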
For merchants undergoing a Magento 1 to Magento 2 migration or any significant platform upgrade, proactive security configuration, including WAF setup and scanner whitelisting, should be a non-negotiable part of the project plan.
Shopping Mover's Perspective: Security in Magento Migrations
At Shopping Mover, we understand that security is paramount, especially during and after a Magento migration. A successful migration isn't just about moving data and code; it's about establishing a more secure, performant, and scalable foundation for your e-commerce business. Issues like the Adobe Security Scan being blocked by Akamai highlight the intricate interplay between your Magento application and its surrounding infrastructure.
Our expertise in Magento migrations includes:
- Pre-Migration Security Audits: Identifying existing vulnerabilities and planning for enhanced security in Magento 2.
- WAF and CDN Configuration: Guiding you through optimal setup of Akamai, Cloudflare, or other WAFs to protect your new Magento 2 store.
- Post-Migration Security Checks: Ensuring all security tools, including the Adobe Security Scan, function correctly on your migrated platform.
- Performance and Scalability: Balancing robust security with the need for a fast and responsive user experience.
Don't let security blind spots compromise your Magento 2 store. Proactive configuration and continuous monitoring are your best defense.
Conclusion
The Adobe Security Scan tool is a critical asset for any Magento 2 merchant committed to maintaining a secure online presence. While advanced WAFs like Akamai offer essential protection, understanding how to properly configure them to allow legitimate security scans is vital. By whitelisting the Adobe Security Scan tool's IP addresses, you ensure that your store remains continuously monitored for vulnerabilities, safeguarding your business and your customers.
If you're navigating complex Magento security configurations, planning a migration, or simply need expert advice on optimizing your e-commerce platform, don't hesitate to contact Shopping Mover. We're here to help you build a secure, high-performing Magento store.