Reference #18 high

Akamai "Access Denied — Reference #18..." (Kona WAF block)

Akamai's edge WAF or Bot Manager rejected the request with a 403 and a Reference #18 error ID.

What you see

Access Denied
You don't have permission to access "http://www.example.com/" on this server.
Reference #18.7a1d2c17.1718409600.3f9b21e

What’s actually happening

Some or all visitors get a bare 403 page served by Akamai, not your origin. The page carries a Reference # that starts with 18, and your origin logs show no matching hit because the request died at the edge. Often it's intermittent: one network or IP range is blocked while others load fine. The reference string changes on every retry.

Common causes

  • A Kona/App & API Protector WAF rule matched the request (SQLi, XSS, or command-injection signature firing on a legitimate payload)
  • Bot Manager classified the client as automated — scrapers, monitoring agents, or an aggressive SDK
  • Rate controls tripped because one IP or NAT egress sent too many requests in a short window
  • Low IP reputation: the visitor's address sits in Akamai's Client Reputation list for prior abuse
  • An overly broad custom rule or network-list block (geo or ASN) catching real users

How to fix it

  1. Decode the reference number on the origin side
     The 18 prefix means ERR_ACCESS_DENIED — a security-product denial. Paste the full Reference # into Akamai Control Center under Security > Events (or use Edge Diagnostics > Error Translator). It maps the ID to the exact rule, policy, and request that triggered the block.
  2. Tune the offending rule instead of disabling the whole policy
     If it's a false positive on a WAF signature, set that specific rule to alert-only or add an exception scoped to the URL/parameter. Don't switch the entire security configuration off — you'll expose the origin.
  3. Adjust rate and bot thresholds for legitimate traffic
     For shared-NAT offices or API clients hitting rate controls, raise the threshold or add the source CIDR to an allowlisted network list. For Bot Manager, reclassify known-good user agents (Pingdom, your own crawler) as allowed bots.
  4. Tell blocked visitors to switch networks
     A visitor with no origin access just needs a clean IP: turn off a VPN, switch from corporate wifi to cellular, or reboot the router for a new DHCP lease. The block is keyed to their address, not their browser.
  5. Dispute a Client Reputation listing
     If a visitor's IP is flagged in Akamai's reputation feed despite being clean, the site owner can open a case with Akamai support referencing the ID to get the address re-scored.
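Before step 1 you need the reference string itself, and when the block is intermittent you usually want to collect it from several networks at once. The following Python is an added example (not Akamai's code and not part of this page): it recognises an Akamai block page, pulls out the Reference #, reads the leading field as the error code (18 = ERR_ACCESS_DENIED, the only code this page documents), and groups results from probes run over different networks so you can see which source is being denied. The sample block page and probe results are constructed here. Treating the third dotted field of the reference as a Unix timestamp is an assumption of this example, used only to give a block time to correlate with the Security > Events view.

```python
import html
import re
from datetime import datetime, timezone

# Reference string as printed on the Akamai denial page, e.g.
# "Reference #18.7a1d2c17.1718409600.3f9b21e". Fields: error code,
# opaque hex, a value this example assumes is a Unix epoch, opaque hex.
REFERENCE_RE = re.compile(
    r"Reference\s*#(\d+)\.([0-9a-f]+)\.(\d{9,10})\.([0-9a-f]+)", re.IGNORECASE
)

# Only "18" is documented on this page; anything else is reported as unknown.
ERROR_CLASSES = {
    "18": "ERR_ACCESS_DENIED (WAF rule, Bot Manager, rate control or reputation)",
}


def parse_akamai_denial(status: int, body: str):
    """Return a dict describing an edge-side denial, or None when the
    response is not an Akamai block page (wrong status or no Reference #)."""
    if status != 403:
        return None
    # Unescape first so an entity-encoded reference is still matched.
    match = REFERENCE_RE.search(html.unescape(body))
    if not match:
        return None
    code, _, epoch, _ = match.groups()
    return {
        "reference": match.group(0).split("#", 1)[1].strip(),
        "code": code,
        "error_class": ERROR_CLASSES.get(code, "unknown"),
        # Assumed epoch field -> UTC time, to line up with Security > Events.
        "blocked_at": datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat(),
        "edge_block": True,
    }


def triage_probes(probes):
    """Given (source_label, status, body) tuples from probes run over
    different networks, return {label: reference or None}. A None means
    that source reached the site normally."""
    result = {}
    for label, status, body in probes:
        denial = parse_akamai_denial(status, body)
        result[label] = denial["reference"] if denial else None
    return result


# Constructed block page in the shape shown under "What you see".
BLOCK_PAGE = """<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD><BODY>
<H1>Access Denied</H1>
You don't have permission to access "http://www.example.com/" on this server.<P>
Reference&#32;&#35;18&#46;7a1d2c17&#46;1718409600&#46;3f9b21e
</BODY></HTML>"""

# Constructed probe results: the office NAT is denied, cellular loads fine,
# and a 403 issued by the origin itself carries no Akamai reference.
SAMPLE_PROBES = [
    ("office-nat", 403, BLOCK_PAGE),
    ("cellular", 200, "<html><body>Welcome</body></html>"),
    ("origin-403", 403, "<html><body>Forbidden by application</body></html>"),
]

if __name__ == "__main__":
    for label, ref in triage_probes(SAMPLE_PROBES).items():
        print(f"{label}: {'edge denial ' + ref if ref else 'no Akamai block'}")
    print(parse_akamai_denial(403, BLOCK_PAGE))
```

Run the probes from each network that reports the problem and paste every non-None reference into Security > Events; a source that returns a 403 without a Reference # was refused by your origin, not by Akamai, and belongs in a different investigation.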

Stop it recurring

Run new WAF and Bot Manager policies in alert-only mode for a week and review the events before enforcing, so false positives surface before they block real users.
