getAnpProvisioningStatus — Managing the SiteLock Firewall & CDN activation process

The getAnpProvisioningStatus method provides the current provisioning and configuration state of the SiteLock Firewall & CDN for a site. This method is used to monitor domain validation, DNS readiness, and overall activation progress. It supports apex domains, standard subdomains, and subdomains treated as apex domains.

The method returns one of the following states:

ready
pending-domain-validation
pending-dns
pending-retry
error

Provisioning flow overview

The Firewall & CDN provisioning process differs depending on whether the site uses SSL.

Non-SSL sites don’t require domain ownership verification.
SSL-enabled sites require domain ownership verification before the DNS switchover.

DNS records returned by getAnpProvisioningStatus must only be applied when the site is in the appropriate state.

DNS record behavior by domain type

The DNS records returned by this method depend on the domain type.

Domain type	DNS records returned
Apex domain	Two A records and one CNAME record
Subdomain	One CNAME record
Subdomain treated as apex	Two A records and one CNAME record

Domain type

DNS records returned

Apex domain

Two A records and one CNAME record

Subdomain

One CNAME record

Subdomain treated as apex

Two A records and one CNAME record

A subdomain is treated as an apex domain only if it has SOA record.

Non-SSL sites

Non-SSL sites don’t require domain ownership verification.

Provisioning flow:

provisionAddon returns the A and/or CNAME records required for activation.
The partner or site owner adds the returned DNS records.
The partner periodically calls getAnpProvisioningStatus.
When the state changes to ready, the Firewall & CDN is fully active.

Non-SSL site provisioning flow

`provisionAddon`
    |
    |-- Returns A/CNAME records
    |
Partner or user updates DNS
    |
`getAnpProvisioningStatus`
    |
    |-- state: `pending-dns`
    |
    |-- state: `ready`

SSL-enabled sites

SSL-enabled sites require domain ownership verification before the DNS switchover. Partners are strongly encouraged to automate DNS updates to ensure a seamless experience.

Domain ownership verification

During provisioning, a TXT or CNAME record is returned for domain ownership verification.

Both provisionAddon and getAnpProvisioningStatus return the TXT or CNAME record. The provisionAddon method provides it during the initial subscription provisioning, while getAnpProvisioningStatus can be called at any time afterward to retrieve the latest provisioning details.
TXT or CNAME records rotate every 30 days. If the TXT or CNAME record is not set within 30 days, a new record is issued on day 31.

Once the TXT or CNAME record is added to DNS:

Call getAnpProvisioningStatus to initiate domain ownership verification.
Verification is non-blocking and may take up to 24 hours.

If the state remains pending-domain-validation for more than 36 hours, contact SiteLock Partner Support.

While the state is pending-domain-validation, any A and/or CNAME records returned in the response are informational only and must not be applied at this stage.

Pending domain validation

While verification is in progress:

The state remains pending-domain-validation.
The response includes the TXT or CNAME record being verified.
New A and/or CNAME values may be returned for reference only.

DNS records must not be updated until the state changes to pending-dns.

Pending DNS update

When domain ownership verification completes, the state changes to pending-dns.

At this stage:

The response includes dns_new_cname.
For apex domains and subdomains treated as apex, dns_new_a is also returned.
For SSL-enabled sites, both cert_detected and cert_installed must be 1 before DNS updates are applied.

The partner or site owner must update the site’s DNS records with new records returned by SiteLock.

Activation completion

After DNS records are updated:

Periodically call getAnpProvisioningStatus.
Activation is non-blocking and may take up to 24 hours.
When the state changes to ready, the Firewall & CDN is fully active.

Traffic and reporting data may take up to an additional 24 hours to appear in the SiteLock Dashboard.

SSL-enabled site provisioning flow

`provisionAddon`
    |
    |-- Returns TXT or CNAME record
    |
Partner or user adds TXT or CNAME record to DNS
    |
    |-- DNS propagation
    |
`getAnpProvisioningStatus`
    |
    |-- state: `pending-domain-validation`
    |
    |-- TXT or CNAME record verified
    |
    |-- state: `pending-dns`
    |   (A/CNAME records must now be applied)
    |
Partner or user updates A/CNAME records
    |
`getAnpProvisioningStatus`
    |
    |-- state: `ready`

Pending retry state

The pending-retry state indicates a temporary condition that prevents provisioning from completing.

Common reasons include:

DNS propagation delays
The domain is not fully configured with the hosting provider
Missing IP assignments in DNS

Retry behavior:

Free Firewall & CDN products retry up to 50 times at 6-hour intervals.
Paid Firewall & CDN products continue retrying until the partner calls deleteAddon.
The partner can call getAnpProvisioningStatus again to check the current provisioning status.

Ready state

When the state is ready:

The Firewall & CDN is fully configured.
Traffic is routed according to the configured DNS.
Firewall & CDN data becomes available in the SiteLock Dashboard.

Error state

The error state indicates a condition requiring manual intervention.

The common error types are:

Site Not Found (SNF) — The site doesn’t exist in the system.
ANP Addon Not Found (ANF) — The site doesn’t have an active Firewall & CDN subscription.

Partners should validate site configuration and subscription status before retrying. After addressing the issue, the partner can call getAnpProvisioningStatus again to check if the error has been resolved.

API endpoint:

https://api.sitelock.com/v1/partner

Example request

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding.
  - username: The partner’s API username.
  - password: The partner’s API password.
- getAnpProvisioningStatus: The method name.
  - site_id: [attribute] - The ID of the site.

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <getAnpProvisioningStatus site_id="10900"/>
</SiteLockOnlineRequest>

Response format

The following are the various possible responses from getAnpProvisioningStatus.

Example success response

SiteLockOnlineResponse: This element is used to delineate the full API response.
- getAnpProvisioningStatus: The method name
  - dns_info: The information about the TXT or CNAME record used for domain ownership verification.
    
    records: The TXT or CNAME record currently found in DNS.
    
    record: The details of the TXT or CNAME record found in DNS.
    
    domain: The domain for which the record was found.
    
    status: The status of the record found in DNS.
    
    type: The type of record found in DNS.
    
    request: The TXT or CNAME record that SiteLock is currently verifying.
    
    data: The value of the TXT or CNAME record that SiteLock is verifying.
    
    type: The type of record that SiteLock is verifying.
  - dns_new_a: The new A records to be applied to the domain.
  - dns_new_cname: The new CNAME record to be applied to the domain.
  - dns_ssl_verify: The TXT or CNAME record details for SSL domain ownership verification.
    
    dns_record_domain: The domain for which the TXT or CNAME record is being verified.
    
    dns_record_type: The type of record being verified.
    
    dns_record_value: The value of the TXT or CNAME record being verified.
  - original_dns: The original DNS records for reference.
    
    orig_a_rec: The original A records for the domain.
  - site_id: The ID of the site.
  - ssl: The information about the SSL certificate status for the site.
    
    cert_detected: Indicates whether an SSL certificate was detected.
    
    cert_from: Indicates the source of the SSL certificate.
    
    cert_installed: Indicates whether the SSL certificate is installed and active.
    
    network_ssl_cert_exp_date: The expiration date of the SSL certificate provided by SiteLock, if applicable.
  - state: The current provisioning state of the Firewall & CDN for the site.
  - traffic_routing: Indicates whether traffic is currently being routed through the Firewall & CDN.
  - waf_dns_manager: Indicates who manages the DNS for the Firewall & CDN.

Awaiting domain ownership verification for SSL sites (pending-domain-validation)

A response with the following elements is returned when the site uses SSL and domain ownership hasn’t yet been verified.

Don’t update A & CNAME DNS records until the state is pending-dns.

Example unverified domain ownership response

<SiteLockOnlineResponse>
    <getAnpProvisioningStatus>
        <dns_info>
            <records>
                <record>
                    <domain>example.com</domain>
                    <status>TXT Record(s) were found - but none match what we are looking for.</status>
                    <type>TXT</type>
                    <type>CNAME</type>
                </record>
            </records>
            <request>
                <data>globalsign-domain-verification=VIYIM3EFP0APXADXY9D2MM4NHEXEGJNU2</data>
                <type>TXT</type>
                <type>CNAME</type>
            </request>
        </dns_info>
        <dns_new_a>45.60.23.58,45.60.25.58</dns_new_a>
        <dns_new_cname>123b45e6.sitelockcdn.net</dns_new_cname>
        <dns_ssl_verify>
            <dns_record_domain>example.com</dns_record_domain>
            <dns_record_type>TXT</dns_record_type>
            <dns_record_type>CNAME</dns_record_type>
            <dns_record_value>globalsign-domain-verification=VIYIM3EFP0APXADXY9D2MM4NHEXEGJNU2</dns_record_value>
        </dns_ssl_verify>
        <original_dns>
            <orig_a_rec>123.123.123.123,122.122.122.122</orig_a_rec>
        </original_dns>
        <site_id>123456789</site_id>
        <ssl>
            <cert_detected>1</cert_detected>
            <cert_installed>0</cert_installed>
            <waf_ssl_validation_method>CNAME</waf_ssl_validation_method>
        </ssl>
        <state>pending-domain-validation</state>
        <traffic_routing>0</traffic_routing>
        <waf_dns_manager>partner</waf_dns_manager>
    </getAnpProvisioningStatus>
</SiteLockOnlineResponse>

Awaiting DNS changes (pending-dns)

A response with the following elements will be returned when the Firewall & CDN is ready for the partner or the site owner to reconfigure DNS settings.

Example pending-dns response

<SiteLockOnlineResponse>
    <getAnpProvisioningStatus>
        <dns_new_a>107.154.149.145,107.154.153.145</dns_new_a>
        <dns_new_cname>123ab23.sitelockcdn.net</dns_new_cname>
        <original_dns>
            <orig_a_rec>123.123.123.123,122.122.122.122</orig_a_rec>
        </original_dns>
        <site_id>123456789</site_id>
        <ssl>
            <cert_detected>1</cert_detected>
            <cert_from>network</cert_from>
            <cert_installed>1</cert_installed>
            <network_ssl_cert_exp_date>2025-05-12</network_ssl_cert_exp_date>
        </ssl>
        <state>pending-dns</state>
        <traffic_routing>0</traffic_routing>
        <waf_dns_manager>partner</waf_dns_manager>
    </getAnpProvisioningStatus>
</SiteLockOnlineResponse>

Pending retry (pending-retry)

The following response is returned when a temporary condition exists that prevented the Firewall & CDN provisioning from completing. This response indicates the provisioning request will be retried until complete or unable to continue.

Example retrying response

<SiteLockOnlineResponse>
    <getAnpProvisioningStatus>
        <site_id>10900</site_id>
        <state>pending-retry</state>
    </getAnpProvisioningStatus>
</SiteLockOnlineResponse>

The following are typical reasons for the automatic pending-retry status:

Allowing for DNS propagation time.
If the hosting was purchased from the partner along with the Firewall & CDN, but the domain/site hasn’t been configured yet.
If the domain was added to the hosting, but the IP addresses haven’t been assigned to the domain in the DNS system yet.

SiteLock will eventually stop retrying if the Firewall & CDN subscription is a free product. Currently, retries cease after 50 attempts, with attempts made 6 hours apart. Provision retries continue on paid Firewall & CDN products until the partner makes a request to deleteAddon.

The following response indicates the Firewall & CDN is fully configured.

Example configured Firewall & CDN response

<SiteLockOnlineResponse>
    <getAnpProvisioningStatus>
        <site_id>10900</site_id>
        <state>ready</state>
        <waf_dns_manager>partner</waf_dns_manager>
    </getAnpProvisioningStatus>
</SiteLockOnlineResponse>

Example error response

Some errors require manual intervention. The partner or user should examine the site/domain configuration to determine the specific issue.

<SiteLockOnlineResponse>
    <getAnpProvisioningStatus>
        <site_id>10900</site_id>
        <state>error</state>
    </getAnpProvisioningStatus>
</SiteLockOnlineResponse>

Data Error: Bad Site

This error indicates the provisioning process couldn’t find any information about the existence of the site (note the code element).

Example non-existent site error

<SiteLockOnlineResponse>
    <getAnpProvisioningStatus>
        <code>SNF</code>
        <message>Site Not Found</message>
        <site_id>10900</site_id>
        <state>error</state>
    </getAnpProvisioningStatus>
</SiteLockOnlineResponse>

Data Error: Site with no WAF

This error indicates that a partner API request was made on a site that doesn’t have an active Firewall & CDN addon subscription (note the code element).

Example inactive Firewall & CDN add-on error

<SiteLockOnlineResponse>
    <getAnpProvisioningStatus>
        <code>ANF</code>
        <message>ANP Addon Not Found</message>
        <site_id>10900</site_id>
        <state>error</state>
    </getAnpProvisioningStatus>
</SiteLockOnlineResponse>