Upcoming Scheduled Maintenance Notice: May 2020 Google Cloud Platform Migrations
Scheduled for May 31, 23:59 UTC  -  Jun 1, 00:00 UTC
Scheduled
Service Announcement
Following the successful migration of the first 34 sites of the previously announced migration to Google Cloud Platform (GCP), the remaining ten WSS sites will be migrated to GCP during the month of May 2020. This will be the final phase of the migration.

The KB article linked below lists the date and times for each migration along with details on the ingress IP addresses and egress IP network ranges that will be used in each new site.

Visit this KB article for the list of sites, the site migration schedule and the associated IP addresses: https://knowledge.broadcom.com/external/article/189993/service-announcement-site-migration-sch.html

Impact
Expect each site to be completely unavailable during its scheduled maintenance window.

At the conclusion of each maintenance window, all WSS traffic for the site will be processed according to one of two scenarios as shown in the table in the KB article referenced above and described in detail below.

Scenario 1 Sites
At the conclusion of the maintenance window, all WSS traffic for these sites will be processed in the new GCP-based POP.

To minimize customer effort, Symantec will migrate POPs in this scenario by “lift-and-shifting” their IP addresses from the current POP to the new GCP-based POP. The ingress IP for IPsec and transproxy access for sites in this scenario remains unchanged, thus customers will not need to change their IPsec tunnels to access the new GCP-based capacity.

Every site in this scenario will have new ingress IP addresses for non-IPsec/transproxy access methods, and many sites will also have new egress IP network ranges. These new IP addresses and ranges are highlighted in bold text in the table in the KB article referenced above. Be sure to carefully review the Required Action section below for additional critical instructions.

Scenario 2 Site
One remaining POP, Washington, DC (GUSAS), will be built as a completely new site on new ingress IP addresses and egress IP network ranges during its maintenance window. These new IP addresses and ranges are highlighted in bold text in the table in the KB article referenced above.

The old Washington, DC (IAD2) POP will remain open for IPsec traffic in parallel with the new Washington, DC (GUSAS) POP through May 31, 2020. Washington, DC (IAD2) will be permanently retired from service on June 1, 2020. Customers must migrate their IPsec tunnels for IPsec and transproxy access from the ingress IP address of Washington, DC (IAD2) to the ingress IP address of Washington, DC (GUSAS) between May 17, 2020, and May 31, 2020.

Traffic from Unified Agent, WSS Agent, Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR), Explicit proxy, and proxy forwarding destined to Washington, DC (IAD2) will be moved by Broadcom WSS Ops to Washington, DC (GUSAS) at the end of the scheduled maintenance. Be sure to carefully review the Required Action section below for additional critical instructions.

Required Action
If end-user connectivity to WSS is regulated by stringent firewall rules, those firewall rules should be adjusted, prior to the maintenance window, to allow traffic to pass to the ingress and egress IP networks listed in the KB article referenced above. In addition, any third-party application provider who regulates connections by source IP should be updated to accept connections from those ingress and egress IP networks to ensure WSS traffic passes unencumbered.

IPsec: Customers should bring up their secondary tunnel during the maintenance window.

Explicit over IPsec (“trans-proxy”): The underlying IP address for ep.threatpulse.net will NOT change as part of this migration. Customers that use explicit proxy through IPsec to ep.threatpulse.net should take the same action as IPsec customers and bring up their secondary tunnel during the maintenance.

The access methods below all require firewall changes. The following use cases demonstrate why these access methods require firewall changes:

Use case 1 - Connectivity: Users of the Unified Agent or WSS Agent (“Agent”) or of explicit access methods may all be coming from the same IP address. If your firewall does not allow TCP/UDP 443 (for Agent traffic) or TCP 8080 (for Explicit and SEP-WTR traffic) to the new ingress IP addresses listed in the KB article, connectivity will fail.

Use case 2 - Group-based policies and authentication: Even where users are roaming and not coming from the same location, group-based policies could fail if the auth connector cannot communicate with the new egress IP addresses.

It is imperative that the firewall allows access to these ingress and egress IP addresses to avoid problems.

Unified Agent and WSS Agent: Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window.

Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR): The underlying IP address for sep-wtr.threatpulse.net will change as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window. If customers are referencing the current data center ingress IP address directly (e.g., via a PAC file), please change to reference the sep-wtr.threatpulse.net domain name instead.

Explicit proxy and proxy forwarding: The underlying IP address for proxy.threatpulse.net will change as a part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customers directing traffic to proxy.threatpulse.net will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window. If customers are referencing the current data center ingress IP address directly (e.g., via a PAC file), please change to reference the proxy.threatpulse.net domain name instead.
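
The PAC file change described for SEP-WTR and explicit proxy above can be checked mechanically. The following is an added example, not Broadcom's code: a small Node.js script that flags proxy directives in a PAC file that pin an IPv4 literal and rewrites them to a hostname. The sample PAC text, the 192.0.2.10 and 198.51.100.7 addresses (documentation ranges, not WSS addresses) and the function names are assumptions constructed for illustration.

```javascript
// Added example: audit a PAC file for proxy directives pinned to an IPv4 literal.
// Handles IPv4 literals only; bracketed IPv6 literals are out of scope here.

// A proxy directive inside a PAC return string, e.g. PROXY host:port
const DIRECTIVE = /\b(PROXY|HTTPS|SOCKS[45]?)\s+([^\s;:"']+):(\d{1,5})/g;
const IPV4 = /^(?:\d{1,3}\.){3}\d{1,3}$/;

// Returns one finding per directive whose host is an IP literal.
function findPinnedProxies(pacSource) {
  const findings = [];
  pacSource.split(/\r?\n/).forEach((text, index) => {
    if (/^\s*\/\//.test(text)) return; // skip whole-line comments
    for (const [, kind, host, port] of text.matchAll(DIRECTIVE)) {
      if (IPV4.test(host)) {
        findings.push({ line: index + 1, kind, host, port: Number(port) });
      }
    }
  });
  return findings;
}

// Rewrites pinned directives using an operator-supplied Map of IP -> hostname.
// Addresses that are not in the map are left untouched.
function repin(pacSource, ipToHost) {
  return pacSource.replace(DIRECTIVE, (whole, kind, host, port) =>
    ipToHost.has(host) ? `${kind} ${ipToHost.get(host)}:${port}` : whole);
}

// Constructed sample PAC file (not taken from any real deployment).
const SAMPLE_PAC = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  // return "PROXY 198.51.100.7:8080";
  if (shExpMatch(url, "http://intranet.example/*")) return "DIRECT";
  return "PROXY 192.0.2.10:8080; DIRECT";
}`;

for (const f of findPinnedProxies(SAMPLE_PAC)) {
  console.log(`line ${f.line}: ${f.kind} pinned to ${f.host}:${f.port}`);
}
const fixedPac = repin(SAMPLE_PAC, new Map([["192.0.2.10", "proxy.threatpulse.net"]]));
console.log(fixedPac);
```

Build the IP-to-hostname map from the addresses your own PAC files currently reference, and re-run the audit on the rewritten file before distributing it.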

Others: Any customer, regardless of connection method, with a configuration pointing to a specific site or IP address must manually fail over to a secondary site during the migration window to avoid an outage.

Please visit these KB articles for a full list of IP networks used by WSS:
Worldwide data center IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH242979
Authentication / egress IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH240889

Questions?
Please visit this KB article for additional details on the Web Security Service Migration to Google Cloud Platform: https://knowledge.broadcom.com/external/article?legacyId=tech257356

If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

For real-time updates and status, visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com
Posted May 02, 2020 - 03:19 UTC
This scheduled maintenance affects: Data Centers - Europe, Middle East & Africa (Amsterdam (GNLAM), Amsterdam East (AMS5), Frankfurt (GDEFR), Frankfurt (FRA3), Middlesex (GGBLO), Middlesex (LHR1), Munich (GDEMU), Munich (MUC1), Stockholm (BMA2), Stockholm (GSESK)), Data Centers - Americas (Chicago (GUSCH), Chicago (ORD2), Dallas (GUSDA), Dallas/Fort Worth (DFW3), New York (GUSSA), New York (EWR2), Washington, DC (GUSAS), Washington D.C. (IAD2)), and Data Centers - Asia Pacific (Tokyo (GJPTK), Tokyo (HND4)).