Web Security Service Announcement - Washington, DC Data Center Migration
Scheduled Maintenance Report for Symantec Web Security Service
Completed
The scheduled maintenance has been completed.
Posted May 20, 2020 - 00:00 UTC
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted May 19, 2020 - 23:59 UTC
Scheduled
As part of the previously announced final phase of WSS migration to Google Cloud Platform (GCP), a new WSS POP will be deployed in Washington, DC on May 19, 2020. The new site will be designated Washington, DC (GUSAS).

Impact
No impact to WSS traffic is expected during the maintenance window.

At the conclusion of the maintenance, all Unified Agent, WSSA, and Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR) and proxy forwarding destined to the Washington, DC (IAD2) POP will be processed in the new GCP Washington, DC (GUSAS) site. The IP addresses for sep-wtr.threatpulse.net, proxy.threatpulse.net, and ep.threatpulse.net for Washington, DC traffic will also change as a part of this migration as described in more detail in the Required Action section below.

IPsec traffic will not be moved to the Washington, DC (GUSAS) site as part of this maintenance. After the conclusion of this maintenance, the new Washington DC (GUSAS) POP will be formally announced by Broadcom as available for IPsec traffic from customers via the same channels as this announcement. The old Washington, DC (IAD2) POP will remain open for IPsec traffic in parallel with the new Washington, DC (GUSAS) POP through May 31, 2020. Washington, DC (IAD2) will be permanently retired from service on June 1, 2020.

The ingress IP address for IPsec access for Washington, DC (GUSAS) will be:

170.176.240.164 (New address, change may be required)

The ingress IP addresses for all other access methods for Washington, DC (GUSAS) will be:

170.176.240.164 (New ingress address, change may be required)
168.149.146.164 (New ingress address, change may be required)

The egress network IP ranges for Washington, DC (GUSAS) will be:

170.176.240.0/24 (New range, change may be required)
168.149.146.0/24 (New range, change may be required)

Required Action
If end user connectivity to WSS is regulated by stringent firewall rules, those firewall rules should be adjusted to allow traffic to pass to the ingress and egress IP networks listed above prior to the maintenance window. In addition, any third party application provider who regulates connections by source IP should be updated to accept connections from the ingress and egress IP networks listed above to ensure WSS traffic passes unencumbered.

IPsec: Customers must migrate their IPsec tunnels for IPsec and transproxy access from the ingress IP address of Washington, DC (IAD2) to the ingress IP address of Washington, DC (GUSAS) between May 20, 2020 and May 31, 2020.

Unified Agent and WSS Agent: Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Symantec to the nearest alternate site during the maintenance window.

Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR): The underlying IP address for sep-wtr.threatpulse.net will be updated as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Symantec to the nearest alternate site during the maintenance window.

Explicit proxy and proxy forwarding: The underlying IP address for proxy.threatpulse.net will change as a part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customers directing traffic to proxy.threatpulse.net will be automatically redirected by Symantec to the nearest alternate site during the maintenance window..

Explicit over IPsec (“trans-proxy”): The underlying IP address for ep.threatpulse.net will change as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customers that use explicit proxy through IPsec to ep.threatpulse.net should take the same action as IPsec customers and bring up their secondary tunnel during the maintenance.

Others: Any customer, regardless of connection method, with a configuration pointing to a specific site or IP address must manually failover to a secondary site during the migration window to avoid an outage.

Please visit these KB articles for a full list of IP networks used by WSS:
Worldwide data center IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH242979
Authentication IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH240889

Questions?
Please visit this KB article for additional details on the Web Security Service Migration to Google Cloud Platform: https://knowledge.broadcom.com/external/article?legacyId=tech257356

If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

For real time updates and status visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com
Posted May 12, 2020 - 22:03 UTC
This scheduled maintenance affected: Data Centers - Americas (Washington, DC (GUSAS), Washington D.C. (IAD2)).