Web Security Service Announcement - New Washington, DC (GUSAS) Data Center
Scheduled Maintenance Report for Symantec Web Security Service
Completed
The scheduled maintenance has been completed.
Posted Jun 01, 2020 - 00:00 UTC
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted May 31, 2020 - 23:59 UTC
Scheduled
As part of the previously announced final phase of WSS migration to Google Cloud Platform (GCP), the Broadcom Web Security Service Team is pleased to announce a new data center in Washington, DC (designated GUSAS) which will replace the current Washington, DC (IAD2) data center. This new data center is available now.

The ingress IP address for IPsec access for Washington, DC (GUSAS) is:

170.176.240.164 (New address, change may be required)

The ingress IP addresses for all other access methods for Washington, DC (GUSAS) is:

170.176.240.164 (New ingress address, change may be required)
168.149.146.164 (New ingress address, change may be required)

The egress network IP ranges for Washington, DC (GUSAS) is:

170.176.240.0/24 (New range, change may be required)
168.149.146.0/24 (New range, change may be required)

All Unified Agent, WSSA, and Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR) and proxy forwarding traffic destined to the Washington, DC (IAD2) POP is now processed in the new GCP Washington, DC (GUSAS) site. The IP addresses for sep-wtr.threatpulse.net, proxy.threatpulse.net, and ep.threatpulse.net for Washington, DC traffic also changed as a part of this migration as described in more detail in the Required Action section below.

IPsec traffic has not been moved to the Washington, DC (GUSAS) site. The old Washington, DC (IAD2) site will remain open for IPsec traffic in parallel with the new Washington, DC (GUSAS) site through May 31, 2020. Washington, DC (IAD2) will be permanently retired from service on June 1, 2020.

Required Action
If end user connectivity to WSS is regulated by stringent firewall rules, those firewall rules should be adjusted to allow traffic to pass to the ingress and egress IP networks listed above prior to the maintenance window. In addition, any third party application provider who regulates connections by source IP should be updated to accept connections from the ingress and egress IP networks listed above to ensure WSS traffic passes unencumbered.

IPsec: Customers must migrate their IPsec tunnels for IPsec and transproxy access from the ingress IP address of Washington, DC (IAD2) to the ingress IP address of Washington, DC (GUSAS) between May 20, 2020 and May 31, 2020.

Unified Agent and WSS Agent: Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Symantec to the nearest alternate site during the maintenance window.

Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR): The underlying IP address for sep-wtr.threatpulse.net changed as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Symantec to the nearest alternate site during the maintenance window.

Explicit proxy and proxy forwarding: The underlying IP address for proxy.threatpulse.net changed as a part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customers directing traffic to proxy.threatpulse.net will be automatically redirected by Symantec to the nearest alternate site during the maintenance window..

Explicit over IPsec (“trans-proxy”): The underlying IP address for ep.threatpulse.net changed as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customers that use explicit proxy through IPsec to ep.threatpulse.net should take the same action as IPsec customers and bring up their secondary tunnel during the maintenance.

Others: Any customer, regardless of connection method, with a configuration pointing to a specific site or IP address must manually failover to a secondary site during the migration window to avoid an outage.

Please visit these KB articles for a full list of IP networks used by WSS:
Worldwide data center IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH242979
Authentication IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH240889

Questions?
Please visit this KB article for additional details on the Web Security Service Migration to Google Cloud Platform: https://knowledge.broadcom.com/external/article?legacyId=tech257356

If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

For real time updates and status visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com
Posted May 20, 2020 - 05:12 UTC
This scheduled maintenance affected: Data Centers - Americas (Washington, DC (GUSAS)).