You experience an issue where an SWG that is configured with separate WAN/LAN and Management ports is unable to connect to Symantec Threatcenter when the SWG service is disabled. When the service is enabled the connection to Threatcenter is successful.
When the SWG service is disabled, the SWG WAN/LAN interface is also disabled. If the SWG DNS server(s) reside on the WAN/LAN network, the SWG is not able to communicate with them while the WAN/LAN interface is down, so Threatcenter name resolution fails.
To resolve this issue please add a static route to at least one DNS server and set the gateway as the Management port default gateway.
For example, for an SWG with the following configuration:
Management Port Default Gateway - 192.168.1.1
DNS Server IP - 10.0.0.2
You would create a static route with the following properties:
Destination - 10.0.0.2
Netmask - 255.255.255.255
Gateway - 192.168.1.1
This static route enables the SWG to communicate properly with the DNS servers when the SWG service is disabled.
An alternative solution would be to configure a secondary DNS IP which resides on the Management network.
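As an added check (not Symantec's code or the appliance's own logic), the script below applies the article's rule to a list of DNS servers and prints the static route each one needs in the Destination/Netmask/Gateway form used above. The WAN/LAN and Management subnets, the helper names and the extra sample servers are assumptions; only 192.168.1.1 and 10.0.0.2 come from the article.

```python
"""Plan DNS host routes for an SWG whose WAN/LAN interface is disabled.
Added example, not Symantec's or the appliance's own code: the subnets, the
helper names and the constructed sample servers are assumptions; the
192.168.1.1 gateway and 10.0.0.2 DNS server come from the article."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

NETMASK_HOST = "255.255.255.255"  # /32: one route per DNS server


def plan_dns_routes(mgmt_net: str, mgmt_gw: str, wan_lan_net: str,
                    dns_servers: List[str]) -> Dict[str, dict]:
    """Apply the article's rule to each DNS server: on the WAN/LAN network it
    needs a /32 static route via the Management default gateway; on the
    Management network it is fine as-is (the article's alternative fix); any
    other address is outside the article's guidance and is flagged."""
    mgmt = IPv4Network(mgmt_net)
    wan_lan = IPv4Network(wan_lan_net)
    gw = IPv4Address(mgmt_gw)
    if gw not in mgmt:  # a gateway the Management port cannot reach makes the route useless
        raise ValueError(f"Management gateway {gw} is not inside {mgmt}")
    plan: Dict[str, dict] = {}
    for server in dns_servers:
        ip = IPv4Address(server)
        if ip in wan_lan:
            plan[server] = {"status": "route_required",
                            "route": {"destination": str(ip),
                                      "netmask": NETMASK_HOST,
                                      "gateway": str(gw)}}
        elif ip in mgmt:
            plan[server] = {"status": "ok_on_management"}
        else:
            plan[server] = {"status": "not_covered"}
    return plan


def format_route(route: dict) -> str:
    """Render a route in the Destination/Netmask/Gateway form the article uses."""
    return (f"Destination - {route['destination']}\n"
            f"Netmask - {route['netmask']}\n"
            f"Gateway - {route['gateway']}")


if __name__ == "__main__":
    # Constructed sample: the article's addresses plus a Management-side and a public resolver.
    for server, entry in plan_dns_routes("192.168.1.0/24", "192.168.1.1", "10.0.0.0/24",
                                         ["10.0.0.2", "192.168.1.53", "8.8.8.8"]).items():
        print(server, entry["status"])
        if "route" in entry:
            print(format_route(entry["route"]))
```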
SWG has separate WAN/LAN and Management ports connected. SWG DNS server(s) reside on the same subnet as the WAN/LAN.