Cloud SWG (formerly WSS) Ingress and Egress IP addresses

search cancel

Cloud SWG (formerly WSS) Ingress and Egress IP addresses

book

Article ID: 167174

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

What are the IP addresses used to connect to the Symantec Cloud SWG?
What are the data center names and locations?
What are the Cloud SWG IP addresses and ranges that have to be permitted on firewalls?
What is a Localization Zone and where are they located?
What are the Cloud SWG ingress and egress IP subnet ranges?
What are the IP addresses used by integrated services, such as Web Isolation?

Resolution

Best Practices based on Connection Type (Access Method)
IP Addresses for Cloud SWG-Integrated Services
Cloud SWG ingress and egress IP addresses
POP Types
- Dedicated IP Sites

Best Practices based on Connection Type (Access Method)

IPsec

For fault tolerance, fixed site backup connections must have IPsec tunnels to a physically separate compute region relative to your primary site, as well as:

Only IPsec connections should redirect traffic to an IP address. All other connections should use Cloud SWG data center hostnames.
IPsec connections are only accepted by the IPsec specific ingress IP addresses in the table below.
IPsec configurations should have dead peer detection (DPD) enabled and a tunnel monitor (ie, IPSLA) configured.
IPsec phase 1 lifetime should be 24 hours, and phase 2 lifetime should be four hours.
- IKEv2 FQDN phase 2 lifetime should be 50 minutes.
IPsec backup tunnels should never point to the same "compute POP" (data center) that the primary tunnel is going to.

Explicit over IPsec

Explicit traffic redirection within an IPsec tunnel to Cloud SWG should always point to ep.threatpulse.net:80 . For additional information, please see the online documentation.

Explicit and Proxy Forwarding

For optimal performance and fault tolerance, explicit traffic should be redirected to proxy.threatpulse.net:8080. This hostname automatically resolves to the nearest Cloud SWG data center based on the geo-location of the client's DNS resolver. In the event of an outage (including planned maintenance), users will be automatically redirected to the nearest available data center.

Should the need to avoid geo-location services with explicit exist, the following Cloud SWG explicit IP addresses indicate the hosts an admin can point to for explicit or proxy forwarded traffic.

SEP Web and Cloud Access Protection

Explicit Mode (Pac File): For optimal performance and fault tolerance, explicit traffic should be redirected to sep-wtr.threatpulse.net:8080. This hostname automatically resolves to the nearest Cloud SWG data center based on the geo-location of the client's DNS resolver. No manual configuration is required.
Tunnel Mode: Nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address. No manual configuration is required.

WSS Agent

Nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address. No manual configuration is required. It is imperative that firewalls allow traffic between the agents and the Cloud SWG Ingress and egress ranges specified below.

IP Addresses for Cloud SWG-Integrated Services

Web Isolation: The egress IPs used for Web Isolation sessions triggered by Cloud SWG policy will differ from the list below and are documented here: Web Isolation Cloud Ingress and Egress IP Addresses.

Cloud SWG Portal
portal.threatpulse.com	35.245.151.224 34.82.146.64
Cloud Traffic Controller (CTC)
Primary: ctc.threatpulse.com Secondary: ctc-uat.threatpulse.com Note: Use the secondary CTC endpoint service to route a subset of traffic from a different egress IP address. See Test Agent Traffic From a New Egress IP Address.	Primary: 130.211.30.2 Secondary: 34.110.245.218
Auth Manager
auth.threatpulse.com	35.245.151.226 34.82.146.65
PAC File Management Service
pfms.wss.symantec.com	34.120.17.44

Cloud SWG ingress and egress IP addresses

Note: The "ingress ranges" in the third column are also the Cloud SWG "egress ranges".

Location (codename)	Compute region	Ingress IP address (IPsec and trans-proxy)	Ingress and egress ranges for other access methods and for auth connector
AMERICAS
Buenos Aires, Argentina (GARBA1) Localization zone	Sao Paulo, Brazil	34.95.226.164	34.95.226.0/24
Columbia, South Carolina (GUSCO1) Dedicated IP site	Columbia, South Carolina	168.149.137.164	168.149.135.0/24 168.149.137.0/24 168.149.138.0/24 168.149.139.0/24 168.149.140.0/24 168.149.141.0/24
Des Moines, Iowa (GUSDM1) Dedicated IP site	Des Moines, Iowa	199.247.42.164	199.247.32.0/24 199.247.33.0/24 199.247.42.0/24 199.247.43.0/24 199.247.44.0/24 199.247.45.0/24 199.116.168.0/24 199.116.169.0/24 199.116.170.0/24 199.116.171.0/24 199.116.173.0/24 148.64.31.0/24
Las Vegas, Nevada (GUSLV1)	Las Vegas, Nevada	168.149.133.164	168.149.133.0/24 168.149.160.0/24
Los Angeles, California (GUSLA1) Dedicated IP site	Los Angeles, California	199.19.248.164	148.64.18.0/24 199.19.248.0/24
Mexico City, Mexico (GMXMC1) Localization zone	Los Angeles, California	170.176.246.164	170.176.246.0/24
Montreal, Canada (GCAMO1) Dedicated IP site	Montreal, Canada	199.19.253.164	199.19.253.0/24 148.64.21.0/24
Portland, Oregon (GUSPO1)	Portland, Oregon	170.176.241.164	170.176.241.0/24 168.149.164.0/24 148.64.16.0/24
Sao Paulo, Brazil (GBRSP1) Dedicated IP site	Sao Paulo, Brazil	34.95.130.164	34.95.130.0/24 34.95.146.0/24
Toronto, Canada (GCATO2)	Toronto, Canada	168.149.130.164	168.149.130.0/24 168.149.131.0/24
Washington, DC (GUSAS1)	Washington, DC	170.176.240.164	168.149.142.0/24 168.149.143.0/24 168.149.144.0/24 168.149.145.0/24 168.149.146.0/24 168.149.151.0/24 168.149.152.0/24 168.149.153.0/24 168.149.157.0/24 170.176.240.0/24
APAC
Auckland, New Zealand (GNZAU1) Localization zone	Sydney, Australia	168.149.170.164	168.149.170.0/24
Bangkok, Thailand (GTHBA11) Localization zone	Singapore	-	168.149.179.64/27
Beijing, China (ACNBJ2)	Beijing, China	52.131.103.144	52.131.103.144/28 52.131.113.48/28 52.131.113.80/28 52.131.113.128/28 52.131.113.144/28 52.131.113.176/28 52.131.113.192/28 52.131.113.208/28 52.131.113.224/28 52.131.113.240/28 52.131.114.0/28 52.131.114.16/28 52.131.114.32/28 52.131.114.48/28
Delhi, India (GINDE1) Dedicated IP site	Delhi, India	168.149.182.164	168.149.182.0/24 168.149.183.0/24 168.149.184.0/24 168.149.185.0/24 168.149.186.0/24 168.149.187.0/24 168.149.188.0/24 168.149.189.0/24
Hanoi, Vietnam (GVNHA11) Localization zone	Singapore	-	168.149.179.96/27
Hong Kong (GCNHK1)	Hong Kong	103.246.38.164	103.246.38.0/24
Islamabad, Pakistan (GPKIS) Localization zone	Zurich, Switzerland	-	34.65.98.0/24
Jakarta, Indonesia (GIDJK11)	Jakarta, Indonesia	-	168.149.180.0/24
Kuala Lumpur, Malaysia (GMYKL11) Localization zone	Singapore	-	168.149.179.0/26
Manila, Philippines (GPHMA11) Localization zone	Jakarta, Indonesia	-	168.149.181.0/25
Melbourne, Australia (GAUME1)	Melbourne, Australia	168.149.190.164	168.149.190.0/24 168.149.191.0/24 34.129.99.0/24
Mumbai, India (GINMU1) Dedicated IP site	Mumbai, India	148.64.4.164	148.64.1.0/24 148.64.4.0/24 148.64.5.0/24 148.64.7.0/24 148.64.12.0/24 148.64.13.0/24 168.149.165.0/24 168.149.166.0/24 168.149.167.0/24 168.149.168.0/24 168.149.169.0/24 168.149.172.0/24 168.149.173.0/24 168.149.174.0/24
Osaka, Japan (GJPOS1)	Osaka, Japan	98.158.245.164	98.158.245.0/24 98.158.246.0/24 103.9.96.0/24 103.9.97.0/24
Seoul, South Korea (GKRSE1)	Seoul, South Korea	168.149.154.164	168.149.154.0/24
Shanghai, China (ACNSH2)	Shanghai, China	40.72.119.208	40.72.119.208/28 40.72.119.224/28 52.130.200.0/28 52.130.200.16/28 52.130.200.48/28 52.130.200.64/28 52.130.200.96/28 52.130.200.128/28 52.130.200.144/28 52.130.200.176/28 52.130.200.192/28 52.130.200.208/28 52.130.200.224/28 52.130.200.240/28
Singapore (GSGRS1) Dedicated IP site	Singapore	103.246.37.164	103.246.37.0/24 148.64.3.0/24 168.149.178.0/24 168.149.150.0/24
Sydney, Australia (GAUSY1) Dedicated IP site	Sydney, Australia	103.246.36.164	103.246.36.0/24 170.176.245.0/24 148.64.2.0/24
Taipei, Taiwan (GTWTA1)	Taipei, Taiwan	168.149.155.164	168.149.155.0/24
Tokyo, Japan (GJPTK1) Dedicated IP site	Tokyo, Japan	223.29.216.164	223.29.216.0/24 223.29.217.0/24 223.29.218.0/24 223.29.219.0/24
EUROPE AND THE MIDDLE EAST
Abu Dhabi, UAE (GAEAD1) Localization zone	Mumbai, India	168.149.175.164	168.149.175.0/24
Amsterdam, the Netherlands (GNLAM1) Dedicated IP site	Amsterdam, the Netherlands	98.158.252.164	98.158.252.0/24
Ankara, Turkey (GTRAN1) Localization zone	Zurich, Switzerland	46.235.158.192	46.235.158.192/26
Athens, Greece (GGRAT11) Localization zone	Frankfurt, Germany	-	46.235.156.128/27
Brussels, Belgium (GBEBR11)	Brussels, Belgium	-	46.235.155.0/24 148.64.25.0/24
Bucharest, Romania (GROBU1) Localization zone	Frankfurt, Germany	168.149.148.164	168.149.148.0/24
Copenhagen, Denmark (GDKCP1) Localization zone	Amsterdam, the Netherlands	148.64.14.164	148.64.14.0/24
Dover, England (GGBDO1) Localization zone Dedicated IP site	Brussels, Belgium	148.64.24.164	148.64.24.0/24 109.68.59.0/24 109.68.60.0/24 109.68.61.0/24 109.68.62.0/24 170.176.242.0/24
Dubai, UAE (GAEDX1) Localization zone	Zurich, Switzerland	-	34.65.98.0/24
Dublin, Ireland (GIEDU1) Localization zone	London, England	148.64.15.164	148.64.15.0/24
Frankfurt, Germany (GDEFR1) Dedicated IP site	Frankfurt, Germany	199.247.38.164	199.247.34.0/24 199.247.38.0/24 199.247.39.0/24 199.247.40.0/24 199.247.41.0/24
Helsinki, Finland (GFIHE1)	Helsinki, Finland	168.149.149.164	168.149.149.0/24
Lisbon, Portugal (GPTLI11) Localization zone	Zurich, Switzerland	-	46.235.158.96/27
London, England (GGBLO1) Dedicated IP site	London, England	148.64.26.164	148.64.9.0/24 148.64.26.0/24 148.64.27.0/24 148.64.28.0/24 148.64.29.0/24 148.64.30.0/24 46.235.154.0/24
Madrid, Spain (GESMA1) Localization zone Dedicated IP site	Zurich, Switzerland	185.180.48.164	185.180.48.0/24 185.180.51.0/24
Milan, Italy (GITMI1) Localization zone	Frankfurt, Germany	46.235.159.164	46.235.159.0/24 148.64.10.0/24
Nicosia, Cyprus (GCYNI11) Localization zone	Frankfurt, Germany		46.235.156.64/27
Oslo, Norway (GNOOS1) Localization zone	Helsinki, Finland	109.68.63.164	109.68.63.0/24
Paris, France (GFRPA1) Localization zone Dedicated IP site	Brussels, Belgium	46.235.153.164	46.235.153.0/24 148.64.19.0/24 168.149.163.0/24
Riyadh, Saudi Arabia (GSARI1) Localization Zone	Mumbai, India	148.64.6.1	148.64.6.0/26
Stockholm, Sweden (GSESK1) Localization zone	Helsinki, Finland	199.247.35.164	199.247.35.0/24
Tel Aviv, Israel (GILTA2)	Tel Aviv, Israel	198.135.125.164	198.135.125.0/24
Valletta, Malta (GMTVA11) Localization zone	Frankfurt, Germany	-	46.235.156.160/27
Vienna, Austria (GATVI11) Localization zone	Frankfurt, Germany	-	46.235.156.32/27
Warsaw, Poland (GPOWA1)	Warsaw, Poland	103.9.99.164	103.9.99.0/24
Zurich, Switzerland (GCHZU1)	Zurich, Switzerland	148.64.11.164	148.64.11.0/24
AFRICA
Abuja, Nigeria (GNGAB11) Localization zone	Zurich, Switzerland	-	46.235.158.64/27
Accra, Ghana (GGHAC11) Localization zone	Zurich, Switzerland	-	46.235.158.0/27
Algiers, Algeria (GDZAL11) Localization zone	Frankfurt, Germany	-	46.235.156.0/27
Cairo, Egypt (GEGCA11) Localization zone	Frankfurt, Germany	-	46.235.156.96/27
Dakar, Senegal (GSNDA11) Localization zone	Zurich, Switzerland	-	46.235.158.128/27
Gaborone, Botswana (GBWGA11) Localization zone	London, England	-	109.68.57.32/27
Harare, Zimbabwe (GZWHA11) Localization zone	London, England	-	109.68.56.0/27
Johannesburg, South Africa (GZAJB1) Localization zone	London, England	109.68.58.164	109.68.58.0/24
Lilongwe, Malawi (GMWLI11) Localization zone	London, England	-	109.68.57.96/27
Luanda, Angola (GAOLU11) Localization zone	London, England	-	109.68.57.0/27
Lusaka, Zambia (GZMLU11) Localization zone	London, England	-	109.68.57.224/27
Maputo, Mozambique (GMZMA11) Localization zone	London, England	-	109.68.57.160/27
Nairobi, Kenya (GKENA11) Localization zone	London, England	-	109.68.57.64/27
Port Louis, Mauritius (GMUPL11) Localization zone	London, England	-	109.68.57.128/27
Rabat, Morocco (GMARA11) Localization zone	Zurich, Switzerland	-	46.235.158.32/27
Tunis, Tunesia (GTNTU11) Localization zone	Frankfurt, Germany	-	46.235.156.192/27
Windhoek, Namibia (GNAWI11) Localization zone	London, England	-	109.68.57.192/27

POP Types

Compute POP - Otherwise known as a data center, a point of presence that contains physical compute infrastructure.

Localization Zones - Provide an improved user experience by localizing content requests for countries where there is no Cloud SWG compute POP.

Dedicated IP Sites

The Dedicated IPs feature is a cloud-native solution where Broadcom provides tenant-dedicated IPs in Cloud SWG data centers. The sites that host dedicated IPs are denoted in the table above with the "Dedicated IP sites" label below the site location and codename.

Additional Information

The Cloud SWG service now has a service points URL that can be used to retrieve our IP address space for all hosts, including the Portal, authentication, PFMS, CTC and so forth. The service points URL is https://servicepoints.threatpulse.com/ and is a JSON formatted document. Please note that the auth connector (aka bcca.exe) connects to IP addresses within the egress IP address range.

Feedback

thumb_up Yes

thumb_down No