Cloud SWG behavior changes when individual subscriptions change status
Article ID: 276347
Updated On:
Products
Issue/Introduction
Cloud Secure Web Gateway (Cloud SWG) accounts often include multiple separate subscriptions. As each serial number includes an individual expiration date it is common for accounts to have one or more subscriptions become disabled or deleted while others remain active.
In order to set expectations the categories of Cloud SWG subscriptions are listed in the table below along with the behavior change which occurs if its state transitions to DISABLED. Some behavior changes depending on the presence or absence of other active subscriptions.
|
Disabled CloudSWG product types |
Behavior if no compensating subscription is present |
Compensating subscriptions: When present and active, these prevent behavior change. |
|---|---|---|
|
Base products required for Cloud SWG data flow: Web Security, CASB, Web Protection, or Network Protection |
End-user traffic through Cloud SWG is stopped |
Web Security, CASB, Web Protection, or Network Protection |
|
MA-Advanced |
Sandboxing of suspicious sample files stops |
Network Protection |
|
Hosted Reporting |
Maximum log retention period reduced to 100 days; Upload of on-prem Proxy logs no longer permitted. |
Network Protection |
|
CFS-Standard |
Full traffic flow restricted to Web-Ports and explicit proxy only. CFS policy and UI disabled. |
Web Protection or Network Protection |
|
CFS-Advanced |
Cloud Firewall rules with application detection do not match, no application detection logging |
|
|
Self Managed Cert |
TLS/SSL interception reverts to use service provided root certificate |
|
|
Geo_and Risk |
Policy based on Geo or Risk values do not match |
Web Protection or Network Protection |
|
Isolation - both Selective and Full |
Isolation rules disabled and UI disabled. |
Web Protection (custom rules disabled) or Network Protection |
The following table details changes in behavior and stored configuration data when subscriptions are DELETED. Some changes depend on the presence or absence of other active subscriptions.
|
Deleted CloudSWG product types |
Behavior if no compensating product is present |
Compensating products When present and active, it prevents behavior change. |
|---|---|---|
|
Based products required for Cloud SWG data flow: Web Security, CASB, Web Protection, or Network Protection |
Cloud SWG configuration data scheduled for deletion. |
Web Security, CASB, Web Protection, or Network Protection |
|
CFS-Standard |
CFS policy rules deleted |
Web Protection or Network Protection |
|
CFS-Advanced |
CFS policy rules deleted |
CFS-Standard, Web Protection or Network Protection |
|
Isolation - both Selective and Full |
Isolation policy rules deleted |
Web Protection or Network Protection |
In general all data deletion is permanent and customers must act during the time period of disablement to recover without a need for reconfiguration.
Environment
Cloud Security Web Gateway (formerly known as WSS or Web Security Service)
Resolution
If a subscription is disabled unexpectedly, request a review of contracts and correction of product licensing data as appropriate.
Feedback
