Hosted Reporting SCP Key Change
search cancel

Hosted Reporting SCP Key Change

book

Article ID: 277815

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Symantec is making an update that will affect all Hosted Reporting customers. As part of a continuous program to improve the security posture of Symantec services and products, several outdated TLS ciphers are being removed from the secure upload service. 

This requires that the Server Key associated with the service be rotated, and all customers must trust a new Server Key on their Edge SWG (ProxySG) devices or in scripts. The process is manual, but you can complete it at any time in advance of the key rotation with no outages or restarts needed. If the new key is not trusted at the point the key is rotated, uploads to the hosted reporting service fail until the new key is trusted. 

Note that you only need to configure this for the IP address of the regional upload host you are using.

The list of hosts/IP addresses can be found here: Cloud Web Gateway - Reporting Migration to the Google Cloud Platform

This change will be performed any time after March 1, 2024

Resolution

Complete the steps that are appropriate for your deployment: update the key directly through the device command line interface (CLI), or use the Management Center to execute the commands on managed devices. 

Update the Key via the CLI

Use this method if you must update the key on Edge SWG devices (versions 6.7.x or 7.x) individually.

Enter the following command using the supplied fingerprint 

  1. SSH to the device and log in to the CLI.
  2. Enter the following commands:
    enable
    conf t
    ssh-client
    known-hosts
    add "<ip_address> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCVrqT1fYotBRzv3c0SZwfh5y1ML52rKpKfK602k48PcTvpEgCplPl5cD2Hb3o0c3LmCt8Cd80tBG/qciMq+IIQ/Ot5YG1rAVbhA2eEJQwoq2igkZN24Uz2rivPmbT9U2A/r/vQPB8DlGq6RjFEJGMOWQAA5ABGGMGkkaCKJgvWd5REwkkLNGZPe3fvlnGfNruS5CW+AsVKA/U9+NTkIuEV9xKi+5LtmNIQcjhh+EM4xXC1OLNdtbv/qU7jDUvDj1jsPEL/MIJUcaednv5LTis7WrA1V6Qy4r0e7otI0Z0ymByOw4kBMhPk7h69EHhHSIIsCxWuaSQ+q8kQto5nGTz"
    exit
    exit

     

No reboot or service restart is required. After you add a valid key, the device checks the SCP server's SSH-RSA fingerprint against the key when an access log upload is attempted. 

Update the Key Using a Script 

Use this method if you manage Edge SWG devices through the Management Center.

  1. In the Management Center UI, select Configuration > Scripts.    



  2. Select Add > Add Script.
  3. On the Add Script dialog that opens, name the script and select ProxySG as the device type.



  4. Click Save.
  5. In the script editor that opens, paste the commands to add a fingerprint:
    enable
    conf t
    ssh-client
    known-hosts
    add "<ip_address> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCVrqT1fYotBRzv3c0SZwfh5y1ML52rKpKfK602k48PcTvpEgCplPl5cD2Hb3o0c3LmCt8Cd80tBG/qciMq+IIQ/Ot5YG1rAVbhA2eEJQwoq2igkZN24Uz2rivPmbT9U2A/r/vQPB8DlGq6RjFEJGMOWQAA5ABGGMGkkaCKJgvWd5REwkkLNGZPe3fvlnGfNruS5CW+AsVKA/U9+NTkIuEV9xKi+5LtmNIQcjhh+EM4xXC1OLNdtbv/qU7jDUvDj1jsPEL/MIJUcaednv5LTis7WrA1V6Qy4r0e7otI0Z0ymByOw4kBMhPk7h69EHhHSIIsCxWuaSQ+q8kQto5nGTz"
    exit
    exit

    Refer to the following example:


  6. Select Save > Save.
  7. (Optional) Run this script immediately on devices by clicking Execute on Device.
  8. On the Execute Script dialog that opens, choose the devices that should receive these commands and click Execute.