I'm facing an issue after migrating the SWG from ASG to ISG. In order to open the Proxy MGMT GUI, I needed to add my PC IP to the static routing table with the MGMT GW.
The problem is that when I try to surf the internet, it gets directed to the MGMT GW instead of the WAN and browsing fails. Please advise.
ASG migration to ISG-Proxy
To access the management console/SGAC, the management interface should be configured initially and with a default gateway that allows the requisite network access.
Given the specific detail that your internet traffic is being incorrectly routed through a Management Gateway (MGMT GW) instead of the Wide Area Network (WAN) when trying to use the internet through a ProxySG, it appears to be an issue with how your ProxySG is configured or how it's interacting with your network's routing setup. ProxySG appliances are typically used to control, optimize, and secure internet traffic, and incorrect configuration can lead to issues like the one you're experiencing. Here's how you can approach resolving this issue:
1. Check ProxySG Configuration
Routing Settings: Review the routing configuration on the ProxySG to ensure it's set to direct internet traffic to the WAN gateway. ProxySG allows for detailed policy and routing settings, which can be adjusted to direct traffic correctly.
Proxy Settings in Browsers: Ensure that browsers or devices directing traffic through the ProxySG are configured with the correct proxy settings. Incorrect settings here can lead to traffic not reaching the intended destination.
2. Review Network Routing
Network Routes: Beyond the ProxySG itself, ensure that the network's routes are correctly configured to send traffic from the ProxySG out through the WAN. This involves checking the network routers or switches that direct traffic within your network.
Default Gateway Configuration: The ProxySG should have its default gateway set to route through the WAN, not the MGMT GW. This setting is crucial for ensuring traffic flows correctly to the internet.
3. Inspect Access Control and Policies
Access Control Lists (ACLs): Verify that any ACLs applied within the network devices do not inadvertently direct traffic towards the MGMT GW instead of the WAN.
Policy Configuration: Within the ProxySG, review the configured policies to ensure they're designed to route traffic appropriately. Misconfigured policies can redirect traffic incorrectly. An example of such rules would be forwarding rules.
4. Firewall and Security Device Settings
Firewall Rules: Check whether there are any firewall rules, either on the network firewalls or on security devices, that might be mistakenly redirecting traffic to the MGMT GW.
Security Policies: Security devices and software might have settings or policies that influence routing. Ensure these are correctly set to allow WAN access for internet browsing.
Note:
Even though your intention is to migrate from the ASG to the ISG-Proxy, it's important to note that the ASG is a combination of a Proxy and an integrated CAS appliance, and with the intended migration, you will now have to separate the CAS from the Proxy. The Proxy will now be the ISG-Proxy, deployed on your platform of choice, while the CAS will now be the ISG-CAS. With direct reference to this ticket, please refer to the Tech. Doc. with the URL below for the deployment steps for the ISG-Proxy, with VMware as the example.
Specifically, for the initial configuration of the ISG Proxy, please refer to the detailed steps in the Tech. Doc. with the URL below. Of note should be the steps for the "Prepare for Initial Configuration of the ISG Enterprise Edge SWG (ProxySG) VA on VMware". Be sure to follow the steps to Verify the Configuration of the ISG Enterprise Edge SWG (ProxySG) VA on VMware.
Only after you have successfully deployed the ISG-Proxy on your chosen VM platform (e.g., VMware) should you begin any process to migrate the Proxy configurations from the ASG to the ISG-Proxy, and the restored config should not include network configs, as you would have already deployed the ISG-Proxy and successfully tested the network connectivity.
Now, if the restored configs had routing implemented, it's important to note that the routing configs must have worked in alignment with the ASG's interface config and default gateway. With this understanding, you should ensure that you have planned the network implementation of the ISG-Proxy to align/match what was done with the ASG. This way, migrating your routing configs wouldn't break both your access to the SGAC (Management console) and the Internet.
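A model of the routing decision discussed in this thread, added here as an example (it is not part of the original posts and is not ProxySG configuration or output). It applies plain longest-prefix-match lookup to a default route via the WAN gateway plus a host route for the admin PC via the MGMT gateway, and lists clients whose return traffic would follow the management path. All addresses, the `ROUTES` table and the function names are constructed, and the model assumes purely destination-based routing with no return-to-sender or policy-based routing in effect.

```python
import ipaddress

# Constructed routing table (documentation address ranges, not from the thread).
# Each entry: (destination prefix, next-hop gateway, label of the egress side).
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "WAN"),         # default gateway towards the internet
    ("192.0.2.50/32", "198.51.100.1", "MGMT"),   # host route for the admin PC via MGMT GW
]


def lookup(dest, routes):
    """Return the most specific (prefix, gateway, label) route covering dest, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    # Longest prefix wins: a /32 host route always beats the /0 default route.
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def audit(routes, proxy_clients, mgmt_label="MGMT"):
    """List proxy clients whose replies would leave via the management gateway."""
    flagged = []
    for client in proxy_clients:
        route = lookup(client, routes)
        if route is not None and route[2] == mgmt_label:
            flagged.append((client, route[0], route[1]))
    return flagged


if __name__ == "__main__":
    # An internet destination, the admin PC, and a neighbouring client PC.
    for dest in ("203.0.113.80", "192.0.2.50", "192.0.2.51"):
        print(dest, "->", lookup(dest, ROUTES))
    print("clients routed via MGMT:", audit(ROUTES, ["192.0.2.50", "192.0.2.51"]))
```

The lookup depends only on the destination address, so in this model every packet addressed to the admin PC, browsing responses included, takes the MGMT gateway, while a neighbouring client without a host route still uses the default route.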