The Application Protection service on ProxySG is a comprehensive suite of security features specifically designed to protect web applications from various threats and vulnerabilities.
Because the Application Protection service is enabled (see the sysinfo excerpt below), the appliance keeps trying to connect to the backend and download the subscription file. Each attempt fails because the subscription has expired, and the resulting update errors lead to the "Critical" status seen.
!- BEGIN application_protection
application-protection ;mode
enable
exit
!- END application_protection
SG/ASG
From the eventlog:
Time Count/s Message
xxx xxx xx xxxx xx:xx:xx 1 Failed trying to download the Application Protection subscription file
xxx xxx xx xxxx xx:xx:xx 1 Failed trying to download the Application Protection subscription file
xxx xxx xx xxxx xx:xx:xx 1 Failed trying to download the Application Protection subscription file
xxx xxx xx xxxx xx:xx:xx 1 Failed trying to download the Application Protection subscription file
xxx xxx xx xxxx xx:xx:xx 1 Failed trying to download the Application Protection subscription file
xxx xxx xx xxxx xx:xx:xx 1 Failed trying to download the Application Protection subscription file
xxx xxx xx xxxx xx:xx:xx 1 Failed trying to download the Application Protection subscription file
Further checks would show that the license for Web Application Protection (WAP) is inactive/expired, which is why the appliance cannot download database updates for Application Protection.
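A triage check for the condition described above, as an added example that is not part of the original article or of Broadcom's tooling: it reads a sysinfo dump, checks whether the application_protection config section is enabled, and counts the download-failure messages. The sample input and its timestamps are constructed, and the `threshold` parameter and the appearance of `disable` in sysinfo are assumptions.

```python
import re

# Message text as it appears in the event log excerpt on this page.
FAIL_MSG = "Failed trying to download the Application Protection subscription file"
# Section markers as in the sysinfo excerpt; the leading '!' is optional on BEGIN.
SECTION = re.compile(
    r"^!?- BEGIN application_protection[ \t]*\n(.*?)^!- END application_protection",
    re.S | re.M,
)

def service_enabled(sysinfo: str) -> bool:
    """True if the application_protection config section ends in 'enable'."""
    m = SECTION.search(sysinfo)
    if not m:
        return False
    state = False
    for line in m.group(1).splitlines():
        word = line.split(";")[0].strip()   # drop ';mode'-style annotations
        if word in ("enable", "disable"):   # 'disable' in sysinfo is an assumption
            state = word == "enable"
    return state

def download_failures(text: str) -> int:
    """Count event log lines reporting a failed subscription download."""
    return sum(FAIL_MSG in line for line in text.splitlines())

def triage(sysinfo: str, threshold: int = 3) -> str:
    """Classify the appliance; threshold is a hypothetical tuning value."""
    enabled, fails = service_enabled(sysinfo), download_failures(sysinfo)
    if enabled and fails >= threshold:
        return "enabled-and-failing"   # next step: check WAP subscription expiry
    return "enabled" if enabled else "not-enabled"

# Constructed sample: config section from the page plus made-up timestamps.
SAMPLE = """!- BEGIN application_protection
application-protection ;mode
enable
exit
!- END application_protection
2024-01-01 00:00:01 1 Failed trying to download the Application Protection subscription file
2024-01-01 01:00:01 1 Failed trying to download the Application Protection subscription file
2024-01-01 02:00:01 1 Failed trying to download the Application Protection subscription file
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(SAMPLE.replace("\nenable\n", "\ndisable\n")))
```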
Resolution: Renew the Web Application Protection subscription, which has been expired since 2022-06-27. Please engage Broadcom Sales for help with the subscription renewal process. After the renewal, return to the CLI of the appliance, ensure the Application Protection service is enabled using the "#(config application-protection) enable" CLI command, and then use the "#(config application-protection) download get-now" CLI command to download the Application Protection subscription file for the database update.
Additional Doc.: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/learnabout/optimizepolicy/prerequisites2.html
Workaround: Disable the Application Protection service on the appliance, using the "#(config application-protection) disable" CLI command, to prevent the appliance from attempting to download the Application Protection subscription file/update.
For reference, please see the Tech. Doc. with the URL below.