Cloud SWG (formerly WSS) Ingress and Egress IP addresses
search cancel

Cloud SWG (formerly WSS) Ingress and Egress IP addresses

book

Article ID: 167174

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

  • What are the IP addresses used to connect to the Symantec Cloud SWG?
  • What are the data center names and locations?
  • What are the Cloud SWG IP addresses and ranges that have to be permitted on firewalls?
  • What is a Localization Zone and where are they located?
  • What are the Cloud SWG ingress and egress IP subnet ranges?
  • What are the IP addresses used by integrated services, such as Web Isolation?

Resolution

Best Practices based on Connection Type (Access Method)

IPsec

For fault tolerance, fixed site backup connections must have IPsec tunnels to a physically separate compute region relative to your primary site, as well as:

  • Only IPsec connections should redirect traffic to an IP address.  All other connections should use Cloud SWG data center hostnames.
  • IPsec connections are only accepted by the IPsec specific ingress IP addresses in the table below.
  • IPsec configurations should have dead peer detection (DPD) enabled and a tunnel monitor (ie, IPSLA) configured.
  • IPsec phase 1 lifetime should be 24 hours, and phase 2 lifetime should be four hours.
    • IKEv2 FQDN phase 2 lifetime should be 50 minutes.
  • IPsec backup tunnels should never point to the same "compute POP" (data center) that the primary tunnel is going to.

Explicit over IPsec

Explicit traffic redirection within an IPsec tunnel to Cloud SWG should always point to ep.threatpulse.net:80 .  For additional information, please see the online documentation.

Explicit and Proxy Forwarding

For optimal performance and fault tolerance, explicit traffic should be redirected to proxy.threatpulse.net:8080.  This hostname automatically resolves to the nearest Cloud SWG data center based on the geo-location of the client's DNS resolver.  In the event of an outage (including planned maintenance), users will be automatically redirected to the nearest available data center.

Should the need to avoid geo-location services with explicit exist, the following Cloud SWG explicit IP addresses indicate the hosts an admin can point to for explicit or proxy forwarded traffic.

SEP Web and Cloud Access Protection

  • Explicit Mode (Pac File): For optimal performance and fault tolerance, explicit traffic should be redirected to sep-wtr.threatpulse.net:8080. This hostname automatically resolves to the nearest Cloud SWG data center based on the geo-location of the client's DNS resolver.  No manual configuration is required.
  • Tunnel Mode: Nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address.  No manual configuration is required.

WSS Agent

Nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address. No manual configuration is required. It is imperative that firewalls allow traffic between the agents and the Cloud SWG Ingress and egress ranges specified below.

 

IP Addresses for Cloud SWG-Integrated Services

 

Cloud SWG Portal
portal.threatpulse.com 35.245.151.224
34.82.146.64
Cloud Traffic Controller (CTC) 

Primary: ctc.threatpulse.com

Secondary: ctc-uat.threatpulse.com

Note: Use the secondary CTC endpoint service to route a subset of traffic from a different egress IP address. See Test Agent Traffic From a New Egress IP Address.

Primary: 130.211.30.2

Secondary: 34.110.245.218

Auth Manager
auth.threatpulse.com 35.245.151.226
34.82.146.65
PAC File Management Service
pfms.wss.symantec.com 34.120.17.44

 

Cloud SWG ingress and egress IP addresses

Note:  The "ingress ranges" in the third column are also the Cloud SWG "egress ranges".

Location (codename) Compute region Ingress IP address (IPsec and trans-proxy) Ingress and egress ranges for other access methods and for auth connector
AMERICAS
Buenos Aires, Argentina (GARBA)
Localization zone
Sao Paulo, Brazil 34.95.226.164 34.95.226.0/24
Columbia, South Carolina (GUSCO)
Dedicated IP site
Columbia, South Carolina 168.149.137.164 168.149.135.0/24
168.149.137.0/24
168.149.138.0/24
168.149.139.0/24
168.149.140.0/24
168.149.141.0/24
Dallas, Texas (GUSDA) Dallas, Texas 168.149.128.164 168.149.128.0/24
Des Moines, Iowa (GUSDM)
Dedicated IP site
Des Moines, Iowa 199.247.42.164

199.247.32.0/24
199.247.33.0/24
199.247.42.0/24
199.247.43.0/24
199.247.44.0/24
199.247.45.0/24
199.116.168.0/24
199.116.169.0/24
199.116.170.0/24
199.116.171.0/24
199.116.173.0/24
148.64.31.0/24
170.176.247.0/24

Las Vegas, Nevada (GUSLV)

Las Vegas, Nevada

168.149.133.164 168.149.133.0/24
168.149.160.0/24
Los Angeles, California (GUSLA)
Dedicated IP site

Los Angeles, California

199.19.248.164 148.64.18.0/24
199.19.248.0/24
Mexico City, Mexico (GMXMC)
Localization zone
Los Angeles, California 170.176.246.164 170.176.246.0/24
Montreal, Canada (GCAMO)
Dedicated IP site
Montreal, Canada 199.19.253.164

199.19.253.0/24
148.64.21.0/24

Portland, Oregon (GUSPO) Portland, Oregon 170.176.241.164 170.176.241.0/24
168.149.164.0/24
148.64.16.0/24
Sao Paulo, Brazil (GBRSP)
Dedicated IP site
Sao Paulo, Brazil 34.95.130.164 34.95.130.0/24
34.95.146.0/24

Toronto, Canada (GCATO)
Dedicated IP site

Toronto, Canada 168.149.130.164 168.149.130.0/24
168.149.131.0/24
Washington, DC (GUSAS) Washington, DC 170.176.240.164

168.149.142.0/24
168.149.143.0/24
168.149.144.0/24
168.149.145.0/24
168.149.146.0/24
168.149.151.0/24
168.149.152.0/24
168.149.153.0/24
168.149.157.0/24
170.176.240.0/24

APAC

Auckland, New Zealand (GNZAU)
Localization zone

Sydney, Australia 168.149.170.164

168.149.170.0/24

Bangkok, Thailand (GTHBA)
Localization zone

Singapore See ingress/egress range for GSGRS

168.149.179.64/27

Beijing, China (ACNBJ) Beijing, China 52.131.103.144

52.131.103.144/28
52.131.113.48/28
52.131.113.80/28
52.131.113.128/28
52.131.113.144/28
52.131.113.176/28
52.131.113.192/28
52.131.113.208/28
52.131.113.224/28
52.131.113.240/28
52.131.114.0/28
52.131.114.16/28
52.131.114.32/28
52.131.114.48/28

Delhi, India (GINDE)
Dedicated IP site
Delhi, India 168.149.182.164

168.149.182.0/24
168.149.183.0/24
168.149.184.0/24
168.149.185.0/24
168.149.186.0/24
168.149.187.0/24
168.149.188.0/24
168.149.189.0/24

Hanoi, Vietnam (GVNHA)
Localization zone
Singapore See ingress/egress range for GSGRS

168.149.179.96/27

Hong Kong (GCNHK) Hong Kong 103.246.38.164

103.246.38.0/24

Islamabad, Pakistan (GPKIS)
Localization zone
Zurich, Switzerland -

34.65.98.0/24

Jakarta, Indonesia (GIDJK) Jakarta, Indonesia -

168.149.180.0/24

Kuala Lumpur, Malaysia (GMYKL)
Localization zone
Singapore See ingress/egress range for GSGRS

168.149.179.0/26

Manila, Philippines (GPHMA)
Localization zone
Jakarta, Indonesia See ingress/egress range for GIDJK

168.149.181.0/25

Melbourne, Australia (GAUME) Melbourne, Australia 168.149.190.164

168.149.190.0/24
168.149.191.0/24
34.129.99.0/24

Mumbai, India (GINMU)
Dedicated IP site
Mumbai, India 148.64.4.164

148.64.1.0/24
148.64.4.0/24
148.64.5.0/24
148.64.7.0/24
148.64.12.0/24
148.64.13.0/24
168.149.165.0/24
168.149.166.0/24
168.149.167.0/24
168.149.168.0/24
168.149.169.0/24
168.149.172.0/24
168.149.173.0/24
168.149.174.0/24

Osaka, Japan (GJPOS) Osaka, Japan 98.158.245.164

98.158.245.0/24
98.158.246.0/24
103.9.96.0/24
103.9.97.0/24

Seoul, South Korea (GKRSE) Seoul, South Korea 168.149.154.164

168.149.154.0/24

Shanghai, China (ACNSH) Shanghai, China 40.72.119.208

40.72.119.208/28
40.72.119.224/28
52.130.200.0/28
52.130.200.16/28
52.130.200.48/28
52.130.200.64/28
52.130.200.96/28
52.130.200.128/28
52.130.200.144/28
52.130.200.176/28
52.130.200.192/28
52.130.200.208/28
52.130.200.224/28
52.130.200.240/28

Singapore (GSGRS)
Dedicated IP site
Singapore 103.246.37.164

103.246.37.0/24
148.64.3.0/24
168.149.178.0/24
168.149.150.0/24

Sydney, Australia (GAUSY)
Dedicated IP site
Sydney, Australia 103.246.36.164

103.246.36.0/24
170.176.245.0/24
148.64.2.0/24

Taipei, Taiwan (GTWTA) Taipei, Taiwan 168.149.155.164

168.149.155.0/24

Tokyo, Japan (GJPTK)
Dedicated IP site
Tokyo, Japan 223.29.216.164

223.29.216.0/24
223.29.217.0/24
223.29.218.0/24
223.29.219.0/24

EUROPE AND THE MIDDLE EAST

Abu Dhabi, UAE (GAEAD)
Localization zone

Mumbai, India 168.149.175.164

168.149.175.0/24

Amsterdam, the Netherlands (GNLAM)
Dedicated IP site
Amsterdam, the Netherlands 98.158.252.164

98.158.252.0/24

Ankara, Turkey (GTRAN)
Localization zone

Zurich, Switzerland 46.235.158.192

46.235.158.192/26

Athens, Greece (GGRAT)
Localization zone
Frankfurt, Germany See ingress/egress range for GROBU

46.235.156.128/27

Brussels, Belgium (GBEBR) Brussels, Belgium -

46.235.155.0/24
148.64.25.0/24

Bucharest, Romania (GROBU)
Localization zone

Frankfurt, Germany 168.149.148.164

168.149.148.0/24 

Copenhagen, Denmark (GDKCP)
Localization zone
Amsterdam, the Netherlands 148.64.14.164

148.64.14.0/24

Dover, England (GGBDO)
Localization zone
Dedicated IP site

Brussels, Belgium 148.64.24.164

148.64.24.0/24
109.68.59.0/24
109.68.60.0/24
109.68.61.0/24
109.68.62.0/24
170.176.242.0/24

Dubai, UAE (GAEDX)
Localization zone

Zurich, Switzerland -

34.65.98.0/24

Dublin, Ireland (GIEDU)
Localization zone
London, England 148.64.15.164

148.64.15.0/24

Frankfurt, Germany (GDEFR)
Dedicated IP site
Frankfurt, Germany 199.247.38.164

199.247.34.0/24
199.247.38.0/24
199.247.39.0/24
199.247.40.0/24
199.247.41.0/24

Helsinki, Finland (GFIHE) Helsinki, Finland 168.149.149.164

168.149.149.0/24

Lisbon, Portugal (GPTLI)
Localization zone
Zurich, Switzerland See ingress/egress range for GESMA and GESTO

46.235.158.96/27

London, England (GGBLO)
Dedicated IP site
London, England 148.64.26.164

148.64.9.0/24
148.64.26.0/24
148.64.27.0/24
148.64.28.0/24
148.64.29.0/24
148.64.30.0/24
46.235.152.0/24
46.235.154.0/24

Madrid, Spain (GESMA)
Localization zone
Dedicated IP site
To be retired:  TBD
Zurich, Switzerland 185.180.48.164

185.180.48.0/24
185.180.51.0/24

Madrid, Spain (GESTO)
Dedicated IP site
New:  Coming soon (Date TBD)
Madrid, Spain 168.149.147.164

168.149.147.0/24

Manama, Bahrain (GBHMA)
Localization zone
Mumbai, India See ingress/egress range for GAEAD

148.64.6.64/27

Milan, Italy (GITMI)
Dedicated IP site
Localization zone
To be retired:  January 31, 2024
Frankfurt, Germany 46.235.159.164

46.235.159.0/24
148.64.10.0/24

Milan, Italy (GITMO)
Dedicated IP site
New:  Coming soon - January 10, 2024
Milan, Italy 185.180.49.164

185.180.49.0/24

Nicosia, Cyprus (GCYNI)
Localization zone
Frankfurt, Germany See ingress/egress range for GROBU

46.235.156.64/27

Oslo, Norway (GNOOS)
Localization zone
Helsinki, Finland 109.68.63.164

109.68.63.0/24

Paris, France (GFRPA)
Localization zone
Dedicated IP site
To be retired:  TBD
Brussels, Belgium 46.235.153.164

46.235.153.0/24
148.64.19.0/24
168.149.163.0/24

Paris, France (GFRVE)
New:  Coming Soon (Date TBD)
Paris, France 199.116.172.1

199.116.172.0/25

Riyadh, Saudi Arabia (GSARI)
Localization Zone

Mumbai, India 148.64.6.1

148.64.6.0/26

Stockholm, Sweden (GSESK)
Localization zone
Helsinki, Finland 199.247.35.164

199.247.35.0/24

Tel Aviv, Israel (GILTA) Tel Aviv, Israel 198.135.125.164

198.135.125.0/24

Valletta, Malta (GMTVA)
Localization zone
Frankfurt, Germany See ingress/egress range for GITMI and GITMO

46.235.156.160/27 > RETIRING on March 18, 2024
34.154.50.128/27 > NEW on March 4, 2024

Vienna, Austria (GATVI)
Localization zone
Frankfurt, Germany See ingress/egress range for GDEFR

46.235.156.32/27

Warsaw, Poland (GPOWA) Warsaw, Poland 103.9.99.164

103.9.99.0/24

Zurich, Switzerland (GCHZU) Zurich, Switzerland 148.64.11.164

148.64.11.0/24

AFRICA

Abuja, Nigeria (GNGAB)
Localization zone

Zurich, Switzerland See ingress/egress range for for GESMA and GESTO

46.235.158.64/27

Accra, Ghana (GGHAC)
Localization zone

Zurich, Switzerland See ingress/egress range for GESMA and GESTO

46.235.158.0/27

Algiers, Algeria (GDZAL)
Localization zone

Frankfurt, Germany See ingress/egress range for GITMI and GITMO

46.235.156.0/27 > RETIRING on March 18, 2024
34.154.250.192/27 > NEW on March 4, 2024

Cairo, Egypt (GEGCA)
Localization zone

Frankfurt, Germany See ingress/egress range for GROBU

46.235.156.96/27

Dakar, Senegal (GSNDA)
Localization zone

Zurich, Switzerland See ingress/egress range for GESMA and GESTO

46.235.158.128/27

Gaborone, Botswana (GBWGA)
Localization zone
London, England See ingress/egress range for GZAJB

109.68.57.32/27

Harare, Zimbabwe (GZWHA)
Localization zone
London, England See ingress/egress range for GZAJB

109.68.56.0/27

Johannesburg, South Africa (GZAJB)
Localization zone

London, England 109.68.58.164

109.68.58.0/24

Lilongwe, Malawi (GMWLI)
Localization zone

London, England See ingress/egress range for GZAJB

109.68.57.96/27

Luanda, Angola (GAOLU)
Localization zone

London, England See ingress/egress range for GZAJB

109.68.57.0/27

Lusaka, Zambia (GZMLU)
Localization zone

London, England See ingress/egress range for GZAJB

109.68.57.224/27

Maputo, Mozambique (GMZMA)
Localization zone
London, England See ingress/egress range for GZAJB

109.68.57.160/27

Nairobi, Kenya (GKENA)
Localization zone
London, England See ingress/egress range for GZAJB

109.68.57.64/27

Port Louis, Mauritius (GMUPL)
Localization zone
London, England See ingress/egress range for GZAJB

109.68.57.128/27

Rabat, Morocco (GMARA)
Localization zone
Zurich, Switzerland See ingress/egress range for GESMA and GESTO

46.235.158.32/27

Tunis, Tunisia (GTNTU)
Localization zone
Frankfurt, Germany See ingress/egress range for GITMI and GITMO

46.235.156.192/27 > RETIRING on March 18, 2024
34.154.50.192/27 > NEW on March 4, 2024

Windhoek, Namibia (GNAWI)
Localization zone
London, England See ingress/egress range for GZAJB

109.68.57.192/27

POP Types

Compute POP - Otherwise known as a data center, a point of presence that contains physical compute infrastructure.

Localization Zones - Provide an improved user experience by localizing content requests for countries where there is no Cloud SWG compute POP.

Dedicated IP Sites

The Dedicated IPs feature is a cloud-native solution where Broadcom provides tenant-dedicated IPs in Cloud SWG data centers.  The sites that host dedicated IPs are denoted in the table above with the "Dedicated IP sites"  label below the site location and codename.

 

Additional Information

The Cloud SWG service now has a service points URL that can be used to retrieve our IP address space for all hosts, including the Portal, authentication, PFMS, CTC and so forth.  The service points URL is https://servicepoints.threatpulse.com/ and is a JSON formatted document.  Please note that the auth connector (aka bcca.exe) connects to IP addresses within the egress IP address range.