Symantec is making an update that will affect all Hosted Reporting customers. As part of a continuous program to improve the security posture of Symantec services and products, several outdated TLS ciphers are being removed from the secure upload service. 

This requires that the Server Key associated with the service be rotated, and all customers must trust a new Server Key on their Edge SWG (ProxySG) devices or in scripts. The process is manual, but you can complete it at any time in advance of the key rotation with no outages or restarts needed. If the new key is not trusted at the point the key is rotated, uploads to the hosted reporting service fail until the new key is trusted. 

Note that you only need to configure this for the IP address of the regional upload host you are using.

The list of hosts/IP addresses can be found here: Cloud Web Gateway - Reporting Migration to the Google Cloud Platform

Update

This change was performed / completed on March 14, 2024.

Use this method if you must update the key on Edge SWG devices (versions 6.7.x or 7.x) individually.

Enter the following command using the supplied fingerprint 

1. SSH to the device and log in to the CLI.
2. Enter the following commands:

   enable conf t ssh-client known-hosts add "<ip_address> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCVrqT1fYotBRzv3c0SZwfh5y1ML52rKpKfK602k48PcTvpEgCplPl5cD2Hb3o0c3LmCt8Cd80tBG/qciMq+IIQ/Ot5YG1rAVbhA2eEJQwoq2igkZN24Uz2rivPmbT9U2A/r/vQPB8DlGq6RjFEJGMOWQAA5ABGGMGkkaCKJgvWd5REwkkLNGZPe3fvlnGfNruS5CW+AsVKA/U9+NTkIuEV9xKi+5LtmNIQcjhh+EM4xXC1OLNdtbv/qU7jDUvDj1jsPEL/MIJUcaednv5LTis7WrA1V6Qy4r0e7otI0Z0ymByOw4kBMhPk7h69EHhHSIIsCxWuaSQ+q8kQto5nGTz" exit exit

    

No reboot or service restart is required. After you add a valid key, the device checks the SCP server's SSH-RSA fingerprint against the key when an access log upload is attempted. 

Update the Key Using a Script 

Use this method if you manage Edge SWG devices through the Management Center.

1. In the Management Center UI, select Configuration > Scripts.    
   
   
   
   
2. Select Add > Add Script.
3. On the Add Script dialog that opens, name the script and select ProxySG as the device type.
   
   
   
   
4. Click Save.
5. In the script editor that opens, paste the commands to add a fingerprint:
   

   enable conf t ssh-client known-hosts add "<ip_address> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCVrqT1fYotBRzv3c0SZwfh5y1ML52rKpKfK602k48PcTvpEgCplPl5cD2Hb3o0c3LmCt8Cd80tBG/qciMq+IIQ/Ot5YG1rAVbhA2eEJQwoq2igkZN24Uz2rivPmbT9U2A/r/vQPB8DlGq6RjFEJGMOWQAA5ABGGMGkkaCKJgvWd5REwkkLNGZPe3fvlnGfNruS5CW+AsVKA/U9+NTkIuEV9xKi+5LtmNIQcjhh+EM4xXC1OLNdtbv/qU7jDUvDj1jsPEL/MIJUcaednv5LTis7WrA1V6Qy4r0e7otI0Z0ymByOw4kBMhPk7h69EHhHSIIsCxWuaSQ+q8kQto5nGTz" exit exit

   Refer to the following example:
   
   
   

6. Select Save > Save.
7. (Optional) Run this script immediately on devices by clicking Execute on Device.
8. On the Execute Script dialog that opens, choose the devices that should receive these commands and click Execute.