
Deployment of SWG on the outside of the firewall

Created: 29 Apr 2010 | 9 comments
MortenT wrote:

Hi,

I deployed SWG on the outside of the firewall. The customer has used this deployment method before on an old scan product. Traffic is flowing through the box, but I cannot connect to the threat center or validate/update the license. I can ping internet addresses.
I did a traceroute to liveupdate.symantecliveupdate.com and ended up tracing to a different IP that does not belong to liveupdate.symantecliveupdate.com.
Any idea what might cause this to happen?


MortenT wrote:

Here is a picture of the deployment:

The switches that the SWG sits between are actually one switch with VLANs for inside and outside. The LAN interface of the SWG is connected to the inside VLAN and the WAN interface is connected to the outside VLAN. The SWG itself is configured with a public inline IP address and an internal management IP address.
Is this the right way to do it?

Sergi Isasi wrote:

Sounds right. A couple of questions:

I assume the SWG's default gateway is the IP address of the external or ISP switch?
Is the SWG giving you any warning message about the Default Gateway not existing?
Are there any proxies that SWG must be configured to use for internet access?
Can you ensure that the following hosts/ports are available for SWG access?
http://liveupdate.symantec.com 80
http://liveupdate.symantecliveupdate.symantec.com 80
https://threatcenter.symantec.com/ 443

Senior Product Manager - Web Gateway
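The checklist above ends with three hosts and ports that the appliance must be able to reach. The following script is an added example and is not part of the thread or of the SWG product: it resolves each hostname and then attempts a TCP connection, so a DNS problem (the traceroute in the original post ending at an unexpected IP) and a blocked port are reported as separate findings rather than one generic failure. A successful ping, as the thread shows, does not prove that the HTTP/HTTPS ports are open. The `source_ip` parameter is an assumption for this example; it lets you bind the check to the address of the interface the appliance actually uses for updates, which the thread later identifies as the management interface.

```python
"""Reachability check for the Symantec update and threat-center hosts listed in the thread.

Added example, not code from the thread or the product. Run it from the
network segment (and ideally the source address) the appliance's management
interface uses, so that the test follows the same firewall path.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hosts and ports copied from Sergi's checklist above.
SYMANTEC_ENDPOINTS: List[Tuple[str, int]] = [
    ("liveupdate.symantec.com", 80),
    ("liveupdate.symantecliveupdate.symantec.com", 80),
    ("threatcenter.symantec.com", 443),
]


def tcp_connect(ip: str, port: int, timeout: float = 5.0,
                source_ip: Optional[str] = None) -> bool:
    """Return True if a TCP handshake to ip:port completes within timeout.

    source_ip (assumed parameter for this example) binds the socket to a local
    address, e.g. the management interface, so the check takes the same route
    the appliance does rather than whatever the default route chooses.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if source_ip:
            s.bind((source_ip, 0))
        try:
            s.connect((ip, port))
            return True
        except OSError:
            return False


def check_endpoint(host: str, port: int,
                   resolve: Callable[[str], str] = socket.gethostbyname,
                   connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, object]:
    """Resolve host, then try a TCP connect; report the two steps separately.

    resolve and connect are injectable so the logic can be exercised offline.
    """
    result: Dict[str, object] = {"host": host, "port": port, "ip": None,
                                 "dns_ok": False, "tcp_ok": False, "error": None}
    try:
        ip = resolve(host)          # socket.gaierror is a subclass of OSError
    except OSError as exc:
        result["error"] = f"DNS: {exc}"
        return result
    result["ip"] = ip
    result["dns_ok"] = True
    if connect(ip, port):
        result["tcp_ok"] = True
    else:
        # Name resolved but the port is unreachable: look at the firewall,
        # not at DNS. Check which interface and gateway the appliance uses.
        result["error"] = f"TCP connect to {ip}:{port} failed"
    return result


def check_all(endpoints: List[Tuple[str, int]] = SYMANTEC_ENDPOINTS,
              resolve: Callable[[str], str] = socket.gethostbyname,
              connect: Callable[[str, int], bool] = tcp_connect) -> List[Dict[str, object]]:
    """Run check_endpoint over every (host, port) pair."""
    return [check_endpoint(h, p, resolve, connect) for h, p in endpoints]


def all_reachable(results: List[Dict[str, object]]) -> bool:
    """True only if every endpoint resolved and accepted a TCP connection."""
    return all(r["dns_ok"] and r["tcp_ok"] for r in results)


def format_result(r: Dict[str, object]) -> str:
    """One line per endpoint: host:port -> ip, DNS/TCP status, error if any."""
    status = "OK" if r["tcp_ok"] else ("DNS ok, TCP FAIL" if r["dns_ok"] else "DNS FAIL")
    line = f"{r['host']}:{r['port']} -> {r['ip'] or '-'} [{status}]"
    return line + (f" ({r['error']})" if r["error"] else "")


if __name__ == "__main__":
    results = check_all()
    for r in results:
        print(format_result(r))
    print("all reachable" if all_reachable(results) else "one or more endpoints unreachable")
```

If the DNS step fails, or the resolved address is not one you expect for that hostname, look at the DNS servers configured on the appliance before touching firewall rules; if the name resolves but the TCP connect fails, the firewall between the management interface and the internet is the first place to look.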

MortenT wrote:

Yes, the SWG default gateway is the IP address of the ISP switch. I saw a message about the default gateway not existing a couple of times. Sometimes it would pop up, other times it didn't. I was able to ping the default gateway from the SWG. There is no proxy needed for internet access.
How can I check access to these sites from the SWG? Would just browsing to them from the LAN prove that it is working?

Sergi Isasi wrote:

Sounds like there is some intermittent issue with the default gateway IP if the error is popping up at some times and not others. Does the switch directly connected to the SWG LAN port have an IP address? Perhaps try that as the DFGW for SWG?

Checking access to the sites via SWG just requires pressing the 'Test Connection to Symantec Threat Center' button under the Admin Configuration -> Networks tab.

Senior Product Manager - Web Gateway

MortenT wrote:

No IP address on the switch. After some testing we found out that the box uses the management interface for updates. Needed some openings in the firewall for it to work.
So what exactly is the inline IP used for?

Since the SWG is deployed outside the firewall, what would we need to put in "static routes" and "internal networks"?

reezalms wrote:

Hi,

I had the same problem, where the SWG appliance keeps popping up the error "default gateway not exist", and currently the SWG is unable to connect to Symantec Threat Center even though a PING test to other websites is fine.
Any idea?

MortenT wrote:

Hi,

Check if your management port is allowed to communicate with Symantec Threat Center. Open HTTP/HTTPS from the management IP to Symantec Threat Center in your firewall.

Andinista wrote:

Hi, I have the same problem. I tried connecting directly to my ISP router with the correct DFGW, and the error always appears, but internet access is always available.
I don't have any idea....

Mahesh Roja wrote:

Maybe a DNS issue.

If this Info helps to resolve the issue please Mark as Solution

Thanks