New Secure Web Gateway Appliances / Software Platform FAQ

Sales Guide
Version 2.0
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.
Copyright © 2020 Broadcom. All Rights Reserved.
The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit
www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does
not assume any liability arising out of the application or use of this information, nor the application or use of any product or
circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
New Appliance Overview/Sales Questions
November 2020 Update to this FAQ : Content Analysis is now supported on the new SSP-S410 SWG Hardware
Appliances and is available through Enterprise Licensing.

What have we just released/announced?

Broadcom has recently released new, advanced hardware to replace Symantec ProxySG and Reverse Proxy appliances.
This new hardware platform will run ProxySG and will now run Content Analysis. Content Analysis was just added in
November 2020

What does the new hardware offer? What are the benefits of the new hardware?

1. Separation of Hardware and Software - This separation optimizes the customer’s upgrade experience as
hardware and software components may follow separate upgrade paths and enhancements can be adopted more
quickly.
2. Flexible licensing and portability - The new hardware supports the new Enterprise Licensing (see below)
3. Easier scalability - Add capacity as needed, where and when you need it.
4. Significantly higher performance – When running Symantec Proxy, the new hardware will deliver 5 Gbps of
throughput with 90% of SSL traffic being encrypted, 8 Gbps of throughput with 25% of SSL traffic being
decrypted.
5. Simplified configurations - From 30 hardware appliance models (10 ProxySG, 10 Standard RP, 10 Advanced RP)
down to just four, without the need of upgrade kits. These four models also replace Content Analysis and ASG
appliances. Future announcements will be made regarding Content Analysis and ASG appliances.
6. Hardware consolidation - With the highest model SSP hardware, customers can achieve the same performance in
1U of rack space as they could in 8U of rack space using the previous SWG hardware (current SG-S500
appliances are 2U) - an 8X performance per Rack Unit improvement
7. Reduce Data Center Costs - With reduced footprint, customers can reduce requirements for rack space, power,
cooling and management.

What is SWG?

SWG stands for Secure Web Gateway, a market category term. It represents Symantec's family of web security products
built on an advanced proxy architecture and delivered on-premises, in the cloud, or as a hybrid of each. Symantec
ProxySG is the core component for on-premises deployment (physical and virtual appliances) and Web Security Service
(WSS) for cloud-delivered, web security. Some of these advanced features within the SWG family may be offered as an
integrated solution, or as a separate, complementary solution.
What is ProxySG?

ProxySG consolidates a broad feature-set that protects customers from the ever-increasing sophistication and volume of
threats in web traffic. Sitting between users and their interactions with the Internet, ProxySG inspects content to identify
malicious payloads and then filter, strip, block or replace web content to mitigate risks and prevent data loss. ProxySG
can be deployed on-premises and managed by a customer via an appliance or virtual appliance. Customers can also
deploy it in public or private clouds (Google, AWS, Microsoft). Similar services (driven by ProxySG code) are also
available as a hosted service through Web Security Service.

What is Content Analysis?

Together with the ProxySG or Symantec Messaging Gateway, Content Analysis blocks known threats, sources and
signatures and centrally analyzes unknown content. Content Analysis is a sophisticated, multi-layer inspection platform
that combines reputation services, white and blacklisting, static code file analysis, machine learning, dual anti-malware
signature inspection engines and on-box or cloud sandboxing to protect against known and unknown threats. Integration
with Symantec Security Analytics, Endpoint Protection Manager and many other third-party security technologies enables
threat validation, inoculation and swift remediation across the network, cloud and endpoint.

Symantec Content Analysis is often deployed in conjunction with ProxySG and can now be deployed on the same SSP-
S410 SWG appliances.

What is ASG?

ASG stands for Advanced Secure Gateway and is a physical appliance that combines ProxySG with Symantec Content
Analysis. With Content Analysis now on the new hardware platform, customers can achieve the same functionality as the
ASG Appliances. Eventually, the ASG appliances will no longer be sold.

What is ISG?

ISG stands for Integrated Secure Gateway. ISG is a component of the new SWG software architecture that enables the
separation of the hardware from the software. It allows the customer to take the same SWG module and license and
deploy it on hardware, as a virtual appliance or in a cloud environment. Through the ISG framework, customers can
deploy Symantec’s Proxy or Content Analysis solution to the new SSP hardware platform (see below). Proxy and Content
Analysis can be deployed independently on the hardware or together in a similar configuration to what ASG has provided.
Note: ISG is NOT a term that will be marketed prominently as it is an element of the operating system and
deployment mechanism. You may have heard ISG used internally in recent months and an upcoming “ISG launch”. We
have to be careful that we focus our messaging and positioning with customers around our Secure Web Gateway
solution. Secure Web Gateway is an industry-recognized term and continues to be how analysts, customers and partners
refer to the Symantec Web Security product family. What we are delivering are advancements to both our SWG hardware
and software solutions.

What is SSP?

SSP represents the new multi-function hardware platform. In the past, SKUs were prefixed with the product, such as SG-
xxx and CAS-xxx. With the new platform, SKUs are branded with a generic SSP before the model number to distinguish
them from the previous SWG hardware. While we won’t be broadly using the acronym in messaging/marketing, SSP
stands for Symantec Security Platform.

Available SSP Models The SSP S410-40 will

provide the equivalent
SSP-S410-10 performance of four SG-
S500-20 appliances.
SSP-S410-20

SSP-S410-30

SSP-S410-40

What appliances does the new hardware replace?

The new hardware initially replaces the ProxySG Appliances (Reverse Proxy and WAF included) and is also an option for
deploying Content Analysis (without on-premises sandboxing). It will replace the following hardware:

Hardware replaced by the SSP-S410

S200 Series S400 Series S500 Series

SG-S200-XX SG-S400-XX SG-S500-XX

ASG-S200-XX ASG-S400-XX ASG-S500-XX

CAS-S200-XX CAS-S400-XX SG-S500-XX

With Content Analysis now available on the ISG framework, customers can replace older Content Analysis and ASG
appliances with new SSP hardware and Enterprise Licensing. Legacy S-Series appliances (e.g. SG-S500-20) are still
available for a short time. Future announcements will be made regarding Content Analysis and ASG hardware End-of-
Life. Stay tuned.

Where can I find the pricing details of the new ISG platform and the various SSP models?

Pricing is available for quoting in CPQ and in the official price book.

What is the pricing of the new ISG platform and the various SSP appliance models?

Available
Available
Application
Application
Virtual CPU
Model MSRP Cores Memory (GB RAM)

S410-10 $ 29,995 16 32

S410-20 $ 39,995 32 80

S410-30 $ 59,995 48 160

S410-40 $ 89,995 64 320

What is the pricing of the enterprise license for SWG/Proxy, CAS and WAF?

SWG/Proxy: The Proxy Enterprise license (SKU: ISG-PR-SUB) is per CPU core annual subscription, and MSRP is
$10,000 per core/per year. Additionally, a license that includes Advanced Intelligence Services (IS-Advanced) is available
for $12,000/per core/per year (SKU: ISG-PR-ADV-SUB)

The Enterprise license includes all of the SG add-ons (ETAP, Flash, etc.) and BCIS-Standard.

RP/WAF: The Reverse Proxy Enterprise license is per CPU core annual subscription, and MSRP is $5,000 per core/per
year.

The Enterprise license includes all Reverse Proxy functionality and the following SG add-ons (Multi-tenant Policy,
Encrypted TAP, WAF Subscription, Geo-location).

Content Analysis (CAS): The CAS Enterprise License is also based on a per CPU core annual subscription, with an
MSRP of $1,500 per core/per year (SKU: ISG-CAS-SUB). CAS + Malware Analysis Service is also available on a per
core/per year subscription basis, with an MSRP of $1,840 per core/per year (SKU: ISG-CAS-MAAS-SUB). The SSP-S410
will also support CAS and Proxy on the same device, assuming the platform was sized for expansion.

What is happening to the S200, low-end series of hardware?

The SG-S200 appliance will follow the same End-of-Life (EOL) timeline as the larger SG appliances. Customers with an
SG-S200 appliance have a few options.

1. Upgrade to Symantec Web Security Service and achieve additional functionality

2. Deploy ProxySG as a Virtual Appliance
 3. Upgrade to the low end SSP S410-10 Appliance, and attach Content Analysis

What hardware upgrade path is Broadcom suggesting (guidance on mapping S-Series to replacing SSP model)?
The End-of-Life documents for the S200/400/500 appliances include recommended upgrade paths.

What are the prerequisites customers should prepare for when planning to migrate to the new platform? Run
SGOS version 6.7.5.3+, have Management Center version 2.4 in the network, transition from BCWF(WebFilter) to BCIS
(Intelligence Services), if needed.

What do my customers buy?

With the new platform, a customer will buy an SSP appliance (SSP-S410-10/20/30/40) depending on their throughput and
needed performance. They will purchase a license to Symantec ProxySG (SKU: ISG-PR-SUB) or Content Analysis (SKU:
ISG-CAS-SUB or ISG-CAS-MAAS-SUB) based on capacity and compute resources needed.

When will Content Analysis be available for deployment on the new hardware?

Content Analysis is now supported in the new SSP hardware. Malware Analysis is not currently supported on the new
hardware, so if customers need on-premises MA, they will need to purchase current S-Series hardware. Customers can
also purchase the cloud Malware Analysis Service in a combined subscription with Content Analysis (ISG-CAS-MAAS-
SUB)

Has licensing of ProxySG and Content Analysis changed with this release?

Yes. Licensing of the hardware (SSP-S410 appliances) will be separate from the licensing of the software components
(ProxySG, Reverse Proxy, Content Analysis). Customers can purchase through an Enterprise (subscription) license to the
software components or tie it to the hardware with a “Node-Lock” (perpetual) license. Note: Node-Lock licensing for CAS
is not yet available.

What is Enterprise Licensing?

With Enterprise Licensing, a customer buys the appropriate number of SSP-S410 appliances to accommodate their
needed throughput and performance. They then purchase their ISG Enterprise License based on CPU core count. This is
basically an annual subscription to the software with the flexibility to deploy as they see fit. They can deploy those
licenses on-premises on SSP hardware, as a virtual appliance on their hardware, or in their private cloud environment.

What benefits does Enterprise Licensing offer to customers?

Enterprise licensing is based on CPU core count and provides:

● Simplification of SWG Ordering - We have significantly reduced the number of SKUs for customers to order.
● Deployment Flexibility - Customers can transition from on-premises hardware (SSP appliances) to local
virtualization (ESX/KVM) or public cloud (AWS, Azure, Google Cloud), all with the same license.
● Improved Scalability - customers can easily add capacity within the same license, resize, aggregate or split
instances.
● Add-ons are now included - customers no longer need to manage entitlement/licensing to add-on
features/services (Intelligence Services, Encrypted Tap, etc.)
● Supports Disaster Recovery/High-Availability plans - The Enterprise License is based on usage. There is no need
to pay for licenses that just stay idle or purchase unused capacity in advance.
● Separation of CapEx (capital expense) and OpEx (operational expense) - This may provide tax benefits as the
hardware can be reported as a capital expense, and the software component (subscription) can be reported as an
operational expense.
What is included in the Enterprise License on the ISG platform?

An Enterprise License for Symantec’s proxy solution includes core proxy as well as additional capabilities that had
previously been a separate purchase item:

ISG SG Enterprise License (ISG-PR-SUB)

● SGOS Security Edition (all features)

● BCIS Standard (Intelligence Services Standard)
● Encrypted Tap license
● Flash Proxy license
● CachePulse
● Multi-Tenant Policy (only Enterprise licensing, not in node-locked?)
● Web Application Firewall
● CASB App Feed for visibility into cloud application use. (This will be added to Intelligence Services Standard)

Reverse Proxy/Web Application Firewall (WAF) Enterprise Licensing (ISG-WAF-SUB)

● Advanced Reverse Proxy edition

● WAF Subscription including Geolocation

Content Analysis Enterprise License (ISG-CAS-SUB)

● Core Content Analysis functionality
● File Inspection with Symantec AV and Advanced Machine Learning
● 3rd-Party AV add-ons are not included
● On-box sandboxing is not included

Content Analysis with Malware Analysis Service Enterprise Licensing (ISG-CAS-MAAS-SUB)

● Everything in the Content Analysis Enterprise License
● Malware Analysis as a Service (sandboxing)

What is a Node-locked License?

This license is for companies that require a traditional CapEx license where the software is part of the hardware purchase.
A Node-locked license is like a perpetual VA that has fixed capacity. It can only be used with the SSP-S410 and provides
a similar licensing model to what was previously available for the former S-series hardware. A single Node-locked SKU
will include the hardware and ProxySG software. Note that Encrypted Tap, Flash and CachePulse licenses are included in
Node-locked license. Multi-tenant Policy, WAF and Intelligence Services (IS) are separate when purchasing Node-locked
licensing.
Where can I get more information on Licensing?

Internal training for SEs has covered various aspects of the new hardware and licensing. For recordings and slides of
those training sessions visit Jive: https://symantec.jiveon.com/docs/DOC-75693 (Internal link to Broadcom SEs)

Licensing Guide – Link will be added when available

What should be my immediate next steps with a customer?

Now that SGOS 7.2 is available, you should follow these steps with your customer to prepare them for upgrading to new
hardware, software and licensing:

1. Meet with your customer to review all SGOS 7.2 benefits (new Management/UI/support for new protocols/etc.)
2. Ensure your customer is on SG6.7.4 to ensure support...but, 6.7.5.3 is preferred as it will support ISG.
3. Meet and schedule a Health Check on the entire Proxy environment for proper sizing on S410 Platform
4. Ensure your customer is on Management Center 2.4 (or later)
5. If the customer is still on BCWF, have a plan to migrate to BCIS (Intelligence Services)
6. Plan with the customer:
a. How much of their traffic is encrypted and how much is inspected today? Do they anticipate a greater
need to decrypt SSL/TLS traffic in the future?
b. Direct their upgrade or help them transition to adopt a best-practice policy

Once the customer has upgraded their software environment as above, what should I do?

1. Meet with your customer to review the EOS/EOL notification and the inventory of the remaining S-series. What
are their immediate needs?
2. Ensure your customers are on 6.7.5 to be able to quickly transition to the new capabilities on ISG
3. Show them the upgrade matrix – (This includes WSS as an option)
4. Smaller customers are a natural fit for WSS; larger customers have to mitigate risk in a data center transition and
need more runway before moving to the cloud
5. Review the key benefits of the new S410 hardware and ISG deployment options
a. Greater performance density
b. New SGOS 7.2 features, CASB visibility, add-ons now included in license
c. Flexibility – customers can migrate to cloud at their own schedule, or use Hybrid
d. Low CapEx, easy transition to OpEx (if customer needs CapEx, use node-locked license)
 e. Simplified – one standard hardware platform for Proxy, CAS, RP/WAF
6. Show lower TCO with S410, plan to transition customer maintenance budget to adopt S410