URLs that allow SEP and SES to connect to Symantec servers

Symantec Endpoint Protection (SEP) and Symantec Endpoint Security (SES) communicate with specific URLs that Symantec owns to perform multiple functions, such as validating licenses, submitting samples of suspicious files, and using file reputation security features.
You must allow the following URLs if you use one or more proxies in your environment to redirect the necessary traffic to the Symantec servers. You add the URLs listed to your proxy or perimeter firewall. Use remote ports 80 and 443. The direction is outbound.
Note: If your proxy is configured to perform SSL inspection, you must bypass SSL inspection for these URLs; otherwise some services, such as Insight, do not function due to pinned certificates.
SYMANTEC AGENT/SYMANTEC ENDPOINT PROTECTION CLIENT
The following table lists the required URLs for the Symantec Endpoint Protection client (also called the Symantec Agent), regardless of whether you manage the client from the Symantec Endpoint Protection Manager or the ICDm cloud console.
URLs for the Symantec Endpoint Protection client/Symantec Agent
| Purpose | URL | Port |
| --- | --- | --- |
| Agent Installation Package<br>Installation package for the cloud agent and definitions. | https://liveupdate.symantec.com<br>https://liveupdate.symantecliveupdate.com | 443 |
| Symantec reputation servers<br>Used by the client to retrieve the reputation of a file from Symantec servers. | https://ent-shasta.rrs.symantec.com | 443 |
| Symantec Endpoint Telemetry Information (SETI)<br>Sends data to Symantec about installation-related events, which includes information about how the customer base uses the product. | https://tses.broadcom.com<br>https://telemetry.broadcom.com | 443 |
| Sample telemetry submissions<br>Used for the client to upload telemetry data, if opted in.<br>These URLs accept samples of any detections that the clients make. If a client detects a threat, the client queries Symantec to see if a sample is needed. At this point, no formal definition has been created for this item yet. If a sample is not needed because a formal definition is already created, the client does not submit the sample. This query response system effectively reduces the network traffic that SEP creates, and makes SEP more responsive to new and emerging threats. | https://ent-shasta-mr-clean.symantec.com<br>https://central.ss.crsi.symantec.com<br>https://central.nrsi.symantec.com<br>https://central.avsi.symantec.com<br>https://central.b6.crsi.symantec.com<br>https://central.crsi.symantec.com | 443 |
| Ping submissions<br>Used for Symantec to judge the effectiveness of a set of definitions that are not yet taking any action, such as beta detections. This effectiveness is based on the number of "pings" each detection or definition creates. For example, if a detection creates multiple ping replies to Symantec, this detection may be a false positive detection and is investigated for effectiveness. This system and related URLs are part of Symantec's false positive avoidance system.<br>Ping submissions are based on the definition type (such as antivirus). | https://stnd-avpg.crsi.symantec.com<br>https://avs-avpg.crsi.symantec.com<br>https://stnd-ipsg.crsi.symantec.com<br>https://bash-avpg.crsi.symantec.com | 443 |
| Web pulse reputation server<br>Requests to URLs are first checked against the local Intelligence Services database on the proxy, or the local categorization cache on other Symantec products.<br>For 14.3 MP1 or later. | https://sp.cwfservice.net | 443 |
| Client Authentication Token (CAT) submissions<br>Used so that the client authenticates itself to Symantec and makes use of the reputation servers for Download Insight, for example. | https://tus1gwynwapex01.symantec.com | 443 |
| SymQual<br>Used to send information on data and crash dumps for processes to Symantec to help improve the product. | https://faults.qalabs.symantec.com (14.3 MP1 and earlier)<br>https://faults.symantec.com (as of 14.3 RU1) | 443 |
| Linux Agent | https://linux-repo.us.securitycloud.symantec.com (as of 14.3 RU1) | 443 |
To allow public SSL/TLS certificates from the existing DigiCert public roots, see: SSL/TLS OCSP and CRL in DigiCert new Web PKI hierarchy certificates
Additional URLs to allow for the hybrid-managed or cloud-managed Symantec Agent
| Purpose | URL | Port |
| --- | --- | --- |
| Symantec Cloud API gateway<br>If this URL is blocked, the client cannot invoke cloud APIs. | https://usea1.r3.securitycloud.symantec.com | 443 |
| Cloud notification service (SPOC)<br>Used to notify the client to check into the cloud services. | https://us.spoc.securitycloud.symantec.com | 443 |
| Cloud storage services<br>Used for the secure upload of large data files to the cloud. | https://us-east-1-s3-symc-prod-ses-shared-content.s3.amazonaws.com<br>https://us-east-1-s3-symc-prod-saep-cis.s3.amazonaws.com<br>*https://storage.googleapis.com | |
| Live Shell<br>Lets PowerShell run remotely on the agents. | https://ws.securitycloud.symantec.com<br>https://bds.securitycloud.symantec.com<br>https://us-east-1-s3-symc-prod-cdm-websocket.s3.amazonaws.com<br>*https://storage.googleapis.com | 443 |
MANAGEMENT CONSOLE
URLs to allow for Symantec Endpoint Protection Manager (on-premises)
| Purpose | URL | Port |
| --- | --- | --- |
| Telemetry | https://tses.broadcom.com<br>https://telemetry.broadcom.com | 443 |
| Licensing<br>Used to activate the license.<br>Used to verify if the license being used is current and active. | https://services-prod.symantec.com | 443 |
| Symantec LiveUpdate servers<br>Used for SEP to connect to for definition engine and content updates. | https://liveupdate.symantec.com<br>https://liveupdate.symantecliveupdate.com<br>If you use a proxy server and default LiveUpdate servers on SEPM, allow the following URLs with port 80 (no longer required in 14.3 RU1):<br>http://liveupdate.symantec.com<br>http://liveupdate.symantecliveupdate.com | 443 |
| Endpoint Protection Manager Windows definitions "Latest from Symantec"<br>Used for the retrieval of information about the latest definitions from Symantec. | https://www.broadcom.com/support/security-center | 443 |
Additional URLs to allow if the Symantec Endpoint Protection Manager is enrolled in the cloud console
| Purpose | URL | Port |
| --- | --- | --- |
| Symantec Cloud API gateway | https://usea1.r3.securitycloud.symantec.com | 443 |
| Cloud storage services<br>Used for the secure upload of large data files to the cloud. If this URL is blocked, Symantec Endpoint Protection Manager cannot upload device, device group, and events information to the cloud. | https://global-s3-cpe-prod-saep-hub.s3.amazonaws.com/<br>*https://storage.googleapis.com | 443 |
| Cloud notification service (SPOC) | https://us.spoc.securitycloud.symantec.com | 443 |
URLs to allow for accessing the Integrated Cyber Defense Manager (ICDm) cloud console
| Purpose | URL | Port |
| --- | --- | --- |
| ICDm cloud console | https://sep.securitycloud.symantec.com<br>https://avagoext.okta.com/ | 443 |
| Temporary area for the console to retrieve downloaded files<br>Location where the console retrieves a file that had been uploaded from an agent. | https://us-east-1-s3-symc-prod-saep-edr-samples.s3.amazonaws.com<br>*https://storage.googleapis.com | 443 |
| Live Shell | https://ws.securitycloud.symantec.com<br>https://bds.securitycloud.symantec.com<br>https://us-east-1-s3-symc-prod-cdm-websocket.s3.amazonaws.com<br>*https://storage.googleapis.com | 443 |
* In November 2020, SEP and SES are changing their data center provider from Amazon Web Services (AWS) to Google Cloud Platform (GCP). For the specific date of the migration, see the FAQ: Symantec Endpoint Protection Migration to Google Cloud Platform - FAQs. To prepare for this migration, you should allow the GCP URL now.
If these URLs are not allowed and a proxy or corporate firewall blocks access to them, these issues can occur:
  • Traffic to the Download Insight servers is blocked when using proxy servers with authentication defined by URL or .PAC proxy settings. As a result, Endpoint Protection cannot use the reputation data on the Download Insight servers to evaluate potential threats.
  • Licenses cannot be activated.
  • Symantec Endpoint Protection Manager (SEPM) cannot be enrolled with cloud services.
  • Symantec Endpoint Protection Manager is having trouble communicating with cloud services post enrollment.
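
One way to check a proxy policy against the two requirements above, outbound allow rules on ports 80/443 and an SSL-inspection bypass for every HTTPS URL. This is an added example, not Symantec's code: the URLs are a subset copied from this page, while the `pattern:port` rule syntax and the `ALLOW` and `TLS_BYPASS` lists are constructed for illustration.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Subset of the required URLs listed on this page (includes one port-80 entry).
REQUIRED_URLS = [
    "https://liveupdate.symantec.com",
    "https://liveupdate.symantecliveupdate.com",
    "https://ent-shasta.rrs.symantec.com",
    "https://tses.broadcom.com",
    "https://central.crsi.symantec.com",
    "https://sp.cwfservice.net",
    "*https://storage.googleapis.com",
    "http://liveupdate.symantec.com",
]

def endpoints(urls):
    """Turn URLs into sorted (host, port) pairs; the port defaults from the scheme."""
    out = set()
    for u in urls:
        parts = urlsplit(u.lstrip("*"))  # drop the page's footnote marker
        port = parts.port or (443 if parts.scheme == "https" else 80)
        out.add((parts.hostname, port))
    return sorted(out)

def covered(host, port, rules):
    """True if any 'pattern:port' rule (hypothetical syntax) matches host and port."""
    for rule in rules:
        pattern, _, rport = rule.rpartition(":")
        if int(rport) == port and fnmatch(host, pattern.lower()):
            return True
    return False

def audit(urls, allow_rules, tls_bypass_rules):
    """Return (hosts not allowed outbound, HTTPS hosts allowed but still SSL-inspected)."""
    blocked, inspected = [], []
    for host, port in endpoints(urls):
        if not covered(host, port, allow_rules):
            blocked.append(f"{host}:{port}")
        elif port == 443 and not covered(host, port, tls_bypass_rules):
            inspected.append(f"{host}:{port}")  # pinned-certificate services would fail
    return blocked, inspected

# Constructed proxy policy for the demonstration, not a real product's format.
ALLOW = ["*.symantec.com:443", "liveupdate.symantecliveupdate.com:443",
         "*.broadcom.com:443", "sp.cwfservice.net:443"]
TLS_BYPASS = ["*.symantec.com:443", "*.broadcom.com:443"]

if __name__ == "__main__":
    blocked, inspected = audit(REQUIRED_URLS, ALLOW, TLS_BYPASS)
    print("not allowed:", blocked, "| allowed but SSL-inspected:", inspected)
```

Export the real allow and bypass rules from your proxy into the two lists, and extend `REQUIRED_URLS` with the rows that apply to your deployment.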