You want to know why your top users report shows a"-" as a user name

There are requests going to the ProxySG that are not authenticated. There are two possible reasons for this:

1. Requests from applications that are not configured to use a proxy. Your policy may deny these requests, but the logged denied request does not have a username therefore shows up as "-". If you drill-in on the "-" user, you can see the sites being requested, the IP addresses they are coming from, and the user-agent making the request.
   
    
2. Denied requests from non-authenticated end users. If you are not using "force-authenticate" in your ProxySG policy, then any denied request that is evaluated before authentication will log without any username since the user was not yet authenticated before the deny.

The dash "-" is a representation of the number un-authenticated users on your ProxySG appliances.

A value of around 30 percent for such a user is considered normal.