There are requests going to the ProxySG that are not authenticated. There are two possible reasons for this:
- Requests from applications that are not configured to use a proxy. Your policy may deny these requests, but the logged denied request does not have a username therefore shows up as "-". If you drill-in on the "-" user, you can see the sites being requested, the IP addresses they are coming from, and the user-agent making the request.
- Denied requests from non-authenticated end users. If you are not using "force-authenticate" in your ProxySG policy, then any denied request that is evaluated before authentication will log without any username since the user was not yet authenticated before the deny.
The dash "-" is a representation of the number un-authenticated users on your ProxySG appliances.
A value of around 30 percent for such a user is considered normal.