There can be many reasons why valid users are logged as "guest" on the ProxySG, such as being caused by a misconfiguration or a client that doesn't support authentication in the manner presented by the proxy. However, this article points out a specific configuration setting that may cause unexpected logging and access.
The "invalid_surrogate" error, when selected in a Permit Authentication Errors action in policy, can automatically cause the ProxySG to log a valid user as "guest" after the surrogate (cookie, IP, or connection) from a previous authentication has expired.
For example, consider the following conditions to understand how this situation can occur:
Ultimately, this behavior is likely to be unexpected and can be considered a problem for user experience. To avoid this, the "invalid_surrogate" error needs to be deselected from the Permit Authentication Errors action in policy.
See 000008712 for steps on configuring "guest authentication". When configuring the Permit Authentication Errors action, do the following to deselect only "invalid_surrogate" so that all other errors required for guest authentication will be permitted.