This article assumes that another device has identified the ProxySG appliance as the source of an attack on a website. Further, the device gives the IP address of the destination, not the hostname.
If the ProxySG appliance is using its IP address when accessing the Internet (that is, the Reflect Client IP option is not being used), the simplest way to identify the source IP address of an attack is to add the destination IP address to a copy of the main Access Log. The modified Access Log will contain both the destination address being attacked and the client IP address that originated the requests to the destination.
A copy of the main Access Log is being used so that Reporter can be run on the original main Access Log. Reporter is sensitive to the format of the main Access Log being processed. Adding the destination IP address to the format of the main Access Log (bcreportermain_v1) could cause Reporter to fail.
When the ProxySG appliance is using its address as the source IP address for accessing the Internet, an outside device has no way to identify the true source address when an attack on a website occurs. Modifying a copy of the main Access Log by adding the destination IP address will allow the log to identify both the true source and destination of all requests. The default format of the main Access Log contains the hostname of the destination, not the IP address.
The steps to define the new Access Log follow:
Step 1: Define an Access Log format that contains the variables: