Reports do not show usernames for requests blocked by ProxySG policy

Article ID: 171527

Products

Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

Whether reports show usernames for blocked requests depends on the order in which denial and authentication occur in the policies you have defined. When the ProxySG appliance intercepts a client request, it uses the URL to determine the content category. If that category is blocked by your content filtering policies, the request is denied before the user has been authenticated, so the username is not available for logging. This is because Deny has precedence over authentication.

Resolution

To force requests to be authenticated even when they are denied, you must include the authenticate.force(yes) property in the <proxy> layer of policy. In the following example, requests for gambling websites will be denied before authentication occurs:


define subnet corporate_subnet
10.10.12.0/24
end

<proxy>
  client.address=!corporate_subnet deny ; filter out strangers
  authenticate(MyRealm) ; this has lower precedence than deny

<proxy>
  category=Gambling exception (content_filter_denied)


However, by adding the property authenticate.force(yes), you can ensure that authentication will occur before the request is denied, allowing you to log the usernames of the users who attempt to access gambling sites:


define subnet corporate_subnet
10.10.12.0/24
end

<proxy>
  client.address=!corporate_subnet deny ; filter out strangers
  authenticate(MyRealm) authenticate.force(yes) ; this has higher precedence than deny

<proxy>
  category=Gambling exception (content_filter_denied)
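
To confirm the change in the access log, the following added example (not part of the original article or of any Broadcom tooling) counts content_filter_denied records that were logged without a username. The sample lines are constructed, and the field list in the #Fields header is an assumed subset of the access log format configured on the appliance.

```python
import csv
from collections import Counter

# Constructed sample in ELFF layout. The field list is an assumed subset of the
# configured access log format; every address, user and host here is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username x-exception-id sc-filter-result cs-categories cs-host
2024-01-10 09:00:01 10.10.12.15 - content_filter_denied DENIED "Gambling" bets.example
2024-01-10 09:00:07 10.10.12.15 jdoe - OBSERVED "News" news.example
2024-01-10 09:01:12 10.10.12.22 asmith content_filter_denied DENIED "Gambling" bets.example
2024-01-10 09:02:30 10.10.12.40 - content_filter_denied DENIED "Gambling" casino.example
2024-01-10 09:02:31 10.10.12.40 - content_filter_denied DENIED "Gambling" casino.example
"""

def parse_elff(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#") and fields:
            # Space-delimited; double-quoted values may contain spaces.
            values = next(csv.reader([line], delimiter=" "))
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def denied_by_attribution(text, exception_id="content_filter_denied"):
    """Split denied records into (no-username counts per client IP, counts per user)."""
    anonymous, attributed = Counter(), Counter()
    for rec in parse_elff(text):
        if rec.get("x-exception-id") != exception_id:
            continue
        user = rec.get("cs-username", "-")
        if user in ("-", ""):
            anonymous[rec.get("c-ip", "?")] += 1  # denied before authentication
        else:
            attributed[user] += 1                  # username available for reports
    return anonymous, attributed

if __name__ == "__main__":
    anon, named = denied_by_attribution(SAMPLE_LOG)
    for ip, n in anon.most_common():
        print(f"{ip}: {n} denied request(s) logged without a username")
    print("denied requests with a username:", dict(named))
```

Run it against logs from before and after installing the policy: entries in the first counter are the requests that would appear in reports without a user.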