User groups information missing from Cloud SWG access logs when Proxy Forwarding access method enabled



Article ID: 276945


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet services via Cloud SWG using the Proxy Forwarding access method.

The Edge Proxy is set up to forward all HTTP/HTTPS traffic on TCP ports 8080, 8443 and 8084 as per the documentation.

Authentication is performed on the Edge Proxy.

The Edge Proxy is set up to forward the client IP address, username and groups in custom headers as per the documentation.

PCAPs taken on the Edge Proxy confirm that all three of the above headers are sent to Cloud SWG.

Users can access any secure web site successfully and policy is applied correctly.

When looking at the Cloud SWG access logs, however, every user request shows the correct client IP address and username, but the group information is missing, even though the BC_Auth_Groups HTTP header carried a base64-encoded string with the group details.

A SIEM downloads the access logs from the Cloud Proxy, and all relevant information, including the group info, needs to be logged.

Environment

Proxy Forwarding with Edge Proxy.

Client IP, user and group information sent into the Cloud Proxy via Edge Proxy policy.

Cause

The Cloud Proxy only logs group information for URLs where the user's groups are referenced in a policy.

Resolution

A group rule was added to the Cloud SWG content filtering policy that references the group sent in via the Edge Proxy HTTP headers.

Groups are only logged on the Cloud Proxy side if they are 'groups of interest', i.e. groups that are referenced in a policy.
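The following Python script is an added example, not part of this article or of any Symantec tooling. It performs the pre-deployment check implied by the Cause and Resolution above: decode the group header the Edge Proxy sends, and compare the groups it carries against the groups referenced in the Cloud SWG policy, so that any group missing from the policy (and therefore absent from the access logs) is flagged before the SIEM notices the gap. The article only states that BC_Auth_Groups carries a base64-encoded string with group details; the comma-separated plaintext layout, the sample group names and the sample policy group set are all assumptions constructed for the example.

```python
from __future__ import annotations

import base64
from typing import Iterable

# Constructed sample: the group header as the Edge Proxy would send it.
# The plaintext layout is an assumption (comma-separated group names);
# only the base64 encoding is stated in the article.
SAMPLE_GROUPS_PLAINTEXT = "CORP\\Finance,CORP\\All-Staff,CORP\\VPN-Users"
SAMPLE_HEADERS = {
    "BC_Auth_Groups": base64.b64encode(SAMPLE_GROUPS_PLAINTEXT.encode()).decode(),
}

# Constructed sample: groups referenced anywhere in the Cloud SWG content
# filtering policy. In practice, take these from your policy export.
POLICY_REFERENCED_GROUPS = {"CORP\\Finance"}


def decode_group_header(headers: dict, name: str = "BC_Auth_Groups") -> list[str]:
    """Decode the base64 group header into a list of group names.

    Returns an empty list when the header is absent, is not valid base64,
    or does not decode to UTF-8, so a malformed header is reported as
    'no groups' rather than raising.
    """
    raw = headers.get(name)
    if raw is None:
        return []
    try:
        plaintext = base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return []
    return [g.strip() for g in plaintext.split(",") if g.strip()]


def groups_not_logged(sent_groups: Iterable[str], policy_groups: set[str]) -> list[str]:
    """Return the groups the Edge Proxy sends that no policy references.

    Per the article, Cloud SWG only logs 'groups of interest', so these
    groups will be absent from the access log until a policy rule
    references them.
    """
    return sorted(set(sent_groups) - set(policy_groups))


if __name__ == "__main__":
    sent = decode_group_header(SAMPLE_HEADERS)
    missing = groups_not_logged(sent, POLICY_REFERENCED_GROUPS)
    print("groups sent by Edge Proxy:", sent)
    if missing:
        print("not referenced in policy, will not appear in access logs:", missing)
    else:
        print("all sent groups are referenced in policy")
```

Run it against the real header value captured in the Edge Proxy PCAP and the real list of groups referenced in the content filtering policy; every group it reports is one that needs a referencing rule added (as in the Resolution) before it will show up in the SIEM feed.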