if I correctly understand your question you are trying to find a way to get all authentication-bypassed IP addresses from last month? (sorry if I am wrong)
At first, there is no list or command available on MWG which shows bypassed requests based on a specific rule (e.g. in authentication rule set).
By default, an access log line looks like:
[07/Jan/2020:15:30:08 +0000] "" <clientIP> 200 "GET http://mwginternal.com/ HTTP/1.1" "Business, Software/Hardware" "Minimal Risk" "text/html" 575 356 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0" "" "0" ""
Between the timestamp at the beginning and the clientIP you see a "" which is the placeholder for the username (if authenticated). So if I get authentication, it would look like:
[07/Jan/2020:15:30:08 +0000] "Marcel" <clientIP> 200 "GET http://mwginternal.com/......"
So you can use your reporting solution to check for empty username but still you would NOT know where it was bypassed in the policy, so could be globally bypassed, in SSL scanning or in Authentication.
Further, there are 2 options I think.
Option1: Some users are manually setting an username.
<Authentication rule set start>
URL.Host equals www.google.com, Action: Stop Rule Set, Event: Set Authentication.Username = "Authentication Bypass"
<Authentication rule set end>
So, logging line would look like:
[07/Jan/2020:15:30:08 +0000] "Authentication Bypass" <clientIP> 200 "GET http://www.google.com.com/......"
If they now create a query/report with CSR (Content Security Reporter) or any other reporting solution, you can filter for the timerange and for the username = "Authentication Bypass" and you will get a list with all matching entries. In each line behind the username you will see the client IP address (so in your query/report you also need to display client IP address column of course).
Option2: MWG has a statistics DB but this does not contain information like "request A to website abc.com was bypassed in <rulename>".
Only logging is done in access log in above default logline format.
But it is also possible to create a new self-made log other than the default access log.
In authentication rule set you would configure something like:
<Criteria>, Action: Stop Rule Set, Event: <name of User-Defined-property> = Rules.CurrentRule.Name (e.g. "Bypassed IPs for Authentication") and Authentication.username = "Authentication Bypass"
In self-created log you would store any property/value information as you want. So you would log timestamp, username, client IP, URL, <name of User-Defined-property> and the log would look like:
[07/Jan/2020:15:30:08 +0000] "Authentication Bypass" <clientIP> "GET http://mwginternal.com/ "Bypassed IPs for Authentication"
If you have multiple bypass rules, a second log line could look like:
[07/Jan/2020:15:30:08 +0000] "Authentication Bypass" <clientIP2> "GET https://www.google.com/ "Bypassed IPs for Authentication 2"
and so on...
With this, you have a dedicated log which shows some basic information about authentication bypassed URL's only with the client IP addresses and requested URL's. This log can be hold and rotated/deleted on MWG or you can configure pushing to a share or FTP server as you probably do it with the access log.
In my opinion, first option (manually set username in bypass rule and then create a query/report filtered for time range and this username) should be enough and the easiest solution but you need to decide what you really need and whether it is worth the effort or not. Globally bypassed URL's have anyway no username, so if you manually set the username in authentication bypass rule only, it would be quit easy to identify them in a query/report.
Please let us know if you have further questions. I hope I did not make any mistake and my description is easy to understand! 😁
If you are running CSR, you can run a report there too. You can either use where there is no user name (user name does not exist) or a specific name if you set one for authentication bypass. Just run the report to show the Client IP and any other fields you want