It is possible for the following:
user authenticated by IP
user authenticated by destination site
global white list etc.
PS. Also depends on the version and configuration of WebGateway.
In addition to that, it could be the 407 authentication attempts that are being imported. They usually get excluded on import, but I've seen them leak in on older versions. I put a filter on the log import source of '\b407\b' to filter them out, out of habit.
The user name is a dash any time the request bypasses authentication. Most commonly this is due to rules set to bypass authentication because the client (such as Windows Update, Flash applications, etc.) could not do the proxy authentication.
It's true that HTTP status code 407 is a dash since the user hasn't authenticated, but I have never seen any issue where HTTP status code 407s are "leaked" or imported unless the log header doesn't match the body. There should be no need to filter 407s. I have never heard of such an issue, and I would suspect we would have received calls if there ever was.
Speaking specifically to your issue, since there is a lot of traffic associated with a single IP address and "-" for the username, I would say that you have a rule causing that IP address to bypass authentication. I assume this is from Web Gateway 7.x? If so, check your rules for criteria that may exclude IP addresses from reaching the authentication rule.
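An added example, not part of the thread or of any vendor tooling: a Python triage of access-log lines that separates "-" user entries caused by 407 challenges from those caused by an authentication bypass, counted per client IP. The log layout and sample lines are constructed assumptions; the script also reports lines where a whole-line `\b407\b` pattern matches a field other than the status.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed layout (not taken from the thread):
# [timestamp] "user" src_ip status "request line" bytes
SAMPLE_LOG = """\
[01/Jan/2024:10:00:01 +0000] "-" 10.0.0.5 407 "GET http://example.com/ HTTP/1.1" 312
[01/Jan/2024:10:00:02 +0000] "alice" 10.0.0.5 200 "GET http://example.com/ HTTP/1.1" 5120
[01/Jan/2024:10:00:03 +0000] "-" 10.0.0.9 200 "GET http://update.example.net/a.cab HTTP/1.1" 407
[01/Jan/2024:10:00:04 +0000] "-" 10.0.0.9 200 "GET http://update.example.net/b.cab HTTP/1.1" 9000
[01/Jan/2024:10:00:05 +0000] "Bypass" 10.0.0.9 200 "GET http://update.example.net/c.cab HTTP/1.1" 800
[01/Jan/2024:10:00:06 +0000] "-" 10.0.0.7 200 "GET http://example.org/item/407 HTTP/1.1" 640
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<user>[^"]*)" (?P<ip>\S+) (?P<status>\d{3}) '
    r'"(?P<request>[^"]*)" (?P<bytes>\d+)$'
)
LOOSE_407 = re.compile(r'\b407\b')  # the whole-line filter quoted in the thread


def triage(log_text):
    """Split dash-user lines into 407 challenges and authentication bypasses."""
    challenges, bypass_by_ip, loose_only = 0, Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers and malformed lines
        is_407 = m["status"] == "407"
        if LOOSE_407.search(line) and not is_407:
            loose_only.append(line)  # whole-line regex hits a non-status field
        if m["user"] != "-":
            continue  # authenticated, or labelled by a bypass rule
        if is_407:
            challenges += 1
        else:
            bypass_by_ip[m["ip"]] += 1
    return challenges, bypass_by_ip, loose_only


if __name__ == "__main__":
    challenges, bypass_by_ip, loose_only = triage(SAMPLE_LOG)
    print("407 challenges with '-' user:", challenges)
    for ip, n in bypass_by_ip.most_common():
        print(f"{ip}: {n} unauthenticated non-407 requests")
    print("non-407 lines matched by the whole-line pattern:", len(loose_only))
```

Adjust `LINE_RE` to the field order in your own log header before running it against real data.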
I haven't had time to investigate the source of our "dashes", but since we have a rule set up to authenticate with Active Directory I'm suspecting it may have something to do with non-domain users. Does that sound like a possibility?
But almost everybody has exceptions for authentication because not all web apps can perform proxy authentication. Some common examples of excluded applications are Webex and Microsoft Update. Check the rules above your authentication ruleset for anything that results in a stop-cycle. Those would not get authenticated.
One thing I like to do is to hard-code the username on bypasses.
So, for instance, if you have a rule above the authentication ruleset that bypasses authentication and scanning for updaters (windowsupdate, mcafee, adobe, etc), you can create an event and set property (authentication.username) = "Bypass"
And that way in Web Reporter it's obvious what the traffic is.
Create an empty user filter and make sure the box at the bottom for anonymous is NOT checked. Save the filter and add it to your report.
Also, if your question is answered, please mark the thread as answered. Thanks.
Sanjeev Singh wrote:
Can you please let me know how to exclude dash value in the report …?
How to create an empty user filter? Can you please provide the steps?