
Web Filtering Logs with AD Integration Username and URL fields null


I've been working on some logging we receive to our JSA from the SRXs we manage. Most of the SRXs are 340s. We are using JIMs at our clients and I've noticed some weird returns from the WEBFILTER_URL_PERMITTED and WEBFILTER_URL_BLOCKED. I am seeing a few instances where the users return as: null, null\, unauthenticated-user and unknown-user. Now the unauthenticated-user is pretty self explanatory, and I believe the unknown-user is when the AD-Integration is unavailable for whatever reason. What I'm a bit confused on is the null\ returns. For example a raw log (with some PI redacted):

<14>1 2019-11-13T14:59:25.284Z SRX340 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.135 source-address="X.X.X.X" source-port="XX" destination-address="X.X.X.X" destination-port="XX" session-id="158533" application="HTTPS" nested-application="MICROSOFT" category="N/A" reason="BY_FALLBACK_DEFAULT_ACTION" profile="DEFAULT" url="" obj="/" username="null\" roles="N/A" application-sub-category="miscellaneous"]

 

The other odd return I've seen is where the url is completely blank, which we can see in the above example as well.

 

Just trying to get to the bottom of what may be causing the null returns. The messages aren't terribly common, just having a tough time finding any documentation on the reason for those different returns.

 

Thanks!
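An added example, not part of the original post: a Python sketch for tallying these events outside the SIEM, so the placeholder usernames and empty URLs can be lined up against the `reason` field. In the sample line, `username="null\"` ends in a backslash directly before the closing quote, which a parser applying RFC 5424 escaping reads as an escaped quote, so the example includes that strict pattern for contrast. All function names, the sample lines, and the `EXAMPLE_REASON` and `EXAMPLE\alice` values are constructed for illustration.

```python
import re
from collections import Counter

# Lenient: a value ends at a quote followed by the next key= or the closing "]".
PAIR = re.compile(r'([\w-]+)="(.*?)"(?=\s+[\w-]+="|\]\s*$)')
# Strict RFC 5424 escaping, where \" is an escaped quote (shown for contrast).
STRICT = re.compile(r'([\w-]+)="((?:\\.|[^"\\])*)"')
EVENT = re.compile(r'RT_UTM - (WEBFILTER_URL_(?:PERMITTED|BLOCKED)) \[(.*)$')
PLACEHOLDER_USERS = {"null", "null\\", "unauthenticated-user", "unknown-user"}

def make_line(event, url, username, reason="BY_FALLBACK_DEFAULT_ACTION"):
    """Constructed sample line shaped like the redacted log in the post."""
    return ('<14>1 2019-11-13T14:59:25.284Z SRX340 RT_UTM - %s '
            '[junos@2636.1.1.1.2.135 source-address="X.X.X.X" session-id="158533" '
            'reason="%s" url="%s" obj="/" username="%s" roles="N/A"]'
            % (event, reason, url, username))

def parse(line, pair_re=PAIR):
    """Return the event's fields as a dict, or None for other messages."""
    m = EVENT.search(line)
    if not m:
        return None
    fields = dict(pair_re.findall(m.group(2)))
    fields["event"] = m.group(1)
    return fields

def flags(fields):
    """List the anomalies from the post that this event shows."""
    out = []
    if fields.get("username") in PLACEHOLDER_USERS:
        out.append("user=" + fields["username"])
    if fields.get("url", "") == "":
        out.append("url=empty")
    return out

def summarize(lines):
    """Count (anomaly, reason) pairs to show which reasons they coincide with."""
    counts = Counter()
    for line in lines:
        fields = parse(line)
        for flag in flags(fields) if fields else []:
            counts[(flag, fields.get("reason", "?"))] += 1
    return counts

SAMPLE = [  # constructed; "EXAMPLE_REASON" and "EXAMPLE\alice" are placeholders
    make_line("WEBFILTER_URL_PERMITTED", "", "null\\"),
    make_line("WEBFILTER_URL_BLOCKED", "example.test", "unknown-user", "EXAMPLE_REASON"),
    make_line("WEBFILTER_URL_PERMITTED", "example.test", "EXAMPLE\\alice", "EXAMPLE_REASON"),
]
```

With the strict pattern passed as `pair_re`, the first sample line yields a `username` value that swallows the start of the next field and no `roles` key at all, which is worth checking for in any log source extension that handles these events.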

