Documentation Index

Fetch the complete documentation index at: https://support.appgate.com/llms.txt

Use this file to discover all available pages before exploring further.

Troubleshooting tab

  • Published on Jun 17, 2026
  • 2 minute read
Prev Next

If someone in your organization cannot access a resource through a specific device, an AppGate ZTNA administrator can check whether the device is receiving a high risk level—which would explain why the resource is blocked. The high risk level may be a real value calculated by the Risk Engine based on information from the AppGate ZTNA Collective and third-party services, or it may be a fallback risk level applied under certain error conditions.

An AppGate ZTNA administrator can inspect risk rule values—including whether a value is a fallback—by viewing the ag user claims of an active session. See Viewing risk level details for instructions.

NOTE

The end user must have an active session in AppGate ZTNA for the administrator to view it in the admin UI.

If a device that should have access to a resource is receiving a high risk level that is not a fallback, investigate why the Risk Engine assigned that value before troubleshooting the access problem.

Each risk rule has a Troubleshooting tab with two downloadable resources for identifying issues with rules and adapters connected to the Risk Engine: a Host Log and a Usage Report, both available in CSV format.

Download files from the Troubleshooting tab

  1. In the ZTP Cloud Console, go to Services > Risk Engine. Click the risk rule configured for the adapter you want to review.

  1. Click the Troubleshooting tab, then download the Host Log and Usage Report files in CSV format.

NOTE

For more information about the data ZTP collects, see the Data retention section.

Host Log

The Host Log shows information about the latest events—individual incident, threat, or detection records—received from third-party services through each adapter. Use this information to understand which data the Risk Engine used to determine a given risk level.

Most fields are common to all detection events. Depending on the adapter, the file may also include columns specific to that third party, such as trust scores, confidence levels, or severity values. Fields include:

  • External event ID

  • Datetime

  • Agent ID

  • Hostname

  • MAC address

  • Additional third-party specific fields

Usage Report

The Usage Report shows the following information for each time the Controller called the Risk Engine, including the risk level returned for each device:

  • Device ID

  • Client type

  • Username

  • Client version

  • Identity provider

  • OS

  • Timestamp

  • Agent IDs

  • Result

  • Hostname

  • Risk score (risk level)

  • MAC addresses

NOTE

The Agent ID is a value generated by third-party services—such as CrowdStrike or Microsoft Intune—and automatically retrieved by the AppGate Client as a device claim. By default, the Risk Engine uses the Agent ID to retrieve risk data from a third party. If the Agent ID is not available, the Risk Engine attempts to match data using the Hostname and MAC address values. For more information about the Agent ID for a specific third party, see Adapters.

Related articles