US11516257B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11516257-B2 |
| Application number | US-202017087816-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 3, 2020 |
| Priority date | Aug 13, 2018 |
| Publication date | Nov 29, 2022 |
| Grant date | Nov 29, 2022 |
Abstract

Among other things, this document describes systems, methods and devices for discovering and identifying client devices that attempt to access out-of-policy network services via a secure web gateway (SWG) (or other network security gateway) that lacks visibility into the client network's actual IP space. This is a common problem with cloud-hosted SWG services that enforce access policy from outside of a customer network (e.g., external to an enterprise network), due to network address translation at the interface between the customer network and the public Internet where the cloud-hosted SWG resides. The teachings hereof address this problem. In one embodiment, a cloud-hosted SWG can redirect a client to a bouncer device inside the customer network; that bouncer device can capture the actual client IP address.
Claims (preview)

The invention claimed is:

1. A method for identifying client devices in a private network that violate a policy for accessing websites outside the private network, comprising: A. at a network security gateway in a public network: receiving an attempt to access a website from a client in a private network, the client's IP address being hidden from the network security gateway due to a network address translation (NAT) device that separates the private network from the public network and changes the client's IP address as packets traverse the NAT device from the private network to the public network; applying a policy to the attempt to access the website, the policy defined by an administrator of the private network and relating to any of security threats and acceptable use policies for the private network; generating an identifier for the attempt to access the website; based on determining that the attempt to access the website violates the policy, redirecting the client to a bouncer component in the private network; logging the identifier and sending a record with the identifier to a log processor and reporting component; B. at the log processor and reporting component: receiving the record from the network security gateway; receiving a record from the bouncer component, comprising the identifier and client information associated with the client; matching the record from the network security gateway with the record from the bouncer component; and, reporting the client information to enable remedial action against the client by at least one of: an administrator of the private network, and an automated system for taking action against the client in the private network.

2. The method of claim 1, where the remedial action is taken by the automated system.

3. The method of claim 2, wherein the action is at least one of: quarantining the client by disabling access to the private network, and enforcing a control to block the client from reaching outside an IP space of the private network.

4. The method of claim 1, wherein the client information associated with the client comprises any of: IP address, hostname, client username.

5. The method of claim 1, further comprising: the bouncer component capturing the client information associated with the client.

6. The method of claim 5, the bouncer component capturing the client information associated with the client by performing at least one of the following: (i) extracting client IP address from a connection with the client; (ii) performing a reverse DNS lookup in an organizational DNS server to acquire a client hostname; (iii) looking up client hostname by client IP address in an organizational inventory; (iv) collecting user login events from an authentication server; (v) looking up user information in a RADIUS server; and, (vi) performing online user authentication by accessing an organizational authentication server not accessible to the network security gateway.

7. A system for identifying client devices in a private network that violate a policy for accessing websites outside the private network, comprising: A. a network security gateway in a public network, the network security gateway comprising at least one hardware processor and memory holding instructions for execution on the at least one processor to cause, upon execution, the network security gateway to: receive an attempt to access a website from a client in a private network, the client's IP address being hidden from the network security gateway due to a network address translation (NAT) device that separates the private network from the public network and changes the client's IP address as packets traverse the NAT device from the private network to the public network; apply a policy to the attempt to access the website, the policy defined by an administrator of the private network and relating to any of security threats and acceptable use policies for the private network; generate an identifier for the attempt to access the website; based on determining that the attempt to access the website violates the policy, redirect the client to a bouncer component in the private network; log the identifier and send a record with the identifier to a log processor and reporting component; B. the log processor and reporting component comprising at least one hardware processor and memory holding instructions for execution on the at least one processor to cause, upon execution, the log processor and reporting component to: receive the record from the network security gateway; receive a record from the bouncer component, comprising the identifier and client information associated with the client; match the record from the network security gateway with the record from the bouncer component; and, report the client information to enable remedial action against the client by at least one of: an administrator of the private network, and an automated system for taking action against the client in the private network.

8. The system of claim 7, where the remedial action is taken by the automated system.

9. The system of claim 8, wherein the action is at least one of: quarantine the client by disabling access to the private network, and enforce a control to block the client from reaching outside an IP space of the private network.

10. The system of claim 7, wherein the client information associated with the client comprises any of: IP address, hostname, client username.

11. The system of claim 7, wherein: the bouncer component comprises at least one hardware processor and memory holding instructions for execution on the at least one processor to cause, upon execution, the log processor and reporting component to: capture the client information associated with the client.

12. The system of claim 11, wherein the capture of the client information associated with the client occurs by performing at least one of the following: (i) extract client IP address from a connection with the client; (ii) perform a reverse DNS lookup in an organizational DNS server to acquire a client hostname; (iii) look up client hostname by client IP address in an organizational inventory; (iv) collect user login events from an authentication server; (v) look up user information in a RADIUS server; and, (vi) perform online user authentication by accessing an organizational authentication server not accessible to the network security gateway.
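The abstract and claims 1 and 7 describe one correlation flow: the cloud-side gateway sees only the NAT'd public address, so on a policy violation it mints an identifier, logs it, and redirects the client to a bouncer inside the private network; the bouncer sees the real peer address, logs the same identifier alongside the client details, and the log processor joins the two record streams on that identifier. The following Python model is an added example written for this page, not code from the patent or its assignee. `BOUNCER_URL`, the blocked-domain policy, the IP-to-hostname inventory (standing in for the reverse DNS or inventory lookup of claim 6) and all addresses are constructed assumptions; the identifier is made unguessable with `secrets` so a client cannot plausibly claim another client's identifier, and the log processor reports only identifiers the gateway actually issued.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical internal hostname for the bouncer; the patent does not name one.
BOUNCER_URL = "http://bouncer.corp.example/blocked"


@dataclass
class Record:
    identifier: str   # shared key that ties the two log streams together
    source: str       # "gateway" or "bouncer"
    fields: dict


class LogProcessor:
    """Receives records from both sides and joins them on the identifier."""

    def __init__(self):
        self.gateway_records = {}
        self.bouncer_records = {}

    def ingest(self, record):
        store = self.gateway_records if record.source == "gateway" else self.bouncer_records
        store[record.identifier] = record

    def matched_violations(self):
        # Only identifiers the gateway actually issued are reported; a bouncer
        # record carrying an unknown identifier is dropped rather than trusted.
        matches = []
        for ident, gw in self.gateway_records.items():
            bn = self.bouncer_records.get(ident)
            if bn is None:
                continue
            matches.append({"identifier": ident, **gw.fields, **bn.fields})
        return matches


class SecureWebGateway:
    """Cloud-side policy enforcement; it only ever sees the NAT'd source address."""

    def __init__(self, blocked_domains, log_processor, id_factory=lambda: secrets.token_hex(8)):
        self.blocked = set(blocked_domains)
        self.lp = log_processor
        self.new_id = id_factory  # unguessable per-attempt identifier

    def handle(self, requested_url, nat_ip):
        host = urlparse(requested_url).hostname
        if host not in self.blocked:
            return {"status": 200, "location": None}
        ident = self.new_id()
        self.lp.ingest(Record(ident, "gateway",
                              {"url": requested_url, "nat_ip": nat_ip, "policy": "blocked-domain"}))
        # Redirect the violating client into the private network, carrying the identifier.
        return {"status": 302, "location": BOUNCER_URL + "?" + urlencode({"id": ident})}


class Bouncer:
    """Inside the private network, so the TCP peer address is the real client IP."""

    def __init__(self, log_processor, inventory):
        self.lp = log_processor
        self.inventory = inventory  # constructed IP -> hostname map standing in for reverse DNS

    def handle(self, redirect_url, client_ip):
        ident = parse_qs(urlparse(redirect_url).query).get("id", [None])[0]
        if ident is None:
            return 400
        hostname = self.inventory.get(client_ip, "unknown")
        self.lp.ingest(Record(ident, "bouncer", {"client_ip": client_ip, "hostname": hostname}))
        return 200


def run_demo():
    lp = LogProcessor()
    swg = SecureWebGateway({"gambling.example"}, lp)
    bouncer = Bouncer(lp, {"10.1.2.3": "laptop-42"})
    nat_ip = "203.0.113.10"  # constructed: the one public address the whole site shares
    allowed = swg.handle("https://news.example/", nat_ip)
    first = swg.handle("https://gambling.example/bet", nat_ip)
    second = swg.handle("https://gambling.example/bet", nat_ip)
    # Two different internal clients, indistinguishable by NAT address alone.
    bouncer.handle(first["location"], "10.1.2.3")
    bouncer.handle(second["location"], "10.1.2.4")
    # A bouncer record whose identifier the gateway never issued is ignored.
    bouncer.handle(BOUNCER_URL + "?id=not-issued", "10.9.9.9")
    return allowed, lp.matched_violations()


if __name__ == "__main__":
    for match in run_demo()[1]:
        print(match)
```

The two blocked attempts share one `nat_ip`, so the gateway's logs alone cannot say which host misbehaved; after the join, each report carries the private `client_ip` and hostname that the remedial action in claims 2 and 3 needs. Dropping unmatched bouncer records means the gateway's own log remains the authority on which attempts were actually flagged.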
CPC classification titles:

- Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- At the transport layer
- Virtual private networks
- Data redirection of data network streams
- Firewall traversal, e.g. tunnelling or creating pinholes