License usage: EXCEEDING 100% OF USER COUNT, but who are they?

Essentially, any device that uses an IP address on the internal side of UTM that touches UTM in any way (for example as a gateway or dhcp lease) is considered a user, so there are always more than you think.  The only answer is to check your network traffic and match mac addresses to ip using the firewall logs.

Thanks for the reply.

I have opened the firewall log / exported to Excel for analyze and only found 10 unique internal IPs listed there. So it does not explain my confuse.

Hi,

check your dhcp address range and make sure it is less than your licence. The addresses in the licence table age off after approximately 30 day.

Does the licence table show the addresses as part of your DHCP range?

thanks for the reply. I think I got some ideas now. Apparently, I used another dhcp server and use SOphOs as gateway. then I enabled dhcp on Sophos. All devices got a new IP, I assume Sohpos double counted each device.

I don't know that's a possible cause or not.

Hi,

the UTM only counts addresses that talk to it, so if you have devices that are internal only you should only see devices using UTM resources which will be addresses assigned from the UTM DHCP server.

I checked IP addresses in scope of license in Sophos. Almost half of IP cannot be reachable. So I assume they are the old IP that was contacting Sophos. But Sophos doesn't get rid of them when they got a new IP. 

How do I reset this least? 

I restart the UTM. Or search the forums for the cli instructions.

Hi, Cliff, and welcome to the UTM Community!

There is no longer a way to reset this at the command line.  Switching DHCP servers likely did cause this problem.  You're stuck with the extra IPs, but they will "age-out" after 7 days.

The only other way is to get several configuration backups off the UTM, Factory Reset and restore from backup.  This does result in the loss of all history in logging and reporting.

Cheers - Bob