Sophos XG Firewall: How to monitor bandwidth usage between IPs in realtime


This article describes the steps to monitor XG Firewall traffic in real time from the command line, for example, to identify which IP is using bandwidth.

Applies to the following Sophos products and versions
SFOS v17 and above

What to do

To monitor traffic usage in real time, do as follows:

  1. Log on to the firewall using SSH.
  2. Access the Advanced Shell (Option 5, option 3).
  3. Enter the command:
    iftop -i IFNAME
    (Where IFNAME is the name of the interface, usually the LAN interface.)

  4. The description for the tool output is as follows:

  5. To stop the tool, type Q to quit.
  6. To show the traffic separated by source and destination port, append -P to the above command:
    iftop -i IFNAME -P
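
To keep a record of the top talkers instead of watching the live screen, iftop's text-mode output can be post-processed. The following is an added example, not part of the original article: it assumes the iftop build on the firewall supports the -t and -s text-mode options and scales units by 1024, it runs on constructed sample output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: rank hosts by traffic from iftop text-mode output.
# Assumption: the iftop build supports text mode, e.g.
#   iftop -i IFNAME -n -N -t -s 10
# The sample below is constructed, not captured from a real firewall.

sample_output() {
cat <<'EOF'
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 192.168.1.20                             =>     4.10Mb     3.50Mb     3.50Mb     4.38MB
     203.0.113.7                              <=      120Kb      100Kb      100Kb      125KB
   2 192.168.1.35                             =>      800Kb      600Kb      600Kb      750KB
     198.51.100.9                             <=     9.00Mb     8.00Mb     8.00Mb     10.0MB
   3 192.168.1.20                             =>      300Kb      500Kb      500Kb      625KB
     198.51.100.9                             <=       40Kb       50Kb       50Kb     62.5KB
--------------------------------------------------------------------------------------------
Total send rate:                                     5.20Mb     4.60Mb     4.60Mb
EOF
}

# top_talkers: read iftop text-mode output on stdin, sum the "last 10s"
# rate for the first host of every pair (the "=>" line) across all of its
# flows, and print "host sent_bps recv_bps total_bps", highest total first.
# Units are scaled by 1024 (assumption about how iftop abbreviates rates).
top_talkers() {
  awk '
    function bps(v,   n, u) {        # "3.50Mb" -> 3670016 bits per second
      n = v + 0; u = v; gsub(/[0-9.]/, "", u)
      if (u == "Kb") n *= 1024
      else if (u == "Mb") n *= 1024 * 1024
      else if (u == "Gb") n *= 1024 * 1024 * 1024
      return n
    }
    $3 == "=>" { host = $2; sent[host] += bps($5); seen[host] = 1; next }
    $2 == "<=" && host != "" { recv[host] += bps($4); host = "" }
    END { for (h in seen) printf "%s %d %d %d\n", h, sent[h], recv[h], sent[h] + recv[h] }
  ' | sort -k4,4nr
}

sample_output | top_talkers
```

On a live system the function would be fed from the iftop command shown in the comment instead of `sample_output`.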
  • Iftop is an old tool that I still use on Linux machines where a UI is not even installed.

    On XG, we expect to see a complete flow monitor like UTM 9 has.

    2 tabs where one shows the traffic in a grid, one shows the diagrams.

    Connection list is just useless at the moment on XG.

    Iftop is much better than the connection list.

  • If we want to see bandwidth usage per source IP, simply run the following:

    iftop -i <interface_name> 

    then press s

    This will sort the source IP bandwidth in descending order.

