
How to view inbound traffic source? I have massive traffic 95% incoming but the source is me and it's external.

Boy I hate these new forums and the layout but oh well, finally created an account.

Anyhow, recently (over the past few days) when my Web Protection -> Web Filtering module is turned on I see a massive influx of traffic (not all the time, maybe once a day). The traffic is constant and 95% of the bandwidth. I can't determine the destination, and the source is either AKAMAI or my own IP.

Once I turn off Web Protection, the traffic stops. I can turn it back on again and everything will be normal...until it happens again a few hours later. What could be causing this and how do I determine the real destination of the traffic or the real source?

On the Top Applications Tab I can see "HTTP 20gb"

Then I go sort by User and no users accrued 20gb not even close (At most 750mb).



This thread was automatically locked due to age.
  • We've seen this issue here before, probably two or three times a year. All the traffic is with the "External (Address)" IP because the Web Proxy downloads some of the file, the download dies and then the Proxy re-initiates the download. It's a website that doesn't like the Proxy and the Proxy needs to be skipped for it. A good candidate would be a program update. Use the Search tab to look for "timed out" in the Web Filtering log. There may be something else to look for, but it doesn't come to mind at the moment.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
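
The "timed out" search suggested in the reply above can also be done offline on an exported Web Filtering log, grouping by URL instead of by user so that a download the proxy keeps restarting stands out. This is an added example, not part of the original posts and not Sophos code; the `key="value"` line layout, the field names (`srcip`, `size`, `url`, `error`) and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. The key="value" layout and the field names
# (srcip, size, url, error) are assumptions about the Web Filtering log.
SAMPLE_LOG = '''\
2017:03:01-10:00:01 utm httpproxy[4242]: action="pass" srcip="192.0.2.10" size="524288000" url="http://updates.example.com/big-update.bin" error="Connection timed out"
2017:03:01-10:20:07 utm httpproxy[4242]: action="pass" srcip="192.0.2.10" size="498073600" url="http://updates.example.com/big-update.bin" error="Connection timed out"
2017:03:01-10:41:13 utm httpproxy[4242]: action="pass" srcip="192.0.2.10" size="510000000" url="http://updates.example.com/big-update.bin" error="Connection timed out"
2017:03:01-10:42:00 utm httpproxy[4242]: action="pass" srcip="192.0.2.23" size="20480" url="http://www.example.org/index.html" error=""
2017:03:01-10:43:30 utm httpproxy[4242]: action="pass" srcip="192.0.2.23" size="1048576" url="http://cdn.example.net/video.mp4" error="Connection timed out"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')

def summarize(log_text):
    """Group log lines by URL: request count, total bytes, timed-out count."""
    stats = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "timed_out": 0, "clients": set()})
    for line in log_text.splitlines():
        fields = dict(PAIR.findall(line))
        url = fields.get("url")
        if not url:
            continue  # not an access line, or no URL recorded
        entry = stats[url]
        entry["requests"] += 1
        size = fields.get("size", "0")
        entry["bytes"] += int(size) if size.isdigit() else 0
        if "timed out" in line.lower():
            entry["timed_out"] += 1
        if fields.get("srcip"):
            entry["clients"].add(fields["srcip"])
    return dict(stats)

def retry_candidates(stats, min_timeouts=2):
    """URLs that timed out repeatedly, largest byte total first."""
    hits = [(u, s) for u, s in stats.items() if s["timed_out"] >= min_timeouts]
    return sorted(hits, key=lambda item: item[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for url, s in retry_candidates(summarize(SAMPLE_LOG)):
        print(f'{url}: {s["requests"]} requests, {s["bytes"] / 1e6:.0f} MB, '
              f'{s["timed_out"]} timed out, clients={sorted(s["clients"])}')
```

A URL that tops this list with several timed-out requests from one internal client is the candidate for skipping the proxy that the reply describes.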