Quick Question on Network Using - Incomming or Outgoing

I realize that I have not formulated it properly:

In deed it´s a Windows Server in my local Network, with which I have that issue, but in this context my "Server" is a "Client" in Sophos-Speak,
which simply means a machine INSIDE my local Network that has Internet-Connection through my UTM.

Server in this context and in Sophos-Speak is a Machine OUTSIDE of my local Network, in this Case a Server with IP 152.195.132.156, which is liveupdate.symantecliveupdate.com

So in other words my Question is:
Is 2,6GB transfered  FROM INSiDE my local Network TO that external Server with IP 152.195.132.156 ("Upload")
OR
Is 2,6GB transfered  FROM OUTSIDE, from  that external Server with IP 152.195.132.156 INTO my local Network ("Download")
?

What a pity that the statistics are so misleading and that you have to interpret them correctly to avoid drawing the wrong conclusions.
And that one can be mistaken in the process. :-(

"FROM OUTSIDE, from  that external Server with IP 152.195.132.156 INTO my local Network"

Is how I interpret that statistic.

2.6GB does seem a lot for a single day for AV updates.  Of course, if each update is say 20-30MB and you have 100 end points, well, it can add up.

The problem with UTM's bandwidth usage reporting is you can't just click on the service to see which clients were actually connecting to this server (symantec).  You can monitor real time using the web filtering application flow monitor, but not after the fact. This seems like the last necessary element of bandwidth usage logging.

In your example, under connections, it indicates 1017. That seems like a relatively high number, indicating numerous clients.

How many clients are using symantec on your network, configured to use the update feature?

Amodin Is XG usage reporting equally ambiguous?

Yeah it can be, the live connections/applications is nice to see in the Control Center on XG.  Unfortunately it seems to stuff an awful lot of traffic under 'Other Applications' but it is better than UTM, IMO.

I did away with Symantec a long time ago.  I had a problem like this where it was continuously downloading updates, and they actually blamed it on sunspots.  No joke.

 TJ Hooker , https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/ReportingNetworkUsageBandwidth.htm

This may or may not help you but it describes the In/Out, and it depends on the setup actually.

Thank you both!

I have "only" 85 Clients using Symantec, but they should get updates from my internal SEPM-Server (that´s the machine I see this huge Traffic with that IP in my "Daily Executive Report") and not from external Symantec-Servers. Only my internal SEPM-Server should connect to Symantec to get updates from there and then provide them for my Clients.

Also my Clients are not connected via direct IP to the internet, instead they use my UTM as a Proxy. In this Scenario, client traffic should not be logged under "Network Usage - Bandwith", right?

I oversaw the count of 1017 so far but you are right, huge number!
Adopted only my internal SEPM-Server connects to Symantec (and/or only these connections are logged here), this means one connection every 1,5 Minutes, when I have calculated right..

I think even proxied traffic still gets logged under network usage.

Case and point, at this moment the tablet below is indicating highest usage for the day so far (its 11am local time). The only activities on this device are web browsing and email (and whatever telemetry it reports back).

Clicking on the ip shows,

http-alt is port 8080

The web policy is for this subnet is url filtering only for https.

Thank you!

Thank you!