This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Quick Question on Network Using - Incomming or Outgoing

Hi Folks!

At the moment I have a problem with one of my Servers generating a lot traffic with IP, which is
I saw this first in my "Daily Executive Report", where only the amount of Data ist shown but not the direction of the data.

Looking into "Logging an Reporting" an narrowing down to that mentioned IP I see this (see below).

Does that mean, that my Server ist SENDING 2,6GB to that IP? Until now I thought my Server is RECEIVING?
Or do I misinterprete "IN" and "OUT" in this case an "OUT" means "OUT" FROM that IP, what means INCOMMING for me?



This thread was automatically locked due to age.
  • I realize that I have not formulated it properly:

    In deed it´s a Windows Server in my local Network, with which I have that issue, but in this context my "Server" is a "Client" in Sophos-Speak,
    which simply means a machine INSIDE my local Network that has Internet-Connection through my UTM.

    Server in this context and in Sophos-Speak is a Machine OUTSIDE of my local Network, in this Case a Server with IP, which is

    So in other words my Question is:
    Is 2,6GB transfered  FROM INSiDE my local Network TO that external Server with IP ("Upload")
    Is 2,6GB transfered  FROM OUTSIDE, from  that external Server with IP INTO my local Network ("Download")

    What a pity that the statistics are so misleading and that you have to interpret them correctly to avoid drawing the wrong conclusions.
    And that one can be mistaken in the process. :-(

  • "FROM OUTSIDE, from  that external Server with IP INTO my local Network"

    Is how I interpret that statistic.

    2.6GB does seem a lot for a single day for AV updates.  Of course, if each update is say 20-30MB and you have 100 end points, well, it can add up.

    The problem with UTM's bandwidth usage reporting is you can't just click on the service to see which clients were actually connecting to this server (symantec).  You can monitor real time using the web filtering application flow monitor, but not after the fact. This seems like the last necessary element of bandwidth usage logging.

    In your example, under connections, it indicates 1017. That seems like a relatively high number, indicating numerous clients.

    How many clients are using symantec on your network, configured to use the update feature?

    Is XG usage reporting equally ambiguous?

  • Yeah it can be, the live connections/applications is nice to see in the Control Center on XG.  Unfortunately it seems to stuff an awful lot of traffic under 'Other Applications' but it is better than UTM, IMO.

    I did away with Symantec a long time ago.  I had a problem like this where it was continuously downloading updates, and they actually blamed it on sunspots.  No joke.


    This may or may not help you but it describes the In/Out, and it depends on the setup actually.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thank you both!

    I have "only" 85 Clients using Symantec, but they should get updates from my internal SEPM-Server (that´s the machine I see this huge Traffic with that IP in my "Daily Executive Report") and not from external Symantec-Servers. Only my internal SEPM-Server should connect to Symantec to get updates from there and then provide them for my Clients.

    Also my Clients are not connected via direct IP to the internet, instead they use my UTM as a Proxy. In this Scenario, client traffic should not be logged under "Network Usage - Bandwith", right?

    I oversaw the count of 1017 so far but you are right, huge number!
    Adopted only my internal SEPM-Server connects to Symantec (and/or only these connections are logged here), this means one connection every 1,5 Minutes, when I have calculated right..

  • I think even proxied traffic still gets logged under network usage.

    Case and point, at this moment the tablet below is indicating highest usage for the day so far (its 11am local time). The only activities on this device are web browsing and email (and whatever telemetry it reports back).

    Clicking on the ip shows,

    http-alt is port 8080

    The web policy is for this subnet is url filtering only for https.

Reply Children
No Data