
External Address is Top Client for Bandwidth Usage

On the Bandwidth Usage tab under Logging & Reporting / Network Usage, my Internet IP, or External (Address) user/host, is always the top talker.  Like about half my total bandwidth usage is attributed to my external interface rather than to an internal host that actually initiated whatever traffic was seen on that interface.  I'm sure there's some amount of traffic, like downloading firmware or pattern updates, that is rightfully attributed to the external interface.  But that shouldn't amount to GB's of data every day.  Should it?  It's more like some of my internal hosts' traffic is being associated with the external interface and it's hard to get an accurate read on how much each internal host is really using.  Does anyone else see that behavior or know how to change it?  



  • Any traffic that goes through Web Protection is recorded as downloading by the IP of "External (Address)" - was that your question?

    If you're seeing mysterious high bandwidth on the External Interface, try (thanks to kerobra & AlanT):

    zgrep 'deferred download status refresh timeout, removing' /var/log/http/2017/*/* |grep -oP 'url="https?://.*?/'|sort -n|uniq -c|sort -n

    That will show you FQDNs that need to be in an Exception for antivirus or skipped altogether.

    Cheers - Bob

    EDIT 2017-05-05: Modified grep to look only at the FQDN

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
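The pipeline above, run over a few constructed http.log lines so you can see what the FQDN list looks like before trying it on a live UTM. This is an added example, not part of Bob's post; the sample lines and the function names are made up, and `grep -oE` with `[^/"]*` stands in for the thread's `grep -oP` non-greedy match so it also runs where grep lacks PCRE support.

```shell
#!/bin/sh
# Constructed sample of UTM http.log lines (not real log data). Only the
# "deferred download status refresh timeout, removing" lines matter; the
# first line is an ordinary access entry that must be ignored.
SAMPLE_LOG='2017:05:05-10:00:01 utm httpproxy[1234]: name="http access" action="pass" srcip="192.168.1.10" url="http://www.example.com/index.html"
2017:05:05-10:00:02 utm httpproxy[1234]: deferred download status refresh timeout, removing url="https://updates.example.net/big/file.bin" srcip="192.168.1.10"
2017:05:05-10:03:09 utm httpproxy[1234]: deferred download status refresh timeout, removing url="https://updates.example.net/big/other.bin" srcip="192.168.1.11"
2017:05:05-10:07:44 utm httpproxy[1234]: deferred download status refresh timeout, removing url="http://cdn.example.org/iso/image.iso" srcip="192.168.1.12"
2017:05:05-10:09:30 utm httpproxy[1234]: deferred download status refresh timeout, removing url="https://updates.example.net/big/file.bin" srcip="192.168.1.10"'

# Same pipeline as the thread, reading the sample instead of zgrep over
# /var/log/http/<year>/*/*.  The first plain sort only groups identical
# lines so uniq -c can count them (the thread uses sort -n there, which
# does the same job); the final sort -n orders by count, least to most.
top_deferred_hosts() {
  printf '%s\n' "$SAMPLE_LOG" \
    | grep 'deferred download status refresh timeout, removing' \
    | grep -oE 'url="https?://[^/"]*/' \
    | sort | uniq -c | sort -n
}

# Convenience: the single FQDN with the most timeouts, i.e. the first
# candidate for an antivirus exception, returned as "<count> url=...".
worst_deferred_host() {
  top_deferred_hosts | tail -n 1 | awk '{print $1, $2}'
}

top_deferred_hosts
```

Each output line is a count followed by the scheme and host; the hosts at the bottom of the list are the ones worth an AV scanning exception.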
  • Although your version is 'universal' usable, the search function in the logs section is also working, especially for non-Linux-natives like me ;-)

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • The advantage of the line ending in |grep -oP 'url="https?://.*?/'|sort -n|uniq -c|sort -n is that you don't have to dig through a lot of lines in the WebAdmin search result.  You get a list of the unique URLs/FQDNs that need attention, sorted in order of number of times they caused a problem.

    Cheers - Bob

    zgrep 'deferred download status refresh timeout, removing' /var/log/http/2017/*/* |grep -oP 'url="https?://.*?/'|sort -n|uniq -c|sort -n

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Okay, understood. But why do you have to sort 2 times? Would there be empty lines in the output after the uniq -c filters all double entries out?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • You're right, Kevin, all the second sort does is rearrange the list in order of least- to most-common errors as opposed to alphabetically by FQDN/URL.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, Bob, I'm sure you've explained it correctly as being an artifact of user traffic being proxied through the Web Protection.  In fact, I started to think that way when I re-read my own words.  It always amounts to about half the total bandwidth?  Hmmm.  So you've confirmed what I'd begun to figure out for myself.  Thanks.  

  • BAlfson said:
    Any traffic that goes through Web Protection is recorded as downloading by the IP of "External (Address)"


    But why is it represented this way? Isn't it possible for a client IP to be attributed to the traffic? What is the benefit in having all that traffic effectively grouped as "unknown source" on the WAN like this?

    In my case, I typically see about 50% of total traffic coming from my WAN address, meaning I am only aware of roughly half of what is traversing my UTM.


    Edit: I got some clarity on this from Sophos today: community.spiceworks.com/.../819547-utm-wan-address-is-top-client-in-reporting


    Sophos UTM Home user since 2015

    Running on Q350G4 Core i5-4200U 8GB