External Address is Top Client for Bandwidth Usage

On the Bandwidth Usage tab under Logging & Reporting / Network Usage, my Internet IP, or External (Address) user/host, is always the top talker.  Like about half my total bandwidth usage is attributed to my external interface rather than to an internal host that actually initiated whatever traffic was seen on that interface.  I'm sure there's some amount of traffic, like downloading firmware or pattern updates, that is rightfully attributed to the external interface.  But that shouldn't amount to GBs of data every day.  Should it?  It's more like some of my internal hosts' traffic is being associated with the external interface and it's hard to get an accurate read on how much each internal host is really using.  Does anyone else see that behavior or know how to change it?



  • Any traffic that goes through Web Protection is recorded as downloading by the IP of "External (Address)" - was that your question?

    If you're seeing mysterious high bandwidth on the External Interface, try (thanks to kerobra & AlanT):

    zgrep 'deferred download status refresh timeout, removing' /var/log/http/2017/*/* |grep -oP 'url="https?://.*?/'|sort -n|uniq -c|sort -n

    That will show you FQDNs that need to be in an Exception for antivirus or skipped altogether.

    Cheers - Bob

    EDIT 2017-05-05: Modified grep to look only at the FQDN

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
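The pipeline from the post above, as an added shell example that is not code from the thread or from Sophos. It wraps the same grep / sort / uniq -c / sort -n chain in a function that takes one or more plain-text log files (use zcat or zgrep for the .gz archives), runs it over a few constructed sample lines, and prints the per-origin count of "deferred download status refresh timeout, removing" messages. Assumptions: the sample log lines are constructed for illustration only and are not the exact UTM http.log field layout, only the two substrings the post keys on (the timeout message and url="...") are taken from the thread; the non-greedy PCRE .*? of the original is replaced by the equivalent ERE [^/]* so the command also runs on greps built without -P.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): count which origin
# hosts trigger the UTM HTTP proxy's deferred-download timeout message.
# Same chain as the post's zgrep | grep -o | sort | uniq -c | sort -n,
# but as a function over plain-text files. For archived logs, feed it
# the output of zcat instead, or call zgrep as the post does.

top_timeout_hosts() {
    # $@: one or more plain-text http.log files.
    # 1. keep only the timeout lines the post searches for
    # 2. cut each line down to url="scheme://host/" ([^/]* == PCRE .*?)
    # 3. group identical origins and count them
    # 4. re-sort so the most frequent offender is last (as in the post)
    grep -h 'deferred download status refresh timeout, removing' "$@" \
        | grep -oE 'url="https?://[^/]*/' \
        | sort | uniq -c | sort -n
}

# Constructed sample log (illustrative only; not the exact UTM log format).
# The second line is an ordinary access entry and must not be counted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017:05:05-08:01:02 utm httpproxy[1234]: [master] deferred download status refresh timeout, removing url="https://updates.example.com/pkg/a.bin" srcip="192.168.1.10"
2017:05:05-08:01:05 utm httpproxy[1234]: id="0001" severity="info" sys="SecureNet" sub="http" name="http access" action="pass" url="https://www.example.org/" srcip="192.168.1.11"
2017:05:05-08:02:44 utm httpproxy[1234]: [master] deferred download status refresh timeout, removing url="http://cdn.example.net/big.iso" srcip="192.168.1.12"
2017:05:05-08:03:10 utm httpproxy[1234]: [master] deferred download status refresh timeout, removing url="https://updates.example.com/pkg/b.bin" srcip="192.168.1.10"
2017:05:05-08:04:00 utm httpproxy[1234]: [master] deferred download status refresh timeout, removing url="https://updates.example.com/pkg/c.bin" srcip="192.168.1.13"
EOF

# Prints the origins that need a Web Protection exception, least to most
# frequent; with the sample above the last line is updates.example.com (3).
top_timeout_hosts "$SAMPLE_LOG"
```

The first sort only groups identical lines so uniq -c can count them; the second sort -n orders by that leading count, which is why the worst offender ends up at the bottom of the list rather than the hosts being listed alphabetically. Each origin printed is a candidate for an antivirus exception or a skip rule in Web Protection, per the post.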
  • Although your version is 'universally' usable, the search function in the logs section also works, especially for non-Linux natives like me ;-)

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • The advantage of the line ending in |grep -oP 'url="https?://.*?/'|sort -n|uniq -c|sort -n is that you don't have to dig through a lot of lines in the WebAdmin search result.  You get a list of the unique URLs/FQDNs that need attention, sorted in order of number of times they caused a problem.

    Cheers - Bob

    zgrep 'deferred download status refresh timeout, removing' /var/log/http/2017/*/* |grep -oP 'url="https?://.*?/'|sort -n|uniq -c|sort -n

  • Okay, understood. But why do you have to sort 2 times? Would there be empty lines in the output after the uniq -c filters all double entries out?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • You're right, Kevin, all the second sort does is rearrange the list in order of least- to most-common errors as opposed to alphabetically by FQDN/URL.

    Cheers - Bob
