External Address is Top Client for Bandwidth Usage

On the Bandwidth Usage tab under Logging & Reporting / Network Usage, my Internet IP, or External (Address) user/host, is always the top talker. Like about half my total bandwidth usage is attributed to my external interface rather than to an internal host that actually initiated whatever traffic was seen on that interface. I'm sure there's some amount of traffic, like downloading firmware or pattern updates, that is rightfully attributed to the external interface. But that shouldn't amount to GBs of data every day. Should it? It's more like some of my internal hosts' traffic is being associated with the external interface and it's hard to get an accurate read on how much each internal host is really using. Does anyone else see that behavior or know how to change it?



  • Any traffic that goes through Web Protection is recorded as downloading by the IP of "External (Address)" - was that your question?

    If you're seeing mysterious high bandwidth on the External Interface, try (thanks to kerobra & AlanT):

    zgrep 'deferred download status refresh timeout, removing' /var/log/http/2017/*/* |grep -oP 'url="https?://.*?/'|sort -n|uniq -c|sort -n

    That will show you FQDNs that need to be in an Exception for antivirus or skipped altogether.

    Cheers - Bob

    EDIT 2017-05-05: Modified grep to look only at the FQDN

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
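
An added example, not part of the post above: the same count as a shell function that also merges http/https, upper/lower-case and explicit-port variants of one host, and reads both gzip-compressed and plain log files. The sample lines are constructed; only the message text and the `url="..."` field are taken from the command above, and the rest of the line layout is an assumption.

```shell
#!/bin/sh
# Message text taken from the zgrep command in the post above.
MSG='deferred download status refresh timeout, removing'

# deferred_hosts FILE...
# Prints "count host" per FQDN seen in matching lines, highest count first.
deferred_hosts() {
    # gzip -cdf decompresses .gz input and passes plain text through unchanged.
    gzip -cdf -- "$@" |
        grep -F "$MSG" |
        # Keep scheme + authority only; stop at the first '/', quote or space.
        grep -oE 'url="https?://[^/" ]+' |
        # Strip the scheme, any userinfo, and a trailing :port.
        sed -E -e 's#^url="https?://##' -e 's#^[^@]*@##' -e 's#:[0-9]+$##' |
        # Host names are case-insensitive; fold them so variants merge.
        tr 'A-Z' 'a-z' |
        sort | uniq -c | sort -k1,1nr -k2,2 |
        awk '{print $1, $2}'
}

# Constructed sample input (hypothetical line layout, documentation-only hosts).
sample_log() {
    cat <<'EOF'
2017:05:04-10:00:01 utm httpproxy[1234]: message="deferred download status refresh timeout, removing" url="http://cdn.example.com/big/file1.iso"
2017:05:04-10:03:12 utm httpproxy[1234]: message="deferred download status refresh timeout, removing" url="https://CDN.example.com:443/big/file2.iso"
2017:05:04-10:07:45 utm httpproxy[1234]: message="deferred download status refresh timeout, removing" url="http://cdn.example.com/other"
2017:05:04-10:09:30 utm httpproxy[1234]: message="deferred download status refresh timeout, removing" url="http://updates.example.net/patch.bin"
2017:05:04-10:11:02 utm httpproxy[1234]: message="some other event" url="http://ignored.example.org/x"
EOF
}

# Demo run over the constructed sample.
demo_file=$(mktemp)
sample_log > "$demo_file"
deferred_hosts "$demo_file"
rm -f "$demo_file"
```

On the UTM itself the argument would be the same path glob the post uses, `/var/log/http/2017/*/*`.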
  • BAlfson said:
    Any traffic that goes through Web Protection is recorded as downloading by the IP of "External (Address)"


    But why is it represented this way? Isn't it possible for a client IP to be attributed to the traffic? What is the benefit in having all that traffic effectively grouped as "unknown source" on the WAN like this?

    In my case, I typically see about 50% of total traffic coming from my WAN address, meaning I am only aware of roughly half of what is traversing my UTM.

     

    Edit: I got some clarity on this from Sophos today: community.spiceworks.com/.../819547-utm-wan-address-is-top-client-in-reporting


    Sophos UTM Home user since 2015

    Running on Q350G4 Core i5-4200U 8GB
