Frequently Asked Question
Traffic Monitoring
Last Updated 3 years ago
You'll need your firewall login details to be able to use this FAQ. If you don't have these please log a support ticket and we will provide them.
IT IS ESSENTIAL YOU DO NOT MAKE ANY CHANGES TO THE CONFIGURATION OF YOUR FIREWALL USING THESE CREDENTIALS. DOING SO MAY IMPACT YOUR NETWORK AND INTERNET CONNECTION. YOU WILL NOT BE COVERED UNDER YOUR SUPPORT CONTRACT IF ANY CHANGES YOU MAKE RESULT IN A SUPPORT TICKET
Log into the firewall using the information provided. You'll be presented with the Dashboard which will include basic information regarding traffic flowing through your firewall.
From the menu bar click "Status" and select "Traffic Graph", This will bring up the detailed graphs. By default your internal network will be shown, normally this is called "Lan". Next to the graph you'll see the IP addresses on your network currently using the internet connection. For most network connections this should "burst" with addresses only showing up for a few seconds and then falling off the list. If an IP address stays it is performing a sustained transfer. This can be a download, video stream or updates.
This is all traffic on your network, if you have other networks this will include traffic flowing between the two of them which isn't necessarily going out onto your broadband connection. At the top you can select the connection you are looking at. If you change this to WAN (Your connection may have a different name) you can see all traffic leaving and entering your internet connection but you will not see a detailed breakdown as you do for the LAN connection. If you have multiple external IP addresses you WILL see these listed however.
Systems running BandwidthD - All systems installed/upgraded from May 2021
These systems can provide in depth reports on network use. However this isn't a default option and may not be installed. You can have it added on request.
Click "Diagnostics" and select "BandwidthD"
You'll be presented with an in depth report of addresses on your network and their data use. This report doesn't need any real explanation but it IS printable. You can click an IP address for an individual breakdown further down the page.
Relating IP addresses to devices
Your network is normally split into three segments. Within these segments we use static and dynamic assignments. Static assignments never change, for example 192.168.0.3 is ALWAYS 192.168.0.3. A dynamic IP can change and is moved around to where the system has space for it. We typically set all addresses below 20 and above 200 as statics with the dynamic addresses in between from 20 to 200. Most servers, printers and network devices will be static addresses with your computers and phones set as dynamic. This can make tracking down culprits harder. When a device asks for an address is must give it's host name and this is recorded in the "lease" table. You can view this by clicking "Status" and selecting "DHCP Leases"
The table shows all the addresses the firewall has recently given out and their state. You can ignore those that show as "Offline". The devices hostname is shown here and may give clues as to what it is. The name shown is that given when the machine is set up and you can normally change this, it's definitely worth doing for fixed systems like desktop machines. Phones will generally use the name the owner setup when configuring it for the first time. Static assignments won't show up in here.
Large sustained data transfers / Out of the ordinary traffic
There are some devices on your network that will seem to permanently be causing traffic, depending on the device this can be normal. Telephone systems will generate almost continuous low level traffic, servers may produce large bursts downloading updates or performing backups. Generally unless you know that you or a staff member is downloading a file or streaming you should not see sustained traffic in your dynamic IP range, this can be a sign of misuse and/or a malware issue.
IT IS ESSENTIAL YOU DO NOT MAKE ANY CHANGES TO THE CONFIGURATION OF YOUR FIREWALL USING THESE CREDENTIALS. DOING SO MAY IMPACT YOUR NETWORK AND INTERNET CONNECTION. YOU WILL NOT BE COVERED UNDER YOUR SUPPORT CONTRACT IF ANY CHANGES YOU MAKE RESULT IN A SUPPORT TICKET
Log into the firewall using the information provided. You'll be presented with the Dashboard which will include basic information regarding traffic flowing through your firewall.
From the menu bar click "Status" and select "Traffic Graph", This will bring up the detailed graphs. By default your internal network will be shown, normally this is called "Lan". Next to the graph you'll see the IP addresses on your network currently using the internet connection. For most network connections this should "burst" with addresses only showing up for a few seconds and then falling off the list. If an IP address stays it is performing a sustained transfer. This can be a download, video stream or updates.
This is all traffic on your network, if you have other networks this will include traffic flowing between the two of them which isn't necessarily going out onto your broadband connection. At the top you can select the connection you are looking at. If you change this to WAN (Your connection may have a different name) you can see all traffic leaving and entering your internet connection but you will not see a detailed breakdown as you do for the LAN connection. If you have multiple external IP addresses you WILL see these listed however.
Systems running BandwidthD - All systems installed/upgraded from May 2021
These systems can provide in depth reports on network use. However this isn't a default option and may not be installed. You can have it added on request.
Click "Diagnostics" and select "BandwidthD"
You'll be presented with an in depth report of addresses on your network and their data use. This report doesn't need any real explanation but it IS printable. You can click an IP address for an individual breakdown further down the page.
Relating IP addresses to devices
Your network is normally split into three segments. Within these segments we use static and dynamic assignments. Static assignments never change, for example 192.168.0.3 is ALWAYS 192.168.0.3. A dynamic IP can change and is moved around to where the system has space for it. We typically set all addresses below 20 and above 200 as statics with the dynamic addresses in between from 20 to 200. Most servers, printers and network devices will be static addresses with your computers and phones set as dynamic. This can make tracking down culprits harder. When a device asks for an address is must give it's host name and this is recorded in the "lease" table. You can view this by clicking "Status" and selecting "DHCP Leases"
The table shows all the addresses the firewall has recently given out and their state. You can ignore those that show as "Offline". The devices hostname is shown here and may give clues as to what it is. The name shown is that given when the machine is set up and you can normally change this, it's definitely worth doing for fixed systems like desktop machines. Phones will generally use the name the owner setup when configuring it for the first time. Static assignments won't show up in here.
Large sustained data transfers / Out of the ordinary traffic
There are some devices on your network that will seem to permanently be causing traffic, depending on the device this can be normal. Telephone systems will generate almost continuous low level traffic, servers may produce large bursts downloading updates or performing backups. Generally unless you know that you or a staff member is downloading a file or streaming you should not see sustained traffic in your dynamic IP range, this can be a sign of misuse and/or a malware issue.