Reports

whichever is more recent. Data is added when the firewall session is closed; therefore, a large file transfer in progress, for example, will not be tabulated until after it finishes.

Data is presented as one of the following graphs:

Top Web sites — The 25 most visited external Web sites by bandwidth. You must create a firewall rule to match with the “web-filter” action between zones that you wish to monitor. You do not need to enable either of the web filtering options (manual-filter or filter-service). Only connections to or from TCP port 80 are displayed. The web site name is extracted from the HTTP request headers; for requests that do not provide a host name or only an IP address, the IP is displayed. Sites with multiple domains or that host images and other data on different Web servers appear as multiple entries.

Firewall rule hits — The 25 most triggered firewall rules. The “hit count” is the number of firewall sessions that have matched that rule in the table. The top ten rules are assigned colors. Unlike the other tables, which are sorted by bandwidth, entries in this table are displayed in order of precedence; rules outside of the first ten are listed as “other” even if they have larger hit counts.

Top clients — The 25 protocols generating the most traffic to and from internal IP addresses by bandwidth. An internal address is one that is on an internal security zone, that is, one that is part of any internal virtual interface. Generally the only IP addresses not considered internal are those reached via a route out of the external virtual interface. Machines reached via PPTP, L2TP, and IPSec tunnels that terminate on an internal security zone are considered internal addresses and can appear as clients.

Top services — The 25 services consuming the most bandwidth. For TCP and UDP, the service name is determined from the IP protocol and destination port. Traffic for which there is no known service is shown as a generic name tcp(port), udp(port) or ip(protocol), such as “tcp(1234),” “udp(5001),” or “ip(100).” FTP connections are aggregated, but services such as p2p that use different port numbers appear as multiple entries and cannot be aggregated.
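The following added example (not part of the guide and not the device's own code) models how the Top services graph is tabulated from session records, including the generic-name fallback and the rule that data is counted only when a session closes. The record fields, the `KNOWN_SERVICES` table, and the display names "http", "https", and "dns" are assumptions made for illustration; FTP aggregation is not modeled.

```python
from collections import defaultdict

# Assumed mapping of IP protocol numbers to the prefixes used in generic names.
IP_PROTO = {6: "tcp", 17: "udp"}

# Assumed, deliberately small table of known services (hypothetical display names).
KNOWN_SERVICES = {("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "dns"}


def service_name(ip_proto, dst_port):
    """Name a session by IP protocol and destination port, as the guide describes."""
    proto = IP_PROTO.get(ip_proto)
    if proto is None:
        return f"ip({ip_proto})"          # neither TCP nor UDP: ip(protocol)
    # Known service name, otherwise the generic tcp(port) / udp(port) form.
    return KNOWN_SERVICES.get((proto, dst_port), f"{proto}({dst_port})")


def top_services(sessions, limit=25):
    """Return up to `limit` (service, bytes) pairs, highest bandwidth first."""
    totals = defaultdict(int)
    for s in sessions:
        if not s["closed"]:
            continue                      # data is added only when the session closes
        totals[service_name(s["proto"], s["dport"])] += s["bytes"]
    # Sort by bandwidth, then by name so ties are deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


# Constructed sample sessions (not real traffic).
SESSIONS = [
    {"proto": 6,   "dport": 80,   "bytes": 5000,       "closed": True},
    {"proto": 6,   "dport": 80,   "bytes": 3000,       "closed": True},
    {"proto": 17,  "dport": 53,   "bytes": 400,        "closed": True},
    {"proto": 6,   "dport": 1234, "bytes": 9000,       "closed": True},
    {"proto": 17,  "dport": 5001, "bytes": 1200,       "closed": True},
    {"proto": 100, "dport": 0,    "bytes": 700,        "closed": True},
    # p2p-style traffic on two ports: appears as two separate entries.
    {"proto": 6,   "dport": 6881, "bytes": 2000,       "closed": True},
    {"proto": 6,   "dport": 6882, "bytes": 2500,       "closed": True},
    # Large transfer still in progress: absent from the table until it finishes.
    {"proto": 6,   "dport": 443,  "bytes": 50_000_000, "closed": False},
]

if __name__ == "__main__":
    for name, nbytes in top_services(SESSIONS):
        print(f"{name:12} {nbytes}")
```

When reading the real graph, the same two effects apply: a generic entry such as tcp(1234) at the top identifies traffic with no known service, and a long-lived transfer does not appear until its session closes.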

The following figure shows the Firewall Reports page.

Figure 5–7: Firewall Reports Page

X Family LSM User’s Guide V 2.5.1
