Hi all
I was searching for a quick way to identify what's happening on the firewall when users report very poor performance or ping response times for common websites grow to hundreds of milliseconds.
Perhaps it's a DDoS, clients/users doing the wrong things, or just a misconfigured update service.
To identify what's happening, you need to connect to the CLI.
First, clear the application statistics so you can identify what is actually consuming your bandwidth.
diagnose stats app-stat-clear
Now you need to find out which application is consuming your bandwidth. Wait a minute to gather statistics, then run:
diagnose stats app-bandwidth
app="SSL" appid=15895 total-sessions=59 bps=404657 bytes=404657
app="Twitter" appid=16001 total-sessions=2 bps=137956 bytes=137956
app="HTTP.BROWSER" appid=15893 total-sessions=50 bps=45220 bytes=45220
app="iCloud" appid=29880 total-sessions=2 bps=21911 bytes=21911
app="HTTP.BROWSER_Firefox" appid=34050 total-sessions=2 bps=4737 bytes=4737
This command shows a list of the applications currently crossing your firewall. The first one is probably the interesting one. For further analysis you need the following command:
diagnose stats app-usage-ip <applicationID or Name>
diagnose stats app-usage-ip HTTP.BROWSER
app="HTTP.BROWSER" total-usage=45220 total-sessions=50
ip="192.168.1.1" total-sessions=16 bytes=14128
ip="192.168.1.2" total-sessions=15 bytes=13417
ip="192.168.1.3" total-sessions=12 bytes=10776
ip="192.168.1.4" total-sessions=6 bytes=5298
ip="192.168.1.5" total-sessions=1 bytes=1601
You now have a list of source addresses using this application. With that, you have identified the source of the bandwidth consumption.
If you want to know more details about the sessions, you can filter the session list by source IP.
diagnose sys session filter clear
diagnose sys session filter src <src ip>
diagnose sys session filter src 192.168.1.1
diagnose sys session list
You now get a list of all sessions from this source IP.
For me it's a good way to quickly find which applications are crossing the firewall and consuming your bandwidth.
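Added example, not part of the original post: a Python parser for the app-bandwidth and app-usage-ip output formats shown above, which ranks applications and source IPs by their share of traffic so that output saved from the CLI can be triaged offline. The function names are assumptions of this example, and the sample input is an excerpt of the output lines shown in the post.

```python
import re

# Typographic quotes creep in when CLI output is pasted through a web page or ticket.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def _value(v):
    return v[1:-1] if v.startswith('"') else int(v) if v.isdigit() else v

def parse(text):
    """One dict per output line; unquoted numeric values become int."""
    lines = text.translate(QUOTES).splitlines()
    rows = [{k: _value(v) for k, v in PAIR.findall(line)} for line in lines]
    return [r for r in rows if r]  # drop prompt/blank lines without key=value pairs

def rank(rows, key, total):
    """Sort rows by `key`, largest first, adding each row's percentage of `total`."""
    rows = [r for r in rows if isinstance(r.get(key), int)]  # skip truncated lines
    ranked = sorted(rows, key=lambda r: r[key], reverse=True)
    return [dict(r, share=round(100 * r[key] / (total or 1), 1)) for r in ranked]

def rank_apps(text):
    """Applications from 'diagnose stats app-bandwidth', ordered by bps."""
    apps = [r for r in parse(text) if "appid" in r]
    return rank(apps, "bps", sum(r.get("bps", 0) for r in apps))

def rank_sources(text):
    """Source IPs from 'diagnose stats app-usage-ip', ordered by bytes."""
    rows = parse(text)
    total = next((r["total-usage"] for r in rows if "total-usage" in r), 0)
    return rank([r for r in rows if "ip" in r], "bytes", total)

# Sample input: excerpt of the output lines shown in the post above.
APP_BANDWIDTH = """\
app="SSL" appid=15895 total-sessions=59 bps=404657 bytes=404657
app="Twitter" appid=16001 total-sessions=2 bps=137956 bytes=137956
app="HTTP.BROWSER" appid=15893 total-sessions=50 bps=45220 bytes=45220
app="iCloud" appid=29880 total-sessions=2 bps=21911 bytes=21911
"""
APP_USAGE_IP = """\
app="HTTP.BROWSER" total-usage=45220 total-sessions=50
ip="192.168.1.1" total-sessions=16 bytes=14128
ip="192.168.1.2" total-sessions=15 bytes=13417
ip="192.168.1.3" total-sessions=12 bytes=10776
"""

if __name__ == "__main__":
    for r in rank_apps(APP_BANDWIDTH) + rank_sources(APP_USAGE_IP):
        print(r)
```

A single source holding most of an application's share points at one host to inspect with the session filter; an even spread across many sources points at the application itself.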