
Sophos UTM 9.6 Dashboard - Flow Monitor
The Sophos UTM Flow Monitor is an application that provides quick access to information about the current traffic passing through UTM's interfaces. It is easily accessed from the dashboard by clicking on one of the interfaces in the top right corner. If you click on All Interfaces, the Flow Monitor shows all traffic on all active interfaces. If you click on a single interface, the Flow Monitor shows only the traffic on that interface.
Note - The Flow Monitor opens in a new browser window. As the window may be blocked by pop-up blockers, it is advisable to disable pop-up blockers for the WebAdmin.
The Flow Monitor offers two views, a diagram and a table, which are described in the next sections. The application refreshes every five seconds. You can click the Pause button to pause the update. When you click Next to resume the update, the Flow Monitor refreshes the data to show the current traffic.
Tabular view
The Flow Monitor table provides information on network traffic for the last five seconds:
#: Traffic is ordered by current bandwidth usage.
Application: Protocol or name of network traffic, if available. Unclassified traffic is a type of traffic unknown to the system. After clicking on an application, a window opens showing information about the server, the port used, the bandwidth required per server connection and the total traffic.
Clients: Number of client connections using the application. After clicking on a client, a window opens showing information about the client's IP address, the bandwidth required per client connection and the total traffic. Note that for unclassified traffic, the number of clients in the table may be higher than in the additional information window. This is because the designation "unclassified" includes more than one application. Therefore, it is possible that only one client is listed in the information window, but three clients are listed in the table. The latter are actually the connections of the one client to three different unclassified applications.
Current bandwidth usage: The bandwidth usage of the last five seconds. After clicking on a bandwidth, a window opens showing information about the download and upload rate of the application connection.
Total traffic: The total traffic of a connection as long as it exists. Example 1: A download was started some time ago and has not yet finished: The total data traffic since the start of the download is displayed. Example 2: Several clients are using Facebook: As long as one client keeps the connection open, the total traffic caused by all clients so far is displayed.
After clicking on the total traffic, a window opens showing information about the download and upload rate of the application connection.
Actions: Depending on the type of application, various actions can be performed (except for unclassified traffic).
- Block: Click the Block button to block the corresponding application with immediate effect. A rule is then created on the Application Control Rules page. This option is not available for applications that are relevant for the smooth operation of Sophos UTM. For example, WebAdmin traffic cannot be blocked as this could result in you no longer being able to access WebAdmin. Unclassified traffic cannot be blocked either.
- Traffic Shaping: Click on the Shape button to activate traffic shaping for the corresponding application. A dialogue box opens where you can make the rule settings. Click on Save when you are finished. This adds one rule to each of the Traffic Identifier and Download Throttling pages. Traffic Shaping is not available if you have selected a Flow Monitor view with all interfaces, as Traffic Shaping works on an interface-by-interface basis.
- Download Throttling: Click the Throttle button to enable download throttling for the corresponding application. A dialogue box opens where you can make the rule settings. Click on Save when you are finished. This adds one rule to each of the Traffic Indicator and Download Throttling pages. Download throttling is not available if you have selected a Flow Monitor view with all interfaces, as download throttling works on an interface-by-interface basis.
Diagram view
The Flow Monitor graph shows network traffic for the last ten minutes. The horizontal axis shows the time and the vertical axis shows the amount of traffic, with the scale dynamically adjusting to the throughput.
Below the chart, a legend provides information about the type of traffic on an interface. Each type of traffic is assigned a different colour, making it easy to distinguish the traffic displayed in the diagram.
Note - The Flow Monitor displays much more detailed traffic information when network visibility is enabled (see chapter Web Protection > Application Control > Network Visibility).
When you hover over the diagram, a dot is displayed that gives you detailed information about that part of the diagram. The dot sticks to the line of the diagram and follows the movements of the mouse pointer. If a chart has several lines, the dot switches between them depending on where you move the mouse pointer. In addition, the dot changes colour depending on which line its information relates to. This is particularly useful when lines are close together. The dot provides information on the type and size of the traffic at that point in time.

Marcel Zimmer is the Technical Managing Director of EnBITCon.