Hey everyone,
Can I get some suggestions on how to look into traffic spikes? We're seeing downloads in the Kbps range then suddenly it hits 150Mbps, bringing our network to a crawl.
I need to figure out how to trace/locate the source of the network traffic.

Traffic monitor will show me bytes sent and received but I can't use any arguments or complex filters, that I know of.

Running a firebox, with access to system manager.
I am not accessing any cloud services at the moment. Although I believe we do have access to "something".

    Have you tried using HostWatch inside of System Manager?
    This will give you a graphical view of the hosts, connections, data rates, plus more, and it looks pretty cool to boot.

    It's the icon directly under the "H" of Help on the top menu.

    It's usually something simple.

    And FSM Service Watch can show you the firewall policies which are using the highest bandwidth.
    It is most useful if you do not have dozens of policies in your config.

    HostWatch is generally much better for this.

    james.carson Moderator, WatchGuard Representative

    (Adding on to what the others said)
    FireWatch (in the firewall's WebUI) does a much better job of presenting the same data HostWatch does [in my opinion.]

    See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/firewatch_web.html

    The front panel display can also give you a quick abbreviated display of your top clients. See:
    (Expand the "front panel" section in that help doc.)

    -James Carson
    WatchGuard Customer Support

    Hey Thanks guys! I appreciate the feedback.
    I'll read over the documentation provided in the URLs by James and dig further.

    I tried using Host Watch but it's constantly refreshing, even when I pause the thing, and I can't get any real info. It tells me pretty much the same thing the bandwidth meter tells me, with the exception of narrowing it down to an IP... which is very helpful now that I say it (so to speak). But again, it refreshes and that IP is gone... >.< Is there a way to filter or review the real-time logs?

    I'll go read those URLs now. :]



    If you have the appropriate logging enabled, you can set up Dimension which is a log & report setup.
    From Dimension, you can see the top clients, top domains etc. for a specific time period on the Executive Summary.

    There is also Firewatch in Dimension, which allows one to see the connections or bytes for a top client.

    Plus lots more.

    Also, if you have managed switches, you can use SNMP tools to capture usage of the switch ports, and present historical graphs of use.

    In the past, I used MRTG to do this, but there are plenty of other options.
    MRTG - The Multi Router Traffic Grapher
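
An added example, not part of the thread or of any WatchGuard or MRTG code: the switch-port approach from the last reply, reduced to its core calculation of turning successive SNMP octet-counter readings (`ifInOctets` or `ifHCInOctets`) into per-port rates and listing the intervals that spiked. The port names, sample readings, function names and thresholds are constructed for illustration.

```python
COUNTER32 = 2**32  # ifInOctets wraps here
COUNTER64 = 2**64  # ifHCInOctets wraps here


def rate_mbps(prev, curr, seconds, modulus=COUNTER64):
    """Mbit/s between two octet-counter readings, tolerating one counter wrap."""
    if seconds <= 0:
        raise ValueError("samples must be in increasing time order")
    delta = (curr - prev) % modulus  # modular subtraction absorbs a single wrap
    return delta * 8 / seconds / 1_000_000


def find_spikes(samples, threshold_mbps, modulus=COUNTER64, link_mbps=1000):
    """samples: {port: [(unix_time, octets), ...]}.

    Returns (port, start, end, mbps) for every polling interval at or above
    threshold_mbps, busiest first. A rate above the port's link speed cannot
    be real traffic (typically a counter reset after a reboot), so it is
    dropped rather than reported as a spike.
    """
    hits = []
    for port, readings in samples.items():
        for (t0, c0), (t1, c1) in zip(readings, readings[1:]):
            mbps = rate_mbps(c0, c1, t1 - t0, modulus)
            if mbps > link_mbps:
                continue
            if mbps >= threshold_mbps:
                hits.append((port, t0, t1, round(mbps, 1)))
    return sorted(hits, key=lambda h: h[3], reverse=True)


# Constructed readings: 32-bit counters polled every 60 s on two ports.
# Gi0/7 idles at about 60 kbit/s, then moves 1,125,000,000 bytes in one
# interval, which wraps its 32-bit counter.
SAMPLES = {
    "Gi0/1": [(0, 1_000_000), (60, 1_450_000), (120, 1_900_000)],
    "Gi0/7": [(0, 4_294_000_000), (60, 4_294_450_000), (120, 1_124_482_704)],
}

if __name__ == "__main__":
    for port, start, end, mbps in find_spikes(SAMPLES, 100, COUNTER32):
        print(f"{port}: {mbps} Mbit/s between t={start}s and t={end}s")
```

At 150 Mbit/s a 32-bit counter wraps roughly every 229 seconds, so a 5-minute polling interval can hide more than one wrap and under-report the rate; poll the 64-bit counters or shorten the interval.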

