Watchguard Cloud bandwidth usage reporting
I'm in the process of investigating multiple Windows 10 hosts that are using excessive bandwidth sporadically. From what I've gathered so far, OfficeClickToRun.exe, while using excessive CPU, is also occasionally downloading ridiculous amounts of data for no apparent reason. Like 650 Mbps for 10-15 minutes straight. So far I've manually observed it happening while viewing Bandwidth meter in FSM. Combining that with HostWatch, I can see which machine is the culprit, but I have to do it in real time.
I've been logging data to Watchguard Cloud with the hope of being able to pull reports that will quickly show which hosts are problematic and at which times, to try to see if there is any pattern.
Today for example, I know one machine was exhibiting this behavior between 9-9:30am. When I look at Health > Interface Summary in WG Cloud for that time frame, it shows a graph that matches what I observed - about 64 GB downloaded at 9:15.
However, any other report that I run to narrow down which hosts are responsible for all of the bandwidth usage, the results don't jive. In this case I know the host responsible for that 64 GB download is 192.168.12.116. But when I view Traffic > Top Clients set to filter on Hosts/Sent and Received/By Bandwidth, 192.168.12.116 is 8th on the list and only shows 63.73 MB received.
And even the top entry shows only 4171 MB received. The total of everything on this report is 6833 MB received, a far cry from the 64 GB reported on the Interface Summary.
Any other host-centric reports show similar results where only a fraction of what was actually consumed is reported. Any ideas why that would be?
Comments
Dimension gets its info from log records.
To get data usage for HTTPS connections one needs to use an HTTPS proxy and have the "Enable logging for reports" option selected.
Review this:
Where to Enable Logging for Reports
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/reports_enable-logging_d.html
Also, look at Dashboards -> FireWatch, if you have not done so already.
It can show the top source devices. Then you can filter on a selected source, and see the destinations.
And FireWatch will only show info based on what the logs that are received by WG cloud contain.
Ahhh, that's got to be it. The HTTPS proxy did have Enable logging for reports checked but the HTTP proxy did not. And I think the connection that OfficeClickToRun.exe is using to connect to Microsoft servers is HTTP surprisingly.