The Flow Monitor of Sophos UTM on AWS is an application which gives quick access to information on network traffic currently passing the interfaces of Sophos UTM on AWS. It can be easily accessed via the Dashboard by clicking one of the interfaces at the top right. By clicking All Interfaces the Flow Monitor displays the traffic accumulated on all active interfaces. By clicking a single interface, the Flow Monitor displays the traffic of this interface only.
Note – The Flow Monitor opens in a new browser window. As pop-up blockers are likely to block this window it is advisable to deactivate pop-up blockers for WebAdmin.
The Flow Monitor provides two views, a chart and a table, which are described in the next sections. It refreshes every five seconds. You can click the Pause button to stop refreshing. After clicking Continue to start refreshing again, the Flow Monitor updates to the current traffic information.
The Flow Monitor table provides information on network traffic for the past five seconds:
#: Traffic is ranked based on its current bandwidth usage.
Application: Protocol or name of the network traffic if available. Unclassified traffic is a type of traffic unknown to the system. Clicking an application opens a window which provides information on the server, the port used, bandwidth usage per server connection, and total traffic.
Clients: Number of client connections using the application. Clicking a client opens a window which provides information on the client's IP address, bandwidth usage per client connection, and total traffic. Note that with unclassified traffic the number of clients in the table may be higher than the clients displayed in the additional information window. This is due to the fact that the term "unclassified" comprises more than one application. So, there might be only one client in the information window but three clients in the table, the latter actually being the connections of the single client to three different, unclassified applications.
Bandwidth Usage Now: The bandwidth usage during the last five seconds. Clicking a bandwidth opens a window which provides information on the download and upload rate of the application connection.
Total Traffic: The total of network traffic produced during the "lifetime" of a connection. Example 1: A download started some time in the past and still going on: the whole traffic produced during the time from the beginning of the download will be displayed. Example 2: Several clients using facebook: as long as one client keeps the connection open, the traffic produced by all clients so far adds up to the total traffic displayed.
Clicking a total traffic opens a window which provides information on the overall download and upload rate of the application connection.
Actions: Depending on the application type, there are actions available (except for unclassified traffic).
- Blocking: Click the Block button to block the respective application from now on. This will create a rule on the Application Control Rules page. This option is unavailable for applications relevant to the flawless operation of Sophos UTM on AWS. WebAdmin traffic, for example, cannot be blocked as this might lead to shutting yourself out of WebAdmin. Unclassified traffic cannot be blocked, either.
- Traffic shaping: Click the Shape button to enable traffic shaping of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Bandwidth Pools page.Traffic shaping is not available when viewing the All Interfaces Flow Monitor as shaping works interface-based.
- Download throttling: Click the Throttle button to enable download throttling for the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Download Throttling page. Download throttling is not available when viewing the All Interfaces Flow Monitor as throttling works interface-based.
The Flow Monitor chart displays the network traffic for the past ten minutes. The horizontal axis reflects time, the vertical axis reflects the amount of traffic while dynamically adapting the scale to the throughput.
At the bottom of the chart view a legend is located which refers to the type of traffic passing an interface. Each type of traffic has a different color so that it can be easily distinguished in the chart.
Note – The Flow Monitor displays much more differentiated information on traffic if Network Visibility is enabled (see chapter Web Protection > Application Control > Network Visibility).
When hovering the mouse cursor on a chart a big dot will appear, which gives detailed information of this part of the chart. The dot is clung to the line of the chart. As you move the mouse cursor the dot follows. In case a chart has several lines, the dot switches between them according to where you move the mouse cursor. Additionally, the dot changes its color depending on which line its information refer to, which is especially useful with lines running close to each other. The dot provides information on type and size of the traffic at the respective point of time.