Reports

The Traffic screen provides basic information about the following metrics:

Note: Collecting data for these reports may decrease the overall throughput of the ZyWALL.

You use the Traffic screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic screen.

Maintenance > Report > Traffic 

Label
Description
Data Collection
 
Collect Statistics
Select this to have the ZyWALL collect data for the report. If the ZyWALL has already been collecting data, the collection period displays to the right. The progress is not tracked here in real time, but you can click the Refresh button to update it.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
Traffics
 
Interface
Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge, PPPoE/PPTP, and auxiliary interfaces.
Traffic Type
Select the type of report to display. Choices are:
Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one.
Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
Web Site Hits - displays the most-visited Web sites and how many times each one has been visited.
Each type of report has different information in the report (below).
Refresh
Click this button to update the report display.
Flush Data
Click this button to discard the report data for the selected interface and update the report display.
 
These fields are available when the Report Type is Host IP Address/User.
#
This field is the rank of each record. The IP addresses and users are sorted by the amount of traffic.
IP Address/User
This field displays the IP address or user in this record. The maximum number of IP addresses or users in this report is indicated in Maximum Values for Reports.
Direction
This field indicates whether the IP address or user is sending or receiving traffic. Choices are Incoming and Outgoing.
Incoming - traffic is coming from the IP address or user to the ZyWALL.
Outgoing - traffic is going from the ZyWALL to the IP address or user.
Amount
This field displays how much traffic was sent or received from the indicated IP address or user. If the Direction is Incoming, a red bar is displayed; if the Direction is Outgoing, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes or Gbytes, depending on the amount of traffic for the particular IP address or user. The count starts over at zero if the number of bytes passes the byte count limit. See Maximum Values for Reports.
 
These fields are available when the Report Type is Service/Port.
#
This field is the rank of each record. The protocols and service ports are sorted by the amount of traffic.
Service/Port
This field displays the protocol or service port in this record. The maximum number of protocols or service ports in this report is indicated in Maximum Values for Reports.
Direction
This field indicates whether the indicated protocol or service port is sending or receiving traffic. Choices are Incoming and Outgoing.
Incoming - traffic is coming into the router through the interface
Outgoing - traffic is going out from the router through the interface
Amount
This field displays how much traffic was sent or received from the indicated service / port. If the Direction is Incoming, a red bar is displayed; if the Direction is Outgoing, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending on the amount of traffic for the particular protocol or service port. The count starts over at zero if the number of bytes passes the byte count limit. See Maximum Values for Reports.
 
These fields are available when the Report Type is Web Site Hits.
#
This field is the rank of each record. The domain names are sorted by the number of hits.
Web Site
This field displays the domain names most often visited. The ZyWALL counts each page viewed on a Web site as another hit. The maximum number of domain names in this report is indicated in Maximum Values for Reports.
Hits
This field displays how many hits the Web site received. The ZyWALL counts hits by counting HTTP GET packets. Many Web sites have HTTP GET references to other Web sites, and the ZyWALL counts these as hits too. The count starts over at zero if the number of hits passes the hit count limit. See Maximum Values for Reports.

The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.

Maximum Values for Reports 

Label
Description
Maximum Number of Records
20
Byte Count Limit
2^64 bytes; this is just less than 17 million terabytes.
Hit Count Limit
2^64 hits; this is over 1.8 x 10^19 hits.
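
The counting rule described for Web Site Hits, modeled as an added example (not ZyWALL code): only HTTP GET requests count, each is credited to the domain it is addressed to, and the report keeps the top 20 domains. The sample requests and function names are constructed for illustration, and crediting a hit to the request's Host header is an assumption. The example shows why domains the user never opened directly appear in the report.

```python
from collections import Counter

MAX_RECORDS = 20           # "Maximum Number of Records" in the table above
HIT_COUNT_LIMIT = 2 ** 64  # "Hit Count Limit" in the table above

# Constructed sample: a user views two pages on intranet.example; the pages
# reference a script and an image hosted on two other sites.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /lib.js HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
    b"GET /pixel.gif HTTP/1.1\r\nHost: ads.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /news.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /lib.js HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
]

def host_of_get(request: bytes):
    """Return the lower-cased Host of an HTTP GET request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not head[0].startswith(b"GET "):
        return None  # POST, HEAD, etc. are not counted as hits
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None  # GET without a Host header cannot be attributed

def web_site_hits(requests):
    """Rank domains by GET count, capped at MAX_RECORDS entries."""
    hits = Counter()
    for req in requests:
        host = host_of_get(req)
        if host:
            # The count starts over at zero once it passes the limit.
            hits[host] = (hits[host] + 1) % HIT_COUNT_LIMIT
    return hits.most_common(MAX_RECORDS)

if __name__ == "__main__":
    for rank, (site, count) in enumerate(web_site_hits(SAMPLE_REQUESTS), 1):
        print(rank, site, count)
```

When reading the report, treat entries such as content-delivery or advertising domains as a side effect of page references rather than evidence that a user browsed to them.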

Session Screen

The Session screen displays information about active sessions for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed.

You can look at all the active sessions by user or by service, or you can filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user.

Maintenance > Report > Session 

Label
Description
View
Select how you want the information to be displayed. Choices are:
sessions by users - display all active sessions by user
sessions by services - display all active sessions by service or protocol
all sessions - filter the active sessions by the User, Service, Source Address, and Destination Address, and display them by user
The User, Service, Source Address, and Destination Address fields are only available when all sessions is selected.
Refresh
Click this button to update the information on the screen. The screen also refreshes automatically when you open and close the screen.
 
The User, Service, Source Address, and Destination Address fields have no effect until you click the Search button, even if you click the Refresh button.
User
This field is only available when all sessions is selected. Type the user whose sessions you want to view. It is not possible to type part of the user name or use wildcards in this field; you must enter the whole user name.
Service
This field is only available when all sessions is selected. Select the service or service group whose sessions you want to view. The ZyWALL identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each service that is defined.
Source Address
This field is only available when all sessions is selected. Type the source IP address whose sessions you want to view. You cannot include the source port.
Destination Address
This field is only available when all sessions is selected. Type the destination IP address whose sessions you want to view. You cannot include the destination port.
Search
Click this button to update the information on the screen using the filter criteria in the User, Service, Source Address, and Destination Address fields.
sessions per page
Select the number of active sessions displayed on each page. You can use the arrow keys on the right to change pages.
User
This field displays the user in each active session. If you are looking at the sessions by users or all sessions report, click the blue plus sign (+) next to each user to look at detailed session information by protocol.
Protocol
Service
This field displays the protocol used in each active session. If you are looking at the sessions by services report, click the blue plus sign (+) next to each protocol to look at detailed session information by user.
Source
This field displays the source IP address and port in each active session.
Destination
This field displays the destination IP address and port in each active session.
Rx
This field displays the amount of information received by the source in the active session.
Tx
This field displays the amount of information transmitted by the source in the active session.
Duration
This field displays the length of the active session in seconds.

Anti-Virus Report

This screen displays anti-virus statistics.

Maintenance > Report > Anti-Virus  

Label
Description
Collect Statistics
Select this check box to have the ZyWALL collect anti-virus statistics.
The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click the Flush button. Collecting starts over and a new collection start time displays.
Total Files Scanned
This field displays the number of files that the ZyWALL has scanned for viruses.
Infected Files Detected
This field displays the number of files in which the ZyWALL has detected a virus.
Top Entry By
Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source or Destination.
Select Virus Name to list the most common viruses that the ZyWALL has detected.
Select Source to list the source IP addresses from which the ZyWALL has detected the most virus-infected files.
Select Destination to list the most common destination IP addresses for virus-infected files that the ZyWALL has detected.
#
This field displays the entry's rank in the list of the top entries.
Virus name
This column displays when you display the entries by Virus Name. This displays the name of a detected virus.
Source IP
This column displays when you display the entries by Source. It shows the source IP address of virus-infected files that the ZyWALL has detected.
Destination IP
This column displays when you display the entries by Destination. It shows the destination IP address of virus-infected files that the ZyWALL has detected.
Occurrences
This field displays how many times the ZyWALL has detected the event described in the entry.
Total
This field displays the sum of the occurrences of the events in the entries.

IDP Report

This screen displays IDP (Intrusion Detection and Prevention) statistics.

Maintenance > Report > IDP 

Label
Description
Collect Statistics
Select this check box to have the ZyWALL collect IDP statistics.
The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click the Flush button. Collecting starts over and a new collection start time displays.
Total Sessions Scanned
This field displays the number of sessions that the ZyWALL has checked for intrusion characteristics.
Total Sessions Dropped
The ZyWALL can detect and drop malicious sessions from network traffic. This field displays the number of sessions that the ZyWALL has dropped.
Total Sessions Reset
The ZyWALL can detect and reset suspicious network traffic sessions. This field displays the number of sessions that the ZyWALL has reset.
Total Packets Dropped
The ZyWALL can detect and drop malicious packets from network traffic. This field displays the number of packets that the ZyWALL has dropped.
Top Entry By
Use this field to have the following (read-only) table display the top IDP entries by Signature Name, Source or Destination.
Select Signature Name to list the most common signatures that the ZyWALL has detected.
Select Source to list the source IP addresses from which the ZyWALL has detected the most intrusion attempts.
Select Destination to list the most common destination IP addresses for intrusion attempts that the ZyWALL has detected.
#
This field displays the entry's rank in the list of the top entries.
Signature Name
This column displays when you display the entries by Signature Name. The signature name identifies a specific intrusion pattern. Click the hyperlink for more detailed information on the intrusion.
Type
This column displays when you display the entries by Signature Name. It shows the categories of intrusions.
Severity
This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose.
Source IP
This column displays when you display the entries by Source. It shows the source IP address of the intrusion attempts.
Destination IP
This column displays when you display the entries by Destination. It shows the destination IP address at which intrusion attempts were targeted.
Occurrences
This field displays how many times the ZyWALL has detected the event described in the entry.
Total
This field displays the sum of the occurrences of the events in the entries.