Example: Identifying a disruptive internal user

An example of administrators looking for a specific trend in network activity to identify a specific user.

Administrators at Company A notice that downloads have gone up dramatically over the past week. They suspect that there might be an individual user that is excessively downloading files from the Internet. To confirm their suspicions, the Administrators decide to run a report that shows them who has used the most bandwidth in the network.

The administrators take the following steps:
  1. Activate Log Accounting Information for each rule that allows connections from internal hosts to the Internet and install the policy. (Incoming connections to internal workstations are not allowed.)
  2. Wait for a full workday for the logs with accounting information to be generated.
  3. Create a filter that matches the IP address space of regular workstations as the source address and any external IP addresses as the destination address.
  4. Create a Report Design based on the Firewall Daily summary and attach the filter created in the previous step to the Report Design.
  5. Increase the “Top Limit” value for the section “Traffic by src. IP” to see more results.
  6. Generate a report for the previous day to check the traffic volumes for the top hosts.