Hi @the_rock  ,

Thanks for your response.

Monitoring blade is not enabled ( not licensed ) , and the only blades that are enabled in the gateway are Firewall , app control and content awareness.

Do we have any other options please ?

Sorry, I saw you mentioned that in the description as far as blades, my bad. Hm, not really sure without monitoring blade, but I can test it in the lab tomorrow. Because, quite honestly, I dont believe there is an easy way (or any way for that matter) to filter for something like this from regular logs, but will confirm.

Thanks for your response. Very much appreciated. 

I see there is an option for bandwidth when searching in logs, but not sure what value to search for, as I never used it before. I will check more tomorrow and let you know. Its under field Other Fields: and then bandwidth,

Hi @PhoneBoy ,

Thanks for your response.

Does the cpview also shows the historical bandwidth usage per source/dest ? If not do we have any other options like cpviewer and Smartview or any other options we can really on.

@the_rock  That's correct there is a bandwidth option in the other fields but not sure what option to enter since even i haven't used that before.

I did not forget about you, just been a busy day, apologies. I had been trying to figure out how to actually run that filter, but no luck so far. Will definitely work on it Friday morning and update you in this thread.

Andy

No worries , really appreciate your kind support.

Im really sorry, tried every possible option I could think of for that bandwidth setting and no luck : (. Maybe you could confirm with TAC or someone else here can chime in.

cpview has historical options (i.e. you can see what was going on at a given point in time), but I don't know that it tracks specific top connections over time or not.

Thank you for your response.

So what are the other options we can rely on to check the historical bandwidth usage per source/network basis.

Try running the fw ctl multik print_heavy_conn command every day, it will show all connections that were classified by the firewall as "heavy" (a.k.a. an elephant flow) over the last 24 hours.  It won't show the top connections per se, but will help identify any bandwidth-hogging connections historically.  To clarify what constitutes a "heavy" connection see here: sk164215: How to Detect and Handle Heavy Connections

Thanks for your response.

Does the command help to identify the connection which had heavy flow a week ago ?

Since the issue occurred only once and usually this is occurring whenever the Microsoft patch upgrade over the systems ( happens once in a month ) . So basically wanted to know and get proof is this because of patch upgrade it happens or does any other traffic constituting to this.

Bandwidth spike occurrences are taking from the SolarWinds monitoring , and from the CP want to identify the historical bandwidth hogging connection for that particular time.

No just the last 24 hours and that can't duration be changed, which is why I suggested running it once a day.

Another way to catch real time high bandwidth sources is to run a tcpdump on the gateway for say 10 seconds and then export it to wireshark and sort by Bytes Down