What computer is using all the bandwidth?

In Reporting (on-appliance if you have it, in Sophos Central if not), you could create a graph of Bandwidth Usage and switch the graph to display Date-Bytes-Source IP.

Thanks, Wayne! Sorry for the noob question, but I'm guessing I'd create this Bandwidth Usage graph in Reports/Custom? I'm not seeing a way to do that. (Much less display Date-Bytes-Source IP, but hopefully I can figure that out once I get to it.)

It does seem that I should see SOMETHING that's about 20GB in the top users & top hosts reports, wouldn't I? The biggest number I see is 570MB. That would d/l in under a minute at 100Mbps. We're talking about a download that's 40X that size. None of the other clients or hosts are anywhere near 570MB. In aggregate they're not even 1GB. How could a d/l that big show up in bandwidth usage graphs but not show up in top users & top hosts?

I only use Sophos Central, since the bottom of the line XGS87 doesn't have memory to do reporting. In Sophos Central, you go to Firewall Management > Report Generator, then choose the firewall and the default report is Bandwidth Usage. This breaks things down by Application. But you can go into the tool icon dropdown (on the graph) and choose Date-Bytes-Source IP (rather than the default Date-Bytes-Application). Remember, this is reporting, not Logs.

Also, the little table-with-plus icon on the top right of the table (below the graph) lets you do things like choose Source IP and Destination IP. Bytes is always selected and can't be changed. The idea is, the less you put in there, the more aggregation takes place.

I only use Sophos Central, since the bottom of the line XGS87 doesn't have memory to do reporting. In Sophos Central, you go to Firewall Management > Report Generator, then choose the firewall and the default report is Bandwidth Usage. This breaks things down by Application. But you can go into the tool icon dropdown (on the graph) and choose Date-Bytes-Source IP (rather than the default Date-Bytes-Application). Remember, this is reporting, not Logs.

Also, the little table-with-plus icon on the top right of the table (below the graph) lets you do things like choose Source IP and Destination IP. Bytes is always selected and can't be changed. The idea is, the less you put in there, the more aggregation takes place.

OK, thanks. I was working in the firewall's web console. I'll do this in Central.

I'm sure you can do it on the Firewall, I just don't know what the interface looks like. (Another advantage of Central is that it saves stuff for 30 days.)

I found it, and thanks for pointing me in this direction...still not seeing anything to account for 20GB. In fact, I downloaded a 5.5GB ISO earlier in the day (without bringing the WAN connection to its knees, and I'm not seeing that traffic either. I need to play with this some more.

Yeah, I had a mysterious incident the other day where something like 120GB of data hit my XGS. I didn't see that kind of traffic on any LAN, just on the WAN. Getting into the Advanced Shell, I was able to confirm the amount of traffic, but never figured out where it was going -- or even if it actually entered my network or whether it was all dropped by the firewall. (I.e. only hit the WAN interface but didn't go anywhere.) My ISP claims they couldn't see the surge at their end. Very mysterious.

I'm basically seeing the same data in Central that I do in the firewall console, just sliced differently. I still can't see my own, known 5.5GB download from an hour prior to the mystery download. So, either I don't know where to look, or SFOS doesn't know how to tell me. Hoping for the former, I will open a ticket with Sophos.

this task is indeed very difficult to identify.

you can check here, but the values are very inacurate.

do you have authenticated users on the firewall, synchronized security?

you could then use this graph