doubt Flow Monitor

Gerardo, do you see any blocks of SIP (5060) in your Firewall log at the time that appeared in the Flow Monitor?

Cheers - Bob

hii !!

I do not have any block to sip

Phones and chat clients may have code that uses the protocol.  Are you sure you don't have any of that on your network?

Good idea, Darrell.  In 'Logging & Reporting >> Network Usage', on the 'Bandwidth Usage' tab, you can see which users had SIP traffic.

Cheers - Bob

Hi !!!

My laptop is the only device connected to the utm and I do not use sip.

Thanks !! 

It is possible the flow monitor is simply matching the port with a service rather than protocol inspection (I honestly don't know how it works), so if a service just happened to use the same port as SIP it might be inaccurately reported as SIP traffic.  Hopefully someone (Bob and lots of others) more knowledgeable than me will chime in.

Hii !

What kind of chat do you mean? I only use skype, facebook, etc.

I was thinking things like skype (older microsoft clients used SIP - not sure if skype does or not) or even some phone carriers will allow cell phones to use WiFi for making calls rather than cellular calls in areas where cellular service signals are not very good (some carriers even offer hardware that will enable this function when you are at home, work, etc.).

I am sorry I did not notice this before, but you are monitoring all interfaces.  Thus, you are likely seeing SIP scanning being performed on your IP from the internet.  Change your flow monitor to only your internal interface and see if it goes away.  Or, check your logs if you are logging drops and you should find several attempts to connect to SIP ports on your public IP.

I am sorry I did not notice this before, but you are monitoring all interfaces.  Thus, you are likely seeing SIP scanning being performed on your IP from the internet.  Change your flow monitor to only your internal interface and see if it goes away.  Or, check your logs if you are logging drops and you should find several attempts to connect to SIP ports on your public IP.

In which cases should I select the interface of my WAN?

Thanks !! 

You can select WAN to view your WAN traffic, but you may also see a lot of other traffic that the firewall is probably blocking.  In other words, don't let what you see surprise you.

One more question,

In saturation problems should I be guided by the LAN or WAN interface?

Very Thanks !!!

It depends on what you are trying to find out.  If you think a user is saturating the network connection, then I typically use the LAN (especially if you only have 2 interfaces).  If you have more than two interfaces, or if you are trying to find out what they are talking to, I would use WAN.  I have three interfaces, but still use LAN mostly because I don't have a lot of traffic between the two internal interfaces so what I see on LAN is mostly internet-based.