How Traffic Direction is Determined and its Implications

In most cases, that is, on all reports except the subnet report, traffic direction is determined by the direction in which the traffic passes through the LAN port and WAN port on the appliance. If the traffic flows from the LAN side to the WAN side, the traffic is outbound. If the traffic flows from the WAN side to the LAN side, the traffic is inbound. On the subnet report, traffic direction is determined relative to the subnet (or network object). Traffic originating from the network object is outbound. Traffic destined to the network object is inbound.

Because of these differences, when virtual circuits are based exclusively on a network object, you should generally expect the totals for that network object on the subnet report and the virtual circuit to match. However, there are a few cases where the totals will not match.

When the network object is marked as external, the inbound and outbound traffic are flipped, that is, the inbound virtual circuit traffic will match the outbound subnet traffic. This is because traffic direction for virtual circuits is reported relative to the internal network as determined by the WAN and LAN ports of the appliance, whereas traffic direction for the subnet is reported relative to the location of the network object as determined by the location setting on the network object. Consider the scenario where the External Network Object is used to define a virtual circuit as shown in the figure below. Traffic from the LAN to the External Network Object will be reported as inbound on the Subnet Report and outbound on the Virtual Circuit Report.

Figure: Traffic inbound to the External Network Object is outbound from the internal LAN

When a network object is defined such that it is on both the LAN and WAN side of the appliance, the subnet report will double-count the traffic, whereas the virtual circuit report will not. Consider the scenario where 3 MB of traffic is flowing from host A to host B, and both hosts are defined within an internal network object yet reside on opposite sides of the appliance. Traffic from host A on the LAN side to host B on the WAN side will be counted on the subnet report as both 3 MB outbound from the network object as it leaves host A and 3 MB inbound to the network object as it arrives at host B. Traffic from A to B on the virtual circuit report will be counted only as 3 MB of outbound traffic, since the traffic flowed from the LAN side of the appliance to the WAN side.

Figure: Traffic from a network object to itself will be counted as both inbound and outbound traffic on the subnet, but only one direction on the virtual circuit
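
The two accounting rules and both mismatch cases above can be reproduced with a small model. This is an added example, not the appliance's own code; the function names, addresses and flow records are constructed assumptions, and the model applies only the rules stated on this page.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

def virtual_circuit_report(flows, net):
    """Direction follows the appliance ports: LAN->WAN is outbound, WAN->LAN is inbound."""
    totals = Counter()
    for src, src_side, dst, mb in flows:
        # Virtual circuit based exclusively on this network object.
        if ip_address(src) in net or ip_address(dst) in net:
            totals["outbound" if src_side == "LAN" else "inbound"] += mb
    return dict(totals)

def subnet_report(flows, net):
    """Direction is relative to the network object, so one flow can count twice."""
    totals = Counter()
    for src, _src_side, dst, mb in flows:
        if ip_address(src) in net:
            totals["outbound"] += mb   # originates from the object
        if ip_address(dst) in net:
            totals["inbound"] += mb    # destined to the object
    return dict(totals)

# Constructed sample data: (source IP, side the source sits on, destination IP, MB).
EXTERNAL_OBJECT = ip_network("203.0.113.0/24")   # object located on the WAN side
EXTERNAL_FLOWS = [("10.0.0.5", "LAN", "203.0.113.10", 5)]

STRADDLING_OBJECT = ip_network("10.0.0.0/24")    # hosts on both sides of the appliance
STRADDLING_FLOWS = [("10.0.0.5", "LAN", "10.0.0.200", 3)]  # host A -> host B, 3 MB

if __name__ == "__main__":
    for name, net, flows in [("external", EXTERNAL_OBJECT, EXTERNAL_FLOWS),
                             ("straddling", STRADDLING_OBJECT, STRADDLING_FLOWS)]:
        print(name, "VC:", virtual_circuit_report(flows, net),
              "subnet:", subnet_report(flows, net))
```

When reconciling the two reports for the same network object, a subnet total that is double the virtual circuit total points to the straddling case, and swapped inbound/outbound totals point to the external case.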