Flex 200H - graph and details missing

GiuseppeR Posts: 248  Master Member
edited September 28 in Security

Hello everyone,

I put a 200H in production, so I started to look into details of its traffic analysis.

I went to the specific page for an "unknown virtual protocol" to understand what was going on and to start inspecting it:

As you can see the graph is zero, so you need to read the details in text somewhere else: I found no more columns of details, ports, IPs, something more to understand what happened.

For example I wanted to know details of first item: 12.63 GB of usage traffic.

I went to SecuReporter and I found the right hostname that generated that traffic:

As you can see, the time of the event was 2024-09-27 22:00:11, so it happened last night, but I cannot see that info in the graph on the 200H regarding the last 24H.

Why?

Is there a plan to enrich the onboard info on the 200H, or is it mandatory to onboard and read its details only with SecuReporter?

The question is essentially related to the fact that not all Companies would love to send logs to SecuReporter.

I'm at your disposal 😎

All Replies

  • Zyxel_Judy Posts: 1,487  Zyxel Employee

    Hi @GiuseppeR ,

    In your site, the USG FLEX 200H with V1.21P0 is showing the Top Usages by Host IP Address as below:

    To clarify the issue, we may need to access your device directly. Could you share the remote access information via private message?

    "so you need to read the details in text somewhere else: I found no more columns of details, ports, IPs, something more to understand what happened."

    We're not entirely clear on your thoughts here, so could you provide more details about what you find problematic or unexpected?

    Engage in the Community, become an MVP, and win exclusive prizes!

    https://bit.ly/Community_MVP

  • GiuseppeR Posts: 248  Master Member
    edited September 30

    Hello @Zyxel_Judy

    It is not a problem to let you access the firewall; if you want, I can open a Case from support so you will receive access privileges.

    As you can see with my shared screenshots I wanted to inspect details of 200H traffic analysis.

    I went to the Applications and looked into a specific page for an "unknown virtual protocol" to understand what was going on and which "unknown virtual protocol" it was, to start identifying it via IPs, ports and so on.

    I wanted to understand what was that peak of traffic for about 12 gigs of data.

    Maybe an unwanted exfiltration?

    As you can see the graph I had on 200H was totally flat.

    But the 200H showed me some data in the table below, so it was not possible to see the graph totally flat:

    Looking here there is no trace about 12 gigs of usage traffic from a specific IP.

    To understand better what happened with that usage traffic I had to go to SecuReporter and see that event at 2024-09-27 22:00:11

    I expected to see this detail on the graph also on the onboard page inside 200H statistics.

    In reality, on the onboard pages I cannot see details like IPs, ports and so on:

    I see no options about that to add more columns (inbound/outbound traffic, external IPs, port used and other details that are shown on SecuReporter…).

    So the last question is: 200H has really basic details onboard and gives deep details about firewall filtering and traffic mainly if these logs are sent to SecuReporter.

    Is it mandatory to have SecuReporter with the Flex H lineup, or does Zyxel plan to enrich onboard statistics without forcing each Company to send logs to SecuReporter?

    I'm always at your disposal

  • Zyxel_Judy Posts: 1,487  Zyxel Employee

    Hi @GiuseppeR,

    Regarding the graph issue: We have tested USG Flex H running firmware version 1.30 and found no similar problems. We recommend checking if this issue persists after you upgrade your firewall to version 1.30 later.

    Regarding additional columns (such as inbound/outbound traffic, external IPs, ports used, and other details currently shown in SecuReporter): We currently have no plans to add these features to the device interface itself. Based on our product positioning strategy, we prefer to maintain these detailed analytics within SecuReporter.
