Our customer has ISA 2006 SE. Most of the clients are SecureNAT, but there is WebProxy filter in place. The management is worried about internet connection usage so they would like to have some sort of traffic reports - by protocols and by machines.
There are two problems: 1. ISA Reports show only a few megabytes of traffic although there were probably ten times more of for example, HTTP traffic according to logs. The ISP is also reporting a much bigger amount of traffic. Why can this happen?
2. ISA firewall logs show about 30-40% more traffic than ISP. I investigated this and found that there are some records with ZERO bytes sent like: ISASRV 2/11/2009 17:00:46 TCP z.z.z.z:35234 y.y.y.y:80 z.z.z.z Terminate 0x80074e24 HTTP - 0 1807769
These sessions are not logged by the ISP. What do these records mean?
From: Southern California
There will be records in your logs for each request made of the ISA firewall, regardless where the request was ultimately served from. Remember, this is true for requests that are denied as well, as long as you haven't disabled logging for denied requests.
Hello All! It seems that I have a similar problem. My ISA reports do not include Symantec Live Update traffic. I can see this traffic in logs, but it does not appear in reports. Symantec Antivirus connects to akamai network servers via FireWall Client. I've got in logs following records: