The UTM10 has a wide array of reporting capabilities including log files, daily and weekly reports and security alerts. I'm going to cover a few of them to give the general idea.
I configured my UTM to send emails on all activity, and I got an email every day containing both the UTM10's service and system logs. The service logs contained text entries regarding successful security database updates and sending of notifications. The system logs contained text entries generated by traffic that is meant for the UTM, by traffic that is routed or forwarded through the UTM, and by running systems such as NTP and activity on the WAN interface.
I found the Daily and Weekly Reports generated by the UTM10 interesting. The reports are sent in a zip file as an attachment to an email. These reports provide hourly details on Web, Mail and System transactions, broken down by protocol. For example, the Daily Web Report shows the hourly HTTP traffic counts as shown in Figure 10.
Figure 10: Daily Web Report
In the above report, you can see there were 762 HTTP connections between 18:00 and 19:00, using 3.346 MB of bandwidth. During that same hour, 72 URLs were blocked by the UTM10.
The daily report presents the data numerically and graphically. In addition to the above data, there are graphs for each protocol by hour. The corresponding HTTP graph to Figure 10 is shown in Figure 11. As you can see, the high traffic hours depicted on this graph were 12:00 and 18:00.
Figure 11: HTTP traffic graph
SMTP and POP3 traffic is reported in the Daily and Weekly Mail reports in similar fashion. An additional statistics report is available to examine highest traffic generating source and destination IP addresses.
Another reporting feature I found useful on the UTM10 is the Status screen. Immediately presented when you log in, and continuously available on the Monitoring-System Status menu, is a useful dashboard presenting real-time CPU, Memory and Disk utilization, the status of the Web and Email protocol monitors, and key licensing information for the security services, shown in Figure 12.
Figure 12: System status
Another nice display within the UTM10 is the real-time security dashboard, updated every 30 seconds, which shows the running total of Email, Web, IM/P2P and Network events. Figure 13 shows the numerical output of this dashboard. This security dashboard on the UTM10 also provides graphical displays of threat types, counts of most recent and top threat types, and detailed statistics on each of the 6 key protocols monitored by the UTM10 (HTTP, HTTPS, FTP, POP3, SMTP, IMAP).
Figure 13: Real-time security dashboard
Lastly, there are five types of security alerts on the UTM10: Failure to Update; Malware Detected; Malware Threshold Exceeded; IPS Detected; and IPS Threshold Exceeded. The Malware and IPS threshold alerts are configurable for the number of violations per time period. The default is that two Malware or IPS attacks within 10 minutes will send an alert. The Alerts are emails indicating the offending condition, such as the IPS Alert I covered back in the Security – Network section.
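As an added illustration of the threshold alerts described above (example code written for this page, not NETGEAR's; the log line layout, the event kinds and the field names are assumptions), here is a sliding-window detector that fires on the default two events of one kind within 10 minutes and can be re-parameterised the way the UTM10 setting can:

```python
"""Sliding-window threshold alerting, modelled on the UTM10's
"Malware Threshold Exceeded" / "IPS Threshold Exceeded" alerts.
Added example, not NETGEAR code: the log line format and the
event kind names are assumptions."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "date time KIND details" layout.
SAMPLE_LOG = """\
2010-03-01 09:58:10 IPS signature=1001 src=10.0.0.5
2010-03-01 10:01:30 MALWARE file=report.exe src=10.0.0.7
2010-03-01 10:04:05 IPS signature=1001 src=10.0.0.5
2010-03-01 10:06:50 IPS signature=2042 src=10.0.0.9
2010-03-01 10:20:00 MALWARE file=setup.exe src=10.0.0.7
"""


def parse_events(text):
    """Yield (timestamp, kind) pairs from the constructed log text."""
    for line in text.splitlines():
        date, clock, kind, _details = line.split(" ", 3)
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), kind


def threshold_alerts(events, kind, count=2, window=timedelta(minutes=10)):
    """Return the timestamps at which an alert fires for `kind`.

    An alert fires when `count` events of that kind fall inside `window`
    (the UTM10 default is 2 within 10 minutes). After firing, the window
    is cleared so one burst yields one alert rather than one per event.
    """
    recent = deque()   # timestamps of matching events still inside the window
    fired = []
    for ts, k in events:
        if k != kind:
            continue
        recent.append(ts)
        # Drop events that have aged out of the window relative to this one.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= count:
            fired.append(ts)
            recent.clear()
    return fired


if __name__ == "__main__":
    for kind in ("IPS", "MALWARE"):
        hits = threshold_alerts(parse_events(SAMPLE_LOG), kind)
        print(kind, "threshold alerts:", [t.strftime("%H:%M:%S") for t in hits])
```

With the sample lines, the three IPS events trigger one alert at 10:04:05, while the two MALWARE events are more than 10 minutes apart and trigger none.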
I tested network throughput and VPN throughput on the UTM10 using jperf with its default settings as my TCP/IP throughput measurement tool. I used two physical laptops with a measured minimum throughput of 310 Mbps as my endpoints.
I tested outbound (LAN-WAN) and inbound (WAN-LAN) network throughput with the UTM10's traffic filtering enabled and disabled. I took four different throughput measurements: no UTM protection (All Off), just Intrusion Protection (IPS On), just Email/Web protection (Email/Web On), and finally with both Intrusion and Email/Web protection (All On).
Table 2: Network throughput
Table 2 shows that enabling all of the UTM10's bells and whistles knocks throughput down around 90%. But the 8 - 10 Mbps of remaining bandwidth should still handle many small business DSL and cable-based Internet connections. However, if you have fiber-based service, the UTM10 would not be a good choice.
I also tested VPN throughput over an IPSec Site-to-Site tunnel and over a SSL Client-to-Site tunnel. I used the 3DES VPN tunnel between the UTM10 and the TZ100W I described earlier. I tested VPN throughput in the same manner I tested network throughput, with no UTM protection (All Off), just Intrusion Protection (IPS On), just Email/Web protection (Email/Web On), and finally with both Intrusion and Email/Web protection (All On). My VPN throughput results are in Table 3.
Table 3: VPN throughput
The row labeled S2S VPN in Table 3 shows my throughput results over the IPSec Site-to-Site tunnel, while the row labeled SSL VPN shows my throughput results over the SSL Client-to-Site tunnel.
The results show a 70% throughput reduction in the IPsec tunnel with all UTM features enabled and a 45% drop with an SSL client connection.
What's the takeaway here? With all security features enabled, expect 8 - 10 Mbps throughput to and from the Internet. Further, with all security features enabled, expect about 5 - 6 Mbps throughput over a Site-to-Site IPsec VPN tunnel and about 4 - 5 Mbps throughput over a client SSL VPN tunnel.