We currently use MWG in a transparent router setup with version 220.127.116.11
The appliance has 3 interfaces enabled:
1 external (ETH0)
1 internal that intercepts http/https/ftp traffic (ETH1)
1 dedicated for accessing the GUI and for central management.(ETH3)
When reporting on Web Usage in CSR (Sum of Bytes from client / per site) the top site (87% of 'all bytes from client' transferred) is always the MWG appliance itself, on eth3.
When looking at the report details, all hits for this site are for the URL: http://MWG_ETH3_IP:proxy_port/crossdomain.xml
I don't have the username since the appliances are currently in transparent router mode and don't authenticate.
Looking at the browser information of each hit, it's always the same (Chrome on 64-bits windows) and I'm deducting that it's MY browser "causing" these hits since our standard browser is IE, only a subset of people actively use Chrome and only a subset of people using Chrome have 64-bits Windows and the users' browser traffic travels from ETH1 to ETH0.
The CSR report I'm looking at is for the last 24hours and my browser was opened on the management GUI of MWG (ETH3) pretty much all day.
I can see the same 'pattern' in the MWG dashboards: the top 2 "Source IPs by bytes transferred" are #1 the external interface IP (ETH0) and #2 the management interface IP (ETH3)
Looking at the number of "bytes from client" transferred for each 'GET' request in the detailed CSR report, it varies from 2MB to over 341MB (no particular order or pattern)
Here is the typical details page from the CSR report (Edited to remove IP and hostname)
Anyone has any idea what this is all about?