I am looking at individual ports and users. We are using this to monitor what sites users are attempting to access. I am a bit confused on how the Active Time is calculated, as in this screen grab it shows Netflix is active for 16 hrs plus another 10 hrs. We have this site blocked on our proxy firewall and I do understand that the switch would not know this and is just reporting what is passing through the port. How is Netflix reporting 26 hrs though when the site is not even accessible?
We have it blocked on our FortiGate Firewall and I can see all the info I need there. However, my boss is using the Meraki Dashboard for easier reporting (for him) and he is questioning the Active Time.
Judging by the data usage it clearly isn't actually streaming video, as you say. Perhaps it could be traffic flows that are passing through the switch (DNS and TCP SYNs etc.) which the Meraki switch recognises as Netflix, but are then blocked as they hit your firewall.
The flows are still present with clients trying to reach Netflix, but are simply passing through the switch then getting terminated.
Just my 2 cents on how I see it, someone may be able to confirm for definite.
How does it report Active Time? I cannot imagine that he keeps trying to access Netflix with the blocked message. That's 26 hr of active time between the 2 points.
I would take the active time with a pinch of salt, have seen other people reporting this is not 100% accurate. An installed app on a mobile or even desktop will still continue to send traffic periodically despite the firewall blocking it.
I would say - try blocking it on the MX side and if you have any MRs on that side as well.
See if you are able to see any active time once this is done for next reporting.
We had a similar issue. This resolved it.
@RichV the 16 hours and 10 hours are not additive. They are different ways the devices have recognised traffic conversations with Netflix. If someone had a device trying to talk to Netflix, but not actually working, then this is what you'd see, as the Meraki stack isn't configured to block it. However, 16 hours is a long time for someone's shift; is that possible for this client?
16 hrs is not possible for someone's shift, hence the confusion in the numbers. I kind of figured the 2 were not cumulative but was not sure. I am just trying to figure out how Meraki totals the Active Time to make more sense of it.