Nexapp - Monitoring

Monitoring

NexappOS provides comprehensive monitoring tools to track firewall health, performance, traffic trends, VPN activity, and security events. Monitoring helps administrators quickly detect issues such as congestion, service degradation, or attacks.

NexappOS offers two monitoring modes:

• Real-time monitoring
  Uses Netdata, the Netify agent, and live logs to show the current status of the firewall.
  Metrics are stored in RAM, so they reset after every reboot.

• Historical monitoring (subscription required)
  Stores long-term metrics on a remote Controller.
  This preserves data across reboots and enables centralized reporting.

---

Real-time Monitoring

Real-time monitoring shows live data so administrators can respond quickly to:

• network congestion
• WAN instability
• VPN problems
• malware and brute-force activity

All data is kept in memory and resets on reboot.

The Real-time monitor page is divided into 5 areas:

1. Traffic
2. Connectivity (WAN uplinks)
3. VPN
4. Security
5. Real-time Traffic

---

Traffic

Traffic charts are generated from the dpireport daemon.

Available views:

• Daily total traffic
  Total volume of traffic for the current day.

• Recent traffic
  Histogram of daily traffic, updated every 60 minutes.
  Useful for spotting spikes, dips, and peak usage windows.

• Local Hosts
  Shows top internal devices by traffic.
  Helpful for bandwidth control and detecting abnormal internal activity.

• Applications
  Displays traffic grouped by applications/services.
  Useful to identify heavy consumers and enforce app-usage policies.

• Remote Hosts
  Lists external hosts exchanging the most data with your network.
  Useful to detect suspicious destinations or unusual outbound patterns.

• Protocol
  Displays traffic split by protocol (HTTP, HTTPS, FTP, etc.).
  High usage of unknown protocols can be a red flag.

You can filter by clicking any host/app/protocol label in the tables below each chart.

---

Connectivity (WAN Uplinks)

This area summarizes WAN state and quality.

• WANs
  List of WAN interfaces with:

  • status (UP/DOWN)
  • assigned public IP
    Data comes from mwan3 status.

• WAN events
  Connection/disconnection events from the last 24 hours.
  Helps confirm stability or recurring provider outages.
  Cached for 5 minutes.

• WAN interface traffic
  Histogram showing WAN traffic over the last 60 minutes, sourced from Netdata.
  Useful for spotting saturation or imbalance.

• Latency to <address>
  Live latency chart for the target configured in Ping latency monitoring.

• Packet delivery rate to <address>
  Shows packet loss toward the same target.
  Values below 100% suggest congestion or instability.

---

VPN

The VPN section covers both remote-access and site-to-site tunnels.

OpenVPN Road Warrior servers

For each Road Warrior server NexappOS shows:

• Status
  Current availability of the VPN instance.

• Connected clients
  Total currently connected users.

• Total traffic by hour
  Bandwidth consumption of all clients per hour.

• Daily connections
  List of currently connected users and connection time.
  Data from the local SQLite history.

• Connected clients by hour
  How client count changes during the day.

• Client traffic by hour
  Per-client bandwidth usage trends.

Site-to-site VPN

Includes OpenVPN net-to-net and IPsec tunnels:

• Connected tunnels
  Count of currently active tunnels.

• Configured tunnels
  Full list of tunnels with type and state.

• Tunnel traffic
  Real-time traffic histogram per tunnel (last 60 minutes).
  Useful for diagnosing throughput drops or instability.

---

Security

This section appears only if InstaShield IP is enabled.
Data is read from logs (last 24 hours), cached 5 minutes.

Blocklist activity

• Blocked threats
  Total blocked packets for today.

• Blocked threats by hour
  Shows when attacks are most active.

• Threats by direction
  Distribution by firewall chain. Depending on enabled logging:

  • inp-wan – WAN → firewall
  • fwd-wan – WAN → LAN
  • fwd-lan – LAN → WAN
  • pre-ct – invalid-state floods
  • pre-syn – SYN floods
  • pre-udp – UDP floods

• Threats by category
  Breakdown by list category to evaluate list effectiveness.

Brute force activity

• Blocked IP addresses
  Unique IPs blocked today due to failed logins.

• Blocked IP addresses by hour
  Trend of brute-force activity.

• Most frequently blocked IP address
  Persistent offenders to review or blacklist.

---

Real-time Traffic

Updated every 2 minutes:

• Local Hosts
  Current traffic by internal devices.

• Applications
  Live traffic by application.

• Protocols
  Live traffic by protocol.

---

Netdata

Netdata is enabled by default and reachable from LAN.
To open it:

• Go to Monitoring
• In Real-time report, click Open report

Netdata metrics are stored in RAM and reset on reboot.
If connected to a Controller, metrics can be preserved remotely.

---

Ping Latency Monitoring

Ping monitoring measures round-trip time and packet loss to chosen hosts.

• Click Add host
• Enter target IP or hostname (VPN targets are supported too)
• Click Save

Changes apply instantly.
Latency graphs are visible inside Netdata.

---

Historical Monitoring (subscription required)

Historical monitoring works only if:

• the firewall has a valid subscription
• the Controller has a valid subscription

If a firewall was connected before subscription activation, historical monitoring is not enabled automatically.

To enable:

1. Disconnect the unit from the Controller
2. Confirm the Controller subscription is valid
3. Reconnect the unit

See Controller → Metrics for details.

---

Alerts

Alerts use Netdata’s engine and focus only on issues that could impact firewall stability.

If the firewall has a valid subscription, alerts are also sent to remote portals for centralized tracking.

Implemented alerts:

• Disk Space
  Triggered when storage runs low.

• MultiWAN Status (Up/Down)
  Triggered on WAN failover or recovery events.