I've not used jweb myself, but there is this visual management tool you can turn on and get some reporting from that may help.
https://www.juniper.net/documentation/en_US/jweb20.4/information-products/pathway-pages/j-web-security-user-guide.htmlOn the cli you main area to look if the issue is active is the session table.
This will list the total sessions you have at the moment as a reference
show security flow summary
This lists ALL sessions active if the total is something reasonable.
Output includes the current byte size of the session so you can look for unusually high numbers.
show security flow session
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
In: 192.168.0.1/2736 --> 192.168.0.20/22;tcp, If: fe-0/0/7.0, Pkts: 273, Bytes: 19082
Out: 192.168.0.20/22 --> 192.168.0.1/2736;tcp, If: .local..0, Pkts: 204, Bytes: 21677
The view of sessions can be limited by source or destination ip addresses or protocol/ports, policies, interfaces or a number of parameters.
Just add the ? and choose the option that will help investigate.
show security flow session ?
Possible completions:
<[Enter]> Execute this command
application Application protocol name
application-firewall Show application-firewall sessions
application-firewall-rule-set Show application-firewall session by rule-set
application-traffic-control Show application-traffic-control sessions
application-traffic-control-rule-set Show application-traffic-control session by rule-set
brief Show brief output (default)
destination-port Destination port (1..65535)
destination-prefix Destination IP prefix or address
dynamic-application Dynamic application name
dynamic-application-group Dynamic application group name
encrypted Show encrypted traffic
extensive Show detailed output
family Protocol family
idp IDP sessions
interface Name of incoming or outgoing interface
nat Sessions with network address translation
policy-id Policy id value (1..4294967295)
protocol IP protocol number
resource-manager Sessions with resource manager
session-identifier Show session with specified session identifier
source-port Source port (1..65535)
source-prefix Source IP prefix or address
summary Show output summary
tunnel Tunnel sessions
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
Original Message:
Sent: 02-26-2021 12:49
From: Leandro Gomes
Subject: Excessive network consumption
Hello guys. Okay ? I have a problem on my network, there are some users consuming a lot of network traffic, I believe it is a very large download. Is there any way to check which ip is performing this excessive consumption?
------------------------------
Leandro Gomes
------------------------------