Weekly Report

The Weekly Report is a deterministic weekly traffic report — a rolling filmstrip of week-long snapshots showing how much DHCP traffic flowed through the appliance and how much of it the firewall stopped.

You reach it at /weekly-report from the side menu labelled “Weekly Report”.

The report runs without an LLM. Numbers are aggregated directly from the events database over a fixed 7-day window (Monday 00:00 UTC to Sunday 23:59 UTC), so the same week’s snapshot always produces the same numbers. There is no model temperature, no analysis prompt, and no per-device verdict to triage on this page — for those, see Device Analysis (chapter 17).

What the Page Shows

A header with a Run Snapshot button, an optional trend sparkline once you have several weeks, and a horizontally scrolling row of tiles — one tile per week.

ASCII fallback

+----------------------------------------------------+
|  Weekly Report (?)             [Run Snapshot Now]  |
+----------------------------------------------------+
|  Filter Percentage Trend                           |
|  ___________________________________________       |
| /                                                  |   <-- sparkline (2+ weeks)
+----------------------------------------------------+
|  +-----+  +-----+  +-----+  +-----+  +-----+       |
|  | wk  |  | wk  |  | wk  |  | wk  |  | wk  | ...   |   <-- filmstrip
|  +-----+  +-----+  +-----+  +-----+  +-----+       |
+----------------------------------------------------+

Tiles are sorted newest-first. The current week is highlighted with a primary-coloured border and a “Current” badge.

How Snapshots Are Produced

Snapshots run automatically every Monday at 03:00 UTC, covering the previous Mon–Sun week.

A few details:

On first startup, the system backfills snapshots for the previous weeks it has data for, up to 90 days. So a fresh install with three months of traffic immediately shows about a dozen weekly tiles, not just the current week.
The current week’s tile is updated incrementally — every snapshot run during the in-progress week produces a fresher partial total. The badge marks it as Current so you know the numbers are not final.
The Run Snapshot Now button at the top right kicks off an immediate snapshot computation for the current week, without waiting for Monday 03:00.

When do snapshots run? Hovering the info icon next to the page title gives the same answer in-app.

Filter Percentage Trend (sparkline)

A thin trend line plotting the week-over-week filter percentage — what fraction of all DHCP packets the firewall blocked.

Appears only when two or more weekly snapshots exist. The y-axis auto-scales to a small range around the actual data so small changes are visible. Hover a point for the exact percentage and the week label.

Rising values mean enforcement caught more traffic week-over-week. That can be good (more blocks, fewer leaks) or bad (more attack traffic surviving up to the firewall). Read it together with the absolute volumes on the tiles to interpret correctly.

Weekly Tile

Each tile is a self-contained mini-summary of one week’s traffic.

Element	Meaning
Week label	Date range — same month: “Mar 17-23”; cross-month: “Mar 31 - Apr 6”
Current badge	Only on the in-progress week
Filter %	One-line text: “Filter: 12.4%” — the share of total packets the firewall stopped
Mini Sankey	Incoming → Accepted (green) and Incoming → Blocked (red); labels show the count and a `msg/s` rate
Avg Daily MACs	Average unique MAC addresses observed per day
Top Blocked	How many unique MACs were blocked during the week
Protocol Mix	A 40px donut showing the DHCPv4 vs DHCPv6 split, with “No data” when one is absent

The msg/s rate is computed against the actual observation period (snapshot creation time minus week start), so a current-week tile shows a meaningful per-second rate even if the week is only partially elapsed.

Click any tile to open the full detail view.

Clicking a tile opens a full-screen modal with the same week broken out by message type, plus a print button and a cross-week trend.

The modal title shows the date range and the filter percentage badge.

Print Report

The Print Report button opens a new browser window with a printable HTML report formatted for paper or PDF. The print version contains:

Heading — “Weekly System Report”, date range, generation timestamp.
Summary Statistics — six cards: Total Incoming, Total Accepted, Total Blocked, Filter %, Avg Daily MACs, Blocked MACs Count.
Protocol Mix — DHCPv4 vs DHCPv6 counts and percentages.
Traffic Flow by Message Type — full table with Accepted, Blocked, Total, and % of Total for every message type that had traffic, plus a row-summed TOTAL.
Week-over-Week Comparison — only when a previous week exists. Three cards showing absolute and percentage change for Total Incoming, Total Blocked, and Filter %.

The print stylesheet is plain and works straight to “Print to PDF” in any modern browser.

Section 1 — Traffic Flow by Message Type

A three-column Sankey diagram. Total Packets on the left, Accepted / Blocked in the middle, per-message-type on the right.

Every message type that had non-zero traffic in the week is rendered as its own column-3 node, with two ribbons feeding it (one green from Accepted, one red from Blocked). Hover any node for an exact count and a per-second rate; hover any ribbon for the source-to-target count and percentage of total weekly traffic.

The Sankey covers the full DHCP message catalog:

DHCPv4 — DISCOVER, OFFER, REQUEST, ACK, NAK, DECLINE, RELEASE, INFORM.
DHCPv6 — SOLICIT, ADVERTISE, REQUEST, REPLY, CONFIRM, RENEW, REBIND, RELEASE, DECLINE, RECONFIGURE, INFORMATION-REQUEST, RELAY-FORW, RELAY-REPL.

Empty message types are omitted, so the diagram stays compact on networks that use only a subset.

Section 2 — Filter Percentage Trend (Across Weeks)

A larger version of the sparkline above the tiles, with a highlight on the currently selected week.

This is where you spot the curve. A flat filter percentage week-over-week means a stable baseline. A climbing filter percentage indicates increasing pressure (attack traffic or policy tightening). A dropping filter percentage with rising Total Incoming is the worrying one — more traffic, less filtered.

Section 3 — Stats Row

Three single-number cards:

Total Packets — total DHCP packets the appliance saw during the week.
Total Blocked — the red number; the filter percentage is shown beneath it.
Observation Period — the week’s date range and “7-day window”.

Snapshot Fields, in Detail

Every number on a tile and in the detail view comes from one of these fields, computed once per snapshot run.

Field	Definition
Total Incoming	All DHCP packets the inspector saw during the week, regardless of verdict
Total Accepted	Packets that passed all inspector rules and the firewall — these reached the DHCP server (or its relay)
Total Blocked	Packets the firewall dropped, summed across every drop chain (rate-limit, block-set, deny-set, throttle)
Filter %	Total Blocked / Total Incoming, as a percentage
Avg Daily MACs	Sum of distinct MAC counts per day, divided by the number of days in the observation period
Top Blocked MACs Count	Number of distinct MACs that had any block action against them during the week
Per-message-type counts	One Accepted and one Blocked counter per DHCP message type, for both v4 and v6
Total v4 / v6 packets	Combined accepted+blocked counts split by protocol
Created at	When the snapshot itself was computed — used internally to derive the per-second rate for an in-progress current week

The detail view’s per-second msg/s rates are calculated as count divided by observation seconds. For completed weeks that is the full 7 × 86400 seconds. For the current week it is the seconds elapsed between week-start and the snapshot’s created_at, so an early-Monday tile shows a meaningful rate rather than dividing a tiny count by a full week.

Reading the Report

A few things to look at, in order of usefulness:

Filter % trend. Is it stable, climbing, or dropping? A sudden change usually correlates with something operationally meaningful — new automation rules, an attack, or a relay misconfiguration.
Avg Daily MACs. Did the population grow? A sudden jump in unique MAC count without a matching jump in IP assignments is a classic spoofing signature.
Top Blocked. Is the block count proportional to the traffic? Networks running with healthy automation hover around a steady block count week to week.
DHCPv6 share. If you operate dual-stack, watch for v6 traffic disappearing — that often means a relay or pool has failed quietly.
Per-message-type Sankey. Look for asymmetry: lots of DISCOVERs but few OFFERs, or REQUESTs without ACKs. The asymmetry tells you whether traffic is reaching the server or being stopped at the firewall.
Week-over-week comparison (print view). Compare absolute deltas, not just percentages — a 30% jump on a tiny base is noise; a 5% jump on a large base is real.

Tip. The weekly report is a “step back and look at the curve” tool. For per-device investigation use Device History (chapter 13) or Device Details (chapter 14). For minute-by-minute traffic, use the Dashboard (chapter 7).

States You Might See

Loading

A skeleton sparkline and four placeholder tiles while data fetches.

Empty

“No Analysis Snapshots”. This is normal on a fresh install for the first few minutes — snapshots are computed in the background. You can press Run Snapshot Now to force the current week to be computed.

Error

A red banner asking you to check the database connectivity and a retry button. Snapshots query the events table; if that is unreachable, the report is empty for the same reason your dashboards are.

Why a Deterministic Pipeline?

Earlier releases of this appliance shipped an LLM-based “strategic analysis” that wrote a free-text weekly summary. It was replaced because:

A free-text summary is hard to compare week-over-week.
The model would sometimes invent or omit numbers that did not match the database.
The audit and compliance value of a deterministic, reproducible report is higher than that of a natural-language one.

This page is the replacement. Per-device LLM verdicts still exist — see Device Analysis (chapter 17) — but the weekly view is purely numerical.

Dashboard (chapter 7) — live, minute-resolution traffic. The weekly report is the long-horizon companion to the dashboard.
Device Analysis (chapter 17) — per-device LLM verdicts (the surviving “analysis” surface).
Statistics (chapter 19) — ad-hoc reports over the same underlying data.
Anomaly Detection (chapter 24) — the LLM-driven anomaly loop.

Troubleshooting

“No Analysis Snapshots” on a system that has been running for weeks. The snapshot job didn’t fire, or its database query failed. Check Alarms (chapter 11) for any system:clickhouse:* alarms first. Then press Run Snapshot Now to force a recomputation.

The “Current” tile shows a much smaller number than I expected. The current-week tile reflects the partial week up to the most recent snapshot run, not a full 7-day projection. Press Run Snapshot Now to refresh it, or wait for the next scheduled run.

Filter percentage suddenly dropped to zero. Either the firewall stopped enforcing (check Firewall Manager (chapter 20)) or all your blocked-MAC sets expired and the offenders are now back. Compare against the Dashboard (chapter 7) Dropped Packets widgets to confirm which case you are in.

Print Report opens an empty window. Browser pop-up blockers will silently drop the new window. Allow pop-ups for this site and try again.