I am testing firewall analyzer using three cisco firewalls: a pix 506 running 6.3 code, a 515E running 7.2.2, and an ASA 5505 running 8.2.1.  On the 506 and ASA, hardly anything shows up as inbound, it almost all shows as outbound.  The 515E seems to be reporting correctly.  Here is a test I did using the 506: I connected to a remote site and uploaded approx. 200mb of data(just an http upload).  The additional data did show up on FA, but as received data, not sent.  I did see the correct source/dest.  The 515E is mostly serving hosted sites, where users would connect in and pull data.  Does FA have a hard time distinguishing data when it is pushed rather then pulled? 

 

I did add the intranet sites on all 3 firewalls to match internal networks.