- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Palo Alto Networks understands that with an increased remote workforce, there is the possibility of performance issues in your network with GlobalProtect. Here is some great information on how to troubleshoot performance related to GlobalProtect.
First of all, please bear in mind that SSL VPN is not designed to be efficient (it is best effort and not designed for high throughput) mostly because it's TCP-based (TCP inside of TCP). What that means is that the GlobalProtect (GP) client and/or firewall doesn't have control over the underlying TCP layer (error detection, flow control, congestion control), which is slowing down the throughput. That is the main reason why we would recommend, if you're experiencing slow throughput (when using SSL), to migrate to IPsec whenever possible.
Below are a few ideas/suggestions/limitations regarding this topic.
It is expected for the throughput to be slower when the GlobalProtect client is being used as opposed to non-VPN or direct connection. There are several reasons for that:
It will be difficult to give numbers on the expected throughput difference between GlobalProtect client versus non-GlobalProtect client scenarios. The primary reason is that the throughput depends on several factors and each setup is different.
Performance related issues are not easy to troubleshoot. In other words, the throughput depends on several factors.
With or without VPN client, you will have different download speeds measured if you try to download the same file multiple times. The network path (between client and server) usually passes several devices and links, and the conditions are changing dynamically (CPU/link utilization, load, buffers, and so on).
Always try to collect a minimum of two sets of data for "low throughput" and "high throughput" scenario, so you have a baseline that you can use to compare. Always clarify which protocols are used (smb, http, ftp, etc.), location of the clients/servers, and Internet link speeds. Again, low/high throughput scenarios could also mean using two different protocols, such as smb and ftp (please bear in mind that smb is known to have the worst performance).
Of course, you'll need to use the same infrastructure for both tests. Otherwise, you don't have valid data for comparison. It would be great if we can have tests for two different protocols (like http and smb transfer) in two different scenarios. For example, http download with or without GlobalProtect, and the same for SMB.
Please note that firewall debugs and captures are affecting the firewall's load and can have negative impact on the actual throughput and test results. Although it sounds contradictory, debugs can sometimes even improve throughput, but we are talking about corner case scenario.
Don't rely solely on speedtest.net and don't forget to check trivial issues such as interface speed/duplex mismatch.
1. In case of GlobalProtect client, please collect packet captures on the client side (both physical and virtual adapter) and packet captures on the server side.
2. If possible, it would be ideal to have external packet captures before and after the firewall. If it's not possible, then collect the files on the firewall. Although the firewall can do packet captures, these are not 100% reliable (considered debugging feature):
If you are troubleshooting latency or "packets out-of-order" type of issues, external packet capture is mandatory (external packet capture means before and after the firewall without intermediate devices, otherwise, there's no way to know if the problem is on the firewall side or somewhere within the routing or switching infrastructure).
As always, when it comes to packet processing, don't forget to collect:
Palo Alto Networks Firewall Session Overview
How to check global counters for a specific source and destination IP address
How to Generate and Upload a Tech Support File Using the WebGUI and CLI
Thanks for taking time to read the blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Kiwi out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
4 Likes | |
3 Likes | |
3 Likes | |
2 Likes | |
2 Likes |
User | Likes Count |
---|---|
11 | |
4 | |
3 | |
2 | |
2 |