Slow speed with GlobalProtect

L2 Linker

Thank you for your response. Im try to explain better the scenario.

1st Test. One computer behind the firewall (Site A) downloading a file from I achieve acceptable speed. Im the only one using the firewall, no security profiles attached to the rule.

2n Test. From a computer in a remote site (Site B) and download the same file, I achieve better results due to the best line in Site B.

3rd Test From Site B establish a GP IPsec to Site A without Split tunneling, so all traffic crosses the FW. I go to the same Site and download the same file, the download speed dramatically slowdown.

In 2nd and 3rd scenario I'm the only one crossing the FW.

L7 Applicator

In all three scenarios, you're still using a single download. There are bottlenecks that can be associated with a single session (and even more when it comes to IPSec). Things like encapsulation/decapsulation and how it is split across multiple cores, and a whole host of things.


The datasheet numbers are for scale, not for individual downloads from a single client. 


I don't want to come across as harsh, I just can't think of a better way to say it. A single download is VASTLY different than real clients connecting and doing regular work.


If you insist on using this type of flawed testing, at the very least try doing several downloads at the same time from different sites on that test client at site B. At least then you'll be using multiple sessions to fill the tunnel better.

L2 Linker

Hi Gwesson,

Thank you for your words,

I understand how It works, thank you for your explanation.
But the fact is that the test that I am doing is the way of working that our customer has.
Workers in remote sites download files via HTTP and via FTP through Global Protect and L2L VPN and it is difficult to download the same file in múltiple parts as you are suggesting.

I am just surprised by the degradation of speed in a device with these characteristics, when the current equipment, much more older (ASA FW) and through VPN supports speeds by far much better doing the same.

Appreciate for your help,

Thank you,
L1 Bithead

Hello @nanukanu I hope you did find a solution for your issue 

I'm facing the same issue using PA-200  but the Upload is quite good  but the download traffic is slowing down (from 30 Mbps to 2Mbps).

SpeedTest Without Firewall 30 Mbps

SpeedTest with Firewall PA-200 2Mbps 


L0 Member

Hi @Adam42 ,

I am facing a very similar issue as you are.

Please could you tell which version of the firewall and the global protect you are using. I am suspecting of some version bug and I would like to know if you the version you are using is the same I am.


L1 Bithead

@HenriqueGurgel I think the slowdown issue is inherent in Palo Alto Networks GlobalProtect. I have used PAN GP for about 6 years now, across two different models (PA-500 and now PA-820) and the situation with the degraded download speed has always been the same. The firewall software and GP client version do not seem to matter. I've seen this same issue on PAN 6, 7, 8, and now 9 versions, and GP client 2, 3, 4, and now 5. We have a 1GB fiber line to the PA-820. We have people working remotely from customer offices, on all types of different connections (wired, wireless, 200mbps, 500mbps, 1gbps, it doesn't matter). Download tests will always report slow speeds (2-4mbps).


However, as was mentioned by another reply, when you look at the performance in aggregate, meaning across all remote users, the performance isn't as slow as 2-4mbps. I think part of the issue is the speedtests; I don't think they play well with IPsec VPN in general. However, I agree that other vendors' firewall VPNs (Cisco, SonicWall, etc.) do not seem to suffer from the same slowdowns. But remember also that you might have the threat stack enabled so the traffic has additional processing done on it. I realize Palo Alto Networks says that shouldn't slow down traffic below a certain amount, but here we are, all posting about slow PAN GP speeds.


Over the years, I've never bothered to open a support case to get the official answer, as the speed was always "good enough" to support our workloads. However, I would like to understand why this happens.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!