Slow speed with GlobalProtect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Slow speed with GlobalProtect

L2 Linker
Hi to all,

We are trying to understand why the download speed is really slow vía GP.

We stablish a VPN GP with IPsec without Split Tunneling. We acces to some public web to download a test file. Im downloading a 1G file.

If we download without GP but through the Palo Alto we achieve 60MB/s, but vía GP we achieve maybe 6 or 10MB/s.

Any idea about that? Someona has experienced this issue? The differents shows issued don't present mss or mtu problems.

Thank you!
16 REPLIES 16

@HenriqueGurgel I think the slowdown issue is inherent in Palo Alto Networks GlobalProtect. I have used PAN GP for about 6 years now, across two different models (PA-500 and now PA-820) and the situation with the degraded download speed has always been the same. The firewall software and GP client version do not seem to matter. I've seen this same issue on PAN 6, 7, 8, and now 9 versions, and GP client 2, 3, 4, and now 5. We have a 1GB fiber line to the PA-820. We have people working remotely from customer offices, on all types of different connections (wired, wireless, 200mbps, 500mbps, 1gbps, it doesn't matter). Download tests will always report slow speeds (2-4mbps).

 

However, as was mentioned by another reply, when you look at the performance in aggregate, meaning across all remote users, the performance isn't as slow as 2-4mbps. I think part of the issue is the speedtests; I don't think they play well with IPsec VPN in general. However, I agree that other vendors' firewall VPNs (Cisco, SonicWall, etc.) do not seem to suffer from the same slowdowns. But remember also that you might have the threat stack enabled so the traffic has additional processing done on it. I realize Palo Alto Networks says that shouldn't slow down traffic below a certain amount, but here we are, all posting about slow PAN GP speeds.

 

Over the years, I've never bothered to open a support case to get the official answer, as the speed was always "good enough" to support our workloads. However, I would like to understand why this happens.

The best way to test true throughput is to download and run "openspeedtest" on a server on the same switch or local LAN with your firewall.  It will setup a speed test page on any server or workstation and the user just hits the start button.  That will give you actual speed between the client and local server cutting out all other delays.   The link below will take you to the windows version of the download page they also have versions for different operating systems.   We use this to test speed instead of IPERF3 now.  Works great and any user can figure it out.  

https://go.openspeedtest.com/Win

 

Stephen Swindall
  • 47002 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!