Slow speed with GlobalProtect

Which model of firewall are you using?

Do you have threat profiles enabled for that traffic?

Each firewall model has a throughput limit based on the horsepower of the firewall. If you run traffic through the threat stack, it slows it down more. For example, I had a PA-500 and the max throughput is rated at 100mbps for traffic running through the threat stack. That equates to about 10/MB a second. Also, you have overhead from the IPSec encryption, that will slow down most traffic as well.

It is really the price you pay for security. Running traffic through the VPN and firewall means that additional overhead gets added on the traffic. Here are some ideas if you want:

- enable some routes in GP to exclude traffic to certain sites from the VPN

- If you have a GP portal license, you can turn on "exclude video" sites and it won't slow down video.

- create policies to disable the threat stack for certain type of traffic

I understand. The specs for your firewall are high enough. I was just relating my experience where traffic outside of the GP VPN was fast, but traffic over the VPN is slow. That seems to be a universal condition introduced by the overhead of the VPN encryption. That is what I meant by price of security; VPN traffic won't be as fast as regular firewall traffic in my experience. Maybe there is some setting that makes it faster, but I'd love to know that as well. So far across two different PA firewalls, VPN traffic is slower.

So as my recent efforts have lead me down this path, this is a very difficult question to answer.

When I first deployed GP using SSL only type tunnel on my 5220 (With decryption) I noticed a significant disparity in my speedtest results.  At home without GP I would get between 90-105Mbps.  With GP SSL type VPN tunnel I would get between 10-25Mbps.  I opened a few tickets with TAC and got various answers and "fixes."

The best fix I've since deployed is converting the tunnel type to allow IPSec VPN for clients. This setting got me to around 50-65Mbps on a speedtest.

In one of my tickets with TAC they modified the tunnel I use for VPN to a lower amount to account for the encryption overhead (something I hadn't done.)  There were varied settings here going down to 1424 down to as low as 1350 which is where I'm currently at.  This was done to help prevent fragmentation of the "transfer stream."  When this particular change was made I didn't really notice a significant change in throughput capacity.

In one of my tickets an engineer made a great observation, speed test sites aren't really a good measure of "throughput" or capacity while on VPN.  They have their own unique setup that doesn't necessarily jive well for a VPN client.

Your best bet is to use a site that tests as if you're transferring a file.  So in my case I feel getting 50-65Mbps via VPN w/o split-tunneling is more than enough.  

Here is a better site to use:  https://www.thinkbroadband.com/download 

If you're trying to do this on a PA-850 and expecting high throughput I wouldn't.  There are A LOT of factors that go into a devices performance specs.  

I'm assuming your box is doing more than just supporting this single user GP connection.  If your client is getting 48Mbps (6MB) of total potential capacity of 500Mbps, what other traffic is the box doing?

The testing you are doing is flawed, at least when compared with a full traffic test. The reason is based on the number of sessions and how they are handled within the dataplane of the firewall.

If you're using a single download from your browser, you are only using a single TCP connection to actually get the content. You'll have multiple connections when browsing the site, but that one object being downloaded is limited by many factors.

If you had 50 PCs downloading 50 different objects from different servers, then you'll have a much more accurate test. Sessions can be distributed across dataplanes and cores, for example.