Skip to main content

FortiGate VPN Speedtests

Lab

My lab consists of the following components:
FortiGate VPN Speedtests Labor
Both FortiWiFi 90D firewalls had the firmware version v5.2.5, build701. The two notebooks were booted with Knoppix 7.6.1 and used Iperf version 2.0.5. The “left” machine ran as the server with either:
while the “right” machine started Iperf with the following commands for different TCP and UDP tests:

I tested the throughput without a VPN at all (only routing) and with a few different proposals (see table below). The Diffie-Hellman group for PFS was always set to 14. This is not related to the test results because it is only used for the key establishment and not for the actual symmetric encryption of the traffic.
I also switched the offloading of encryption to “enable” (refer to the Hardware Acceleration Guide), which did not change anything, either.

Furthermore, I tested the differences between a normal TCP test and the manual set of the TCP window size and buffer length with “-w 512k -l 512k”, such as shown here or here. But this made no differences, too, since Knoppix Linux seems to auto set the window size pretty optimal.

Results

These are the results. The first four tests are without a VPN. While the first two are without routing (simply plugged in both clients into the same software switch on the FortiGate), tests 3 & 4 are routed through the FortiGates. This was the first time at which I was really shocked about the bad performance of only 180 Mbit/s routing speed. Furthermore, almost all IPsec proposals ran at a speed of 86 MBit/s, which is only 9 % of the IPsec throughput listed in the data sheet.
ProposalsTCP
Tx/Rx
[MBit/s]
TCP
Tx/Rx
[MBit/s]
UDP
Tx/Rx
[MBit/s]
IPerf Options-r-r -P 8-u -r -b 1000M
Same Software Switch
H - FGSW - H
942/937941/936807/805
Same Software Switch
+ Hardware Switch
H - FGSW - SW - H
942/936941/936807/804
No VPN, only Routing
FortiGate directly
H - FG - FG - H
155/177151/168211/206
No VPN, only Routing
H - FG - SW - FG - H
155/177152/168211/210
DES-MD586/8683/8293/94
3DES-MD586/8683/8393/94
3DES-SHA186/8683/8395/94
AES128-SHA186/8683/8388/87
AES256-SHA25686/86122/13393/93
AES256-SHA51285/8580/8084/92

The software switch was the problem!

After hours of investigating the slow VPN speed results, I tested the VPN without the software switch on the network ports side, which led to the following results (first column with a “Hardware Switch”, second column with a single interface):
ProposalsHardware Switch
TCP
Tx/Rx
[MBit/s]
Single Interface
TCP
Tx/Rx
[MBit/s]
Iperf Options-r-r
No VPN, only Routing
H - FG - SW - FG - H
937/937933/932
DES-MD5852/840845/839
3DES-SHA1707/642701/634
AES128-SHA1825/835826/830
AES256-SHA1820/830816/825
AES256-SHA256723/819814/825
AES256-SHA512637/808812/810
Now the speed was quite acceptable, for the mere routing as well as for the VPN throughput. 940 MBit/s for routing through both FortiGate is almost realistic for TCP, and about 830 MBit/s for VPN encryption/decryption is realistic, too.
Here are the “single interface” results in a graph. Only the 3DES tests are a bit slower than all the other ones:

FortiGate VPN Speedtests Single InterfaceNo VPN TxNo VPN RxDES-MD5 TxDES-MD5 Rx3DES-SHA1 Tx3DES-SHA1 RxAES128-SHA1 TxAES128-SHA1 RxAES256-SHA1 TxAES256-SHA1 RxAES256-SHA256TxAES256-SHA256RxAES256-SHA512…AES256-SHA512…02505007501000MBit/s
Single InterfaceNo VPN TxNo VPN RxDES-MD5 TxDES-MD5 Rx3DES-SHA1 Tx3DES-SHA1 RxAES128-SHA1 TxAES128-SHA1 RxAES256-SHA1 TxAES256-SHA1 RxAES256-SHA256 TxAES256-SHA256 RxAES256-SHA512 TxAES256-SHA512 Rx
Single Interface933932845839701634826830816825814825812810

Conclusion

Well, it was my fault that I left the default software switch in place. I should have know better. However, it was the default setting on this FortiWiFi devices.

Comments

Popular posts from this blog

Checkpoint firewall common commands part 2

Checkpoint firewall common commands part 2 For basic firewall informaton gathering: fgate stat -Status and statistics of Flood-Gate-1. fwaccel <stat|stats|conns>  – View status, statistics or connection table of SecureXL. fw getifs -Show list of configured interfaces with IP and netmask. cpstat <app_flag> [-f flavour] -View OS, HW and CP application status. Issue cpstat without any options to see all possible application flags <app_flag> and corresponding flavours. Examples: cpstat fw -f policy – verbose policy info cpstat os -f cpu – CPU utilization statistics cpinfo -y all   -List all installed patches and hotfixes. cpd_sched_config print -Show task scheduled with CPD scheduler. enabled_blades -View enabled software blades avsu_client [-app <app>]   , get_version <app>  -Get signature version and status of content security .Without the -app option “Anti Virus” is used. show co...

Unable to Connect to Server Checkpoint R80

Unable to Connect to Server Checkpoint R80 Unable to Connect to Server A connection to the management server will fail if: A firewall between SmartConsole and the management server blocks Port 19009 -  port 19009 is used for a new R80 service. Allow traffic on this port for all clients and management servers. No GUI clients are assigned -  Open the Gaia Portal. If the First Time Configuration Wizard opens, complete it. If the First Time Configuration Wizard has already run, open  User Management > GUI Clients  and add a client. When using Multi-Domain Security Management, connect SmartConsole to the Multi-Domain Server and make sure the domains have GUI clients assigned to them. The required processes are not reachable -  Make sure the computer with SmartConsole installed can reach the IP address of the management server, and that these server processes are up and running: cpm fwm Operation time out  – Your connection ...

Configuring Proxy ARP for Manual NAT

Configuring Proxy ARP for Manual NAT Symptoms After creating a Manual Static NAT rule, Security Gateway does not answer the ARP Requests for the Static NATed IP address that was configured in the Manual NAT rule. Security Gateway replies to ARP requests with a wrong MAC address, mostly for the NAT traffic.  Introduction Let us consider the following scenario: Two networks ( Network_A  and  Network_B ) are separated by a Security Gateway (single Security Gateway or ClusterXL). On each network, there is a host ( Host_A  on  Network_A ,  Host_B  on  Network_B ). Let us assume, that  Network_A  represents the  Internal  network, and  Network_B  represents the  External  network. According to the existing standards, when  Host_B  needs to send data to  Host_A , an ARP Request for the MAC address of  Host_A  will be sent by  Host_B  to  Network...