Skip to main content

Palo Alto VPN Speedtests

Palo Alto VPN Speedtests
Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto that state an IPsec VPN throughput of 50 Mbps, the results are really astonishing.

(This is one of many VPN tutorials on my blog. Have a look at this full list.).)

Lab

My lab consists of two PA-200 firewalls with PAN-OS 7.1.1 installed. They were plugged into a simple layer 2 switch. The two notebooks were booted with Knoppix 7.6.1 and used Iperf version 2.0.5.
Palo Alto VPN Speedtests Labor
I first tested the throughput with only routing and then built the VPN. After every test I changed the phase 2 parameters. The Iperf tests ran in both directions. Here are some configuration screenshots:
Of course I verified the correct IPsec algorithms after each change, such as here:

Test Results

Here are the results, each Tx/Rx in Mbps:
Palo Alto VPN SpeedtestsNo VPN TxNo VPN Rx3des-sha1-group2Tx3des-sha1-group2Rxaes128-sha1-group5 Txaes128-sha1-group5 Rxaes256-sha256-group14 Txaes256-sha256-group14 Rxaes256-sha512-g…aes256-sha512-g…02505007501000MBit/s
foobarNo VPN TxNo VPN Rx3des-sha1-group2 Tx3des-sha1-group2 Rxaes128-sha1-group5 Txaes128-sha1-group5 Rxaes256-sha256-group14 Txaes256-sha256-group14 Rxaes256-sha512-group20 Txaes256-sha512-group20 Rx
blubb937934198228215271205254212260
And the raw values:
  • Only routing: 937/934
  • esp-3des-sha1-group2-1h: 198/228
  • esp-aes128-sha1-group5-1h: 215/271
  • esp-aes256-sha256-group14-1h: 205/254
  • esp-aes256-sha512-group20-1h: 212/260
That is: All tests are around 200 Mbps. The Tx direction is always a bit slower, which might be a test failure. The AES algorithms are faster than the old 3DES cipher. This might be related to the fact that AES is made to be fast in software and in hardware.
Labels:

Comments

Post a Comment

Popular posts from this blog

CLI Commands for Troubleshooting FortiGate Firewalls

CLI Commands for Troubleshooting FortiGate Firewalls 2015-12-21 Fortinet , Memorandum , Network Cheat Sheet , CLI , FortiGate , Fortinet , Quick Reference , SCP , Troubleshooting Johannes Weber This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI . It is not complete nor very detailled, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details. These must only be used if there are really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time. Coming from Cisco, everything is “show”. With Fortinet you have the choice confusion between show | get | diagnose | execute . Not that easy to remember. It is “ get router info6 routing-table” to show the routing table but “ diagn...
Post a Comment
Read more

Check Throughput of Interfaces - Palo Alto Networks NGFW

Check Throughput of Interfaces - Palo Alto Networks NGFW Following command shows brief interface throughput. > show system statistics session To see the complete statistics, run the show system state browser command > show system state browser Press Shift+L and click on Ports To enable tracking and updates press Y and U To see additional ports, press space bar
Post a Comment
Read more

From MPLS to SD-WAN to SASE: An Evolution of Enterprise Networking

From MPLS to SD-WAN to SASE: An Evolution of Enterprise Networking The way we do business is changing. As critical business applications migrate to the cloud, and the mobile workforce continues to grow, networking and security solutions need to evolve in order to meet the changing business needs. Gartner believes (and we agree) that the future of networking lies with  SASE (Secure Access Service Edge)  – the convergence of networking and security into one cloud service. Here’s why. 1990s – 2000s: MPLS and the Era of Clear Network Boundaries? Back in the day, networking models were hardware-centric and manually configured. Applications, data, and services lived within private datacenters and relied on remote access solutions to connect remote workers. Dedicated network connectivity, known as MPLS, was the preferred approach for connecting remote locations. MPLS provides predictable performance, low latency and packet loss, and central management. However, MPLS is ...
Post a Comment
Read more