- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN Speed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN Speed
Hello,
I was wondering what kind of speed / performance others are getting with the SSL VPN in tunnel mode.
I have a FortiGate 80C and a 10Mbps Internet connection.
I have been running some download speed tests. I' m downloading a folder containing 129 files with a grand total of 130 MB.
On a 4G WiFi (12,000 kbps), it takes 12 minutes to download which works out to 1,444 kbps.
On a Comcast line (14,000 kbps), it takes 9 minutes 30 seconds which works out to 1,824 kbps.
The 4G & Comcast speeds are based on speeds tests from DSL Reports. So even if you take those with a grain of salt, I still expect the download speed to closer match my slowest connection. At least on the Comcast line I would expect higher, double for example.
I talked to a Fortinet consultant at a trade show who said to check my CPU% because 80C' s vpn is totally software based and doesn' t have a special chip (n2p?) to accelerate VPN performance. So I did that and the CPU percentage number got more than 14%. He thought if the CPU was limiting, the % would jump to 100%.
What kind of file transfer speeds are others getting via SSL VPN? Or does anyone have any tips (other than lowering encryption) to get more speed out of it?
Thanks,
Jamie
- « Previous
-
- 1
- 2
- Next »
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The configuration of VPN policies may affect the throughput. You can try different cipher strength. And don' t enable any UTM features, such as IPS, AV.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cipher strength has a much smaller bearing on the bigger boxes. My 1000A didn' t see any difference between 3DES or AES.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both 3DES and AES are hardware accelerated. On low end models, you may not have new CP build-in. That should affect affect the performance, to some extent.
UTM features have much more effect on the throughput.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to match fortinet testing, than you might want find out what/how they test and via what protocol. TCP is not a protocol I would use for benchmarking encrypted fw performance btw
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This weekend I ran another test.
PC->WAN1->80C->Internal1->Gigabit Switch->Server
It still took me 3 minutes and 12 seconds. 5,400 Kbps which matched the traffice history graph. CPU was never above 15% and memory 31%.
Immediately after, I ran this test
PC->Gigabit Switch->Server
That took 7 seconds.
There is no UTM turned on anywhere. The encryption is default. But my speeds are a third of what Selective got with a 60C.
Anyone have any ideas of what else I should check? I don' t expect to hit 50 Mbps (spec) but I should be able to match/beat 15MBps (Selective' s 60C).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are all ports GBit?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vanc I checked the network utilization and it matched the speed I was getting. And I know it can handle higher speeds since it works fine on the LAN. Now I didn' t check CPU% but I would be shocked if my i7 (2nd Gen) 2.2 GHz quad core CPU was strained. But I will check that. Thanks for the info!
@rwpatterson Yes, with one exception. The server has two teamed Gigabit ports which are plugged into a Gigabit switch. The 80C is plugged into the same switch. Internal1 on a 80C is just a 10/100, hence the one exception. The WAN port is Gigabit. Finally, my laptop has a gigabit card.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The official spec for SSL VPN throughput is, unfortunately, the web portal speed. NOT the tunnel mode throughput.
My resource told me that tunnel mode speed depends on the PC side. PC' s CPU and network card may be different and it' s not possible to obtain a meaningful value.
You can check your PC' s CPU usage and see if there are bottlenecks somewhere.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- FortiGate FGT200F MTU 7.v7.4.3 build2573 (Feature) 115 Views
- FortiGate 30E Slow connection via NAT 344 Views
- Fortinet Firewall shows 100Mbps (100%) bandwidth... 471 Views
- IPv6, Central NAT, and SD-WAN and... 172 Views
- Traffic Shaping outbandwidth Speedtest 298 Views
Labels
-
FortiGate
6,687 -
FortiClient
1,331 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
343 -
FortiAP
340 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
59 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.