We have a large global network consisting of various FortiGate models. Most of what we have today are 80C and higher, but our new small office model is the 100E. Larger offices have 300Ds or 500Ds. Most devices currently run 5.4.5, but soon to be 5.4.8.
When it comes to VPN traffic, the main bandwidth consuming application is Windows file sharing (CIFS/SMB). When testing over tunnels that are 100Mbps fiber on each end, we can get max 20-25Mbps throughput. Yet, if we run an iPerf test, we get close to 50Mbps. We are using AES256/SHA256 encryption. We've tried with/without NPU off-loading, with/without UTM (IPS & AV), and the 20-25Mbps is the best scenario.
I see posts from other companies who are having this problem (examples below). Has anyone had a similar issue and been able to find ways to improve performance?
https://forum.fortinet.com/tm.aspx?m=144639
https://forum.fortinet.com/tm.aspx?m=143253
(this is for SSL VPN, which we also use on a 300D and have poor performance on as well)
One thing for sure is that NPU on or off affects the numbers you see in the iperf test. As long as NPU offload is on, the level of encryption wouldn't change much, because that part is processed by the NPU chip.
When picking one pair of locations, did you compare iperf test results over the tunnel and outside of the tunnel (public IP to public IP) to have the base number for the internet path, which dictates the overall performance in our test experiences?
SSL VPN must be quite different because it goes through TCP and application layer on the client devices, instead of just L3. We don't have any comprehensive test done so far.
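The inside/outside-tunnel baseline suggested above, as an added worked example (not code from this thread or from Fortinet): it reads two iperf3 `-J` reports, splits the gap between link speed and in-tunnel goodput into the part lost on the plain internet path and the part lost inside the tunnel, and compares that with the header/padding cost ESP itself imposes. It assumes iperf3's JSON layout (`end.sum_received.bits_per_second`, `end.sum_sent.retransmits`) and ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA-256-128, which matches the AES256/SHA256 setting in the question; the sample reports are constructed numbers.

```python
import json

# Constructed iperf3 "-J" style TCP reports (sample values, not real
# measurements); only the fields read below are included.
OVER_TUNNEL = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 49.6e6, "retransmits": 131},
    "sum_received": {"bits_per_second": 49.0e6}}})
OUTSIDE_TUNNEL = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 94.5e6, "retransmits": 4},
    "sum_received": {"bits_per_second": 94.0e6}}})

def iperf3_mbps(report_json):
    """Receiver-side goodput in Mbit/s from an iperf3 JSON TCP report."""
    return json.loads(report_json)["end"]["sum_received"]["bits_per_second"] / 1e6

def iperf3_retransmits(report_json):
    """Sender-side TCP retransmits; a jump inside the tunnel hints at MTU/PMTU trouble."""
    return json.loads(report_json)["end"]["sum_sent"].get("retransmits", 0)

def esp_wire_len(inner_len, block=16, iv=16, icv=16, esp_hdr=8, outer_ip=20):
    """Bytes on the wire for one inner IPv4 packet in ESP tunnel mode with
    AES-CBC (16-byte IV and block) and HMAC-SHA-256-128 (16-byte ICV)."""
    pad = (-(inner_len + 2)) % block      # pad so payload + 2-byte trailer fills a block
    return outer_ip + esp_hdr + iv + inner_len + pad + 2 + icv

def attribute_loss(tunnel_json, outside_json, link_mbps, floor=0.8):
    """Decide whether the internet path or the tunnel itself eats the bandwidth."""
    tunnel, outside = iperf3_mbps(tunnel_json), iperf3_mbps(outside_json)
    path_eff = outside / link_mbps          # what the bare internet path delivers
    tunnel_eff = tunnel / outside           # what the tunnel keeps of that
    crypto_eff = 1400 / esp_wire_len(1400)  # encapsulation cost alone, ~0.95 for 1400-byte packets
    if tunnel_eff < floor:
        verdict = "tunnel"   # far beyond ESP overhead: look at MTU, NPU, CPU load, UTM
    elif path_eff < floor:
        verdict = "path"     # tunnel is fine; the underlying internet path is the limit
    else:
        verdict = "none"
    return {"tunnel_mbps": tunnel, "outside_mbps": outside,
            "path_efficiency": round(path_eff, 3),
            "tunnel_efficiency": round(tunnel_eff, 3),
            "esp_overhead_max": round(1 - crypto_eff, 3),
            "retransmit_delta": iperf3_retransmits(tunnel_json) - iperf3_retransmits(outside_json),
            "verdict": verdict}

if __name__ == "__main__":
    print(attribute_loss(OVER_TUNNEL, OUTSIDE_TUNNEL, link_mbps=100.0))
```

With the constructed numbers the tunnel keeps only about half of what the bare path delivers, while ESP encapsulation accounts for under 5%, so the cipher itself is not the explanation.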
When UTM is enabled along with encryption, the CP would engage to improve performance if it (the CP) is available.
Please check the inspection mode of your UTM profile first. Then check "diag test app ipsmonitor xx" for N-Turbo acceleration.
Some thoughts on this:
- CIFS is not AV scanned until FOS v6.0, so you can safely not apply AV to this kind of traffic. You can easily separate CIFS out through different policies. IPS might be a good idea though.
- 50% throughput in comparison to other TCP file transfer protocols is not a surprise for the CIFS protocol.
- offloading to NPU would not primarily affect throughput but CPU load. As soon as the CPU load gets too high, throughput will suffer. So to see an effect of this you need to plan the setup carefully.