Slow iPerf (and general traffic) through firewall
Before I start, I want to clarify that the remote iPerf server I’m testing against is on a 10Gbps link.
I have a Fortigate 61F with the wan2 interface connected to a 1Gbps (synchronous) Internet connection. If I run an iPerf test from that interface, I can achieve ~740Mbps. However, if I run the same test from a machine on the inside of the firewall, I can never get past 300Mbps.
I'm not using a VPN tunnel, I don’t have any strange routing (no PBR), and I don’t even run a routing protocol, just a single static default route. There is no traffic-shaping, and I did not create any software switches. I have a single physical interface connected to a Cisco switch (no errors on the ports), and it’s configured for VLAN trunking.
I thought maybe the outbound policy might be slowing it down, so I’ve removed all UTM features, set the SSL inspection to “no-inspection”, and even disabled traffic logging, but it doesn’t make the slightest difference.
config firewall policy
    edit 2
        set name "outbound default"
        set uuid 31503162-25f6-51eb-f268-20a2aadc8c96
        set srcintf "Servers" "Workstations" "Lab-1"
        set dstintf "Outside"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set logtraffic-start enable
    next
I’m not sure where to start looking next so any suggestions would be appreciated!
May I ask why you never spoke to support? You could very possibly have a hardware issue on that device, as everything you've mentioned in this thread points to no real explanation as to why you aren't seeing faster speeds. It might be something that requires RMA.
Yes. I would like to refer you to the small amount of tickets that I've opened since owning the device. Not very many of them have been solved by contacting support. Generally, they are set to "Other", "Problem solved by Customer", and one of them they couldn't even figure out (they set the resolution to "Out of scope").
I could definitely go on about the "difficulties" with the Fortigate, but I want to be very careful as to not turn this into a bashing thread. They aren't the worst firewall in the world but I, like many others, feel there are better players out there.
Well it's unfortunate you didn't follow up with those tickets if they weren't handled to your satisfaction. Escalations are definitely possible. You have the ability to request escalation any time. If you still do not get satisfactory responses your account team can go to bat for you and escalate internally.
I would still highly recommend you open a ticket. And knowing what you know now, feel free to escalate if you're not getting the response you need.
And please feel free to share your other difficulties. It's good for others to hear about them absolutely. And who knows, you might learn something as well if you never got a resolution to the problems in the first place. Might be best to open it as a separate topic in case it gets buried but I'd be all for sharing them either way.