Palo Alto VPN Speedtests

Once more some throughput tests, this time for the site-to-site IPsec VPN of the Palo Alto Networks firewalls. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and measured the bandwidth with different IPsec phase 2 proposals. Compared to the official Palo Alto data sheet, which states an IPsec VPN throughput of 50 Mbps, the results are really astonishing.

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

Lab

My lab consists of two PA-200 firewalls running PAN-OS 7.1.1, plugged into a simple layer 2 switch. The two notebooks were booted with Knoppix 7.6.1 and ran iperf version 2.0.5.

[Figure: Palo Alto VPN Speedtests lab topology]

I first tested the throughput with plain routing only and then built the VPN. After every test I changed the phase 2 parameters (cipher, hash and DH group of the IPsec crypto profile). The iperf tests ran in both directions. Here are some configuration screenshots:

Of course I verified after each change that the tunnel had actually negotiated the intended IPsec algorithms (on the PAN-OS CLI: show vpn ipsec-sa), such as here:


Test Results

Here are the results, each Tx/Rx in Mbps:

And the raw values:

  • Only routing: 937/934
  • esp-3des-sha1-group2-1h: 198/228
  • esp-aes128-sha1-group5-1h: 215/271
  • esp-aes256-sha256-group14-1h: 205/254
  • esp-aes256-sha512-group20-1h: 212/260

That is: all IPsec tests land between roughly 200 and 270 Mbps. The Tx direction is consistently a bit slower than Rx, which might be a test artifact. The AES proposals are faster than the old 3DES cipher, which is plausible: AES was designed to be fast in both software and hardware, whereas 3DES runs the DES round function three times per block. The DH group, on the other hand, only matters when the phase 2 SA is (re)established, not per packet, so it is no surprise that group 2, 5, 14 and 20 make no visible difference here.
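To make the procedure from the lab section repeatable (one iperf run per direction per proposal, then the comparison above against the routing-only baseline), here is an added Python example; it is not the author's tooling. It parses the client output of iperf 2.0.x, uses the [SUM] line when -P was given, and reports each proposal's Tx/Rx throughput as a share of the baseline. The embedded iperf outputs are constructed to reproduce the figures listed above; the IP addresses, port and byte counts in them are hypothetical.

```python
"""Added example, not the author's tooling: collect iperf 2.0.x results per
IPsec proposal and compare them with the routing-only baseline.

Assumptions (mine, not the post's): one iperf client run per direction,
captured as text; when -P was used the [SUM] line is the figure of interest."""
import re

# One iperf 2 bandwidth line, e.g. "[  3]  0.0-10.0 sec  1.09 GBytes   937 Mbits/sec"
# or the aggregate "[SUM]  0.0-10.0 sec   238 MBytes   200 Mbits/sec" printed with -P.
_BW_LINE = re.compile(
    r"^\[\s*(?P<id>\d+|SUM)\]\s+"
    r"(?P<start>[\d.]+)-\s*(?P<end>[\d.]+)\s+sec\s+"
    r"[\d.]+\s+[KMG]?Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec"
)
_TO_MBPS = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}


def parse_iperf_mbps(output: str) -> float:
    """Return the whole-run bandwidth in Mbit/s from one iperf 2 client run.

    Only lines whose interval starts at 0.0 count (with -i the per-second
    lines are skipped in favour of the final summary); among those covering
    the longest interval, a [SUM] line beats the per-stream lines."""
    candidates = []
    for line in output.splitlines():
        m = _BW_LINE.match(line.strip())
        if m and float(m["start"]) == 0.0:
            mbps = float(m["rate"]) * _TO_MBPS[m["unit"]]
            candidates.append((float(m["end"]), m["id"] == "SUM", mbps))
    if not candidates:
        raise ValueError("no iperf bandwidth line found")
    # (end, is_sum, mbps): longest interval last, [SUM] sorted after streams
    candidates.sort(key=lambda c: c[:2])
    return candidates[-1][2]


def compare_to_baseline(baseline, runs):
    """`baseline` and each value of `runs` are (tx_output, rx_output) pairs of
    captured iperf text.  Returns per proposal the Mbit/s in each direction and
    the share of the routing-only throughput that survives the tunnel."""
    base_tx, base_rx = (parse_iperf_mbps(o) for o in baseline)
    report = {}
    for name, (tx_out, rx_out) in runs.items():
        tx, rx = parse_iperf_mbps(tx_out), parse_iperf_mbps(rx_out)
        report[name] = {
            "tx_mbps": tx,
            "rx_mbps": rx,
            "tx_pct_of_baseline": round(100 * tx / base_tx, 1),
            "rx_pct_of_baseline": round(100 * rx / base_rx, 1),
            "tx_slower_than_rx": tx < rx,
        }
    return report


def _iperf_output(transfer: str, rate: str) -> str:
    """Constructed iperf 2.0.5 client output: addresses, port and transfer
    sizes are hypothetical, the rates are the ones reported in the post."""
    return (
        "------------------------------------------------------------\n"
        "Client connecting to 192.168.2.10, TCP port 5001\n"
        "TCP window size: 85.0 KByte (default)\n"
        "------------------------------------------------------------\n"
        "[  3] local 192.168.1.10 port 48500 connected with 192.168.2.10 port 5001\n"
        "[ ID] Interval       Transfer     Bandwidth\n"
        f"[  3]  0.0-10.0 sec  {transfer}  {rate}\n"
    )


# (Tx, Rx) captures: routing only, then the four phase 2 proposals from the post.
BASELINE = (_iperf_output("1.09 GBytes", "937 Mbits/sec"),
            _iperf_output("1.09 GBytes", "934 Mbits/sec"))
RUNS = {
    "esp-3des-sha1-group2-1h": (_iperf_output("236 MBytes", "198 Mbits/sec"),
                                _iperf_output("272 MBytes", "228 Mbits/sec")),
    "esp-aes128-sha1-group5-1h": (_iperf_output("256 MBytes", "215 Mbits/sec"),
                                  _iperf_output("323 MBytes", "271 Mbits/sec")),
    "esp-aes256-sha256-group14-1h": (_iperf_output("244 MBytes", "205 Mbits/sec"),
                                     _iperf_output("303 MBytes", "254 Mbits/sec")),
    "esp-aes256-sha512-group20-1h": (_iperf_output("253 MBytes", "212 Mbits/sec"),
                                     _iperf_output("310 MBytes", "260 Mbits/sec")),
}


if __name__ == "__main__":
    for name, r in compare_to_baseline(BASELINE, RUNS).items():
        print(f"{name:<30} Tx {r['tx_mbps']:5.0f} ({r['tx_pct_of_baseline']:4.1f}%)  "
              f"Rx {r['rx_mbps']:5.0f} ({r['rx_pct_of_baseline']:4.1f}%)")
```

In practice you would replace the constructed strings with the captured stdout of `iperf -c <peer>` run from each notebook in turn. The script deliberately takes the summary line covering the whole run and prefers [SUM], so it also works for the multi-stream (`-P`) and interval (`-i`) variants the commenter below asks about.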

Conclusion

Wow, these are really high values. The data sheet talks about 50 Mbps, even for the bigger PA-500 firewall. I don't know why, but my test results are four times greater than the official figures. Ok, I can live with that. ;)

Featured image “Mehrhoog ICE3m 4652 als trein 125 Frankfurt Main” by Rob Dammers is licensed under CC BY 2.0.

One thought on “Palo Alto VPN Speedtests”

  1. Since the PA-200 lacks hardware offloading (all management plane stuff is put into one x86 core and all dataplane stuff is put into the other x86 core) – do you have any possibility to redo the test with any of the hardware-based platforms from Palo Alto Networks such as the PA-3000, PA-5000 or even PA-7000 series?

    I'm sure Palo Alto Networks would happily provide you with demo units.

    Also, running the iperf tests, it would be interesting to see if there is any difference between TCP and UDP, but also 1 stream vs multiple streams (let's say 8 or so)?
