What steps can be taken to increase GlobalProtect performance due to increased number of connections?
48654
Created On 03/14/20 02:45 AM - Last Modified 08/06/20 21:26 PM
Environment
- Palo Alto Firewall
- PAN-OS 8.1 and above
- GlobalProtect configured
Answer
Due to the risk of COVID-19 (Coronavirus), Increased number of employees are working from home.
The huge increase in the number of GlobalProtect connections when the device is not configured to handle such connections can cause slowness or connections can fail.
Here are some of the steps that can be taken to mitigate the issue:
- Block all the non work related traffic from clients by using security Policy and security profiles.
Example: If GlobalProtect clients are configured to be in VPN zone. Any non essential traffic from VPN Zone to Internet can be blocked.
The main applications that can be blocked include streaming services such as Netflix.
The main applications that can be blocked include streaming services such as Netflix.
- GUI: Objects > Applications > Characteristic > Excessive Bandwidth => provides the information of applications using high bandwidth.
- Use Split-tunnels if the Network security policy allows the same. This is only possible in tunnel mode. Refer Split tunnel configuration under Configuring GlobalProtect Gateway and Optimized Split Tunneling for GlobalProtect.
- Remove Idle users
- GUI: Network > GlobalProtect > Portal > (portal name) > App > Preserve Tunnel on User Logoff Timeout => set the value to 0 (default). This is applicable only in 8.1 version and above.
- GUI: Network > GlobalProtect > Gateways > (gateway name) > Agent > Timeout Settings > Here Change the Inactivity Logout time and Disconnect on Idle time to acceptable values.
- Disable the video traffic from the tunnel ( GUI: Network > GlobalProtect > Gateways > (gateway name) > Agent > Video Traffic > and enable the setting "Exclude video traffic from the tunnel" and add the videos to be excluded from the Applications menu.
Additional Information
- For a list of top trending content related to GP, please see the GlobalProtect Resource List on Configuring and Troubleshooting
- For an overview of GlobalProtect and other related features, please see the GlobalProtect datasheet
- To get an idea of max throughput by product, please see the Product Comparison tool