What steps can be taken to increase GlobalProtect performance due to increased number of connections?
Environment
-
Palo Alto Firewall
-
PAN-OS 8.1 and above
-
GlobalProtect configured
Answer
Due to the risk of COVID-19 (Coronavirus), Increased number of employees are working from home.
The huge increase in the number of GlobalProtect connections when the device is not configured to handle such connections can cause slowness or connections can fail.
Here are some of the steps that can be taken to mitigate the issue:
-
Block all the non work related traffic from clients by using security Policy and security profiles.
Example:
If GlobalProtect clients are configured to be in VPN zone. Any non essential traffic from VPN Zone to Internet can be blocked.
The main applications that can be blocked include streaming services such as Netflix.
-
GUI:
Objects
>
Applications
>
Characteristic
>
Excessive Bandwidth
=>
provides the information of applications using high bandwidth.
-
Use Split-tunnels if the Network security policy allows the same. This is only possible in tunnel mode. Refer Split tunnel configuration under
Configuring GlobalProtect Gateway
and
Optimized Split Tunneling for GlobalProtect
.
-
Remove Idle users
-
GUI:
Network
>
GlobalProtect
>
Portal
>
(portal name)
>
App
>
Preserve Tunnel on User Logoff Timeout
=> set the value to
0 (default)
. This is applicable only in 8.1 version and above.
-
GUI:
Network
>
GlobalProtect
>
Gateways
>
(gateway name)
>
Agent
>
Timeout Settings
>
Here Change the
Inactivity Logout
time and
Disconnect on Idle
time to acceptable values.
-
Disable the video traffic from the tunnel ( GUI:
Network
>
GlobalProtect
>
Gateways
>
(gateway name)
>
Agent
>
Video Traffic
> and enable the setting "
Exclude video traffic from the tunnel"
and add the videos to be excluded from the
Applications
menu.
Additional Information