FortiGate
Gab_FTNT
Staff
Article Id 285823
Description This article describes a method to bypass SSLVPN or IPsec dial-up for bandwidth verification using IPerf.
Scope All FortiGate firmware.
Solution

The main goal of this test is to help identify and narrow down where a bandwidth issue lies. By running an IPerf test without passing through SSLVPN or IPsec dial-up, it is possible to confirm whether the issue is related to the VPN or comes from another source.

Requirements.

It is first necessary to have IPerf installed on a host sitting outside of the network and on another one sitting internally.

IPerf is available to download at this external link: https://iperf.fr/iperf-download.php

VIP configuration.

Go to Policy & Objects -> Virtual IPs -> Create New.

Interface: Select which WAN interface traffic will be coming from.
External IP address/range: The public IP of the WAN interface.
IPv4 address/range: The private IP of the internal host running IPerf.
Port Forwarding: Since IPerf uses port 5201 by default, the External service port can be set to 5201 as well as the Map to IPv4 Port.


Policy.

Create a policy to allow traffic from WAN to LAN with the destination VIP previously created.

Incoming Interface: The WAN interface traffic is coming from.
Outgoing Interface: The LAN interface on which the internal host is located.
Source: Can be the public IP of the host sitting outside or ALL.
Destination: The VIP previously created.
Service: Can be 'all' or a custom service specifying port 5201.
Action: Accept.
NAT: Enable.


IPerf Test.

Starting on the internal host: open CMD, go to the IPerf folder and run IPerf as a server. In this example, IPerf is located on the desktop.

 

cd Desktop
cd iperf
iperf3 -s


Now, open CMD on the external host. Navigate to the IPerf folder and run IPerf as a client.
In this example, IPerf is located on the desktop.

 

cd Desktop
cd iperf

iperf3 -c 10.9.11.15 <- This command is for testing upload speed.
or
iperf3 -c 10.9.11.15 -R <- This command is for testing download speed.

 


After testing the download and upload bandwidth, compare the speeds obtained with and without SSLVPN or IPsec. Make sure to remove the policy and VIP configuration once testing is finished.
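
The VIP, policy and removal steps above in FortiOS CLI form, as an added example that is not part of the original article. All object names, interface names and addresses (wan1, internal, 203.0.113.10, 192.168.1.50, 198.51.100.20) and the <policy-id> placeholder are assumptions; the source is limited to the external test host and the service to TCP 5201, the narrower of the options listed above. Lines starting with # are annotations.

```fortios
# Constructed values: wan1/internal interfaces, 203.0.113.10 (WAN public IP),
# 192.168.1.50 (internal IPerf server), 198.51.100.20 (external IPerf client).
config firewall address
    edit "iperf-ext-client"
        set subnet 198.51.100.20 255.255.255.255
    next
end
config firewall service custom
    edit "iperf3-5201"
        set tcp-portrange 5201
    next
end
config firewall vip
    edit "iperf-test-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.50"
        set portforward enable
        set protocol tcp
        set extport 5201
        set mappedport 5201
    next
end
config firewall policy
    edit 0
        set name "iperf-test-temp"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "iperf-ext-client"
        set dstaddr "iperf-test-vip"
        set schedule "always"
        set service "iperf3-5201"
        set action accept
        set nat enable
    next
end

# After the test: delete the policy first, since it references the VIP.
config firewall policy
    delete <policy-id>
end
config firewall vip
    delete "iperf-test-vip"
end
```

The address and custom service objects created for the test can be deleted the same way once the policy no longer references them.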

For more information or if any problem occurs, contact Fortinet Support.
