Performance Analysis
The PA-2020’s architecture fundamentally limits remote access performance. GlobalProtect uses a hub-and-spoke model in which all VPN traffic must pass through the PA-2020 firewall in Honolulu, even when the user and the resource are both outside Hawaii. NetBird’s peer-to-peer mesh eliminates this bottleneck by connecting users directly to the routing peer at the site hosting the resource. One caveat applies to every scenario below: the direct-path figures assume NetBird’s NAT traversal (STUN/ICE hole punching) succeeds between the two peers; when it does not, NetBird falls back to a relay and the path is no longer direct.
PA-2020 Hardware Limits (from Palo Alto datasheet)
| Metric | PA-2020 Specification |
|---|---|
| Firewall throughput (App-ID) | 500 Mbps |
| IPsec VPN throughput | 200 Mbps (shared across ALL users) |
| Threat prevention throughput | 200 Mbps |
| Max concurrent SSL VPN users | 500 |
| Max sessions | 125,000 |
The 200 Mbps VPN ceiling is the total aggregate for every connected user. With 10 concurrent VPN sessions, each user gets a theoretical maximum of ~20 Mbps — before accounting for encryption overhead, App-ID inspection, and internet uplink constraints.
WireGuard vs IPsec Protocol Performance
| Metric | IPsec (PA-2020) | WireGuard (NetBird) | Source |
|---|---|---|---|
| Throughput | Baseline | ~15% higher | WireGuard performance study |
| Latency | Baseline | ~20% lower | WireGuard performance study |
| CPU overhead | High (2010-era appliance CPU) | Low (kernel module where available, userspace wireguard-go elsewhere, on modern CPUs) | arxiv.org/pdf/2512.10135 |
| Codebase | ~100,000+ lines | ~4,000 lines | WireGuard whitepaper |
Scenario 1: Remote Worker in Hawaii to SMB File Share in Boulder
Use case: An engineer working from home in Honolulu needs to access a project folder on a Boulder file server (10.15.0.x).
| Hop | GlobalProtect Path (hairpin) | NetBird Path (direct) |
|---|---|---|
| 1 | User (Honolulu home) | User (Honolulu home) |
| 2 | Internet (user’s home ISP) | Internet (user’s home ISP) |
| 3 | PA-2020 (Honolulu office, 98.147.1.83) | WireGuard P2P tunnel (direct to Boulder) |
| 4 | VPN decrypt, re-encrypt for site-to-site | Netgate 6100 routing peer (10.15.0.254) |
| 5 | Site-to-site IPsec tunnel (Hawaii to Colorado) | File server (10.15.0.x) |
| 6 | Comcast Boulder (50.198.217.249) | — |
| 7 | Netgate 6100, File server (10.15.0.x) | — |
| 8 | Entire path in reverse for response | — |
| Factor | GlobalProtect | NetBird | Improvement |
|---|---|---|---|
| Network hops | User -> Hawaii -> Boulder -> Hawaii -> User | User -> Boulder -> User | Eliminates hairpin |
| Round-trip latency | Direct RTT plus the local hop to the PA-2020 and two decrypt/re-encrypt stages (the Pacific is crossed once each way on both paths, so this is not a second ocean crossing) | ~70-90ms (direct) | Modest; the appliance processing is the only extra delay |
| VPN throughput limit | 200 Mbps shared (PA-2020 ceiling) | Line speed (ISP-limited) | No appliance bottleneck |
| Estimated per-user SMB | 10-30 Mbps | 50-200 Mbps | 3-6x faster |
| 100MB CAD file transfer | ~30-80 seconds | ~4-16 seconds | 4-5x faster |
Why SMB is especially affected: SMB is a chatty protocol; each file operation takes multiple round trips (open, read, acknowledge, read, acknowledge…). A single flow can only have so much data outstanding per round trip, so its throughput falls in inverse proportion to RTT. The formula is roughly: Effective throughput = Window size / RTT, where the window is the TCP receive window or, for SMB2/3, the outstanding credits times the request size, whichever is smaller. Halving the RTT therefore roughly doubles single-flow SMB throughput. For a Hawaii-based user that RTT gain is small, because both paths cross the Pacific once each way; what the hairpin costs this user is mainly the PA-2020’s shared 200 Mbps encryption ceiling. For a mainland user (Scenario 2) the hairpin does roughly double the RTT, and both penalties apply.
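To make the three bounds concrete, here is an added example (not part of the original analysis) that carries Window size / RTT through alongside the two other caps discussed on this page: the PA-2020’s aggregate IPsec ceiling divided among concurrent VPN users, and the user’s own uplink. It reports which cap binds for each path. The 1 MiB in-flight window, the 100 Mbps home uplink and the 10 concurrent sessions are assumptions chosen for illustration; the 200 Mbps ceiling and the 100 MB file come from the tables above.

```python
"""Single-flow throughput model for the SMB scenario (added example).

Three caps limit one user's flow: the window/RTT bound the text gives,
the PA-2020's IPsec ceiling divided among concurrent VPN users, and the
user's own uplink. The functions return the tightest cap and which one
it is, so the two paths can be compared on the same footing.
"""
from typing import Dict, Optional, Tuple


def window_bound_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Throughput of one flow that can keep window_bytes in flight per RTT."""
    return window_bytes * 8 / (rtt_ms / 1000.0) / 1e6


def per_user_bound(window_bytes: int, rtt_ms: float, concurrent_users: int = 1,
                   appliance_mbps: Optional[float] = None,
                   uplink_mbps: Optional[float] = None) -> Tuple[float, str]:
    """Return (mbps, limiting_factor) for a single user's flow."""
    bounds: Dict[str, float] = {"window/RTT": window_bound_mbps(window_bytes, rtt_ms)}
    if appliance_mbps is not None:
        # The 200 Mbps IPsec figure is aggregate; each session gets a share.
        bounds["appliance share"] = appliance_mbps / max(concurrent_users, 1)
    if uplink_mbps is not None:
        bounds["uplink"] = float(uplink_mbps)
    factor = min(bounds, key=bounds.get)
    return bounds[factor], factor


def transfer_seconds(size_mb: float, mbps: float) -> float:
    """Seconds to move size_mb megabytes at mbps megabits per second."""
    return size_mb * 8 / mbps


def compare_paths(rtt_hairpin_ms: float, rtt_direct_ms: float,
                  window_bytes: int = 1 << 20, concurrent_users: int = 10,
                  appliance_mbps: float = 200.0, uplink_mbps: float = 100.0,
                  file_mb: float = 100.0) -> Dict[str, Tuple[float, str, float]]:
    """Per-user Mbps, binding factor and file transfer time for both paths.

    Assumptions (not from the page): a 1 MiB in-flight window, a 100 Mbps
    uplink and 10 concurrent VPN sessions. The hairpin path carries the
    shared appliance ceiling; the direct path has no appliance in it.
    """
    gp_mbps, gp_factor = per_user_bound(window_bytes, rtt_hairpin_ms,
                                        concurrent_users, appliance_mbps, uplink_mbps)
    nb_mbps, nb_factor = per_user_bound(window_bytes, rtt_direct_ms,
                                        concurrent_users, None, uplink_mbps)
    return {
        "globalprotect": (round(gp_mbps, 1), gp_factor, round(transfer_seconds(file_mb, gp_mbps), 1)),
        "netbird": (round(nb_mbps, 1), nb_factor, round(transfer_seconds(file_mb, nb_mbps), 1)),
    }


if __name__ == "__main__":
    # Scenario 2 style numbers: hairpin RTT 160 ms vs direct 40 ms.
    for path, (mbps, factor, secs) in compare_paths(160, 40).items():
        print(f"{path:13s} {mbps:6.1f} Mbps  limited by {factor:15s} 100 MB in {secs} s")
    # Scenario 1 style numbers: the RTT barely changes, the appliance share still binds.
    print(compare_paths(95, 80))
```

Running it with Scenario 2 numbers (160 ms vs 40 ms) puts the GlobalProtect user at the 20 Mbps appliance share and a 40 s transfer, and the NetBird user at the 100 Mbps uplink and 8 s. With Scenario 1 numbers (95 ms vs 80 ms) the direct user is still uplink-bound and the hairpin user still appliance-bound, which is the point made above: for a Hawaii-based user the gain comes from the ceiling, not from latency.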
Scenario 2: Employee in Maryland to RDP to VM in Boulder
Use case: A project manager in Maryland needs to RDP into a virtual machine (e.g., GSI-HYPV-WKS01 at 10.15.0.100) hosted on DATA007 in Boulder to run project management software.
| Hop | GlobalProtect Path | NetBird Path |
|---|---|---|
| 1 | User (Maryland) | User (Maryland) |
| 2 | Internet | Internet |
| 3 | PA-2020 (Honolulu, Hawaii) — traffic crosses entire US to Hawaii | WireGuard P2P (direct to Boulder) — Maryland to Colorado, ~30ms |
| 4 | Site-to-site tunnel — then crosses back to Colorado | Netgate 6100 routing peer |
| 5 | Netgate 6100 (Boulder) | VM (10.15.0.100) |
| 6 | VM (10.15.0.100) | — |
| Factor | GlobalProtect | NetBird | Improvement |
|---|---|---|---|
| Geographic path | MD -> HI -> CO (7,800+ miles) | MD -> CO (1,600 miles) | 5x shorter path |
| Round-trip latency | ~160-220ms | ~30-50ms | 75-80% lower |
| RDP responsiveness | Noticeable lag, sluggish mouse/typing | Near-LAN feel | Dramatically better UX |
| Video/screen redraw | Choppy, artifacts on fast updates | Smooth | Night and day |
| VPN bottleneck | PA-2020 200 Mbps shared | None (direct P2P) | Eliminated |
Why this matters for RDP: Remote Desktop Protocol adapts its quality based on available bandwidth and latency. At 160-220ms RTT (GlobalProtect hairpin), RDP throttles graphics quality, disables animations, and introduces visible input lag. At 30-50ms (NetBird direct), RDP delivers near-local-desktop responsiveness. Users currently tolerating sluggish RDP sessions may not even realize how much performance they’re losing to the Hawaii hairpin.
Scenario 3: Field Worker in Honolulu to Sage Server in Honolulu
Use case: A field worker on a job site in Honolulu connects via cellular to access the Sage accounting system (GSI-HYPV-SAGE at 10.100.7.40) hosted on DATA005 in the Honolulu office.
| Hop | GlobalProtect Path | NetBird Path |
|---|---|---|
| 1 | User (Honolulu job site, cellular) | User (Honolulu job site, cellular) |
| 2 | Cellular carrier, Internet | Cellular carrier, Internet |
| 3 | PA-2020 (Honolulu office, 98.147.1.83) | WireGuard tunnel to Honolulu routing peer |
| 4 | Decrypt, forward to LAN | Sage VM (10.100.7.40) |
| 5 | Sage VM (10.100.7.40) | — |
| Factor | GlobalProtect | NetBird | Improvement |
|---|---|---|---|
| Network path | Similar (both go through Honolulu) | Similar | Comparable |
| Round-trip latency | ~20-60ms (cellular + VPN overhead) | ~15-40ms (cellular + WireGuard) | ~20% lower |
| Throughput | Limited by PA-2020 (200 Mbps shared) | Limited by cellular bandwidth | Removes PA bottleneck |
| Connection stability | IPsec re-keying on cell tower handoff | WireGuard roaming (seamless) | Much better on cellular |
| Reconnection after signal loss | GP reconnect: 10-30 seconds | WireGuard: ~5 seconds (keepalive) | 2-6x faster recovery |
Key advantage on cellular: WireGuard handles IP address changes (cell tower handoffs) gracefully. The tunnel stays up when the device’s IP changes because WireGuard identifies peers by their public key, not by IP address: the responder records the source address of the latest authenticated packet as the peer’s new endpoint, and because only packets that pass authentication can update it, a third party cannot redirect the tunnel by spoofing a source address. GlobalProtect’s IPsec tunnel is bound to the address pair negotiated in IKE, so after a handoff the client has to reconnect (renegotiate IKE or fall back to SSL), which is where the 10-30 second delay comes from every time the cell signal switches towers.
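The roaming rule described above, as an added example rather than anything taken from NetBird or the WireGuard code base: a toy responder that looks peers up by receiver index and session key, adopts the source address of the latest authenticated packet, and leaves the endpoint alone for replayed or forged packets. HMAC-SHA256 stands in for WireGuard’s ChaCha20-Poly1305 AEAD, the replay check is simplified to a strictly increasing counter, and the indexes, keys and addresses are constructed for the demonstration.

```python
"""Toy model of WireGuard's roaming rule (added example, not NetBird code).

The responder finds the peer by the receiver index carried in the packet
and verifies the tag with that peer's session key. The source address of
the latest *authenticated* packet becomes the peer's endpoint; packets
that fail authentication or are replays leave it untouched. HMAC-SHA256
stands in for the ChaCha20-Poly1305 AEAD, the replay check is simplified
to a strictly increasing counter, and the wire format is not WireGuard's.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]
TAG_LEN = 32
HEADER_LEN = 4 + 8  # receiver index (u32) + counter (u64)


@dataclass
class Peer:
    pubkey: str                       # identity; a Curve25519 key in WireGuard
    session_key: bytes                # symmetric key from the handshake
    endpoint: Optional[Addr] = None   # where the last authenticated packet came from
    recv_counter: int = -1            # highest counter accepted


def seal(index: int, session_key: bytes, counter: int, payload: bytes) -> bytes:
    """Client side: index || counter || payload || tag."""
    body = struct.pack(">IQ", index, counter) + payload
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return body + tag


class Responder:
    def __init__(self) -> None:
        self.peers: Dict[int, Peer] = {}  # receiver index -> peer; no IP involved

    def add_peer(self, index: int, pubkey: str, session_key: bytes) -> None:
        self.peers[index] = Peer(pubkey, session_key)

    def receive(self, src: Addr, packet: bytes) -> str:
        if len(packet) < HEADER_LEN + TAG_LEN:
            return "drop: short"
        index, counter = struct.unpack(">IQ", packet[:HEADER_LEN])
        peer = self.peers.get(index)
        if peer is None:
            return "drop: unknown index"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(peer.session_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "drop: bad tag"       # forged: endpoint must not move
        if counter <= peer.recv_counter:
            return "drop: replay"        # replayed: endpoint must not move
        peer.recv_counter = counter
        roamed = peer.endpoint is not None and peer.endpoint != src
        peer.endpoint = src              # authenticated: adopt the new source
        return "roamed" if roamed else "ok"


def demo() -> Tuple[List[str], Optional[Addr]]:
    """Tower handoff, then a replay and a forgery from an attacker's address."""
    r = Responder()
    key = bytes(range(32))                      # constructed session key
    r.add_peer(7, "field-laptop", key)
    tower_a: Addr = ("198.51.100.10", 40001)    # carrier NAT, first tower
    tower_b: Addr = ("203.0.113.77", 51234)     # carrier NAT after handoff
    attacker: Addr = ("192.0.2.9", 9999)
    results: List[str] = []
    p1 = seal(7, key, 1, b"SMB2 READ")
    p2 = seal(7, key, 2, b"SMB2 READ")
    results.append(r.receive(tower_a, p1))            # ok
    results.append(r.receive(tower_b, p2))            # roamed, no re-handshake
    results.append(r.receive(attacker, p2))           # drop: replay
    forged = seal(7, bytes(32), 3, b"SMB2 READ")     # wrong key
    results.append(r.receive(attacker, forged))       # drop: bad tag
    return results, r.peers[7].endpoint
```

The second packet arrives from a different carrier address and is accepted without any handshake, which is the behaviour that keeps the tunnel up across a handoff; the two packets from the attacker’s address are dropped and the endpoint stays on the legitimate tower, which is why roaming does not open a redirection hole.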
Scenario 4: Boulder Office Worker to File Server in Honolulu (Remote Site Access)
Use case: An engineer physically in the Boulder office needs to access the FILES server (GSI-HYPV-FILES at 10.100.7.15) or GIS data in Honolulu.
| Hop | Current IPsec S2S Path | NetBird S2S Path |
|---|---|---|
| 1 | User workstation (Boulder LAN, 10.15.0.x) | User workstation (Boulder LAN, 10.15.0.x) |
| 2 | Netgate 6100, Comcast WAN | Netgate 6100 (also NetBird routing peer) |
| 3 | Site-to-site IPsec tunnel | WireGuard tunnel (direct Boulder to Honolulu routing peer) |
| 4 | PA-2020 (Honolulu), decrypt, forward to LAN | FILES server (10.100.7.15) |
| 5 | FILES server (10.100.7.15) | — |
| Factor | Current IPsec S2S | NetBird S2S | Improvement |
|---|---|---|---|
| Round-trip latency | ~60-80ms | ~55-75ms | Slight improvement |
| Throughput ceiling | PA-2020 IPsec: 200 Mbps | WireGuard: line speed | Higher ceiling |
| Encryption overhead | PA-2020 hardware (2010-era) | Netgate 6100 + Honolulu VM (modern) | Lower CPU load |
| Failover | Manual (PA-2020 single point) | NetBird HA routing peers | Automatic |
Note: For same-path site-to-site traffic (Boulder to Honolulu), the latency improvement is modest because the geographic distance is the same. The main gains are throughput ceiling (no PA-2020 bottleneck) and connection reliability.
Scenario 5: Remote Worker Anywhere to AD Password Reset
Use case: The roughly 90% of users whose only reason to connect to the VPN is resetting their AD password.
| Factor | GlobalProtect | NetBird + SSPR |
|---|---|---|
| User action required | Open GP app -> connect -> wait -> navigate to password change | None (NetBird is always connected) |
| Time to complete | 3-10 minutes (connect + reset + wait for cached creds) | 30-60 seconds (browser -> SSPR -> done) |
| Helpdesk tickets generated | ~200/year | ~0/year |
| Attack surface during process | Self-hosted GP login portal exposed to credential spraying | No company-hosted portal; SSPR is Microsoft-hosted and gated by the authentication methods configured in Entra ID |
| Works from any device | Only devices with the GP client installed | Any device with a browser (SSPR); the company laptop’s cached credentials update the next time it authenticates to a domain controller over the always-on tunnel |
Summary: Performance Gains by Location
| User Location | Target Resource | GlobalProtect RTT | NetBird RTT | Throughput Gain | Experience |
|---|---|---|---|---|---|
| Hawaii (remote) | Boulder SMB/RDP | 70-90ms plus hairpin processing | 70-90ms | 3-6x | Major improvement (throughput-driven) |
| Maryland | Boulder RDP | 160-220ms | 30-50ms | 4-7x | Transformative |
| East Coast (any) | Boulder resources | 150-200ms | 25-60ms | 3-5x | Major improvement |
| West Coast (any) | Boulder resources | 100-140ms | 15-30ms | 2-3x | Noticeable improvement |
| Hawaii (field) | Honolulu Sage/CAD | 20-60ms | 15-40ms | ~1.2x | Modest + better stability |
| Boulder (office) | Honolulu FILES/GIS | 60-80ms | 55-75ms | ~1.1x | Modest (geography-limited) |
| Anywhere | Password reset | 3-10 min process | 30-60 sec | N/A | Eliminates the process |
The takeaway: Any mainland user accessing Boulder resources through the Hawaii VPN hairpin is losing 50-80% of their potential throughput and experiencing 2-4x the latency the direct path would give them, and the further east the user is from Hawaii, the worse the penalty. A Maryland user accessing Boulder through the Honolulu VPN is sending packets on a 7,800-mile detour when the direct path is 1,600 miles. Hawaii-based users see little change in latency, since both paths cross the Pacific once each way, but they are held to the same shared 200 Mbps ceiling and gain the same throughput headroom.