why speed test results are usually lower than advertised speed

Overhead

• Your internet speed is measured in raw bits per second (bps), but real-world data transfer includes additional information like headers, acknowledgments, and error checking.

• TCP/IP, Ethernet, and other protocols add packet overhead, meaning some portion of the bandwidth is used for network management rather than your actual data.
• This overhead typically accounts for 5-15% of the total bandwidth, which explains why you rarely see a full 1 Gbps in speed tests.

Speed test client and server

The speed test server’s capacity can impact results. Some servers may be congested or unable to fully utilize your bandwidth.

The distance between you and the test server affects latency, which can slightly reduce speeds.

The speed test client needs to have a good NIC (intel if possible) and good spec (RAM and CPU) because it needs to make many connections to test the connection. For example if you test with a 100mbps NIC that is the max speed you can see. You need a 1gig NIC or better to test a 1gig connection.

ISP and firewall/network management and contention

• ISPs often use network shaping, congestion control, and peering agreements that affect speed.
• During peak times, ISPs may limit speeds slightly to ensure fair distribution of bandwidth among users.
• Your internal network/firewall may do the same
• Its best to test out of hours with just your test laptop plugged into the internet connection to give the best results

check a DNS TXT record

 

https://mxtoolbox.com/SuperTool.aspx?action=txt%3a%40.dlrcoco.ie&run=toolpage#

nslookup -type=TXT mail._domainkey.domain.com

dig TXT domain.com +short

Powershell

Resolve-DnsName -Type TXT domain.com

Meraki monitoring pages

Organisation -> Alerts

Network-wide > clients

Network wide > Traffic

geoblock on palo alto

The FW needs to see the IP before geoblock can be applied 

under monitor > logs > GlobalProtect

( stage eq 'login' ) and ( status eq 'success' )

Also

Network > Gateways, click on the "Remote Users" link on the right

There is also the option to create the NAT for the GP IP only for the geo locations allowed

Have a general security rules with geoblock to/from any deny

Have a security rule to allow access to the GP IP only from the approved countries

Set the countries up in the GP config (portal / gateway)

Config the geoblock on any 2FA you might be using for 2FA as well as another line of defence

Enable the palo EDL blocks and dynamic threats etc, strict IPS

exclude IP's from nessus scan

Say we want to exclude 101 and 102 we can create targets like so:

192.168.1.1-192.168.1.100, 192.168.1.103-192.168.1.254

Nessus HSTS check and redirects HTTP 3xx codes

 https://community.tenable.com/s/article/Verify-strict-transport-security-header-for-HSTS-Missing-From-HTTPS-Server?language=en_US

curl -sSI http://domain.com/

Palo alto and azure SAML auth

KBs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

https://learn.microsoft.com/en-us/entra/identity/saas-apps/palo-alto-networks-globalprotect-tutorial

Generate the the cert and make it active

Delete the old cert

Wait a few minutes for azure cloud to update 

Download the xml

delete old certs from palo

Import the xml into palo this will create cert and SAML IDP profile

Don't tick validate check box

Select the new IDP profile in your azure auth profile

NAT rules on palo alto

 Making a note because its a bit different to cisco ASA

NAT rule

OUTSIDE > OUTSIDE 

Public src > Public dst

FW rule 

OUTSIDE > INSIDE (counted as inside because of the NAT)

Public src > Public dst