Why speeds appear capped
If the site has Threat Analysis (Snort IPS/IDS) enabled — set under Firewall › Threat Analysis in the Portal — a single speed test will appear to cap around 150 Mbps. That number is per connection, not per network.
The Threat Analysis inspector runs across multiple processor cores. Each inspection instance handles roughly 40–75 Mbps, and the gateway has about 2.5 cores worth of inspection capacity available. To actually exercise all the cores at once you have to give them several concurrent connections to inspect — a single TCP stream from a single workstation can’t do it.
Measuring the full throughput
To get a representative number for the whole network, run speed tests on at least two workstations at the same time. Add the results together to get the network-wide throughput. The more workstations you run in parallel, the more accurate the total will be, up to the point where the inspection cores or the WAN link saturates.
A short video explainer is available here: https://youtu.be/XvdVDR9L3w8