Re: WinNT and Firewall-1

["Michael Embree" <embreem () gov ns ca>]

> Date: Wed, 20 Jan 1999 21:56:46 -0600 
> From: Alyea (walyea () insnet com)
> Subject: WinNT and Firewall-1
>
> I am preparing to install a Firewall-1 (v.4.0) box on Windows NT
> (v.4.0SP3 + hotfixes).  The catch is that it will have 4 network
> interfaces (2 full Ts and 2 ethernet).  My concern is that NT will bog
> down to unacceptable levels of performance.  Installation on a Unix box
> is not an option (client is unable to support it).
>
> Does anyone have any real experience with a similar configuration (2 -
> 300MHz processors and 512M RAM)?  How is performance?

I have FW-1 v3.0b sp8 VPN+DES and NT Server 4.0 sp4 (upgraded from 
FW-1 3064 and NT sp3 about 10 days ago) on a dual Pentium Pro 200 
with 128 Mb RAM, a 3c905x NIC and an Adaptec ANA-6944a 4 port NIC.  
Currently only 3 of the 5 interfaces are connected, 100 Mbs for inside, 
10 Mbs for public servers (web, ftp, email, etc.) and 10 Mbs to our Internet 
router (T1).  The T1 is pretty much saturated for inbound traffic and 
somewhat less than 50% utilized for outbound (mostly from our servers 
segment) and is overdue for an upgrade.  We use dynamic NAT for our 
inside networks and no NAT for our server segment.  I commonly see 
about 2000 active FW-1 connections during the day with about 20-30% 
CPU utilization (with spikes above 50%), no paging and committed 
memory of about 60 MB (less than half the physical memory).  I am 
currently logging pretty much everything (no accounting log) and am not 
currently using Secure Remote or any security servers.  I am planning on 
using the mail server now that I am at sp8 (I hope I don't end up regretting 
this).  We have had to tweak the FW-1 Memory, PacketPoolSize and 
BufferPoolSize parameters to get it to work smoothly with this amount of 
activity.  I have no complaints about the firewall's performance.