ForceWare Networking and Firewall Administrator’s Guide
Software Version 2.0, 9th Edition
NVIDIA Corporation, September 2005
Source: de.download.nvidia.com/Windows/nForce/650i/ForceWare_Network_A…

nViewGuide.book Page 1 Monday, September 19, 2005 6:01 PM


NVIDIA Corporation

NVIDIA ForceWare Networking Administrator’s Guide

Copyright © 2005 by NVIDIA Corporation. All rights reserved.

Published by NVIDIA Corporation, 2701 San Tomas Expressway, Santa Clara, CA 95050

Notice

ALL NVIDIA DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE.

Information furnished is believed to be accurate and reliable. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

Trademarks

NVIDIA, the NVIDIA logo, and ActiveArmor are registered trademarks or trademarks of NVIDIA Corporation in the United States and/or other countries. Other company and product names may be trademarks or registered trademarks of the respective owners with which they are associated.

_____________________________________________________________________________________________

Copyright© 1982, 1986, 1988, 1990, 1993, 1995 The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

• All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes software developed by the University of California, Berkeley and its contributors.”

• Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Table of Contents


1. Introduction
  Audience ... 10
  About NVIDIA ForceWare Network Access Manager ... 10
    NVIDIA Command Line Interface (nCLI) ... 10
    Web-Based Interface ... 11
      Sample Web Pages ... 12
      Specifying Another Language for Web Page Content ... 13
    WMI Script ... 14
  About Security ... 14
  ActiveArmor Firewall ... 15
    Key Features—ActiveArmor Firewall ... 15
  System Requirements ... 17
    General Requirements ... 17
      Notes and Tips ... 17
      Hardware Requirements ... 17
      Operating Systems ... 18
    Software, Memory, and Disk Space Requirements ... 19
    ActiveArmor Firewall, ActiveArmor SNE, and Ethernet Parameters Reference ... 19
    ActiveArmor Firewall and Windows XP Service Pack 2 ... 20
      Windows Security Center ... 20

2. Installation Guidelines
  Before Using the ForceWare Network Access Manager Installer ... 21
  Installing ForceWare Network Access Manager ... 21
  Installing Network Access Manager in Silent Mode—Optional ... 23
    Creating the Response File ... 23
    Running Installation in Silent Mode ... 23
  Launching the ForceWare Network Access Manager Web Interface ... 24
    Trusting the Security Certificate—For Remote Users Only ... 25
      Importing the Certificate—First Method ... 25
      Importing the Certificate—Second Method ... 28
    Localizing the Web Interface ... 29
  Configuration Deployment ... 30
    Before You Begin ... 30

3. ActiveArmor Firewall: Basic Concepts
  Types of Firewalls ... 31
  Stateful vs. Stateless ... 32
  Inbound vs. Outbound Packets ... 32
    About the TCP Protocol ... 33
    About the UDP and ICMP Protocols ... 33
      UDP ... 33
      ICMP ... 34
  Stateful Filtering ... 34
  Stateless Filtering ... 36

4. Configuring the ActiveArmor Firewall
  ActiveArmor Firewall Parameters Reference ... 38
  Using the Basic Configuration Page ... 38
    Security Profile Settings ... 40
  Using the Intelligent Application Manager (IAM) ... 41
    IAM Popup Dialog Boxes ... 42
      Information Dialog Box ... 43
      Risk-Level Warnings ... 43
      Basic Risk-Level Dialog Box ... 45
      Advanced Risk-Level Dialog Box ... 46
    Configuring the IAM ... 47
  Advanced Configuration ... 48
    Configuring Antihacking Features ... 50
  About Working With Tables ... 51
    Specifying Actions ... 51
    About Table Sorting ... 51
    Reordering ActiveArmor Firewall Rules ... 52
    Table Default Action Settings ... 54
  Using the ActiveArmor Firewall Wizards Page ... 55
    DHCP Server/Client Configuration ... 56
      DHCP Server ... 56
      DHCP Client ... 57
  Configuration Dependencies ... 57
    Recommendations ... 58
  ActiveArmor Firewall Statistics ... 59
  ActiveArmor Firewall Logging ... 63

5. Configuring NVIDIA ActiveArmor
  NVIDIA ActiveArmor Parameters Reference ... 66
  Understanding NVIDIA ActiveArmor ... 66
    NVIDIA ActiveArmor and the ActiveArmor Firewall ... 67


  Configuring ActiveArmor to Offload All Connections ... 69
    Tracking ActiveArmor Connections ... 70
    Tracking ActiveArmor Statistics ... 71
  Using ActiveArmor as a TCP/IP Accelerator ... 72
    Configuring ActiveArmor to Offload One Application ... 73
    Configuring ActiveArmor to Offload One TCP Port ... 74

6. Administrative Tasks
  Accessing the Administration Menu ... 76
  Application Access Control Page ... 76
    Default Administrative Access Control Settings ... 77
    Command Line Access ... 78
    WMI Script ... 79
    Local Web Access ... 79
    Remote Web Access ... 79
      Additional Notes ... 80
    Password ... 80
    IP Address and IP Address Mask — optional ... 80
  Restore Factory Defaults ... 81
  Display Settings ... 81
  Backup/Restore ... 82
    Backup Configuration ... 82
    Restore User Configuration ... 82
  ForceWare Network Access Manager Software Version ... 83

7. Using WMI Script
  Before You Begin ... 84
  Benefits of Using WMI Script ... 84
  Overview ... 85
  Advanced Topics ... 85
    NVIDIA Namespace ... 85

8. Using The NVIDIA Command Line Interface (nCLI)
  Conventions Used ... 86
  About Examples Used ... 86
  Parameters ... 86
  Modes of Operation ... 87
    Expert Mode ... 87
    Interactive Mode ... 87
      First Method ... 87
      Second Method ... 87
  Using Single Parameters ... 88
    Set ... 88
      Example — (Expert Mode) ... 88
    Set ... 88
      Example — (Interactive Mode) ... 88
    Get ... 89
      Example — (Expert Mode) ... 89
      Example — (Interactive Mode) ... 89
    Help ... 90
      Example — (Expert Mode) ... 90
  Using Table Parameters ... 90
    Interactive and Expert Commands ... 90
      Expert Commands ... 91
    Add Row ... 91
      Example — (Expert Mode) ... 91
    Get Row ... 92
      Example — (Expert Mode) ... 92
      Example — (Interactive Mode) ... 93
    Edit Row ... 94
      Example — (Expert Mode) ... 94
    Delete Row ... 94
      Example — (Expert Mode) ... 94
    Help ... 94
      Example — (Expert Mode) ... 94
    Set Table ... 95
      Examples — (Expert Mode) ... 95
    Get Table ... 96
      Example — (Expert Mode) ... 96
    About Other Table Commands ... 96
      Syntax ... 96
  Browsing the Parameter Structure ... 96
    List ... 97
      Example — (Interactive Mode) ... 97
    Changing Directory ... 97
      Example 1 — (Interactive Mode) ... 97
      Example 2 — (Interactive Mode) ... 98
    Current Working Directory ... 99
      Example — (Interactive Mode) ... 99
    Context-Sensitive Operations ... 99
      Example — (Interactive Mode) ... 99
  Text File Processing ... 100
    Export ... 100
      Syntax ... 100
      Example 1 — (Interactive Mode) ... 101
      Example 2 — (Interactive Mode) ... 101
      Example 3 — (Interactive Mode) ... 101
    Import ... 101
      Syntax ... 102
  Support for Multiple Ethernet Interfaces ... 102
    Example 1 ... 102
    Example 2 ... 102


Glossary ... 103

A. Ethernet Parameters Reference
  Group: Remote Wakeup ... 104
    Remote Wakeup ... 104
    Remote Wakeup by Magic Packet ... 105
    Remote Wakeup (Pattern Match) ... 105
    Remote Wakeup (Link State Change) ... 106
    Remote Wake Up from Hibernate or Shutdown ... 106
  Group: Protocol Offload ... 107
    Checksum Offload ... 107
    IPv4 Transmit Checksum Offload ... 107
    IPv4 Receive Checksum Offload ... 108
    UDP Transmit Checksum Offload ... 108
    UDP Receive Checksum Offload ... 109
    TCP Transmit Checksum Offload ... 109
    TCP Receive Checksum Offload ... 110
    TCP Large Send Offload ... 110
  Group: Microsoft Operating System VLAN (Virtual LAN) ... 111
    Microsoft Operating System VLAN ... 111
  Group: VLAN (Virtual LAN) ... 112
    VLAN Support ... 112
    VLAN ID ... 112
  Group: Jumbo Frame ... 113
    Jumbo Frame Payload Size ... 113
  Group: Driver Optimization ... 114
    Ethernet Driver Optimization ... 114
  Group: Ethernet Performance ... 115
    Number of Receive Buffers ... 115
    Number of Receive Buffer Descriptors ... 115
    Number of Transmit Buffer Descriptors ... 116
    Maximum Transmit Frames Queued ... 116
    Number of Receive Packets to Process per Interrupt ... 117
    Number of Transmit Packets to Process per Interrupt ... 117
    Interrupt Interval ... 118
  Group: Traffic Prioritization ... 118
    IEEE 802.1p Support ... 118
  Group: Ethernet Speed/Duplex ... 119
    Configurable Ethernet Speed/Duplex Settings ... 119
    Link Speed ... 120
    Maximum Link Speed ... 121
    Duplex Setting ... 121
    Link Status ... 122
    Promiscuous Mode ... 122
    Permanent Ethernet Address ... 123
  Group: Ethernet Address ... 123
    Current Ethernet Address ... 123
  Group: Network Interface Information ... 124
    Computer (Machine) Name ... 124
    IP Address ... 124
    IP Address Mask ... 125
  Group: Factory Default ... 126
    Factory Default ... 126
  Table: Multicast Address List ... 126
    Multicast Address List ... 126
    Multicast Addresses (Single Parameter) ... 127
  Group: Ethernet Statistics ... 127
    Frames Received with Alignment Error ... 127
    Frames Transmitted After One Collision ... 128
    Frames Transmitted After Two or More Collisions ... 128
    Frames Transmitted After Deferral ... 129
    Frames Exceed Maximum Collision ... 129
    Frames with Overrun Errors ... 130
    Frames with Underrun Errors ... 130
    Frames with Heartbeat Failure ... 131
    Carrier Sense (CRS) Signal Lost ... 131
    Late Collisions ... 132
  Group: General Networking Statistics ... 132
    Successfully Transmitted Frames ... 132
    Successfully Received Frames ... 133
    Transmit Failures ... 133
    Receive Failures ... 133
    No Receive Buffers ... 134
    Direct Frames Received ... 134
    Multicast Frames Received ... 134
    Broadcast Frames Received ... 135
  Group: Alert Standard Format ... 135
    ASF Support ... 135
    ASF Destination IP Address ... 136
    ASF Send Count ... 136
  Group: ASF Information ... 137
    ASF Destination MAC Address ... 137
  Group: System Fails to Boot Alert ... 137
    System Fails to Boot Alert ... 137
  Group: Fan Problem Alert ... 138
    Fan Problem Alert ... 138
  Group: ASF SMBus Error ... 138
    ASF SMBus Error ... 138
  Group: ASF WOL Alert ... 139
    ASF Wake On LAN (WOL) Alert ... 139
  Group: ASF Heartbeat Alert ... 139


    ASF Heartbeat Alert Interval ... 139
  Group: ASF Operating System Hung Alert ... 140
    ASF Operating System Hung Alert ... 140
  Group: ASF Power Button Alert ... 140
    ASF Power Button Alert ... 140
  Group: ASF System Hot Alert ... 141
    ASF System Hot Alert ... 141
  Group: ASF CPU Overheated Alert ... 141
    ASF CPU Overheat Alert ... 141
  Group: ASF CPU Overheated Alert ... 142
    ASF CPU Hot Alert ... 142
  Group: ASF Case Intrusion Alert ... 142
    ASF Case Intrusion Alert ... 142

B. ActiveArmor Firewall Parameters Reference
  Group: Configure Firewall Security Level ... 143
    Configure Firewall Security Level ... 143
      About the FwlProfiles Settings ... 144
  Group: Configure Firewall Options ... 146
    Disallow Promiscuous Mode ... 146
    Disallow DHCP Server ... 147
    Block Outbound Spoofed IP Packets ... 147
    Block Spoofed ARP Packets ... 148
    Block UDPv4 with No UDP Checksum ... 148
  Group: EtherType Default Rule ... 149
    EtherType Default Rule ... 149
  Group: IP Address/Mask Default Rule ... 149
    IP Address/Mask Default Action ... 149
  Group: Domain Name Default Rule ... 150
    Domain Name Default Rule ... 150
  Group: IP Option Default Rule ... 150
    Inbound IP Option Default Rule ... 150
    Outbound IP Option Default Rule ... 151
  Group: IP Protocol Default Rule ... 151
    IP Protocol Default Rule ... 151
  Group: Port Number Default Rule ... 152
    Inbound Port Number Default Rule ... 152
    Outbound Port Number Default Rule ... 152
  Group: TCP Options Default Rule ... 153
    TCP Options Default Rule ... 153
  Group: ICMP Messages Default Rule ... 153
    Inbound ICMP Default Rule ... 153
    Outbound ICMP Default Rule ... 154
  Group: Clear Firewall Statistics ... 154
    Clear Firewall Statistics ... 154
  Group: Firewall Statistics ... 155
    Allowed Inbound UDP Datagrams ... 155
    Denied Inbound UDP Datagrams ... 155
    Allowed Outbound UDP Datagrams ... 155
    Denied Outbound UDP Datagrams ... 156
    Denied Inbound UDP Connections ... 156
    Allowed Outbound UDP Connections ... 156
    Denied Outbound UDP Connections ... 157
    Allowed Inbound TCP Segments ... 157
    Denied Inbound TCP Segments ... 157
    Allowed Outbound TCP Segments ... 158
    Denied Outbound TCP Segments ... 158
    Allowed Inbound TCP Connections ... 158
    Denied Inbound TCP Connections ... 159
    Allowed Outbound TCP Connections ... 159
    Denied Outbound TCP Connections ... 159
    Allowed Inbound ICMP Packets ... 160
    Denied Inbound ICMP Packets ... 160
    Allowed Outbound ICMP Packets ... 160
    Denied Outbound ICMP Packets ... 161
    Other Allowed Inbound Packets ... 161
    Other Denied Inbound Packets ... 161
    Other Allowed Outbound Packets ... 162
    Other Denied Outbound Packets ... 162
  Group: Factory Default ... 163
    Factory Default ... 163
  Group: Flush DNS Cache ... 163
    Flush DNS Cache ... 163
  Table: EtherType Rules ... 164
    Ether Type ... 164
    EtherType Name ... 165
    EtherType Action ... 165
  Table: IP Address/Mask Rule ... 166
    Remote IP Address ... 166
    Remote IP Address Mask ... 167
    IP Action ... 167
  Table: Domain Names Rule ... 168
    Domain Name ... 168
    Domain Action ... 169
  Table: IP Option Rules ... 169
    IP Option Number ... 170
    IP Option Name ... 170
    IP Version ... 171
    IP Inbound Action ... 171
    IP Outbound Action ... 171
  Table: IP Protocol Rule ... 172
    IP Protocol ... 172
    IP Protocol Name ... 173
    IP Protocol Action ... 173
  Table: TCP/UDP Port Rule ... 174
    TCP/UDP Port Outbound Action ... 175
    Remote IP Address ... 175


    Remote IP Subnet Mask ... 175
    Port Name ... 176
    Beginning Port Number ... 176
    Ending Port Number ... 176
    Port Protocol ... 177
  Table: TCP Options Rule ... 177
    TCP Option Number ... 178
    TCP Option Name ... 178
    TCP Option Action ... 178
  Table: ICMP Rules ... 179
    Remote IP Address ... 179
    Remote IP Subnet Mask ... 180
    ICMP Type ... 180
    ICMP Code ... 180
    ICMP Name ... 181
    ICMP Version ... 181
    ICMP Inbound Action ... 181
    ICMP Outbound Action ... 182

C. ActiveArmor Secure Network Engine (SNE) Parameters Reference
  Group: Feature Controls ... 183
    ActiveArmor SNE ... 183
  Group: Offload Default ... 184
    Offload Default ... 184
  Group: ActiveArmor Factory Default ... 184
    Factory Default ... 184
  Table: Offloadable IP Address and Port Ranges ... 185
    Offloadable IP Address and Port Ranges ... 185
    Local IP Address ... 186
    Local IP Subnet Mask ... 186
    Remote IP Address ... 186
    Remote IP Subnet Mask ... 187
    Beginning Port Number ... 187
    Ending Port Number ... 188
    Offload Setting for Inbound Connection ... 188
    Offload Setting for Outbound Connection ... 189
  Table: Application Offload Control ... 189
    Application Offload Control Table ... 189
    IP Address ... 190
    IP Subnet Mask ... 190
    Application Filename ... 191
    Application Path ... 191
    Offload Enable/Disable for Inbound Connection ... 192
    Offload Enable/Disable for Outbound Connection ... 192
  Group: ActiveArmor Statistics ... 192
    Received TCP Payload Bytes ... 193
    Transmitted TCP Payload Bytes ... 193
    Received TCP Segments ... 193
    Transmitted TCP Segments ... 194
    Retransmitted TCP Segments ... 194
    Total ICMP “Destination Unreachable” Packets Received ... 194
    IP Fragments Received ... 195
    IP Packets Received with Options ... 195
    TCP Segments Received with Valid Reset Flag Set ... 195
    TCP Segments Transmitted with the Reset Flag Set ... 196
    Auto-ACKs Transmitted ... 196
  Table: Connection Table Information ... 196
    Connection Table Information ... 196
    Connection Lifetime ... 197
    TCP State ... 197
    Hardware Offload ... 198
    Local IP Address ... 198
    Local TCP Port ... 199
    Remote IP Address ... 199
    Remote TCP Port ... 199

D. Glossary


List of Tables

Table 1.1 Hardware and Software Features Support ... 18
Table 1.2 Software, Memory, and Disk Space Requirements ... 19
Table 6.1 ActiveArmor Firewall Features ... 78


List of Figures

Figure 1.1 ForceWare Network Access Manager—Home Page ... 12
Figure 1.2 Ethernet Basic Configuration ... 12
Figure 1.3 Firewall Wizards ... 13
Figure 1.4 ActiveArmor Firewall ... 20
Figure 2.1 Security Alert—For Remote Users Only ... 25
Figure 2.2 Certification Page—For Remote Users Only ... 26
Figure 2.3 Certification Page—For Remote Users Only ... 26
Figure 2.4 Certification Import Wizard—For Remote Users Only ... 27
Figure 2.5 Certificate Import Wizard Completion Page—For Remote Users Only ... 27
Figure 2.6 Root Certificate Store—For Remote Users Only ... 28
Figure 4.1 ActiveArmor Firewall—Basic Configuration ... 40
Figure 4.2 Information Dialog Box ... 43
Figure 4.3 Low Risk Warning ... 44
Figure 4.4 Medium Risk Warning ... 44
Figure 4.5 High Risk Warning ... 44
Figure 4.6 Basic Risk-Level Dialog Box ... 45
Figure 4.7 Advanced Risk-Level Dialog Box ... 46
Figure 4.8 ActiveArmor Firewall Application Table ... 48
Figure 4.9 ActiveArmor Firewall Options—Configuring Antihacking Features ... 50
Figure 4.10 Reordering ActiveArmor Firewall Rules — Cutting a Row ... 53
Figure 4.11 Reordering ActiveArmor Firewall Rules — Pasting a Row ... 54
Figure 4.12 Firewall Wizards ... 56
Figure 4.13 Graphical Information for Packets ... 60
Figure 4.14 Bar Graph of Packet Activity ... 61
Figure 4.15 Table (Statistics) of Packet Activity—First Section ... 62
Figure 4.16 Table (Statistics) of Packet Activity—Second Section ... 62
Figure 4.17 Firewall Logging Messages ... 64
Figure 4.18 User Log Settings ... 65
Figure 5.1 Four Software Layering Scenarios ... 68
Figure 5.2 ActiveArmor Configuration and Application Table ... 69
Figure 5.3 ActiveArmor Configuration and Port Tables ... 70
Figure 5.4 ActiveArmor Connections Table ... 71
Figure 5.5 ActiveArmor Connection Statistics ... 72
Figure 5.6 ActiveArmor Application – add rule ... 73
Figure 5.7 ActiveArmor Port – add rule ... 74
Figure 6.1 Application Access Control Settings ... 77

nViewGuide.book Page ix Monday, September 19, 2005 6:01 PM

Page 10: ForceWare Networking and Firewall Administrator’s Guidede.download.nvidia.com/Windows/nForce/650i/ForceWare_Network_A… · About NVIDIA ForceWare Network Access Manager ... network

Chapter 1 Introduction

CHAPTER 1

INTRODUCTION

Audience

This guide is intended for the system or network Administrator of an organization as a guide to install and use the NVIDIA® ForceWare™ Network Access Manager application.

Note: This guide assumes the reader has Administrator access privileges. Exceptions are noted, where applicable.

About NVIDIA ForceWare Network Access Manager

Using the ForceWare Network Access Manager application, you can easily configure and control NVIDIA networking hardware and software, gather statistics, and monitor logs. ForceWare Network Access Manager gives you several choices in managing your networking hardware and software:

• “NVIDIA Command Line Interface (nCLI)” on page 10
• “Web-Based Interface” on page 11
• “WMI Script” on page 14

NVIDIA Command Line Interface (nCLI)

The ForceWare Network Access Manager provides command line access through the nCLI program. The nCLI command can be run in either expert or interactive mode to configure and monitor NVIDIA networking components.


• Expert mode is suitable for deployment in an organization by running nCLI from a login script. To use nCLI in expert mode, you need to be familiar with the syntax and characteristics of configuration parameters. For details and examples of using the nCLI command with various Ethernet and ActiveArmor Firewall parameters, see “Ethernet Parameters Reference” on page 104 and “ActiveArmor Firewall Parameters Reference” on page 143.

• Interactive mode runs in a shell environment and is suitable for Administrators who do not have access to the syntax and characteristics of the nCLI configuration parameters. nCLI provides navigation features to assist these users.

Note: Extensive nCLI usage samples in batch file format are provided in the following subdirectories under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or a path you specify:

samples\Eth (for Ethernet)
samples\Firewall (for Firewall)
samples\ActiveArmor (for ActiveArmor)

You can cut and paste the appropriate commands and use them in batch files or on command lines. Also see “Using The NVIDIA Command Line Interface (nCLI)” on page 86.

Web-Based Interface

The ForceWare Network Access Manager Web-based interface (see “Sample Web Pages” on page 12) offers convenient access through several features:

• Wizards—see “Using the ActiveArmor Firewall Wizards Page” on page 55.
• Profiles
• Status summaries
• Help. Context-sensitive online Help is available on a wide range of features. From any ForceWare Network Access Manager Web page, click the Help tab, seen in Figure 1.1, to access detailed Help on the parameters you are configuring.
• Log. The ActiveArmor Firewall generates log entries that provide a historical view of ActiveArmor Firewall activities.
• Tool tips. When your cursor rests on the name of a parameter, its description is displayed in a popup text window, called a tool tip.


Sample Web Pages

Figure 1.1 ForceWare Network Access Manager—Home Page

Figure 1.2 Ethernet Basic Configuration


Figure 1.3 Firewall Wizards

Specifying Another Language for Web Page Content

ForceWare Network Access Manager supports viewing of the Web-based interface in the following languages:

• Brazilian Portuguese
• French
• German
• Italian
• Spanish
• Japanese
• Korean
• Simplified Chinese
• Traditional Chinese

For complete details, see “Installing ForceWare Network Access Manager” on page 21 and “Localizing the Web Interface” on page 29.


WMI Script

You can use the Microsoft® Windows Management Instrumentation (WMI) script language to manage NVIDIA networking hardware and software. Using the WMI script language is recommended only for Administrators who are already familiar with programming in WMI script and who have become familiar with the syntax and characteristics of configuration parameters. WMI script programming is used by the IT staff of larger corporations to carry out day-to-day maintenance work. Overall benefits of using WMI scripts include:

• Industry standard—WMI can be implemented using languages such as VBScript and JScript.
• Ease of use
• Common scripts—allow access to ForceWare Network Access Manager data.
• Flexibility—If you are a WMI script user, you can utilize the power of the script languages to meet almost any requirements. For example, as an Administrator, you can write a WMI script to scan for Yahoo Messenger on a computer and open the appropriate port if the computer user has sufficient rights.
• Remote use—means you can run the WMI script language remotely and use it as a deployment tool in an organization. See “Configuration Deployment” on page 30.

For further information, see “Using WMI Script” on page 84.

About Security

Access control is based on the kind of application being run, whether you are an Administrator or non-Administrator user, and the kind of access needed—that is, local or remote. The ForceWare Network Access Manager Web-based Application Access Control page (“Application Access Control Page” on page 76) enables you to configure non-Administrator access to applications, including:

• nCLI (NVIDIA command line interface)
• WMI scripting interface
• Local and remote Web access


Note: For applications that are accessed from the local computer, the application access rights depend on the current access rights for the Windows login session.

Note: A non-Administrator user on a computer cannot access the ActiveArmor Firewall parameters and modify the access control parameters.

For further details on security and access control, see “Application Access Control Page” on page 76.

ActiveArmor Firewall

Note: ActiveArmor Firewall only operates on an NVIDIA Ethernet interface. ActiveArmor Firewall will not protect network traffic or applications on a system that uses a third-party Ethernet interface (for example 3Com, Intel, Broadcom, DLink, etc.) on an NVIDIA nForce motherboard.

ActiveArmor Firewall—the only “native” firewall in the market—is optimized and integrated into the NVIDIA nForce systems that support ForceWare Network Access Manager. (See Table 1.1 for supported NVIDIA hardware and features.)

The ActiveArmor Firewall is a high performance, “hardware-optimized” firewall offering enhanced reliability and protection at the end-point—i.e., the desktop. It incorporates firewall and antihacking technologies such as antispoofing, antisniffing, anti-ARP cache poisoning, and anti-DHCP server, which are important security controls for corporate network environments.

For an explanation of firewall concepts and the ActiveArmor Firewall, see Chapter 3—“ActiveArmor Firewall: Basic Concepts” on page 31.

Key Features—ActiveArmor Firewall

• Intelligent Application Manager (IAM). IAM enables you to create firewall rules based on the application name. Whenever an application attempts to open a new network connection (either as a client or as a server), you are prompted to Allow or Deny the application's access to the network. An application-based firewall rule is then automatically created or modified.
• System tray application. The system tray application provides a convenient way for you to view and change the settings of Firewall profiles.
• User-friendly Web-based interface includes Wizards, charts, tables, and logging statistics. See “Configuring the ActiveArmor Firewall” on page 38.


• ICSA certified. See the following Web site for details: www.icsalabs.com.
• Antihacking features listed below provide important security controls for corporate network environments:
  • Antispoofing
  • Antisniffing
  • Anti-ARP cache poisoning
  • Anti-DHCP (Dynamic Host Configuration Protocol) server process
  Also see Table 1.1, “Hardware and Software Features Support” on page 18 and “Configuring Antihacking Features” on page 50.
• Comprehensive “packet filtering”—see “ActiveArmor Firewall: Basic Concepts” on page 31.
• “Stateful” and “stateless” packet inspections—see “ActiveArmor Firewall: Basic Concepts” on page 31.
• Predefined security profiles—see “Configuring the ActiveArmor Firewall” on page 38—include these key features:
  • User-customizable profiles
  • Internet Protocol version 6 (IPv6) support
  • Settings—Lockdown, High, Medium, Low, Off
• Advanced management features—see “Configuring the ActiveArmor Firewall” on page 38:
  • Remote administration
  • Monitoring
  • Configuration
• NVIDIA command line interface (nCLI) support—not available on all systems. For details, refer to Table 1.1, “Hardware and Software Features Support” on page 18.
• ActiveArmor Secure Network Engine (SNE). NVIDIA ActiveArmor controls the NVIDIA ActiveArmor SNE, which offloads CPU-intensive aspects of firewall and TCP processing.
• WMI scripting support—not available on all systems. For details, refer to Table 1.1, “Hardware and Software Features Support” on page 18.
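The guide names anti-ARP cache poisoning and anti-DHCP server among the antihacking features but does not describe how the firewall implements them. The following is an added example, not NVIDIA code, showing the detection logic a host-side control of that kind has to perform: it keeps the IP-to-MAC binding first learned for an address and rejects a later ARP reply that re-maps it, and it accepts DHCP offers only from an administrator-approved server list. The addresses (192.0.2.0/24, 00:00:5E:00:53:xx) and the allow list are constructed values, and the "first observation is trusted" baseline is an assumption of this example.

```python
# Added example (not NVIDIA code): host-side detection logic for two of the
# attacks the ActiveArmor antihacking features are named after, ARP cache
# poisoning and rogue DHCP servers, run over constructed records.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class DhcpOffer:
    server_ip: str
    server_mac: str


@dataclass
class LinkLayerMonitor:
    # IP -> MAC learned from the first reply seen for that IP. Assumption of
    # this example: the first observation (e.g. at boot, before untrusted
    # hosts can answer) is the trusted baseline.
    bindings: Dict[str, str] = field(default_factory=dict)
    # DHCP servers the administrator has approved (constructed allow list).
    allowed_dhcp_servers: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def observe_arp(self, reply: ArpReply) -> bool:
        """Accept a reply into the cache (True) or reject it because it
        contradicts the binding already known for that IP (False)."""
        mac = reply.sender_mac.lower()
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = mac
            return True
        if known != mac:
            # The poisoning signature: an IP we already know suddenly claims
            # a different MAC. A NIC replacement looks identical, so the
            # alert needs an operator decision rather than an automatic
            # re-learn.
            self.alerts.append(
                f"ARP: {reply.sender_ip} changed from {known} to {mac}")
            return False
        return True

    def observe_dhcp(self, offer: DhcpOffer) -> bool:
        """Accept offers only from approved servers; anything else is a
        candidate rogue DHCP server."""
        if offer.server_ip in self.allowed_dhcp_servers:
            return True
        self.alerts.append(
            f"DHCP: offer from unapproved server {offer.server_ip} "
            f"({offer.server_mac.lower()})")
        return False


def run_demo() -> List[str]:
    """Replay a constructed sequence: a legitimate gateway, a second reply
    that re-maps the gateway IP, and offers from one approved and one
    unknown DHCP server. Returns the alerts raised."""
    mon = LinkLayerMonitor(allowed_dhcp_servers={"192.0.2.1"})
    events = [
        ArpReply("192.0.2.1", "00:00:5E:00:53:01"),    # gateway, learned
        ArpReply("192.0.2.1", "00:00:5e:00:53:01"),    # same binding, OK
        ArpReply("192.0.2.1", "00:00:5E:00:53:FF"),    # re-mapped: alert
        DhcpOffer("192.0.2.1", "00:00:5e:00:53:01"),   # approved server
        DhcpOffer("192.0.2.99", "00:00:5e:00:53:99"),  # unknown: alert
    ]
    for ev in events:
        if isinstance(ev, ArpReply):
            mon.observe_arp(ev)
        else:
            mon.observe_dhcp(ev)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The monitor compares MAC addresses case-insensitively so that a reply that only differs in letter case is not reported. A legitimate hardware change trips the same check as an attack, which is why the example records an alert and refuses the new binding instead of silently re-learning it.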


System Requirements

General Requirements

• WMI (Windows Management Instrumentation) service. Note: WMI service is not automatically started on Windows 2000. The ForceWare Network Installer needs to change this service to run automatically on Windows startup.
• WMI MOF compiler (MOFCOMP) must be available on your computer.
• NTFS file system. It is recommended that you install the ForceWare Network Access Manager application on an NTFS file system so that sensitive information such as Firewall or access configuration data is protected from being changed by a non-Administrator user. For further information on NTFS, please refer to Windows online Help.

Notes and Tips

1 You are strongly encouraged to apply the latest service packs and Security patches from Microsoft. The ForceWare Network Access Manager is compatible with Windows XP Service Pack 2 (see “ActiveArmor Firewall and Windows XP Service Pack 2” on page 20). You can refer to Windows online Help for details on using Windows Update; or, from your Windows desktop, you can click Start > Windows Update (or Start > Programs > Windows Update).

2 In addition to keeping your operating system software up-to-date, NVIDIA strongly recommends that you purchase and use the latest anti-virus software before running ActiveArmor Firewall to ensure that your computer is not infected by any virus or spyware.

3 To ensure that your computer is fully protected from attacks and intruders, install ActiveArmor Firewall on your computer before connecting it to a network.

Hardware Requirements

Support of ForceWare Network Access Manager features on NVIDIA nForce series personal computer systems is outlined in Table 1.1.


Table 1.1 Hardware and Software Features Support

NVIDIA Hardware (Personal Computer) columns:
  (1) nForce2 Gigabit MCP
  (2) nForce3 250 Gigabit, nForce3 Ultra
  (3) nForce3 250 Professional
  (4) nForce4, nForce 4 Ultra, nForce 4 SLI, NVIDIA nForce4 SLI for Intel

NVIDIA Software Supported                                                        (1)  (2)  (3)  (4)
ActiveArmor Firewall                                                             Yes  Yes  Yes  Yes
ForceWare Network Access Manager—Web-based interface                             Yes  Yes  Yes  Yes
ForceWare Network Access Manager—Command line interface (CLI) and WMI Script support  No   Yes  No   Yes
VLAN, IEEE 802.1Q                                                                No   Yes  Yes  Yes
Alert Standard Format (ASF)                                                      No   Yes  No   No
ActiveArmor                                                                      No   No   No   Yes

Note: Miscellaneous features that are not listed (such as checksum off-load, and segmentation off-loads) are supported by all four nForce platforms listed in Table 1.1.

Operating Systems

The ForceWare Network Access Manager application supports the following 32-bit Microsoft operating systems:

• Windows XP Professional—Service Pack 1 or later
• Windows XP 64
• Windows 2000
• Windows Server 2003
• Windows Server 2000

Note: NVIDIA ForceWare Network Access Manager is a native 32-bit application that is supported under Windows XP 64. The only exception is that the Intelligent Application Manager (IAM) is unable to intercept 64-bit network applications. As a result, popup dialog boxes will not appear for 64-bit network applications such as Internet Explorer, Windows Media Player, and similar applications. However, the underlying rule-based firewall will continue to operate for both Windows 64-bit and 32-bit applications and IAM will continue to manage 32-bit network applications. For information about IAM, see “Using the Intelligent Application Manager (IAM)” on page 41 in Chapter 4.

Software, Memory, and Disk Space Requirements

Note: All figures in Table 1.2 are estimates based on default settings and a standard operating environment.

For further information on driver installation, see “Installation Guidelines” on page 21.

Table 1.2 Software, Memory, and Disk Space Requirements

Software                                                      Memory  Disk space for English  Disk space for non-English languages
nForce Ethernet driver for Windows XP/2000 and Windows XP 64  1 MB    500 KB                  Approximately 2 MB per language
ActiveArmor Firewall                                          5 MB    200 KB
ForceWare Network Access Manager                              8 MB    25 MB

Note: To run the ForceWare Network Access Manager software, nForce Ethernet must be configured as a bridge device in the BIOS, which is the factory default.

ActiveArmor Firewall, ActiveArmor SNE, and Ethernet Parameters Reference

Appendix A: “Ethernet Parameters Reference” on page 104, Appendix B: “ActiveArmor Firewall Parameters Reference” on page 143, and Appendix C: “ActiveArmor Secure Network Engine (SNE) Parameters Reference” on page 183 provide detailed parameters reference and usage information. You can also obtain context-sensitive Help when using parameters by clicking the Help tab from any ForceWare Network Access Manager Web-based page.


ActiveArmor Firewall and Windows XP Service Pack 2

Windows XP Service Pack 2 (SP2) includes a collection of security enhancements that are supported by the ActiveArmor Firewall. Service Pack 2 also makes it easier to monitor these settings with the new Windows Security Center, available through the Control Panel.

Windows Security Center

The Windows Security Center provides a centralized view that allows you to monitor security settings that are essential for your computer’s well being (see “System Requirements” on page 17). One of the security components whose settings are monitored is the firewall. The ActiveArmor Firewall supports the Security Center by registering with it and providing up-to-date status.

Figure 1.4 ActiveArmor Firewall

CHAPTER 2

INSTALLATION GUIDELINES

Before Using the ForceWare Network Access Manager Installer

Before you run the ForceWare Network Access Manager installer program, NAMSetup.exe, note the following:

• The nForce Ethernet driver must already be installed and operational on your computer.
• You must have Administrator access rights to do the following:
  • Run the Setup installation program.
  • Uninstall and/or modify the ForceWare Network Access Manager software, as needed.
• If you are using the ForceWare Network Access Manager Web-based interface, note the following:
  • Microsoft Internet Explorer version 5 or later must be running on your computer.
  • The ForceWare Network Access Manager Web-based interface uses the NVIDIA registered TCP port 3476. Make sure no other network application uses port 3476.
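The checks above (Administrator rights, a free TCP port 3476, and the NTFS recommendation from “General Requirements”) are easy to script before a deployment. The following is an added example and not part of the NVIDIA installer: it tests whether port 3476 can still be bound, whether the session is elevated, and which file system holds the install directory. The function names, the report layout and the POSIX fallbacks are this example's own; only the port number and the default install path come from the guide.

```python
# Added example (not part of the NVIDIA installer): pre-installation checks
# an administrator would script before running NAMSetup.exe. Port 3476 and
# the NTFS recommendation come from this guide; the function names are ours.
import ctypes
import os
import socket
from typing import Dict, Optional

NAM_WEB_PORT = 3476  # NVIDIA-registered TCP port used by the Web interface
DEFAULT_INSTALL_DIR = r"C:\Program Files\NVIDIA Corporation\NetworkAccessManager"


def tcp_port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if nothing is bound to host:port, tested by binding it ourselves."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
            return True
        except OSError:
            return False


def port_check_detects_listener() -> bool:
    """Self-check: open a listener on an ephemeral port and confirm that
    tcp_port_is_free() reports that port as taken."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        return not tcp_port_is_free(port)
    finally:
        listener.close()


def running_as_administrator() -> bool:
    """Administrator on Windows, root elsewhere (the guide's requirement is
    the Windows one; the POSIX branch only keeps the script portable)."""
    if os.name == "nt":
        try:
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    return os.geteuid() == 0


def volume_filesystem(path: str) -> Optional[str]:
    """Name of the file system holding `path` (Windows only, None elsewhere)."""
    if os.name != "nt":
        return None
    root = os.path.splitdrive(os.path.abspath(path))[0] + "\\"
    fs_name = ctypes.create_unicode_buffer(256)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, None, None, None, fs_name, 256)
    return fs_name.value if ok else None


def preinstall_report(install_dir: str = DEFAULT_INSTALL_DIR,
                      port: int = NAM_WEB_PORT) -> Dict[str, object]:
    """Collect the pre-installation facts the guide asks you to confirm."""
    fs = volume_filesystem(install_dir)
    return {
        "port_free": tcp_port_is_free(port),
        "is_admin": running_as_administrator(),
        "filesystem": fs,
        "ntfs": (fs.upper() == "NTFS") if fs else None,
    }


if __name__ == "__main__":
    for key, value in preinstall_report().items():
        print(f"{key}: {value}")
```

A port that cannot be bound means another application already listens on it; a free port only says nothing holds it at the moment of the check, so run the script under the same conditions (services started, user logged in) that the Web interface will later see.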

Chapter 2 Installation Guidelines

Installing ForceWare Network Access Manager

The ForceWare Network Access Manager installation program (NAMSetup.exe) and software are part of the basic nForce driver installation package, which you can usually obtain from the NVIDIA Web site (www.nvidia.com) or a partner OEM.

1 Download the nForce driver installation package.

Note: There are two basic language editions of the nForce driver installation package: English only and International. If your preferred language is one of the following, make sure you download the International edition:

• Brazilian Portuguese
• French
• German
• Italian
• Spanish
• Japanese
• Korean
• Simplified Chinese
• Traditional Chinese

2 Open or save the package to a specified directory. The directory root is usually C:\NVIDIA\nForce....

3 If you saved the package, manually start the setup.exe file; if you chose to “open” the nForce package in step 2, the setup.exe program starts running automatically.

4 When the prompt appears to install the Network Access Manager and Firewall, proceed as requested, unless you want to run a “silent” installation, in which case, go to “Installing Network Access Manager in Silent Mode—Optional” on page 23.

5 If you are proceeding with the auto-installation of the Network Access Manager software, simply follow the prompts to complete the installation process. The ForceWare Network Access Manager installation program (<uncompressed directory_name>\Ethernet\NAM\NAMSetup.exe) uncompresses and saves all the relevant software in a directory you specify. By default, this directory is: c:\Program Files\NVIDIA Corporation\NetworkAccessManager.


Installing Network Access Manager in Silent Mode—Optional

The ForceWare Network Access Manager software supports the silent installation method, which means no user interaction is needed to install the software. For example, as an Administrator, you may want to create a custom “silent” installation script for end users to easily install Network Access Manager software.

The silent installation process uses a response (.iss) file that contains information similar to what you would enter as responses to dialog boxes when running a normal setup.

Creating the Response File

From the directory where the ForceWare Network Access Manager installation program is located (<uncompressed directory_name>\Ethernet\NAM\NAMSetup.exe), follow these steps:

1 Enter the following command:

NAMSetup.exe /r /f1"c:\nvidia_net.iss"

2 Go through the installation dialog boxes as you would in a normal auto-installation—explained in the previous section. Note that in this installation process, you will select the options to be used in subsequent silent installations. All choices are recorded in the response file named nvidia_net.iss.

Note: You can change the path and name of the response file by replacing c:\nvidia_net.iss with a drive letter and file name of your choice.

The ForceWare Network Access Manager installation program runs and uncompresses all the relevant software in a directory you specify. By default, this directory is: c:\Program Files\NVIDIA Corporation\NetworkAccessManager.

Running Installation in Silent Mode

From the directory where the ForceWare Network Access Manager installation program is located (<uncompressed directory_name>\Ethernet\NAM\NAMSetup.exe), enter the following command to run the installation program in silent mode:

NAMSetup.exe /s /f1"c:\nvidia_net.iss"


Launching the ForceWare Network Access Manager Web Interface

Before you launch the ForceWare Network Access Manager Web interface, make sure you have completed running the ForceWare Network Access Manager installer program using the instructions in the previous sections of this chapter.

1 To launch the ForceWare Network Access Manager Web-based interface, from your Windows taskbar, click Start > Programs > NVIDIA Corporation > Network Access Manager > Web-based Interface.

To launch just the ActiveArmor Firewall Web interface, click on the ActiveArmor Firewall desktop link or, from your Windows taskbar, click Start > Programs > NVIDIA Corporation > Network Access Manager > ActiveArmor Firewall. The ActiveArmor Web interface allows you to configure the ActiveArmor Firewall, ActiveArmor Secure Network Engine (SNE), and other general administrative features.

Note: If you are using the ForceWare Network Access Manager Web-based interface locally instead of remotely, you do not need to follow the instructions about working with security certificates as explained in the steps that follow.

2 Remote Users: If you are a “remote” user of the ForceWare Network Access Manager Web-based interface, before you can enter your user name and password, a Security Alert (Figure 2.1) page appears alerting you about the managed computer’s security certificate. The security certificate is generated by the Network Access Manager to enable Secure Sockets Layer (SSL) to secure the communications channel.


Figure 2.1 Security Alert—For Remote Users Only

Note: You have to enable your browser to trust this security certificate before you can proceed. To avoid being prompted by the Web browser about the security certificate, you can choose to import the certificate in one of two ways, as explained in “Trusting the Security Certificate—For Remote Users Only” on page 25.

Trusting the Security Certificate—For Remote Users Only

Importing the Certificate—First Method

1 When you are prompted by the Web browser about the managed computer’s security certificate (Figure 2.1), click View Certificate to display the Certificate page (Figure 2.2).
2 On the Certificate page, click Install Certificate to launch the Certificate Import Wizard page (Figure 2.3).
3 Click Next to display the Certification Store page (Figure 2.4).
4 Select Automatically select the certificate store based on the type of certificate (Figure 2.4) and click Next. The completion page of the Certificate Import Wizard appears (Figure 2.5).
5 Click Finish. The Root Certificate Store dialog box appears (Figure 2.6).


Figure 2.2 Certification Page—For Remote Users Only

Figure 2.3 Certification Page—For Remote Users Only


Figure 2.4 Certification Import Wizard—For Remote Users Only

Figure 2.5 Certificate Import Wizard Completion Page—For Remote Users Only


Figure 2.6 Root Certificate Store—For Remote Users Only

6 Click Yes to add the certificate to the Root Store.

Importing the Certificate—Second Method

This method is more secure than the “Importing the Certificate—First Method” on page 25 as you are assured that the certificate comes from the managed computer. Note that on the managed computer, the certificate is stored in:

<install directory>\Apache Group\Apache2\conf\ssl\server.crt

where <install directory> is the directory where Network Access Manager is installed. The “default” installation directory is c:\Program Files\NVIDIA Corporation\NetworkAccessManager.

1 Copy the server.crt certificate to the computer that is the remote Web browser.
2 On the remote Web browser, launch Internet Explorer.
3 Go to Tools > Internet Options > Content > Certificates and click Import to launch the Certificate Import Wizard page (Figure 2.4).
4 Click Next to display the Certification Store page (Figure 2.4).
5 Select Automatically select the certificate store based on the type of certificate (Figure 2.4) and click Next. The completion page of the Certificate Import Wizard appears (Figure 2.5).
6 Click Finish to display the Root Certificate Store dialog box (Figure 2.6).
7 Click Yes to add the certificate to the Root Store.
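The second method is safer because the file is carried from the managed computer rather than accepted from whatever answered on port 3476, and the remaining risk is a wrong or swapped server.crt on the way. The following added example, not NVIDIA code, closes that gap with the standard library alone: it decodes the PEM file to DER, prints the fingerprint in the colon-separated form certificate viewers use (the Windows certificate dialog shows the SHA-1 thumbprint), and compares it with the value an administrator reads off the managed computer, ignoring the spacing and case differences between viewers. SAMPLE_PEM is a constructed placeholder wrapping the bytes "abc", not a real certificate; on a real deployment the input is the server.crt named above.

```python
# Added example (not NVIDIA code): fingerprint the copied server.crt so it
# can be compared with the value shown on the managed computer before it is
# imported into the Root store. Standard library only.
import base64
import hashlib
import re
from typing import List

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> List[bytes]:
    """Decode every CERTIFICATE block in a PEM file to its DER bytes."""
    blocks = []
    for body in _PEM_BLOCK.findall(pem_text):
        blocks.append(base64.b64decode("".join(body.split())))
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return blocks


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER encoding, the form
    certificate viewers display (SHA-1 is what the Windows dialog calls
    the thumbprint; pass 'sha256' for the stronger value)."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def same_fingerprint(shown: str, computed: str) -> bool:
    """Compare two fingerprints ignoring separators and case, since one
    viewer prints 'a9 99 3e', another 'A9:99:3E'."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(shown) == norm(computed)


def verify_file(pem_text: str, expected_thumbprint: str,
                algorithm: str = "sha1") -> bool:
    """True if the first certificate in pem_text has the expected digest."""
    der = pem_to_der(pem_text)[0]
    return same_fingerprint(expected_thumbprint, fingerprint(der, algorithm))


# Constructed placeholder standing in for server.crt: a PEM wrapper around
# the bytes b"abc". It is not a real certificate; a real server.crt holds a
# DER-encoded X.509 certificate, which these functions treat the same way.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)[0]
    print("SHA-1  :", fingerprint(der, "sha1"))
    print("SHA-256:", fingerprint(der, "sha256"))
```

Read the thumbprint on the managed computer (the Details tab of the certificate dialog, or this script run there against the path above), carry it separately from the file, and import only when verify_file() returns True for the copy.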


Localizing the Web Interface

If you have installed the “International” edition of the ForceWare Network software as explained in “Installing ForceWare Network Access Manager” on page 21, then follow these steps available from the Internet Explorer menu to enable one of the non-English languages supported by your ForceWare Network Access Manager Web browser.

Note: The Network Access Manager has components that are applications based on Windows, such as the NVIDIA System Tray or the IAM pop-up dialog. These applications are displayed only in the language used by the Windows operating system.

1 In Internet Explorer, on the Tools menu, click Internet Options.
2 On the General tab, click Languages.
3 Click Add.
4 Select the language you want to add. The following languages are supported by your ForceWare Network Access Manager Web browser:
  • Brazilian Portuguese
  • French
  • German
  • Italian
  • Spanish
  • Japanese
  • Korean
  • Simplified Chinese
  • Traditional Chinese
5 Click OK. The language you added appears in the Language: list.
6 If more than one language appears in the list and you want to activate the language you just added, move it to the top of the list.
7 Click OK and click OK again to exit the Internet Options dialog box.
8 Press F5 to refresh your screen.

The Web interface now appears in your chosen language.
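Step 6 works because the browser turns its Languages list into an Accept-Language request header, with the first entry preferred and later entries carrying decreasing q-values, and the Web server picks the best supported match. The following is an added example, not the NVIDIA Web server's code, that shows both halves: an approximation of how Internet Explorer encodes its list (first entry without a q-value, later ones with q falling in equal steps; the exact values are this example's assumption) and the server-side choice among the languages the guide lists. The language tags in SUPPORTED are this example's mapping; the guide names the languages only.

```python
# Added example (not the NVIDIA Web server's code): Accept-Language
# negotiation, which is the mechanism behind "move it to the top of the
# list" in the localization steps.
import re
from typing import List, Tuple

# Languages the guide lists, keyed by the tags browsers send. The tag
# mapping is this example's assumption; the guide names the languages only.
SUPPORTED = {
    "en": "English",
    "pt-br": "Brazilian Portuguese",
    "fr": "French",
    "de": "German",
    "it": "Italian",
    "es": "Spanish",
    "ja": "Japanese",
    "ko": "Korean",
    "zh-cn": "Simplified Chinese",
    "zh-tw": "Traditional Chinese",
}
DEFAULT = "en"  # assumed fallback when nothing in the header matches


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Return (tag, q) pairs sorted by q descending, header order as the
    tiebreak. Entries without a q parameter count as q=1."""
    entries = []
    for index, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        match = re.search(r"q\s*=\s*([0-9.]+)", params)
        if match:
            try:
                q = float(match.group(1))
            except ValueError:
                q = 0.0
        entries.append((tag.strip().lower(), q, index))
    entries.sort(key=lambda e: (-e[1], e[2]))
    return [(tag, q) for tag, q, _ in entries]


def choose_language(header: str) -> str:
    """Pick the most preferred supported language, falling back from a
    regional tag (fr-ca) to its base language (fr), then to DEFAULT."""
    for tag, q in parse_accept_language(header):
        if q <= 0:            # q=0 means "not acceptable"
            continue
        if tag in SUPPORTED:
            return tag
        base = tag.split("-")[0]
        if base in SUPPORTED:
            return base
    return DEFAULT


def ie_language_list_to_header(tags: List[str]) -> str:
    """Approximate how Internet Explorer encodes its Languages list: the
    first entry has no q, later entries get q falling in equal steps
    (assumption of this example, rounded to one decimal)."""
    parts = []
    count = len(tags)
    for index, tag in enumerate(tags):
        if index == 0:
            parts.append(tag)
        else:
            parts.append(f"{tag};q={round(1 - index / count, 1)}")
    return ",".join(parts)


if __name__ == "__main__":
    header = ie_language_list_to_header(["ja", "fr", "en-us"])
    print(header, "->", SUPPORTED[choose_language(header)])
```

With Japanese moved above French the header starts with "ja" and the server serves Japanese; with the order reversed the same two entries yield French, which is exactly what step 6 changes.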


Configuration Deployment

Configuration deployment means configuring multiple computers to use the same configuration through an “automated” procedure. You can use any one of the following configuration methods:

• Run the nCLI command to change parameters during the login script.
• Run nCLI to configure one parameter at a time or use the import command for bulk configuration. Note: Sample command line access scripts can be found in the sample directory, under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or the path you specified. See “Using The NVIDIA Command Line Interface (nCLI)” on page 86 for more information.
• Create and run WMI scripts to change parameters when executing the login script.

Before You Begin

• WMI script usage samples are provided in the following subdirectories under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or the path you specified:
  samples\Eth
  samples\Firewall
  samples\ActiveArmor
• You can cut and paste the appropriate commands and use them in a batch file or on the command line. For further details, see “Using WMI Script” on page 84.
• To use WMI scripting, you must be familiar with the syntax and characteristics of configuration parameters. See the “Ethernet Parameters Reference” on page 104, “ActiveArmor Firewall Parameters Reference” on page 143, and “ActiveArmor Secure Network Engine (SNE) Parameters Reference” on page 183 for details. For additional details, refer to the Microsoft documentation on WMI scripting.

Note: Many Ethernet parameters require restarting the network driver for script changes to take effect. When the network driver is restarted, network connections will terminate, which will terminate the login


CHAPTER 3

ACTIVEARMOR FIREWALL: BASIC CONCEPTS

Types of Firewalls

The ActiveArmor Firewall is a type of firewall that is typically referred to as a “PC firewall” or a “desktop firewall.” Another classification of firewalls is the “gateway firewall.”

The main difference between the PC firewall and the gateway firewall is that while the gateway firewall monitors network traffic and controls access between two different networks or administrative domains, the PC firewall controls traffic generated or received by a single computer. Therefore, a gateway firewall is usually a dedicated computer, or a part of a network switch or router, with multiple interfaces through which certain traffic is allowed and other traffic is blocked. A PC firewall is usually software that is installed on the personal computer, or a combination of software and hardware that is integrated into the computer. In both types of firewalls, certain traffic is allowed and certain traffic is blocked according to the specific rules configured for the firewall.

The firewalls just discussed can be further classified as one of two types:
• Application layer
• Packet-based, which are of two main sub-types:
  • Stateful
  • Stateless


Note: The ActiveArmor Firewall is a “packet-based PC firewall” with both “stateful” and “stateless” features.

Stateful vs. Stateless

Stateful and stateless are adjectives that describe whether a computer or computer program is designed to note and remember one or more preceding events in a given sequence of interactions with a user, another computer or program, a device, or other outside element. Stateful and stateless are derived from the usage of state as a set of conditions at a moment in time. Stateful means the computer or program keeps track of the state of interaction, usually by setting values in a storage field designated for that purpose. Stateless means there is no record of previous interactions and each interaction request has to be handled based entirely on information that comes with it.

Inbound vs. Outbound Packets

Network traffic is neither inherently safe nor dangerous. In addition to the usual attributes of packets that can distinguish them from each other, such as IP addresses and TCP port numbers, one criterion that can be used to help discriminate traffic is the direction in which that traffic is flowing. For traffic arriving from outside the PC, it is reasonable to presume that there is a chance that an attack may be present, whereas traffic originated by the PC is less likely to be dangerous. The firewall rules consider the direction of traffic as an attribute when establishing the traffic that should be allowed (i.e., such traffic is deemed to be safe or to have an acceptable level of risk) versus the traffic that should be denied (i.e., such traffic is deemed to be unsafe).

Note: The tolerance for risk will vary among users, so there is no universally accepted definition of “dangerous” packets. However, the default configuration of the ActiveArmor Firewall represents industry-accepted best practices, and can be used as the basis for customized configurations that more closely match the end-user's specific requirements.

By defining the direction as part of the specification of a rule, the end-user can separate traffic that he/she considers to be safe enough from traffic considered unsafe. Most protocols exchange traffic bi-directionally; therefore, the “direction” of such exchanges is defined by the connection-initiation packet. For example, in the case of a TCP packet, the first packet matching a new set of IP addresses and TCP ports for which the TCP SYN flag is set establishes the direction of that subsequent bi-directional flow.


Other protocols, such as User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP), may not have the equivalent of the TCP “SYN” flag. Therefore, for those protocols, the ActiveArmor Firewall uses the direction of the first packet matching a given set of IP addresses and, for example, UDP ports, as the direction for the subsequent bi-directional flow.

About the TCP Protocol

Some network protocols, such as TCP, require an explicit connection initialization process. Firewall rules that apply to TCP typically depend partially on the direction of the connection establishment. When referring to protocols that involve establishment of a connection:
• Inbound describes a connection attempt not originated by the local computer.
• Outbound describes a connection attempt that was originated by the local computer.

About the UDP and ICMP Protocols

Unlike TCP, other protocols, such as UDP and ICMP, do not have an explicit connection establishment process. A computer can use protocols such as UDP and ICMP to send data packets to any other computer at any time, but the receiving computer, or an intervening firewall, can reject or accept the data on a per-packet basis.

UDP

UDP is frequently used in a connection-like manner, but without the connection establishment process. In other words, UDP-based applications may rely on long-term computer-to-computer sessions. However, the meaning of the “direction of the connection” in the UDP context is broader than in the TCP context.
• The direction of a packet is inbound if the initial packet matching this new set of IP and UDP header field values was a received packet.
• Similarly, a UDP connection is considered to be outbound if the initial packet matching this new set of IP and UDP header field values was a transmitted packet.

Thus, firewall rules that apply to UDP typically also depend on the direction of the first packet of a new “connection.” UDP packets, like TCP packets, can be matched against a “connection table” by performing a hash function on certain fields in the packet to determine if there is a match in a table of hash values where there is at least one connection that corresponds to each hash value.


ICMP

ICMP is an example of a protocol with neither a connection establishment process nor any connection-like functionality. Firewall rules relevant to these types of protocols are applied to every packet, and inbound and outbound respectively refer to packets (of one of these protocols) that are received and transmitted across any of the network interfaces that the firewall is protecting.

Stateful Filtering

Stateful filtering (also known as stateful inspection or dynamic packet filtering) provides enhanced security by monitoring network packets over the period of the connection for that particular traffic. Because stateful filtering can dynamically track each connection, compare packets against the connection's expected state, and drop the packets that don't conform to the protocol, it has replaced static filtering as the industry standard firewall solution for networks.

It is also the case that stateful filtering scales much better than stateless filtering because the firewall policy table is only consulted once per connection, instead of once per packet. This means that as the number of rules grows, the stateful firewall will use a lower percentage of CPU, because in a stateless design, each packet will have to be compared against half of the firewall rules, on average, until a matching rule is found that explicitly allows or denies the packet. However, an increase in the size of the firewall policy rule table does not impact the stateful firewall to such a large degree, since the majority of packets are not connection setup packets. A stateful firewall amortizes the CPU cycles that were used to do the firewall policy rule table lookup over the massive per-packet CPU savings due to having only a simple per-packet hash to compute, to determine if the current packet is associated with a previously allowed connection. In contrast, a stateless firewall must examine every packet against the complete firewall policy rule table, or until it finds a matching rule, so in essence, every packet is treated as a connection setup packet, incurring the associated processing penalty. As a result of the differences in processing required for stateful vs. stateless firewall lookups, latency due to stateful firewall operations is very small and nearly constant on a per-packet basis, whereas latency in a stateless firewall depends on the size of the firewall policy rule table, and is of a much larger magnitude.

Once a TCP or UDP connection is established, a stateful firewall ensures that data traffic for that connection can flow in either direction—even if the rules governing the firewall limit such traffic to be only associated with remotely generated (i.e., inbound), or locally-originated (i.e., outbound) connections. When a stateful firewall has determined that a connection is being established by decoding each packet, it checks its policy table to find out whether the connection is allowed or denied.
• In TCP, the connection establishment packet is a specially marked TCP packet that the firewall can detect.
• A UDP connection is initiated by the first packet matching a set of identifying fields in the IP and UDP headers.

If the firewall allows the new connection, the firewall saves a set of five values related to that connection’s establishment into its connection-tracking table during the lifetime of that connection. Every inbound and every outbound packet associated with a given connection contains the same five values. This allows the stateful firewall to quickly check whether or not the packet belongs to a connection that was previously granted permission and then deny or allow the packet accordingly.

Note: Only TCP packets that match the connection-tracking table are allowed. UDP packets that do not match the table may represent a new “connection” and are compared with the firewall rules in order to determine whether or not to add an entry to the connection-tracking table for this new connection.

The five “connection identifying” values saved into the connection-tracking table are:
• IP Source Address
• IP Destination Address
• IP Protocol
• TCP or UDP Source Port
• TCP or UDP Destination Port

For TCP, in addition to the five items in the list, the firewall tracks the state of the TCP connection (for example, the current stage of the connection establishment process) in order to enforce legal state transitions in the TCP protocol. The firewall also tracks the current TCP “sequence and acknowledgement” numbers and the most recent TCP window in order to determine whether to drop packets that fall outside the current valid TCP window. This kind of scrutiny prevents potential attackers from sending spurious TCP “reset” packets to the local computer, in that the firewall prevents these reset packets from reaching the host if the TCP sequence number of the reset packet falls outside the current valid TCP receiving window.

Some TCP options can also be used by the stateful firewall in determining whether to allow or deny TCP packets because certain TCP options can only be used if their use was negotiated during the connection establishment process. If such TCP options were negotiated during the connection establishment phase, then the TCP state will reflect the successfully negotiated TCP options for that connection. The TCP policy table can still override the peers and prevent certain TCP options from being negotiated at all.

Note: Other TCP options are not pre-negotiated. Therefore, decisions about whether to allow or deny TCP packets with such options must be based on the stateless (see “Stateless Filtering”) configuration of the firewall.
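The five-value connection-tracking table, the SYN/first-packet direction rule and the sequence-window check on inbound resets described above, worked through as an added Python model (example code written for this edition, not NVIDIA's firewall code; the packet layout, rule syntax and addresses are assumptions):

```python
# Added example, not NVIDIA code: a toy stateful filter that mimics the
# connection-tracking behaviour described in this chapter. Packet layout, rule
# syntax, addresses and window bookkeeping are all constructed for illustration.
from dataclasses import dataclass
from typing import Optional

LOCAL_IP = "192.0.2.10"  # constructed address of the protected PC

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" (received) or "out" (transmitted)
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    seq: int = 0                    # TCP sequence number of this packet
    length: int = 0                 # TCP payload bytes carried
    window: int = 0                 # receive window advertised by this packet

@dataclass
class Conn:
    direction: str                         # fixed by the connection's first packet
    remote_next_seq: Optional[int] = None  # next sequence number expected from the peer
    local_window: int = 65535              # window the local side last advertised

class StatefulFilter:
    # Rules: (proto, initiating direction, its destination port or None, action); first match wins.
    def __init__(self, rules):
        self.rules = list(rules)   # policy table, consulted once per connection
        self.table = {}            # five-tuple key -> Conn (connection-tracking table)
        self.policy_lookups = 0

    @staticmethod
    def key(p):
        # (local, remote, proto, local port, remote port): both directions hash to one entry
        if p.direction == "out":
            return (p.src, p.dst, p.proto, p.sport, p.dport)
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def _policy_allows(self, p):
        self.policy_lookups += 1
        for proto, direction, port, action in self.rules:
            if proto == p.proto and direction == p.direction and port in (None, p.dport):
                return action == "allow"
        return False               # no explicit rule: the new connection is denied

    def filter(self, p):
        k = self.key(p)
        conn = self.table.get(k)
        if p.proto == "tcp":
            if conn is None:
                # Only a SYN without ACK may open an entry; any other unmatched TCP packet is dropped.
                if "SYN" not in p.flags or "ACK" in p.flags or not self._policy_allows(p):
                    return False
                conn = self.table[k] = Conn(direction=p.direction)
            return self._track_tcp(k, conn, p)
        if p.proto == "udp":
            if conn is None:       # a non-matching UDP packet may start a new "connection"
                if not self._policy_allows(p):
                    return False
                self.table[k] = Conn(direction=p.direction)
            return True
        return False               # other protocols are left to stateless filtering

    def _track_tcp(self, k, conn, p):
        if p.direction == "out":
            if p.window:
                conn.local_window = p.window
            return True
        if "RST" in p.flags:
            # A reset is honoured only if its sequence number lies inside the last advertised window.
            if conn.remote_next_seq is not None:
                lo, hi = conn.remote_next_seq, conn.remote_next_seq + conn.local_window
                if not lo <= p.seq < hi:
                    return False
            del self.table[k]
            return True
        conn.remote_next_seq = p.seq + p.length + (1 if p.flags & {"SYN", "FIN"} else 0)
        return True

def run_demo():
    fw = StatefulFilter([("tcp", "out", None, "allow"),   # PC may open any TCP connection
                         ("udp", "out", 53, "allow")])    # and send DNS queries; inbound: deny
    S, SA, A, R = (frozenset(x) for x in ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}))
    web, dns, stranger = "198.51.100.5", "198.51.100.53", "203.0.113.7"
    pk = [
        Packet("out", "tcp", LOCAL_IP, web, 40000, 80, S, seq=1000, window=8192),
        Packet("in", "tcp", web, LOCAL_IP, 80, 40000, SA, seq=5000),
        Packet("in", "tcp", web, LOCAL_IP, 80, 40000, R, seq=999_999),  # reset outside window
        Packet("in", "tcp", web, LOCAL_IP, 80, 40000, R, seq=5001),     # reset inside window
        Packet("in", "tcp", stranger, LOCAL_IP, 4444, 445, S, seq=7),   # inbound connect attempt
        Packet("in", "tcp", stranger, LOCAL_IP, 4444, 40001, A, seq=8), # ACK with no connection
        Packet("out", "udp", LOCAL_IP, dns, 50000, 53),                 # DNS query
        Packet("in", "udp", dns, LOCAL_IP, 53, 50000),                  # its reply
        Packet("in", "udp", dns, LOCAL_IP, 53, 50001),                  # unsolicited datagram
    ]
    return [fw.filter(p) for p in pk], fw.policy_lookups
```

The returned lookup count shows the policy table being consulted only for the four connection attempts, while the five remaining packets are decided by the hash-table match alone.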

Stateless Filtering

The main difference between stateful filtering and stateless filtering is that, contrary to the quick lookup-and-decide process enabled by the connection state tracking table that drives the decision-making process in stateful filtering, all of the stateless filtering rules must be examined in sequence, for each packet, until a rule is found that either explicitly allows or denies that packet.

Note: For protocols such as ICMP and other non-TCP and non-UDP protocols, and for any non-IP protocols, the firewall performs stateless filtering but no stateful tracking or filtering.

In stateless filtering, the firewall can be configured to “allow in” or “deny in” certain kinds of traffic (from a specific protocol, with a particular option, etc.) on a given network interface. Similarly, the firewall can be configured to “allow out,” “deny out,” “allow in and out,” or “deny in and out” on the same traffic. Note that “in” implies the receive direction and “out” implies the transmit direction.

On average, the firewall will need to search half of its rules list for any given packet in order to find an applicable rule. Therefore, in general, as the number of rules increases, the firewall consumes more time in determining the outcome of a given packet. On the other hand, the ActiveArmor Firewall has been optimized so that looking up certain commonly used parameters (for example, ICMP, TCP, and UDP in the IP protocol table) is much faster and independent of the table size.

The firewall can be configured to perform stateless filtering based on:
• EtherType values
• Specific IPv4 or IPv6 addresses or address prefixes


• Specific domain names contained within DNS name resolution queries or responses

• Specific IP options
• Specific TCP options
• Specific ICMP (Type, Code) pairs
• Other relevant parameters

In all cases, stateless filtering rules are specified in the appropriate firewall table in the ForceWare Network Access Manager Web-based interface.

For example, when filtering ICMP traffic, the filtering rule is based on both the first three items (IP Source Address, IP Destination Address, and IP Protocol) listed in the section on “Stateful Filtering” on page 34, as well as the particular ICMP (Type, Code) field values in each ICMP packet. In ICMP filtering, the IP Protocol is implicitly required to have a value of “0x01,” which is the protocol value for ICMPv4. A similar requirement is placed on ICMPv6, with its own unique identifying number in the IPv6 headers (i.e., 0x3A).

In most situations involving stateless filtering, it is necessary to allow a given protocol to go both in and out on a given interface in order for the associated application to operate normally. However, it may also be the case that certain applications require that one type of traffic be allowed in, while another type is allowed out.

One example of the latter case is “ping”: in order for the application process to complete successfully, the firewall must be configured to allow both an outbound ICMP Echo packet (Type = 0x08, Code = 0x00) and an inbound ICMP Echo Reply packet (Type = 0x00, Code = 0x00). These settings will allow the local PC to “ping” remote computers but will not necessarily allow remote computers to “ping” the local computer, because inbound ICMP Echo packets and outbound ICMP Echo Reply packets are not necessarily allowed.

Note: Based on the above values, note that the ICMP (Type, Code) pair values for ICMP Echo and Echo Reply are, in fact, different.
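The ordered, per-packet rule walk and the ping example from the paragraphs above, as an added Python illustration (not NVIDIA's code; the rule format, addresses and sample packets are constructed):

```python
# Added example, not NVIDIA code: ordered stateless rule evaluation for ICMP,
# using the (Type, Code) pairs and direction semantics from this section.
# Rule syntax, addresses and sample packets are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

IP_PROTO_ICMPV4 = 0x01
ECHO = (0x08, 0x00)        # ICMP Echo (ping request)
ECHO_REPLY = (0x00, 0x00)  # ICMP Echo Reply

@dataclass(frozen=True)
class IcmpPacket:
    direction: str         # "in" (received) or "out" (transmitted)
    src: str
    dst: str
    ip_proto: int
    icmp_type: int
    icmp_code: int

@dataclass(frozen=True)
class StatelessRule:
    direction: str                  # "in", "out" or "in and out"
    icmp_type: Optional[int]        # None matches any type
    icmp_code: Optional[int]        # None matches any code
    action: str                     # "allow" or "deny"
    src: Optional[str] = None       # optional IP source address restriction
    dst: Optional[str] = None       # optional IP destination address restriction

    def matches(self, p):
        # ICMP filtering implicitly requires IP Protocol 0x01, then compares the
        # address fields and the (Type, Code) pair of each packet.
        if p.ip_proto != IP_PROTO_ICMPV4:
            return False
        if self.direction != "in and out" and self.direction != p.direction:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst),
                           (self.icmp_type, p.icmp_type), (self.icmp_code, p.icmp_code)):
            if want is not None and want != have:
                return False
        return True

class StatelessIcmpFilter:
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p):
        """Walk the rules in sequence; returns (action, number of rules examined)."""
        for n, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                return rule.action, n
        return self.default, len(self.rules)

def ping_demo():
    """Rules that let the local PC ping out but do not let others ping it."""
    fw = StatelessIcmpFilter([
        StatelessRule("out", *ECHO, "allow"),        # outbound Echo (Type 8, Code 0)
        StatelessRule("in", *ECHO_REPLY, "allow"),   # inbound Echo Reply (Type 0, Code 0)
    ])
    me, peer = "192.0.2.10", "198.51.100.5"        # constructed addresses
    traffic = [
        IcmpPacket("out", me, peer, 0x01, *ECHO),          # our ping request
        IcmpPacket("in", peer, me, 0x01, *ECHO_REPLY),     # the answer
        IcmpPacket("in", peer, me, 0x01, *ECHO),           # peer pinging us
        IcmpPacket("out", me, peer, 0x01, *ECHO_REPLY),    # our reply to it
        IcmpPacket("in", peer, me, 0x01, 0x03, 0x03),      # Destination Unreachable (Type 3, Code 3)
    ]
    return [fw.decide(p) for p in traffic]

def ping_both_ways_demo():
    """Symmetric "in and out" rules additionally let remote computers ping the local PC."""
    fw = StatelessIcmpFilter([
        StatelessRule("in and out", *ECHO, "allow"),
        StatelessRule("in and out", *ECHO_REPLY, "allow"),
    ])
    me, peer = "192.0.2.10", "198.51.100.5"
    return [fw.decide(IcmpPacket("in", peer, me, 0x01, *ECHO))[0],
            fw.decide(IcmpPacket("out", me, peer, 0x01, *ECHO_REPLY))[0]]
```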


CHAPTER 4

CONFIGURING THE ACTIVEARMOR FIREWALL

ActiveArmor Firewall Parameters Reference

Appendix B: “ActiveArmor Firewall Parameters Reference” on page 143 is an ActiveArmor Firewall reference guide, categorizing the ActiveArmor Firewall parameters by group and table names. When you are using the Firewall parameters from the ForceWare Network Access Manager Web-based interface, you can easily access online Help by clicking the Help tab.

Using the Basic Configuration Page

Note: ActiveArmor Firewall only operates on an NVIDIA Ethernet interface. ActiveArmor Firewall will not protect network traffic or applications on a system that uses a third-party Ethernet interface (for example, 3Com, Intel, Broadcom, DLink, etc.) on an NVIDIA nForce motherboard.

1 Open the ActiveArmor Firewall desktop link or the ForceWare Network Access Manager Web-based interface. If you need help, see “Launching the ForceWare Network Access Manager Web Interface” on page 24.

2 From the Firewall menu, click the Basic Configuration option to open the Firewall Basic Configuration page (Figure 4.1).

3 Click the Security Profiles list to view the profiles, which are predefined sets of table rules.


Note: You cannot edit these basic pre-defined profiles. To create custom profiles to define the sets of ActiveArmor Firewall rules, see “Advanced Configuration” on page 48 and “Using the ActiveArmor Firewall Wizards Page” on page 55.


Figure 4.1 ActiveArmor Firewall—Basic Configuration

4 To enable a specific profile, click the Security profiles list and select the profile you want. See the next section, “Security Profile Settings” for an explanation of each setting.

5 Click Apply.
6 To view the actual rules associated with a profile, repeat step 4 above.
7 From the Firewall > Advanced Configuration menu, click the appropriate option to open a table. Using the table, you can determine whether the settings are appropriate for the level of protection you want for your application(s).

Security Profile Settings

Note: You cannot edit the pre-defined profile settings described below. However, you can create custom profiles to define the sets of ActiveArmor Firewall rules, as explained in “Advanced Configuration” on page 48 and “Using the ActiveArmor Firewall Wizards Page” on page 55.


For additional details about security profiles, see “Configure Firewall Security Level” on page 143 in Appendix B.

• Lockdown drops all traffic packets, except outbound Alert Standard Format (ASF) packets, and the ActiveArmor Firewall Intelligent Application Manager (IAM) is disabled.

• High is an extremely secure setting. However, due to the stringent filtering rules associated with this setting, many applications may not work as expected and some applications may not work at all.

• Medium (the default profile setting after installation) is intended to provide a good balance between usability and security, with an emphasis on security.

• Low is the least secure of the profile settings, but allows most applications to work properly.

• Antihacking only is a profile setting that enables only the antihacking features of the ActiveArmor Firewall and is useful in a dual firewall configuration—for example, if you want to use a third-party firewall product along with the antihacking features of the ActiveArmor Firewall.
Note: The Antihacking only setting disables the IAM, ActiveArmor, and the ActiveArmor Firewall, allowing most incoming and outgoing network traffic**. The logging of ActiveArmor Firewall messages will proceed as usual, as long as you have enabled one of the logging message types in the ActiveArmor Firewall Log Settings page.

** If you are using the Antihacking only setting with a third-party firewall, then this third-party firewall controls the incoming and outgoing network traffic; it will probably deny most incoming and outgoing network traffic. However, the ActiveArmor Firewall will still continue to log messages pertaining to the Antihacking only setting, as long as you have enabled one of the log message types in the ActiveArmor Firewall Log Settings page. For additional information, see “ActiveArmor Firewall Logging” on page 63.

• Off turns off the IAM, ActiveArmor, and the ActiveArmor Firewall, allowing all incoming and outgoing network traffic.

Using the Intelligent Application Manager (IAM)

The initial release of the ActiveArmor Firewall was designed for applications that use well-defined ports. However, with more applications using dynamic ports and with many applications never registering their ports, the firewall software had to be able to make decisions based not only on the port information, but also on the application trying to access the network. This led to the development of the ActiveArmor Firewall Intelligent Application Manager (IAM).

The IAM allows you to create firewall rules based on an application’s name. When an application attempts to open a new network connection (either as a client or as a server), you are prompted by a pop-up dialog to either allow or deny the application's access to the network (see “Basic Risk-Level Dialog Box” on page 45). An application-based firewall rule is then automatically created or modified based on your decision. Applications can thus be allowed or denied on the fly by you, and you have the ultimate control over whether an unknown application can, or cannot, access the network. Filtering by ports is still available, of course, augmenting the more user-friendly filtering based on application names that the IAM provides in the ActiveArmor Firewall.

A primary benefit of a firewall policy based on application names derives from the fact that many applications, such as Voice over IP and games, do not use well-defined ports. Such applications use unregistered or dynamically selected ports that cannot be predicted in advance. Filtering based on application names is preferable to filtering based on ports in this circumstance because you are more likely to know whether an application should be allowed network access than to know whether the application should be able to use a given port.

There is another large benefit of the IAM that derives from basing firewall filtering on application names. By making the application name the key factor in the allow/deny decision, and by only opening ports as they are requested by permitted applications, the firewall dynamically adjusts itself to allow only that traffic that is required at any given time. As soon as an application closes a socket, the IAM forgets that the port was ever open.
By filtering based on application names, only those ports that an application actually uses are opened—in contrast to a port-based firewall that might have to open a large range of port numbers because it isn’t known in advance which ports the application will use at run-time (or at connect-time).

So, rather than opening large holes in the firewall configuration to support applications using dynamic ports, the firewall opens only “pinholes” for those ports that the application is actually using at any given time. You decide if an application is trustworthy, and, if so, the firewall opens only the minimum number of ports needed to ensure that the application can operate properly.

IAM Popup Dialog Boxes

When you launch a network application, or when a local application attempts to access a remote device, the ActiveArmor Firewall IAM displays a pop-up dialog box that can be either of two types: Information or Risk-Level.


Information Dialog Box

An Information dialog box message (Figure 4.2) indicates that the detected application is recognized by the ActiveArmor Firewall. A rule is automatically generated that either allows or denies the application's access to the network based on the factory default settings. No user interaction is required.
• Application. Information in this box identifies the application that is attempting to access the network, and provides a short description of the application.
• ActiveArmor Firewall IAM. This section indicates the type of Firewall application rule to be automatically created by the IAM.
• Do not display informational messages in the future. Selecting this check box disables pop-up dialog boxes for all applications recognized by the ActiveArmor Firewall IAM.

Risk-Level Warnings

To help you decide if an application should be allowed to access the network, the ActiveArmor Firewall IAM classifies the risk levels associated with various network applications as Low, Medium, or High.

Figure 4.2 Information Dialog Box


A Low Risk warning represents a common application that is attempting to access the network.

A Medium Risk warning is generated by a less common application that is attempting to access the network.

A High Risk warning is caused by an uncommon application’s attempt to use Raw Sockets (a potential high risk) to access the network.

A risk level message can appear under any of these four conditions:
• The network application is attempting to access the network and a Firewall rule does not exist for this application.
• The network application is attempting to access the network and the Firewall rule for this application says to prompt the user.
• The network application has been modified due to an upgrade or virus infection.
• The risk level of the application has increased due to connection type changes.

Note: The risk level of the application increases by one level if the connection type changes.

Changes that can trigger an increased risk include the following:
• An application moving from client-like to server-like behavior.
• A modification of the protocol type from TCP to UDP, or TCP or UDP to Raw Sockets.

Figure 4.3 Low Risk Warning

Figure 4.4 Medium Risk Warning

Figure 4.5 High Risk Warning


• A change in the checksum of the application (which indicates that the executable application has changed, and thus might have been corrupted by a virus of some kind).

Two kinds of pop-up dialog boxes contain these risk-level warnings: Basic Risk-Level dialog boxes and Advanced Risk-Level dialog boxes. Based on your response to these dialog boxes, a rule is automatically generated that either allows or denies the application's access to the network.
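The four prompting conditions and the risk-raising changes listed above, modelled in an added Python example (not the IAM's own code; the rule store, the "common application" list, the executable checksum and the sample requests are constructed):

```python
# Added example, not NVIDIA code: a model of the IAM prompting and risk-level
# logic described in this section. The rule store, the "common application"
# list, the executable checksum and the sample requests are all constructed.
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

RISK = ["low", "medium", "high"]
PROTO_RANK = {"tcp": 0, "udp": 1, "raw": 2}   # TCP -> UDP -> Raw Sockets raises risk
COMMON_APPS = {r"C:\Program Files\Browser\browser.exe"}   # constructed stand-in list

@dataclass(frozen=True)
class Request:
    path: str       # executable name and directory location
    image: bytes    # constructed stand-in for the executable's contents
    role: str       # "client" or "server"
    proto: str      # "tcp", "udp" or "raw"

@dataclass
class AppRule:
    action: str     # "allow", "deny" or "prompt"
    checksum: str   # checksum of the executable when the rule was created
    role: str
    proto: str
    risk: str

def checksum(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def base_risk(req: Request) -> str:
    # Low: common application; Medium: less common; High: Raw Sockets use.
    if req.proto == "raw":
        return "high"
    return "low" if req.path in COMMON_APPS else "medium"

def raise_risk(level: str) -> str:
    # The risk level goes up by one level, capped at High.
    return RISK[min(RISK.index(level) + 1, len(RISK) - 1)]

def connection_type_changed(rule: AppRule, req: Request) -> bool:
    # client-like -> server-like, or TCP -> UDP, or TCP/UDP -> Raw Sockets
    return (rule.role == "client" and req.role == "server") or \
           PROTO_RANK[req.proto] > PROTO_RANK[rule.proto]

def evaluate(store: Dict[str, AppRule], req: Request) -> Tuple[str, str, str]:
    """Return (outcome, risk level, reason); outcome is allow, deny or prompt."""
    rule = store.get(req.path)
    if rule is None:
        return "prompt", base_risk(req), "no rule for this application"
    if rule.action == "prompt":
        return "prompt", base_risk(req), "rule says to prompt the user"
    if rule.checksum != checksum(req.image):
        return "prompt", raise_risk(rule.risk), "application checksum changed"
    if connection_type_changed(rule, req):
        return "prompt", raise_risk(rule.risk), "connection type changed"
    return rule.action, rule.risk, "existing rule applied"

def record_answer(store: Dict[str, AppRule], req: Request, answer: str, risk: str) -> None:
    """Store the user's Allow/Deny choice as the application's rule."""
    store[req.path] = AppRule(answer, checksum(req.image), req.role, req.proto, risk)

def demo():
    store: Dict[str, AppRule] = {}
    chat = r"C:\Program Files\Chat\chat.exe"          # constructed, not in COMMON_APPS
    browser = r"C:\Program Files\Browser\browser.exe"
    steps = []
    first = Request(chat, b"chat-v1", "client", "tcp")
    steps.append(evaluate(store, first))              # unknown app -> prompt at Medium
    record_answer(store, first, "allow", steps[-1][1])
    steps.append(evaluate(store, first))              # same app again -> silent allow
    steps.append(evaluate(store, Request(chat, b"chat-v1", "server", "udp")))  # now serving over UDP
    steps.append(evaluate(store, Request(chat, b"chat-v2", "client", "tcp")))  # executable changed
    web = Request(browser, b"browser-v1", "client", "tcp")
    record_answer(store, web, "deny", base_risk(web))
    steps.append(evaluate(store, web))                # common app, denied by its rule
    return steps
```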

Basic Risk-Level Dialog Box

The low, medium, and high risk warnings can appear in either a basic risk-level message (Figure 4.6) or in an advanced risk-level message (Figure 4.7). The Basic Risk-Level dialog box has these components:

• Application. This area identifies the application that is attempting to access the network and includes a short description of the application.

• Allow. Click to add an Allow entry to the Firewall Application table and to allow the application to access the network in the future. No more pop-ups will occur for this application—unless a High Risk warning is generated.

• Deny. Click to add a Deny entry to the Firewall Application table and deny this application access to the network in the future. No more pop-ups related to this application will occur.

• More Options. Click to launch the Advanced Risk Level dialog box.

Figure 4.6 Basic Risk-Level Dialog Box


Advanced Risk-Level Dialog Box

The Advanced Risk-Level dialog box has information and user choices beyond those of the Basic Risk-Level dialog box:

• Company is the name of the company that developed the application.
• Version is the version number of the application.
• Path shows the application name and its directory location.
• Application Type is a description of the application.
• Protocol Type is information about the type of protocol that the application is currently attempting to use. The choice is TCP/UDP or Raw Sockets.
• Destination is the location to which the application is attempting to connect.
• Source is the source of the application, such as the local computer's IP address and the stack-assigned source port.
• Allow adds an Allow entry to the Firewall Application table and allows the application to access the network, as in the basic risk-level dialog box.

Figure 4.7 Advanced Risk-Level Dialog Box


• Allow Once adds an Allow entry to the Firewall Application table and allows the application to access the network for only the current session. The next time the application is launched, the dialog box will be displayed again.

• Deny adds a Deny entry to the Firewall Application table and denies the application access to the network, as in the basic risk-level dialog box.

• Deny Once adds a Deny entry to the Firewall Application table and denies the application access to the network for only the current session. The next time the application is launched, the dialog box will be displayed again.

• Advanced Configuration launches the NVIDIA ForceWare Network Access Manager Web-based user interface to allow for advanced configuration of the Firewall rules.

Configuring the IAM

When you launch an application that attempts to access the network, the IAM presents a pop-up dialog box that lets you allow or deny the application's access to the network; for example, see “Basic Risk-Level Dialog Box” on page 45. An application-based firewall rule is automatically created or modified in the ActiveArmor Firewall Application table (see Figure 4.8, “ActiveArmor Firewall Application Table”). Using the Web interface of the Application table (Firewall > Advanced Configuration > Application) you can change the rule for an application, disable the IAM, or disable the Information dialog box.

On the IAM configuration part of the page, you can control the following two IAM settings:

• IAM (Intelligent Application Manager)

This option allows you to turn off the IAM. If you do, you do not see the pop-up dialog, and the rules in the Application table are not enforced. Rules in the rest of the ActiveArmor Firewall, such as the TCP/UDP Port table or the ICMP table, are still enforced. The IAM is also disabled when the ActiveArmor Firewall profile is set to Off, Antihacking only, or Lockdown.

Note: When the IAM is enabled, an IAM application-based rule takes precedence over an ActiveArmor Firewall port-based rule. For example, the Firewall port table could be configured to deny port 80, and the IAM application table could be configured to allow Internet Explorer (IE) network access. When you launch IE, it is able to access the network: the rule in the port table is overridden by the rule in the IAM application table. Keep this in mind when auditing a Deny rule in the port table, because an Allow entry in the Application table bypasses it for that application without any further prompt.


• Informational popup dialog

You are given the choice to enable or disable the Information dialog box. The dialog box signifies that the detected application is recognized by the ActiveArmor Firewall, and that a rule will be automatically generated that either allows or denies the application's access to the network based on the factory default settings. No interaction is required by you. If the Information dialog box is disabled, you can still use the Firewall log to view the rules that are automatically created.

Advanced Configuration

If you want to create a custom profile, you can use any of the basic Lockdown, High, Medium, Low, Antihacking, or Off profiles discussed in “Using the Basic Configuration Page” on page 38 as a starting point.

Note: You can define up to three independent custom profiles.

Figure 4.8 ActiveArmor Firewall Application Table


To create or choose a custom profile, follow these steps:

1 Open the ForceWare Network Access Manager Web browser interface. If you need help, see “Launching the ForceWare Network Access Manager Web Interface” on page 24.

2 From the Firewall menu, click Basic Configuration to open the Firewall Basic Configuration page.

3 Click the Security Profiles list to view the profiles.

4 Select one of the three Custom profiles.

Note: Whether the IAM and ActiveArmor are disabled depends on the profile the custom profile is based on. If the custom profile is based on the Medium (default) profile, the IAM and ActiveArmor remain enabled. If it is based on Off, they are disabled.

5 Specify a new name for each custom profile you select in step 4 in the Rename edit box.

Note: You will probably choose to generate a custom profile based on one of the pre-defined profiles, e.g., Lockdown, High, Low, etc.

6 To edit the associated table rules, select the appropriate option under the Advanced Configuration menu to perform any of the following actions:

• To add a rule or purge all rules in a table, use the Add Rule or Purge Table buttons in the corresponding table’s page.
• To change only the “action” of an existing rule, follow these steps:
  a) Click the drop-down menu in the corresponding table row under the “action” column and choose either Allow or Deny (for all tables) or Ignore (for the UDP/TCP Port table only). For further details, see “About Working With Tables” on page 51.
  b) Click Apply.
  Note: Multiple “actions” may be modified before you click Apply, which accepts all the changes at once.
• To edit any other parameter of an existing rule, or to delete a rule, click the icon in the corresponding row under the Edit column to open the Rule editing page.

For brief descriptions of each table parameter, click the Help button on the upper-right corner of either the Table page or the Rule editing page. For more detailed descriptions of each table parameter, refer to “ActiveArmor Firewall Parameters Reference” on page 143 in this guide.

The ActiveArmor Firewall > Advanced Configuration page also allows you to toggle the more advanced security features of the ActiveArmor Firewall. For detailed information on these features, click the Help tab on the upper right corner of the page.

Configuring Antihacking Features

The antihacking features of the ActiveArmor Firewall include antispoofing, antisniffing, anti-ARP cache poisoning, and anti-DHCP server, all of which provide important security controls for corporate network environments. You can configure antihacking features from the ActiveArmor Firewall Options page (Figure 4.9).

Figure 4.9 ActiveArmor Firewall Options—Configuring Antihacking Features

Follow these steps to access the Firewall Options page:

1 Open the ForceWare Network Access Manager Web-based interface. If you need help, see “Launching the ForceWare Network Access Manager Web Interface” on page 24.

2 From the NVIDIA Firewall menu, click Advanced Configuration, and then click Options to open the Firewall Options page (Figure 4.9).

3 For detailed information about the options and how to configure them, see “Group: Configure Firewall Options” on page 146 in Appendix B: “ActiveArmor Firewall Parameters Reference” on page 143.

About Working With Tables

Specifying Actions

For each rule, you can specify the action that the ActiveArmor Firewall should perform if a packet or connection matches that rule.

• In the following three types of tables, where the direction of traffic is important, each rule lets you set the Inbound action and the Outbound action separately:
  • IP Option table
  • UDP/TCP Port table
  • ICMP table
• In all other types of tables, the direction is not important. Therefore, each rule lets you set one action for both inbound and outbound.

Every rule can either Allow or Deny traffic, while each rule in the UDP/TCP Port table has an additional action called Ignore.

The Ignore action is useful when you want a UDP/TCP Port rule to apply in only one direction. For example, setting a rule for HTTP (Web) port 80 to deny inbound and ignore outbound will always block Web connections in the inbound direction, but will let a more generic matching rule or the “default action” determine the action for outbound Web connections.

About Table Sorting

You can sort any table based on the contents of any column by simply clicking either the Up or Down arrows adjacent to the column name in the header at the top of each column. When you first view a table, the tables are sorted by default in the following ways:

• In the IP Address table, the Domain Name table, and the UDP/TCP Port table, the rules are normally sorted by the Rule Order column, which is both the order that the rules have been added and the order that they will be applied. Executing the rules in the order of their creation allows you to add overlapping rules that provide one action for a more generic range of IP addresses or domain names, while having a different action for a more specific IP or domain.


For example, if you first create an IP Address table rule to allow address 10.1.1.2 and mask 255.255.255.255, and then create a rule to deny address 10.1.1.0 and mask 255.255.255.0, then the IP Address table will allow traffic to 10.1.1.2 but will block all other addresses in 10.1.1.x. Traffic to 10.1.1.2 will not be blocked by the second rule of this table because the first rule already matches it. You can similarly set up the Domain Name table to block a generic domain suffix (e.g., example.com) but allow specific domain names (e.g., foo.example.com).

• In all other tables, the rules are normally sorted by the most significant column. For example, EtherType rules are sorted by the EtherType value, the ICMP rules are sorted by the ICMP Type and then ICMP Code, etc.

• An exception to this behavior is that right after adding a rule to any table, the new rule appears at the bottom of the table so that it can be easily verified as having been added. When the table is viewed again (after navigating away to another page within the Web browser), the rules are back to the default sorting method.

Note: While every table has a Rule Order column, only in the IP Address table, the Domain Name table, and the TCP/UDP Port table mentioned above do you need to worry about the Rule Order when adding new rules, because they allow overlapping IP addresses or domain names.
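To make the first-match behaviour concrete, the Python script below (an added example, not part of the NVIDIA guide or its software) evaluates the guide's own IP Address and Domain Name examples from this section and then shows what happens when the two IP rules are entered in the opposite order. The rule dictionaries, the table default of Allow and the function names are assumptions.

```python
"""First-match evaluation of an ordered IP Address table and Domain Name
table.  Added example, not NVIDIA code; rule shapes are assumptions and
the addresses and domains are the guide's own illustration."""
import ipaddress
from typing import Callable, Dict, List

Rule = Dict[str, str]


def ip_matches(packet_ip: str, rule_ip: str, rule_mask: str) -> bool:
    """A rule matches when the packet address falls inside rule_ip/rule_mask."""
    net = ipaddress.IPv4Network(f"{rule_ip}/{rule_mask}", strict=False)
    return ipaddress.IPv4Address(packet_ip) in net


def domain_matches(name: str, rule_domain: str) -> bool:
    """A rule for example.com covers example.com and every name under it."""
    name, rule_domain = name.lower().rstrip("."), rule_domain.lower().rstrip(".")
    return name == rule_domain or name.endswith("." + rule_domain)


def evaluate(rules: List[Rule], matches: Callable[[str, Rule], bool],
             value: str, default: str) -> str:
    """Walk the rules in Rule Order; the first matching rule decides.  A later
    overlapping rule never sees traffic an earlier rule already claimed."""
    for rule in rules:
        if matches(value, rule):
            return rule["action"]
    return default   # the table's default action when no rule applies


# Rule Order is creation order, exactly as the guide's example enters them.
IP_TABLE: List[Rule] = [
    {"ip": "10.1.1.2", "mask": "255.255.255.255", "action": "Allow"},
    {"ip": "10.1.1.0", "mask": "255.255.255.0",   "action": "Deny"},
]
DOMAIN_TABLE: List[Rule] = [
    {"domain": "foo.example.com", "action": "Allow"},
    {"domain": "example.com",     "action": "Deny"},
]


def ip_verdict(addr: str, rules: List[Rule] = IP_TABLE) -> str:
    return evaluate(rules, lambda a, r: ip_matches(a, r["ip"], r["mask"]), addr, "Allow")


def domain_verdict(name: str, rules: List[Rule] = DOMAIN_TABLE) -> str:
    return evaluate(rules, lambda n, r: domain_matches(n, r["domain"]), name, "Allow")


if __name__ == "__main__":
    for addr in ("10.1.1.2", "10.1.1.7", "10.2.0.1"):
        print(addr, ip_verdict(addr))
    for name in ("foo.example.com", "bar.example.com", "example.org"):
        print(name, domain_verdict(name))
    # The same two IP rules in the opposite order deny 10.1.1.2 as well,
    # which is why Rule Order matters in these three tables.
    print("reversed order, 10.1.1.2:", ip_verdict("10.1.1.2", list(reversed(IP_TABLE))))
```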

Reordering ActiveArmor Firewall Rules

Through the Web interface, the Network Access Manager lets you easily reorder NVIDIA Firewall rules, using the steps that follow.

Note: Firewall rules can be reordered for the following tables:

• Domain Name
• UDP/TCP Port
• IP Address

1 When a table is in Edit mode, click the column labeled Reorder (the icon is a pair of scissors); an example is shown in Figure 4.10. That row is then highlighted in red (Figure 4.11) and the reorder icon changes to a clipboard.

2 Then, click the clipboard icon of the row to which you want to move the cut row.


Figure 4.10 Reordering ActiveArmor Firewall Rules — Cutting a Row


Figure 4.11 Reordering ActiveArmor Firewall Rules — Pasting a Row

Table Default Action Settings

Each table has an associated default action, which may be set to Allow or Deny. Depending on the nature of the default action, a given individual rule may or may not have any effect. For example, if the TCP default action is to Allow packets associated with outbound connections and to Deny packets associated with inbound connections, then having a rule to allow outbound HTTP (i.e., TCP port 80) connections would be redundant, because that traffic would already have been allowed by the default action.

The default action defines the action that will be performed when no other specific rule in that particular table applies to a given type of packet.

• In general, if the default action of a table is to Deny, then most rules should be set to Allow specific exceptions.
• Similarly, if the default action is to Allow, then most rules should be set to Deny specific exceptions.


Note: It is generally agreed that it is safer to discard traffic unless you specifically need to allow it, so a default action of Deny is more secure than a default action of Allow, and it also keeps the rule set easier to reason about, since the table then lists only the traffic you need.

The ActiveArmor Firewall compares each packet to the firewall tables in the following order, from the lower-numbered, more fundamental parameters to the higher-numbered, more complex parameters:

a EtherType table
b IP Address table
c IP Option table
d IP Protocol table
e TCP Option table
f UDP/TCP Port table
g ICMP table
h Domain Name table

Note: Packets of a specific protocol, such as TCP, will not be processed by the table of an unrelated protocol, such as ICMP.

Using the ActiveArmor Firewall Wizards Page

Another way to configure rules in your custom profile is through the Firewall Wizards page (Figure 4.12); from the main menu, click Firewall > Wizards. Using a questionnaire format, the wizards provide a simple, step-by-step method to configure the tables and, for convenience, are separated into different categories of commonly-used applications. You can use the Firewall Wizards page to configure the ActiveArmor Firewall to enable specific applications or classes of applications to work. There are wizards for various types of applications including Telnet, FTP, SSH, game servers, and so on.


Figure 4.12 Firewall Wizards

These wizards will open the required network ports that are used by these applications. If the particular application you are using needs other non-specific network ports, you can use the Generic Port wizard to add those ports for the application to work.

Note: Refer to your application documentation for information on the TCP/UDP ports that are used, if applicable.

DHCP Server/Client Configuration

DHCP Server

1 Open the Firewall > Basic Configuration page and select a custom profile.

2 To allow DHCP server traffic, do one of the following:

a From the Firewall menu, click Wizards to open the page.
b Click DHCP (Dynamic Host Configuration Protocol), select the server option, and finish.

OR

a From the NVIDIA Firewall menu, click Advanced Configuration and then click Anti-Hacking to open the page.
b Clear the Disallow DHCP server check box and click Submit.
c From the Firewall menu, click Advanced Configuration and then click UDP/TCP Port to open the page.
d Confirm that port 53 Domain Name Service UDP is set to Allow (inbound and outbound).

Note: DHCP itself is carried over UDP, with servers listening on port 67 and clients on port 68; port 53 is the DNS port. If DHCP still does not work after these steps, check that the UDP/TCP Port table is not denying UDP ports 67 and 68 in the relevant direction.

3 To deny DHCP server traffic, follow these steps:

a From the NVIDIA Firewall menu, click Advanced Configuration and then click Anti-Hacking to open the page.
b Select the Disallow DHCP server check box so that a check mark appears in the check box, and click Submit.

DHCP Client

1 To allow DHCP client traffic, do one of the following:

a From the Firewall menu, click Wizards to open the page.
b Click DHCP (Dynamic Host Configuration Protocol), select the client option, and finish.

OR

c From the Firewall menu, click Advanced Configuration and then click UDP/TCP Port to open the page.
d Confirm that port 53 Domain Name Service UDP is set to Allow (outbound only).

2 To deny DHCP client traffic, follow these steps:

a From the Firewall menu, click Advanced Configuration and then click UDP/TCP Port to open the page.
b Confirm that port 53 Domain Name Service UDP is set to Deny (outbound only).

Configuration Dependencies

Under certain configurations, the ActiveArmor Firewall might not function as expected even though its functionality is still consistent with the actual rules that were configured. In particular, it is possible to provide the firewall with conflicting configuration directives, yet it might not be obvious that this is the case. This situation may arise because of the many ways in which traffic can be allowed or denied and the overlapping scopes of the various firewall tables.

For example, suppose that you had configured the ActiveArmor Firewall to allow certain types of ICMPv4 traffic but had also configured it to block all IPv4 packets. If you had forgotten that the latter was the case, you might wonder why the allowed ICMPv4 traffic was not getting through. In this case, you would have to realize that you cannot expect ICMPv4 traffic to flow unless you allow at least IP Protocol number 0x01 and EtherType 0x0800 for IPv4. Other less obvious cases are possible. For example, if all inbound packets with IP options are blocked, then IGMP Reports will not be received by the stack, since all IGMP Reports have an IP Router Alert option included in the packet.
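The following Python model (an added example, not NVIDIA code) walks constructed packets through the table order given under “Table Default Action Settings”, with a per-table default action, direction-aware actions, the Port table's Ignore action and the rule that protocol-specific tables are skipped by other protocols. It returns the first table that denied the packet, which is also the table the firewall log message names, and it reproduces both dependency cases described above: ICMP allowed but IPv4 blocked at the EtherType table, and an inbound IGMP Report dropped by the IP Option table. The rule representation, the sample policy in `build()` and the packet fields are assumptions.

```python
"""Packet walk through the ActiveArmor table order.  Added example, not
NVIDIA code; the rule representation and the sample policy are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple, Union

Packet = Dict[str, object]
Action = Union[str, Dict[str, str]]   # 'Allow'/'Deny'/'Ignore', or one per direction
Rule = Tuple[Callable[[Packet], bool], Action]


def resolve(action: Action, direction: str) -> str:
    """Direction-aware tables store separate inbound/outbound actions."""
    return action[direction] if isinstance(action, dict) else action


def tables_for(pkt: Packet) -> List[str]:
    """Table order from the guide; protocol-specific tables are visited only
    by packets of that protocol (a TCP packet never meets the ICMP table)."""
    order = ["EtherType", "IP Address", "IP Option", "IP Protocol"]
    if pkt.get("proto") == 6:        # TCP
        order += ["TCP Option", "UDP/TCP Port"]
    elif pkt.get("proto") == 17:     # UDP
        order += ["UDP/TCP Port"]
    elif pkt.get("proto") == 1:      # ICMP
        order += ["ICMP"]
    return order + ["Domain Name"]


class Firewall:
    def __init__(self) -> None:
        self.rules: Dict[str, List[Rule]] = {}
        self.defaults: Dict[str, Action] = {}

    def table(self, name: str, default: Action, rules: List[Rule] = ()) -> None:
        self.defaults[name] = default
        self.rules[name] = list(rules)

    def decide(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return ('Allow', None) or ('Deny', <first table that denied>)."""
        direction = str(pkt["dir"])
        for name in tables_for(pkt):
            verdict = resolve(self.defaults.get(name, "Allow"), direction)
            for match, action in self.rules.get(name, []):
                if not match(pkt):
                    continue
                act = resolve(action, direction)
                if act == "Ignore":      # fall through to a later rule or the default
                    continue
                verdict = act
                break
            if verdict == "Deny":
                return "Deny", name
        return "Allow", None


def build(allow_ipv4: bool = True) -> Firewall:
    """Constructed policy.  allow_ipv4=False reproduces the guide's trap:
    the ICMP table allows pings, but the EtherType table blocks all IPv4."""
    fw = Firewall()
    ether = [(lambda p: p["ethertype"] == 0x0800, "Allow")] if allow_ipv4 else []
    fw.table("EtherType", "Deny", ether)
    fw.table("IP Address", "Allow")
    fw.table("IP Option", "Allow",
             [(lambda p: bool(p.get("ip_options")), {"inbound": "Deny", "outbound": "Allow"})])
    fw.table("IP Protocol", "Deny", [(lambda p: p["proto"] in (1, 2, 6, 17), "Allow")])
    fw.table("TCP Option", "Allow")
    fw.table("UDP/TCP Port", {"inbound": "Deny", "outbound": "Allow"}, [
        (lambda p: p["dport"] == 80, {"inbound": "Deny", "outbound": "Ignore"}),
        (lambda p: 1002 <= p["dport"] <= 1009, "Deny"),
    ])
    fw.table("ICMP", "Deny", [(lambda p: p["icmp_type"] in (0, 8), "Allow")])
    fw.table("Domain Name", "Allow")
    return fw


# Constructed packets
def tcp(direction: str, dport: int) -> Packet:
    return {"dir": direction, "ethertype": 0x0800, "proto": 6, "dport": dport}


def icmp(direction: str, icmp_type: int) -> Packet:
    return {"dir": direction, "ethertype": 0x0800, "proto": 1, "icmp_type": icmp_type}


def igmp_report() -> Packet:   # IGMP Reports carry the IP Router Alert option
    return {"dir": "inbound", "ethertype": 0x0800, "proto": 2, "ip_options": ["router-alert"]}


if __name__ == "__main__":
    fw = build()
    for label, pkt in [("ping out", icmp("outbound", 8)), ("igmp report in", igmp_report()),
                       ("http out", tcp("outbound", 80)), ("http in", tcp("inbound", 80)),
                       ("tcp/1003 out", tcp("outbound", 1003))]:
        print(label, fw.decide(pkt))
    print("ping out, IPv4 EtherType blocked:", build(allow_ipv4=False).decide(icmp("outbound", 8)))
```

Two details of the model carry the practical lesson: the outbound HTTP packet hits the port-80 rule, whose outbound action is Ignore, and so falls through to the table default of Allow; and the IGMP Report never reaches the IP Protocol table because the IP Option table already denied it, so an administrator looking only at the IP Protocol rules would not see why multicast membership reports are missing.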

Recommendations

Note: There are many ways to configure different parameters, which could cause unintended and troublesome consequences. Therefore, it is best to work step-by-step through a configuration, building up one layer of rules at a time. Once a given configuration is known to be effective, then it is possible to amend the configuration slightly and re-verify the old configuration, while verifying the new configuration as well. Ultimately, the configuration will converge on a set of rules that meets the stated requirements.

Note: Attempting to set up the final configuration in a single big step can sometimes enable interdependencies that prevent things from working as intended and result in difficult troubleshooting.


ActiveArmor Firewall Statistics

All packets generate statistics when passing through the ActiveArmor Firewall, whether they are allowed or denied. Each packet increments one of these packet counts—UDP, TCP, ICMP, or Other—as well as one of the TCP and UDP connection counts if it is a connection-initiating packet. The ActiveArmor Firewall statistics allow you to do the following:

• Determine the kind of traffic your computer is exchanging
• Determine the amount of the traffic being allowed or denied
• Verify whether a recently changed firewall rule is operating as intended

For example, suppose that you wanted to add a rule to deny TCP packets to any port between 1002 and 1009. To do so you can use the ForceWare Network Access Manager Web interface and follow these steps:

1 From the NVIDIA Firewall > Information menu, click any of the graph or table choices.

2 For example, to see statistics about the Firewall interface presented in a graphical format, click Graphical to display a page similar to Figure 4.13. For detailed Help on options, click the Help tab.

a To view statistics based on the number of packets, click the Packets tab.
b To view statistics based on the number of connections, click the Connections tab.
c After noting the current TCP statistics, you can add a TCP Port Rule to block the 1002 to 1009 range.
d Then you can send some test packets to verify that such packets were actually blocked.


Figure 4.13 Graphical Information for Packets

3 In order to send TCP traffic to a particular port, you can open a command prompt window and type:

telnet foo.example.com 1003

where foo.example.com is any valid domain name or IP address that would normally be reachable through the ActiveArmor Firewall, and 1003 is any number between 1002 and 1009 that should be blocked. The Telnet program will attempt to connect, and the expected result (if the rule has been set up properly) is that the connection attempt eventually times out, because the packets associated with that connection have been dropped. A connection that is refused immediately instead of timing out means the packets reached the destination host, so the rule did not block them.

Legend for Figure 4.13: Arrows pointing to the computer icon represent received packets or incoming connections. Arrows originating from the computer icon represent transmitted packets or outgoing connections. Red arrows represent packets or connections that are stopped by the ActiveArmor Firewall.


4 After performing the above test, you can click the Bar graph or Table option from the Information menu to verify whether the “Outbound TCP connections denied” count or the “Outbound TCP packets denied” count has increased by an amount consistent with the tests that were performed.A sample bar graph is shown in Figure 4.14.

Figure 4.14 Bar Graph of Packet Activity

A sample table of Firewall statistics is shown in Figure 4.15 and Figure 4.16.


Figure 4.15 Table (Statistics) of Packet Activity—First Section

Figure 4.16 Table (Statistics) of Packet Activity—Second Section
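The Telnet check in step 3 of the statistics procedure can be automated and extended to the whole port range. The Python script below is an added example, not part of the guide or of the NVIDIA software: it distinguishes a connection that times out (the SYN was dropped, which is what a Deny rule produces) from one that is refused (the host was reached and nothing was listening), and it carries a constructed stand-in connector so the logic can be dry-run offline before pointing it at a real host. The host name and the 1002 to 1009 range are the guide's illustrative values; the function names are assumptions.

```python
"""Client-side verification of a TCP port-range Deny rule.  Added example,
not NVIDIA code.  With the default connector this really opens sockets;
simulated_connector() is a constructed stand-in for offline runs."""
import socket
from typing import Callable, Dict, Iterable, List, Optional


def classify(exc: Optional[BaseException]) -> str:
    """Translate a connect outcome into what it says about the firewall."""
    if exc is None:
        return "connected"                          # port reachable: not blocked
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timed out (packets dropped)"        # what a Deny rule looks like
    if isinstance(exc, ConnectionRefusedError):
        return "refused (host reached, nothing listening)"
    return "error (%s)" % exc.__class__.__name__


def probe(host: str, ports: Iterable[int], timeout: float = 3.0,
          connector: Callable = socket.create_connection) -> Dict[int, str]:
    """Try a TCP connection to each port and classify the result.  `connector`
    is injectable so the logic can be exercised without a network."""
    results: Dict[int, str] = {}
    for port in ports:
        try:
            conn = connector((host, port), timeout)
            conn.close()
            results[port] = classify(None)
        except OSError as exc:   # timeouts and refusals are OSError subclasses
            results[port] = classify(exc)
    return results


def blocked_ports(results: Dict[int, str]) -> List[int]:
    """Ports whose attempts timed out, i.e. consistent with a Deny rule."""
    return sorted(p for p, r in results.items() if r.startswith("timed out"))


def simulated_connector(blocked: Iterable[int], listening: Iterable[int]) -> Callable:
    """Constructed stand-in for socket.create_connection: behaves like a host
    behind a firewall that drops `blocked` ports and listens on `listening`."""
    blocked, listening = set(blocked), set(listening)

    class _Conn:
        def close(self) -> None:
            pass

    def connect(address, timeout):
        port = address[1]
        if port in blocked:
            raise socket.timeout("timed out")
        if port in listening:
            return _Conn()
        raise ConnectionRefusedError("connection refused")
    return connect


if __name__ == "__main__":
    # Offline dry run of "telnet foo.example.com 1003" across the whole
    # 1002-1009 range, plus port 80 as a control that should not be blocked.
    sim = simulated_connector(blocked=range(1002, 1010), listening=[80])
    results = probe("foo.example.com", [*range(1002, 1010), 80, 2000], connector=sim)
    for port, verdict in sorted(results.items()):
        print(port, verdict)
    print("blocked:", blocked_ports(results))
    # Against a real host, drop connector=sim to use socket.create_connection.
```

After a real run, compare the number of timed-out ports with the increase in the “Outbound TCP connections denied” counter described in step 4; the two should agree, and a port that is refused rather than timing out is one the rule is not covering.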


ActiveArmor Firewall Logging

In addition to statistics, the ActiveArmor Firewall generates log entries depending on the log filter. When a packet is dropped by the firewall, the log message saved by the firewall corresponds to the first table or rule that denied the packet, following the table order described in the “Advanced Configuration” on page 48 section. For example, if the ActiveArmor Firewall generates a “Blocked IP option” message because a TCP packet has a disallowed IP option, the dropped packet might not have passed the TCP rules either, but since it was blocked by the IP Option table first, “Blocked IP option” is the message saved by the firewall.

In the previous section “ActiveArmor Firewall Statistics” on page 59, the Telnet packet that was generated also causes a “Blocked port” message for port 1003—unless another table blocks it first, in which case a log message for that table is generated. In the latter case, the timestamps in the log messages can be used to correlate those log entries that were created during the test.

Whenever a network application is set to Allow/Deny access to the network through the Intelligent Application Manager, a log entry is also created. Activities related to remote Web interface access are also logged; for example, when a user enters an incorrect password. Other events that generate log entries include changing to a different profile, packets dropped by an advanced ActiveArmor Firewall security option, enabling and disabling an NVIDIA network interface, and any other changes to the ActiveArmor Firewall configuration.

Note: Log entries are saved in batches, so the most recent entries may take a short time to appear in the ForceWare Network Access Manager Web interface.

Note: To increase the frequency of saving log messages, select the Log each message immediately setting. Use this setting only for the purpose of debugging, in order to avoid lowering system performance.

Note: Logging all successful packets may degrade network performance.

1 To open the Log Settings page, choose Log Settings from the menu.

2 Confirm that the None option is not selected.

3 To view the log page (Figure 4.17), click Log from the menu.

4 Then use the links at the bottom of the page (First, Previous, Next, and Last) to navigate.

5 If you see too many log entries being generated, you can do one of the following:

• Click Clear All Logs, or
• Choose Log Settings from the menu to open the Log Settings page again. Then consider changing the type of log messages to one of several options provided, as shown in Figure 4.18.

Figure 4.17 Firewall Logging Messages


Figure 4.18 User Log Settings


CHAPTER 5

CONFIGURING NVIDIA ACTIVEARMOR

NVIDIA ActiveArmor Parameters Reference

Appendix C: “ActiveArmor Secure Network Engine (SNE) Parameters Reference” on page 183 is an NVIDIA ActiveArmor Reference guide, categorizing the ActiveArmor parameters by group and table names. When you are using the ActiveArmor parameters from the ForceWare Network Access Manager Web-based interface, you can easily access online Help by clicking the Help tab.

Understanding NVIDIA ActiveArmor
NVIDIA ActiveArmor is software that controls the NVIDIA ActiveArmor Secure Networking Engine (SNE), which offloads CPU-intensive aspects of firewall and TCP processing. By processing the packets of those connections that are offloaded, the SNE significantly reduces CPU usage and accelerates firewall throughput. The ActiveArmor offloading policy is defined using the Web-based Network Access Manager (NAM), and configuring ActiveArmor is similar to the process used for the ActiveArmor Firewall. Under the Firewall menu is the ActiveArmor menu, which can be clicked to obtain links to Web pages that allow you to configure ActiveArmor and to observe its operation. The NVIDIA ActiveArmor SNE is enabled whenever the ActiveArmor Firewall is installed. ActiveArmor, by its default configuration, offloads all connections from the ActiveArmor Firewall.


Note: You have to define a policy that controls those connections that you do not want to be offloaded to ActiveArmor.

NVIDIA ActiveArmor and the ActiveArmor Firewall
ActiveArmor supports only the ActiveArmor Firewall. All software-based firewalls, including the ActiveArmor Firewall, intercept not only network traffic, but also the software interfaces between applications and the networking software stack. Firewalls also need to communicate between their own layers to coordinate the operation of their software components—when setting up and tearing down filtering information for a given connection, for example. As a result, it is extremely unlikely that two software-only firewalls can happily co-exist within a single system. The simplified diagram in Figure 5.1, “Four Software Layering Scenarios” shows how the ActiveArmor Firewall (and ActiveArmor) might be installed with a single third-party firewall. Even in this simple case, there are at least four possible ways that the software components could be layered with respect to the core Windows elements: the Windows Sockets API, the Windows TCP/IP stack, and the Windows Network Device Interface Specification (NDIS) API. In each of the four scenarios, the software layering arrangement has a different effect, depending on what traffic is allowed (or blocked) by each layer and on what interprocess communication is intercepted (or allowed to pass) by each layer. In some scenarios, both firewalls may appear to work, but they may cause unusual side-effects that affect each other, up to and including a system crash. In most cases, you would be best served by picking your favorite firewall and using it alone, rather than trying to make multiple firewalls work together. Keep in mind that the software-based ActiveArmor Firewall is feature-rich and offers excellent performance and low CPU utilization with ActiveArmor.


Figure 5.1 Four Software Layering Scenarios

[Figure: four stack diagrams. Each shows, from top to bottom, Application Software, the Windows Sockets API Layer with a Third-Party WinSock Filter Layer and an NVIDIA WinSock Filter Layer, a Third-Party TDI Filter Layer and an NVIDIA TDI Filter Layer, the Windows TCP/IP Stack, the Windows NDIS API Layer with a Third-Party NDIS Filter Layer and the NVIDIA Firewall, and the Ethernet Driver at the bottom. The four scenarios differ in the order in which the NVIDIA and third-party filter components are layered relative to each other.]


Configuring ActiveArmor to Offload All Connections

1 From the ActiveArmor menu, click the Application option to open the ActiveArmor Configuration and Application Table page (Figure 5.2).

2 Ensure ActiveArmor is enabled and that the Offload Default is Offloadable.

3 Click the Purge Table button to remove all rules from the Application Table. With no more-specific rules in force, the Offload Default controls all traffic.

4 Click Apply in the Application Table section of the Web page to confirm the change.

5 From the ActiveArmor menu, click the Port option to open the ActiveArmor Configuration and Port Table page (Figure 5.3).

Figure 5.2 ActiveArmor Configuration and Application Table


6 Again, click the Purge Table button, and then click the Apply button that is to the left of the Purge Table button.

Tracking ActiveArmor Connections

1 From the ActiveArmor menu, click Connection Table (see Figure 5.4).

2 Observe if any connections have been offloaded along with their lifetimes, TCP states, and so on.

Figure 5.3 ActiveArmor Configuration and Port Tables


Because ActiveArmor works in conjunction with the ActiveArmor Firewall, only those connections that are permitted by the firewall’s policy rules are offloaded (even if ActiveArmor has been configured to offload everything).

Tracking ActiveArmor Statistics
Another way to monitor ActiveArmor is to examine the statistics page.

1 From the ActiveArmor menu, click Global Statistics (see Figure 5.5).

2 As you may have noticed, this page updates itself regularly (every 10 seconds by default).

Figure 5.4 ActiveArmor Connections Table


3 You can change the update frequency by clicking the Change Refresh Rate button, entering another value, and then clicking Apply.

4 Click the browser’s Back button to return to the statistics page.

Using ActiveArmor as a TCP/IP Accelerator
When the ActiveArmor Firewall is turned off (that is, when the selected security profile is the Off profile), ActiveArmor is also turned off. However, provided that no other firewall is active on the machine—which should only be considered on isolated networks with highly trusted neighbor machines!—it is possible to use ActiveArmor independently of the ActiveArmor Firewall to accelerate TCP/IP traffic. If you are using ActiveArmor in this way, without the policy rules of the ActiveArmor Firewall controlling which connections are permitted, you may want to be more specific about configuring which applications (and/or which TCP ports) may be offloaded.

Figure 5.5 ActiveArmor Connection Statistics


Configuring ActiveArmor to Offload One Application
Because an application may open several TCP ports and you may not know in advance which ports it will use, the ActiveArmor Web pages let you permit or deny offloading for an application based on nothing more than its name.

1 From the ActiveArmor menu, click the Application option to open the ActiveArmor Configuration and Application Table page.

2 Ensure that ActiveArmor is enabled and that Offload Default is set to Not Offloadable. In this mode, only application executable files that you specifically enumerate are offloaded.

3 Click Add Rule to open the ActiveArmor Application – add rule page. See Figure 5.6, “ActiveArmor Application – add rule” on page 73.

4 Click Browse to open a Choose file dialog box.

5 Navigate the file system to the directory in which the desired executable is located, select that file, and then click Open.

6 Finally, specify whether connections related to this application should be offloaded for incoming connections (to this PC), outgoing connections (from this PC), or both.

7 Click Apply once the configuration is satisfactory.

Figure 5.6 ActiveArmor Application – add rule


Repeat steps 3–7 to add a rule for a different application executable file.

Configuring ActiveArmor to Offload One TCP Port
It is also possible to configure ActiveArmor to offload traffic associated with certain TCP ports, regardless of which application is using those ports. This is useful when you know in advance which ports an application will be using.

1 From the ActiveArmor menu, click the Port option to open the ActiveArmor Configuration and Port Table page.

2 Ensure that ActiveArmor is enabled.

3 Click the Add Rule button to open the ActiveArmor Port – add rule page (Figure 5.7, “ActiveArmor Port – add rule”).

4 Select which remote IP address pertains to this rule (use a mask of 255.255.255.255 for a single IP address, or use a wider mask to permit more IP addresses). Usually Any Remote IP address is a fine choice, unless you only want to offload connections to a certain address or a range of addresses.

5 Enter a Beginning port number and an Ending port number to establish a range of ports for which offloads will be possible.

Figure 5.7 ActiveArmor Port – add rule


6 Finally, specify whether connections related to these ports should be offloaded for incoming connections (to this PC), outgoing connections (from this PC), or both.

7 Click Apply once the configuration is satisfactory.

Repeat steps 3 through 7 to add a different port-based rule.
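The application-rule and port-rule procedures above, together with the statement under “Tracking ActiveArmor Connections” that only connections permitted by the firewall’s policy are offloaded, describe a small decision procedure. The following Python model is an added example, not NVIDIA code and not the SNE’s real lookup. It assumes that rules only grant offload (a connection no rule matches falls through to the Offload Default), that executable names are compared case-insensitively, that a port rule is matched against the connection’s remote TCP port, and that a rule’s incoming/outgoing flags must cover the connection’s direction for the rule to match. The rule, connection and function names are the example’s own.

```python
"""Toy model of the ActiveArmor offload decision described in this chapter.

Constructed illustration, not NVIDIA code; the SNE's actual lookup order is
not documented on this page. Assumptions (see lead-in): rules only grant
offload, executable names compare case-insensitively, port rules are matched
against the remote TCP port, and direction flags must cover the connection.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two values of the Offload Default setting on the Application Table page.
OFFLOADABLE = "Offloadable"
NOT_OFFLOADABLE = "Not Offloadable"


@dataclass
class AppRule:
    executable: str      # file chosen in the Browse dialog (assumed: name only)
    incoming: bool       # offload connections to this PC
    outgoing: bool       # offload connections from this PC


@dataclass
class PortRule:
    remote_ip: Optional[str]   # None models "Any Remote IP address"
    mask: Optional[str]        # 255.255.255.255 selects a single address
    begin_port: int            # Beginning port number
    end_port: int              # Ending port number
    incoming: bool
    outgoing: bool


@dataclass
class Connection:
    executable: str          # program owning the socket (assumed available)
    remote_ip: str
    remote_port: int
    direction: str           # "incoming" or "outgoing"
    firewall_permits: bool   # verdict of the ActiveArmor Firewall policy rules


def _direction_ok(incoming: bool, outgoing: bool, direction: str) -> bool:
    """A rule applies only in the direction(s) it was configured for."""
    return incoming if direction == "incoming" else outgoing


def port_rule_matches(rule: PortRule, conn: Connection) -> bool:
    """Remote address/mask check, then port range, then direction."""
    if rule.remote_ip is not None:
        mask = rule.mask or "255.255.255.255"
        # strict=False lets a host address stand in for its subnet.
        net = ipaddress.ip_network(f"{rule.remote_ip}/{mask}", strict=False)
        if ipaddress.ip_address(conn.remote_ip) not in net:
            return False
    if not rule.begin_port <= conn.remote_port <= rule.end_port:
        return False
    return _direction_ok(rule.incoming, rule.outgoing, conn.direction)


def should_offload(conn: Connection, app_rules: List[AppRule],
                   port_rules: List[PortRule], offload_default: str,
                   firewall_on: bool = True) -> bool:
    """Decide whether the SNE would take this connection, per the guide's rules."""
    # The firewall always wins: a connection its policy blocks is never
    # offloaded, whatever ActiveArmor's own tables say. With the firewall off
    # (TCP/IP accelerator mode) only the ActiveArmor tables apply.
    if firewall_on and not conn.firewall_permits:
        return False
    for rule in app_rules:
        if (rule.executable.lower() == conn.executable.lower()
                and _direction_ok(rule.incoming, rule.outgoing, conn.direction)):
            return True
    for rule in port_rules:
        if port_rule_matches(rule, conn):
            return True
    # No specific rule matched (the state Purge Table leaves you in), so the
    # Offload Default controls the traffic.
    return offload_default == OFFLOADABLE
```

Purging a table corresponds to passing an empty rule list; with both lists empty the result depends only on the Offload Default and the firewall verdict, which is exactly the “offload all connections” configuration.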


CHAPTER 6

ADMINISTRATIVE TASKS

Accessing the Administration Menu

1 Open the ForceWare Network Access Manager Web menu.

2 Click the Administration menu on the left of the window to expand it so that you can see the various menu choices.

3 Click the menu item to display its associated page on the right.

Application Access Control Page
From the Administration menu, click Access Control to display the Application Access Control page (Figure 6.1). You can use the Application Access Control page to configure the application access permissions. Note the following about these permissions:
• Permissions apply only to non-Administrator and remote users.
• You must have Administrator rights to configure permissions from the local computer. An Administrator on a local computer has access to all applications and configuration information—WMI scripts, the command line, and the Web interfaces—provided they are installed on the computer. The access control settings do not affect the Administrator.


Figure 6.1 Application Access Control Settings

• These permissions cannot be viewed, accessed, or configured remotely, even by an Administrator.

Note: Most of the access control in place will work only if the applications are installed on the NTFS file system, so it is recommended that you use NTFS; however, the application will still function if installed on a FAT file system.

Default Administrative Access Control Settings
Figure 6.1 shows the “default” access settings of the ForceWare Network Access Manager software.


Note: You can also control access by using nCLI parameters such as AccessCLI, AccessWMIScript, etc.

Command Line Access
Note: The Access to CLI parameter is displayed only if the nCLI program is installed on the computer.
Default: Allow access
This field lets you specify whether to Allow or Deny command line access to the non-Administrator users.

If local command line access is denied, non-Administrator users cannot access the Network Access Manager. Regardless of this setting, users with Administrator privileges can always access the Web interface.

Table 6.1 ActiveArmor Firewall Features

Feature                           | Type of Access: nCLI, WMI Script, Web Local (one entry covers all three) | Type of Access: Web Remote
----------------------------------|--------------------------------------------------------------------------|---------------------------
Ethernet and ActiveArmor          | Any user                                                                 | Any user with the correct password and IP address/mask pair will be granted remote Web access with Administrator rights.
Firewall                          | Administrator only                                                       | Any user with the correct password and IP address/mask pair will be granted remote Web access with Administrator rights.
Ability to change access settings | Administrator only                                                       | NA


WMI Script
Default: Allow access
This field lets you specify whether to Allow or Deny WMI scripting access to the non-Administrator users. If disabled, no instances of WMI classes that are part of the NVIDIA namespace will be available through WMI script or other third-party WMI applications. Administrator users can always access WMI using scripts.

Local Web Access
Default: Local Web access is Allow.
This option allows or denies access to the Web interface from the local computer. If local Web access is denied, non-Administrator users cannot access the Network Access Manager. Regardless of this setting, users with Administrator privileges can always access the Web interface.

Remote Web Access
Default: Remote Web access is Deny.
Note: Communication between the remote Web client and Network Access Manager is protected by SSL. For maximum security, you are encouraged to disable remote Web access.

When connecting to the Web interface from a remote computer using the following command:

https://<computer name>:3476

type admin as the user name, as shown below:

username: admin
password: ______ (password is blank by default)

Note: The password for this account can be changed. The password must be less than 255 characters. Valid characters are a through z, A through Z, 0 through 9, and space.


Additional Notes
• Remote access to Network Access Manager is most suitable from a home environment.
• Remote access to Network Access Manager provides limited access to the IP address/mask and can also be restricted based on the IP address or subnet address.
• Remote Web access activities are stored in the Log.
• To view the log from the Web interface, select Log from the ActiveArmor Firewall > Information menu.
• To save unsuccessful remote Web access messages, follow these steps:
a From the Web interface, select Log Settings from the ActiveArmor Firewall > Information menu.
b Select the Resource, error, and warning option to log warning messages.
• To save successful remote Web access messages, follow these steps:
a Select the Resource, error, warning, and informational option.
b Select the Successful packets check box to insert a check mark.

Password
Default: No password—the password string is empty. When you enable remote Web access, you can set a password.
Note: The user name for remote access is “admin”.

IP Address and IP Address Mask — optional
Default: No IP address or mask
An IP address or a subnet (specified as a combination of an IP address and an IP address mask) can be used to restrict remote access to the computer such that access is limited to computers on the indicated IP subnet.
Note: To restrict access to only one computer, you can specify an IP address and no IP address mask. Specifying an IP address mask without an IP address is invalid.
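The Remote Web Access, Password and IP Address settings above define a small set of checks: the fixed admin user name, the blank default password, the password length and character rules, and the IP address/mask restriction with its single-computer and invalid cases. The following Python code is an added example, not part of the guide or the product. The function names, the warning strings and the use of a constant-time password comparison are the example’s own choices; it also flags two settings an administrator would want to review before enabling remote access: the default blank password, and the absence of any IP restriction.

```python
"""Model of the Remote Web Access settings described on this page.

Constructed illustration, not NVIDIA code. Taken from the guide: the fixed
user name "admin", the blank default password, the password rules (under 255
characters; a-z, A-Z, 0-9 and space), and the IP address / IP address mask
semantics (address alone = one computer; mask without address = invalid).
Function names and warning texts are assumptions made for this example.
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

REMOTE_USER = "admin"
PASSWORD_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789 ")


def password_is_valid(password: str) -> bool:
    """Guide rule: fewer than 255 characters, drawn only from PASSWORD_CHARS."""
    return len(password) < 255 and all(ch in PASSWORD_CHARS for ch in password)


@dataclass
class RemoteWebAccess:
    enabled: bool = False            # Default: Remote Web access is Deny
    password: str = ""               # Default: empty password string
    ip_address: Optional[str] = None # Default: no IP address
    ip_mask: Optional[str] = None    # Default: no mask


def validate(cfg: RemoteWebAccess) -> None:
    """Reject combinations the guide calls invalid; raise ValueError."""
    if cfg.ip_mask is not None and cfg.ip_address is None:
        raise ValueError("an IP address mask without an IP address is invalid")
    if not password_is_valid(cfg.password):
        raise ValueError("password violates the length or character rules")
    if cfg.ip_address is not None:
        ipaddress.ip_address(cfg.ip_address)        # malformed address raises
    if cfg.ip_mask is not None:
        ipaddress.ip_network(f"{cfg.ip_address}/{cfg.ip_mask}", strict=False)


def client_in_scope(cfg: RemoteWebAccess, client_ip: str) -> bool:
    """Apply the optional IP address / mask restriction to a client address."""
    if cfg.ip_address is None:
        return True                                  # no restriction configured
    client = ipaddress.ip_address(client_ip)
    if cfg.ip_mask is None:
        return client == ipaddress.ip_address(cfg.ip_address)  # one computer
    net = ipaddress.ip_network(f"{cfg.ip_address}/{cfg.ip_mask}", strict=False)
    return client in net


def remote_login_allowed(cfg: RemoteWebAccess, client_ip: str,
                         user: str, password: str) -> bool:
    """Would this remote client be granted the admin Web session?"""
    validate(cfg)
    if not cfg.enabled:
        return False
    if not client_in_scope(cfg, client_ip):
        return False
    if user != REMOTE_USER:
        return False
    # Constant-time comparison (example's choice) so the check does not leak
    # how many leading characters matched.
    return hmac.compare_digest(password.encode(), cfg.password.encode())


def configuration_warnings(cfg: RemoteWebAccess) -> List[str]:
    """Settings worth a second look before remote Web access goes live."""
    warnings = []
    if cfg.enabled and cfg.password == "":
        warnings.append("remote Web access is enabled with the blank default password")
    if cfg.enabled and cfg.ip_address is None:
        warnings.append("remote Web access is not restricted to an IP address or subnet")
    return warnings
```

With the guide’s defaults (`RemoteWebAccess()`) every remote login is refused because access is disabled; enabling it without also setting a password and an address restriction is what `configuration_warnings` reports.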


Restore Factory Defaults
Note: Only Administrator users can restore factory default values to the firewall.

1 Click Ethernet, Firewall, or ActiveArmor to enable one of these options:
• Click Ethernet to restore factory default values to all the Ethernet-related parameters.
• Click Firewall to restore factory default values to all the firewall-related parameters.
• Click ActiveArmor to restore factory default values to all the ActiveArmor parameters.

2 After you make a selection, click Start Restore to restore the selected factory default values. An alert appears asking you to confirm whether you want to wipe out your current settings and replace them with the default values.

3 To proceed, click OK. To cancel the operation, click Cancel.

Display Settings
The Display Settings page allows you to configure the font size for the pages and the refresh rate for the statistics pages.
Note: You can also view tooltip Help when you move the mouse over a parameter name.
• Statistics refresh rate (Min 1, Max 65535) controls the refresh rate of all the statistics pages in the Web interface.
  • Range of values: 1 to 65535 seconds
  • Default: 10 seconds
• Font size controls the font size used in the Web interface. The options are:
  • Default font
  • Small font
Note: Click Apply for the changes to take effect.


Backup/Restore
The Backup/Restore page allows you to back up your configuration to a file or restore your configuration from a file you specify.
• Click Backup to launch the “Backup Configuration” page described below, which will allow you to back up your configuration to a file.
• Click Restore to launch the “Restore User Configuration” page described below, which will allow you to restore the configuration you have backed up in a file.

Backup Configuration
The Backup Configuration page will allow you to export the current configuration into a file. You can select the filename and also provide a brief description to be added to the top of the file. Once the backup is completed, a link to the file will be provided. You can right-click on the link and save the file to any folder you want.
Note: Only Administrator users can back up the firewall configuration.
• Backup filename is the filename of the backup file created.
Note: The default file name is export.txt.
• Description. You can enter a short description of the configuration you are backing up. This description will be added to the top of the file along with the date and time of the backup.
• Configuration. You can choose any combination of the Ethernet, Firewall, and ActiveArmor components to back up.
Note: If you don't choose one of the components, you will get an empty backup file.
• Backup. Click Backup to start backing up the configuration settings for the selected components.

Restore User Configuration
Note: Only Administrator users can restore the firewall configuration.
The Restore User Configuration page lets you restore or import the configuration settings from a backup file, which will replace all your current configuration with the values in the file.
• Configuration File to Upload. Browse the folders in your computer and choose the backup file with the configuration you want to restore.


Note: If you don’t specify a file, the last configuration you exported will be restored.

• Restore. Click Restore to restore the configuration values contained in the specified file.
Note: A warning will be displayed indicating that the network interface might have to be restarted for these settings to take effect. You might lose the connection to the server but can get back to the page by clicking Refresh once the changes are applied. To proceed, click OK; to cancel the operation, click Cancel.

At the end of the restore operation, a log appears indicating any errors in the restore operation. You can restore the previous settings by clicking Restore Backup.

ForceWare Network Access Manager Software Version
From the main ForceWare Network Access Manager menu, click Administration - Software Version to display the Network Access Manager Software Version page. This page displays the version information for all the ForceWare Network Access Manager files installed on this computer, that is, the NVIDIA networking software you have installed, which includes the NVIDIA display and networking drivers, ActiveArmor, and Network Access Manager.


CHAPTER 7

USING WMI SCRIPT

Before You Begin
Using the WMI script language is recommended only for Administrators who are already familiar with programming in WMI script and who have become familiar with the syntax and characteristics of the configuration parameters—see “Ethernet Parameters Reference” on page A-104 and “ActiveArmor Firewall Parameters Reference” on page B-143.
Note: For further information, you may want to consult the Microsoft documentation on WMI scripting.

Benefits of Using WMI Script
WMI script programming is being used by the IT staff of larger corporations to carry out day-to-day maintenance work. The overall benefits of using WMI scripts include:
• Industry standard—WMI can be implemented using languages such as Visual Basic Script and JavaScript.
• Ease of use
• Common scripts—allow access to NVIDIA ForceWare Network Access Manager data.
• Flexibility—The WMI script user can utilize the power of the script languages to meet almost any requirements. For example, as an Administrator, you can write a WMI script to scan for Yahoo Messenger on a computer and open the appropriate port if the computer user has sufficient rights.


• Remote use—you can run WMI script remotely and use it as a deployment tool in an organization. See “Configuration Deployment” on page 30.

Overview
WMI technology is Microsoft Windows’ implementation of Web-Based Enterprise Management (WBEM), an industry standard for management infrastructure that supports the Common Information Model (CIM), the Managed Object Format (MOF), and a common programming interface. WMI consists of a management infrastructure (the CIM object manager) and WMI custom Providers that communicate with each other through a common programming interface using the Component Object Model (COM). The WMI technology also provides support for third-party Custom Providers. Custom Providers can be used to service requests related to managed objects that are environment-specific. Providers typically do the following:
• Use the MOF language to define and create classes.
• Use the WMI API to
  • access the CIM Object Manager (CIMOM) object repository
  • respond to CIMOM requests made initially by applications.

The ForceWare Network Access Manager solution supports
• CIM extension schemas
• Custom Providers.
For further details, see the following Web site: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmi/html/wmiscript.asp

Advanced Topics

NVIDIA Namespace
NVIDIA ForceWare Network Access Manager classes are located under the root/NVIDIA namespace in the WMI repository.
Note: It is strongly recommended that you do not modify anything in the NVIDIA namespace; for example, do not add or remove classes, or


CHAPTER 8

USING THE NVIDIA COMMAND LINE INTERFACE (NCLI)

Conventions Used
Text in “code” font (this is code font) means it is text that is displayed on your screen. Text in bold “code” font (bold code font) indicates text you type on your computer.

About Examples Used
Examples are used to show how to use the nCLI (NVIDIA Command Line Interface) command and parameters in “Expert” mode (not Interactive mode) to configure some of the networking features of the ForceWare Network Access Manager application. You can simplify the examples to suit your needs.
Note: Examples are also provided in the samples subdirectory, under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or your user-specified path.

Parameters
The nCLI command accepts the following classes of parameters:
• Single parameters contain a single value of some type.
• Table parameters contain data grouped in rows. Each row follows a fixed structure. You can only perform row operations on tables.


• Group parameters. Group get is useful in that you can view the value of all parameters inside a group with one command.

• Namespace parameters are a collection of tables and other parameters. Namespace is a way to group parameters. You can only browse into a namespace. No Set or Get commands are allowed on namespace parameters.

Modes of Operation
You can run nCLI in either “Expert Mode” or “Interactive Mode”. nCLI also supports import/export functions and expert commands grouped in batch files. The key difference between expert mode and interactive mode is whether control is switched back to the command prompt when a command has completed.

Expert Mode
In expert mode, control is switched back to the command prompt after a command has completed executing. From the command prompt, if you type ncli followed by a parameter, you exit to the command prompt after the command has completed.

Interactive Mode
In interactive mode, control remains in nCLI until you type quit to exit nCLI. You remain in the nCLI shell during interactive operations. You can enter interactive mode in two ways:

First Method

1 From the command prompt, type ncli and press Enter.

The nCLI command prompt (nCLI>) appears to indicate nCLI is ready to accept a command.

2 You can now type commands in the nCLI mode without having to prefix the keyword ncli.

Second Method
Enter an incomplete command from the command prompt. For example:

ncli set ASFSupport


nCLI automatically enters interactive mode. When this command completes, you will exit to the command prompt.

Using Single Parameters

Get and Set are the two most frequently used nCLI operations.

• Get is used to retrieve the setting of a parameter and can be invoked on single, group, and table parameters.

• Set is used to change or update the current setting of a parameter. It can be used in “expert” mode, where the command is done in one line, or it can be used in “interactive” mode.

Single parameter Get and Set operations are discussed with examples in the sections that follow.

Set

Using the Set command in expert mode is intended for expert users to set a single parameter on a single computer. Using expert set requires knowing the correct (error-free) format or selection for the parameter and, therefore, requires familiarity with the distinguished name of the single parameter. Some frequently set parameters, such as ASFSupport enable or ASFSupport disable, are usually set using expert mode.

Note: These commands can also be included in script or batch files.

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set ASFSupport enable

Set

Using interactive set requires less prior knowledge of the parameter. In the following case, the parameter to be set, FwlDHCPServer, is a selection, so the two choices are shown to help you select a value.

Example — (Interactive Mode)

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA Network Management Framework Version 01.00

ncli>set fwldhcpserver


FwlDHCPServer:

1 Disable

2 Enable

choose one(Enable): 1

ncli>quit

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>

Get

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get ASFSupport

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ASFSupport enable

Example — (Interactive Mode)

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA Network Management Framework Version 01.00

ncli>get nv_fwlstat

FwlStatICMPInPktsAllowed 29303

FwlStatICMPInPktsDenied 19203

FwlStatICMPOutPktsAllowed 783847

FwlStatICMPOutPktsDenied 37487

FwlStatOtherInPktsAllowed 949849

FwlStatOtherInPktsDenied 389238

FwlStatOtherOutPktsAllowed 34343

FwlStatOtherOutPktsDenied 343423893

FwlStatTCPInConnectionsAllowed 123124

FwlStatTCPInConnectionsDenied 999999

FwlStatTCPInPktsAllowed 44444444049

FwlStatTCPInPktsDenied 9

FwlStatTCPOutConnectionsAllowed 10202

FwlStatTCPOutConnectionsDenied 37437

FwlStatTCPOutPktsAllowed 0

FwlStatTCPOutPktsDenied 3243244012


FwlStatUDPInConnectionsAllowed 405

FwlStatUDPInConnectionsDenied 4046

FwlStatUDPInPktsAllowed 34343

FwlStatUDPInPktsDenied 2222

FwlStatUDPOutConnectionsAllowed 4047

FwlStatUDPOutConnectionsDenied 440040048

FwlStatUDPOutPktsAllowed 4444

FwlStatUDPOutPktsDenied 5555

ncli>quit
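The output of a single-parameter get (ASFSupport enable) and of a group get (nv_fwlstat) is the same flat "Name value" text under one banner line, so one parser covers both. The following is an added example, not NVIDIA's code: it parses that text and summarises the NV_FwlStat counters by protocol, direction and counter kind so that a sudden change in the denied share can be spotted in a scheduled check. The sample text is constructed from the session above, and the 50% denied threshold is this example's own choice.

```python
"""Parse `ncli get` output and summarise the NV_FwlStat firewall counters.
Added example, not NVIDIA's code; the sample output is constructed from the
interactive session shown in this section."""

import re
from collections import defaultdict

# Constructed from the `get nv_fwlstat` session above (banner line included).
SAMPLE_GET_OUTPUT = """NVIDIA Network Management Framework Version 01.00
FwlStatICMPInPktsAllowed 29303
FwlStatICMPInPktsDenied 19203
FwlStatICMPOutPktsAllowed 783847
FwlStatICMPOutPktsDenied 37487
FwlStatOtherInPktsAllowed 949849
FwlStatOtherInPktsDenied 389238
FwlStatOtherOutPktsAllowed 34343
FwlStatOtherOutPktsDenied 343423893
FwlStatTCPInConnectionsAllowed 123124
FwlStatTCPInConnectionsDenied 999999
FwlStatTCPInPktsAllowed 44444444049
FwlStatTCPInPktsDenied 9
FwlStatTCPOutConnectionsAllowed 10202
FwlStatTCPOutConnectionsDenied 37437
FwlStatTCPOutPktsAllowed 0
FwlStatTCPOutPktsDenied 3243244012
FwlStatUDPInConnectionsAllowed 405
FwlStatUDPInConnectionsDenied 4046
FwlStatUDPInPktsAllowed 34343
FwlStatUDPInPktsDenied 2222
FwlStatUDPOutConnectionsAllowed 4047
FwlStatUDPOutConnectionsDenied 440040048
FwlStatUDPOutPktsAllowed 4444
FwlStatUDPOutPktsDenied 5555
"""


def parse_get_output(text):
    """Return {parameter: value} from `ncli get` output.

    The first line is the framework banner; every other non-empty line is
    '<Name> <value>', and the value may itself contain spaces.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("NVIDIA "):
            continue
        name, _, value = line.partition(" ")
        values[name] = value
    return values


# Counter names are FwlStat<proto><direction><kind><verdict>.
STAT_RE = re.compile(
    r"^FwlStat(?P<proto>ICMP|Other|TCP|UDP)(?P<dir>In|Out)"
    r"(?P<kind>Pkts|Connections)(?P<verdict>Allowed|Denied)$"
)


def summarise_firewall_stats(values):
    """Group Allowed/Denied counters by (protocol, direction, kind)."""
    buckets = defaultdict(dict)
    for name, value in values.items():
        m = STAT_RE.match(name)
        if m:
            buckets[(m["proto"], m["dir"], m["kind"])][m["verdict"]] = int(value)
    summary = {}
    for key, counts in buckets.items():
        allowed, denied = counts.get("Allowed", 0), counts.get("Denied", 0)
        total = allowed + denied
        summary[key] = {"allowed": allowed, "denied": denied,
                        "denied_ratio": denied / total if total else 0.0}
    return summary


def flag_high_denial(summary, threshold=0.5):
    """Buckets whose denied share exceeds the threshold, most denied first."""
    flagged = [(key, s["denied_ratio"]) for key, s in summary.items()
               if s["denied_ratio"] > threshold]
    return sorted(flagged, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    stats = summarise_firewall_stats(parse_get_output(SAMPLE_GET_OUTPUT))
    for (proto, direction, kind), ratio in flag_high_denial(stats):
        print(f"{proto} {direction} {kind}: {ratio:.1%} denied")
```

Run against real output, the same parser reads the single-parameter form too (`ncli get ASFSupport` yields one entry); the ratios are only meaningful when compared with an earlier baseline from the same machine, since the counters are cumulative.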

Help

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli help ASFSupport

NVIDIA ForceWare Network Access Manager Framework Version 01.00

Enable or disable ASF (Alert Standard Format). ASF is an industry specification that defines alerting capability in both OS-present and OS-absent environments.

Using Table Parameters

A table is a collection of groups (rows) that share the same fields (columns). Tables are frequently used to store the settings for firewall rules, filters, and statistics. Each row inside the table is uniquely identified by a key. A key is composed of one or more fields of a row.

Interactive and Expert Commands

nCLI supports both interactive and expert operations on tables.

• Interactive mode is recommended for average users.

• Expert operations on tables are usually executed through batch files. Expert users can also use the export/import method and a text file to set up tables quickly.

Note: Only expert users need to know the key format and composition.


Expert Commands

Due to their inherent complexity, expert commands are not as intuitive as interactive commands. The syntax of an expert command is shown below. Examples are also provided in the samples subdirectory, under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or your user-specified path.

Syntax

ncli addrow <tablename> "<column1>=<column1value>,<column2>=<column2value>,..."

ncli editrow "<tablename>.<key1>=<key1value>,<key2>=<key2value>,..." "<column1>=<column1value>,<column2>=<column2value>,..."

ncli delrow "<tablename>.<key1>=<key1value>,<key2>=<key2value>,..."

Examples

In the examples in this section:

• A new row for IPv6 EtherType is added and initially set to Allow.

• The table is then edited with the IPv6 EtherType rule set to Deny.

• Finally, the entire row is deleted.

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType "EtherType=34525,EtherTypeName=IPv6,EtherTypeRule=Allow"

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli editrow "NV_FwlEtherType.EtherType=34525" "EtherType=34525,EtherTypeName=IPv6,EtherTypeRule=Deny"

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli delrow NV_FwlEtherType.EtherType=34525
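Expert table commands are meant to be collected in batch files, and getting the quoting and the key format right by hand is where such files go wrong. The following is an added example, not NVIDIA's code: it renders addrow, editrow and delrow lines in the syntax shown above (the key list and the column list are each one double-quoted argument so that cmd.exe does not split them at the commas), validates an NV_FwlEtherType row before it is sent, and derives the minimal set of commands that turns a current table into a desired one. The reconciliation helper and the sample tables are this example's own additions; the IPv6 row it produces mirrors the page's own example.

```python
"""Render expert-mode nCLI table commands for batch files.  Added example,
not NVIDIA's code; the sample tables below are constructed."""

ALLOWED_RULES = ("Allow", "Deny")


def _kv_list(fields):
    """'col1=val1,col2=val2' in the order the dict gives."""
    return ",".join(f"{name}={value}" for name, value in fields.items())


def validate_ethertype_row(row):
    """Reject rows that are syntactically fine but make no sense in
    NV_FwlEtherType: EtherType is a 16-bit field, the rule is Allow/Deny,
    and a name containing ',' or '=' would corrupt the column list."""
    ethertype = int(row["EtherType"])
    if not 0 <= ethertype <= 0xFFFF:
        raise ValueError(f"EtherType {ethertype} is not a 16-bit value")
    if row["EtherTypeRule"] not in ALLOWED_RULES:
        raise ValueError(f"EtherTypeRule must be one of {ALLOWED_RULES}")
    if any(ch in row["EtherTypeName"] for ch in ',="'):
        raise ValueError("EtherTypeName must not contain ',', '=' or '\"'")
    return row


def addrow(table, columns):
    return f'ncli addrow {table} "{_kv_list(columns)}"'


def editrow(table, keys, columns):
    return f'ncli editrow "{table}.{_kv_list(keys)}" "{_kv_list(columns)}"'


def delrow(table, keys):
    return f'ncli delrow "{table}.{_kv_list(keys)}"'


def reconcile_ethertype_table(current, desired, table="NV_FwlEtherType"):
    """Commands that turn `current` into `desired`.

    Both are lists of row dicts with EtherType, EtherTypeName and
    EtherTypeRule; EtherType is the row key, as in the examples above.
    Rows missing from `desired` are deleted, changed rows are edited in
    place, and new rows are added.
    """
    have = {int(r["EtherType"]): r for r in current}
    want = {int(validate_ethertype_row(r)["EtherType"]): r for r in desired}
    commands = []
    for key in sorted(have.keys() - want.keys()):
        commands.append(delrow(table, {"EtherType": key}))
    for key in sorted(want):
        row = want[key]
        if key not in have:
            commands.append(addrow(table, row))
        elif have[key] != row:
            commands.append(editrow(table, {"EtherType": key}, row))
    return commands


# Constructed sample: the two-row table shown in this chapter, to be
# extended with an explicit Deny for IPv6 (EtherType 34525).
CURRENT_TABLE = [
    {"EtherType": "2048", "EtherTypeName": "IP", "EtherTypeRule": "Allow"},
    {"EtherType": "2054", "EtherTypeName": "ARP", "EtherTypeRule": "Allow"},
]
DESIRED_TABLE = CURRENT_TABLE + [
    {"EtherType": "34525", "EtherTypeName": "IPv6", "EtherTypeRule": "Deny"},
]

if __name__ == "__main__":
    # Each printed line can be pasted into a batch file as-is.
    for line in reconcile_ethertype_table(CURRENT_TABLE, DESIRED_TABLE):
        print(line)
```

Because the desired table is data rather than a hand-written command sequence, the same script can be re-run after a get on the table to confirm that nothing is left to change.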

Add Row

The following example shows how to add three rows to an empty table (NV_FwlEtherType), edit the table (see “Edit Row” on page 94), and then delete (see “Delete Row” on page 94) one row.

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

EtherType:2048


EtherTypeName:IP

EtherTypeRule

1 Deny

2 Allow

choose one: 2

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

EtherType:2054

EtherTypeName:ARP

EtherTypeRule

1 Deny

2 Allow

choose one: 2

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

EtherType:32923

EtherTypeName:AppleTalk

EtherTypeRule

1 Deny

2 Allow

choose one: 1

Get Row

The command getrow displays table data one row at a time without any text being truncated.

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli getrow nv_fwlapp

. . .

. . . .


Example — (Interactive Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>getrow nv_fwlapp

FwlAppCheckSum 38297
FwlAppCompany Microsoft Corporation
FwlAppCurrentLevels 16
FwlAppDescription LSA Shell (Export Version)
FwlAppName lsass.exe
FwlAppPath c:\windows\system32\lsass.exe
FwlAppRiskLevels 75492
FwlAppRule Allow
FwlAppRulePrompt false
FwlAppVersion 5.1.2600.1106 (xpsp1.020828-1920)

Press Enter to see the next row
Press 'q' followed by Enter to exit:

FwlAppCheckSum 462721
FwlAppCompany Trend Micro Inc.
FwlAppCurrentLevels 8
FwlAppDescription
FwlAppName tmlisten.exe
FwlAppPath c:\officescan nt\tmlisten.exe
FwlAppRiskLevels 75492
FwlAppRule Allow
FwlAppRulePrompt false
FwlAppVersion 6.5.0.1030

Press Enter to see the next row
Press 'q' followed by Enter to exit:
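The getrow output above is the application rule table (NV_FwlApp) one record per page, which makes it the natural input for a periodic review of which programs the firewall lets through without asking. The following is an added example, not NVIDIA's code: it splits the paged output into one dict per row, using the two "Press ..." prompt lines as the record terminator, and lists the rules that allow an application silently and the allowed binaries that live outside a set of trusted directories. The sample text is constructed from the session above; the trusted-directory list is this example's own assumption.

```python
"""Parse paged `ncli getrow nv_fwlapp` output and pick out the application
rules an auditor would review first.  Added example, not NVIDIA's code; the
sample below is constructed from the session shown in this section."""

# Constructed sample: two rows, each terminated by the two prompt lines.
SAMPLE_GETROW = r"""NVIDIA ForceWare Network Access Manager Framework Version 01.00
FwlAppCheckSum 38297
FwlAppCompany Microsoft Corporation
FwlAppCurrentLevels 16
FwlAppDescription LSA Shell (Export Version)
FwlAppName lsass.exe
FwlAppPath c:\windows\system32\lsass.exe
FwlAppRiskLevels 75492
FwlAppRule Allow
FwlAppRulePrompt false
FwlAppVersion 5.1.2600.1106 (xpsp1.020828-1920)
Press Enter to see the next row
Press 'q' followed by Enter to exit:
FwlAppCheckSum 462721
FwlAppCompany Trend Micro Inc.
FwlAppCurrentLevels 8
FwlAppDescription
FwlAppName tmlisten.exe
FwlAppPath c:\officescan nt\tmlisten.exe
FwlAppRiskLevels 75492
FwlAppRule Allow
FwlAppRulePrompt false
FwlAppVersion 6.5.0.1030
Press Enter to see the next row
Press 'q' followed by Enter to exit:
"""


def parse_getrow_output(text):
    """One dict per row.  A 'Name value' line adds a field to the current
    row (an empty value, as in FwlAppDescription above, is kept as '');
    a prompt line closes the row."""
    rows, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("NVIDIA "):
            continue
        if line.startswith("Press "):
            if current:
                rows.append(current)
                current = {}
            continue
        name, _, value = line.partition(" ")
        current[name] = value
    if current:  # last row if the output ended without a prompt
        rows.append(current)
    return rows


def silent_allow_rules(rows):
    """Rules that allow the application without ever prompting the user."""
    return [r for r in rows
            if r.get("FwlAppRule") == "Allow"
            and r.get("FwlAppRulePrompt", "").lower() == "false"]


# Assumed trusted locations; adjust to the build you manage.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def rules_outside_trusted(rows, trusted_dirs=TRUSTED_DIRS):
    """Allowed binaries outside the trusted directories: the rows to look at
    first when an unexpected rule may have been added."""
    return [r for r in rows
            if r.get("FwlAppRule") == "Allow"
            and not r.get("FwlAppPath", "").lower().startswith(trusted_dirs)]


def audit_report(text):
    rows = parse_getrow_output(text)
    return {
        "rows": len(rows),
        "silent_allow": [r["FwlAppName"] for r in silent_allow_rules(rows)],
        "outside_trusted": [r["FwlAppPath"] for r in rules_outside_trusted(rows)],
    }


if __name__ == "__main__":
    print(audit_report(SAMPLE_GETROW))
```

FwlAppCheckSum is also worth keeping from one run to the next: a rule whose checksum changes while its path stays the same means the binary behind an existing Allow rule is no longer the one that was approved.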


Edit Row

After the three rows above have been added, the table looks like this:

# EtherType EtherTypeName EtherTypeRule
1 2048 IP Allow
2 2054 ARP Allow
3 32923 AppleTalk Deny

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli editrow NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

Select a row to edit: 3

EtherType(32923)=2056

EtherTypeName(AppleTalk)=Frame Relay ARP / Inverse ARP

EtherTypeRule:

1 Deny

2 Allow

choose one(Deny): 2

After the edit, the table looks like this:

# EtherType EtherTypeName EtherTypeRule
1 2048 IP Allow
2 2054 ARP Allow
3 2056 Frame Relay A.. Allow

Delete Row

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli delrow NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

Select a row to delete: 3

Are you sure? (y/n): Y

Help

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli help NV_FwlEtherType


NVIDIA ForceWare Network Access Manager Framework Version 01.00

Firewall rules for different Data Link Layer protocols

Firewall rules for different Data Link Layer protocols (identified by Ethernet type) including IP, IPX, NetBEUI, AppleTalk and other protocols.

Set Table

Invoking the nCLI set command on table parameters guides you through the different operations that can be performed on a table. In the following example, a row is added to the table, then edited, and finally deleted.

Note: The Set table command does not require you to know the addRow, delRow, and editRow command names.

Examples — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):A

EtherType:32923

EtherTypeName:AppleTalk

EtherTypeRule

1 Deny

2 Allow

choose one: 1

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):E

EtherType(32923)=33079

EtherTypeName(AppleTalk)=IPX

EtherTypeRule:

1 Deny

2 Allow

choose one(Deny): 2


After the edit, the table looks like this:

# EtherType EtherTypeName EtherTypeRule
1 2048 IP Allow
2 2054 ARP Allow
3 33079 IPX Allow

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):D

Select a row to delete: 3

Are you sure? (y/n): y

Get Table

Example — (Expert Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get NV_FwlEtherType

NVIDIA ForceWare Network Access Manager Framework Version 01.00

# EtherType EtherTypeName EtherTypeRule
1 2048 IP Allow
2 2054 ARP Allow

About Other Table Commands

Note: The purge command deletes all the rows in the table, i.e., the entire table. Use this command cautiously.

Note: If the table has read-only access, the purge action will fail.

Syntax

purge <tablename>

Browsing the Parameter Structure

The ForceWare networking parameters are organized in a tree structure, which you can explore. The browsing capability of nCLI is a powerful tool for non-expert use, since you do not have to know a parameter’s distinguished name before using the command.


List

The ls or dir command lists the children of the current parameter, as shown in the next example.

Example — (Interactive Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>ls

NS_Eth

NS_NvConfig

NS_Firewall

NS_UserLog

NS_Security

ncli>ls ns_eth

NS_EthStat

NS_EthConfig

NS_ASF

NV_DriverRestartCmd

NV_DriverRestartFlag

ncli>

Changing Directory

The cd command lets you browse through the parameter tree structure.

Example 1 — (Interactive Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>ls

NS_Eth

NS_NvConfig

NS_Firewall

NS_UserLog


NS_Security

ncli>cd NS_Eth

ncli>ls

NS_EthStat

NS_EthConfig

NS_ASF

NV_DriverRestartCmd

NV_DriverRestartFlag

ncli>cd ns_ethstat

ncli>ls

NV_NetworkGenStat

NV_EthStat

ncli>

Example 2 — (Interactive Mode)

Invoking the cd command by itself will bring you to the root level, as shown in the following example.

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>cd ns_eth

ncli>cd ns_ethstat

ncli>cd

ncli>

Each ForceWare Network Access Manager parameter has a unique name, which can be used within ncli> to access each individual parameter. Therefore, you do not need the complete path to get to a single parameter. The example below shows how this can help you quickly access a parameter.

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>cd ASFSupport

ncli>pwd

<root>/NS_Eth/NS_ASF/NV_ASF/ASFSupport

ncli>


Current Working Directory

The pwd command is used to display the path to the current parameter.

Example — (Interactive Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>cd ns_ethstat

ncli>pwd

<root>/NS_Eth/NS_EthStat

ncli>cd

ncli>pwd

<root>

ncli>
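The ls, cd and pwd sessions above show three rules that matter when you script against the tree: names are matched case-insensitively (cd ns_eth lands in NS_Eth), a bare cd returns to the root, and because every parameter name is unique, cd ASFSupport works from anywhere and pwd then prints the full path. The following is an added example, not NVIDIA's code, that models a tree containing only the names these sessions reveal and implements those three rules; the preference for a child of the current parameter over a same-named parameter elsewhere is this example's own assumption, since the sessions never show a conflict.

```python
"""A model of the parameter tree that nCLI's ls/cd/pwd commands walk.
Added example, not NVIDIA's code; the tree holds only names that appear
in this chapter's sessions.  `None` marks a single parameter (a leaf)."""


# Constructed from the ls/cd/pwd sessions above.  NV_ASF is the group that
# the `cd ASFSupport` example's pwd output reveals.
TREE = {
    "NS_Eth": {
        "NS_EthStat": {"NV_NetworkGenStat": {}, "NV_EthStat": {}},
        "NS_EthConfig": {},
        "NS_ASF": {"NV_ASF": {"ASFSupport": None}},
        "NV_DriverRestartCmd": None,
        "NV_DriverRestartFlag": None,
    },
    "NS_NvConfig": {},
    "NS_Firewall": {},
    "NS_UserLog": {},
    "NS_Security": {},
}


class ParameterShell:
    def __init__(self, tree):
        self.tree = tree
        self.path = []      # names from the root to the current parameter
        self.index = {}     # lowercased name -> every full path with that name
        self._index(tree, [])

    def _index(self, node, prefix):
        for name, child in node.items():
            full = prefix + [name]
            self.index.setdefault(name.lower(), []).append(full)
            if isinstance(child, dict):
                self._index(child, full)

    def _node(self, path):
        node = self.tree
        for name in path:
            node = node[name]
        return node

    def pwd(self):
        return "<root>" + "".join("/" + name for name in self.path)

    def ls(self, name=None):
        """Children of the current parameter (or of `name`); a leaf has none."""
        target = self.path if name is None else self._resolve(name)
        node = self._node(target)
        return list(node) if isinstance(node, dict) else []

    def cd(self, name=None):
        """Bare cd returns to the root; otherwise move to `name` and return pwd."""
        self.path = [] if name is None else self._resolve(name)
        return self.pwd()

    def _resolve(self, name):
        # A child of the current parameter wins (assumption); otherwise the
        # name must identify exactly one parameter anywhere in the tree.
        children = self._node(self.path)
        if isinstance(children, dict):
            for child in children:
                if child.lower() == name.lower():
                    return self.path + [child]
        matches = self.index.get(name.lower(), [])
        if len(matches) != 1:
            raise KeyError(f"{name!r}: {'ambiguous' if matches else 'not found'}")
        return matches[0]


if __name__ == "__main__":
    shell = ParameterShell(TREE)
    print(shell.ls())
    print(shell.cd("ASFSupport"), shell.pwd())
```

The index built in the constructor is what makes the "unique name from anywhere" lookup cheap; it is also the place to detect that an extended tree (for instance with NS_Eth1 and its own NS_EthConfig, as the multiple-interface section later describes) no longer has unique leaf names, in which case the full path is required.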

Context-Sensitive Operations

The ls, cd, and pwd commands allow you to browse through the parameters. When you have entered a current parameter, all the operations you invoke will be in the context of that parameter.

Example — (Interactive Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>cd NV_FwlEtherType

ncli>get

EtherType EtherTypeName EtherTypeRule
2048 IP Allow
2054 ARP Allow

ncli>help

Firewall rules for different Data Link Layer protocols

Firewall rules for different Data Link Layer protocols (identified by Ethernet type) including IP, IPX, NetBEUI, AppleTalk and other protocols.


ncli>addrow

EtherType:2056

EtherTypeName:FrameRelay ARP/Inverse IP

EtherTypeRule

1 Deny

2 Allow

choose one: 2

ncli>get

# EtherType EtherTypeName EtherTypeRule
1 2048 IP Allow
2 2054 ARP Allow
3 2056 FrameRelay AR.. Allow

ncli>

Text File Processing

Text file processing is intended for expert users to quickly update complex parameters and perform large configurations. For example, from the nCLI command line, interactive settings can only be performed on tables; text file processing offers an alternative that presents the Get and Set parameter values in a flat text format.

Export

Export files follow a standard format that makes them compatible with Web-based management. That is, export files from nCLI can be imported using the Web-based management, and export files from Web-based management can be imported using nCLI.

Syntax

export /f <filename> <parameter_name>

Note: Either one or both of /f <filename> and <parameter_name> may be omitted.

If /f <filename> is omitted, the output of the export will be stored in frontend\backup\cliexport.txt under the directory where the ForceWare Network Access Manager software is installed.


If <parameter_name> is omitted, only the current parameter and its children will be exported. An example is shown below.

Example 1 — (Interactive Mode)

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>export

............................................................

.....Finished

ncli>

Example 2 — (Interactive Mode)

Selective export allows you to export only the parameter branch specified. The sample command below can be used to export only the ns_xxxx namespace.

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli export /f c:\xxxx_export.txt ns_xxxx

NVIDIA ForceWare Network Access Manager Framework Version 01.00

..Finished

Example 3 — (Interactive Mode)

nCLI enables you to browse into a parameter branch and export it. The sample commands below can be used to export only the NS_Eth branch.

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli

NVIDIA ForceWare Network Access Manager Framework Version 01.00

ncli>cd ns_eth

ncli>export

ncli>

Import

Before importing new parameter settings, the old parameter settings are backed up to prevent any problems during import that could throw the system into an unknown state. If necessary, the backup file can be used to restore the system to the previous state.


Note: If nCLI encounters problems in importing parameters, it will stop processing and instruct you to restore the previous state. Use the restore command to return to the previous state.

Syntax

import /f <filename>

If /f <filename> is omitted, the default file frontend\backup\cliexport.txt under the directory where the ForceWare Network Access Manager software is installed will be read and imported.

Support for Multiple Ethernet Interfaces

Some systems have multiple NVIDIA Ethernet interfaces. Using nCLI, you can specify the command for an interface by entering the full path of the parameter, including the namespace.

Note: The namespace for the first Ethernet interface is NS_Eth. The namespaces for the second, third and fourth Ethernet interfaces are NS_Eth1, NS_Eth2, and NS_Eth3.

Example 1

To get Ethernet information on the second Ethernet interface, the command is:

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get NS_Eth2\NS_EthConfig:NV_Eth_Jumbo.EthJumboSize

NVIDIA ForceWare Network Access Manager Framework Version 01.00

EthJumboSize 1500

Example 2

To get Ethernet information on the second Ethernet interface, the command is:

c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get NS_Eth1\NS_EthConfig:NV_EthInfo

NVIDIA ForceWare Network Access Manager Framework Version 01.00

EthAddressPermanent 00:12:34:56:78:9A

EthConnectStatus Connected

EthDuplex Full Duplex

EthLinkMaxSpeed 1000

EthLinkSpeed 1000

EthPromiscuous Enable
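When several NVIDIA interfaces are present, the unique-name shortcut from the browsing section no longer helps, and the full distinguished name has to be spelled out for each interface. The following is an added example, not NVIDIA's code: it builds those names from an interface number using the numbering in the Note above (NS_Eth, NS_Eth1, NS_Eth2, NS_Eth3) and the separators seen in the two get commands here (a backslash between namespaces, a colon before the group, a dot before the single parameter), and then checks each interface's NV_EthInfo output for EthPromiscuous Enable, the one value in the output above that a security review should not let pass unnoticed. The sample outputs, including their MAC addresses, are constructed.

```python
r"""Address a parameter on a specific NVIDIA Ethernet interface and check
every interface's NV_EthInfo for promiscuous mode.  Added example, not
NVIDIA's code; the sample outputs are constructed."""


def interface_namespace(index):
    """Interface 1 -> NS_Eth, 2 -> NS_Eth1, 3 -> NS_Eth2, 4 -> NS_Eth3
    (numbering taken from the Note above)."""
    if index < 1:
        raise ValueError("interfaces are numbered from 1")
    return "NS_Eth" if index == 1 else f"NS_Eth{index - 1}"


def parameter_path(interface, group, single=None, namespace="NS_EthConfig"):
    r"""Full distinguished name, e.g. NS_Eth1\NS_EthConfig:NV_EthInfo or
    NS_Eth2\NS_EthConfig:NV_Eth_Jumbo.EthJumboSize."""
    path = f"{interface_namespace(interface)}\\{namespace}:{group}"
    return path if single is None else f"{path}.{single}"


def get_command(interface, group, single=None):
    return f"ncli get {parameter_path(interface, group, single)}"


# Constructed sample of what `ncli get <iface>\NS_EthConfig:NV_EthInfo`
# returns for two interfaces (MAC addresses are made up).
SAMPLE_ETHINFO = {
    1: """NVIDIA ForceWare Network Access Manager Framework Version 01.00
EthAddressPermanent 00:12:34:56:78:9B
EthConnectStatus Connected
EthDuplex Full Duplex
EthLinkMaxSpeed 1000
EthLinkSpeed 1000
EthPromiscuous Disable
""",
    2: """NVIDIA ForceWare Network Access Manager Framework Version 01.00
EthAddressPermanent 00:12:34:56:78:9A
EthConnectStatus Connected
EthDuplex Full Duplex
EthLinkMaxSpeed 1000
EthLinkSpeed 1000
EthPromiscuous Enable
""",
}


def promiscuous_interfaces(ethinfo_by_interface):
    """Interface numbers whose EthPromiscuous value is Enable.  A NIC in
    promiscuous mode receives every frame on its segment, which is rarely
    intended on a workstation and is worth a ticket when it shows up."""
    found = []
    for index, text in ethinfo_by_interface.items():
        for line in text.splitlines():
            name, _, value = line.partition(" ")
            if name == "EthPromiscuous" and value.strip().lower() == "enable":
                found.append(index)
    return sorted(found)


if __name__ == "__main__":
    for n in (1, 2):
        print(get_command(n, "NV_EthInfo"))
    print("promiscuous:", promiscuous_interfaces(SAMPLE_ETHINFO))
```

In a scheduled check the two halves meet in the middle: run get_command for each interface number, feed the captured output into promiscuous_interfaces, and alert on a non-empty result.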


Glossary

See “Glossary” on page 201.


APPENDIX A

ETHERNET PARAMETERS REFERENCE

Note: For references to all the individual parameters, categorized by group, see the entries listed for this appendix (A. Ethernet Parameters Reference) in the “Table of Contents” on page iii.

Group: Remote Wakeup

Remote Wakeup

Parameter: WakeUp
Description: Enables or disables Ethernet remote wake up capability. When enabled, the user can remotely turn on the power of systems across the network. For example, a network administrator can use Remote Wake Up to perform after-hours maintenance from a remote location without requiring a technician to be physically present.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_EthWakeUp (group) > WakeUp (single)
Usage example: nCLI Set "WakeUp" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable or Enable


Remote Wakeup by Magic Packet

Parameter: WakeUpMagic
Description: Enables or disables the magic packet wake-up feature. When this feature is enabled, networked computers that are in a low power state receive the “magic packet” to wake up.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_EthWakeUp (group) > WakeUpMagic (single)
Usage example: nCLI Set "WakeUpMagic" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable

Remote Wakeup (Pattern Match)

Parameter: WakeUpPattern
Description: Enables or disables the pattern match remote wakeup feature. When this feature is enabled, networked computers that are in a low power state receive a packet that contains a pattern specified by the operating system's network protocol to wake up.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_EthWakeUp (group) > WakeUpPattern (single)
Usage example: nCLI Set "WakeUpPattern" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable


Remote Wakeup (Link State Change)

Parameter: WakeUpLink
Description: Enables or disables the WakeUpLink feature. A change in the link state refers to the connection or disconnection of the Ethernet network cable. When a networked computer is in a low power state, a change in the link state wakes up the computer.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_EthWakeUp (group) > WakeUpLink (single)
Usage example: nCLI Set "WakeUpLink" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable

Remote Wake Up from Hibernate or Shutdown

Parameter: WakeUpS4S5
Description: Enables or disables the Remote Wake Up from Hibernate or Shutdown feature. Hibernate means that all devices in a networked computer are turned off. This state is saved to the computer's hard disk and is then used for a fast startup. Shutdown means that the operating system will shut down and the BIOS will be re-initialized during wake up.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_EthWakeUp (group) > WakeUpS4S5 (single)
Usage example: nCLI Set "WakeUpS4S5" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable


Group: Protocol Offload

Checksum Offload

Parameter: EthOffloadChkSum
Description: Enables or disables the Ethernet checksum offload feature. Offloads increase system performance by offloading CPU-intensive TCP/IP tasks to hardware.
Comment: This feature is not supported by WMI scripting.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_Eth_Offload (group) > EthOffloadChkSum (single)
Usage example: nCLI Set "EthOffloadChkSum" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable

IPv4 Transmit Checksum Offload

Parameter: EthOffloadIPv4TxChkSum
Description: Enables or disables the IPv4 Transmit Checksum Offload feature. When this feature is enabled, the operating system passes the task of calculating IP (Internet Protocol) checksums for transmitted packets to the Ethernet hardware.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_Eth_Offload (group) > EthOffloadIPv4TxChkSum (single)
Usage example: nCLI Set "EthOffloadIPv4TxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable


IPv4 Receive Checksum Offload

Parameter: EthOffloadIPv4RxChkSum
Description: Enables or disables the IPv4 Receive Checksum Offload feature. When this feature is enabled, the operating system passes the task of calculating IP checksums for received packets to the Ethernet hardware.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_Eth_Offload (group) > EthOffloadIPv4RxChkSum (single)
Usage example: nCLI Set "EthOffloadIPv4RxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

UDP Transmit Checksum Offload

Parameter: EthOffloadUDPTxChkSum
Description: Enables or disables the UDP (User Datagram Protocol) Transmit Checksum Offload feature. When this feature is enabled, the operating system can use the Ethernet hardware to calculate UDP checksums for transmitted packets.
Comment: Not supported through WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_Eth_Offload (group) > EthOffloadUDPTxChkSum (single)
Usage example: nCLI Set "EthOffloadUDPTxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Enable, Disable


UDP Receive Checksum Offload

Parameter: EthOffloadUDPRxChkSum
Description: Enables or disables the UDP Receive Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate UDP checksums for received packets.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_Eth_Offload (group) > EthOffloadUDPRxChkSum (single)
Usage example: nCLI Set "EthOffloadUDPRxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

TCP Transmit Checksum Offload

Parameter: EthOffloadTCPTxChkSum
Description: Enables or disables the TCP Transmit Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate TCP checksums for transmitted packets.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: NS_Eth (namespace) > NS_EthConfig (namespace) > NV_Eth_Offload (group) > EthOffloadTCPTxChkSum (single)
Usage example: nCLI Set "EthOffloadTCPTxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable


TCP Receive Checksum Offload

TCP Large Send Offload

Parameter EthOffloadTCPRxChkSum

Description Enables or disables the TCP Receive Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate TCP checksums for received packets.

Comment This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Offload Single: EthOffloadTCPRxChkSum

Usage example: nCLI Set "EthOffloadTCPRxChkSum" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Parameter EthOffloadTxLargeSend

Description Enables or disables the TCP Large Send Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to segment large TCP packets into smaller packets. Note: This feature applies to packet transmissions only.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Offload Single: EthOffloadTxLargeSend

Usage example: nCLI Set "EthOffloadTxLargeSend" "Enable"

Access ReadWrite

Network restart Required.

Data type Selection

User selection Disable Enable


Group: Microsoft Operating System VLAN (Virtual LAN)

Microsoft Operating System VLAN

Parameter EthMSVLAN

Description Specifies the Virtual LAN (VLAN) ID returned by the Microsoft operating system. The VLAN ID is an identifier used by a networked computer to determine its associated VLAN. VLAN allows a set of networked computers to function as if they were not connected to the same wire even though they may be physically connected to the same segments of a Local Area Network (LAN).

Comment The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID settings. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_MSVLAN Single: EthMSVLAN

Usage example: nCLI Get "EthMSVLAN"

Access Read

Data type Number ( 32 bit )

Maximum value 4095 Minimum value 0


Group: VLAN (Virtual LAN)

VLAN Support

VLAN ID

Parameter EthVLAN

Description Enables or disables VLAN support. VLAN allows a network of computers to function as if they are not connected to the same wire even though they may be physically located on different segments of a LAN.

Comment The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID values. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_MSVLAN_Setting Single: EthVLAN

Usage example: nCLI Set "EthVLAN" "Disable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Parameter EthVLANID

Description The VLAN ID is an identifier used by a computer to determine its associated VLAN. A value of 0 (zero) means VLAN is disabled. VLAN allows a set of networked computers to function as if they were not connected to the same wire even though they may be physically connected to the same segments of a LAN.

Comment The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID values. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_MSVLAN_Setting Single: EthVLANID

Usage example: nCLI Set "EthVLANID" "0"

Access ReadWrite

Data type Number ( 32 bit )

Maximum value 4095 Minimum value: 0


Group: Jumbo Frame

Jumbo Frame Payload Size

Parameter EthJumboSize

Description Specifies the Ethernet jumbo frame payload size. Jumbo frames support larger Ethernet packet sizes to reduce server overhead and increase throughput. A payload size of 1,500 means Jumbo Frame is disabled.

Comment Jumbo frame is supported only when the connection speed is 1000 Mbps.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_EthJumbo Single: EthJumboSize

Usage example: nCLI Set "EthJumboSize" "1500"

Access ReadWrite

Network restart: Required.

Data type Selection

User selection 1500 2500 4500 9000


Group: Driver Optimization

Ethernet Driver Optimization

Parameter EthOptimization

Description Allows Ethernet driver optimization by adjusting Ethernet driver operating parameters to suit different needs.

Comment This parameter is not supported by WMI scripting. WMI script users need to configure each parameter individually in the Ethernet Performance class.

Hierarchy Namespace: NS_Eth Namespace: NS_Eth_Optimization

Group: NV_EthOptimization Single: EthOptimization

Usage example: nCLI Set "EthOptimization" "CPU Utilization"

Access ReadWrite

Data type Selection

User selection • CPU Utilization — Optimizes to lower the amount of CPU time spent processing network traffic. Note: This is the recommended and default setting. • Throughput — Maximizes the amount of network traffic sent and received. • Multimedia — Reduces the time spent per network interrupt so that time-critical media devices can be serviced.


Group: Ethernet Performance

Number of Receive Buffers

Number of Receive Buffer Descriptors

Parameter EthNoOfRxBuff

Description Specifies the number of receive buffers allocated by the NVIDIA Ethernet driver. Receive buffers are memory blocks used to store packets received from the network.

Comment For optimal performance, the number of receive buffers needs to be at least twice the number of receive descriptors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Performance Single: EthNoOfRxBuff

Usage example: nCLI Set "EthNoOfRxBuff" "512"

Access ReadWrite

Network connection: Restarting the network is required.

Data type Selection

User selection 2 4 8 16 32 64 128 256 512

Parameter EthNoOfRxDesc

Description Specifies the number of receive buffer descriptors available to the Ethernet hardware. This value determines the number of receive buffers that may be queued for the hardware.

Comment For optimal performance, the number of receive buffers needs to be set to at least twice the number of receive descriptors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Performance Single: EthNoOfRxDesc

Usage example: nCLI Set "EthNoOfRxDesc" "64"

Access ReadWrite

Network connection: Restarting the network is required.

Data type Selection

User selection 2 4 8 16 32 64 128 256


Number of Transmit Buffer Descriptors

Maximum Transmit Frames Queued

Parameter EthNoOfTxDesc

Description Specifies the number of transmit buffer descriptors available to the Ethernet hardware. This value determines the number of transmit buffers that may be queued for the hardware.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Performance Single: EthNoOfTxDesc

Usage example: nCLI Set "EthNoOfTxDesc" "256"

Access ReadWrite

Restart network Yes, required for setting to take effect.

Data type Selection

User selection 2 4 8 16 32 64 128 256 512 1024

Parameter EthMaxTxPktQueue

Description Specifies the maximum number of frames which may be queued by the Ethernet driver.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Performance Single: EthMaxTxPktQueue

Usage example: nCLI Set "EthMaxTxPktQueue" "1024"

Access ReadWrite

Network Connection: Restarting network is required.

Data type Selection

User selection 2 4 8 16 32 64 128 256 512 1024


Number of Receive Packets to Process per Interrupt

Number of Transmit Packet to Process per Interrupt

Parameter EthNoOfRxPktToProcessEachTime

Description Specifies the number of receive packets to process per interrupt.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Performance Single: EthNoOfRxPktToProcessEachTime

Usage example: nCLI Set "EthNoOfRxPktToProcessEachTime" "1280"

Access ReadWrite

Network connection: Restarting the network is required.

Data type Selection

User selection 10 20 40 80 160 320 640 1280

Parameter EthNoOfTxPktToProcessEachTime

Description Specifies the number of transmit packets to process per interrupt.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Performance Single: EthNoOfTxPktToProcessEachTime

Usage example: nCLI Set "EthNoOfTxPktToProcessEachTime" "1280"

Access ReadWrite

Network connection: Restarting the network is required.

Data type Selection

User selection 5 10 20 40 80 160 320 640 1280


Interrupt Interval

Group: Traffic Prioritization

IEEE 802.1p Support

Parameter EthPollingInterval

Description Specifies the time (in milliseconds) between hardware interrupts in the hardware polling mode.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Performance Single: EthPollingInterval

Usage example: nCLI Set "EthPollingInterval" "425"

Access ReadWrite

Network connection: Restarting the network is required.

Data type Selection

User selection 0 425

Parameter Eth8021p

Description Enables or disables Ethernet IEEE 802.1p support. IEEE 802.1p allows frames to be grouped into priority classes.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_8021p Single: Eth8021p

Usage example: nCLI Set "Eth8021p" "Disable"

Access ReadWrite

Network connection: Restarting the network is required.

Data type Selection

User selection • Disable • Enable


Group: Ethernet Speed/Duplex

Configurable Ethernet Speed/Duplex Settings

Parameter EthSpeed

Description Specifies the configurable Ethernet speed/duplex settings. Three types of configuration supported by the nForce built-in Ethernet controller are explained below:

• Full Autonegotiation — In this configuration, the link speed and duplex settings are adjusted automatically for maximum performance based on the advertised capabilities of both peer devices.

• Chosen Autonegotiation for a chosen speed and duplex setting — The Ethernet controller will perform autonegotiation but will only accept an outcome that matches the user selection; other possibilities will be ignored if they exist. Note: If the user-specified combination of speed and duplex is not supported, the link will not be established and the Ethernet controller will not drop down to the next lowest speed. Notes: Chosen Autonegotiation selections are listed in the “User selection” section of this table. For systems equipped with a Gigabit Ethernet PHY (physical layer transceiver), the Autonegotiate for 1000 Mbps selection is available. Otherwise, only the 100/10 Mbps selections are available. Autonegotiate for 1000 Mbps Half Duplex is not available as it is not supported by the nForce Ethernet controller.

• Forced Configuration to a chosen speed and duplex setting — The Ethernet controller will not perform autonegotiation but will be programmed according to the user specification, even if the peer device does not support the “forced configuration” setting. Forced Configuration is useful for situations where the network speed and duplex modes are static and the Ethernet controller settings have to be forced to match, or for situations in which the peer device may not properly support autonegotiation or may not support it at all. Also, when the nForce Ethernet controller is connected to a managed switch that can be configured for a particular speed and duplex setting, using the Forced Configuration setting avoids wasted time in autoconfiguration when the link is being established. Note: Regardless of the situation, you must be sure to configure both devices with the same link parameters. Notes: Forced Configuration selections are listed in the “User selection” section of this table. Force to 1000 Mbps full duplex is not an available selection because Gigabit Ethernet connections require autonegotiation.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Speed Single: EthSpeed

Usage example: nCLI Set "EthSpeed" "Full Autonegotiation"

Access ReadWrite

Restart network? Yes, required for changes to take effect.


Link Speed

Data type Selection

User selection • Full Autonegotiation

• Chosen Autonegotiation: • Autonegotiate for 1000 Mbps Full Duplex • Autonegotiate for 100 Mbps Full Duplex • Autonegotiate for 100 Mbps Half Duplex • Autonegotiate for 10 Mbps Full Duplex • Autonegotiate for 10 Mbps Half Duplex

• Forced Autonegotiation: • Force 100 Mbps Full Duplex • Force 100 Mbps Half Duplex • Force 10 Mbps Full Duplex • Force 10 Mbps Half Duplex
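The three EthSpeed configuration types described above, modeled as an added example. This is not code from the NVIDIA guide or the nForce driver: the peer's advertised capability set is constructed, the selection strings follow the User selection list for this parameter, and the 1000 Mbps half-duplex and forced 1000 Mbps modes are left out because the guide says they are not available. It shows the two outcomes an administrator most often has to reason about: Chosen Autonegotiation yielding no link rather than falling back to a lower speed, and a Forced Configuration coming up regardless of the peer, which is why the guide insists both ends carry the same link parameters.

```python
from typing import Optional, Set, Tuple

# A link mode is (speed in Mbps, duplex), matching the EthSpeed user selections.
Mode = Tuple[int, str]


def parse_selection(selection: str) -> Tuple[str, Mode]:
    """Parse 'Autonegotiate for 100 Mbps Half Duplex' or 'Force 10 Mbps Full Duplex'
    into (kind, (speed, duplex))."""
    words = selection.split()
    kind = words[0]                       # 'Autonegotiate' or 'Force'
    speed = int(words[2] if kind == "Autonegotiate" else words[1])
    duplex = words[-2]                    # 'Full' or 'Half'
    return kind, (speed, duplex)


def negotiate(selection: str, peer_advertised: Set[Mode], gigabit_phy: bool = True) -> Optional[Mode]:
    """Constructed model of the EthSpeed behaviour the guide describes.
    Returns the resulting link mode, or None when no link is established."""
    # Modes the nForce controller can offer; 1000 Mbps half duplex is not supported.
    local = {(1000, "Full"), (100, "Full"), (100, "Half"), (10, "Full"), (10, "Half")}
    if not gigabit_phy:
        local.discard((1000, "Full"))     # 1000 Mbps selection exists only with a Gigabit PHY

    if selection == "Full Autonegotiation":
        common = local & peer_advertised
        if not common:
            return None
        # Best common mode: highest speed, full duplex preferred at equal speed.
        return max(common, key=lambda m: (m[0], m[1] == "Full"))

    kind, mode = parse_selection(selection)
    if kind == "Autonegotiate":
        if mode not in local:
            raise ValueError(f"{selection} is not available on this controller")
        # Chosen Autonegotiation: only the selected outcome is accepted, no drop to a lower speed.
        return mode if mode in peer_advertised else None
    if kind == "Force":
        # Forced Configuration: programmed as specified, whatever the peer supports.
        return mode
    raise ValueError(f"unknown selection: {selection}")


def duplex_mismatch(a: Mode, b: Mode) -> bool:
    """True when both ends run the same speed with different duplex settings,
    the misconfiguration the guide's note on Forced Configuration warns about."""
    return a[0] == b[0] and a[1] != b[1]


if __name__ == "__main__":
    # Constructed peer: a 100 Mbps switch port that advertises both duplex modes.
    peer = {(100, "Full"), (100, "Half"), (10, "Full"), (10, "Half")}
    print(negotiate("Full Autonegotiation", peer))                      # (100, 'Full')
    print(negotiate("Autonegotiate for 1000 Mbps Full Duplex", peer))   # None: no link, no fallback
    forced = negotiate("Force 100 Mbps Full Duplex", set())             # comes up without a peer
    print(forced, duplex_mismatch(forced, (100, "Half")))
```

Running the block with the constructed peer shows the Chosen Autonegotiation request for 1000 Mbps returning no link at all, while the forced 100 Mbps full-duplex mode pairs with a half-duplex peer into the duplex mismatch that the statistics counters later in this appendix (late collisions, alignment errors) tend to surface.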

Parameter EthLinkSpeed

Description Specifies the current speed (in Mbps) of the Ethernet device.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_EthInfo Single: EthLinkSpeed

Usage example: nCLI Get "EthLinkSpeed"

Access Read

Data type Number ( 32 bit )

Maximum Value 10000

Minimum Value 0


Maximum Link Speed

Duplex Setting

Parameter EthLinkMaxSpeed

Description Specifies the maximum speed (in Mbps) at which the Ethernet interface can operate.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_EthInfo Single: EthLinkMaxSpeed

Usage example: nCLI Get "EthLinkMaxSpeed"

Access Read

Data type Number ( 32 bit )

Maximum Value 10000

Minimum Value 0

Parameter EthDuplex

Description Specifies the current Ethernet interface duplex setting. Full duplex means that the Ethernet interface on both ends of a link can receive and transmit data simultaneously over the cable. Half duplex means that either the transmit or the receive operation can occur at a given time.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_EthInfo Single: EthDuplex

Usage example: nCLI Get "EthDuplex"

Access Read

Data type Selection

User selection Half Duplex Full Duplex


Link Status

Promiscuous Mode

Parameter EthConnectStatus

Description Displays the current Ethernet link status. When the Ethernet link is disconnected, the remote configuration tool will not function.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_EthInfo Single: EthConnectStatus

Usage example: nCLI Get "EthConnectStatus"

Access Read

Data type Selection

User selection Connected Disconnected

Parameter EthPromiscuous

Description When this parameter is enabled, all packets (including frames addressed for other stations) that arrive at this Ethernet interface are received.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_EthInfo Single: EthPromiscuous

Usage example: nCLI Get "EthPromiscuous"

Access Read

Data type Selection

User selection Disable Enable


Group: Ethernet Address

Permanent Ethernet Address

Current Ethernet Address

Parameter EthAddressPermanent

Description Specifies the fixed Ethernet address encoded in the hardware.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_EthInfo Single: EthAddressPermanent

Usage example: nCLI Get "EthAddressPermanent"

Access Read

Data type MAC Address

Parameter EthAddressCurrent

Description Specifies the Ethernet address currently being used. When this value is set, the Ethernet interface uses the Current Ethernet Address in place of the Permanent Ethernet Address.

Comment The Ethernet address must use the format XX:XX:XX:XX:XX:XX.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_Address Single: EthAddressCurrent

Usage example: nCLI Set "EthAddressCurrent" "0C:12:34:56:78:9A"

Access ReadWrite

Network connection: Restarting the network is required.

Data type MAC Address
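A consistency and review check over the parameters documented in this appendix, written here as an added example; it is not part of the NVIDIA guide or the nCLI tool. It assumes the values have already been collected with nCLI Get and placed in a Python dict keyed by parameter name (the guide does not specify nCLI's output format, so the example does not parse it). The rules it encodes are the ones stated in this appendix: EthMSVLAN and EthVLANID within 0..4095, a nonzero Microsoft VLAN ID overriding EthVLAN and EthVLANID, receive buffers at least twice the receive descriptors, jumbo frames only at 1000 Mbps, the XX:XX:XX:XX:XX:XX address format, plus two conditions a security reviewer wants surfaced: EthPromiscuous enabled and EthAddressCurrent differing from EthAddressPermanent. The sample values are constructed.

```python
import re
from typing import Dict, List

# Address format the guide requires for EthAddressCurrent: XX:XX:XX:XX:XX:XX
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Documented EthJumboSize user selections; 1500 means jumbo frames are disabled
JUMBO_SIZES = {"1500", "2500", "4500", "9000"}


def valid_mac(value: str) -> bool:
    """True if value matches the XX:XX:XX:XX:XX:XX format."""
    return bool(MAC_RE.match(value))


def effective_vlan(params: Dict[str, str]) -> int:
    """VLAN ID in effect: a nonzero EthMSVLAN overrides EthVLAN/EthVLANID;
    when it is 0 the NVIDIA settings apply, and EthVLAN=Disable means no VLAN."""
    ms = int(params.get("EthMSVLAN", "0"))
    if ms != 0:
        return ms
    if params.get("EthVLAN", "Disable") != "Enable":
        return 0
    return int(params.get("EthVLANID", "0"))


def audit(params: Dict[str, str]) -> List[str]:
    """Return one finding string per rule violated or review-worthy setting."""
    findings: List[str] = []
    # VLAN IDs: 32-bit numbers with documented range 0..4095
    for name in ("EthMSVLAN", "EthVLANID"):
        if name in params and not 0 <= int(params[name]) <= 4095:
            findings.append(f"{name}={params[name]} outside 0..4095")
    # Performance rule: receive buffers must be at least twice the receive descriptors
    if "EthNoOfRxBuff" in params and "EthNoOfRxDesc" in params:
        buffs, descs = int(params["EthNoOfRxBuff"]), int(params["EthNoOfRxDesc"])
        if buffs < 2 * descs:
            findings.append(f"EthNoOfRxBuff={buffs} is less than twice EthNoOfRxDesc={descs}")
    # Jumbo frames are supported only at 1000 Mbps
    jumbo = params.get("EthJumboSize", "1500")
    if jumbo not in JUMBO_SIZES:
        findings.append(f"EthJumboSize={jumbo} is not a documented selection")
    elif jumbo != "1500" and params.get("EthLinkSpeed") != "1000":
        findings.append(f"EthJumboSize={jumbo} set but EthLinkSpeed={params.get('EthLinkSpeed')} is not 1000")
    # Address format, and detection of a current address overriding the permanent one
    cur, perm = params.get("EthAddressCurrent"), params.get("EthAddressPermanent")
    if cur is not None and not valid_mac(cur):
        findings.append(f"EthAddressCurrent={cur} is not in XX:XX:XX:XX:XX:XX format")
    elif cur and perm and cur.upper() != perm.upper():
        findings.append(f"EthAddressCurrent={cur} overrides EthAddressPermanent={perm}")
    # Promiscuous reception: frames addressed to other stations are received too
    if params.get("EthPromiscuous") == "Enable":
        findings.append("EthPromiscuous=Enable: interface receives frames addressed to other stations")
    return findings


# Constructed sample values (not captured from a real system)
SAMPLE = {
    "EthMSVLAN": "0", "EthVLAN": "Enable", "EthVLANID": "10",
    "EthNoOfRxBuff": "64", "EthNoOfRxDesc": "64",
    "EthJumboSize": "9000", "EthLinkSpeed": "100",
    "EthAddressPermanent": "00:11:22:33:44:55", "EthAddressCurrent": "0C:12:34:56:78:9A",
    "EthPromiscuous": "Enable",
}

if __name__ == "__main__":
    print("effective VLAN:", effective_vlan(SAMPLE))
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On the constructed sample the audit reports four findings: too few receive buffers for the descriptor count, a jumbo payload on a 100 Mbps link, a current address that differs from the hardware address, and promiscuous mode enabled. The last two are read-only through nCLI for EthPromiscuous and change-requiring-restart for EthAddressCurrent, so a periodic comparison of collected values against a known-good baseline is the practical way to notice them.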


Group: Network Interface information

Computer (Machine) Name

IP Address

Parameter MachineName

Description Specifies the unique name that is used to identify a computer on the network domain. The computer (machine) name is specified through the operating system and must be unique within a network domain.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_InterfaceInfo Single: MachineName

Usage example: nCLI Get "MachineName"

Access Read

Data type String

Maximum length 64

Parameter IPAddress

Description Specifies the IP address of the current Ethernet interface.

Comment If an interface has multiple IP addresses and masks, only the first set returned by the operating system is shown.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_InterfaceInfo Single: IPAddress

Usage example: nCLI Get "IPAddress"

Access Read

Data type String

Maximum length 64


IP Address Mask

Parameter IPAddressMask

Description Specifies the IP address mask of the current Ethernet interface.

Comment If an interface has multiple IP addresses and masks, only the first set returned by the operating system is shown.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_InterfaceInfo Single: IPAddressMask

Usage example: nCLI Get "IPAddressMask"

Access Read

Data type String

Maximum length 64


Group: Factory Default

Factory Default

Table: Multicast Address List

Multicast Address List

Parameter EthDefault

Description Restores the Ethernet factory default settings.

Comment The restore factory default feature is not available through WMI scripting.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Group: NV_Eth_FactoryDefault Single: EthDefault

Usage example: nCLI Set "EthDefault" "Restore"

Access ReadWrite

Data type Selection

User selection NoRestore Restore

Table parameter NV_Eth_MulticastAddress

Description Specifies a list of multicast addresses from which the Ethernet interface will receive frames. An Ethernet multicast packet is a packet addressed to a group of recipients.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Table: NV_Eth_MulticastAddress

Usage example: nCLI Get "NV_Eth_MulticastAddress"

Access Read

Single parameter EthMulticast (See the next table for details on the EthMulticast parameter.)


Multicast Addresses (Single Parameter)

Group: Ethernet Statistics

Frames Received with Alignment Error

Parameter EthMulticast

Description A multicast address from which the Ethernet interface will receive frames. An Ethernet multicast packet is a packet addressed to a group of recipients.

Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig

Table: NV_Eth_MulticastAddress Single: EthMulticast

Access Read

Table key This parameter is the key to the table.

Data type MAC Address

Parameter EthReceiveErrorAlign

Description Specifies the number of received frames with alignment errors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthReceiveErrorAlign

Usage example: nCLI Get "EthReceiveErrorAlign"

Access Read

Data type Number ( 64 bit )


Frames Transmitted After One Collision

Frames Transmitted After Two or More Collisions

Parameter EthTransmitOneCollision

Description Specifies the number of frames that were successfully transmitted after encountering one collision.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitOneCollision

Usage example: nCLI Get "EthTransmitOneCollision"

Access Read

Data type Number ( 64 bit )

Parameter EthTransmitMoreCollision

Description Specifies the number of frames that were successfully transmitted after encountering two or more collisions.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitMoreCollision

Usage example: nCLI Get "EthTransmitMoreCollision"

Access Read

Data type Number ( 64 bit )


Frames Transmitted After Deferral

Frames Exceeding Maximum Collisions

Parameter EthTransmitDeferred

Description Specifies the number of frames that were successfully transmitted after the Ethernet hardware deferred transmission at least once.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitDeferred

Usage example: nCLI Get "EthTransmitDeferred"

Access Read

Data type Number ( 64 bit )

Parameter EthTransmitMaxCollision

Description Specifies the number of frames not transmitted because of excessive collisions.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitMaxCollision

Usage example: nCLI Get "EthTransmitMaxCollision"

Access Read

Data type Number ( 64 bit )


Frames with Overrun Errors

Frames with Underrun Errors

Parameter EthReceiveOverrun

Description Specifies the number of frames not received because of overrun errors. An overrun error occurs when the Ethernet hardware receives more data than it can process.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthReceiveOverrun

Usage example: nCLI Get "EthReceiveOverrun"

Access Read

Data type Number ( 64 bit )

Parameter EthTransmitUnderrun

Description Specifies the number of frames not transmitted because of underrun errors. An underrun error occurs when the Ethernet hardware cannot transmit frames because the data is not available within the expected time.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitUnderrun

Usage example: nCLI Get "EthTransmitUnderrun"

Access Read

Data type Number ( 64 bit )


Frames with Heartbeat Failure

Carrier Sense (CRS) Signal Lost

Parameter EthTransmitHeartbeatFail

Description Specifies the number of frames transmitted without detection of the collision-detect heartbeat.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitHeartbeatFail

Usage example: nCLI Get "EthTransmitHeartbeatFail"

Access Read

Data type Number ( 64 bit )

Parameter EthTransmitTimesCRSLost

Description Specifies the number of times the CRS signal has been lost during packet transmission.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitTimesCRSLost

Usage example: nCLI Get "EthTransmitTimesCRSLost"

Access Read

Data type Number ( 64 bit )


Late Collisions

Group: General Networking Statistics

Successfully Transmitted Frames

Parameter EthTransmitLateCollisions

Description Specifies the number of collisions detected after the normal detection period.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_EthStat Single: EthTransmitLateCollisions

Usage example: nCLI Get "EthTransmitLateCollisions"

Access Read

Data type Number ( 64 bit )

Parameter TransmitOK

Description Specifies the number of frames transmitted without errors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: TransmitOK

Usage example: nCLI Get "TransmitOK"

Access Read

Data type Number ( 64 bit )


Successfully Received Frames

Transmit Failures

Receive Failures

Parameter ReceiveOK

Description Specifies the number of frames that the network card has received without errors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: ReceiveOK

Usage example: nCLI Get "ReceiveOK"

Access Read

Data type Number ( 64 bit )

Parameter TransmitError

Description Specifies the number of frames that failed to transmit.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: TransmitError

Usage example: nCLI Get "TransmitError"

Access Read

Data type Number ( 64 bit )

Receive Failures

Parameter ReceiveError

Description Specifies the number of frames that are received but not passed to the operating system because of errors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: ReceiveError

Usage example: nCLI Get "ReceiveError"

Access Read

Data type Number ( 64 bit )

No Receive Buffers

Parameter ReceiveNoBuffer

Description The number of frames that are dropped because of lack of space for receive buffers.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: ReceiveNoBuffer

Usage example: nCLI Get "ReceiveNoBuffer"

Access Read

Data type Number ( 64 bit )

Direct Frames Received

Parameter ReceiveFramesDirect

Description The number of packets received without errors and addressed to the local Ethernet address.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: ReceiveFramesDirect

Usage example: nCLI Get "ReceiveFramesDirect"

Access Read

Data type Number ( 64 bit )

Multicast Frames Received

Parameter ReceiveFramesMulticast

Description Specifies the number of multicast frames received without errors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: ReceiveFramesMulticast

Usage example: nCLI Get "ReceiveFramesMulticast"

Access Read

Data type Number ( 64 bit )

Broadcast Frames Received

Parameter ReceiveFramesBroadcast

Description Specifies the number of broadcast frames received without errors.

Hierarchy Namespace: NS_Eth Namespace: NS_EthStat

Group: NV_NetworkGenStat Single: ReceiveFramesBroadcast

Usage example: nCLI Get "ReceiveFramesBroadcast"

Access Read

Data type Number ( 64 bit )

Group: Alert Standard Format

ASF Support

Parameter ASFSupport

Description Enables or disables the ASF (Alert Standard Format) feature. ASF is an industry specification that defines alerting capability in both operating-system-present and operating-system-absent environments.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASF Single: ASFSupport

Usage example: nCLI Set "ASFSupport" "Disable"

Access ReadWrite

Data type Selection

User selection Disable Enable

ASF Destination IP Address

Parameter ASFDestIPAddr

Description Specifies the IP address of the managing station computer that is receiving the ASF alert frames. For ASF to be functional, the destination IP address must be specified.

Comment Only IPv4 (not IPv6) addresses are supported. Note: If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASF Single: ASFDestIPAddr

Usage example: nCLI Set "ASFDestIPAddr" ""

Access ReadWrite

Data type String

Maximum length 15

ASF Send Count

Parameter ASFSendCount

Description Specifies the number of times an ASF alert will be sent out for a given event. If the value is more than one, the alert is sent at an interval of approximately 1 second. This is a global setting applied across all events.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASF Single: ASFSendCount

Usage example: nCLI Set "ASFSendCount" "1"

Access ReadWrite

Data type Selection

User selection 0 1 2 3

Group: ASF Information

ASF Destination MAC Address

Parameter ASFDestMACAddr

Description Displays the MAC address of the managing station computer that is receiving the ASF alert frames.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventInfo Single: ASFDestMACAddr

Usage example: nCLI Get "ASFDestMACAddr"

Access Read

Data type MAC Address

Group: System Fails to Boot Alert

System Fails to Boot Alert

Parameter ASFEventBootFailure

Description This ASF alert is triggered when the operating system fails to start up.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventBootFailure Single: ASFEventBootFailure

Usage example: nCLI Set "ASFEventBootFailure" "Disable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: Fan Problem Alert

Fan Problem Alert

Parameter ASFEventFanProblem

Description This alert is triggered if the CPU fan is running at a low speed or has stopped, which can cause the CPU or system temperature to increase.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventFanProblem Single: ASFEventFanProblem

Usage example: nCLI Set "ASFEventFanProblem" "Disable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF SMBus Error

ASF SMBus Error

Parameter ASFEventSMBusError

Description This alert packet is sent when there is an SMBus (System Management Bus) error. The SMBus is a two-wire interface through which the system can communicate with simple power-related chips.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventSMBusError Single: ASFEventSMBusError

Usage example: nCLI Set "ASFEventSMBusError" "Disable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF WOL Alert

ASF Wake On LAN (WOL) Alert

Parameter ASFEventWOL

Description This alert is triggered when the system is woken through the Wake On LAN feature.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventWOL Single: ASFEventWOL

Usage example: nCLI Set "ASFEventWOL" "Disable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF Heartbeat Alert

ASF Heartbeat Alert Interval

Parameter ASFHeartbeatInterval

Description Sets the interval (in seconds) between ASF heartbeat alerts.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventHeartbeatInterval Single: ASFEventHeartbeatInterval

Usage example: nCLI Set "ASFHeartbeatInterval" "10 seconds"

Access ReadWrite

Data type Selection

User selection 10 seconds, 20 seconds, 30 seconds, 45 seconds, 1 minute, 2 minutes, 3 minutes, 5 minutes, 7.5 minutes, 10 minutes

Group: ASF Operating System Hung Alert

ASF Operating System Hung Alert

Parameter ASFEventOSHung

Description This alert is triggered when the operating system is hung and the driver software or the operating system is not servicing the interrupts generated by the network interfaces.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventOSHung Single: ASFEventOSHung

Usage example: nCLI Set "ASFEventOSHung" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF Power Button Alert

ASF Power Button Alert

Parameter ASFEventPowerButton

Description Enables or disables the power button alert. This alert is triggered each time the user presses the power button to shut down or turn on the computer.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventPowerButton Single: ASFEventPowerButton

Usage example: nCLI Set "ASFEventPowerButton" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF System Hot Alert

ASF System Hot Alert

Parameter ASFEventSystemHot

Description This alert is triggered when the temperature in the computer has exceeded a threshold limit.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventSystemHot Single: ASFEventSystemHot

Usage example: nCLI Set "ASFEventSystemHot" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF CPU Overheated Alert

ASF CPU Overheat Alert

Parameter ASFEventCPUOverheated

Description This alert is triggered when the temperature of the CPU exceeds a threshold.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventCPUOverheated Single: ASFEventCPUOverheated

Usage example: nCLI Set "ASFEventCPUOverheated" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF CPU Overheated Alert

ASF CPU Hot Alert

Parameter ASFEventCPUHot

Description This alert is triggered when the CPU fan is not functioning or the CPU temperature is increasing.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventCPUHot Single: ASFEventCPUHot

Usage example: nCLI Set "ASFEventCPUHot" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Group: ASF Case Intrusion Alert

ASF Case Intrusion Alert

Parameter ASFEventCaseIntrusion

Description This alert is triggered when the computer’s case is opened.

Comment If ASFSupport is set to Disable, this parameter value is ignored.

Hierarchy Namespace: NS_Eth Namespace: NS_ASF

Group: NV_ASFEventCaseIntrusion Single: ASFEventCaseIntrusion

Usage example: nCLI Set "ASFEventCaseIntrusion" "Disable"

Access ReadWrite

Data type Selection

User selection Disable Enable

APPENDIX B

ACTIVEARMOR FIREWALL PARAMETERS REFERENCE

Note: For references to all the individual parameters, categorized by group, see the entries listed for this appendix—B. ActiveArmor Firewall Parameters Reference—in the “Table of Contents” on page iii.

Group: Configure Firewall Security Level

Configure Firewall Security Level

Parameter FwlProfiles

Description Selects a default security level or configures a custom security level, which is a set of rules that determines the policy that the firewall follows.

Comment This parameter is not supported through WMI script. CLI users who want to customize the firewall settings rather than use a pre-defined profile should change the firewall security level to one of the custom levels. Note: For details on the settings, see the next section.

Hierarchy Namespace: NS_Firewall Group: NV_FwlProfiles

Single: FwlProfiles

Usage example: nCLI Set "FwlProfiles" "Medium"

Access ReadWrite

Data type Selection

User selection Off, Low, Medium, High, Lockdown, Anti-hacking only, Custom1, Custom2, Custom3

About the FwlProfiles Settings

The FwlProfiles parameter is supported through the WMI scripting language. If you are a CLI user and want to customize the ActiveArmor Firewall settings without using a pre-defined profile, change the firewall security level to one of the custom levels described below.

• The Lockdown profile setting blocks all incoming and outgoing traffic except locally generated ASF alerts. Lockdown drops all traffic packets except outbound Alert Standard Format (ASF) packets, and the ActiveArmor Firewall Intelligent Application Manager (IAM) is disabled.

• High is an extremely secure setting. However, because of the stringent filtering rules associated with this setting, many applications may not work as expected and some applications may not work at all. This setting has the following features and functionality:

  • Allows the least amount of traffic through.

  • Only outbound connections may be established. Inbound connections are not allowed. Inbound traffic is allowed only if it is in response to an outbound packet that was seen previously on a valid connection.

  • Encompasses what is commonly known as “stealth mode”, in which the station cannot be “pinged” and is not allowed to generate any ICMP error messages, except where necessary for normal operation.

  • Allows VPNs, including those based on IPsec (requiring AH, ESP, L2TP, IKE, UDP port 500), as well as those that rely on Point-to-Point Tunneling Protocol (PPTP), which uses Generic Routing Encapsulation (GRE).

  • Restricts network traffic by preventing the use of IP and/or TCP options, which might otherwise be misused, and by preventing the spoofing of IP source addresses for both IPv4 and IPv6.

• Medium (the default profile setting after installation) is intended to provide a good balance between usability and security, with an emphasis on security. This setting has the following features and functionality:

  • It is the factory “default” profile setting when the ActiveArmor Firewall is enabled.

  • It does not have the “stealth” features associated with the High profile setting and therefore allows most (but not all) ICMP error messages to be sent and received.

  • Blocks most incoming connections with the “default” action of Deny. To allow file transfers through MSN Messenger and Yahoo! Messenger, incoming connections to port 80 must be allowed. Note: MSN Messenger and Yahoo! Messenger will not work with the High setting.

  • Allows dynamic ports to be opened up from the inside only: Default in: Deny, Default out: Allow.

  • Supports outgoing NetMeeting calls.

  • Allows VPNs based on both IPsec and PPTP.

  • Restricts network traffic by preventing the use of IP and/or TCP options, which might otherwise be misused, and by preventing the spoofing of IP source addresses for both IPv4 and IPv6.

• Low is the least secure of the profile settings, but allows most applications to work properly. This setting allows “safe” incoming connections, denies those that are known to be dangerous, and defaults to allowing TCP or UDP connections for which a rule has not been specified. Additional features and functionality of this setting include the following:

  • Allows almost all ICMP traffic, except for sending router-oriented (e.g., router advertisement) or deprecated (e.g., source quench) (Type, Code) pairs.

  • Allows bi-directional dynamic ports to be opened: Default in: Allow, Default out: Allow. For example, the Low setting supports the NetMeeting application in either direction.

  • Allows VPNs based on both IPsec and PPTP.

  • Restricts network traffic by preventing the use of IP and/or TCP options, which might otherwise be misused, and by preventing the spoofing of IP source addresses for both IPv4 and IPv6.

• The Anti-hacking only profile setting enables only the anti-hacking features of the ActiveArmor Firewall and is useful in a dual-firewall configuration, for example if you want to use a third-party firewall product along with the anti-hacking features of the ActiveArmor Firewall. Note: The Anti-hacking only setting disables the IAM, ActiveArmor, and the ActiveArmor Firewall, allowing most incoming and outgoing network traffic.** The logging of ActiveArmor Firewall messages will proceed as usual, as long as you have enabled one of the logging message types in the ActiveArmor Firewall Log Settings page.

  ** If you are using the Anti-hacking only setting with a third-party firewall, then that third-party firewall controls the incoming and outgoing network traffic; it will probably deny most incoming and outgoing network traffic. However, the ActiveArmor Firewall will still continue to log messages pertaining to the Anti-hacking only setting, as long as you have enabled one of the log message types in the ActiveArmor Firewall Log Settings page. For additional information, see “ActiveArmor Firewall Logging” on page 63.

• Off turns off the IAM, ActiveArmor, and the ActiveArmor Firewall, allowing all incoming and outgoing network traffic.

Group: Configure Firewall Options

Disallow Promiscuous Mode

Parameter FwlPromiscuous

Description When this parameter is enabled, the firewall prevents applications from setting the NVIDIA network interface to promiscuous mode. Promiscuous mode is primarily used by packet sniffing software.

Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions

Single: FwlPromiscuous

Usage example: nCLI Set "FwlPromiscuous" "Enable"

Access ReadWrite

Data type Selection

User selection Enable Disable

Disallow DHCP Server

Parameter FwlDHCPServer

Description When this option is enabled, the firewall prevents a DHCP (Dynamic Host Configuration Protocol) server process in the computer from using the NVIDIA network interface to communicate using the DHCP protocol. The DHCP server is used to assign IP addresses to client computers.

Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions

Single: FwlDHCPServer

Usage example: nCLI Set "FwlDHCPServer" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Block Outbound Spoofed IP Packets

Parameter FwlAntiIPSpoofing

Description When this parameter is enabled, the firewall blocks any application on the NVIDIA network interface from sending network traffic using an IP address different from the one assigned to the interface. Such network packets are called spoofed IP packets, and this feature, also known as “anti-IP-spoofing,” is intended to prevent the NVIDIA network interface from participating in distributed denial of service attacks.

Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions

Single: FwlAntiIPSpoofing

Usage example: nCLI Set "FwlAntiIPSpoofing" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Block Spoofed ARP Packets

Parameter FwlAntiARPSpoofing

Description When this parameter is enabled, the firewall filters out any ARP packets sent by an offending computer (i.e., a computer that pretends to be another computer by altering the local ARP cache). Such network packets are called spoofed ARP packets, and this feature is also known as “anti-ARP-spoofing”.

Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions

Single: FwlAntiARPSpoofing

Usage example: nCLI Set "FwlAntiARPSpoofing" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable

Block UDPv4 with No UDP Checksum

Parameter FwlChecksumUDP

Description When this parameter is enabled, the firewall drops any UDP datagram that has no UDP checksum if it is inside an IPv4 packet (UDP checksums are optional when used over IPv4, but are mandatory when used over IPv6).

Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions

Single: FwlChecksumUDP

Usage example: nCLI Set "FwlChecksumUDP" "Enable"

Access ReadWrite

Data type Selection

User selection Disable Enable
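To make concrete what this option tests, here is an added Python example (not code from the guide or from NVIDIA): it builds two constructed UDP-over-IPv4 datagrams, one carrying the optional checksum and one with the field zeroed, and applies the FwlChecksumUDP decision to each. The RFC 768 pseudo-header checksum and a verifier are included so the constructed packets can be checked offline; the addresses, ports and payload are sample values.

```python
import struct

IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum_ipv4(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """UDP checksum over IPv4 pseudo-header + UDP header + payload (RFC 768)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]  # checksum field is zero while summing
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    return csum if csum else 0xFFFF           # a computed zero is transmitted as 0xFFFF


def build_udp_ipv4(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, with_checksum: bool = True) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (no options) + UDP datagram."""
    src_ip = bytes(int(o) for o in src.split("."))
    dst_ip = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_checksum:
        udp = udp[:6] + struct.pack("!H", udp_checksum_ipv4(src_ip, dst_ip, udp)) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0, src_ip, dst_ip)
    ip_csum = 0xFFFF ^ ones_complement_sum(hdr)   # fill in the IPv4 header checksum
    return hdr[:10] + struct.pack("!H", ip_csum) + hdr[12:] + udp


def fwl_checksum_udp(packet: bytes, enabled: bool = True) -> str:
    """Apply the FwlChecksumUDP decision to one IPv4 packet: "Allow" or "Deny".

    The option targets only UDP-over-IPv4 datagrams whose checksum field is
    zero (checksum omitted). Anything else is not this option's concern and
    is handed on to the other rule tables unchanged.
    """
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_UDP:
        return "Allow"                        # not UDP over IPv4
    ihl = (packet[0] & 0x0F) * 4
    checksum = struct.unpack("!H", packet[ihl + 6:ihl + 8])[0]
    if checksum == 0 and enabled:
        return "Deny"                         # checksum omitted: dropped
    return "Allow"


def udp_checksum_ok(packet: bytes) -> bool:
    """Verify a present UDP checksum (what the receiving stack would do).

    Shown for completeness: the FwlChecksumUDP option itself tests only for
    an omitted checksum, not for a wrong one.
    """
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    present = struct.unpack("!H", udp[6:8])[0]
    if present == 0:
        return False                          # nothing to verify
    return udp_checksum_ipv4(packet[12:16], packet[16:20], udp) == present


if __name__ == "__main__":
    # Constructed sample traffic using RFC 5737 documentation addresses.
    with_sum = build_udp_ipv4("192.0.2.10", "198.51.100.53", 40000, 53, b"query")
    no_sum = build_udp_ipv4("192.0.2.10", "198.51.100.53", 40000, 53, b"query",
                            with_checksum=False)
    print("checksum present :", fwl_checksum_udp(with_sum), udp_checksum_ok(with_sum))
    print("checksum omitted :", fwl_checksum_udp(no_sum))
    print("option disabled  :", fwl_checksum_udp(no_sum, enabled=False))
```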

Group: EtherType Default Rule

EtherType Default Rule

Parameter FwlEtherTypeDefault

Description This rule is applied when a packet contains an EtherType that does not match any rule in the EtherType rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlEtherTypeDefault

Single: FwlEtherTypeDefault

Usage example: nCLI Set "FwlEtherTypeDefault" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow

Group: IP Address/Mask Default Rule

IP Address/Mask Default Action

Parameter FwlIPDefault

Description This action is applied when a packet contains an IP address/mask that does not match any rule in the IP rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlIPDefault

Single: FwlIPDefault

Usage example: nCLI Set "FwlIPDefault" "Allow"

Access ReadWrite

Data type Selection

User selection Deny Allow

Group: Domain Name Default Rule

Domain Name Default Rule

Parameter FwlDomainDefault

Description This rule is applied when a DNS packet contains a domain name that does not match any rule in the domain name rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlDomainDefault

Single: FwlDomainDefault

Usage example: nCLI Set "FwlDomainDefault" "Allow"

Access ReadWrite

Data type Selection

User selection Deny Allow

Group: IP Option Default Rule

Inbound IP Option Default Rule

Parameter FwlIPOptionDefaultIn

Description This rule is applied when an inbound packet contains an IP option that does not match any rule in the IP option rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlIPOptionDefault

Single: FwlIPOptionDefaultIn

Usage example: nCLI Set "FwlIPOptionDefaultIn" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow

Outbound IP Option Default Rule

Parameter FwlIPOptionDefaultOut

Description This rule is applied when an outbound packet contains an IP option that does not match any rule in the IP option rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlIPOptionDefault

Single: FwlIPOptionDefaultOut

Usage example: nCLI Set "FwlIPOptionDefaultOut" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow

Group: IP Protocol Default Rule

IP Protocol Default Rule

Parameter FwlIPProtocolDefault

Description This rule is applied when a packet contains an IP protocol that does not match any rule in the IP protocol rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlIPProtocolDefault

Single: FwlIPProtocolDefault

Usage example: nCLI Set "FwlIPProtocolDefault" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow

Group: Port Number Default Rule

Inbound Port Number Default Rule

Parameter FwlPortDefaultIn

Description This rule is applied when an inbound packet contains a UDP or TCP port that does not match any rule in the Port rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlPortDefault

Single: FwlPortDefaultIn

Usage example: nCLI Set "FwlPortDefaultIn" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow

Outbound Port Number Default Rule

Parameter FwlPortDefaultOut

Description This rule is applied when an outbound packet contains a UDP or TCP port that does not match any rule in the Port rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlPortDefault

Single: FwlPortDefaultOut

Usage example: nCLI Set "FwlPortDefaultOut" "Allow"

Access ReadWrite

Data type Selection

User selection Deny Allow

Group: TCP Options Default Rule

TCP Options Default Rule

Parameter FwlTCPOptionDefault

Description This rule is applied when a packet contains a TCP option that does not match any rule in the TCP option rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlTCPOptionDefault

Single: FwlTCPOptionDefault

Usage example: nCLI Set "FwlTCPOptionDefault" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow

Group: ICMP Messages Default Rule

Inbound ICMP Default Rule

Parameter FwlICMPDefaultIn

Description This rule is applied when an inbound packet contains an ICMP type/code pair that does not match any rule in the ICMP rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlICMPDefault

Single: FwlICMPDefaultIn

Usage example: nCLI Set "FwlICMPDefaultIn" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow

Outbound ICMP Default Rule

Parameter FwlICMPDefaultOut

Description This rule is applied when an outbound packet contains an ICMP type/code pair that does not match any rule in the ICMP rule table.

Hierarchy Namespace: NS_Firewall Group: NV_FwlICMPDefault

Single: FwlICMPDefaultOut

Usage example: nCLI Set "FwlICMPDefaultOut" "Deny"

Access ReadWrite

Data type Selection

User selection Deny Allow
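The default-rule entries above all follow one pattern: a packet is matched against a category's rule table, and only when nothing matches does the corresponding FwlXxxDefault, DefaultIn or DefaultOut action decide. The Python below is an added model of that evaluation, not NVIDIA's code: the rule contents, the order in which tables are consulted, and the ICMP defaults are assumptions, while the port defaults follow the Medium profile's "Default in: Deny, Default out: Allow" and its inbound port 80 rule.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOW, DENY = "Allow", "Deny"
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


@dataclass
class Packet:
    direction: str                              # "in" (inbound) or "out" (outbound)
    proto: int                                  # IP protocol number
    port: Optional[int] = None                  # TCP/UDP port the Port table keys on
    icmp: Optional[Tuple[int, int]] = None      # (type, code) the ICMP table keys on


@dataclass
class RuleTable:
    """One rule table plus the default rule used when no entry matches.

    `name` is the parameter family the defaults belong to (FwlPort, FwlICMP,
    FwlIPProtocol). `directional` is True for tables with separate
    ...DefaultIn / ...DefaultOut parameters, False for a single ...Default.
    Explicit entries are matched regardless of direction (an assumption of
    this model); only the default rules are direction-specific.
    """
    name: str
    rules: Dict[object, str] = field(default_factory=dict)
    default_in: str = DENY
    default_out: str = ALLOW
    directional: bool = True

    def decide(self, key, direction: str) -> Tuple[str, str]:
        """Return (action, label of the rule or default parameter that decided)."""
        if key in self.rules:
            return self.rules[key], f"{self.name} rule: {key}"
        if not self.directional:
            return self.default_in, f"{self.name}Default"
        if direction == "in":
            return self.default_in, f"{self.name}DefaultIn"
        return self.default_out, f"{self.name}DefaultOut"


def medium_like_policy() -> Dict[str, RuleTable]:
    """Constructed custom level: the Medium profile's 'Default in: Deny,
    Default out: Allow' for ports plus its explicit inbound port 80 rule
    (Messenger file transfers); the protocol table admits only TCP, UDP and
    ICMP, and the ICMP defaults are constructed for the example."""
    return {
        "protocol": RuleTable("FwlIPProtocol",
                              {IPPROTO_TCP: ALLOW, IPPROTO_UDP: ALLOW, IPPROTO_ICMP: ALLOW},
                              default_in=DENY, default_out=DENY, directional=False),
        "port": RuleTable("FwlPort", {80: ALLOW}, default_in=DENY, default_out=ALLOW),
        "icmp": RuleTable("FwlICMP", {}, default_in=DENY, default_out=ALLOW),
    }


def evaluate(pkt: Packet, policy: Dict[str, RuleTable]) -> Tuple[str, str]:
    """Consult the protocol table first, then the table for that protocol.

    The cross-table order is an assumption of this model; within a table the
    rule-then-default behaviour is what the FwlXxxDefault entries describe.
    """
    action, why = policy["protocol"].decide(pkt.proto, pkt.direction)
    if action == DENY:
        return action, why
    if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP):
        return policy["port"].decide(pkt.port, pkt.direction)
    if pkt.proto == IPPROTO_ICMP:
        return policy["icmp"].decide(pkt.icmp, pkt.direction)
    return action, why


if __name__ == "__main__":
    policy = medium_like_policy()
    samples = [
        Packet("out", IPPROTO_TCP, port=443),       # no rule: outbound default applies
        Packet("in", IPPROTO_TCP, port=8080),       # unsolicited inbound: inbound default
        Packet("in", IPPROTO_TCP, port=80),         # explicit Allow rule wins over default
        Packet("in", IPPROTO_ICMP, icmp=(8, 0)),    # inbound echo request
        Packet("out", IPPROTO_ICMP, icmp=(8, 0)),   # outbound echo request
        Packet("in", 47),                           # GRE with no protocol rule
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt, policy))
```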

Group: Clear Firewall Statistics

Clear Firewall Statistics

Parameter FwlStatClearAll

Description Clears all firewall statistics.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStatClear

Single: FwlStatClearAll

Usage example: nCLI Set "FwlStatClearAll" "Clear"

Access ReadWrite

Data type Selection

User selection Clear

Group: Firewall Statistics

Allowed Inbound UDP Datagrams

Parameter FwlStatUDPInPktsAllowed

Description Specifies the number of inbound UDP datagrams allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatUDPInPktsAllowed

Usage example: nCLI Get "FwlStatUDPInPktsAllowed"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatUDPInPktsDenied

Description Number of inbound UDP datagrams denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatUDPInPktsDenied

Usage example: nCLI Get "FwlStatUDPInPktsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatUDPOutPktsAllowed

Description Number of outbound UDP datagrams allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatUDPOutPktsAllowed

Usage example: nCLI Get "FwlStatUDPOutPktsAllowed"

Access Read

Data type Number ( 64 bit )


Denied Outbound UDP Datagrams

Denied Inbound UDP Connections

Allowed Outbound UDP Connections

Parameter FwlStatUDPOutPktsDenied

Description Number of outbound UDP datagrams denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatUDPOutPktsDenied

Usage example: nCLI Get "FwlStatUDPOutPktsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatUDPInConnectionsDenied

Description Number of inbound UDP connections denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatUDPInConnectionsDenied

Usage example: nCLI Get "FwlStatUDPInConnectionsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatUDPOutConnectionsAllowed

Description Number of outbound UDP connections allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatUDPOutConnectionsAllowed

Usage example: nCLI Get "FwlStatUDPOutConnectionsAllowed"

Access Read

Data type Number ( 64 bit )


Denied Outbound UDP Connections

Allowed Inbound TCP Segments

Denied Inbound TCP Segments

Parameter FwlStatUDPOutConnectionsDenied

Description Number of outbound UDP connections denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatUDPOutConnectionsDenied

Usage example: nCLI Get "FwlStatUDPOutConnectionsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatTCPInPktsAllowed

Description Number of inbound TCP segments allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPInPktsAllowed

Usage example: nCLI Get "FwlStatTCPInPktsAllowed"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatTCPInPktsDenied

Description Number of inbound TCP segments denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPInPktsDenied

Usage example: nCLI Get "FwlStatTCPInPktsDenied"

Access Read

Data type Number ( 64 bit )


Allowed Outbound TCP Segments

Denied Outbound TCP Segments

Allowed Inbound TCP Connections

Parameter FwlStatTCPOutPktsAllowed

Description Number of outbound TCP segments allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPOutPktsAllowed

Usage example: nCLI Get "FwlStatTCPOutPktsAllowed"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatTCPOutPktsDenied

Description Number of outbound TCP segments denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPOutPktsDenied

Usage example: nCLI Get "FwlStatTCPOutPktsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatTCPInConnectionsAllowed

Description Number of inbound TCP connections allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPInConnectionsAllowed

Usage example: nCLI Get "FwlStatTCPInConnectionsAllowed"

Access Read

Data type Number ( 64 bit )


Denied Inbound TCP Connections

Allowed Outbound TCP Connections

Denied Outbound TCP Connections

Parameter FwlStatTCPInConnectionsDenied

Description Number of inbound TCP connections denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPInConnectionsDenied

Usage example: nCLI Get "FwlStatTCPInConnectionsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatTCPOutConnectionsAllowed

Description Number of outbound TCP connections allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPOutConnectionsAllowed

Usage example: nCLI Get "FwlStatTCPOutConnectionsAllowed"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatTCPOutConnectionsDenied

Description Number of outbound TCP connections denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatTCPOutConnectionsDenied

Usage example: nCLI Get "FwlStatTCPOutConnectionsDenied"

Access Read

Data type Number ( 64 bit )


Allowed Inbound ICMP Packets

Denied Inbound ICMP Packets

Allowed Outbound ICMP Packets

Parameter FwlStatICMPInPktsAllowed

Description Number of inbound ICMP packets allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatICMPInPktsAllowed

Usage example: nCLI Get "FwlStatICMPInPktsAllowed"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatICMPInPktsDenied

Description Number of inbound ICMP packets denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatICMPInPktsDenied

Usage example: nCLI Get "FwlStatICMPInPktsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatICMPOutPktsAllowed

Description Number of outbound ICMP packets allowed by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatICMPOutPktsAllowed

Usage example: nCLI Get "FwlStatICMPOutPktsAllowed"

Access Read

Data type Number ( 64 bit )


Denied Outbound ICMP Packets

Other Allowed Inbound Packets

Other Denied Inbound Packets

Parameter FwlStatICMPOutPktsDenied

Description Specifies the number of outbound ICMP packets denied by the firewall.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatICMPOutPktsDenied

Usage example: nCLI Get "FwlStatICMPOutPktsDenied"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatOtherInPktsAllowed

Description Specifies the number of inbound packets allowed by the firewall that are not UDP, TCP, or ICMP.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatOtherInPktsAllowed

Usage example: nCLI Get "FwlStatOtherInPktsAllowed"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatOtherInPktsDenied

Description Number of inbound packets denied by the firewall that are not UDP, TCP, or ICMP.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatOtherInPktsDenied

Usage example: nCLI Get "FwlStatOtherInPktsDenied"

Access Read

Data type Number ( 64 bit )


Other Allowed Outbound Packets

Other Denied Outbound Packets

Parameter FwlStatOtherOutPktsAllowed

Description Number of outbound packets allowed by the firewall that are not UDP, TCP, or ICMP.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatOtherOutPktsAllowed

Usage example: nCLI Get "FwlStatOtherOutPktsAllowed"

Access Read

Data type Number ( 64 bit )

Parameter FwlStatOtherOutPktsDenied

Description Specifies the number of outbound packets denied by the firewall that are not UDP, TCP, or ICMP.

Hierarchy Namespace: NS_Firewall Group: NV_FwlStat

Single: FwlStatOtherOutPktsDenied

Usage example: nCLI Get "FwlStatOtherOutPktsDenied"

Access Read

Data type Number ( 64 bit )
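The NV_FwlStat counters above are read-only 64-bit values that only grow until FwlStatClearAll (or a reboot) resets them, so the useful signal is the change between two reads rather than the absolute value. The following is an added example, not code from the guide: it compares two snapshots of the twelve *Denied counters, treats a counter that went down as having been cleared in between, and reports the ones that jumped. How `nCLI Get` output would be captured into the snapshot dicts is not documented on this page and is not shown; the snapshots here are constructed sample values.

```python
"""Spot denied-traffic spikes from the NV_FwlStat counters.

Added example, not NVIDIA code.  Each FwlStat* parameter is a read-only
64-bit counter that the guide reads with `nCLI Get "<name>"`; capturing
that output into a dict is not shown on the page, so the snapshots below
are constructed sample values.
"""
from typing import Dict, List

# The twelve *Denied counters of the NV_FwlStat group.
DENIED_COUNTERS: List[str] = [
    "FwlStatUDPInPktsDenied", "FwlStatUDPOutPktsDenied",
    "FwlStatUDPInConnectionsDenied", "FwlStatUDPOutConnectionsDenied",
    "FwlStatTCPInPktsDenied", "FwlStatTCPOutPktsDenied",
    "FwlStatTCPInConnectionsDenied", "FwlStatTCPOutConnectionsDenied",
    "FwlStatICMPInPktsDenied", "FwlStatICMPOutPktsDenied",
    "FwlStatOtherInPktsDenied", "FwlStatOtherOutPktsDenied",
]


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Increase of each denied counter between two snapshots.

    A counter that is lower in `after` than in `before` was reset in between
    (FwlStatClearAll, or a reboot).  The increase since the reset is then the
    new value itself, the usual treatment for monotonic counters; reporting a
    negative delta would hide the traffic denied after the reset.
    """
    deltas: Dict[str, int] = {}
    for name in DENIED_COUNTERS:
        old = before.get(name, 0)
        new = after.get(name, 0)
        deltas[name] = new if new < old else new - old
    return deltas


def flag_spikes(deltas: Dict[str, int], threshold: int) -> List[str]:
    """Counters whose increase exceeds `threshold`, largest first."""
    hits = [(name, d) for name, d in deltas.items() if d > threshold]
    hits.sort(key=lambda item: item[1], reverse=True)
    return [name for name, _ in hits]


# Constructed sample snapshots (not real nCLI output): one counter was
# cleared between the two reads, another has jumped.
SNAPSHOT_T0 = {name: 100 for name in DENIED_COUNTERS}
SNAPSHOT_T0.update({"FwlStatTCPInConnectionsDenied": 1000,
                    "FwlStatICMPInPktsDenied": 900})
SNAPSHOT_T1 = {name: 100 for name in DENIED_COUNTERS}
SNAPSHOT_T1.update({"FwlStatTCPInConnectionsDenied": 5200,  # spike
                    "FwlStatICMPInPktsDenied": 12})          # cleared, then 12 more

if __name__ == "__main__":
    deltas = counter_deltas(SNAPSHOT_T0, SNAPSHOT_T1)
    for name in flag_spikes(deltas, threshold=1000):
        print(f"{name}: +{deltas[name]} denied since the previous read")
```

Because FwlStatClearAll is ReadWrite and resets every counter at once, a poller that alerts on raw thresholds would miss activity after a clear; the reset handling above is what keeps the per-interval numbers honest.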


Group: Factory Default

Factory Default

Group: Flush DNS Cache

Flush DNS Cache

Parameter FwlDefault

Description Restores all firewall settings to the factory default.

Comment This parameter is not supported through WMI scripting.

Hierarchy Namespace: NS_Firewall Group: NV_Fwl_Default

Single: FwlDefault

Usage example: nCLI Set "FwlDefault" "NoRestore"

Access ReadWrite

Data type Selection

User selection NoRestore Restore

Parameter FwlFlushDNS

Description Flushes the operating system DNS cache.

Comment The DNS cache must be flushed whenever the firewall Domain Name configuration is changed, since cached lookups would otherwise keep resolving until they expire.

Hierarchy Namespace: NS_Firewall Group: NV_FwlFlushDNS

Single: FwlFlushDNS

Usage example: nCLI Set "FwlFlushDNS" "Clear"

Access ReadWrite

Data type Selection

User selection Clear


Table: EtherType Rules

Ether Type

Table parameter NV_FwlEtherType

Description Specifies the table used to configure EtherType firewall rules. As part of the Ethernet header, the EtherType identifies the type of Ethernet payload. Example payloads include IPv4, AppleTalk, IPX, and NetBEUI.

Comment For an EtherType that does not match any rule in the table, the default setting in FwlEtherTypeDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType

Usage examples:
nCLI AddRow "NV_FwlEtherType" "EtherType=2048,EtherTypeName=Internet Protocol version 4 (IPv4) (RFC 791),EtherTypeAction=Allow"
nCLI EditRow "NV_FwlEtherType.EtherType=2048" "EtherTypeName=Address Resolution Protocol (ARP) (RFC 826),EtherTypeAction=Allow"
nCLI DelRow "NV_FwlEtherType.EtherType=2048"

Access ReadWrite

Single parameters EtherType

EtherTypeName EtherTypeAction

Parameter EtherType

Description The EtherType identifies the type of Ethernet payload. Some examples and their hexadecimal values include IPv4 (0x0800), AppleTalk (0x809B), IPX (0x8137) and NetBEUI (0x8191).

Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType

Single: EtherType

Access ReadWrite

Table key This parameter is a key to the table

Data type Number ( 32 bit )

Maximum value 65535

Minimum value 1501


EtherType Name

EtherType Action

Parameter EtherTypeName

Description Name associated with the EtherType.

Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType

Single: EtherTypeName

Access ReadWrite

Data type String

Maximum Length 60

Parameter EtherTypeAction

Description Specifies action for the EtherType.

Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType

Single: EtherTypeAction

Access ReadWrite

Data type Selection

User selection Deny Allow


Table: IP Address/Mask Rule

Remote IP Address

Table parameter NV_FwlIP

Description Specifies the table used to configure firewall rules based on IP addresses and masks.

Comment For an IP address/mask pair that does not match any rule in the table, the default setting in FwlIPDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIP

Usage examples:
nCLI AddRow "NV_FwlIP" "IPRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,IPRemoteIPMask=32,IPAction=Allow"
nCLI DelRow "NV_FwlIP.IPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',IPRemoteIPMask='32'"

Access ReadWrite

Single parameter IPRemoteIP IPRemoteIPMask IPLocalIP IPLocalIPMask IPAction

Parameter IPRemoteIP

Description IP address of the remote machine or subnet.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIP

Single: IPRemoteIP

Access ReadWrite

Table key This parameter is a key to the table

Data type IP Address


Remote IP Address Mask

IP Action

Parameter IPRemoteIPMask

Description IP address mask of the remote machine or subnet.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIP

Single: IPRemoteIPMask

Access ReadWrite

Table key This parameter is a key to the table

Data type IP Mask Length

Parameter IPAction

Description Specifies the action for network traffic.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIP

Single: IPAction

Access ReadWrite

Data type Selection

User selection Deny Allow


Table: Domain Names Rule

Domain Name

Table parameter: NV_FwlDomain

Description Specifies the table used to configure domain name rules. A domain name is a user-friendly name that identifies a Web site, for example www.nvidia.com. The firewall enforces these rules by blocking DNS lookups of the listed domain names; a Web site whose IP address is already known can therefore still be reached by entering the IP address directly, which bypasses this filter.

Comment CLI users must flush the DNS cache for domain name rules to take effect; to do so, set FwlFlushDNS. For a domain name that does not match any rule in the table, the default setting in FwlDomainDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlDomain

Usage examples:
nCLI AddRow "NV_FwlDomain" "DomainName=www.dummy.com,DomainAction=Deny"
nCLI EditRow "NV_FwlDomain.DomainName='www.dummy.com'" "DomainAction=Deny"
nCLI DelRow "NV_FwlDomain.DomainName='www.dummy.com'"

Access ReadWrite

Single Parameter DomainName DomainAction

DomainLocalIP DomainLocalIPMask

Parameter DomainName

Description Domain name of the computer or Web site.

Hierarchy Namespace: NS_Firewall Table: NV_FwlDomain

Single: DomainName

Access ReadWrite

Table key This parameter is a key to the table

Data type String

Maximum Length 127


Domain Action

Table: IP Option Rules

Parameter DomainAction

Description Specifies action for network traffic.

Hierarchy Namespace: NS_Firewall Table: NV_FwlDomain

Single: DomainAction

Access ReadWrite

Data type Selection

User selection Deny Allow

Table parameter NV_FwlIPOption

Description Specifies the table to configure IP option rules. IPv4 options are added to the basic IPv4 header to provide additional features beyond those that are supported by the standard IPv4 packet's header. The standard 20-byte IPv4 header can be expanded to have up to 40 bytes of options. IPv6 options have no fixed size, but are otherwise similar to IPv4 options and provide for many of the same features.

Comment For an IP option that does not match any rule in the table, the default setting in FwlIPOptionDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption

Usage examples:
nCLI AddRow "NV_FwlIPOption" "IPOptionNumber=0,IPOptionName=End of Option List,IPOptionVersion=IPv4,IPOptionActionIn=Allow,IPOptionActionOut=Allow"
nCLI EditRow "NV_FwlIPOption.IPOptionNumber=0,IPOptionVersion=4" "IPOptionName=Pad-1 (i.e., one octet of padding),IPOptionActionIn=Allow,IPOptionActionOut=Allow"
nCLI DelRow "NV_FwlIPOption.IPOptionNumber=0,IPOptionVersion=4"

Access ReadWrite

Single parameter IPOptionNumber IPOptionName

IPOptionVersion IPOptionActionIn

IPOptionActionOut


IP Option Number

IP Option Name

Parameter IPOptionNumber

Description IP option number. IPv4 options are added to the basic IPv4 header to provide additional features beyond those that are supported by the standard IPv4 packet's header. The standard 20-byte IPv4 header can be expanded to have up to 40 bytes of options. IPv6 options have no fixed size, but are otherwise similar to IPv4 options and provide for many of the same features.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption

Single: IPOptionNumber

Access ReadWrite

Table key This parameter is a key to the table

Data type Number ( 32 bit )

Maximum Value 255

Minimum Value 0

Parameter IPOptionName

Description Specifies name associated with the IP option number.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption

Single: IPOptionName

Access ReadWrite

Data type String

Maximum Length 60


IP Version

IP Inbound Action

IP Outbound Action

Parameter IPOptionVersion

Description Specifies whether the rule is for IPv4 or IPv6.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption

Single: IPOptionVersion

Access ReadWrite

Table key This parameter is a key to the table

Data type Selection

User selection IPv4 IPv6

Parameter IPOptionActionIn

Description Specifies action for inbound network traffic.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption

Single: IPOptionActionIn

Access ReadWrite

Data type Selection

User selection Allow Deny

Parameter IPOptionActionOut

Description Specifies action for outbound network traffic.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption

Single: IPOptionActionOut

Access ReadWrite

Data type Selection

User selection Allow Deny


Table: IP Protocol Rule

IP Protocol

Table parameter NV_FwlIPProtocol

Description Specifies the table used to configure IP protocol rules. The IP protocol number identifies the type of IP payload; ICMP, TCP and UDP are examples of common IP payloads.

Comment For an IP protocol that does not match any rule in the table, the default setting in FwlIPProtocolDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol

Usage examples:
nCLI AddRow "NV_FwlIPProtocol" "IPProtocol=1,IPProtocolName=Internet Control Message Protocol for IPv4 (ICMP),IPProtocolAction=Allow"
nCLI EditRow "NV_FwlIPProtocol.IPProtocol=1" "IPProtocolName=Internet Group Management Protocol for IPv4 (IGMP),IPProtocolAction=Allow"
nCLI DelRow "NV_FwlIPProtocol.IPProtocol=1"

Access ReadWrite

Single Parameters IPProtocol IPProtocolName IPProtocolAction

Parameter IPProtocol

Description Specifies the IP protocol number. IP protocol identifies the type of IP payload. Common protocols and their decimal values include ICMP (1), TCP (6), and UDP (17).

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol

Single: IPProtocol

Access ReadWrite

Table key This parameter is a key to the table

Data type Number ( 32 bit )

Maximum Value 255

Minimum Value 0


IP Protocol Name

IP Protocol Action

Parameter IPProtocolName

Description Specifies a name for an IP protocol.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol

Single: IPProtocolName

Access ReadWrite

Data type String

Maximum Length 60

Parameter IPProtocolAction

Description Specifies the action for network traffic.

Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol

Single: IPProtocolAction

Access ReadWrite

Data type Selection

User selection Deny Allow
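The EtherType and IP protocol tables above share one shape: a numeric key with a documented range (EtherType 1501 to 65535, IPProtocol 0 to 255), a name of at most 60 characters, a Deny/Allow action, and a Fwl*Default parameter that catches anything not listed. The following is an added example, not NVIDIA code: it checks a rule against those limits before emitting the exact `nCLI AddRow`/`DelRow` command lines the guide shows, so a malformed row is rejected by the script rather than silently mis-parsed by the CLI. That nCLI separates fields with commas and delimits the row string with double quotes, and that FwlEtherTypeDefault and FwlIPProtocolDefault accept Deny/Allow like the other Fwl*Default parameters, are assumptions drawn from the page's examples rather than statements it makes.

```python
"""Validate and emit nCLI row commands for the NV_FwlEtherType and
NV_FwlIPProtocol tables.

Added example, not NVIDIA code.  Limits come from the parameter
reference: EtherType 1501..65535, IPProtocol 0..255, name strings at most
60 characters, actions Deny or Allow.  The command strings follow the
guide's own AddRow/DelRow usage examples.
"""
from dataclasses import dataclass
from typing import List

ETHERTYPE_RANGE = (1501, 65535)  # EtherType minimum/maximum value
IPPROTO_RANGE = (0, 255)         # IPProtocol minimum/maximum value
MAX_NAME_LEN = 60                # EtherTypeName / IPProtocolName maximum length
ACTIONS = ("Deny", "Allow")


@dataclass(frozen=True)
class EtherTypeRule:
    ether_type: int  # e.g. 0x0800 (2048) for IPv4
    name: str
    action: str


@dataclass(frozen=True)
class IPProtocolRule:
    protocol: int    # e.g. 1 ICMP, 6 TCP, 17 UDP
    name: str
    action: str


def _validate(value: int, limits, name: str, action: str, field: str) -> None:
    lo, hi = limits
    if not lo <= value <= hi:
        raise ValueError(f"{field}={value} outside {lo}..{hi}")
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"name longer than {MAX_NAME_LEN} characters")
    # Assumption: nCLI separates fields with ',' and delimits the row string
    # with '"', and the guide documents no escaping, so a name containing
    # either character would be read as extra fields.
    if "," in name or '"' in name:
        raise ValueError("name must not contain ',' or '\"'")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")


def ethertype_addrow(rule: EtherTypeRule) -> str:
    _validate(rule.ether_type, ETHERTYPE_RANGE, rule.name, rule.action, "EtherType")
    return (f'nCLI AddRow "NV_FwlEtherType" '
            f'"EtherType={rule.ether_type},EtherTypeName={rule.name},'
            f'EtherTypeAction={rule.action}"')


def ethertype_delrow(ether_type: int) -> str:
    return f'nCLI DelRow "NV_FwlEtherType.EtherType={ether_type}"'


def ipprotocol_addrow(rule: IPProtocolRule) -> str:
    _validate(rule.protocol, IPPROTO_RANGE, rule.name, rule.action, "IPProtocol")
    return (f'nCLI AddRow "NV_FwlIPProtocol" '
            f'"IPProtocol={rule.protocol},IPProtocolName={rule.name},'
            f'IPProtocolAction={rule.action}"')


def ipprotocol_delrow(protocol: int) -> str:
    return f'nCLI DelRow "NV_FwlIPProtocol.IPProtocol={protocol}"'


def allowlist_script(ether_rules: List[EtherTypeRule],
                     proto_rules: List[IPProtocolRule]) -> List[str]:
    """Commands for an explicit allow-list: one row per permitted value, then
    the two default parameters set to Deny so that anything unlisted falls
    through to a denial.  FwlEtherTypeDefault and FwlIPProtocolDefault are
    named in the table comments; that they take Deny/Allow like the other
    Fwl*Default parameters is an assumption."""
    cmds = [ethertype_addrow(r) for r in ether_rules]
    cmds += [ipprotocol_addrow(r) for r in proto_rules]
    cmds.append('nCLI Set "FwlEtherTypeDefault" "Deny"')
    cmds.append('nCLI Set "FwlIPProtocolDefault" "Deny"')
    return cmds


if __name__ == "__main__":
    for line in allowlist_script(
            [EtherTypeRule(0x0800, "Internet Protocol version 4 (IPv4) (RFC 791)", "Allow"),
             EtherTypeRule(0x0806, "Address Resolution Protocol (ARP) (RFC 826)", "Allow")],
            [IPProtocolRule(1, "Internet Control Message Protocol for IPv4 (ICMP)", "Allow"),
             IPProtocolRule(6, "TCP", "Allow"), IPProtocolRule(17, "UDP", "Allow")]):
        print(line)
```

The minimum of 1501 in the reference is the boundary below which the field in an Ethernet frame is an IEEE 802.3 length rather than a type, which is why the validator rejects 1500 even though it fits in 32 bits.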


Table: TCP/UDP Port Rule

Table parameter NV_FwlPort

Description Specifies the table to configure TCP or UDP port rules. Port numbers are used by TCP or UDP to identify sending and receiving applications. Some common ports include HTTP (80), TELNET (23) and SMTP (25).

Comment For a TCP/UDP port that does not match any rule in the table, the default setting in FwlPortDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Usage examples:
nCLI AddRow "NV_FwlPort" "PortActionIn=Deny,PortActionOut=Deny,PortRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,PortRemoteIPMask=32,PortName=Reserved,PortRangeBegin=0,PortRangeEnd=0,PortProtocol=Both"
nCLI EditRow "NV_FwlPort.PortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',PortRemoteIPMask='32',PortRangeBegin=0,PortRangeEnd=0,PortProtocol=0" "PortActionIn=Deny,PortActionOut=Allow,PortName=Time (RFC 868)"
nCLI DelRow "NV_FwlPort.PortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',PortRemoteIPMask='32',PortRangeBegin=0,PortRangeEnd=0,PortProtocol=0"

Access ReadWrite

Single parameter PortActionIn PortActionOut PortRemoteIP

PortRemoteIPMask PortLocalIP PortRangeBegin

PortRangeEnd PortLocalIPMask

PortName PortProtocol


TCP/UDP Port Outbound Action

Remote IP Address

Remote IP Subnet Mask

Parameter PortActionOut

Description Specifies outbound action for the network connection.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Single: PortActionOut

Access ReadWrite

Data type Selection

User selection Deny Allow

Parameter PortRemoteIP

Description IP address of the remote machine or subnet.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Single: PortRemoteIP

Access ReadWrite

Table key This parameter is a key to the table

Data type IP Address

Parameter PortRemoteIPMask

Description Specifies the IP address mask of the remote machine or subnet.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Single: PortRemoteIPMask

Access ReadWrite

Table key This parameter is a key to the table

Data type IP Mask Length


Port Name

Beginning Port Number

Ending Port Number

Parameter PortName

Description Specifies the name associated with the TCP or UDP port range.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Single: PortName

Access ReadWrite

Data type String

Maximum Length 100

Parameter PortRangeBegin

Description Specifies the first UDP or TCP port in the range.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Single: PortRangeBegin

Access ReadWrite

Table key This parameter is a key to the table

Data type Number ( 32 bit )

Maximum Value 65535

Parameter PortRangeEnd

Description Specifies the last UDP or TCP port in the range.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Single: PortRangeEnd

Access ReadWrite

Table key This parameter is a key to the table

Data type Number ( 32 bit )

Maximum Value 65535


Port Protocol

Table: TCP Options Rule

Parameter PortProtocol

Description Specifies whether the port protocol is UDP, TCP, or both.

Hierarchy Namespace: NS_Firewall Table: NV_FwlPort

Single: PortProtocol

Access ReadWrite

Table key This parameter is a key to the table

Data type Selection

User selection UDP TCP

Table parameter NV_FwlTCPOption

Description Specifies the table to configure the TCP options rule. TCP options are added to the standard 20-byte TCP header to provide additional features that typically can only be used if they are negotiated at the beginning of a TCP connection.

Comment For a given TCP option that does not match any rule in the table, the default setting in FwlTCPOptionDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlTCPOption

Usage examples:
nCLI AddRow "NV_FwlTCPOption" "TCPOptionNumber=0,TCPOptionName=End of Option List (RFC 793),TCPOptionAction=Allow"
nCLI EditRow "NV_FwlTCPOption.TCPOptionNumber=0" "TCPOptionName=No Operation (RFC 793),TCPOptionAction=Allow"
nCLI DelRow "NV_FwlTCPOption.TCPOptionNumber=0"

Access ReadWrite

Single parameters TCPOptionNumber TCPOptionName TCPOptionAction


TCP Option Number

TCP Option Name

TCP Option Action

Parameter TCPOptionNumber

Description Represents the TCP option number. TCP options are added to the standard 20-byte TCP header to provide additional features that typically can only be used if they are negotiated at the beginning of a TCP connection.

Hierarchy Namespace: NS_Firewall Table: NV_FwlTCPOption

Single: TCPOptionNumber

Access ReadWrite

Table key This parameter is a key to the table

Data type Number (32 bit)

Maximum Value 255

Minimum Value 0

Parameter TCPOptionName

Description Specifies a name associated with a TCP option number.

Hierarchy Namespace: NS_Firewall Table: NV_FwlTCPOption

Single: TCPOptionName

Access ReadWrite

Data type String

Maximum Length 60

Parameter TCPOptionAction

Description Specifies the action for network traffic containing a given TCP option number.

Hierarchy Namespace: NS_Firewall Table: NV_FwlTCPOption

Single: TCPOptionAction

Access ReadWrite

Data type Selection

User selection Deny Allow

Table: ICMP Rules

Table parameter NV_FwlICMP

Description Specifies the table to configure ICMP message rules. ICMP communicates error, diagnostic and control messages. Examples of ICMP messages include echo (i.e., ping) and 'destination unreachable'.

Comment For an ICMP message that does not match any rule in the table, the default setting in FwlICMPDefault will be used.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Usage examples:

nCLI AddRow "NV_FwlICMP" "ICMPRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,ICMPRemoteIPMask=32,ICMPType=0,ICMPCode=0,ICMPName=Echo reply (RFC792),ICMPVersion=ICMPv4,ICMPActionIn=Allow,ICMPActionOut=Allow"

nCLI EditRow "NV_FwlICMP.ICMPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',ICMPRemoteIPMask='32',ICMPType=0,ICMPCode=0,ICMPVersion=4" "ICMPName=Not assigned,ICMPActionIn=Deny,ICMPActionOut=Deny"

nCLI DelRow "NV_FwlICMP.ICMPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',ICMPRemoteIPMask='32',ICMPType=0,ICMPCode=0,ICMPVersion=4"

Access ReadWrite

Single parameters ICMPRemoteIP ICMPRemoteIPMask ICMPLocalIP ICMPLocalIPMask ICMPType ICMPCode ICMPName ICMPVersion ICMPActionIn ICMPActionOut

Remote IP Address

Parameter ICMPRemoteIP

Description Specifies the IP address of the remote machine or subnet.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPRemoteIP

Access ReadWrite

Table key This parameter is a key to the table

Data type IP Address

Remote IP Subnet Mask

Parameter ICMPRemoteIPMask

Description Specifies the IP address mask of the remote machine or subnet.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPRemoteIPMask

Access ReadWrite

Table key This parameter is a key to the table

Data type IP Mask Length

ICMP Type

Parameter ICMPType

Description Specifies the ICMP type.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPType

Access ReadWrite

Table key This parameter is a key to the table

Data type Number (32 bit)

Maximum Value 255 Minimum Value: 0

ICMP Code

Parameter ICMPCode

Description Specifies the ICMP code.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPCode

Access ReadWrite

Table key This parameter is a key to the table

Data type Number (32 bit)

Maximum Value 255 Minimum Value: 0

ICMP Name

Parameter ICMPName

Description Specifies a name for the ICMP type/code pair.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPName

Access ReadWrite

Data type String

Maximum Length 120

ICMP Version

Parameter ICMPVersion

Description Specifies whether the rule is for ICMPv4 or ICMPv6.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPVersion

Access ReadWrite

Table key This parameter is a key to the table

Data type Selection

User selection ICMPv4 ICMPv6

ICMP Inbound Action

Parameter ICMPActionIn

Description Specifies the action for inbound network traffic.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPActionIn

Access ReadWrite

Data type Selection

User selection Deny Allow

ICMP Outbound Action

Parameter ICMPActionOut

Description Specifies the action for outbound network traffic.

Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP

Single: ICMPActionOut

Access ReadWrite

Data type Selection

User selection Deny Allow
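How a table like NV_FwlICMP is consulted is easiest to see with a small matcher. The following Python program is an added example, not code from the guide or from the ForceWare software. It parses rows written in the field=value form the usage examples above use, unwraps the IPv4-mapped IPv6 address text those examples show (0000:...:FFFF:a.b.c.d), matches an ICMP message by version, type, code and remote address/mask, and falls back to a default when no row matches, as the Comment on the table describes for FwlICMPDefault. The three rule rows, the Deny default, first-match ordering, and the reading of a mapped address's mask as a count of IPv4 prefix bits are assumptions made for the example.

```python
# Added example (not part of the NVIDIA guide): evaluate ICMP rules written in
# the field=value form the guide's nCLI AddRow examples use for NV_FwlICMP.
import ipaddress

# Constructed rows. Addresses use the IPv4-mapped IPv6 text form the guide's
# examples show (0000:...:FFFF:a.b.c.d). Assumption for this example: the mask
# length of such a row counts IPv4 prefix bits (32 = single host, 0 = any).
RULE_ROWS = [
    "ICMPRemoteIP=0000:0000:0000:0000:0000:FFFF:C0A8:0100,ICMPRemoteIPMask=24,"
    "ICMPType=8,ICMPCode=0,ICMPName=Echo request (RFC792),ICMPVersion=ICMPv4,"
    "ICMPActionIn=Allow,ICMPActionOut=Allow",
    "ICMPRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,ICMPRemoteIPMask=0,"
    "ICMPType=8,ICMPCode=0,ICMPName=Echo request (RFC792),ICMPVersion=ICMPv4,"
    "ICMPActionIn=Deny,ICMPActionOut=Allow",
    "ICMPRemoteIP=2001:0DB8:0000:0000:0000:0000:0000:0000,ICMPRemoteIPMask=32,"
    "ICMPType=128,ICMPCode=0,ICMPName=Echo request (RFC4443),ICMPVersion=ICMPv6,"
    "ICMPActionIn=Allow,ICMPActionOut=Allow",
]

# Assumed value of FwlICMPDefault for this example.
ICMP_DEFAULT = "Deny"


def parse_row(spec: str) -> dict:
    """Split 'Field=value,Field=value' into a dict (quotes around values dropped)."""
    row = {}
    for item in spec.split(","):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("field without '=': %r" % item)
        row[key.strip()] = value.strip().strip("'")
    return row


def _unmap(addr):
    """Turn ::FFFF:a.b.c.d into the plain IPv4 address, leave others alone."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def address_matches(packet_ip: str, rule_ip: str, mask_len: int) -> bool:
    """True if packet_ip lies inside rule_ip/mask_len (mapped forms unwrapped)."""
    p = _unmap(ipaddress.ip_address(packet_ip))
    r = _unmap(ipaddress.ip_address(rule_ip))
    if p.version != r.version:
        return False
    network = ipaddress.ip_network("%s/%d" % (r, mask_len), strict=False)
    return p in network


def lookup(rows, remote_ip: str, version: str, icmp_type: int, icmp_code: int,
           direction: str, default: str = ICMP_DEFAULT) -> str:
    """Return Allow/Deny for one ICMP message.

    First matching row wins (assumed ordering); with no match the
    FwlICMPDefault value is used, as the guide describes.
    """
    field = {"in": "ICMPActionIn", "out": "ICMPActionOut"}[direction]
    for row in (parse_row(r) if isinstance(r, str) else r for r in rows):
        if row["ICMPVersion"] != version:
            continue
        if int(row["ICMPType"]) != icmp_type or int(row["ICMPCode"]) != icmp_code:
            continue
        if not address_matches(remote_ip, row["ICMPRemoteIP"],
                               int(row["ICMPRemoteIPMask"])):
            continue
        return row[field]
    return default


if __name__ == "__main__":
    print(lookup(RULE_ROWS, "192.168.1.20", "ICMPv4", 8, 0, "in"))   # Allow
    print(lookup(RULE_ROWS, "10.0.0.5", "ICMPv4", 8, 0, "in"))       # Deny
    print(lookup(RULE_ROWS, "10.0.0.5", "ICMPv4", 3, 1, "in"))       # default
```

Because the version, type and code of a message are all part of the row key, a row for ICMPv4 echo request never matches ICMPv6 echo request (type 128) even though both are "ping"; a separate ICMPv6 row is required, which is the reason the third constructed row exists.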

APPENDIX C

ACTIVEARMOR SECURE NETWORK ENGINE (SNE) PARAMETERS REFERENCE

Note: For references to all the individual parameters, categorized by group, see the entries listed for this appendix—C. NVIDIA ActiveArmor Parameters Reference—in the “Table of Contents” on page iii.

Group: Feature Controls

These are the overall controls for high-level ActiveArmor functions. They determine which connections are handled by ActiveArmor.

ActiveArmor SNE

Parameter HOT

Description Enables or disables all ActiveArmor functionality.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTControls

Single: HOT

Usage example nCLI Set "HOT" "Enabled"

Access ReadWrite

Factory default value Enabled

Data type Selection

User Selection Disabled

User Selection Enabled

Group: Offload Default

Offload Default

Parameter HOTAppDefault

Description Configure the default offload behavior of any connections not listed in the ActiveArmor application table or the port table.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTAppDefault

Single: HOTAppDefault

Usage example nCLI Set "HOTAppDefault" "Offloadable"

Access ReadWrite

Factory default value Offloadable

Data type Selection

User Selection NotOffloadable

User Selection Offloadable

Group: ActiveArmor Factory Default

Factory Default

Parameter HOTDefault

Description Restores the ActiveArmor factory default settings.

External Comment Restore factory default feature is not available through WMI Script.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOT_FactoryDefault

Single: HOTDefault

Usage example nCLI Set "HOTDefault" "NoRestore"

Access ReadWrite

Factory default value NoRestore

Data type Selection

User Selection NoRestore

User Selection Restore

Table: Offloadable IP Address and Port Ranges

Table Parameter NV_HOTPort

Description Defines the offload behavior of specific IP addresses and ports.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Usage example:

nCLI AddRow "NV_HOTPort" "HOTPortLocalIP=0000:0000:0000:0000:0000:FFFF:0000:0000,HOTPortLocalIPMask=32,HOTPortRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,HOTPortRemoteIPMask=32,HOTPortRangeBegin=0,HOTPortRangeEnd=0,HOTPortOffloadPriority=Default,HOTPortOffloadIn=NotOffloadable,HOTPortOffloadOut=NotOffloadable"

nCLI DelRow "NV_HOTPort.HOTPortLocalIP='0000:0000:0000:0000:0000:FFFF:0000:0000',HOTPortLocalIPMask='32',HOTPortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',HOTPortRemoteIPMask='32',HOTPortRangeBegin=0,HOTPortRangeEnd=0"

Access ReadWrite

Single Parameter HOTPortLocalIP (See “Local IP Address” on page 186.)

Single Parameter HOTPortLocalIPMask (See “Local IP Subnet Mask” on page 186.)

Single Parameter HOTPortRemoteIP (See “Remote IP Address” on page 186.)

Single Parameter HOTPortRemoteIPMask (See “Remote IP Subnet Mask” on page 187.)

Single Parameter HOTPortRangeBegin (See “Beginning Port Number” on page 187.)

Single Parameter HOTPortRangeEnd (See “Ending Port Number” on page 188.)

Single Parameter HOTPortOffloadIn (See “Offload Setting for Inbound Connection” on page 188.)

Single Parameter HOTPortOffloadOut (See “Offload Setting for Outbound Connection” on page 189.)

Local IP Address

Parameter HOTPortLocalIP

Description Specifies the local or source IP address.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortLocalIP

Access ReadWrite

Factory default value 0000:0000:0000:0000:0000:FFFF:0000:0000

Table key This parameter is a key to the table

Data type IP Address

Local IP Subnet Mask

Parameter HOTPortLocalIPMask

Description Specifies the local or source IP subnet mask.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortLocalIPMask

Access ReadWrite

Factory default value 32

Table key This parameter is a key to the table

Data type IP Mask Length

Remote IP Address

Parameter HOTPortRemoteIP

Description IP address of the remote machine or subnet.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortRemoteIP

Access ReadWrite

Factory default value 0000:0000:0000:0000:0000:FFFF:0000:0000

Table key This parameter is a key to the table

Data type IP Address

Remote IP Subnet Mask

Parameter HOTPortRemoteIPMask

Description IP address mask of the remote machine or subnet.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortRemoteIPMask

Access ReadWrite

Factory default value 32

Table key This parameter is a key to the table

Data type IP Mask Length

Beginning Port Number

Parameter HOTPortRangeBegin

Description First UDP or TCP port in the range.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortRangeBegin

Access ReadWrite

Factory default value 0

Table key This parameter is a key to the table

Data type Number ( 32 bit )

Maximum Value 65535

Ending Port Number

Parameter HOTPortRangeEnd

Description Last UDP or TCP port in the range.

External Comment Ending port number value should be equal to or greater than the starting port number.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortRangeEnd

Access ReadWrite

Factory default value 0

Table key This parameter is a key to the table

Data type Number ( 32 bit )

Maximum Value 65535

Offload Setting for Inbound Connection

Parameter HOTPortOffloadIn

Description Specifies if the inbound connection within this port number range will be handled by ActiveArmor.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortOffloadIn

Access ReadWrite

Factory default value NotOffloadable

Data type Selection

User Selection NotOffloadable

User Selection Offloadable

Offload Setting for Outbound Connection

Parameter HOTPortOffloadOut

Description Specifies if the outbound connection within this port number range will be handled by ActiveArmor.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTPort

Row: Single: HOTPortOffloadOut

Access ReadWrite

Factory default value NotOffloadable

Data type Selection

User Selection NotOffloadable

User Selection Offloadable
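Rows for NV_HOTPort carry several constraints stated across the entries above: IPv4-mapped address text, a mask length of 32 for a single host, ports in 0..65535, an ending port not below the beginning port, and two fixed offload values. The following Python program is an added example, not code from the guide or from NVIDIA: it validates a row against those constraints, converts dotted IPv4 input into the 8-group address text the usage example uses, and builds the matching nCLI AddRow and DelRow lines in the same layout. The sample row (inbound port 443 from 10/8 kept off the hardware path) and the treatment of a mapped address's mask as an IPv4 prefix length of 0..32 are assumptions for the example; HOTPortOffloadPriority=Default is copied from the guide's own AddRow example.

```python
# Added example (not part of the NVIDIA guide): build validated NV_HOTPort rows
# and the matching nCLI AddRow / DelRow command lines the guide documents.
import ipaddress

OFFLOAD_VALUES = ("Offloadable", "NotOffloadable")


def table_address(text: str) -> str:
    """Render an IPv4 or IPv6 address in the 8-group, zero-padded, upper-case
    form the guide's examples use (IPv4 becomes IPv4-mapped ::FFFF:a.b.c.d)."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        addr = ipaddress.IPv6Address("::ffff:%s" % addr)
    return addr.exploded.upper()


def check_mask(text: str, mask_len: int) -> int:
    """Assumption for this example: the mask of an IPv4 (mapped) row counts
    IPv4 prefix bits, so it must be 0..32; an IPv6 row allows 0..128."""
    limit = 32 if ipaddress.ip_address(text).version == 4 else 128
    if not 0 <= mask_len <= limit:
        raise ValueError("mask length %d out of range 0..%d for %s"
                         % (mask_len, limit, text))
    return mask_len


def hot_port_row(local_ip, local_mask, remote_ip, remote_mask,
                 range_begin, range_end, offload_in, offload_out):
    """Return the row as an ordered list of (field, value) pairs after checking
    the constraints the guide states: ports 0..65535, end >= begin, and the
    two offload fields limited to Offloadable / NotOffloadable."""
    for port in (range_begin, range_end):
        if not 0 <= port <= 65535:
            raise ValueError("port %d out of range" % port)
    if range_end < range_begin:
        raise ValueError("HOTPortRangeEnd must be >= HOTPortRangeBegin")
    for value in (offload_in, offload_out):
        if value not in OFFLOAD_VALUES:
            raise ValueError("offload value must be one of %s" % (OFFLOAD_VALUES,))
    return [
        ("HOTPortLocalIP", table_address(local_ip)),
        ("HOTPortLocalIPMask", str(check_mask(local_ip, local_mask))),
        ("HOTPortRemoteIP", table_address(remote_ip)),
        ("HOTPortRemoteIPMask", str(check_mask(remote_ip, remote_mask))),
        ("HOTPortRangeBegin", str(range_begin)),
        ("HOTPortRangeEnd", str(range_end)),
        # HOTPortOffloadPriority=Default appears in the guide's AddRow example
        # but has no parameter entry; it is carried through unchanged here.
        ("HOTPortOffloadPriority", "Default"),
        ("HOTPortOffloadIn", offload_in),
        ("HOTPortOffloadOut", offload_out),
    ]


KEY_FIELDS = ("HOTPortLocalIP", "HOTPortLocalIPMask", "HOTPortRemoteIP",
              "HOTPortRemoteIPMask", "HOTPortRangeBegin", "HOTPortRangeEnd")


def add_row_command(row) -> str:
    """AddRow takes the table name and the full field list."""
    return 'nCLI AddRow "NV_HOTPort" "%s"' % ",".join("%s=%s" % kv for kv in row)


def del_row_command(row) -> str:
    """DelRow names the row by its key fields; the guide quotes the IP and mask
    values with single quotes and leaves the port numbers bare."""
    fields = dict(row)
    parts = []
    for name in KEY_FIELDS:
        value = fields[name]
        if name.endswith("IP") or name.endswith("Mask"):
            value = "'%s'" % value
        parts.append("%s=%s" % (name, value))
    return 'nCLI DelRow "NV_HOTPort.%s"' % ",".join(parts)


# Constructed example: never offload inbound TLS from 10/8 to this host,
# leave the outbound half offloadable.
EXAMPLE_ROW = hot_port_row("192.168.1.10", 32, "10.0.0.0", 8, 443, 443,
                           "NotOffloadable", "Offloadable")

if __name__ == "__main__":
    print(add_row_command(EXAMPLE_ROW))
    print(del_row_command(EXAMPLE_ROW))
```

Keeping the conversion in one place matters because a mistyped address in a row is not rejected by the table: a row whose mapped address does not match any real peer simply never applies, and the connection falls through to HOTAppDefault, which in the factory configuration is Offloadable.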

Table: Application Offload Control

Table Parameter NV_HOTApp

Description Defines the offload behavior of specified applications.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTApp

Usage example:

nCLI AddRow "NV_HOTApp" "HOTAppIPAddress=0000:0000:0000:0000:0000:FFFF:0000:0000,HOTAppIPMask=32,HOTAppFileName=example.exe,HOTAppPath=c:,HOTAppOffloadPriority=Default,HOTAppOffloadIn=NotOffloadable,HOTAppOffloadOut=NotOffloadable"

nCLI DelRow "NV_HOTApp.HOTAppIPAddress='0000:0000:0000:0000:0000:FFFF:0000:0000',HOTAppIPMask='32',HOTAppFileName='example.exe',HOTAppPath='c:'"

Access ReadWrite

Single Parameter HOTAppIPAddress (See “IP Address” on page 190.)

Single Parameter HOTAppIPMask (See “IP Subnet Mask” on page 190.)

Single Parameter HOTAppFileName (See “Application Filename” on page 191.)


Single Parameter HOTAppPath (See “Application Path” on page 191.)

Single Parameter HOTAppOffloadIn (See “Offload Enable/Disable for Inbound Connection” on page 192.)

Single Parameter HOTAppOffloadOut (See “Offload Enable/Disable for Outbound Connection” on page 192.)

IP Address

Parameter HOTAppIPAddress

Description Defines the remote IP address or subnet.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTApp

Row: Single: HOTAppIPAddress

Access ReadWrite

Factory default value 0000:0000:0000:0000:0000:FFFF:0000:0000

Table key This parameter is a key to the table

Data type IP Address

IP Subnet Mask

Parameter HOTAppIPMask

Description Remote IP subnet mask applied to the remote IP address.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTApp

Row: Single: HOTAppIPMask

Access ReadWrite

Factory default value 32

Table key This parameter is a key to the table

Data type IP Mask Length

Application Filename

Parameter HOTAppFileName

Description The name of the application (up to 255 characters). The name is used by ActiveArmor to identify an application that will be handled by ActiveArmor.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTApp

Row: Single: HOTAppFileName

Access ReadWrite

Factory default value example.exe

Table key This parameter is a key to the table

Data type String

Maximum Length 255

Application Path

Parameter HOTAppPath

Description Directory where the application file resides.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTApp

Row: Single: HOTAppPath

Access ReadWrite

Factory default value c:

Table key This parameter is a key to the table

Data type String

Maximum Length 255

Offload Enable/Disable for Inbound Connection

Parameter HOTAppOffloadIn

Description Specifies if this application's inbound connection will be handled by ActiveArmor.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTApp

Row: Single: HOTAppOffloadIn

Access ReadWrite

Factory default value NotOffloadable

Data type Selection

User Selection NotOffloadable

User Selection Offloadable

Offload Enable/Disable for Outbound Connection

Parameter HOTAppOffloadOut

Description Specifies if this application's outbound connection will be handled by ActiveArmor.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTApp

Row: Single: HOTAppOffloadOut

Access ReadWrite

Factory default value NotOffloadable

Data type Selection

User Selection NotOffloadable

User Selection Offloadable

Group: ActiveArmor Statistics

These are global statistics pertaining to ActiveArmor that are designed to aid performance monitoring and tuning. The statistics are derived from all connections maintained by ActiveArmor.

Received TCP Payload Bytes

Parameter HotStatTotalRxBytes

Description The total number of data bytes that have been received.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatTotalRxBytes

Usage example nCLI Get "HotStatTotalRxBytes"

Access Read

Data type Number ( 64 bit )

Transmitted TCP Payload Bytes

Parameter HotStatTotalTxBytes

Description The total number of data bytes that have been transmitted.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatTotalTxBytes

Usage example nCLI Get "HotStatTotalTxBytes"

Access Read

Data type Number ( 64 bit )

Received TCP Segments

Parameter HotStatTotalRxSegments

Description The total number of TCP segments that have been received.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatTotalRxSegments

Usage example nCLI Get "HotStatTotalRxSegments"

Access Read

Data type Number ( 64 bit )

Transmitted TCP Segments

Parameter HotStatTotalTxSegments

Description The total number of TCP segments that have been transmitted.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatTotalTxSegments

Usage example nCLI Get "HotStatTotalTxSegments"

Access Read

Data type Number ( 64 bit )

Retransmitted TCP Segments

Parameter HotStatTotalReTxSegments

Description The total number of TCP segments that have been retransmitted.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatTotalReTxSegments

Usage example nCLI Get "HotStatTotalReTxSegments"

Access Read

Data type Number ( 64 bit )

Total ICMP “Destination Unreachable” Packets Received

Parameter HotStatICMPDestUnreachable

Description The total number of ICMP “Destination Unreachable” packets that were received.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatICMPDestUnreachable

Usage example nCLI Get "HotStatICMPDestUnreachable"

Access Read

Data type Number ( 64 bit )

IP Fragments Received

Parameter HotStatIPv4FragmentsRx

Description The total number of IP fragments received that were re-assembled into TCP segments.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatIPv4FragmentsRx

Usage example nCLI Get "HotStatIPv4FragmentsRx"

Access Read

Data type Number ( 64 bit )

IP Packets Received with Options

Parameter HotStatIPv4OptionsRx

Description The total number of IP packets received with any IP options.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatIPv4OptionsRx

Usage example nCLI Get "HotStatIPv4OptionsRx"

Access Read

Data type Number ( 64 bit )

TCP Segments Received with Valid Reset Flag Set

Parameter HotStatValidResetsRx

Description The total number of valid TCP segments with the RST flag set that were received.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatValidResetsRx

Usage example nCLI Get "HotStatValidResetsRx"

Access Read

Data type Number ( 64 bit )

TCP Segments Transmitted with the Reset Flag Set

Parameter HotStatValidResetsTx

Description The total number of TCP segments with the RST flag set that were transmitted.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatValidResetsTx

Usage example nCLI Get "HotStatValidResetsTx"

Access Read

Data type Number ( 64 bit )

Auto-ACKs Transmitted

Parameter HotStatAutoAckTx

Description The total number of TCP acknowledgements that have been generated by the ActiveArmor SNE (Secure Networking Engine) hardware.

Hierarchy Namespace: NS_Eth_HOT Group: NV_HOTStat

Single: HotStatAutoAckTx

Usage example nCLI Get "HotStatAutoAckTx"

Access Read

Data type Number ( 64 bit )

Table: Connection Table Information

Table Parameter NV_HOTCon

Description This table lists all the connections that are handled by ActiveArmor.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Usage example nCLI Get "NV_HOTCon"

Access Read

Single Parameter ConLifetime (See “Connection Lifetime” on page 197.)

Single Parameter ConTCPState (See “TCP State” on page 197.)

Single Parameter ConHardware (See “Hardware Offload” on page 198.)

Single Parameter ConLocalIP (See “Local IP Address” on page 198.)

Single Parameter ConLocalTCPPort (See “Local TCP Port” on page 199.)

Single Parameter ConRemoteIP (See “Remote IP Address” on page 199.)

Single Parameter ConRemoteTCPPort (See “Remote TCP Port” on page 199.)

Connection Lifetime

Parameter ConLifetime

Description Time in seconds since the connection was established.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Row: Single: ConLifetime

Access Read

Data type Number ( 32 bit )

TCP State

Parameter ConTCPState

Description Indicates the TCP state of the connection.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Row: Single: ConTCPState

Access Read

Data type Selection


User Selection CLOSED

User Selection LISTENING

User Selection SYN_SENT

User Selection SYN_RECEIVED

User Selection ESTABLISHED

User Selection CLOSE_WAIT

User Selection FIN_WAIT1

User Selection FIN_WAIT2

User Selection CLOSING

User Selection LAST_ACK

User Selection TIME_WAIT

Hardware Offload

Parameter ConHardware

Description Indicates if the connection is currently offloaded to the ActiveArmor hardware.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Row: Single: ConHardware

Access Read

Data type Selection

User Selection Not Offloaded

User Selection Offloaded

Local IP Address

Parameter ConLocalIP

Description The IP address of the local machine for the connection.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Row: Single: ConLocalIP


Access Read

Data type IP Address

Local TCP Port

Parameter ConLocalTCPPort

Description The TCP port used by the local machine for this connection.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Row: Single: ConLocalTCPPort

Access Read

Data type Number ( 16 bit )

Remote IP Address

Parameter ConRemoteIP

Description The IP address of the remote machine for this connection.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Row: Single: ConRemoteIP

Access Read

Table key This parameter is a key to the table

Data type IP Address

Remote TCP Port

Parameter ConRemoteTCPPort

Description The TCP port used by the remote machine for this connection.

Hierarchy Namespace: NS_Eth_HOT Table: NV_HOTCon

Row: Single: ConRemoteTCPPort


Access Read

Table key This parameter is a key to the table

Data type Number ( 16 bit )

APPENDIX D

GLOSSARY

• ActiveArmor. NVIDIA ActiveArmor is software that controls the NVIDIA ActiveArmor Secure Networking Engine (SNE), which offloads CPU-intensive aspects of firewall and TCP processing (see “Understanding NVIDIA ActiveArmor” on page 66).

• distinguished name. In reference to the ForceWare Network Access Manager application, a distinguished name is the name that uniquely identifies a parameter. Each parameter has a distinguished name.

• group parameter. In reference to the ForceWare Network Access Manager application, a group parameter is a collection of single parameters that belong to a functionality set.

• IAM (Intelligent Application Manager). The IAM is the part of the ActiveArmor Firewall that allows you to create firewall rules based on an application’s name (see “Using the Intelligent Application Manager (IAM)” on page 41).

• ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses IP datagrams, but the messages are processed by the IP software and are not necessarily directly apparent to the application user.

• IP (Internet Protocol) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains the sender's Internet address and the receiver's Internet address.

When the sender needs to send a packet to a receiver on a different subnetwork, the packet is sent first to the sender's “default gateway”, a computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination address, and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order in which they were sent. The Internet Protocol just delivers them. For applications requiring in-order delivery, it's up to a higher-layer protocol to ensure proper sequencing across a packet stream.

IP is a connectionless protocol, which means that there is no continuing connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data.

In the Open Systems Interconnection (OSI) communication model, IP is in layer 3, the Network Layer. The most widely used version of IP today is IPv4. However, IPv6 is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets often can also support IPv4 packets.

• namespace parameter. In reference to the ForceWare Network Access Manager application, a namespace parameter is the largest container of parameters. A namespace parameter contains multiple group parameters and/or table parameters.

• nCLI (NVIDIA command line interface). In ForceWare Network Access Manager, nCLI is a command line interface that can be used to configure and monitor NVIDIA networking components. nCLI can run in either export or interactive mode.

• SSL (Secure Sockets Layer) is the industry-standard method for protecting Web communications. Built upon public key encryption technology, SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. When you come across a Web page that is secured, the browser will usually display a “closed lock” or other symbol to inform you that SSL has been enabled. At this point, the Web site address will also start with “https://” instead of the normal “http://”.


Note: NVIDIA ForceWare Network Access Manager uses SSL when the Web-based interface is remotely accessed.

• single parameter. In ForceWare Network Access Manager, a single parameter is the smallest parameter unit. It contains a name and value pair.

• table parameter. In ForceWare Network Access Manager, a table parameter is a collection of group parameters (rows) that share the same fields (columns). Table parameters are frequently used as placeholders for ActiveArmor Firewall rules, filters, and statistics. Each row inside the table is uniquely identified by a key. A key is composed of one or more fields of a row.

• TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the IP to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called segments) that a message is divided into for efficient routing through the Internet.

TCP is known as a connection-oriented protocol, which means that a connection is established and maintained until such time as the message or messages to be exchanged by the application programs at each end have been exchanged. TCP is responsible for ensuring that a message is divided into the packets that IP manages and for reassembling the packets back into the complete message at the other end. In the OSI communication model, TCP is in layer 4, the Transport Layer.

• UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the IP. UDP is an alternative to the TCP and, together with the IP, is sometimes referred to as UDP/IP. Like the TCP, the UDP uses the IP to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. This means that the application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order. To save processing time, network applications that have very small data units to exchange (and therefore very little message reassembling to do) may choose UDP instead of TCP. The Trivial File Transfer Protocol (TFTP) uses UDP instead of TCP.


UDP provides two services not provided by the IP layer. It provides port numbers to help distinguish different user requests and, optionally, a checksum capability to verify that the data arrived intact. In the Open Systems Interconnection (OSI) communication model, UDP, like TCP, is in layer 4, the Transport Layer.
