Upload
buimien
View
239
Download
4
Embed Size (px)
Citation preview
ForceWare Networking and Firewall Administrator’s Guide
Software Version 2.09th EditionNVIDIA CorporationSeptember 2005
nViewGuide.book Page 1 Monday, September 19, 2005 6:01 PM
N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
Copyright© 2005 by NVIDIA Corporation. All rights reserved.
Published byNVIDIA Corporation 2701 San Tomas ExpresswaySanta Clara, CA 95050
NoticeALL NVIDIA DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE.
Information furnished is believed to be accurate and reliable. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.
TrademarksNVIDIA, the NVIDIA logo, and ActiveArmor are registered trademarks or trademarks of NVIDIA Corporation in the United States and/or other countries. Other company and product names may be trademarks or registered trademarks of the respective owners with which they are associated.
_____________________________________________________________________________________________
Copyright© 1982, 1986, 1988, 1990, 1993, 1995 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes software developed by the University of California, Berkeley and its contributors.”
• Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software * without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
nViewGuide.book Page 2 Monday, September 19, 2005 6:01 PM
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
Table of Contents
nViewGuide.book Page iii Monday, September 19, 2005 6:01 PM
1. IntroductionAudience . . . . . . . . . . . . . . . . . . . . . . . 10About NVIDIA ForceWare Network Access
Manager . . . . . . . . . . . . . . . . . . . . . . . 10NVIDIA Command Line Interface (nCLI). . . . 10Web-Based Interface. . . . . . . . . . . . . . . 11
Sample Web Pages. . . . . . . . . . . . . . 12Specifying Another Language for Web Page Content. . . . . . . . . . . . . . . . . . . . . 13
WMI Script. . . . . . . . . . . . . . . . . . . . . 14About Security . . . . . . . . . . . . . . . . . . . . 14ActiveArmor Firewall . . . . . . . . . . . . . . . . . 15
Key Features—ActiveArmor Firewall. . . . . . 15System Requirements . . . . . . . . . . . . . . . . 17
General Requirements . . . . . . . . . . . . . . 17Notes and Tips . . . . . . . . . . . . . . . . . . 17 Hardware Requirements . . . . . . . . . . . . 17 Operating Systems . . . . . . . . . . . . . . . 18Software, Memory, and Disk Space
Requirements . . . . . . . . . . . . . . . . . . 19ActiveArmor Firewall, ActiveArmor SNE, and
Ethernet Parameters Reference . . . . . . . . . 19ActiveArmor Firewall and Windows XP Service
Pack 2 . . . . . . . . . . . . . . . . . . . . . . . . 20Windows Security Center . . . . . . . . . . . . 20
2. Installation GuidelinesBefore Using the ForceWare Network Access
Manager Installer . . . . . . . . . . . . . . . . . . 21Installing ForceWare Network Access Manager . 21Installing Network Access Manager in Silent
Mode—Optional . . . . . . . . . . . . . . . . . . 23Creating the Response File . . . . . . . . . . . 23Running Installation in Silent Mode. . . . . . . 23
Launching the ForceWare Network Access Manager Web Interface . . . . . . . . . . . . . . 24
Trusting the Security Certificate—For Remote Users Only. . . . . . . . . . . . . . . . . . . . 25
Importing the Certificate—First Method . . 25Importing the Certificate—Second Method 28
Localizing the Web Interface . . . . . . . . . . 29Configuration Deployment . . . . . . . . . . . . . 30
Before You Begin . . . . . . . . . . . . . . . . . 30
3. ActiveArmor Firewall: Basic Concepts
Types of Firewalls . . . . . . . . . . . . . . . . . . 31Stateful vs. Stateless . . . . . . . . . . . . . . . . 32Inbound vs. Outbound Packets . . . . . . . . . . 32
About the TCP Protocol. . . . . . . . . . . . . 33About the UDP and ICMP Protocols . . . . . 33
UDP . . . . . . . . . . . . . . . . . . . . . . 33ICMP . . . . . . . . . . . . . . . . . . . . . 34
Stateful Filtering . . . . . . . . . . . . . . . . . . . 34Stateless Filtering . . . . . . . . . . . . . . . . . . 36
4. Configuring the ActiveArmor Firewall
ActiveArmor Firewall Parameters Reference . . 38Using the Basic Configuration Page . . . . . . . 38
Security Profile Settings . . . . . . . . . . . . 40Using the Intelligent Application Manager (IAM) 41
IAM Popup Dialog Boxes . . . . . . . . . . . . 42Information Dialog Box . . . . . . . . . . . 43Risk-Level Warnings . . . . . . . . . . . . . 43Basic Risk-Level Dialog Box . . . . . . . . 45Advanced Risk-Level Dialog Box . . . . . 46
Configuring the IAM . . . . . . . . . . . . . . . 47Advanced Configuration . . . . . . . . . . . . . . 48
Configuring Antihacking Features . . . . . . . 50About Working With Tables . . . . . . . . . . . . 51
Specifying Actions . . . . . . . . . . . . . . . . 51About Table Sorting . . . . . . . . . . . . . . . 51Reordering ActiveArmor Firewall Rules . . . . 52Table Default Action Settings. . . . . . . . . . 54
Using the ActiveArmor Firewall Wizards Page . 55DHCP Server/Client configuration . . . . . . . 56
DHCP Server . . . . . . . . . . . . . . . . . 56DHCP Client . . . . . . . . . . . . . . . . . 57
Configuration Dependencies. . . . . . . . . . . . 57Recommendations . . . . . . . . . . . . . . . 58
ActiveArmor Firewall Statistics . . . . . . . . . . 59ActiveArmor Firewall Logging . . . . . . . . . . . 63
5. Configuring NVIDIA ActiveArmorNVIDIA ActiveArmor Parameters Reference . . 66Understanding NVIDIA ActiveArmor . . . . . . . 66NVIDIA ActiveArmor and the ActiveArmor Firewall .
67
N V I D I A C o r p o r a t i o n iii
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page iv Monday, September 19, 2005 6:01 PM
Configuring ActiveArmor to Offload All Connections69
Tracking ActiveArmor Connections. . . . . . . 70Tracking ActiveArmor Statistics . . . . . . . . . 71
Using ActiveArmor as a TCP/IP Accelerator . . . 72Configuring ActiveArmor to Offload One
Application . . . . . . . . . . . . . . . . . . . . 73Configuring ActiveArmor to Offload One TCP
Port . . . . . . . . . . . . . . . . . . . . . . . . 74
6. Administrative TasksAccessing the Administration Menu . . . . . . . . 76Application Access Control Page . . . . . . . . . 76
Default Administrative Access Control Settings 77
Command Line Access . . . . . . . . . . . . . 78WMI Script. . . . . . . . . . . . . . . . . . . . . 79Local Web Access . . . . . . . . . . . . . . . . 79Remote Web Access . . . . . . . . . . . . . . . 79
Additional Notes. . . . . . . . . . . . . . . . 80Password . . . . . . . . . . . . . . . . . . . . . 80IP Address and IP Address Mask — optional . 80
Restore Factory Defaults . . . . . . . . . . . . . . 81Display Settings . . . . . . . . . . . . . . . . . . . 81Backup/Restore . . . . . . . . . . . . . . . . . . . 82
Backup Configuration . . . . . . . . . . . . . . 82Restore User Configuration . . . . . . . . . . . 82
ForceWare Network Access Manager Software Version . . . . . . . . . . . . . . . . . . . . . . . 83
7. Using WMI ScriptBefore You Begin . . . . . . . . . . . . . . . . . . 84Benefits of Using WMI Script . . . . . . . . . . . . 84Overview . . . . . . . . . . . . . . . . . . . . . . . 85Advanced Topics . . . . . . . . . . . . . . . . . . . 85
NVIDIA Namespace . . . . . . . . . . . . . . . 85
8. Using The NVIDIA Command Line Interface (nCLI)
Conventions Used . . . . . . . . . . . . . . . . . . 86About Examples Used . . . . . . . . . . . . . . . . 86Parameters . . . . . . . . . . . . . . . . . . . . . . 86Modes of Operation . . . . . . . . . . . . . . . . . 87
Expert Mode . . . . . . . . . . . . . . . . . . . 87Interactive Mode . . . . . . . . . . . . . . . . . 87
First Method . . . . . . . . . . . . . . . . . . 87Second Method . . . . . . . . . . . . . . . . 87
Using Single Parameters . . . . . . . . . . . . . . 88Set . . . . . . . . . . . . . . . . . . . . . . . . . 88
Example — (Expert Mode) . . . . . . . . . 88Set. . . . . . . . . . . . . . . . . . . . . . . . . 88
Example — (Interactive Mode) . . . . . . . 88Get . . . . . . . . . . . . . . . . . . . . . . . . 89
Example — (Expert Mode) . . . . . . . . . 89Example — (Interactive Mode) . . . . . . . 89
Help . . . . . . . . . . . . . . . . . . . . . . . . 90Example — (Expert Mode) . . . . . . . . . 90
Using Table Parameters . . . . . . . . . . . . . . 90Interactive and Expert Commands . . . . . . 90
Expert Commands . . . . . . . . . . . . . . 91Add Row . . . . . . . . . . . . . . . . . . . . . 91
Example — (Expert Mode) . . . . . . . . . 91Get Row . . . . . . . . . . . . . . . . . . . . . 92
Example — (Expert Mode) . . . . . . . . . 92Example — (Interactive Mode) . . . . . . . 93
Edit Row . . . . . . . . . . . . . . . . . . . . . 94Example — (Expert Mode) . . . . . . . . . 94
Delete Row . . . . . . . . . . . . . . . . . . . . 94Example — (Expert Mode) . . . . . . . . . 94
Help . . . . . . . . . . . . . . . . . . . . . . . . 94Example — (Expert Mode) . . . . . . . . . 94
Set Table . . . . . . . . . . . . . . . . . . . . . 95Examples — (Expert Mode) . . . . . . . . 95
Get Table . . . . . . . . . . . . . . . . . . . . . 96Example — (Expert Mode) . . . . . . . . . 96
About Other Table Commands . . . . . . . . . 96Syntax . . . . . . . . . . . . . . . . . . . . . 96
Browsing the Parameter Structure . . . . . . . . 96List . . . . . . . . . . . . . . . . . . . . . . . . 97
Example — (Interactive Mode) . . . . . . . 97Changing Directory . . . . . . . . . . . . . . . 97
Example 1 — (Interactive Mode) . . . . . . 97Example 2 — (Interactive Mode) . . . . . . 98
Current Working Directory . . . . . . . . . . . 99Example — (Interactive Mode) . . . . . . . 99
Context-Sensitive Operations . . . . . . . . . 99Example — (Interactive Mode) . . . . . . . 99
Text File Processing . . . . . . . . . . . . . . . .100Export . . . . . . . . . . . . . . . . . . . . . . .100
Syntax . . . . . . . . . . . . . . . . . . . . .100Example 1 — (Interactive Mode) . . . . . .101Example 2 — (Interactive Mode) . . . . . .101Example 3 — (Interactive Mode) . . . . . .101
Import . . . . . . . . . . . . . . . . . . . . . . .101Syntax . . . . . . . . . . . . . . . . . . . . .102
Support for Multiple Ethernet Interfaces . . . . .102Example 1 . . . . . . . . . . . . . . . . . .102Example 2 . . . . . . . . . . . . . . . . . .102
iv N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page v Monday, September 19, 2005 6:01 PM
Glossary. . . . . . . . . . . . . . . . . . . . . . . 103
A. Ethernet Parameters ReferenceGroup: Remote Wakeup . . . . . . . . . . . . . 104
Remote Wakeup . . . . . . . . . . . . . . . . 104Remote Wakeup by Magic Packet . . . . . . 105Remote Wakeup (Pattern Match) . . . . . . . 105Remote Wakeup (Link State Change) . . . . 106Remote Wake Up from Hibernate or Shutdown
106Group: Protocol Offload . . . . . . . . . . . . . . 107
Checksum Offload . . . . . . . . . . . . . . . 107IPv4 Transmit Checksum Offload . . . . . . 107IPv4 Receive Checksum Offload . . . . . . . 108UDP Transmit Checksum Offload . . . . . . 108UDP Receive Checksum Offload . . . . . . . 109TCP Transmit Checksum Offload . . . . . . 109TCP Receive Checksum Offload . . . . . . . 110TCP Large Send Offlload . . . . . . . . . . . 110
Group: Microsoft Operating System VLAN (Virtual LAN) . . . . . . . . . . . . . . . . . . . . . . . . 111
Microsoft Operating System VLAN . . . . . 111Group: VLAN (Virtual LAN) . . . . . . . . . . . . 112
VLAN Support. . . . . . . . . . . . . . . . . . 112VLAN ID . . . . . . . . . . . . . . . . . . . . 112
Group: Jumbo Frame . . . . . . . . . . . . . . . 113Jumbo Frame Payload Size . . . . . . . . . 113
Group: Driver Optimization . . . . . . . . . . . . 114Ethernet Driver Optimization . . . . . . . . . 114
Group: Ethernet Performance . . . . . . . . . . 115Number of Receive Buffers . . . . . . . . . . 115Number of Receive Buffer Descriptors . . . . 115Number of Transmit Buffer Descriptors . . . 116Maximum Transmit Frames Queued . . . . . 116Number of Receive Packets to Process per
Interrupt . . . . . . . . . . . . . . . . . . . . 117Number of Transmit Packet to Process per
Interrupt . . . . . . . . . . . . . . . . . . . . 117Interrupt Interval . . . . . . . . . . . . . . . . 118
Group: Traffic Prioritization . . . . . . . . . . . . 118 IEEE 802.1p Support . . . . . . . . . . . . . 118
Group: Ethernet Speed/Duplex. . . . . . . . . . 119Configurable Ethernet Speed/Duplex Settings
119Link Speed . . . . . . . . . . . . . . . . . . . 120Maximum Link Speed . . . . . . . . . . . . . 121Duplex Setting . . . . . . . . . . . . . . . . . 121Link Status. . . . . . . . . . . . . . . . . . . . 122Promiscuous Mode . . . . . . . . . . . . . . . 122
Permanent Ethernet Address . . . . . . . . .123Group: Ethernet Address. . . . . . . . . . . . . .123
Current Ethernet Address . . . . . . . . . . .123Group: Network Interface information . . . . . .124
Computer (Machine) Name . . . . . . . . . .124IP Address . . . . . . . . . . . . . . . . . . . .124IP Address Mask . . . . . . . . . . . . . . . .125
Group: Factory Default . . . . . . . . . . . . . . .126Factory Default. . . . . . . . . . . . . . . . . .126
Table: Multicast Address List . . . . . . . . . . .126Multicast Address List. . . . . . . . . . . . . .126Multicast Addresses (Single Parameter) . . .127
Group: Ethernet Statistics . . . . . . . . . . . . .127Frames Received with Alignment Error . . . .127Frames Transmitted After One Collision . . .128Frames Transmitted After Two or More
Collisions . . . . . . . . . . . . . . . . . . . .128Frames Transmitted After Deferral . . . . . .129Display Name Frames Exceed Maximum
Collision . . . . . . . . . . . . . . . . . . . . .129Frames with Overrun Errors . . . . . . . . . .130Frames with Underrun Errors . . . . . . . . .130Frames with Heartbeat Failure . . . . . . . . .131Carrier Sense (CRS) Signal Lost . . . . . . .131Late Collisions . . . . . . . . . . . . . . . . . .132
Group: General Networking Statistics . . . . . .132Successfully Transmitted Frames . . . . . . .132Successfully Received Frames . . . . . . . .133Transmit Failures . . . . . . . . . . . . . . . .133Receive Failures . . . . . . . . . . . . . . . . .133No Receive Buffers . . . . . . . . . . . . . . .134Direct Frames Received . . . . . . . . . . . .134Multicast Frames Received . . . . . . . . . .134Broadcast Frames Received . . . . . . . . . .135
Group: Alert Standard Format . . . . . . . . . . .135ASF Support . . . . . . . . . . . . . . . . . . .135ASF Destination IP Address . . . . . . . . . .136ASF Send Count. . . . . . . . . . . . . . . . .136
Group: ASF Information . . . . . . . . . . . . . .137ASF Destination MAC Address . . . . . . . .137
Group: System Fails to Boot Alert . . . . . . . .137System Fails to Boot Alert . . . . . . . . . . .137
Group: Fan Problem Alert . . . . . . . . . . . . .138Fan Problem Alert . . . . . . . . . . . . . . .138
Group: ASF SMBus Error . . . . . . . . . . . . .138ASF SMBus Error . . . . . . . . . . . . . . . .138
Group: ASF WOL Alert . . . . . . . . . . . . . . .139ASF Wake On Lan (WOL) Alert . . . . . . . .139
Group: ASF Heartbeat Alert . . . . . . . . . . . .139
N V I D I A C o r p o r a t i o n v
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page vi Monday, September 19, 2005 6:01 PM
ASF Heartbeat Alert Interval . . . . . . . . . 139Group: ASF Operating System Hung Alert . . . 140
ASF Operating System Hung Alert . . . . . . 140Group: ASF Power Button Alert . . . . . . . . . 140
ASF Power Button Alert . . . . . . . . . . . . 140Group: ASF System Hot Alert . . . . . . . . . . 141
ASF System Hot Alert . . . . . . . . . . . . . 141Group: ASF CPU Overheated Alert . . . . . . . 141
ASF CPU Overheat Alert . . . . . . . . . . . 141Group: ASF CPU Overheated Alert . . . . . . . 142
ASF CPU Hot Alert . . . . . . . . . . . . . . . 142Group: ASF Case Intrusion Alert . . . . . . . . . 142
ASF Case Intrusion Alert . . . . . . . . . . . 142
B. ActiveArmor Firewall Parameters Reference
Group: Configure Firewall Security Level . . . . 143Configure Firewall Security Level. . . . . . . 143
About the FwlProfiles Settings . . . . . . 144Group: Configure Firewall Options . . . . . . . . 146
Disallow Promiscuous Mode . . . . . . . . . 146Disallow DHCP Server . . . . . . . . . . . . . 147Block Outbound Spoofed IP Packets. . . . . 147Block Spoofed ARP Packets . . . . . . . . . 148 Block UDPv4 with No UDP Checksum . . . 148
Group: EtherType Default Rule . . . . . . . . . . 149EtherType Default Rule . . . . . . . . . . . . 149
Group: IP Address/Mask Default Rule . . . . . . 149IP Address/Mask Default Action . . . . . . . 149
Group: Domain Name Default Rule . . . . . . . 150Domain Name Default Rule . . . . . . . . . . 150
Group: IP Option Default Rule . . . . . . . . . . 150Inbound IP Option Default Rule. . . . . . . . 150Outbound IP Option Default Rule. . . . . . . 151
Group: IP Protocol Default Rule . . . . . . . . . 151IP Protocol Default Rule . . . . . . . . . . . . 151
Group: Port Number Default Rule . . . . . . . . 152Inbound Port Number Default Rule . . . . . . 152Outbound Port Number Default Rule. . . . . 152
Group: TCP Options Default Rule . . . . . . . . 153TCP Options Default Rule . . . . . . . . . . . 153
Group: ICMP Messages Default Rule . . . . . . 153Inbound ICMP Default Rule . . . . . . . . . . 153Outbound ICMP Default Rule . . . . . . . . . 154
Group: Clear Firewall Statistics . . . . . . . . . . 154Clear Firewall Statistics . . . . . . . . . . . . 154
Group: Firewall Statistics . . . . . . . . . . . . . 155Allowed Inbound UDP Datagrams . . . . . . 155Denied Inbound UDP Datagrams I . . . . . . 155
Allowed Outbound UDP Datagrams . . . . . .155Denied Outbound UDP Datagrams . . . . . .156Denied Inbound UDP Connections . . . . . .156Allowed Outbound UDP Connections . . . . .156Denied Outbound UDP Connections . . . . .157Allowed Inbound TCP Segments . . . . . . .157Denied Inbound TCP Segments . . . . . . . .157Allowed Outbound TCP Segments . . . . . .158Denied Outbound TCP Segments . . . . . . .158Allowed Inbound TCP Connections . . . . . .158Denied Inbound TCP Connections . . . . . .159Allowed Outbound TCP Connections . . . . .159 Denied Outbound TCP Connections . . . . .159Allowed Inbound ICMP Packets . . . . . . . .160Denied Inbound ICMP Packets . . . . . . . .160Allowed Outbound ICMP Packets . . . . . . .160Denied Outbound ICMP Packets . . . . . . .161Other Allowed Inbound Packets . . . . . . . .161Other Denied Inbound Packets . . . . . . . .161Other Allowed Outbound Packets . . . . . . .162Other Denied Outbound Packets . . . . . . .162
Group: Factory Default . . . . . . . . . . . . . . .163Factory Default. . . . . . . . . . . . . . . . . .163
Group: Flush DNS Cache . . . . . . . . . . . . .163Flush DNS Cache . . . . . . . . . . . . . . . .163
Table: EtherType Rules. . . . . . . . . . . . . . .164Ether Type . . . . . . . . . . . . . . . . . . . .164EtherType Name. . . . . . . . . . . . . . . . .165EtherType Action . . . . . . . . . . . . . . . .165
Table: IP Address/Mask Rule . . . . . . . . . . .166Remote IP Address . . . . . . . . . . . . . . .166Remote IP Address Mask . . . . . . . . . . .167IP Action . . . . . . . . . . . . . . . . . . . . .167
Table: Domain Names Rule . . . . . . . . . . . .168Domain Name . . . . . . . . . . . . . . . . . .168Domain Action . . . . . . . . . . . . . . . . . .169
Table: IP Option Rules . . . . . . . . . . . . . . .169IP Option Number . . . . . . . . . . . . . . . .170IP Option Name . . . . . . . . . . . . . . . . .170 IP Version . . . . . . . . . . . . . . . . . . . .171IP Inbound Action . . . . . . . . . . . . . . . .171IP Outbound Action . . . . . . . . . . . . . . .171
Table: IP Protocol Rule . . . . . . . . . . . . . . .172IP Protocol . . . . . . . . . . . . . . . . . . . .172IP Protocol Name . . . . . . . . . . . . . . . .173IP Protocol Action . . . . . . . . . . . . . . . .173
Table: TCP/UDP Port Rule . . . . . . . . . . . .174TCP/UDP Port Outbound Action . . . . . . .175Remote IP Address . . . . . . . . . . . . . . .175
vi N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page vii Monday, September 19, 2005 6:01 PM
Remote IP Subnet Mask . . . . . . . . . . . 175Port Name . . . . . . . . . . . . . . . . . . . 176Beginning Port Number . . . . . . . . . . . . 176Ending Port Number . . . . . . . . . . . . . . 176Port Protocol . . . . . . . . . . . . . . . . . . 177
Table: TCP Options Rule . . . . . . . . . . . . . 177TCP Option Number . . . . . . . . . . . . . . 178TCP Option Name I . . . . . . . . . . . . . . 178TCP Option Action . . . . . . . . . . . . . . . 178
Table: ICMP Rules . . . . . . . . . . . . . . . . . 179Remote IP Address . . . . . . . . . . . . . . 179Remote IP Subnet Mask . . . . . . . . . . . 180ICMP Type . . . . . . . . . . . . . . . . . . . 180ICMP Code . . . . . . . . . . . . . . . . . . . 180ICMP Name . . . . . . . . . . . . . . . . . . 181ICMP Version . . . . . . . . . . . . . . . . . . 181ICMP Inbound Action . . . . . . . . . . . . . 181ICMP Outbound Action . . . . . . . . . . . . 182
C. ActiveArmor Secure Network Engine (SNE) Parameters Reference
Group: Feature Controls . . . . . . . . . . . . . 183ActiveArmor SNE . . . . . . . . . . . . . . . . 183
Group: Offload Default. . . . . . . . . . . . . . . 184Offload Default . . . . . . . . . . . . . . . . . 184
Group: ActiveArmor Factory Default . . . . . . . 184Factory Default . . . . . . . . . . . . . . . . . 184
Table: Offloadable IP Address and Port Ranges 185Offloadable IP Address and Port Ranges . . 185Local IP Address . . . . . . . . . . . . . . . . 186Local IP Subnet Mask . . . . . . . . . . . . . 186Remote IP Address . . . . . . . . . . . . . . 186Remote IP Subnet Mask. . . . . . . . . . . . 187Beginning Port Number . . . . . . . . . . . . 187Ending Port Number . . . . . . . . . . . . . . 188Offload Setting for Inbound Connection . . . 188Offload Setting for Outbound Connection . . 189
Table: Application Offload Control . . . . . . . . 189Application Offload Control Table . . . . . . . 189IP Address. . . . . . . . . . . . . . . . . . . . 190IP Subnet Mask . . . . . . . . . . . . . . . . . 190Application Filename . . . . . . . . . . . . . . 191Application Path . . . . . . . . . . . . . . . . 191Offload Enable/Disable for Inbound Connection
192Offload Enable/Disable for Outbound
Connection . . . . . . . . . . . . . . . . . . 192Group: ActiveArmor Statistics . . . . . . . . . . 192
Received TCP Payload Bytes . . . . . . . . .193Transmitted TCP Payload Bytes . . . . . . . .193Received TCP Segments. . . . . . . . . . . .193Transmitted TCP Segments . . . . . . . . . .194Retransmitted TCP Segments . . . . . . . . .194Total ICMP “Destination Unreachable” Packets
Received . . . . . . . . . . . . . . . . . . . .194IP Fragments Received . . . . . . . . . . . . .195IP Packets Received with Options. . . . . . .195TCP Segments Received with Valid Reset Flag
Set . . . . . . . . . . . . . . . . . . . . . . . .195TCP Segments Transmitted with the Reset Flag
Set . . . . . . . . . . . . . . . . . . . . . . . .196Auto-ACKs Transmitted . . . . . . . . . . . . .196
Table: Connection Table Information . . . . . . .196Connection Table Information . . . . . . . . .196Connection Lifetime . . . . . . . . . . . . . . .197TCP State . . . . . . . . . . . . . . . . . . . .197Hardware Offload . . . . . . . . . . . . . . . .198Local IP Address . . . . . . . . . . . . . . . .198Local TCP Port. . . . . . . . . . . . . . . . . .199Remote IP Address . . . . . . . . . . . . . . .199Remote TCP Port . . . . . . . . . . . . . . . .199
D. Glossary
N V I D I A C o r p o r a t i o n vii
N V I D I A C o r p o r a t i o n viii
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
Table 1.1 Hardware and Software Features Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Table 1.2 Software, Memory, and Disk Space Requirements. . . . . . . . . . . . . . . . . . . . . . . . . 19Table 6.1 ActiveArmor Firewall Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
List of Tables
nViewGuide.book Page viii Monday, September 19, 2005 6:01 PM
N V I D I A C o r p o r a t i o n ix
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
Figure 1.1 ForceWare Network Access Manager—Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . 12Figure 1.2 Ethernet Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Figure 1.3 Firewall Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Figure 1.4 ActiveArmor Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Figure 2.1 Security Alert—For Remote Users Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Figure 2.2 Certification Page—For Remote Users Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Figure 2.3 Certification Page—For Remote Users Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Figure 2.4 Certification Import Wizard—For Remote Users Only . . . . . . . . . . . . . . . . . . . . . . . . . 27Figure 2.5 Certificate Import Wizard Completion Page—For Remote Users Only . . . . . . . . . . . . . . . . 27Figure 2.6 Root Certificate Store—For Remote Users Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Figure 4.1 ActiveArmor Firewall—Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Figure 4.2 Information Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Figure 4.3 Low Risk Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Figure 4.4 Medium Risk Warning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Figure 4.5 High Risk Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Figure 4.6 Basic Risk-Level Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Figure 4.7 Advanced Risk-Level Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Figure 4.8 ActiveArmor Firewall Application Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Figure 4.9 ActiveArmor Firewall Options—Configuring Antihacking Features . . . . . . . . . . . . . . . . . . 50Figure 4.10 Reordering ActiveArmor Firewall Rules — Cutting a Row . . . . . . . . . . . . . . . . . . . . . . 53Figure 4.11 Reordering ActiveArmor Firewall Rules — Pasting a Row . . . . . . . . . . . . . . . . . . . . . . 54Figure 4.12 Firewall Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Figure 4.13 Graphical Information for Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Figure 4.14 Bar Graph of Packet Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Figure 4.15 Table (Statistics) of Packet Activity—First Section . . . . . . . . . . . . . . . . . . . . . . . . . . 62Figure 4.16 Table (Statistics) of Packet Activity—Second Section . . . . . . . . . . . . . . . . . . . . . . . . 62Figure 4.17 Firewall Logging Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Figure 4.18 User Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Figure 5.1 Four Software Layering Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Figure 5.2 ActiveArmor Configuration and Application Table . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Figure 5.3 ActiveArmor Configuration and Port Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Figure 5.4 ActiveArmor Connections Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Figure 5.5 ActiveArmor Connection Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Figure 5.6 ActiveArmor Application – add rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Figure 5.7 ActiveArmor Port – add rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Figure 6.1 Application Access Control Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
List of Figures
nViewGuide.book Page ix Monday, September 19, 2005 6:01 PM
C h a p t e r 1 I n t r o d u c t i o n
nViewGuide.book Page 10 Monday, September 19, 2005 6:01 PM
C H A P T E R
INTRODUCTION
AudienceThis guide is intended for the system or network Administrator of an organization as a guide to install and use the NVIDIA® ForceWare™ Network Access Manager application.Note: This guide assumes the reader has Administrator access privileges.
Exceptions are noted, where applicable.
About NVIDIA ForceWare Network Access ManagerUsing the ForceWare Network Access Manager application, you can easily configure and control NVIDIA networking hardware and software, gather statistics, and monitor logs. ForceWare Network Access Manager gives you several choices in managing your networking hardware and software:• “NVIDIA Command Line Interface (nCLI)” on page 10• “Web-Based Interface” on page 11• “WMI Script” on page 14
NVIDIA Command Line Interface (nCLI) The ForceWare Network Access Manager provides command line access through the nCLI program. The nCLI command can be run in either expert or interactive mode to configure and monitor NVIDIA networking components.
10 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 11 Monday, September 19, 2005 6:01 PM
• Expert mode is suitable for deployment in an organization by running nCLI from a login script. To use nCLI in expert mode, you need to be familiar with the syntax and characteristics of configuration parameters. For details and examples of using the nCLI command with various Ethernet and ActiveArmor Firewall parameters, see “Ethernet Parameters Reference” on page 104 and “ActiveArmor Firewall Parameters Reference” on page 143.
• Interactive mode runs in a shell environment and is suitable for Administrators who do not have access to the syntax and characteristics of the nCLI configuration parameters. nCLI provides navigation feature to assist these users.
Note: Extensive nCLI usage samples in batch file format are provided in the following subdirectories under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or a path you specify: samples\Eth (for Ethernet) samples\Firewall (for Firewall) samples\ActiveArmor (for ActiveArmor) You can cut and paste the appropriate command and use them in batch files or in command lines. Also see “Using The NVIDIA Command Line Interface (nCLI)” on page 86.
Web-Based Interface The ForceWare Network Access Manager Web-based interface (see “Sample Web Pages” on page 12) offers convenient access through several features:• Wizards—see “Using the ActiveArmor Firewall Wizards Page” on page 55.• Profiles • Status summaries• Help. Context-sensitive online Help is available on a wide range of features.
From any ForceWare Network Access Manager Web page, click the Help tab, seen in Figure 1.1, to access detailed Help on the parameters you are configuring.
• Log. The ActiveArmor Firewall generates log entries that provide a historical view of ActiveArmor Firewall activities
• Tool tips. When your cursor rests on the name of a parameter, its description is displayed in a popup text window, called a tool tip.
N V I D I A C o r p o r a t i o n 11
C h a p t e r 1 I n t r o d u c t i o n
nViewGuide.book Page 12 Monday, September 19, 2005 6:01 PM
Sample Web PagesFigure 1.1 ForceWare Network Access Manager—Home Page
Figure 1.2 Ethernet Basic Configuration
12 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 13 Monday, September 19, 2005 6:01 PM
Figure 1.3 Firewall Wizards
Specifying Another Language for Web Page ContentForceWare Network Access Manager supports viewing of the Web-based interface in the following languages:• Brazilian Portuguese• French• German• Italian• Spanish• Japanese• Korean• Simplified Chinese• Traditional ChineseFor complete details, see “Installing ForceWare Network Access Manager” on page 21 and “Localizing the Web Interface” on page 29.
N V I D I A C o r p o r a t i o n 13
C h a p t e r 1 I n t r o d u c t i o n
nViewGuide.book Page 14 Monday, September 19, 2005 6:01 PM
WMI Script You can use the Microsoft® Windows Management Instrumentation (WMI) script language to manage NVIDIA networking hardware and software. Using WMI script language is recommended only for Administrators who are already familiar with programming in WMI script and who have become familiar with the syntax and characteristics of configuration parameters. WMI script programming is being used by the IT staff of larger corporations to carry out day to day maintenance work. Overall benefits of using WMI scripts include:• Industry standard—WMI can be implemented using languages such as
VBScript and JScript.• Ease of use• Common scripts—allow access to ForceWare Network Access Manager
data.• Flexibility—If you are a WMI script user, you can utilize the power of the
script languages to meet almost any requirements. For example, as an Administrator, you can write a WMI script to scan for Yahoo Messenger on a computer and open the appropriate port if the computer user has sufficient rights.
• Remote use—means you can run the WMI script language remotely and use it as a deployment tool in an organization. See “Configuration Deployment” on page 30.
For further informations, see “Using WMI Script” on page 84.
About SecurityAccess control is based on the kind of application being run, whether you are an Administrator or non-Administrator user, and the kind of access needed—that is, local or remote. The ForceWare Network Access Manager Web-based Application Access Control page (“Application Access Control Page” on page 76) enables you to configure non-Administrator access to applications, including:• nCLI (NVIDIA command line interface)• WMI scripting interface • Local and remote Web access
14 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 15 Monday, September 19, 2005 6:01 PM
Note: For applications that are accessed from the local computer, the application access rights depend on the current access rights for the Windows login session.
Note: A non-Administrator user on a computer cannot access the ActiveArmor Firewall parameters and modify the access control parameters.
For further details on security and access control, see “Application Access Control Page” on page 76.
ActiveArmor FirewallNote: ActiveArmor Firewall only operates on an NVIDIA Ethernet interface.
ActiveArmor Firewall will not protect network traffic/application on a system that uses a third-party Ethernet interface (for example 3Com, Intel, Broadcom, DLink, etc.) on an NVIDIA nForce motherboard.
ActiveArmor Firewall—the only “native” firewall in the market—is optimized and integrated into the NVIDIA nForce systems that support ForceWare Network Access Manager. (See Table 1.1 for supported NVIDIA hardware and features.)The ActiveArmor Firewall is a high performance, “hardware-optimized” firewall offering enhanced reliability and protection at the end-point—i.e., the desktop. It incorporates firewall and antihacking technologies such as antispoofing, antisniffing, anti-ARP cache poisoning, and anti-DHCP server, which are important security controls for corporate network environments.For an explanation of firewall concepts and the ActiveArmor Firewall, see Chapter 3—“ActiveArmor Firewall: Basic Concepts” on page 31.
Key Features—ActiveArmor Firewall • Intelligent Application Manager (IAM)
IAM enables you to create firewall rules based on the application name. Whenever an application attempts to open a new network connection (either as a client or as a server), you are prompted to Allow or Deny the application's access to the network. An application-based firewall rule is then automatically created or modified.
• System tray application The system tray application provides a convenient way for you to view and change the settings of Firewall profiles.
• User-friendly Web-based interface includes Wizards, charts, tables, and logging statistics. See “Configuring the ActiveArmor Firewall” on page 38.
N V I D I A C o r p o r a t i o n 15
C h a p t e r 1 I n t r o d u c t i o n
nViewGuide.book Page 16 Monday, September 19, 2005 6:01 PM
• ICSA certifiedSee the following Web site for details: www.icsalabs.com.
• Antihacking features listed below provide important security controls for corporate network environments.• Antispoofing• Antisniffing• Anti-ARP cache poisoning• Anti-DHCP (Dynamic Host Configuration Protocol) server process Also see Table 1.1, “Hardware and Software Features Support” on page 18 and “Configuring Antihacking Features” on page 50.
• Comprehensive “packet filtering”—see “ActiveArmor Firewall: Basic Concepts” on page 31.
• “Stateful” and “stateless” packet inspections—see “ActiveArmor Firewall: Basic Concepts” on page 31.
• Predefined security profiles—see “Configuring the ActiveArmor Firewall” on page 38—include these key features:• User-customizable profiles• Internet Protocol version 6 (IPv6) support• Settings—Lockdown, High, Medium, Low, Off
• Advanced management features—see “Configuring the ActiveArmor Firewall” on page 38.• Remote administration • Monitoring • Configuration
• NVIDIA command line interface (nCLI) support — not available on all systems. For details, refer to Table 1.1, “Hardware and Software Features Support” on page 18.
• ActiveArmor Secure Network Engine (SNE)NVIDIA ActiveArmor controls the NVIDIA ActiveArmor SNE, which offloads CPU-intensive aspects of firewall and TCP processing.
• WMI scripting support — not available on all systems. For details, refer to Table 1.1, “Hardware and Software Features Support” on page 18.
16 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 17 Monday, September 19, 2005 6:01 PM
System Requirements
General Requirements• WMI (Windows Management Instrumentation) service
Note: WMI service is not automatically started on Windows 2000. The ForceWare Network Installer needs to change this service to run automatically on Windows startup.
• WMI MOF compiler (MOFCOMP) must be available on your computer.• NTFS file system. It is recommended that you install the ForceWare
Network Access Manager application on an NTFS file system so that sensitive information such as Firewall or access configuration data are protected from being changed by a non-Administrator user. For further information on NTFS, please refer to Windows online Help.
Notes and Tips1 You are strongly encouraged to apply the latest service packs and Security
patches from Microsoft. The ForceWare Network Access Manager is compatible with Windows XP Service Pack 2 (see “ActiveArmor Firewall and Windows XP Service Pack 2” on page 20). You can refer to Windows online Help for details on using Windows Update; or, from your Windows desktop, you can click Start > Windows Update (or Start > Programs > Windows Update).
2 In addition to keeping your operating system software up-to-date, NVIDIA strongly recommends that you purchase and use the latest anti-virus software before running ActiveArmor Firewall to ensure that your computer is not infected by any virus or spyware.
3 To ensure that your computer is fully protected from attacks and intruders, install ActiveArmor Firewall on your computer before connecting it to a network.
Hardware RequirementsSupport of ForceWare Network Access Manager features on NVIDIA nForce series personal computer systems is outlined in Table 1.1.
N V I D I A C o r p o r a t i o n 17
C h a p t e r 1 I n t r o d u c t i o n
nViewGuide.book Page 18 Monday, September 19, 2005 6:01 PM
Table 1.1 Hardware and Software Features Support
Note: Miscellaneous features that are not listed (such as checksum off-load, and segmentation off-loads) are supported by all four nForce platforms listed in Table 1.1.
Operating SystemsThe ForceWare Network Access Manager application supports the following 32-bit Microsoft operating systems:Windows XP 64
• Windows XP Professional—Service Pack 1 or later• Windows XP 64
Note: NVIDIA ForceWare Network Access Manager is a native 32-bit application that is supported under Windows XP 64.The only exception is that the Intelligent Application Manager (IAM) is unable to intercept 64-bit network applications. As a result, popup dialog boxes will not appear for 64-bit network applications such as Internet Explorer, Windows Media Player, and similar applications. However,
NVIDIA Software Supported
_________NVIDIA Hardware (Personal Computer)
nForce2 Gigabit MCPnForce3 250 GigabitnForce3 Ultra
nForce3 250 Professional
nForce4 nForce 4 UltranForce 4 SLINVIDIA nForce4 SLI for Intel
ActiveArmor Firewall Yes Yes Yes Yes
ForceWare Network Access Manager—Web-based interface
Yes Yes Yes Yes
ForceWare Network Access Manager—Command line interface (CLI) and WMI Script support
No Yes No Yes
VLAN, IEEE 802.1Q No Yes Yes Yes
Alert Standard Format (ASF)
No Yes No No
ActiveArmor No No No Yes
18 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 19 Monday, September 19, 2005 6:01 PM
the underlying rule-based firewall will continue to operate for both Windows 64-bit and 32-bit applications and IAM will continue to manage 32-bit network applications. For information about IAM, see “Using the Intelligent Application Manager (IAM)” on page 41 in Chapter 4.
• Windows 2000• Windows Server 2003• Windows Server 2000
Software, Memory, and Disk Space RequirementsNote: All figures in Table 1.2 are estimates based on default settings and a
standard operating environment
For further information on driver installation, see “Installation Guidelines” on page 21.
ActiveArmor Firewall, ActiveArmor SNE, and Ethernet Parameters Reference
Appendix A: “Ethernet Parameters Reference” on page 104, Appendix B: “ActiveArmor Firewall Parameters Reference” on page 143, and Appendix C: “ActiveArmor Secure Network Engine (SNE) Parameters Reference” on page 183 provide detailed parameters reference and usage information. You can also obtain context-sensitive Help when using parameters by clicking the Help tab from any ForceWare Network Access Manager Web-based page.
Table 1.2 Software, Memory, and Disk Space Requirements
Software Memory Disk space for English
Disk Space for Non-English Languages
nForce Ethernet driver for Windows XP/2000 and Windows XP 64Note: To run the ForceWare Network Access Manager software, nForce Ethernet must be configured as a bridge device in the BIOS, which is the factory default.
1 MB 500 KB
Approximately 2 MB per language
ActiveArmor Firewall 5 MB 200 KB
ForceWare Network Access Manager 8 MB 25 MB
N V I D I A C o r p o r a t i o n 19
C h a p t e r 1 I n t r o d u c t i o n
nViewGuide.book Page 20 Monday, September 19, 2005 6:01 PM
ActiveArmor Firewall and Windows XP Service Pack 2 Windows XP Service Pack 2 (SP2) includes a collection of security enhancements that are supported by the ActiveArmor Firewall. Service Pack 2 also makes it easier to monitor these settings with the new Windows Security Center, available through the Control Panel.
Windows Security CenterThe Windows Security Center provides a centralized view that allows you to monitor security settings that are essential for your computer’s well being (see “System Requirements” on page 17). One of the security components whose settings are monitored is the firewall. The ActiveArmor Firewall supports the Security Center by registering with it and providing up-to-date status.Figure 1.4 ActiveArmor Firewall
20 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 21 Monday, September 19, 2005 6:01 PM
C H A P T E R
INSTALLATION GUIDELINES
Before Using the ForceWare Network Access Manager Installer
Before you run the ForceWare Network Access Manager installer program, NAMSetup.exe, note the following:• The nForce Ethernet driver must already be installed and operational on
your computer.• You must have Administrator access rights to do the following:
• Run the Setup installation program.• Uninstall and/or modify the ForceWare Network Access Manager
software, as needed.• If you are using the ForceWare Network Access Manager Web-based
interface, note the following:• Microsoft Internet Explorer version 5 or later must be running on your
computer. • The ForceWare Network Access Manager Web-based interface uses the
NVIDIA registered TCP port 3476. Make sure no other network application uses port 3476.
Installing ForceWare Network Access Manager The ForceWare Network Access Manager installation program (NAMSetup.exe)and software are part of the basic nForce driver installation
N V I D I A C o r p o r a t i o n 21
C h a p t e r 2 I n s t a l l a t i o n G u i d e l i n e s
nViewGuide.book Page 22 Monday, September 19, 2005 6:01 PM
package, which you can usually obtain from the NVIDIA Web site (www.nvidia.com) or a partner OEM. 1 Download the nForce driver installation package.Note: There are two basic language editions of the nForce driver installation
package: English only and International. If your preferred language is one of the following, make sure you download the International edition
• Brazilian Portuguese• French• German• Italian• Spanish• Japanese• Korean• Simplified Chinese• Traditional Chinese
2 Open or save the package to a specified directory. The directory root is usually C:\NVIDIA\nForce....
3 If you have saved the package, manually start the setup.exe file or if you chose to “open” the nForce package in step 2., the setup.exe program automatically starts running.
4 When the prompt appears to install the Network Access Manager and Firewall, proceed as requested, unless you want to run a “silent” installation, in which case, go to “Installing Network Access Manager in Silent Mode—Optional” on page 23.
5 If you are proceeding with the auto-installation of the Network Access Manager software, simply follow the prompts to complete the installation process.The ForceWare Network Access Manager installation program (<uncompressed directory_name>\Ethernet\NAM\NAMSetup.exe) uncompresses and saves all the relevant software in a directory you specify. By default, this directory is: c:\Program Files\NVIDIA Corporation\NetworkAccessManager.
22 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 23 Monday, September 19, 2005 6:01 PM
Installing Network Access Manager in Silent Mode—Optional
The ForceWare Network Access Manager software supports the silent installation method, which means no user interaction is needed to install the software. For example, as an Administrator, you may want to create a custom “silent” installation script for end users to easily install Network Access Manager software.The silent installation process uses a response (.iss) file that contains information similar to what you would enter as responses to dialog boxes when running a normal setup.
Creating the Response File From the directory where the ForceWare Network Access Manager installation program is located (<uncompressed directory_name>\Ethernet\NAM\NAMSetup.exe), follow these steps:1 Enter the following command:
NAMSetup.exe /r /f1"c:\nvidia_net.iss"
2 Go through the installation dialog boxes as you would in a normal auto-installation—explained in the previous section. Note that in this installation process, you will select the options to be used in subsequent silent installations. All choices are recorded in the response file named nvidia_net.iss.Note: You can change the path and name of the response file by replacing
c:\nvidia_net.iss with a drive letter and file name of your choice.The ForceWare Network Access Manager installation program runs and uncompresses all the relevant software in a directory you specify. By default, this directory is: c:\Program Files\NVIDIA Corporation\NetworkAccessManager.
Running Installation in Silent ModeFrom the directory where the ForceWare Network Access Manager installation program is located (<uncompressed directory_name>\Ethernet\NAM\NAMSetup.exe), enter the following command to run the installation program in silent mode. NAMSetup.exe /s /f1"c:\nvidia_net.iss"
N V I D I A C o r p o r a t i o n 23
C h a p t e r 2 I n s t a l l a t i o n G u i d e l i n e s
nViewGuide.book Page 24 Monday, September 19, 2005 6:01 PM
Launching the ForceWare Network Access Manager Web Interface
Before you launch the ForceWare Network Access Manager Web interface, make sure you have completed running the ForceWare Network Access Manager installer program using the instructions in the previous sections of this chapter.1 To launch the ForceWare Network Access Manager Web-based interface,
from your Windows taskbar, click Start > Programs > NVIDIA Corporation > Network Access Manager > Web-based Interface.To launch just the ActiveArmor Firewall Web interface, click on the ActiveArmor Firewall desktop link or from your Windows taskbar, click Start > Programs > NVIDIA Corporation > Network Access Manager > ActiveArmor Firewall.The ActiveArmor Web interface allows you to configure the ActiveArmor Firewall, ActiveArmor Secure Network Engine (SNE), and other general administrative features.
Note: If you are using the ForceWare Network Access Manager Web-based interface locally instead of remotely, you do not need to follow the instructions about working with security certificates as explained in the steps that follow.
2 Remote Users: If you are a “remote” user of the ForceWare Network Access Manager Web-based interface, before you can enter your user name and password, a Security Alert (Figure 2.1) page appears alerting you about the managed computer’s security certificate. The security certificate is generated by the Network Access Manager to enable Secure Sockets Layer (SSL) to secure the communications channel.
24 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 25 Monday, September 19, 2005 6:01 PM
Figure 2.1 Security Alert—For Remote Users Only
Note: You have to enable your browser to trust this security certificate before you can proceed. To avoid being prompted by the Web browser about the security certificate, you can choose to import the certificate in one of two ways, as explained in “Trusting the Security Certificate—For Remote Users Only” on page 25.
Trusting the Security Certificate—For Remote Users Only
Importing the Certificate—First Method 1 When you are prompted by the Web browser about the managed computer’s
security certificate (Figure 2.1), click View Certificate to display the Certificate page (Figure 2.2).
2 On the Certificate page, click Install Certificate to launch the Certificate Import Wizard page (Figure 2.3).
3 Click Next to display the Certification Store page (Figure 2.4).4 Select Automatically select the certificate store based on the type of
certificate (Figure 2.4) and click Next.
The completion page of the Certificate Import Wizard appears (Figure 2.5).5 Click Finish. The Root Certificate Store dialog box appears (Figure 2.6).
N V I D I A C o r p o r a t i o n 25
C h a p t e r 2 I n s t a l l a t i o n G u i d e l i n e s
nViewGuide.book Page 26 Monday, September 19, 2005 6:01 PM
Figure 2.2 Certification Page—For Remote Users Only
Figure 2.3 Certification Page—For Remote Users Only
26 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 27 Monday, September 19, 2005 6:01 PM
Figure 2.4 Certification Import Wizard—For Remote Users Only
Figure 2.5 Certificate Import Wizard Completion Page—For Remote Users Only
N V I D I A C o r p o r a t i o n 27
C h a p t e r 2 I n s t a l l a t i o n G u i d e l i n e s
nViewGuide.book Page 28 Monday, September 19, 2005 6:01 PM
Figure 2.6 Root Certificate Store—For Remote Users Only
6 Click Yes to add the certificate to the Root Store.
Importing the Certificate—Second Method This method is more secure than the “Importing the Certificate—First Method” on page 25 as you are assured that the certificate comes from the managed computer.Note that on the managed computer, the certificate is stored in:
<install directory>\Apache Group\Apache2\conf\ssl\server.crt
where <install directory> is the directory where Network Access Manager is installed. The “default” installation directory is c:\Program Files\NVIDIA Corporation\NetworkAccessManager. 1 Copy the server.crt certificate to the computer that is the remote Web
browser. 2 On the remote Web browser, launch Internet Explorer.3 Go to Tools > Internet Options > Content > Certificates and click Import
to launch the Certificate Import Wizard page (Figure 2.4).4 Click Next to display the Certification Store page (Figure 2.4).5 Select Automatically select the certificate store based on the type of
certificate (Figure 2.4) and click Next.The completion page of the Certificate Import Wizard appears (Figure 2.5).
6 Click Finish to display the Root Certificate Store dialog box (Figure 2.6).7 Click Yes to add the certificate to the Root Store.
28 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 29 Monday, September 19, 2005 6:01 PM
Localizing the Web InterfaceIf you have installed the “International” edition of the ForceWare Network software as explained in “Installing ForceWare Network Access Manager” on page 21, then follow these steps available from the Internet Explorer menu to enable one of the non-English languages supported by your ForceWare Network Access Manager Web browser.Note: The Network Access Manager has components that are applications
based on Windows, such as the NVIDIA System Tray or the IAM pop-up dialog. These application are only displayed in the language used by the Windows operating system.
1 In Internet Explorer, on the Tools menu, click Internet Options. 2 On the General tab, click Languages. 3 Click Add. 4 Select the language you want to add. The following languages are supported
by your ForceWare Network Access Manager Web browser:• Brazilian Portuguese• French• German• Italian• Spanish• Japanese• Korean• Simplified Chinese• Traditional Chinese
5 Click OK. The language you added appears in the Language: list.6 If more than one language appears in the list and you want to activate the
language you just added, move it to the top of the list.7 Click OK and click OK again to exit the Internet Options dialog box.8 Press F5 to refresh your screen.
The Web interface now appears in your chosen language.
N V I D I A C o r p o r a t i o n 29
C h a p t e r 2 I n s t a l l a t i o n G u i d e l i n e s
nViewGuide.book Page 30 Monday, September 19, 2005 6:01 PM
Configuration DeploymentConfiguration deployment means configuring multiple computers to use the same configuration through an “automated” procedure. You can use any one of the following configuration methods:• Run the nCLI command to change parameters during the login script. • Run nCLI to configure one parameter at a time or use the import command
for bulk configuration. Note: Sample command line access scripts can be found in the sample
directory, under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or the path you specified. See “Using The NVIDIA Command Line Interface (nCLI)” on page 86 section for more information.
• Create and run WMI scripts to change parameter when executing the login script.
Before You Begin• WMI script usage samples are provided in the following subdirectories:
samples\Eth
samples\Firewall
samples\ActiveArmor
under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or the path you specified.
• You can cut and paste the appropriate command and use them in a batch file or the command line. For further details, see “Using WMI Script” on page 84.
• To use WMI scripting, you must be familiar with the syntax and characteristics of configuration parameters. See the “Ethernet Parameters Reference” on page 104, “ActiveArmor Firewall Parameters Reference” on page 143, and “ActiveArmor Secure Network Engine (SNE) Parameters Reference” on page 183 for details.For additional details, refer to the Microsoft documentation on WMI scripting. Note: Many Ethernet parameters require restarting the network driver for
script changes to take effect. When the network driver is restarted, network connections will terminate, which will terminate the login
30 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 31 Monday, September 19, 2005 6:01 PM
C H A P T E R
ACTIVEARMOR FIREWALL: BASICCONCEPTS
Types of FirewallsThe ActiveArmor Firewall is a type of firewall that is typically referred to as a “PC firewall” or a “desktop firewall.” Another classification of firewalls is the “gateway firewall.”The main difference between the PC firewall and the gateway firewall is that while the gateway firewall monitors network traffic and controls access between two different networks or administrative domains, the PC firewall controls traffic generated or received by a single computer. Therefore, a gateway firewall is usually a dedicated computer, or a part of a network switch or router, with multiple interfaces through which certain traffic is allowed and other traffic is blocked. A PC firewall is usually software that is installed on the personal computer, or a combination of software and hardware that is integrated to the computer. In both types of firewalls, certain traffic is allowed and certain traffic is blocked according to the specific rules configured for the firewall.Firewalls just discussed can be further classified as one of two types —• Application layer • Packet-based firewalls are of two main sub-types:
• Stateful• Stateless
N V I D I A C o r p o r a t i o n 31
C h a p t e r 3 A c t i v e A r m o r F i r e w a l l : B a s i c C o n c e p t s
nViewGuide.book Page 32 Monday, September 19, 2005 6:01 PM
Note: The ActiveArmor Firewall is a “packet-based PC firewall” with both “stateful” and “stateless” features.
Stateful vs. Stateless Stateful and stateless are adjectives that describe whether a computer or computer program is designed to note and remember one or more preceding events in a given sequence of interactions with a user, another computer or program, a device, or other outside element. Stateful and stateless are derived from the usage of state as a set of conditions at a moment in time. Stateful means the computer or program keeps track of the state of interaction, usually by setting values in a storage field designated for that purpose.Stateless means there is no record of previous interactions and each interaction request has to be handled based entirely on information that comes with it.
Inbound vs. Outbound PacketsNetwork traffic is not inherently safe nor dangerous. In addition to the usual attributes of packets that can distinguish them from each other, such as IP addresses and TCP port numbers, one criterion that can be used to help discriminate traffic is the direction in which that traffic is flowing. For traffic arriving from the outside the PC, it is reasonable to presume that there is a chance that an attack may be present, whereas in traffic originated by the PC, it is less likely to be dangerous. The firewall rules consider the direction of traffic as an attribute when establishing the traffic that should be allowed (i.e., such traffic is deemed to be safe or to have an acceptable level of risk) versus the traffic that should be denied (i.e., such traffic is deemed to be unsafe). Note: The tolerance for risk will vary among users, so there is no universally
accepted definition of “dangerous” packets. However, the default configuration of the ActiveArmor Firewall represents industry-accepted best practices, and can be used as the basis for customized configurations that more closely match the end-user's specific requirements.
By defining the direction as part of the specification of a rule, the end-user can separate traffic that he/she considers to be safe enough from traffic considered unsafe. Most protocols exchange traffic bi-directionally; therefore, the “direction” of such exchanges is defined by the connection-initiation packet. For example, in the case of TCP packet, the first packet matching a new set of IP addresses and TCP ports for which the TCP SYN flag is set establishes the direction of that subsequent bi-directional flow.
32 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 33 Monday, September 19, 2005 6:01 PM
Other protocols, such as User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP), may not have the equivalent of the TCP “SYN” flag. Therefore, for those protocols, the ActiveArmor Firewall uses the direction of the first packet matching a given set of IP addresses and, for example, UDP ports, as the direction for the subsequent bi-directional flow.
About the TCP ProtocolSome network protocols, such as TCP, require an explicit connection initialization process. Firewall rules that apply to TCP typically depend partially on the direction of the connection establishment. When referring to protocols that involve establishment of a connection: • Inbound describes a connection attempt not originated by the local
computer.• Outbound describes a connection attempt that was originated by the local
computer.
About the UDP and ICMP ProtocolsUnlike TCP, other protocols, such as UDP and ICMP do not have an explicit connection establishment process. A computer can use protocols such as UDP and ICMP to send data packets to any other computer at any time, but the receiving computer, or an intervening firewall, can reject or accept the data on a per-packet basis.
UDP UDP is frequently used in a connection-like manner, but without the connection establishment process. In other words, UDP-based applications may rely on long-term computer-to-computer sessions. However, the meaning of the “direction of the connection” in the UDP context is broader than in the TCP context. • The direction of a packet is inbound if the initial packet matching this new
set of IP and UDP header field values was a received packet. • Similarly, a UDP connection is considered to be outbound if the initial
packet matching this new set of IP and UDP header field values was a transmitted packet.
Thus, firewall rules that apply to UDP typically also depend on the direction of the first packet of a new “connection.” UDP packets, like TCP packets, can be matched against a “connection table” by performing a hash function on certain fields in the packet to determine if there is a match in a table of hash values where there is at least one connection that corresponds to each hash value.
N V I D I A C o r p o r a t i o n 33
C h a p t e r 3 A c t i v e A r m o r F i r e w a l l : B a s i c C o n c e p t s
nViewGuide.book Page 34 Monday, September 19, 2005 6:01 PM
ICMP ICMP is an example of a protocol with neither a connection establishment process nor any connection-like functionality. Firewall rules relevant to these types of protocols are applied to every packet, and inbound and outbound respectively refer to packets (of one of these protocols) that are received and transmitted across any of the network interfaces that the firewall is protecting.
Stateful FilteringStateful filtering (also known as stateful inspection or dynamic packet filtering) provides enhanced security by monitoring network packets over the period of the connection for that particular traffic. Because stateful filtering can dynamically track each connection, compare packets against the connection's expected state, and drop the packets that don't conform to the protocol, it has replaced static filtering as the industry standard firewall solution for networks.
It is also the case that stateful filtering scales much better than stateless filtering because the firewall policy table is only consulted once per connection, instead of once per packet. This means that as the number of rules grows, the stateful firewall will use a lower percentage of CPU, because in a stateless design, each packet will have to be compared against half of the firewall rules, on average, until a matching rule is found that explicitly allows or denies the packet. However, an increase in the size of the firewall policy rule table does not impact the stateful firewall to such a large degree, since the majority of packets are not connection setup packets. A stateful firewall amortizes the CPU cycles that were used to do the firewall policy rule table lookup over the massive per-packet CPU savings due to having only a simple per-packet hash to compute, to determine if the current packet is associated with a previously allowed connection. In contrast, a stateless firewall must examine every packet against the complete firewall policy rule table, or until it finds a matching rule, so in essence, every packet is treated as a connection setup packet, incurring the associated processing penalty. As a result of the differences in processing required for stateful vs. stateless firewall lookups, latency due to stateful firewall operations is very small and nearly constant on a per-packet basis, whereas latency in a stateless firewall depends on the size of the firewall policy rule table, and is of a much larger magnitude.Once a TCP or UDP connection is established, a stateful firewall ensures that data traffic for that connection can flow in either direction—even if the rules
34 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 35 Monday, September 19, 2005 6:01 PM
governing the firewall limit such traffic to be only associated with remotely generated (i.e., inbound), or locally-originated (i.e., outbound) connections. When a stateful firewall has determined that a connection is being established by decoding each packet, it checks its policy table to find out whether the connection is allowed or denied. • In TCP, the connection establishment packet is a specially marked TCP
packet that the firewall can detect.• A UDP connection is initiated by the first packet matching a set of
identifying fields in the IP and UDP headers.If the firewall allows the new connection, the firewall saves a set of five values related to that connection’s establishment into its connection-tracking table during the lifetime of that connection. Every inbound and every outbound packet associated with a given connection contains the same five values. This allows the stateful firewall to quickly check whether or not the packet belongs to a connection that was previously granted permission and then deny or allow the packet accordingly. Note: Only TCP packets that match the connection-tracking table are allowed.
UDP packets that do not match the table may represent a new “connection” and are compared with the firewall rules in order to determine whether or not to add an entry to the connection-tracking table for this new connection.
The five “connection identifying” values saved into the connection-tracking table are:
• IP Source Address• IP Destination Address• IP Protocol• TCP or UDP Source Port• TCP or UDP Destination Port
For TCP, in addition to the five items in the list, the firewall tracks the state of the TCP connection (for example, the current stage of the connection establishment process) in order to enforce legal state transitions in the TCP protocol. The firewall also tracks the current TCP “sequence and acknowledgement” numbers and the most recent TCP window in order to determine whether to drop packets that fall outside the current valid TCP window. This kind of scrutiny prevents potential attackers from sending spurious TCP “reset” packets to the local computer in that the firewall prevents these reset packets to reach
N V I D I A C o r p o r a t i o n 35
C h a p t e r 3 A c t i v e A r m o r F i r e w a l l : B a s i c C o n c e p t s
nViewGuide.book Page 36 Monday, September 19, 2005 6:01 PM
the host if the TCP sequence number of the reset packet falls outside the current valid TCP receiving window.Some TCP options can also be used by the stateful firewall in determining whether to allow or deny TCP packets because certain TCP options can only be used if their use was negotiated during the connection establishment process. If such TCP options were negotiated during the connection establishment phase, then the TCP state will reflect the successfully negotiated TCP options for that connection. The TCP policy table can still override the peers and prevent certain TCP options from being negotiated at all.Note: Other TCP options are not pre-negotiated. Therefore, decisions about
whether to allow or deny TCP packets with such options must be based on the stateless (see “Stateless Filtering”) configuration of the firewall.
Stateless FilteringThe main difference between stateful filtering and stateless filtering is that contrary to the quick lookup-and-decide process enabled by the connection state tracking table that drives the decision making process in stateful filtering, all of the stateless filtering rules must be examined in sequence, for each packet, until a rule is found that either explicitly allows or denies that packet. Note: For protocols such as ICMP and other non-TCP and non-UDP protocols,
and for any non-IP protocols, the firewall performs stateless filtering but no stateful tracking or filtering.
In stateless filtering, the firewall can be configured to “allow in” or “deny in” certain kinds of traffic (from a specific protocol, with a particular option, etc.) on a given network interface. Similarly, the firewall can be configured to “allow out,” “deny out,” “allow in and out,” or “deny in and out” on the same traffic. Note that “in” implies the receive direction and “out” implies the transmit direction.On average, the firewall will need to search half of its rules list for any given packet in order to find an applicable rule. Therefore, in general, as the number of rules increases, the firewall consumes more time in determining the outcome of a given packet. On the other hand, the ActiveArmor Firewall has been optimized so that looking up certain commonly used parameters (for example, ICMP, TCP, and UDP in the IP protocol table) is much faster and independent of the table size.The firewall can be configured to perform stateless filtering based on: • EtherType values• Specific IPv4 or IPv6 addresses or address prefixes
36 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 37 Monday, September 19, 2005 6:01 PM
• Specific domain names contained within DNS name resolution queries or responses
• Specific IP options• Specific TCP options• Specific ICMP (Type, Code) pairs• Other relevant parameters In all cases, stateless filtering rules are specified in the appropriate firewall table in the ForceWare Network Access Manager Web-based interface.For example, when filtering ICMP traffic, the filtering rule is based on both the first three items (IP Source Address, IP Destination Address, and IP Protocol) as listed in the section on “Stateful Filtering” on page 34, as well as the particular ICMP (Type, Code) field values in each ICMP packet. In ICMP filtering, the IP Protocol is implicitly required to have a value of “0x01,” which is the protocol value for ICMPv4. A similar requirement is placed on ICMPv6, with its own unique identifying number in the IPv6 headers (i.e., 0x3A).In most situations involving stateless filtering, it is necessary to allow a given protocol to go both in and out on a given interface in order for the associated application to operate normally. However, it may also be the case that certain applications require that one type of traffic be allowed in, while another type is allowed out.One example of the latter case is “ping” because in order for the application process to complete successfully, the firewall must be configured to allow both an outbound ICMP Echo packet (Type = 0x08, Code = 0x00) and an inbound ICMP Echo Reply packet (Type = 0x00, Code = 0x00). These settings will allow the local PC to “ping” remote computers but will not necessarily allow remote computers to “ping” the local computer because inbound ICMP Echo packets and outbound ICMP Echo Reply packets are not necessarily allowed. Note: Based on the above values, note that the ICMP (Type, Code) pair values
for ICMP Echo and Echo Reply are, in fact, different.
N V I D I A C o r p o r a t i o n 37
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 38 Monday, September 19, 2005 6:01 PM
C H A P T E R
CONFIGURING THE ACTIVEARMORFIREWALL
ActiveArmor Firewall Parameters ReferenceAppendix B: “ActiveArmor Firewall Parameters Reference” on page 143 is an ActiveArmor Firewall Reference guide, categorizing the ActiveArmor Firewall parameters by group and table names.When you are using the Firewall parameters from the ForceWare Network Access Manager Web-based interface, you can easily access online Help by clicking the Help tab.
Using the Basic Configuration PageNote: ActiveArmor Firewall only operates on an NVIDIA Ethernet interface.
ActiveArmor Firewall will not protect network traffic/application on a system that uses a third-party Ethernet interface (for example 3Com, Intel, Broadcom, DLink, etc.) on an NVIDIA nForce motherboard.
1 Open the ActiveArmor Firewall desktop link or the ForceWare Network Access Manager Web-based interface. If you need help, see “Launching the ForceWare Network Access Manager Web Interface” on page 24.
2 From the Firewall menu, click the Basic Configuration option to open the Firewall Basic Configuration page (Figure 4.1).
3 Click the Security Profiles list to view the profiles, which are predefined sets of table rules.
38 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 39 Monday, September 19, 2005 6:01 PM
Note: You cannot edit these basic pre-defined profiles. To create custom profiles to define the sets of ActiveArmor Firewall rules, see “Advanced Configuration” on page 48 and “Using the ActiveArmor Firewall Wizards Page” on page 55.
N V I D I A C o r p o r a t i o n 39
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 40 Monday, September 19, 2005 6:01 PM
Figure 4.1 ActiveArmor Firewall—Basic Configuration
4 To enable a specific profile, click the Security profiles list and select the profile you want. See the next section, “Security Profile Settings” for an explanation of each setting.
5 Click Apply.6 To view the actual rules associated with a profile, repeat step 4 above. 7 From the Firewall > Advanced Configuration menu, click the appropriate
option to open a table. Using the table, you can determine whether the settings are appropriate at the level of protection you want for your application(s).
Security Profile SettingsNote: You cannot edit the pre-defined profile settings described below.
However, you can create custom profiles to define the sets of ActiveArmor Firewall rules, as explained in “Advanced Configuration” on page 48 and “Using the ActiveArmor Firewall Wizards Page” on page 55.
40 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 41 Monday, September 19, 2005 6:01 PM
For additional details about security profiles, see “Configure Firewall Security Level” on page 143 in Appendix B.
• Lockdown drops all traffic packets, except outbound Alert Standard Format (ASF) packets, and the ActiveArmor Firewall Intelligent Application Manager (IAM) is disabled.
• High is an extremely secure setting. However, due to the stringent filtering rules associated with this setting, many applications may not work as expected and some applications may not work at all.
• Medium (the default profile setting after installation) is intended to provide a good balance between usability and security, with an emphasis on security.
• Low is the least secure of the profile settings, but allows most applications to work properly.
• Antihacking only is a profile setting that enables only the antihacking features of the ActiveArmor Firewall and is useful in a dual firewall configuration—for example, if you want to use a third-party firewall product along with the antihacking features of the ActiveArmor Firewall. Note: The Antihacking only setting disables the IAM, ActiveArmor, and
the ActiveArmor Firewall, allowing most incoming and outgoing network traffic**. The logging of ActiveArmor Firewall messages will proceed as usual, as long as you have enabled one of the logging message types in the ActiveArmor Firewall Log Settings page.
** If you are using the Antihacking only setting with a third-party firewall, then this third-party firewall controls the incoming and outgoing network traffic; it will probably deny most incoming and outgoing network traffic. However, the ActiveArmor Firewall will still continue to log messages pertaining to the Antihacking only setting, as long as you have enabled one of the log message types in the ActiveArmor Firewall Log Settings page. For additional information, see “ActiveArmor Firewall Logging” on page 63.
• Off turns off the IAM, ActiveArmor, and the ActiveArmor Firewall, allowing all incoming and outgoing network traffic.
Using the Intelligent Application Manager (IAM)The initial release of the ActiveArmor Firewall was designed for applications that use well-defined ports. However, with more applications using dynamic ports and with many applications never registering their ports, the firewall software had to be able to make decisions based not only on the port information, but also on the application trying to access the network. This led to
N V I D I A C o r p o r a t i o n 41
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 42 Monday, September 19, 2005 6:01 PM
the development of the ActiveArmor Firewall Intelligent Application Manager (IAM).The IAM allows you to create firewall rules based on an application’s name. When an application attempts to open a new network connection (either as a client or as a server), you are prompted by a pop-up dialog to either allow or deny the application's access to the network (see “Basic Risk-Level Dialog Box” on page 45). An application-based firewall rule is then automatically created or modified based on your decision. Applications thus can be allowed or denied on the fly by you, and you have the ultimate control over whether an unknown application can, or cannot, access the network. Filtering by ports is still available, of course, augmenting the more user-friendly filtering based on application names the IAM provides in the ActiveArmor Firewall.A primary benefit of a firewall policy based on application names derives from the fact that many applications, such as Voice over IP and games, do not use well-defined ports. Such applications use unregistered or dynamically selected ports that cannot be predicted in advance. Filtering based on application names is preferable to filtering based on ports in this circumstance because you are more likely to know whether an application should be allowed network access, than to know whether the application should be able to use a given port. There is another large benefit of the IAM that derives from basing firewall filtering on application names. By making the application name the key factor in the allow/deny decision, and by only opening ports as they are requested by permitted applications, the firewall dynamically adjusts itself to allow only that traffic that is required at any given time. As soon as an application closes a socket, the IAM forgets that the port was ever open. By filtering based on application names, only those ports that an application actually uses are opened—in contrast to a port-based firewall that might have to open a large range of port numbers because it isn’t known in advance which ports the application will use at run-time (or at connect-time).
So, rather than opening large holes in the firewall configuration to support applications using dynamic ports, the firewall opens only “pinholes” for those ports that the application is actually using at any given time. You decide if an application is trustworthy, and, if so, the firewall opens only the minimum number of ports needed to ensure that the application can operate properly.
IAM Popup Dialog BoxesWhen you launch a network application, or when a local application attempts to access a remote device, the ActiveArmor Firewall IAM displays a pop-up dialog box that can be either of two types: Information or Risk-Level.
42 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 43 Monday, September 19, 2005 6:01 PM
Information Dialog BoxAn Information dialog box message (Figure 4.2) indicates that the detected
application is recognized by the ActiveArmor Firewall. A rule is automatically generated that either allows or denies the application's access to the network based on the factory default settings. No user interaction is required. Application. Information in this box identifies the application that is attempting to access the network, and provides a short description of the application. ActiveArmor Firewall IAM. This section indicates the type of Firewall application rule to be automatically created by the IAM. Do not display informational messages in the future. Selecting this check box disables pop-up dialog boxes for all applications recognized by the ActiveArmor Firewall IAM.
Risk-Level Warnings To help you decide if an application should be allowed to access the network, the ActiveArmor Firewall IAM classifies the risk levels associated with various network applications as Low, Medium, or High.
Figure 4.2 Information Dialog Box
N V I D I A C o r p o r a t i o n 43
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 44 Monday, September 19, 2005 6:01 PM
A Low Risk warning represents a common application that is attempting to access the network.
A Medium Risk warning is generated by a less common application that is attempting to access the network.
A High Risk warning is caused by an uncommon application’s attempt to use Raw Sockets (a potential high risk) to access the network.
A risk level message can appear under any of these four conditions:• The network application is attempting to access the network and a Firewall
rule does not exist for this application. • The network application is attempting to access the network and the Firewall
rule for this application says to prompt the user. • The network application has been modified due to an upgrade or virus
infection. • The risk level of the application has increased due to connection type
changes. Note: The risk level of the application increases by one level if the
connection type changes.Changes that can trigger an increased risk include the following:• An application moving from client-like to server-like behavior. • A modification of the protocol type from TCP to UDP, or TCP or UDP to
Raw Sockets.
Figure 4.3 Low Risk Warning
Figure 4.4 Medium Risk Warning
Figure 4.5 High Risk Warning
44 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 45 Monday, September 19, 2005 6:01 PM
• A change in the checksum of the application (which indicates that the executable application has changed, and thus might have been corrupted by a virus of some kind).
Two kinds of pop-up dialog boxes contain these risk-level warnings: Basic Risk-Level dialog boxes and Advanced Risk-Level dialog boxes. Based on your response to these dialog boxes, a rule is automatically generated that either allows or denies the application's access to the network
Basic Risk-Level Dialog BoxThe low, medium, and high risk warnings can appear in either a basic risk-level message (Figure 4.6) or in an advanced risk-level message (Figure 4.7). The Basic Risk-Level dialog box has these components:• Application. This area identifies the application that is attempting to access
the network and includes a short description of the application.
• Allow. Click to add an Allow entry to the Firewall Application table and to allow the application to access the network in the future. No more pop-ups will occur for this application—unless a High Risk warning is generated.
• Deny. Click to add a Deny entry to the Firewall Application table and deny this application access to the network in the future. No more pop-ups related to this application will occur.
• More Options. Click to launch the Advanced Risk Level dialog box.
Figure 4.6 Basic Risk-Level Dialog Box
N V I D I A C o r p o r a t i o n 45
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 46 Monday, September 19, 2005 6:01 PM
Advanced Risk-Level Dialog BoxThe Advanced Risk-Level dialog box has information and user choices beyond those of the Basic Risk-Level dialog box:• Company is the name of the company that developed the application. • Version is the version number of the application. • Path shows the application name and its directory location. • Application Type is a description of the application. • Protocol Type is information about the type of protocol that the application
is currently attempting to use. The choice is TCP/UDP or Raw Sockets. • Destination is the location to which the application is attempting to connect. • Source is the source of the application, such as the local computer's IP
address and the stack-assigned source port. • Allow adds an Allow entry to the Firewall Application table and allows the
application to access the network, as in the basic risk-level dialog box.
Figure 4.7 Advanced Risk-Level Dialog Box
46 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 47 Monday, September 19, 2005 6:01 PM
• Allow Once adds an Allow entry to the Firewall Application table and allows the application to access the network for only the current session. The next time the application is launched, the dialog box will be displayed again.
• Deny adds a Deny entry to the Firewall Application table and denies the application to access the network, as in the basic risk-level dialog box.
• Deny Once adds a Deny entry to the Firewall Application table and denies the application to access the network for only the current session. The next time the application is launched, the dialog box will be displayed again.
• Advanced Configuration launches the NVIDIA ForceWare Network Access Manager Web-based user interface to allow for advanced configuration of the Firewall rules.
Configuring the IAMWhen you launch an application that attempts to access the network, the IAM presents a popup dialog box that lets you allow or deny the application's access to the network — for example, see “Basic Risk-Level Dialog Box” on page 45.An application-based firewall rule is automatically created or modified in the ActiveArmor Firewall Application table — see Figure 4.8, “ActiveArmor Firewall Application Table”. Using the Web interface of the Application table (Firewall > Advanced Configuration > Application) you can change the rule for an application, disable the IAM, or disable the Information dialog box.On the IAM configuration part of page, you can control the following two IAM settings:• IAM (Intelligent Application Manager)
This option allow you to turn off the IAM. If you do, you do not see the pop-up dialog, and the rules in the Application Table are not enforced. Rules in the rest of the ActiveArmor Firewall such as the TCP/UDP Port table or the ICMP table are still enforced. The IAM is also disabled when the ActiveArmor Firewall profile is set to Off, Antihacking only, or Lockdown.Note: When the IAM is enabled, an IAM application-based rule has
precedence over an ActiveArmor Firewall port-based rule. For example, the Firewall port table could be configured to deny port 80, and the IAM application table could be configured to allow Internet Explorer (IE) network access. When you launch IE, it is able to access the network. The Firewall rule in the port table is overridden by the rule in the IAM application table.
N V I D I A C o r p o r a t i o n 47
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 48 Monday, September 19, 2005 6:01 PM
• Informational popup dialog You are given the choice to enable or disable the Information dialog box. The dialog box signifies that the detected application is recognized by the ActiveArmor Firewall, and that a rule will be automatically generated that either allows or denies the application's access to the network based on the factory default settings. No interaction is required by you. If the Information dialog box is disabled, you can still use the Firewall log to view the rules that are automatically created.
Advanced ConfigurationIf you want to create a custom profile, you can use any of the basic Lockdown, High, Medium, Low, Antihacking, or Off profiles discussed in “Using the Basic Configuration Page” on page 38 as a starting point. Note: You can define up to three independent custom profiles.
Figure 4.8 ActiveArmor Firewall Application Table
48 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 49 Monday, September 19, 2005 6:01 PM
To create or choose a custom profile, follow these steps:1 Open the ForceWare Network Access Manager Web browser interface.
If you need help, see “Launching the ForceWare Network Access Manager Web Interface” on page 24
2 From the Firewall menu, click Basic Configuration to open the Firewall Basic Configuration page.
3 Click the Security Profiles list to view the profiles. 4 Select one of the three Custom profiles.
Note: Whether the IAM and ActiveArmor are disabled depends on what the custom profile is based on. If the custom profile is based on the Medium (default) profile, the IAM and ActiveArmor are not disabled. If the custom profile is based on Off, they are disabled.
5 Specify a new name for each custom profile you select in step 4 in the Rename edit box.Note: You will probably choose to generate a custom profile based on one of
the pre-defined profiles, e.g., Lockdown, High, Low, etc.6 To edit the associated table rules, select the appropriate option under the
Advanced Configuration menu to perform any of the following actions:• To add a rule or purge all rules in a table, use the Add Rule or Purge
Table buttons in the corresponding table’s page.• To change only the “action” of an existing rule, follow these steps:
a) Click the drop-down menu in the corresponding table row under the “action” column and choose either Allow or Deny (for all tables) or Ignore (for the UDP/TCP Port table only). For further details, see “About Working With Tables” on page 51.b) Click Apply. Note: Multiple “actions” may be modified before you click Apply, which accepts all the changes at once.
• To edit any other parameter of an existing rule, or to delete a rule, click the icon in the corresponding row under the Edit column to open the Rule editing page.
For brief descriptions of each table parameter, click the Help button on the upper-right corner of either the Table page or the Rule editing page. For more detailed descriptions of each table parameter, refer to “ActiveArmor Firewall Parameters Reference” on page 143 in this guide.The ActiveArmor Firewall > Advanced Configuration page also allows you to toggle the more advanced security features of the ActiveArmor Firewall. For
N V I D I A C o r p o r a t i o n 49
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 50 Monday, September 19, 2005 6:01 PM
detailed information on these features, click the Help tab on the upper right corner of the page.
Configuring Antihacking Features The antihacking features of the ActiveArmor Firewall include antispoofing, antisniffing, anti-ARP cache poisoning, and anti-DHCP server, all of which provide important security controls for corporate network environments.You can configure antihacking features from the ActiveArmor Firewall Options page (Figure 4.9).Figure 4.9 ActiveArmor Firewall Options—Configuring Antihacking Features
Follow these steps to access the Firewall Options page:1 Open the ForceWare Network Access Manager Web-based interface. If you
need help, see “Launching the ForceWare Network Access Manager Web Interface” on page 24.
2 From the NVIDA Firewall menu, click Advanced Configuration, and then click Options to open the Firewall Options page (Figure 4.9).
50 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 51 Monday, September 19, 2005 6:01 PM
3 For detailed information about the options and how to configure them, see “Group: Configure Firewall Options” on page 146 in Appendix B: “ActiveArmor Firewall Parameters Reference” on page 143.
About Working With Tables
Specifying ActionsFor each rule, you can specify the action that the ActiveArmor Firewall should perform if a packet or connection matches that rule. • In the following three types of tables, where the direction of traffic is
important, each rule will let you set the Inbound action and the Outbound action separately. • IP Option table• UDP/TCP Port table • ICMP table
• In all other types of tables, the direction is not important. Therefore, each rule lets you set one action for both inbound and outbound. Every rule can either Allow or Deny traffic, while each rule in the UDP/TCP Port table has an additional action called Ignore.
The Ignore action is useful when you want a UDP/TCP Port rule to apply in only one direction. For example, setting a rule for HTTP (Web) port 80 to deny inbound and ignore outbound will always block Web connections in the inbound direction, but will let a more generic matching rule or the “default action” to determine the action for outbound Web connections.
About Table SortingYou can sort any table based on the contents of any column by simply clicking either the Up or Down arrows adjacent to the column name in the header at the top of each column. When you first view a table, the tables are sorted by default in the following ways:• In the IP Address table, the Domain Name table, and the UDP/TCP Port
table, the rules are normally sorted by the Rule Order column, which is both the order that the rules have been added and the order that they will be applied. Executing the rules in the order of their creation allows you to add overlapping rules that provide one action for a more generic range of IP addresses or domain names, while having a different action for a more specific IP or domain.
N V I D I A C o r p o r a t i o n 51
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 52 Monday, September 19, 2005 6:01 PM
For example, if you first create an IP Address table rule to allow address 10.1.1.2 and mask 255.255.255.255, and then create a rule to deny address 10.1.1.0 and mask 255.255.255.0, then the IP Address table will allow traffic to 10.1.1.2 but will block other IP address beginning with 10.1.1.x. Traffic to 10.1.1.2 will not be blocked by the second rule of this table because the first rule already matches it. You can similarly set up the Domain Name table to block a generic domain suffix (e.g., example.com) but allow specific domain names (e.g., foo.example.com).
• In all other tables, the rules are normally sorted by the most significant column. For example, EtherType rules are sorted by the EtherType value, the ICMP rules are sorted by the ICMP Type and then ICMP Code, etc.
• An exception to this behavior is that right after adding a rule to any table, the new rule appears at the bottom of the table so that it can be easily verified as having been added. When the table is viewed again (after navigating away to another page within the Web browser), the rules are back to the default sorting method.
Note: While every table has a Rule Order column, only in the IP Address table, the Domain Name table, and the TCP/UDP Port table mentioned above do you need to worry about the Rule Order when adding new rules, because they allow overlapping IP addresses or domain names.
Reordering ActiveArmor Firewall Rules Through the Web interface, the Network Access Manager lets you easily reorder NVDIA Firewall rules, using the steps that follow.Note: Firewall rules can be reordered for the following tables:
• Domain Name• UDP/TCP Port • IP Address
1 When a table is in Edit mode, click the column labeled Reorder (icon is a scissor); an example is shown in Figure 4.10. That row is then highlighted in red (Figure 4.11) and the reorder graphics is changed to a clipboard.
2 Then, click the clipboard icon of the row to which you want to move.
52 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 53 Monday, September 19, 2005 6:01 PM
Figure 4.10 Reordering ActiveArmor Firewall Rules — Cutting a Row
N V I D I A C o r p o r a t i o n 53
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 54 Monday, September 19, 2005 6:01 PM
Figure 4.11 Reordering ActiveArmor Firewall Rules — Pasting a Row
Table Default Action SettingsEach table has an associated default action, which may be set to Allow or Deny. Depending on the nature of the default action, a given individual rule may or may not have any effect. For example, if the TCP default action is to Allow packets associated with outbound connections and to Deny packets associated with inbound connections, then having a rule to allow outbound HTTP (i.e., TCP port 80) connections would be redundant, because that traffic would already have been allowed by the default action.The default action defines the action that will be performed when no other specific rules in that particular table applies to a given type of packet. • In general, if the default action of a table is to Deny, then most rules should
be set to Allow specific exceptions.• Similarly, if the default action is to Allow, then most rules should be to Deny
specific exceptions.
54 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 55 Monday, September 19, 2005 6:01 PM
Note: It is generally agreed that it is safer to discard traffic unless you specifically need to allow it, so a default action of Deny is likely to be more secure (or at least more convenient) than a default action of Allow. The ActiveArmor Firewall compares each packet to the firewall tables in the following order, from the lower-numbered, more fundamental parameters to the higher-numbered, more complex parameters.
a EtherType tableb IP Address tablec IP Option tabled IP Protocol tablee TCP Option tablef UDP/TCP Port tableg ICMP tableh Domain Name tableNote: Packets of a specific protocol, such as TCP, will not be processed by
the table of an unrelated protocol, such as ICMP.
Using the ActiveArmor Firewall Wizards PageAnother way to configure rules in your custom profile is through the Firewall Wizards page (Figure 4.12); from the main menu, click Firewall > Wizards. Using a questionnaire format, the wizards provide a simple, step-by-step method to configure the tables and, for convenience, are separated into different categories of commonly-used applications.You can use the Firewall Wizards page to configure the ActiveArmor Firewall to enable specific applications or classes of applications to work. There are wizards for various types of applications including Telnet, FTP, SSH, game servers, and so on.
N V I D I A C o r p o r a t i o n 55
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 56 Monday, September 19, 2005 6:01 PM
Figure 4.12 Firewall Wizards
These wizards will open the required network ports that are used by these applications. If the particular application you are using needs other non-specific network ports, you can use the Generic Port wizard to add those ports for the application to work.Note: Refer to your application documentation for information on the TCP/
UDP ports that are used, if applicable.
DHCP Server/Client configuration
DHCP Server1 Open the Firewall > Basic Configuration page and select a custom profile.2 To allow DHCP server traffic, you can do one of the following:
a From the Firewall menu, click Wizards to open the page.b Click DHCP (Dynamic Host Configuration Protocol) and then select the
server and finish.OR
56 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 57 Monday, September 19, 2005 6:01 PM
a From the NVIDA Firewall menu, click Advanced Configuration and then click Anti-Hacking to open the page.
b Clear the Disallow DHCP server check box and click Submit.c From the Firewall menu, click Advanced Configuration and then click
UDP/TCP Port to open the page.d Confirm that port 53 Domain Name Service UDP is set to Allow (inbound
and outbound)3 To deny DHCP server traffic, follow these steps:
a From the NVIDA Firewall menu, click Advanced Configuration and then click Anti-Hacking to open the page.
b Select the Disallow DHCP server check box so that a check mark appears in the check box and click Submit.
DHCP Client1 To allow DHCP client traffic, you can do one of the following:
a From the Firewall menu, click Wizards to open the page.b Click DHCP (Dynamic Host Configuration Protocol) and then select the
client and finish.OR
c From the Firewall menu, click Advanced Configuration and then click UDP/TCP Port to open the page.
d Confirm that port 53 Domain Name Service UDP is set to Allow (outbound only)
2 To deny DHCP client traffic, follow these steps:e From the Firewall menu, click Advanced Configuration and then click
UDP/TCP Port to open the page.f Confirm that port 53 Domain Name Service UDP is set to Deny
(outbound only)
Configuration DependenciesUnder certain configurations, the ActiveArmor Firewall might not function as expected even though its functionality is still consistent with the actual rules that were configured. In particular, it is possible to provide the firewall with conflicting configuration directives, yet it might not be obvious that this is the
N V I D I A C o r p o r a t i o n 57
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 58 Monday, September 19, 2005 6:01 PM
case. This situation may arise because of the many ways in which traffic can be allowed or denied and the overlapping scopes of the various firewall tables.For example, suppose that you had configured the ActiveArmor Firewall to allow certain types of ICMPv4 traffic but had also configured it to block all IPv4 packets. If you had forgotten that the latter was the case, you might wonder why the allowed ICMPv4 traffic was not getting through. In this case, you would have to realize that you cannot expect ICMPv4 traffic to flow unless you allow at least IP Protocol number 0x01 and EtherType 0x0800 for IPv4. Other less obvious cases are possible. For example, if all inbound packets with IP options are blocked, then IGMP Reports will not be received by the stack, since all IGMP Reports have an IP Router Alert option included in the packet.
RecommendationsNote: There are many ways to configure different parameters, which could
cause unintended and troublesome consequences. Therefore, it is best to work step-by-step through a configuration, building up one layer of rules at a time. Once a given configuration is known to be effective, then it is possible to amend the configuration slightly and re-verify the old configuration, while verifying the new configuration as well. Ultimately, the configuration will converge on a set of rules that meets the stated requirements.Note: Attempting to set up the final configuration in a single big step can
sometimes enable interdependencies that prevents things from working as intended and result in difficult troubleshooting.
58 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 59 Monday, September 19, 2005 6:01 PM
ActiveArmor Firewall StatisticsAll packets generate statistics when passing through the ActiveArmor Firewall, whether they are allowed or denied. Each packet increments one of these packet counts—UDP, TCP, ICMP, or Other—as well as one of the TCP and UDP connection counts if it is a connection-initiating packet. The ActiveArmor Firewall statistics allow you to do the following:• Determine the kind of traffic your computer is exchanging• Determine the amount of the traffic being allowed or denied• Enable verification of whether a recently changed firewall rule is operating as
intendedFor example, suppose that you wanted to add a rule to deny TCP packets to any port between 1002 and 1009. To do so you can use the ForceWare Network Access Manager Web interface and follow these steps:1 From the NVIDA Firewall > Information menu, click any of the graph or
table choices.2 For example, to see statistics about the Firewall interface presented in a
graphical format, click Graphical to display a page similar to Figure 4.13.For detailed Help on options, click the Help tab.a To view statistics based on the number of packets, click the Packets tab.b To view statistics based on the number of connections, click the
Connections tab.c After noting the current TCP statistics, you can add a TCP Port Rule to
block the 1002 to 1009 range.d Then you can send some test packets to verify that such packets were
actually blocked.
N V I D I A C o r p o r a t i o n 59
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 60 Monday, September 19, 2005 6:01 PM
Figure 4.13 Graphical Information for Packets
3 In order to send TCP traffic to a particular port, you can open a command prompt window and type:telnet foo.example.com 1003
where: foo.example.com is any valid domain name or IP address that will normally let a packet to be sent through the ActiveArmor Firewall.1003 is actually any number between 1002 and 1009 that should be blocked. The Telnet program will attempt to connect and the expected result (if the rule has been set up properly) is that the Telnet connection attempt should eventually time out because the packets associated with that connection have been blocked.
Arrows pointing to the computer icon represent . received packets or incoming connections.
Arrows originating from the computericon represent transmit packets or
Red arrows represent packets or connections that are stopped by
outgoing connections.
the ActiveArmor Firewall.
Firewall
60 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 61 Monday, September 19, 2005 6:01 PM
4 After performing the above test, you can click the Bar graph or Table option from the Information menu to verify whether the “Outbound TCP connections denied” count or the “Outbound TCP packets denied” count has increased by an amount consistent with the tests that were performed.A sample bar graph is shown in Figure 4.14.
Figure 4.14 Bar Graph of Packet Activity
A sample table of Firewall statistics is shown in Figure 4.15 and Figure 4.16.
N V I D I A C o r p o r a t i o n 61
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 62 Monday, September 19, 2005 6:01 PM
Figure 4.15 Table (Statistics) of Packet Activity—First Section
Figure 4.16 Table (Statistics) of Packet Activity—Second Section
62 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 63 Monday, September 19, 2005 6:01 PM
ActiveArmor Firewall LoggingIn addition to statistics, the ActiveArmor Firewall generates log entries depending on the log filter. When a packet is dropped by the firewall, the log message saved by the firewall corresponds to the first table or rule that denied the packet, as described in the “Advanced Configuration” on page 48 section. For example, if the ActiveArmor Firewall generates a “Blocked IP option” message because a TCP packet has a disallowed IP option, the dropped packet might not have passed the TCP rules, but since it was blocked by the IP option table first, “Blocked IP option” is the message saved by the firewall.In the previous section “ActiveArmor Firewall Statistics” on page 59, the Telnet packet that was generated also causes a “Blocked port” message for port 1003—unless another table blocks it first, in which case a log message for that table is generated. In the latter case, the timestamps in the log messages can be used to correlate those log entries that were created during the test.Whenever a network application is set to Allow/Deny access to the network through the Intelligent Application Manager, a log is also created. Activities related to remote Web interface access are also logged; for example, when a user enters an incorrect password.Other events that generate log entries include changing to a different profile, packets dropped by an advanced ActiveArmor Firewall security option, enabling and disabling an NVIDIA network interface, and any other changes to the ActiveArmor Firewall configuration. Note: Log entries are saved in batches so that the most recent logs may take a
short time to appear in the ForceWare Network Access Manager Web interface.
Note: To increase the frequency of saving log message, select the Log each message immediately setting. Use this setting only for the purpose of debugging in order to avoid lowering system performance.
Note: Logging all successful packets may degrade network performance.1 To open the Log Settings page, choose Log Settings from the menu.2 Confirm that the None option is not selected.3 To view the log page (Figure 4.17), click Log from the menu.4 Then use the links at the bottom of the page (First, Previous, Next, and
Last) to navigate. 5 If you see too many log entries being generated, you can do one of the
following:
N V I D I A C o r p o r a t i o n 63
C h a p t e r 4 C o n f i g u r i n g t h e A c t i v e A r m o r F i r e w a l l
nViewGuide.book Page 64 Monday, September 19, 2005 6:01 PM
Figure 4.17 Firewall Logging Messages
• Click Clear All Logs or • Choose Log Settings from the menu to open the Log Settings page again.
Then consider changing the type of log messages to one of several options provided, as shown in Figure 4.18
64 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 65 Monday, September 19, 2005 6:01 PM
Figure 4.18 User Log Settings
N V I D I A C o r p o r a t i o n 65
C h a p t e r 5 C o n f i g u r i n g N V I D I A A c t i v e A r m o r
nViewGuide.book Page 66 Monday, September 19, 2005 6:01 PM
C H A P T E R
CONFIGURING NVIDIA ACTIVEARMOR
NVIDIA ActiveArmor Parameters ReferenceAppendix C: “ActiveArmor Secure Network Engine (SNE) Parameters Reference” on page 183 is an NVIDIA ActiveArmor Reference guide, categorizing the ActiveArmor parameters by group and table names.When you are using the ActiveArmor parameters from the ForceWare Network Access Manager Web-based interface, you can easily access online Help by clicking the Help tab.
Understanding NVIDIA ActiveArmor NVIDIA ActiveArmor is software that controls the NVIDIA ActiveArmor Secure Networking Engine (SNE), which offloads CPU-intensive aspects of firewall and TCP processing. By processing the packets of those connections that are offloaded, the SNE significantly reduces CPU usage and accelerates firewall throughput. The ActiveArmor offloading policy is defined using the Web-based Network Access Manager (NAM), and configuring ActiveArmor is similar to the process used for the ActiveArmor Firewall. Under the Firewall menu is the ActiveArmor menu, which can be clicked to obtain links to Web pages that allow you to configure ActiveArmor and to observe its operation.The NVIDIA ActiveArmor SNE is enabled whenever the ActiveArmor Firewall is installed. ActiveArmor, by its default configuration, offloads all connections from the ActiveArmor Firewall.
66 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 67 Monday, September 19, 2005 6:01 PM
Note: You have to define a policy that controls those connections that you do not want to be offloaded to ActiveArmor.
NVIDIA ActiveArmor and the ActiveArmor FirewallActiveArmor supports only the ActiveArmor Firewall. All software-based firewalls, including the ActiveArmor Firewall, intercept not only network traffic, but also the software interfaces between applications and the networking software stack. Firewalls also need to communicate between their own layers to coordinate the operation of their software components—when setting up and tearing down filtering information for a given connection, for example. As a result, it is extremely unlikely that two software-only firewalls can happily co-exist within a single system. The simplified diagram in Figure 5.1, “Four Software Layering Scenarios” shows how the ActiveArmor Firewall (and ActiveArmor) might be installed with a single third-party firewall. Even in this simple case, there are at least four possible ways that the software components could be layered with respect to the core Windows elements: the Windows Sockets API, the Windows TCP/IP stack, and the Windows Network Device Interface Specification (NDIS) API.In each of the four scenarios, the software layering arrangement has a different effect, depending on what traffic is allowed (or blocked) by each layer and on what interprocess communication is intercepted (or allowed to pass) by each layer. In some scenarios, both firewalls may appear to work, but they may cause unusual side-effects that affect each other, up to and including system crashIn most cases, you would be best served by picking your favorite firewall and using it alone, rather than trying to make multiple firewalls work together. Keep in mind that the software-based ActiveArmor Firewall is feature-rich and offers excellent performance and low CPU utilization with ActiveArmor.
N V I D I A C o r p o r a t i o n 67
C h a p t e r 5 C o n f i g u r i n g N V I D I A A c t i v e A r m o r
nViewGuide.book Page 68 Monday, September 19, 2005 6:01 PM
Figure 5.1 Four Software Layering Scenarios
Windows Sockets API Layer
Third-Party WinSock Filter Layer
NVIDIA WinSock Filter Layer
Windows Sockets API Layer
Third-Party WinSock Filter Layer
NVIDIA WinSock Filter Layer
Windows TCP/IP Stack
Windows NDIS API Layer
Windows TCP/IP Stack
Windows NDIS API Layer
Third-Party NDIS Filter Layer
Ethernet Driver Ethernet DriverNVIDIA
Firewall
Third-Party NDIS Filter Layer
NVIDIA
Firewall
Third-Party TDI Filter Layer
NVIDIA TDI Filter Layer
Windows Sockets API Layer
Third-Party WinSock Filter Layer
NVIDIA WinSock Filter Layer
Windows TCP/IP Stack
Windows NDIS API Layer
Ethernet DriverNVIDIA
Firewall
Third-Party NDIS Filter Layer
Third-Party TDI Filter Layer
NVIDIA TDI Filter Layer
Third-Party TDI Filter Layer
NVIDIA TDI Filter Layer
Windows Sockets API Layer
Third-Party WinSock Filter Layer
NVIDIA WinSock Filter Layer
Windows TCP/IP Stack
Windows NDIS API Layer
Third-Party NDIS Filter Layer
Ethernet DriverNVIDIA
Firewall
Third-Party TDI Filter Layer
NVIDIA TDI Filter Layer
Application Software Application Software
Application Software Application Software
68 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 69 Monday, September 19, 2005 6:01 PM
Configuring ActiveArmor to Offload All Connections1 From the ActiveArmor menu, click the Application option to open the
ActiveArmor Configuration and Application Table page (Figure 5.2).
2 Ensure ActiveArmor is enabled and that the Offload Default is Offloadable. 3 Click the Purge Table button to remove all rules from the Application Table.
With no more-specific rules in force, the Offload Default controls all traffic.4 Click Apply in the Application Table section of the Web page to confirm
the change.5 From the ActiveArmor menu, click the Port option to open the
ActiveArmor Configuration and Port Table page (Figure 5.3).
Figure 5.2 ActiveArmor Configuration and Application Table
N V I D I A C o r p o r a t i o n 69
C h a p t e r 5 C o n f i g u r i n g N V I D I A A c t i v e A r m o r
nViewGuide.book Page 70 Monday, September 19, 2005 6:01 PM
6 Again, click the Purge Table button, and then click the Apply button that is to the left of the Purge Table button.
Tracking ActiveArmor Connections1 From the ActiveArmor menu, click Connection Table (see Figure 5.4).2 Observe if any connections have been offloaded along with their lifetimes,
TCP states, and so on.
Figure 5.3 ActiveArmor Configuration and Port Tables
70 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 71 Monday, September 19, 2005 6:01 PM
Because ActiveArmor works in conjunction with the ActiveArmor Firewall, only those connections that are permitted by the firewall’s policy rules are offloaded (even if ActiveArmor has been configured to offload everything).
Tracking ActiveArmor StatisticsAnother way to monitor ActiveArmor is to examine the statistics page.1 From the ActiveArmor menu, click Global Statistics (see Figure 5.5).2 As you may have noticed, this page updates itself regularly (every 10 seconds
by default).
Figure 5.4 ActiveArmor Connections Table
N V I D I A C o r p o r a t i o n 71
C h a p t e r 5 C o n f i g u r i n g N V I D I A A c t i v e A r m o r
nViewGuide.book Page 72 Monday, September 19, 2005 6:01 PM
3 You can change the update frequency by clicking the Change Refresh Rate button, entering another value, and then clicking Apply.
4 Click the browser’s Back button to return to the statistics page.
Using ActiveArmor as a TCP/IP AcceleratorWhen the ActiveArmor Firewall is turned off (that is, when the selected security profile is the Off profile), ActiveArmor is also turned off. However, provided that no other firewall is active on the machine—which should only be considered on isolated networks with highly trusted neighbor machines!—it is possible to use ActiveArmor independently of the ActiveArmor Firewall to accelerate TCP/IP traffic.If you are using ActiveArmor in this way, without the policy rules of the ActiveArmor Firewall controlling which connections are permitted, you may want to be more specific about configuring which applications (and/or which TCP ports) may be offloaded.
Figure 5.5 ActiveArmor Connection Statistics
72 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 73 Monday, September 19, 2005 6:01 PM
Configuring ActiveArmor to Offload One ApplicationBecause an application may open several TCP ports and you may not know in advance what ports it will use, the ActiveArmor Web pages permit you to allow an application to be permitted or denied based on nothing more than its name.1 From the ActiveArmor menu, click the Application option to open the
ActiveArmor Configuration and Application Table page.2 Ensure that ActiveArmor is enabled and that Offload Default is set to Not
Offloadable. In this mode, only application executable files that you specifically enumerate are offloaded.
3 Click Add Rule to open the ActiveArmor Application – add rule page. See Figure 5.6, “ActiveArmor Application – add rule” on page 73.
4 Click Browse to open a Choose file dialog box.5 Navigate the file system to the directory in which the desired executable is
located, select that file, and then click Open.6 Finally, specify whether connections related to this application should be
offloaded for incoming connections (to this PC), outgoing connections (from this PC), or both.
7 Click Apply once the configuration is satisfactory.
Figure 5.6 ActiveArmor Application – add rule
N V I D I A C o r p o r a t i o n 73
C h a p t e r 5 C o n f i g u r i n g N V I D I A A c t i v e A r m o r
nViewGuide.book Page 74 Monday, September 19, 2005 6:01 PM
Repeat steps 3–7 to add a rule for a different application executable file.
Configuring ActiveArmor to Offload One TCP PortIt is also possible to configure ActiveArmor to offload traffic associated with certain TCP ports, regardless of which application is using those ports. This is useful when you know in advance which ports an application will be using.1 From the ActiveArmor menu, click the Port option to open the
ActiveArmor Configuration and Port Table page.2 Ensure that ActiveArmor is enabled.3 Click the Add Rule button to open the ActiveArmor Port – add rule page
(Figure 5.7, “ActiveArmor Port – add rule”).
4 Select which remote IP address pertains to this rule (use a mask of 255.255.255.255 for a single IP address, or use a wider mask to permit more IP addresses). Usually Any Remote IP address is a fine choice, unless you only want to offload connections to a certain address or a range of addresses.
5 Enter a Beginning port number and an Ending port number to establish a range of ports for which offloads will be possible.
Figure 5.7 ActiveArmor Port – add rule
74 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 75 Monday, September 19, 2005 6:01 PM
6 Finally, specify whether connections related to these ports should be offloaded for incoming connections (to this PC), outgoing connections (from this PC), or both.
7 Click Apply once the configuration is satisfactory.Repeat steps 3 through 7 to add a different port-based rule.
N V I D I A C o r p o r a t i o n 75
C h a p t e r 6 A d m i n i s t r a t i v e T a s k s
nViewGuide.book Page 76 Monday, September 19, 2005 6:01 PM
C H A P T E R
ADMINISTRATIVE TASKS
Accessing the Administration Menu1 Open the ForceWare Network Access Manager Web menu.2 Click the Administration menu on the left of the window to expand it so that
you can see the various menu choices.3 Click the menu item to display its associated page on the right.
Application Access Control PageFrom the Administration menu, click Access Control to display the Application Access Control page (Figure 6.1).You can use the Application Access Control page to configure the application access permissions. Note the following about these permissions:• Permissions apply only to non-Administrator and remote users.• You must have Administrator rights to configure permissions from the local
computer. An Administrator on a local computer has access to all applications and configuration information—WMI scripts, the command line, and the Web interfaces—provided they are installed on the computer. The access control settings do not affect the Administrator.
76 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 77 Monday, September 19, 2005 6:01 PM
Figure 6.1 Application Access Control Settings
• These permissions cannot be viewed, accessed, or configured remotely, even by an Administrator.
Note: Most of the access control in place will work only if the applications are installed on the NTFS file system, so it is recommended that you use NTFS, however the application will still function if installed on a FAT file system.
Default Administrative Access Control SettingsFigure 6.1 shows the “default” access settings of the ForceWare Network Access Manager software.
N V I D I A C o r p o r a t i o n 77
C h a p t e r 6 A d m i n i s t r a t i v e T a s k s
nViewGuide.book Page 78 Monday, September 19, 2005 6:01 PM
Note: You can also control access by using nCLI parameters such as AccessCLI, AccessWMIScript, etc.
Command Line AccessNote: The Access to CLI parameter is displayed only if the nCLI program is
installed on the computer. Default: Allow accessThis field lets you specify whether to Allow or Deny command line access to the non-Administrator users.
If local command line access is denied, non-Administrator users cannot access the Network Access Manager. Regardless of this setting, users with Administrator privileges can always access the Web interface.
Table 6.1 ActiveArmor Firewall Features
Feature Type of Access
nCLI WMI Script Web Local Web Remote
Ethernet andActiveArmor
——— Any user ——— Any user with the correct password and IP address/mask pair will be granted remote Web access with Administrator rights.
Firewall ——— Administrator only
——— Any user with the correct password and IP address/mask pair will be granted remote Web access with Administrator rights.
Ability to change access settings
——— Administrator only
——— NA
78 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 79 Monday, September 19, 2005 6:01 PM
WMI ScriptDefault: Allow accessThis field lets you specify whether to Allow or Deny WMI scripting access to the non-Administrator users. If disabled, no instances of WMI classes, which are part of the NVIDIA namespace, will be available through WMI script or other third party WMI application. Administrator users can always access WMI using scripts.
Local Web Access Default: Local Web access is Allow.This options allows or denies access to the Web interface from the local computer. If local Web access is denied, non-Administrator users cannot access the Network Access Manager. Regardless of this setting, users with Administrator privileges can always access the Web interface.
Remote Web Access Default: Remote Web access is Deny. Note: Communication between remote Web client and Network Access
Manager is protected by SSL. For maximum security, you are encouraged to disable remote Web access.
When connecting to the Web interface from a remote computer using the following command:
https://<computer name>:3476
type admin as the user name, as shown below: username: adminpassword: ______ (password is blank by default)Note: The password for this account can be changed. The password must be
less than 255 characters. Valid characters are a through z, A through Z, 0 through 9, and space.
N V I D I A C o r p o r a t i o n 79
C h a p t e r 6 A d m i n i s t r a t i v e T a s k s
nViewGuide.book Page 80 Monday, September 19, 2005 6:01 PM
Additional Notes• Remote access to Network Access Manager is most suitable from a home
environment.• Remote access to Network Access Manager provides limited access to the IP
address/mask and can also be restricted based on the IP address or subnet address.
• Remote Web access activities are stored in the Log. • To view the log from the Web interface, select Log from the ActiveArmor
Firewall > Information menu.• To save unsuccessful remote Web access messages, follow these steps:
a From the Web interface, select Log Settings from the ActiveArmor Firewall > Information menu
b Select the Resource, error, and warning option to log warning messages.• To save successful remote Web access message, follow these steps:
a Select the Resource, error, warning, and informational option.a Select the Successful packets check box to insert a check mark.
PasswordDefault: No password—the password string is empty. When you enable remote Web access, you can set a password. Note: The user name for remote access is “admin”.
IP Address and IP Address Mask — optional Default: No IP address or maskAn IP address or a subnet (specified as a combination of an IP address and an IP address mask) can be used to restrict remote access to the computer such that access is limited to computers on the indicated IP subnet.Note: To restrict access to only one computer, you can specify an IP address
and no IP address mask. Specifying an IP address mask without an IP address is invalid.
80 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 81 Monday, September 19, 2005 6:01 PM
Restore Factory DefaultsNote: Only Administrator users can restore factory default values to the
firewall.1 Click Ethernet, Firewall, or ActiveArmor to enable one of these options:
• Click Ethernet to restore factory default values to all the Ethernet-related parameters.
• Click Firewall to restore factory default values to all the firewall-related parameters.
• Click ActiveArmor to restore factory default values to all the ActiveArmor parameters.
2 After you make a selection, click Start Restore to restore the selected factory default values.An alert appears asking you to confirm whether you want to wipe out your current settings and replace them with the default values.
3 To proceed click OK. To cancel the operation, click Cancel.
Display SettingsThe Display Settings page allows you to configure the font size for the pages and the refresh rate for the statistics pages. Note: You can also view tooltip Help when you move the mouse over a
parameter name.• Statistics refresh rate (Min 1, Max 65535) controls the refresh rate of all
the statistics pages in the Web interface. • Range of values: 1 to 65535 seconds • Default: 10 seconds
• Font size controls the font size used in the Web interface. The options are:• Default font • Small font
Note: Click Apply for the changes to take effect.
N V I D I A C o r p o r a t i o n 81
C h a p t e r 6 A d m i n i s t r a t i v e T a s k s
nViewGuide.book Page 82 Monday, September 19, 2005 6:01 PM
Backup/RestoreThe Backup/Restore page allows you to backup your configuration to a file or restore your configuration from a file you specify.• Click Backup to launch the “Backup Configuration” page described below,
which will allow you to backup your configuration to a file.• Click Restore to launch the “Restore User Configuration” page described
below, which will allow you to restore the configuration you have backed up in a file.
Backup ConfigurationThe Backup Configuration page will allow you to export the current configuration into a file. You can select the filename and also provide a brief description to be added to the top of the file. Once the backup is completed, a link to the file will be provided. You can right click on the link and save the file to any folder you want.Note: Only Administrator users can backup the firewall configuration.• Backup filename is the filename of the backup file created.
Note: The default file name is export.txt• Description. You can enter a short description of the configuration you are
backing up. This description will be added to the top of the file along with the date and time of the backup.
• Configuration. You can choose any combination of the Ethernet, Firewall, and ActiveArmor components to back up. Note: If you don't choose one of the components, you will get an empty
backup file.• Backup. Click Backup to start backing up the configuration settings for the
selected components.
Restore User ConfigurationNote: Only an Administrator users can restore the firewall configurations.This Restore User Configuration page lets you restore or import the configuration settings from a backup file, which will replace all your current configuration with the values is the file. • Configuration File to Upload. Browse the folders in your computer and
choose the backup file with the configuration you want to restore.
82 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 83 Monday, September 19, 2005 6:01 PM
Note: If you don’t specify a file, the last configuration you exported will be restored.
• Restore. Click Restore to restore configuration values contained in the specified file.Note: A warning will be displayed indicating that the network interface
might have to be restarted for these settings to take effect. You might lose connection to the server but can get back to the page by clicking the Refresh once the changes are applied. To proceed click OK; to cancel the operation, click Cancel.
At the end of the restore operation, a log appears indicating any errors in the restore operation. You can restore the previous settings by clicking Restore Backup.
ForceWare Network Access Manager Software VersionFrom the main ForceWare Network Access Manager menu, click Administration - Software Version to display the Network Access Manager Software Version page. This page displays the version information for all the ForceWare Network Access Manager files you have installed on this computer.This page displays the version information of the NVIDIA networking software you have installed on this computer, which includes the NVIDIA display and networking drivers, ActiveArmor, and Network Access Manager.
N V I D I A C o r p o r a t i o n 83
C h a p t e r 7 U s i n g W M I S c r i p t
nViewGuide.book Page 84 Monday, September 19, 2005 6:01 PM
C H A P T E R
USING WMI SCRIPT
Before You BeginUsing WMI script language is recommended only for Administrators who are already familiar with programming in WMI script and who have become familiar with the syntax and characteristics of configuration parameters—see “Ethernet Parameters Reference” on page A-104 and “ActiveArmor Firewall Parameters Reference” on page B-143.Note: For further information, you may want to consult the Microsoft
documentation on WMI scripting.
Benefits of Using WMI Script WMI script programming is being used by the IT staff of larger corporations to carry out day to day maintenance work. The overall benefits of using WMI scripts include:• Industry standard—WMI can be implemented using languages such as
Visual Basic Script and JavaScript.• Ease of use
• Common scripts—allow access to NVIDIA ForceWare Network Access Manager data.
• Flexibility—The WMI script user can utilize the power of the script languages to meet almost any requirements. For example, as an Administrator, you can write a WMI script to scan for Yahoo Messenger on a computer and open the appropriate port if the computer user has sufficient rights.
84 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 85 Monday, September 19, 2005 6:01 PM
• Remote use—you can run WMI script remotely and use it as a deployment tool in an organization. See “Configuration Deployment” on page 30.
Overview WMI technology is Microsoft Windows’s implementation of Web-Based Enterprise Management (WBEM), an industry standard for management infrastructure that supports Common Information Model (CIM), Managed Object Format (MOF), and a common programming interface. WMI consists of a management infrastructure (CIM object manager) and WMI custom Providers that communicate with each other through a common programming interface using Component Object Model (COM). The WMI technology also provides support for third-party Custom Providers. Custom Providers can be used to service requests related to managed objects that are environment-specific. Providers typically do the following:• Use the MOF language to define and create classes. • Use the WMI API to
• access the CIM Object Manager (CIMOM) object repository • respond to CIMOM requests made initially by applications.
The ForceWare Network Access Manager solutions supports • CIM extension schemas • Custom Providers.For further details. see the following Web site: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmi/html/wmiscript.asp
Advanced Topics
NVIDIA NamespaceNVIDIA ForceWare Network Access Manager classes are located under root/NVIDIA namespace in the WMI repository. Note: It is strongly recommended that you do not modify anything in the
NVIDIA namespace; for example, do not add or remove classes, or
N V I D I A C o r p o r a t i o n 85
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 86 Monday, September 19, 2005 6:01 PM
C H A P T E R
USING THE NVIDIA COMMAND LINEINTERFACE (NCLI)
Conventions UsedText in “code” font (this is code font) means it is text that is displayed on your screen. Text in bold “code” font (bold code font) indicates text you type on your computer.
About Examples UsedExamples are used to show how to use the nCLI (NVIDIA Command Line Interface) command and parameters in “Expert” mode (not Interactive mode) to configure some of the networking features of the ForceWare Network Access Manager application. You can simplify the example to suit your needs. Note: Examples are also provided in the samples subdirectory, under the
default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or your user-specified path.
ParametersThe nCLI command accepts the following classes of parameters:• Single parameters contain a single value of some type.• Table parameters contain data grouped in rows. Each row follows a fixed
structure. You can only perform row operations on tables.
86 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 87 Monday, September 19, 2005 6:01 PM
• Group parameters, such as Group get is useful in that you can view the value of all parameters inside a group with one command.
• Namespace parameters are a collection of tables and other parameters. Namespace is a way to group parameters. You can only browse into a namespace. No Set or Get commands are allowed on namespace parameters.
Modes of OperationYou can run nCLI in either “Expert Mode” or “Interactive Mode”. nCLI also supports import/export functions and expert commands grouped in batch files. The key difference between expert mode and interactive mode is whether the control is switched back to command prompt when a command has completed.
Expert Mode In expert mode, the control is switched back to the command prompt after a command has completed executing.From the command prompt, if you type ncli followed by a parameter, you exit to the command prompt after the command has completed.
Interactive ModeIn interactive mode, the control remains in nCLI until you type quit to exit nCLI. You remain in the nCLI shell during interactive operations.You can enter interactive mode in two ways:
First Method1 From the command prompt, type ncli and press Enter.
The nCLI command prompt (nCLI>) appears to indicate nCLI is ready to accept a command.
2 You can now type commands in the nCLI mode without having to prefix the keyword ncli.
Second MethodEnter an incomplete command from the command prompt. For example:
ncli set ASFSupport
N V I D I A C o r p o r a t i o n 87
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 88 Monday, September 19, 2005 6:01 PM
nCLI automatically enters interactive mode. When this command completes, you will exit to the command prompt.
Using Single ParametersGet and Set are the two most frequently used nCLI operations. • Get is used to retrieve the setting of a parameter and can be invoked on
single, group, and table parameters. • Set is used to change or update the current setting of a parameter. It can be
used in an “expert” mode, where the command is done in one line, or it can be used in “interactive” mode.
Single parameter Get and Set operations are discussed with examples in the sections that follow.
Set Using the Set command in expert mode is intended for expert users to set a single parameter on a single computer. Using expert set requires knowing the correct (error-free) format or selection for the parameter and, therefore, requires familiarity with the distinguished name of the single parameter.Some frequently set parameters, such as ASFSupport enable or ASFSupport disable, are usually set using expert mode. Note: These commands can also be included in script or batch files.
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set ASFSupport enable
Set Using interactive set doesn’t require too much prior knowledge of the parameter. In the following case, the parameter to be set, FwlDHCPServer, is a selection, so the two choices are shown to help you select a value.
Example — (Interactive Mode)C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA Network Management Framework Version 01.00
ncli>set fwldhcpserver
88 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 89 Monday, September 19, 2005 6:01 PM
FwlDHCPServer:
1 Disable
2 Enable
choose one(Enable): 1
ncli>quit
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>
Get
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get ASFSupport
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ASFSupport enable
Example — (Interactive Mode)C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA Network Management Framework Version 01.00
ncli>get nv_fwlstat
FwlStatICMPInPktsAllowed 29303
FwlStatICMPInPktsDenied 19203
FwlStatICMPOutPktsAllowed 783847
FwlStatICMPOutPktsDenied 37487
FwlStatOtherInPktsAllowed 949849
FwlStatOtherInPktsDenied 389238
FwlStatOtherOutPktsAllowed 34343
FwlStatOtherOutPktsDenied 343423893
FwlStatTCPInConnectionsAllowed 123124
FwlStatTCPInConnectionsDenied 999999
FwlStatTCPInPktsAllowed 44444444049
FwlStatTCPInPktsDenied 9
FwlStatTCPOutConnectionsAllowed 10202
FwlStatTCPOutConnectionsDenied 37437
FwlStatTCPOutPktsAllowed 0
FwlStatTCPOutPktsDenied 3243244012
N V I D I A C o r p o r a t i o n 89
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 90 Monday, September 19, 2005 6:01 PM
FwlStatUDPInConnectionsAllowed 405
FwlStatUDPInConnectionsDenied 4046
FwlStatUDPInPktsAllowed 34343
FwlStatUDPInPktsDenied 2222
FwlStatUDPOutConnectionsAllowed 4047
FwlStatUDPOutConnectionsDenied 440040048
FwlStatUDPOutPktsAllowed 4444
FwlStatUDPOutPktsDenied 5555
ncli>quit
Help
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli help ASFSupport
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Enable or disable ASF (Alert Standard Format). ASF is an industry specification that defines alerting capability in both OS-present and OS-absent environments.
Using Table ParametersA table is a collection of groups (rows) that share the same fields (columns). Tables are frequently used to store the settings for firewall rules, filters, and statistics. Each row inside the table is uniquely identified by a key. A key is composed of one or more of fields of a row.
Interactive and Expert CommandsnCLI supports both interactive and expert operations on tables. • Interactive mode is recommended for average users. • Expert operations on tables are usually executed through batch files. Expert
users can also use the export/import method and text file to set up tables quickly.Note: Only expert users need to know the key format and composition.
90 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 91 Monday, September 19, 2005 6:01 PM
Expert CommandsDue to the inherent complexity, expert commands are not as intuitive as interactive commands. The syntax of an expert command is shown below. Examples are also provided in the samples subdirectory, under the default path of c:\Program Files\NVIDIA Corporation\NetworkAccessManager, or your user-specified path.
Syntaxncli addrow <tablename> <column1>=<column1value>,<column2>=<column2value>,..î
ncli editrow <tablename>.<key1>=<key1value>,<key2>=<key2value>,..î <column1>=<column1value>,<column2>=<column2value>,..î
ncli delrow <tablename>.<key1>=<key1value>,<key2>=<key2value>,..î
ExamplesIn the examples in this section:• A new row for IPv6 EtherType is added and initially set to Allow.• The table is then edited with the IPv6 EtherType rule set to Deny. • Finally, the entire row is deleted.
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType “EtherType=34525,EtherTypeName=IPv6,EtherTypeRule=Allow”
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli editrow NV_FwlEtherType.EtherType=34525” “EtherType=34525,EtherTypeName=IPv6,EtherTypeRule=Deny”
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli delrow NV_FwlEtherType.EtherType=34525
Add RowThe following example shows how to add three rows to an empty table (NV_FwlEtherType), edit the table (see “Edit Row” on page 94), and then delete (see “Delete Row” on page 94) one row.
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EtherType:2048
N V I D I A C o r p o r a t i o n 91
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 92 Monday, September 19, 2005 6:01 PM
EtherTypeName:IP
EtherTypeRule
1 Deny
2 Allow
choose one: 2
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EtherType:2054
EtherTypeName:ARP
EtherTypeRule
1 Deny
2 Allow
choose one: 2
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EtherType:32923
EtherTypeName:AppleTalk
EtherTypeRule
1 Deny
2 Allow
choose one: 1
Get RowThe command getrow displays table data one row at a time without any text being truncated.
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli getrow nv_fwlapp
. . .
. . . .
92 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 93 Monday, September 19, 2005 6:01 PM
Example — (Interactive Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>getrow nv_fwlappFwlAppCheckSum 38297wlAppCompany Microsoft CorporationwlAppCurrentLevels 16wlAppDescription LSA Shell (Export Version)wlAppName lsass.exewlAppPath c:\windows\system32\lsass.exewlAppRiskLevels 75492wlAppRule AllowwlAppRulePrompt falsewlAppVersion 5.1.2600.1106 (xpsp1.020828-1920)
Press Enter to see the next rowPress 'q' followed by Enter to exit:
FwlAppCheckSum 462721wlAppCompany Trend Micro Inc.wlAppCurrentLevels 8wlAppDescriptionwlAppName tmlisten.exewlAppPath c:\officescan nt\tmlisten.exewlAppRiskLevels 75492wlAppRule AllowwlAppRulePrompt falsewlAppVersion 6.5.0.1030
Press Enter to see the next rowPress 'q' followed by Enter to exit:
N V I D I A C o r p o r a t i o n 93
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 94 Monday, September 19, 2005 6:01 PM
Edit Row
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli editrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select a row to edit: 3
EtherType(32923)=2056
EtherTypeName(AppleTalk)=Frame Relay ARP / Inverse ARP
EtherTypeRule:
1 Deny
2 Allow
choose one(Deny): 2
Delete Row
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli delrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select a row to delete: 3
Are you sure? (y/n): Y
Help
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli help NV_FwlEtherType
# EtherType EtherTypeName EtherTypeRule 1 2048 IP Allow 2 2054 ARP Allow 3 32923 AppleTalk Deny
# EtherType EtherTypeName EtherTypeRule 1 2048 IP Allow 2 2054 ARP Allow 3 2056 Frame Relay A.. Allow
94 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 95 Monday, September 19, 2005 6:01 PM
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Firewall rules for different Data Link Layer protocols
Firewall rules for different Data Link Layer protocols (identified by Ethernet type) including IP, IPX, NetBEUI, AppleTalk and other protocols.
Set TableInvoking the nCLI set command on table parameters guides you through different operations that can be performed on a table. In the following example, a row is added to the table, then edited, and finally deleted.Note: The Set table command does not require that you to know the
addRow, delRow, and editRow command names.
Examples — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):A
EtherType:32923
EtherTypeName:AppleTalk
EtherTypeRule
1 Deny
2 Allow
choose one: 1
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):E
EtherType(32923)=33079
EtherTypeName(AppleTalk)=IPX
EtherTypeRule:
1 Deny
2 Allow
choose one(Deny): 2
N V I D I A C o r p o r a t i o n 95
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 96 Monday, September 19, 2005 6:01 PM
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli set NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):D
Select a row to delete: 3
Are you sure? (y/n): y
Get Table
Example — (Expert Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
About Other Table CommandsNote: The purge command is used to delete all the rows in the table; i.e., the
entire table. Use this command cautiously.Note: If the table has read-only access, the purge action will fail.
Syntaxpurge <tablename>
Browsing the Parameter StructureThe ForceWare networking parameters are organized in a tree structure. You can explore the tree structure. The browsing capability of nCLI is a powerful tool for non-expert use as one does not have to know the parameter’s distinguished name before using the command.
# EtherType EtherTypeName EtherTypeRule 1 2048 IP Allow 2 2054 ARP Allow 3 33079 IPX Allow
# EtherType EtherTypeName EtherTypeRule 1 2048 IP Allow 2 2054 ARP Allow
96 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 97 Monday, September 19, 2005 6:01 PM
ListThe ls or dir command lists the children of the current parameter, as shown in the next example.
Example — (Interactive Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>ls
NS_Eth
NS_NvConfig
NS_Firewall
NS_UserLog
NS_Security
ncli>ls ns_eth
NS_EthStat
NS_EthConfig
NS_ASF
NV_DriverRestartCmd
NV_DriverRestartFlag
ncli>
Changing Directory
The cd command lets you browse through the parameter tree structure.
Example 1 — (Interactive Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>ls
NS_Eth
NS_NvConfig
NS_Firewall
NS_UserLog
N V I D I A C o r p o r a t i o n 97
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 98 Monday, September 19, 2005 6:01 PM
NS_Security
ncli>cd NS_Eth
ncli>ls
NS_EthStat
NS_EthConfig
NS_ASF
NV_DriverRestartCmd
NV_DriverRestartFlag
ncli>cd ns_ethstat
ncli>ls
NV_NetworkGenStat
NV_EthStat
ncli>
Example 2 — (Interactive Mode)Invoking the cd command by itself will bring you to the root level, as shown in the following example.
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ns_eth
ncli>cd ns_ethstat
ncli>cd
ncli>
Each ForceWare Network Access Manager parameter has a unique name, which can be used within ncli> to access each individual parameter. Therefore, you do not need the complete path to get to a single parameter. The example below shows how this can help you quickly access a parameter.
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ASFSupport
ncli>pwd
<root>/NS_Eth/NS_ASF/NV_ASF/ASFSupport
ncli>
98 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 99 Monday, September 19, 2005 6:01 PM
Current Working Directory
The pwd command is used to display the path to the current parameter.
Example — (Interactive Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ns_ethstat
ncli>pwd
<root>/NS_Eth/NS_EthStat
ncli>cd
ncli>pwd
<root>
ncli>
Context-Sensitive Operationsls, cd, and pwd commands allow you to browse through the parameters. When you have entered a current parameter, all the operations you invoke will be in the context of that parameter.
Example — (Interactive Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd NV_FwlEtherTypencli>get
ncli>help
Firewall rules for different Data Link Layer protocols
Firewall rules for different Data Link Layer protocols (identified by Ethernet type) including IP, IPX, NetBEUI, AppleTalk and other protocols.
EtherType EtherTypeName EtherTypeRule 2048 IP Allow 2054 ARP Allow
N V I D I A C o r p o r a t i o n 99
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 100 Monday, September 19, 2005 6:01 PM
ncli>addrow
EtherType:2056
EtherTypeName:FrameRelay ARP/Inverse IP
EtherTypeRule
1 Deny
2 Allow
choose one: 2
ncli>get
ncli>
Text File ProcessingText file processing is intended for expert users to quickly update complex parameters and perform large configurations. For example, you can use the nCLI command line to perform interactive settings only on tables. Text file processing offers an alternative to the Get and Set parameter values in a flat text format.
ExportExport files follow a standard format that will make it compatible with Web-based management. That is, export files from nCLI can be imported using the Web-based management and export files from Web-based management can be imported using nCLI.
Syntaxexport /f <filename> <parameter_name>
Note: Either one or both of /f <filename> and <parameter_name> may be omitted.
If /f <filename> is omitted, the output of the export will be stored in frontend\backup\cliexport.txt under the directory where ForceWare Network Access Manager software is installed.
# EtherType EtherTypeName EtherTypeRule 1 2048 IP Allow 2 2054 ARP Allow 3 2056 FrameRelay AR.. Allow
100 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 101 Monday, September 19, 2005 6:01 PM
If <parameter_name> is omitted, only the current parameter and its children will be exported. An example is shown below.
Example 1 — (Interactive Mode)c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>export
............................................................
.....Finished
ncli>
Example 2 — (Interactive Mode)Selective export allows you to export only the parameter branch specified. The sample command below can be used to export only the ns_xxxx namespace.
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli export /f c:\xxxx_export.txt ns_xxxx
NVIDIA ForceWare Network Access Manager Framework Version 01.00
..Finished
Example 3 — (Interactive Mode)nCLI enables you to browse into a parameter branch and export it. The sample commands below can be used to export only the NS_Eth branch.
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ns_eth
ncli>export
ncli>
ImportBefore importing new parameter settings, old parameter settings are backed up to prevent any problems during import that could throw the system into an unknown state. If necessary, the backup file can be used to restore the system to the previous state.
N V I D I A C o r p o r a t i o n 101
C h a p t e r 8 U s i n g T h e N V I D I A C o m m a n d L i n e I n t e r f a c e ( n C L I )
nViewGuide.book Page 102 Monday, September 19, 2005 6:01 PM
Note: If nCLI encounters problems in importing parameters, it will stop processing and instruct you to restore to the previous state. Use the restore to restore to the previous state.
Syntaximport /f <filename>
If /f <filename> is omitted, the default file frontend\backup\cliexport.txt under the directory where ForceWare Network Access Manager software will be read and imported.
Support for Multiple Ethernet InterfacesSome systems have multiple NVIDIA Ethernet interfaces. Using nCLI, you can specify the command for an interface by entering the full path of the parameter, including the namespace.Note: The namespace for the first Ethernet interface is NS_Eth. Namespaces
for the second, third and forth Ethernet interfaces are NS_Eth1, NS_Eth2, NS_Eth3.
Example 1To get Ethernet information on the second Ethernet interface, the command is:
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get NS_Eth2\NS_EthConfig:NV_Eth_Jumbo.EthJumboSize
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EthJumboSize 1500
Example 2To get Ethernet information on the second Ethernet interface, the command is:
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin>ncli get NS_Eth1\NS_EthConfig:NV_EthInfo
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EthAddressPermanent 00:12:34:56:78:9A
EthConnectStatus Connected
EthDuplex Full Duplex
EthLinkMaxSpeed 1000
EthLinkSpeed 1000
EthPromiscuous Enable
102 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 103 Monday, September 19, 2005 6:01 PM
GlossarySee “Glossary” on page 201.
N V I D I A C o r p o r a t i o n 103
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 104 Monday, September 19, 2005 6:01 PM
A P P E N D I X
ETHERNET PARAMETERS REFERENCENote: For references to all the individual parameters, categorized by group, see
the entries listed for this appendix—A. Ethernet Parameters Reference—in the “Table of Contents” on page iii.
Group: Remote Wakeup
Remote Wakeup
Parameter WakeUp
Description Enables or disables Ethernet remote wake up capability. When enabled, the user can remotely turn on the power of systems across the network. For example, a network administrator can use Remote Wake Up to perform after-hours maintenance from a remote location without requiring a technician to be physically present.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthWakeUp Single: WakeUp
Usage example: nCLI Set "WakeUp" "Enable"
Access ReadWrite
Data type Selection
User selection Disable or Enable
104 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 105 Monday, September 19, 2005 6:01 PM
Remote Wakeup by Magic Packet
Remote Wakeup (Pattern Match)
Parameter WakeUpMagic
Description Enables or disables the magic packet wake-up feature. When this feature is enabled, networked computers that are in a low power state receive the “magic packet” to wake up.
Comment If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthWakeUp Single: WakeUpMagic
Usage example: nCLI Set "WakeUpMagic" "Enable"
Access ReadWrite
Restart network: Network restart is required.
Data type Selection
User selection Disable Enable
Parameter WakeUpPattern
Description Enables or disables the pattern match remote wakeup feature. When this feature is enabled, networked computers that are in a low power state receive a packet that contains a pattern specified by the operating system's network protocol to wake up.
Comment If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthWakeUp Single: WakeUpPattern
Usage example: nCLI Set "WakeUpPattern" "Enable"
Access ReadWrite
Restart network: Network restart is required.
Data type Selection
User selection Disable Enable
N V I D I A C o r p o r a t i o n 105
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 106 Monday, September 19, 2005 6:01 PM
Remote Wakeup (Link State Change)
Remote Wake Up from Hibernate or Shutdown
Parameter: WakeUpLink
Description
Enables or disables the WakeUpLink feature. Change in the link state refers to the connection or disconnection of the Ethernet network cable. When a networked computer is in a low power state, a change in the link state wakes up the computer.
Comment If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthWakeUp Single: WakeUpLink
Usage example: nCLI Set "WakeUpLink" "Enable"
Access ReadWrite
Network restart: Required
Data type Selection
User selection Disable Enable
Parameter WakeUpS4S5
Description Enables or disables the Remote Wake Up from Hibernate or Shutdown feature. Hibernate means that all devices in a networked computer are turned off. This state is saved to the computer's hard disk and is then used for a fast startup. Shutdown means that the operating system will shut down and the BIOS will be re-initialized during wake up.
Comment If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthWakeUp Single: WakeUp S4S5
Usage example: nCLI Set "WakeUpS4S5" "Enable"
Access ReadWrite
Network restart: Required
Data type Selection
User selection Disable Enable
106 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 107 Monday, September 19, 2005 6:01 PM
Group: Protocol Offload
Checksum Offload
IPv4 Transmit Checksum Offload
Parameter EthOffloadChkSum
Description Enables or disables the Ethernet checksum offload feature. Offloads increase the system performance by offloading TCP/IP CPU-intensive tasks to hardware.
Comment This feature is not supported by WMI scripting.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Offload Single: EthOffloadChkSum
Usage example nCLI Set "EthOffloadChkSum" "Enable"
Access ReadWrite
Network restart Required
Data type Selection
User selection Disable Enable
Parameter EthOffloadIPv4TxChkSum
Description Enables or disables the IPv4 Transmit Checksum Offload feature. When this feature is enabled, the operating system passes the task of calculating IP (Internet Protocol) checksums for transmitted packets to the Ethernet hardware.
Comment This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group : NV_Eth_Offload Single: EthOffloadIPv4TxChkSum
Usage example: nCLI Set "EthOffloadIPv4TxChkSum" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
N V I D I A C o r p o r a t i o n 107
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 108 Monday, September 19, 2005 6:01 PM
IPv4 Receive Checksum Offload
UDP Transmit Checksum Offload
Parameter: EthOffloadIPv4RxChkSum
Description Enables or disables the IPv4 Receive Checksum Offload feature. When this feature is enabled, the operating system passes the task of calculating IP checksums for received packets to the Ethernet hardware.
Comment This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Offload Single: EthOffloadIPv4RxChkSum
Usage example: nCLI Set "EthOffloadIPv4RxChkSum" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter EthOffloadUDPTxChkSum
Description Enable or disables the UDP (User Datagram Protocol) Transmit Checksum Offload feature. When this feature is enabled, the operating system can use the Ethernet hardware to calculate UDP checksums for transmitted packets.
Comment Not supported through WMI script. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group : NV_Eth_Offload Single: EthOffloadUDPTxChkSum
Usage example: nCLI Set "EthOffloadUDPTxChkSum" "Enable"
Access ReadWrite
Data type Selection
User selection Enable Disable
108 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 109 Monday, September 19, 2005 6:01 PM
UDP Receive Checksum Offload
TCP Transmit Checksum Offload
Parameter EthOffloadUDPRxChkSum
Description Enables or disables the UDP Receive Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate UDP checksums for received packets.
Comment This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Offload Single: EthOffloadUDPRxChkSum
Usage example: nCLI Set "EthOffloadUDPRxChkSum" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter EthOffloadTCPTxChkSum
Description Enables or disables the TCP Transmit Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate TCP checksums for transmitted packets.
Comment This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Offload Single: EthOffloadTCPTxChkSum
Usage example: nCLI Set "EthOffloadTCPTxChkSum" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
N V I D I A C o r p o r a t i o n 109
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 110 Monday, September 19, 2005 6:01 PM
TCP Receive Checksum Offload
TCP Large Send Offlload
Parameter EthOffloadTCPRxChkSum
Description Enables or disables the TCP Receive Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate TCP checksums for received packets.
Comment This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Offload Single: EthOffloadTCPRxChkSum
Usage example: nCLI Set "EthOffloadTCPxChkSum" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter EthOffloadTxLargeSend
Description Enables or disables the TCP Large Send OfflLoad feature. When the feature is enabled, the operating system can utilize the Ethernet hardware capabilities to segment large TCP packets into smaller packets. Note: This feature applies to packet transmissions only.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Offload Single: EthOffloadTxLargeSend
Usage example: nCLI Set "EthOffloadTxLargeSend" "Enable"
Access ReadWrite
Network restart Required.
Data type Selection
User selection
Disable Enable
110 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 111 Monday, September 19, 2005 6:01 PM
Group: Microsoft Operating System VLAN (Virtual LAN)
Microsoft Operating System VLAN
Parameter EthMSVLAN
Description Specifies the Virtual LAN (VLAN) ID returned by the Microsoft operating system. The VLAN ID is an identifier used by a networked computer to determine its associated VLAN. VLAN allows a set of networked computers to function as if they were not connected to the same wire even though they may be physically connected to the same segments of a Local Area Network (LAN).
Comment The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID settings. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_MSVLAN Single: EthMSVLAN
Usage example: nCLI Get "EthMSVLAN"
Access Read
Data type Number ( 32 bit )
Maximum value 4095 Minimum Value: 0
N V I D I A C o r p o r a t i o n 111
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 112 Monday, September 19, 2005 6:01 PM
Group: VLAN (Virtual LAN)
VLAN Support
VLAN ID
P arameter E th V L A N
D escrip tion Enables or d isables V LAN support. V LAN allows a netwo rk of co mputers to function as if they are not connected to the same wire even though they m ay be ph ysically located on diffe rent segments of a LAN .
C om m en t The M icrosoft V LAN ID o verrides the N V ID IA E thV LAN and E thV LAN ID values. W hen the M icrosoft V LA N ID is 0 (zero), the N V ID IA E thV LAN and E thV LAN ID are used.
H ierarch y N amesp ace: N S _Eth N amesp ace: N S _EthC onfig
G rou p : N V _Eth_M S V LAN _S etting S ingle: E thV LAN
U sage examp le: nCLI Set "EthVLAN" "Disable"
A ccess R eadW rite
D ata typ e S election
U ser selection D isable Enable
Parameter EthVLANID
Description The VLAN ID is an identifier used by a computer to determine its associated VLAN. A value of 0 (zero) means VLAN is disabled. VLAN allows a set of networked computers to function as if they were not connected to the same wire even though they may be physically connected to same segments of a LAN.
Comment The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID values. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group : NV_Eth_MSVLAN_Setting Single: EthVLANID
Usage example: nCLI Set "EthVLANID" "0"
Access ReadWrite
Data type Number ( 32 bit )
Maximum value 4095 Minimum value: 0
112 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 113 Monday, September 19, 2005 6:01 PM
Group: Jumbo Frame
Jumbo Frame Payload Size
Parameter EthJumboSize
Description Specify the Ethernet jumbo frame payload size. Jumbo frame supports larger Ethernet packet sizes to reduce server overhead and increase throughput. Payload size of 1,500 means Jumbo Frame is disabled.
Comment Jumbo frame is supported only when the connection speed is 1000 Mbps.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_EthJumbo Single: EthJumboSize
Usage example: nCLI Set "EthJumboSize" "1500"
Access ReadWrite
Network restart: Required.
Data type Selection
User selection 1500 2500 4500 9000
N V I D I A C o r p o r a t i o n 113
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 114 Monday, September 19, 2005 6:01 PM
Group: Driver Optimization
Ethernet Driver Optimization
Parameter EthOptimization
Description Allows Ethernet driver optimization by adjusting Ethernet driver operating parameters to suit different needs.
Comment This parameter is not supported through WMI Script. WMI Script users need to configure each parameter individually in the Ethernet Performance class
Hierarchy Namespace: NS_Eth Namespace: NS_ Eth_Optimization
Group: NV_ EthOptimization Single: EthJumboSize
Usage example: nCLI Set "EthOptimization" "CPU Utilization"
Access ReadWrite
Data type Selection
User selection CPU Utilization is a setting that optimizes to lower the amount of time CPU spent in processing network traffic. Note: This is the recommended and default setting. Throughput is a setting that maximizes the amount of network traffic sent and received. Multimedia is a setting that reduces the time spent per network interrupt to allow time-critical media devices to be serviced.
114 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 115 Monday, September 19, 2005 6:01 PM
Group: Ethernet Performance
Number of Receive Buffers
Number of Receive Buffer Descriptors
Parameter EthNoOfRxBuff
Description Specifies the number of receive buffers allocated by the NVIDIA Ethernet driver. Receive buffers are memory blocks used to store packets received from the network.
Comment For optimal performance, the number of receive buffers need to be at least TWICE the number of receive descriptors.
Hierarchy Namespace: NS_Eth Namespace: NS_ Eth_Config
Group: NV_ Eth_Performance Single: EthNoOfRxBuff
Usage example: nCLI Set "EthNoOfRxBuff" "512"
Access ReadWrite
Network connection: Restarting the network is required..
Data type Selection
User selection 2 4 8 16 32 64 128 256 512
Parameter EthNoOfRxDesc
Description Number of receive buffer descriptors available to the Ethernet hardware. Th is value determines the number of receive buffers that may be queued for the hardware.
Comment For optimal performance, the number of receive buffers need to be set to at least twice the number of receive descriptors.
Hierarchy Namespace: NS_Eth Namespace: NS_ Eth_Config
Group : NV_ Eth_Performance Single: EthNoNoOfRxDesc
Usage example: nCLI Set "EthNoOfRxDesc" "64"
Access ReadWrite
Netwrork connection: Restarting the network is required.
Data type Selection
User selection 2, 4 8 16 32 64 128 256
N V I D I A C o r p o r a t i o n 115
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 116 Monday, September 19, 2005 6:01 PM
Number of Transmit Buffer Descriptors
Maximum Transmit Frames Queued
Parameter EthNoOfTxDesc
Description Specifies the number of transmit buffer descriptors available to the Ethernet hardware. This value determines the number of transmit buffers that may be queued for the hardware.
Hierarchy Namespace: NS_Eth Namespace: NS_ Eth_Config
Group: NV_ Eth_Performance Single: EthNoNoOfRxDesc
Usage example nCLI Set "EthNoOfTxDesc" "256"
Access ReadWrite
Restart network Yes, required for setting to take effect.
Data type Selection
User selection
2 4
8 16
32 64 128 256 512 1024
Parameter EthMaxTxPktQueue
Description Specifies the maximum number of frames which may be queued by the Ethernet driver.
Hierarchy Namespace: NS_Eth Namespace: NS_ Eth_Config
Group: NV_ Eth_Performance Single: EthMaxTxPktQueue
Usage example: nCLI Set "EthMaxTxPktQueue" "1024"
Access ReadWrite
Network Connection: Restarting network is required.
Data type Selection
User selection 2 4
8 16
32 64
128 256
512 1024
116 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 117 Monday, September 19, 2005 6:01 PM
Number of Receive Packets to Process per Interrupt
Number of Transmit Packet to Process per Interrupt
Parameter EthNoOfRxPktToProcessEachTime
Description Specifies the number of receive packet to process per interrupt.
Hierarchy Namespace: NS_Eth Namespace: NS_ Eth_Config
Group: NV_ Eth_Performance Single: EthNoOfRxPktToProcessEachTime
Usage example: nCLI Set "EthNoOfRxPktToProcessEachTime" "1280"
Access ReadWrite
Network Connection:
Restarting network is required.
Data type Selection
User selection 10 20 40 80 160 320 640 1280
Parameter EthNoOfTxPktToProcessEachTime
Description Specifies the number of transmit packet to process per interrupt.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_ Eth_Performance Single: EthNoOfTxPktToProcessEachTime
Usage example: nCLI Set "EthNoOfTxPktToProcessEachTime" "1280"
Access ReadWrite
Network connection: Restarting the network is required.
Data type Selection
User selection 5 10 20 40 80 160 320 640 1280
N V I D I A C o r p o r a t i o n 117
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 118 Monday, September 19, 2005 6:01 PM
Interrupt Interval
Group: Traffic Prioritization
IEEE 802.1p Support
Parameter EthPollingInterval
Description Specifies the time (in milliseconds) between hardware interrupts in the hardware polling mode.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Performance Single: EthPollingInterval
Usage example: nCLI Set "EthPollingInterval" "425"
Access ReadWrite
Network connection: Restarting the network is required..
Data type Selection
User selection 0, 425
Parameter Eth8021p
Description Enables or disables Ethernet IEEE 802.1p support. IEEE 802.1p allows frames to be grouped into priority classes.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_8021p Single: Eth8021p
Usage example: nCLI Set "Eth8021p" "Disable"
Access ReadWrite
Network connection: Restarting the network is required.
Data type Selection
User selection • Disable • Enable
118 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 119 Monday, September 19, 2005 6:01 PM
Group: Ethernet Speed/Duplex
Configurable Ethernet Speed/Duplex Settings
Parameter EthSpeed
Description — Specifies the configurable Ethernet speed/duplex settings. Three types of configuration supported by the nForce built-in Ethernet controller are explained below:• Full Autonegotiation — In this configuration, the link speed and duplex settings are
adjusted automatically for maximum performance based on the advertised capabilities of both peer devices.
• Chosen Autonegotiation for a chosen speed and duplex setting — The Ethernet controller will perform autonegotiation but will only accept an outcome that matches a user selection — other possibilities will be ignored if they exist. • Note: If the user-specified combination of speed and duplex is not supported, the
link will not be established and the Ethernet controller will not drop down to the next lowest speed.
• Notes: Chosen Autonegotiation selections are listed in the “User selection” section of this table. For systems equipped with Gigabit Ethernet PHY (physical layer transceivers), the Autonegotiate for 1000 Mbps selection is available. Otherwise, only the 100/10 Mbps selections are available.Autonegotiate for 1000 Mbps Half Duplex is not available as it is not supported by the nForce Ethernet controller.
• Forced Configuration to a chosen speed and duplex setting— The Ethernet controller will not perform autonegotiation but will be programmed according to user specification, even if the peer device does not support the “forced configuration” setting. Forced Configuration is useful for situations where the network speed and duplex modes are static and the Ethernet controller settings have to be forced to match, or for situations in which the peer device may not properly support autonegotiation or support it at all. Also, when the nForce Ethernet controller is connected to a managed switch that can be configured for a particular speed and duplex setting, using the Forced Configuration setting avoids wasted time in autoconfiguration when the link is being established. • Note: Regardless of the situation, you must be sure to configure both devices with
the same link parameters. • Notes: Forced Configuration selections are listed in the “User selection” section of
this table. Force to 1000 Mbps full duplex is not an available selection because Gigabit Ethernet connections require autonegotiation.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfigGroup: NV_Eth_SpeedSingle: EthSpeed
Usage example nCLI Set "EthSpeed" "Full Autonegotiation"
Access ReadWrite
Restart network? Yes, required for changes to take effect.
N V I D I A C o r p o r a t i o n 119
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 120 Monday, September 19, 2005 6:01 PM
Link Speed
Data type Selection
User selections • Full Autonegotiation• Chosen Autonegotiation
• Autonegotiate for 1000 mbps Full Duplex• Autonegotiate for 100 mbps Full Duplex• Autonegotiate for 100 mbps Half Duplex• Autonegotiate for 10 mbps Full Duplex• Autonegotiate for 10 mbps Half Duplex
• Forced Autonegotiation• Force 100 mbps Full Duplex• Force 100 mbps Half Duplex• Force 10 mbps Full Duplex• Force 10 mbps Half Duplex
Parameter EthLinkSpeed
Description Specifies the current speed (in Mbps) of the Ethernet device.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthInfo Single: EthLinkSpeed
Usage example: nCLI Get "EthLinkSpeed"
Access Read
Data type Number ( 32 bit )
Maximum Value 10000
Minimum Value 0
120 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 121 Monday, September 19, 2005 6:01 PM
Maximum Link Speed
Duplex Setting
Parameter EthLinkMaxSpeed
Description Specifies the maximum speed (in Mbps) at which the Ethernet interface can operate.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthInfo Single: EthLinkMaxSpeed
Usage example: nCLI Get "EthLinkMaxSpeed"
Access Read
Data type Number ( 32 bit )
Maximum Value 10000
Minimum Value 0
Parameter EthDuplex
Description Specifies the current Ethernet interface duplex setting. Full duplex means that the Ethernet interface on both ends of a link can receive and transmit data simultaneously over the cable. Half duplex means that either the transmit or the receive operation can occur at a given time.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthInfo Single: EthDuplex
Usage example: nCLI Get "EthDuplex"
Access Read
Data type Selection
User selection Half Duplex Full Duplex
N V I D I A C o r p o r a t i o n 121
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 122 Monday, September 19, 2005 6:01 PM
Link Status
Promiscuous Mode
Parameter EthConnectStatus
Description Displays the current Ethernet link status. When the Ethernet link is disconnected, the remote configuration tool will not function.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthInfo Single: EthConnectStatus
Usage example: nCLI Get "EthConnectStatus"
Access Read
Data type Selection
User selection Connected Disconnected
Parameter EthPromiscuous
Description When this parameter is enabled, all packets (including frames addressed for other stations) that arrive at this Ethernet interface are received.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthInfo Single: EthPromiscuous
Usage example: nCLI Get "EthPromiscuous"
Access Read
Data type Selection
User selection Disable Enable
122 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 123 Monday, September 19, 2005 6:01 PM
Permanent Ethernet Address
Group: Ethernet Address
Current Ethernet Address
Parameter EthAddressPermanent
Description Specifies the fixed Ethernet address encoded in the hardware.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_EthInfo Single: EthAddressPermanent
Usage example: nCLI Get "EthAddressPermanent"
Access Read
Data type MAC Address
Parameter EthAddressCurrent
Description Specifies the Ethernet address currently being used. The Ethernet interface then uses the Current Ethernet Address in place of the Permanent Ethernet Address.
Comment Format of Ethernet address should be: XX:XX:XX:XX:XX:XX
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_Address Single: EthAddressCurrent
Usage example: nCLI Set "EthAddressCurrent" "0C:12:34:56:78:9A"
Access ReadWrite
Network connection: Restarting the network is required.
Data type MAC Address
N V I D I A C o r p o r a t i o n 123
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 124 Monday, September 19, 2005 6:01 PM
Group: Network Interface information
Computer (Machine) Name
IP Address
Parameter MachineName
Description Specifies the unique name that is used to identify a computer on the network domain. The computer (machine) name is specified through the operating system and must be unique within a network domain.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_InterfaceInfo Single: MachineName
Usage example: nCLI Get "MachineName"
Access Read
Data type String
Maximum length 64
Parameter IPAddress
Description Specifies the IP address of the current Ethernet interface.
Comment If an interface has multiple IP addresses and masks, only the first set returned by the operating system is shown.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_InterfaceInfo Single: IPAddress
Usage example: nCLI Get "IPAddress"
Access Read
Data type String
Maximum length 64
124 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 125 Monday, September 19, 2005 6:01 PM
IP Address Mask
Parameter IPAddressMask
Description Specifies the IP address mask of the current Ethernet interface.
Comment If an interface has multiple IP addresses and masks, only the first set returned by the operating system is shown.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_InterfaceInfo Single: IPAddressMask
Usage example: nCLI Get "IPAddressMask"
Access Read
Data type String
Maximum length 64
N V I D I A C o r p o r a t i o n 125
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 126 Monday, September 19, 2005 6:01 PM
Group: Factory Default
Factory Default
Table: Multicast Address List
Multicast Address List
Parameter EthDefault
Description Restores the Ethernet factory default settings.
Comment Restore factory default feature is not available through WMI scripting.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Group: NV_Eth_FactoryDefault Single: EthDefault
Usage example: nCLI Set "EthDefault" "Restore"
Access ReadWrite
Data type Selection
User selection NoRestore Restore
Table Parameter
NV_Eth_MulticastAddress
Description Specifies a list of multicast addresses from which the Ethernet interface will receive frames. The Ethernet multicast packet refers to packets addressed to a group of recipients.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Table: NV_Eth_MulticastAddress
Usage example: nCLI Get "NV_Eth_MulticastAddress"
Access Read
Single parameter
EthMulticast (See the next tabe for details on the EthMulticast parameter.)
126 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 127 Monday, September 19, 2005 6:01 PM
Multicast Addresses (Single Parameter)
Group: Ethernet Statistics
Frames Received with Alignment Error
Parameter EthMulticast
Description The Ethernet multicast packet refers to packets addressed to a group of recipients.
Hierarchy Namespace: NS_Eth Namespace: NS_EthConfig
Table: NV_Eth_MulticastAddress Single: EthMulticast
Access Read
Table key This parameter is a key to the table
Data type MAC Address
Parameter EthReceiveErrorAlign
Description Specifies the number of received frames with alignment errors.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthReceiveErrorAlign
Usage example: nCLI Get "EthReceiveErrorAlign"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 127
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 128 Monday, September 19, 2005 6:01 PM
Frames Transmitted After One Collision
Frames Transmitted After Two or More Collisions
Parameter EthTransmitOneCollision
Description Specifies the number of frames that successfully transmitted after encountering one collision.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthTransmitOneCollision
Usage example: nCLI Get "EthTransmitOneCollision"
Access Read
Data type Number ( 64 bit )
Parameter EthTransmitMoreCollision
Description Specifies the number of frames that successfully transmitted after encountering two or more collisions.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthTransmitMoreCollision
Usage example: nCLI Get "EthTransmitMoreCollision"
Access Read
Data type Number ( 64 bit )
128 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 129 Monday, September 19, 2005 6:01 PM
Frames Transmitted After Deferral
Display Name Frames Exceed Maximum Collision
Parameter EthTransmitDeferred
Description Specifies the number of frames that successfully transmitted after the Ethernet hardware defers transmission at least once.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthTransmitDeferred
Usage example: nCLI Get "EthTransmitDeferred"
Access Read
Data type Number ( 64 bit )
Parameter EthTransmitMaxCollision
Description Specifies the number of frames not transmitted because of excessive collisions.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthTransmitMaxCollision
Usage example: nCLI Get "EthTransmitMaxCollision"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 129
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 130 Monday, September 19, 2005 6:01 PM
Frames with Overrun Errors
Frames with Underrun Errors
Parameter EthReceiveOverrun
Description Specifies the number of frames not received because of overrun errors. An overrun error occurs when the Ethernet hardware receives more data than it can process.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthReceiveOverrun
Usage example: nCLI Get "EthReceiveOverrun"
Access Read
Data type Number ( 64 bit )
Parameter EthTransmitUnderrun
Description Specifies the number of frames not transmitted because of underrun errors. An underrun error occurs when the Ethernet hardware cannot transmit frames because the data is not available within the expected time.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthTransmitUnderrun
Usage example: nCLI Get "EthTransmitUnderrun"
Access Read
Data type Number (64 bit )
130 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 131 Monday, September 19, 2005 6:01 PM
Frames with Heartbeat Failure
Carrier Sense (CRS) Signal Lost
Parameter EthTransmitHeartbeatFail
Description Specifies the number of frames transmitted without detection of the collision-detect heartbeat.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthTransmitHeartbeatFail
Usage example: nCLI Get "EthTransmitHeartbeatFail"
Access Read
Data type Number ( 64 bit )
Parameter EthTransmitTimesCRSLost
Description Specifies the number of times the CRS signal has been lost during packet transmission.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_EthStat Single: EthTransmitTimesCRSLost
Usage example: nCLI Get "EthTransmitTimesCRSLost"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 131
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 132 Monday, September 19, 2005 6:01 PM
Late Collisions
Group: General Networking Statistics
Successfully Transmitted Frames
Parameter EthTransmitLateCollisions
Description The number of collisions detected after the normal detection period.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat\
Group: NV_EthStat Single: EthTransmitLateCollisions
Usage example: nCLI Get "EthTransmitLateCollisions"
Access Read
Data type Number ( 64 bit )
Parameter TransmitOK
Description Specifies the number of frames transmitted without errors.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_ NetworkGenStat Single: TransmitOK
Usage example: nCLI Get "TransmitOK"
Access Read
Data type Number ( 64 bit )
132 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 133 Monday, September 19, 2005 6:01 PM
Successfully Received Frames
Transmit Failures
Receive Failures
Parameter ReceiveOK
Description Specifies the number of frames that the network card has received without errors.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_NetworkGenStat Single: ReceiveOK
Usage example: nCLI Get "ReceiveOK"
Access Read
Data type Number ( 64 bit )
Parameter TransmitError
Description Specifies the number of frames that failed to transmit.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_NetworkGenStat Single: TransmitError
Usage example: nCLI Get "TransmitError"
Access Read
Data type Number ( 64 bit )
Parameter ReceiveError
Description Specifies the number of frames that are received but not passed to the operating system because of errors.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group : NV_NetworkGenStat Single: ReceiveError
Usage example: nCLI Get "ReceiveError"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 133
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 134 Monday, September 19, 2005 6:01 PM
No Receive Buffers
Direct Frames Received
Multicast Frames Received
Parameter ReceiveNoBuffer
Description The number of frames that are dropped because of lack of space for receive buffers.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group : NV_NetworkGenStat Single: ReceiveNoBuffer
Usage example: nCLI Get "ReceiveNoBuffer"
Access Read
Data type Number ( 64 bit )
Parameter ReceiveFramesDirect
Description The number of packets received without errors and addressed to the local Ethernet address.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group : NV_NetworkGenStat Single: ReceiveFramesDirect
Usage example: nCLI Get "ReceiveFramesDirect"
Access Read
Data type Number ( 64 bit )
Parameter ReceivedFramesMulticast
Description Specifies the number of multicast frames received without errors.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group : NV_NetworkGenStat Single: ReceiveFramesMulticast
Usage example: nCLI Get "ReceiveFramesMulticast"
Access Read
Data type Number ( 64 bit )
134 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 135 Monday, September 19, 2005 6:01 PM
Broadcast Frames Received
Group: Alert Standard Format
ASF Support
Parameter ReceiveFramesBroadcast
Description Specifies the number of broadcast frames received without errors.
Hierarchy Namespace: NS_Eth Namespace: NS_EthStat
Group: NV_NetworkGenStat Single: ReceiveFramesBroadcast
Usage example: nCLI Get "ReceiveFramesBroadcast"
Access Read
Data type Number ( 64 bit )
Parameter ASFSupport
Description Enables or disables the ASF (Alert Standard Format) feature. ASF is a industry specification that defines alerting capability in both operating system-present and operating system-absent environments.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASF Single: ASFSupport
Usage example: nCLI Set "ASFSupport" "Disable"
Access ReadWrite
Data type Selection
User selection Disable Enable
N V I D I A C o r p o r a t i o n 135
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 136 Monday, September 19, 2005 6:01 PM
ASF Destination IP Address
ASF Send Count
Parameter ASFDestIPAddr
Description Specifies the IP address of the managing station computer that is receiving the ASF alert frames. For ASF to be functional, the destination IP address must be specified.
Comment Only the IPv4 (not IPv6) address is supported. Note: If ASFSupport is set to Disable, th is parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group : NV_ASF Single: ASFDestIPAddr
Usage example: nCLI Set "ASFDestIPAddr" ""
Access ReadWrite
Data type String
Maximum length 15
Parameter ASFSendCount
Description Specifies the number of times an ASF alert will be sent out for a given event. If the value is more than one, the alert is sent at an interval of approximately 1 second. This is a global setting applied across all events.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASF Single: ASFSendCount
Usage example: nCLI Set "ASFSendCount" "1"
Access ReadWrite
Data type Selection
User selection 0 1 2 3
136 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 137 Monday, September 19, 2005 6:01 PM
Group: ASF Information
ASF Destination MAC Address
Group: System Fails to Boot Alert
System Fails to Boot Alert
Parameter ASFDestMACAddr
Description Displays the MAC address of the managing station computer that is receiving the ASF alert frames.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventInfo Single: ASFDestNACAddr
Usage example: nCLI Get "ASFDestMACAddr"
Access Read
Data type MAC Address
Parameter ASFEventBootFailure
Description This ASF alert is triggered when the operating system fails to start up.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventBootFailure Single: ASFEventootFailure
Usage example: nCLI Set "ASFEventBootFailure" "Disable"
Access ReadWrite
Data type Selection
User selection Disable Enable
N V I D I A C o r p o r a t i o n 137
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 138 Monday, September 19, 2005 6:01 PM
Group: Fan Problem Alert
Fan Problem Alert
Group: ASF SMBus Error
ASF SMBus Error
Param eter ASFEventFanProblem
Description Th is alert is triggered if the CP U fan is running at a low speed or has stopped, which can cause the CPU or system temperature to increase.
Comm ent If ASFSupport is set to Disable, this param eter value is ignored.
Hierarch y Nam espace: NS_Eth Nam espace: NS_ASF
Group : NV_ASFEventFanProblem Single: ASFEventFanProblem
Usage exam ple: nCLI Set "ASFEventFanProblem" "Disable"
Access ReadW rite
Data type Selection
User selection Disable Enable
Parameter ASFEventSMBusError
Description This alert packet is sent when there is a SM Bus (System Management Bus) error. The SM Bus is a two-wire interface through which the system can communicate with simple power-related chips.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group : NV_ASFEventSM BusError Single: ASFEventSMBusError
Usage example: nCLI Set "ASFEventSMBusError" "Disable"
Access ReadWrite
Data type Selection
User selection Disable Enable
138 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 139 Monday, September 19, 2005 6:01 PM
Group: ASF WOL Alert
ASF Wake On Lan (WOL) Alert
Group: ASF Heartbeat Alert
ASF Heartbeat Alert Interval
Parameter ASFEventWOL
Description This alert is triggered when the system is wakened through the wake on LAN feature.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group : NV_ASFEventWOL Single: ASFEventWOL
Usage example: nCLI Set "ASFEventWOL" "Disable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter ASFHeartbeatInterval
Description Set the interval (in seconds) between ASF heartbeat alerts.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventHeartbeatInterval Single: ASFEventHeartbeatInterval
Usage example: nCLI Set "ASFHeartbeatInterval" "10 seconds"
Access ReadWrite
Data type Selection
User selection 10 seconds 20 seconds
30 seconds 45 seconds
1 minute 2 minutes
3 minutes 5 minutes
7.5 minutes 10 minutes
N V I D I A C o r p o r a t i o n 139
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 140 Monday, September 19, 2005 6:01 PM
Group: ASF Operating System Hung Alert
ASF Operating System Hung Alert
Group: ASF Power Button Alert
ASF Power Button Alert
Parameter ASFEventOSHung
Description This alert is triggered when the operating system is hung and the driver software or the operating system is not servicing the interrupts generated by the network interfaces.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventOSHung Single: ASFEventOSHung
Usage example: nCLI Set "ASFEventOSHung" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter ASFEventPowerButton
Description Enables or disables the power button alert. This alert is triggered each time the user presses the power button for shutting down or turning on the computer.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventPowerButton Single: ASFEventPowerButton
Usage example: nCLI Set "ASFEventPowerButton" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
140 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 141 Monday, September 19, 2005 6:01 PM
Group: ASF System Hot Alert
ASF System Hot Alert
Group: ASF CPU Overheated Alert
ASF CPU Overheat Alert
Parameter ASFEventSystemHot
Description This alert is triggered when the temperature in the computer has exceeded a threshold limit.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventSystemHot Single: ASFEventSystemHot
Usage example: nCLI Set "ASFEventSystemHot" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter ASFEventCPUOverheated
Description This alert is triggered when the temperature of the CPU exceeds a threshold.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventCPUOverheated Single: ASFEventCPUOverheated
Usage example: nCLI Set "ASFEventCPUOverheated" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
N V I D I A C o r p o r a t i o n 141
A p p e n d i x A E t h e r n e t P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 142 Monday, September 19, 2005 6:01 PM
Group: ASF CPU Overheated Alert
ASF CPU Hot Alert
Group: ASF Case Intrusion Alert
ASF Case Intrusion Alert
Parameter ASFEventCPUHot
Description This alert is triggered when the fan in the CPU is not functioning or the CPU temperature is increasing.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventCPUHot Single: ASFEventCPUHot
Usage example: nCLI Set "ASFEventCPUHot" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter ASFEventCaseIntrusion
Description This alert is triggered when the computer’s case is opened.
Comment If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy Namespace: NS_Eth Namespace: NS_ASF
Group: NV_ASFEventCaseIntrusion Single: ASFEventCaseIntrusion
Usage example: nCLI Set "ASFEventCaseIntrusion" "Disable"
Access ReadWrite
Data type Selection
User selection Disable Enable
142 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 143 Monday, September 19, 2005 6:01 PM
A P P E N D I X
ACTIVEARMOR FIREWALL PARAMETERSREFERENCE
Note: For references to all the individual parameters, categorized by group, see the entries listed for this appendix—B. ActiveArmor Firewall Parameters Reference—in the “Table of Contents” on page iii.
Group: Configure Firewall Security Level
Configure Firewall Security Level
Parameter Fw lProfiles
Description Selects a default security level or configure a custom security level, which is a set of rules that determines the policy that the firewall follows.
Com ment This parameter is not supported through W M I script. For CLI user who wants to customize the firewall settings and not use a pre-defined profile, change the firewall security level to one of the custom levels: Note: For details on the settings, see the next section.
H ierarchy N am espace: N S_Firew all G roup: N V _FwlProfiles
Single: FwlProfiles
Usage example nCLI Set "FwlProfiles" "Medium"
Access ReadW rite
Data type Selection
O ff Low M edium H igh Lockdown User selection
Anti-hacking only Custom1 Custom2 Custom3
N V I D I A C o r p o r a t i o n 143
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 144 Monday, September 19, 2005 6:01 PM
About the FwlProfiles SettingsThe FwlProfiles parameter is supported through the WMI scripting language. If you are a CLI user and want to customize the ActiveArmor Firewall settings without using a pre-defined profile, change the firewall security level to one of the custom levels described below. • The Lockdown profile settings blocks all incoming and outgoing traffic,
except locally generated ASF alerts. Lockdown drops all traffic packets, except outbound Alert Standard Format (ASF) packets, and the ActiveArmor Firewall Intelligent Application Manager (IAM) is disabled.
• High is an extremely secure setting. However, due to the stringent filtering rules associated with this setting, many applications may not work as expected and some applications may not work at all. This setting has the following features and functionality:• Allows the least amount of traffic through. • Only outbound connections may be established. Inbound connections are
not allowed. Inbound traffic is allowed only if it is in response to an outbound packet that was seen previously on a valid connection.
• Encompasses what is commonly known as “stealth mode” in which the station cannot be “pinged” and is not allowed to generate any ICMP error messages, except where necessary for normal operation.
• Allows VPNs, including those based on IPsec (requiring AH, ESP, L2TP, IKE, UDP port 500), as well as those that rely on point-to-point punneling protocol (PPTP), which uses generic routing encapsulation (GRE).
• Restricts network traffic by preventing the use of IP and/or TCP options, which might otherwise be misused, as well as by preventing the spoofing of IP source addresses for both IPv4 and IPv6.
• Medium (the default profile setting after installation) is intended to provide a good balance between usability and security, with an emphasis on security.This setting has the following features and functionality:• It is the factory “default” profile setting when the ActiveArmor Firewall is
enabled.• It does not have the “stealth” features associated with the High profile
setting and therefore allows most (but not all) ICMP error messages to be sent and received.
• Blocks most incoming connections with the “default” action of Deny. In order to allow file transfers through MSN Messenger and Yahoo! Messenger, incoming connections to port 80 must be allowed.
144 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 145 Monday, September 19, 2005 6:01 PM
Note: MSN Messenger and Yahoo! Messenger will not work with the High setting.
• Allows dynamic ports to be opened up from the inside only: Default in: DenyDefault out: Allow
• Supports outgoing NetMeeting calls. • Allows VPNs based on both IPsec and on PPTP. • Restricts network traffic by preventing the use of IP and/or TCP options,
which might otherwise be misused, as well as by preventing the spoofing of IP source addresses for both IPv4 and IPv6.
• Low is the least secure of the profile settings, but allows most applications to work properly. This setting allows “safe” incoming connections, denies those that are known to be dangerous, and defaults to allow TCP or UDP connections for which a rule has not been specified. Additional features and functionality of this setting include the following:• Allows mostly all ICMP traffic, except for sending router-oriented (e.g.,
router advertisement) or deprecated (e.g., source quench) (Type, Code) pairs.
• Allows bi-directional dynamic ports to be opened. Default in: AllowDefault out: AllowFor example, the Low setting supports the NetMeeting application in either direction.
• Allows VPNs based on both IPsec and PPTP.• Restricts network traffic by preventing the use of IP and/or TCP options,
which might otherwise be misused, as well as by preventing the spoofing of IP source addresses for both IPv4 and IPv6.
• The Anti-hacking only profile setting enables only the anti-hacking features of the ActiveArmor Firewall and is useful in a dual firewall configuration—for example, if you want to use a third-party firewall product along with the anti-hacking features of the ActiveArmor Firewall. Note: The Antihacking only setting disables the IAM, ActiveArmor, and
the ActiveArmor Firewall, allowing most incoming and outgoing network traffic**. The logging of ActiveArmor Firewall messages will proceed as usual, as long as you have enabled one of the logging message types in the ActiveArmor Firewall Log Settings page.
N V I D I A C o r p o r a t i o n 145
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 146 Monday, September 19, 2005 6:01 PM
** If you are using the Antihacking only setting with a third-party firewall, then this third-party firewall controls the incoming and outgoing network traffic; it will probably deny most incoming and outgoing network traffic. However, the ActiveArmor Firewall will still continue to log messages pertaining to the Antihacking only setting, as long as you have enabled one of the log message types in the ActiveArmor Firewall Log Settings page. For additional information, see “ActiveArmor Firewall Logging” on page 63.
• Off turns off the IAM, ActiveArmor, and the ActiveArmor Firewall, allowing all incoming and outgoing network traffic.
Group: Configure Firewall Options
Disallow Promiscuous Mode
Parameter FwlPromiscuous
Description When this parameter is enabled, the firewall prevents applications from setting the NVIDIA network interface to promiscuous mode. Promiscuous mode is primarily used by packet sniffing software.
Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions
Single: FwlPromiscuous
Usage example: nCLI Set "FwlPromiscuous" "Enable"
Access ReadWrite
Data type Selection
User selection Enable Disable
146 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 147 Monday, September 19, 2005 6:01 PM
Disallow DHCP Server
Block Outbound Spoofed IP Packets
Parameter FwlDHCPServer
Description When this option is enabled, the firewall prevents a DHCP (Dynamic Host Configuration Protocol) server process in the computer from using the NVIDIA network interface to communicate using the DHCP protocol. The DHCP server is used to assign IP addresses to client computers.
Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions
Single: FwlDHCPServer
Usage example: nCLI Set "FwlDHCPServer" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter FwlAntiIPSpoofing
Description When this parameter is enabled, the firewall blocks any application on the NVIDIA network interface from sending network traffic using an IP address different than the one assigned to the interface. Such network packets are called spoofed IP packets, and this feature, also known as “anti-IP-spoofing,” is intended to prevent the NVIDIA network interface from participating in distributed denial of service attacks.
Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions
Single: FwlAntiIPSpoofing
Usage example: nCLI Set "FwlAntiIPSpoofing" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
N V I D I A C o r p o r a t i o n 147
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 148 Monday, September 19, 2005 6:01 PM
Block Spoofed ARP Packets
Block UDPv4 with No UDP Checksum
Parameter FwlAntiARPSpoofing
Description When this parameter is enabled, the firewall filters out any ARP packets sent by an offending computer (i.e, a computer that pretends to be another computer by altering the local ARP cache). Such network packets are called spoofed ARP packets and this feature is also known as “anti-ARP-spoofing”.
Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions
Single: FwlAntiARPSpoofing
Usage example: nCLI Set "FwlAntiARPSpoofing" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
Parameter FwlChecksumUDP
Description When this parameter is enabled, the firewall drops any UDP datagram that has no UDP checksum if it is inside an IPv4 packet (UDP checksums are optional when used over IPv4, but are mandatory when used over IPv6).
Hierarchy Namespace: NS_Firewall Group: NV_FwlOptions
Single: FwlChecksumUDP
Usage example: nCLI Set "FwlChecksumUDP" "Enable"
Access ReadWrite
Data type Selection
User selection Disable Enable
148 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 149 Monday, September 19, 2005 6:01 PM
Group: EtherType Default Rule
EtherType Default Rule
Group: IP Address/Mask Default Rule
IP Address/Mask Default Action
Parameter FwlEtherTypeDefault
Description This rule is applied when a packet contains an EtherType that does not match any rule in the EtherType rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlEtherTypeDefault
Single: FwlEtherTypeDefault
Usage example: nCLI Set "FwlEtherTypeDefault" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
Parameter FwlIPDefault
Description This action is applied when a packet contains an IP address/mask that does not match any rule in the IP rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlIPDefault
Single: FwlIPDefault
Usage example: nCLI Set "FwlIPDefault" "Allow"
Access ReadWrite
Data type Selection
User selection Deny Allow
N V I D I A C o r p o r a t i o n 149
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 150 Monday, September 19, 2005 6:01 PM
Group: Domain Name Default Rule
Domain Name Default Rule
Group: IP Option Default Rule
Inbound IP Option Default Rule
Parameter FwlDomainDefault
Description This rule is applied when a DNS packet contains a domain name that does not match any rule in the domain name rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlDomainDefault
Single: FwlDomainDefault
Usage example: nCLI Set "FwlDomainDefault" "Allow"
Access ReadWrite
Data type Selection
User selection Deny Allow
Parameter FwlIPOptionDefaultIn
Description This rule is applied when an inbound packet contains an IP option that does not match any rule in the IP option rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlIPOptionDefault
Single: FwlIPOptionDefaultIn
Usage example: nCLI Set "FwlIPOptionDefaultIn" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
150 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 151 Monday, September 19, 2005 6:01 PM
Outbound IP Option Default Rule
Group: IP Protocol Default Rule
IP Protocol Default Rule
Parameter FwlIPOptionDefaultOut
Description This rule is applied when an outbound packet contains an IP option that does not match any rule in the IP option rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlIPOptionDefault
Single: FwlIPOptionDefaultOut
Usage example: nCLI Set "FwlIPOptionDefaultOut" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
Parameter FwlIPProtocolDefault
Description This rule is applied when a packet contains an IP protocol that does not match any rule in the IP protocol rule table
Hierarchy Namespace: NS_Firewall Group: NV_FwlIPProtocolDefault
Single: FwlIPProtocolDefault
Usage example: nCLI Set "FwlIPProtocolDefault" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
N V I D I A C o r p o r a t i o n 151
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 152 Monday, September 19, 2005 6:01 PM
Group: Port Number Default Rule
Inbound Port Number Default Rule
Outbound Port Number Default Rule
Parameter FwlPortDefaultIn
Description This rule is applied when an inbound packet contains a UDP or TCP port that does not match any rule in the Port rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlPortDefault
Single: FwlPortDefaultIn
Usage example nCLI Set "FwlPortDefaultIn" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
Parameter FwlPortDefaultOut
Description This rule is applied when an outbound packet contains a UDP or TCP port that does not match any rule in the Port rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlPortDefault
Single: FwlPortDefaultOut
Usage example: nCLI Set "FwlPortDefaultOut" "Allow"
Access ReadWrite
Data type Selection
User selection Deny Allow
152 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 153 Monday, September 19, 2005 6:01 PM
Group: TCP Options Default Rule
TCP Options Default Rule
Group: ICMP Messages Default Rule
Inbound ICMP Default Rule
Parameter FwlTCPOptionDefault
Description This rule is applied when a packet contains a TCP option that does not match any rule in the TCP option rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlTCPOptionDefault
Single: FwlTCPOptionDefault
Usage example: nCLI Set "FwlTCPOptionDefault" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
Parameter FwlICMPDefaultIn
Description This rule is applied when an inbound packet contains an ICMP type/code pair that does not match any rule in the ICMP rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlICMPDefault
Single: FwlICMPDefaultIn
Usage example: nCLI Set "FwlICMPDefaultIn" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
N V I D I A C o r p o r a t i o n 153
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 154 Monday, September 19, 2005 6:01 PM
Outbound ICMP Default Rule
Group: Clear Firewall Statistics
Clear Firewall Statistics
Parameter FwlICMPDefaultOut
Description This rule is applied when an outbound packet contains an ICMP type/code pair that does not match any rule in the ICMP rule table.
Hierarchy Namespace: NS_Firewall Group: NV_FwlICMPDefault
Single: FwlICMPDefaultOut
Usage example: nCLI Set "FwlICMPDefaultOut" "Deny"
Access ReadWrite
Data type Selection
User selection Deny Allow
Parameter FwlStatClearAll
Description Clears all firewall statistics.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStatClear
Single: FwlStatClearAll
Usage example: nCLI Set "FwlStatClearAll" "Clear"
Access ReadWrite
Data type Selection
User selection Clear
154 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 155 Monday, September 19, 2005 6:01 PM
Group: Firewall Statistics
Allowed Inbound UDP Datagrams
Denied Inbound UDP Datagrams I
Allowed Outbound UDP Datagrams
Parameter FwlStatUDPInPktsAllowed
Description Specifies the number of inbound UDP datagrams allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatUDPInPktsAllowed
Usage example: nCLI Get "FwlStatUDPInPktsAllowed"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatUDPInPktsDenied
Description Number of inbound UDP datagrams denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatUDPInPktsDenied
Usage example nCLI Get "FwlStatUDPInPktsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatUDPOutPktsAllowed
Description Number of outbound UDP datagrams allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatUDPOutPktsAllowed
Usage example: nCLI Get "FwlStatUDPOutPktsAllowed"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 155
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 156 Monday, September 19, 2005 6:01 PM
Denied Outbound UDP Datagrams
Denied Inbound UDP Connections
Allowed Outbound UDP Connections
Parameter FwlStatUDPOutPktsDenied
Description Number of outbound UDP datagrams denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatUDPOutPktsDenied
Usage example: nCLI Get "FwlStatUDPOutPktsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatUDPInConnectionsDenied
Description Number of inbound UDP connections denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatUDPInConnectionsDenied
Usage example: nCLI Get "FwlStatUDPInConnectionsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatUDPOutConnectionsAllowed
Description Number of outbound UDP connections allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group : NV_FwlStat
Single: FwlStatUDPOutConnectionsAllowed
Usage example: nCLI Get "FwlStatUDPOutConnectionsAllowed"
Access Read
Data type Number ( 64 bit )
156 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 157 Monday, September 19, 2005 6:01 PM
Denied Outbound UDP Connections
Allowed Inbound TCP Segments
Denied Inbound TCP Segments
Parameter FwlStatUDPOutConnectionsDenied
Description Number of outbound UDP connections denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatUDPOutConnectionsDenied
Usage example: nCLI Get "FwlStatUDPOutConnectionsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatTCPInPktsAllowed
Description Number of inbound TCP segments allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatTCPInPktsAllowed
Usage example: nCLI Get "FwlStatTCPInPktsAllowed"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatTCPInPktsDenied
Description Number of inbound TCP segments denied by the firewall.
Hierarchy Namespace: NS_Firewall Namespace: NS_Firewall
Single: FwlStatTCPInPktsDenied
Usage example: nCLI Get "FwlStatTCPInPktsDenied"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 157
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 158 Monday, September 19, 2005 6:01 PM
Allowed Outbound TCP Segments
Denied Outbound TCP Segments
Allowed Inbound TCP Connections
Parameter FwlStatTCPOutPktsAllowed
Description Number of outbound TCP segments allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatTCPOutPktsAllowed
Usage example: nCLI Get "FwlStatTCPOutPktsAllowed"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatTCPOutPktsDenied
Description Number of outbound TCP segments denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatTCPOutPktsDenied
Usage example: nCLI Get "FwlStatTCPOutPktsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatTCPInConnectionsAllowed
Description Number of inbound TCP connections allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatTCPInConnectionsAllowed
Usage example: nCLI Get "FwlStatTCPInConnectionsAllowed"
Access Read
Data type Number ( 64 bit )
158 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 159 Monday, September 19, 2005 6:01 PM
Denied Inbound TCP Connections
Allowed Outbound TCP Connections
Denied Outbound TCP Connections
Parameter FwlStatTCPInConnectionsDenied
Description Number of inbound TCP connections denied by the firewall.
Hierarchy Namespace: NS_Firewall Group : NV_FwlStat
Single: FwlStatTCPInConnectionsDenied
Usage example: nCLI Get "FwlStatTCPInConnectionsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatTCPOutConnectionsAllowed
Description Number of outbound TCP connections allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group : NV_FwlStat
Single: FwlStatTCPOutConnectionsAllowed
Usage example: nCLI Get "FwlStatTCPOutConnectionsAllowed"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatTCPOutConnectionsDenied
Description Number of outbound TCP connections denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatTCPOutConnectionsDenied
Usage example: nCLI Get "FwlStatTCPOutConnectionsDenied"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 159
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 160 Monday, September 19, 2005 6:01 PM
Allowed Inbound ICMP Packets
Denied Inbound ICMP Packets
Allowed Outbound ICMP Packets
Parameter FwlStatICMPInPktsAllowed
Description Number of inbound ICMP packets allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatICMPInPktsAllowed
Usage example: nCLI Get "FwlStatICMPInPktsAllowed"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatICMPInPktsDenied
Description Number of inbound ICMP packets denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatICMPInPktsDenied
Usage example: nCLI Get "FwlStatICMPInPktsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatICMPOutPktsAllowed
Description Number of outbound ICMP packets allowed by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatICMPOutPktsAllowed
Usage example: nCLI Get "FwlStatICMPOutPktsAllowed"
Access Read
Data type Number ( 64 bit )
160 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 161 Monday, September 19, 2005 6:01 PM
Denied Outbound ICMP Packets
Other Allowed Inbound Packets
Other Denied Inbound Packets
Parameter FwlStatICMPOutPktsDenied
Description Specifies the number of outbound ICMP packets denied by the firewall.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatICMPOutPktsDenied
Usage example: nCLI Get "FwlStatICMPOutPktsDenied"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatOtherInPktsAllowed
Description Specifies the number of inbound packets allowed by the firewall that are not UDP, TCP, or ICMP.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatOtherInPktsAllowed
Usage example: nCLI Get "FwlStatOtherInPktsAllowed"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatOtherInPktsDenied
Description Number of inbound packets denied by the firewall that are not UDP, TCP, or ICMP.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatOtherInPktsDenied
Usage example: nCLI Get "FwlStatOtherInPktsDenied"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 161
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 162 Monday, September 19, 2005 6:01 PM
Other Allowed Outbound Packets
Other Denied Outbound Packets
Parameter FwlStatOtherOutPktsAllowed
Description Number of outbound packets allowed by the firewall that are not UDP, TCP, or ICMP.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatOtherOutPktsAllowed
Usage example: nCLI Get "FwlStatOtherOutPktsAllowed"
Access Read
Data type Number ( 64 bit )
Parameter FwlStatOtherOutPktsDenied
Description Specifies the number of outbound packets denied by the firewall that are not UDP, TCP, or ICMP.
Hierarchy Namespace: NS_Firewall Group: NV_FwlStat
Single: FwlStatOtherOutPktsDenied
Usage example: nCLI Get "FwlStatOtherOutPktsDenied"
Access Read
Data type Number ( 64 bit )
162 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 163 Monday, September 19, 2005 6:01 PM
Group: Factory Default
Factory Default
Group: Flush DNS Cache
Flush DNS Cache
Parameter FwlDefault
Description Specifies to restore all firewall settings to the factory default.
Comment This parameter is not supported through WMI scripting.
Hierarchy Namespace: NS_Firewall Group: NV_Fwl_Default
Single: FwlDefault
Usage example: nCLI Set "FwlDefault" "NoRestore"
Access ReadWrite
Data type Selection
User selection NoRestore Restore
Parameter FwlFlushDNS
Description Specifies to flush the operating system DNS cache.
Comment DNS cache needs to be flushed when Firewall Domain Name configuration is changed.
Hierarchy Namespace: NS_Firewall Group: NV_FwlFlushDNS
Single: FwlFlushDNS
Usage example nCLI Set "FwlFlushDNS" "Clear"
Access ReadWrite
Data type Selection
User selection Clear
N V I D I A C o r p o r a t i o n 163
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 164 Monday, September 19, 2005 6:01 PM
Table: EtherType Rules
Ether Type
Table parameter NV_FwlEtherType
Description Specifies table to configure EtherType firewall ru les. As part of the Ethernet header, the EtherType is used to identify the type of Ethernet payload. Example payloads include IPv4, AppleTalk, IPX, and NetBEUI.
Comment For EtherType that does not match any rule in the table, default setting in FwlEtherTypeDefault w ill be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType
Usage example nCLI AddRow "NV_FwlEtherType" "EtherType=2048,EtherTypeName=Internet Protocol version 4 (IPv4) (RFC 791),EtherTypeAction=Allow" _______________________________________________________ nCLI EditRow "NV_FwlEtherType.EtherType=2048" "EtherTypeName=Address Resolution Protocol (ARP) (RFC 826),EtherTypeAction=Allow" _______________________________________________________ nCLI DelRow "NV_FwlEtherType.EtherType=2048"
Access ReadWrite
Single parameters EtherType
EtherTypeName EtherTypeAction
Parameter EtherType
Description The EtherType identifies the type of Ethernet payload. Some exam ples and their hexadecimal values include IPv4 (0x0800), AppleTalk (0x809B), IPX (0x8137) and NetBEUI (0x8191).
Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType
Single: EtherType
Access ReadW rite
Table key This parameter is a key to the table
Data type Number ( 32 bit )
M aximum value 65535
M inimum value 1501
164 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 165 Monday, September 19, 2005 6:01 PM
EtherType Name
EtherType Action
Parameter EtherTypeName
Description Name associated with the EtherType.
Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType
Single: EtherTypeName
Access ReadWrite
Data type String
M aximum Length 60
Parameter EtherTypeAction
Description Specifies action for the EtherType.
Hierarchy Namespace: NS_Firewall Table: NV_FwlEtherType
Single: EtherTypeAction
Access ReadW rite
Data type Selection
User selection Deny Allow
N V I D I A C o r p o r a t i o n 165
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 166 Monday, September 19, 2005 6:01 PM
Table: IP Address/Mask Rule
Remote IP Address
Table parameter NV_FwlIP
Description Specifies table to configure firewall rules based on IP addresses/masks.
Comment For IP address/mask pair that does not match any rule in the table, default setting in FwlIPDefault will be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIP
Usage example nCLI AddRow "NV_FwlIP" "IPRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,IPRemoteIPMask=32,IPAction=Allow" ___________________________________________________________ nCLI DelRow "NV_FwlIP.IPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',IPRemoteIPMask='32'"
Access ReadWrite
Single parameter IPRemoteIP IPRemoteIPMask IPLocalIP IPLocalIPMask IPAction
Parameter IPRemoteIP
Description IP address of the remote machine or subnet.
Tree Namespace: NS_Firewall Table: NV_FwlIP
Single: IPRemoteIP
Access ReadWrite
Table key This parameter is a key to the table
Data type IP Address
166 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 167 Monday, September 19, 2005 6:01 PM
Remote IP Address Mask
IP Action
Parameter IPRemoteIPMask
Description IP address mask of the remote machine or subnet.
Tree Namespace: NS_Firewall Table: NV_FwlIP
Single: IPRemoteIPMask
Access ReadWrite
Table key This parameter is a key to the table
Data type IP Mask Length
Parameter IPAction
Description Specifies the action for network traffic.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIP Single: IPAction
Access ReadWrite
Data type Selection
User selection Deny Allow
N V I D I A C o r p o r a t i o n 167
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 168 Monday, September 19, 2005 6:01 PM
Table: Domain Names Rule
Domain Name
Table parameter: NV_FwlDomain
Description Specifies the table to configure domain name rules. Domain name is a user-friendly name used to identify a Web site; for example, www.nvidia.com. The firewall blocks DNS lookups of domain names. You can bypass this filter by directly entering an IP address (if the IP address is known) instead of a domain name to access a Web site.
Comment CLI users need to flush DNS cache for domain name rules to take effect. To flush DNS cache, set FwlFlushDNS. For a given domain name that does not match any rule in the table, the default setting in FwlDomainDefault will be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlDomain
Usage example: nCLI AddRow "NV_FwlDomain" "DomainName=www.dummy.com,DomainAction=Deny" _______________________________________________________ nCLI EditRow "NV_FwlDomain.DomainName='www.dummy.com'" "DomainAction=Deny" ________________________________________________________ nCLI DelRow "NV_FwlDomain.DomainName='www.dummy.com'"
Access ReadWrite
Single Parameter DomainName DomainAction
DomainLocalIP DomainLocalIPMask
Parameter DomainName
Description Domain name of the computer or Web site
Hierarchy Namespace: NS_Firewall Table: NV_FwlDomain
Single: DomainName
Access ReadWrite
Table key This parameter is a key to the table
Data type String
Maximum Length 127
168 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 169 Monday, September 19, 2005 6:01 PM
Domain Action
Table: IP Option Rules
Parameter DomainAction
Description Specifies action for network traffic.
Hierarchy Namespace: NS_Firewall Table: NV_FwlDomain
Single: DomainAction
Access ReadWrite
Data type Selection
User selection Deny Allow
Table parameter NV_FwlIPOption
Description Specifies the table to configure IP option rules. IPv4 options are added to the basic IPv4 header to provide additional features beyond those that are supported by the standard IPv4 packet's header. The standard 20-byte IPv4 header can be expanded to have up to 40 bytes of options. IPv6 options have no fixed size, but are otherwise similar to IPv4 options and provide for many of the same features.
Comment For an IP option that does not match any rule in the table, the default setting in FwlIPOptionDefault will be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption
Usage example nCLI AddRow "NV_FwlIPOption" "IPOptionNumber=0,IPOptionName=End of Option List,IPOptionVersion=IPv4,IPOptionActionIn=Allow,IPOptionActionOut=Allow" _________________________________________________________ nCLI EditRow "NV_FwlIPOption.IPOptionNumber=0,IPOptionVersion=4" "IPOptionName=Pad-1 (i.e., one octet of padding),IPOptionActionIn=Allow,IPOptionActionOut=Allow" ________________________________________________________ nCLI DelRow "NV_FwlIPOption.IPOptionNumber=0,IPOptionVersion=4"
Access ReadWrite
Single parameter IPOptionNumber IPOptionName
IPOptionVersion IPOptionActionIn
IPOptionActionOut
N V I D I A C o r p o r a t i o n 169
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 170 Monday, September 19, 2005 6:01 PM
IP Option Number
IP Option Name
Parameter IPOptionNumber
Description IP option number. IPv4 options are added to the basic IPv4 header to provide additional features beyond those that are supported by the standard IPv4 packet's header. The standard 20-byte IPv4 header can be expanded to have up to 40 bytes of options. IPv6 options have no fixed size, but are otherwise similar to IPv4 options and provide for many of the same features.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption
Single: IPOptionNumber
Access ReadWrite
Table key This parameter is a key to the table
Data type Number ( 32 bit )
Maximum Value 255 Minimum Value: 0
Parameter IPOptionName
Description Specifies name associated with the IP option number.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption
Single: IPOptionName
Access ReadWrite
Data type String
Maximum Length 60
170 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 171 Monday, September 19, 2005 6:01 PM
IP Version
IP Inbound Action
IP Outbound Action
Parameter IPOptionVersion
Description Specifies whether ru le is for IPv4 or IPv6.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption
Single: IPOptionVersion
Access ReadWrite
Table key This parameter is a key to the table
Data type Selection
User selection IPv4 IPv6
Parameter IPOptionActionIn
Description Specifies action for inbound network traffic.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption
Single: IPOptionActionIn
Access ReadWrite
Data type Selection
User selection Allow Deny
Parameter IPOptionActionOut
Description Specifies action for outbound network traffic.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPOption
Single: IPOptionActionOut
Access ReadWrite
Data type Selection
User selection Allow Deny
N V I D I A C o r p o r a t i o n 171
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 172 Monday, September 19, 2005 6:01 PM
Table: IP Protocol Rule
IP Protocol
Table parameter NV_FwlIPProtocol
Description Specifies table to configure IP protocol rules. IP protocol identifies the type of IP payload. ICMP, TCP and UDP are examples of common IP payloads.
Comment For an IP protocol that does not match any rule in the table, the default setting in FwlIPProtocolDefault will be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol
Usage example: nCLI AddRow "NV_FwlIPProtocol" "IPProtocol=1,IPProtocolName=Internet Control Message Protocol for IPv4 (ICMP),IPProtocolAction=Allow" _____________________________________________________ nCLI EditRow "NV_FwlIPProtocol.IPProtocol=1" "IPProtocolName=Internet Group Management Protocol for IPv4 (IGMP),IPProtocolAction=Allow" ______________________________________________________ nCLI DelRow "NV_FwlIPProtocol.IPProtocol=1"
Access ReadWrite
Single Parameters IPProtocol IPProtocolName IPProtocolAction
Parameter IPProtocol
Description Specifies the IP protocol number. IP protocol identifies the type of IP payload. Common protocols and their decimal values include ICMP (1), TCP (6), and UDP (17).
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol
Single: IPProtocol
Access ReadWrite
Table key This parameter is a key to the table
Data type Number ( 32 bit )
Maximum Value 255
Minimum Value 0
172 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 173 Monday, September 19, 2005 6:01 PM
IP Protocol Name
IP Protocol Action
Parameter IPProtocolName
Description Specifies a name for an IP protocol.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol
Single: IPProtocolName
Access ReadWrite
Data type String
Maximum Length 60
Parameter IPProtocolAction
Description Specifies the action for network traffic.
Hierarchy Namespace: NS_Firewall Table: NV_FwlIPProtocol
Single: IPProtocolAction
Access ReadWrite
Data type Selection
User selection Deny Allow
N V I D I A C o r p o r a t i o n 173
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 174 Monday, September 19, 2005 6:01 PM
Table: TCP/UDP Port Rule Parameter name NV_FwlPort
Description Specifies the table to configure TCP or UDP port rules. Port numbers are used by TCP or UDP to identify sending and receiving applications. Some common ports include HTTP (80), TELNET (23) and SMTP (25).
Comment For a TCP/UDP port that does not match any rule in the table, the default setting in FwlPortDefault will be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Usage examples nCLI AddRow "NV_FwlPort" "PortActionIn=Deny,PortActionOut=Deny,PortRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,PortRemoteIPMask=32,PortName=Reserved,PortRangeBegin=0,PortRangeEnd=0,PortProtocol=Both" ________________________________________________________ nCLI EditRow "NV_FwlPort.PortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',PortRemoteIPMask='32',PortRangeBegin=0,PortRangeEnd=0,PortProtocol=0" "PortActionIn=Deny,PortActionOut=Allow,PortName=Time (RFC 868)" ________________________________________________________ nCLI DelRow "NV_FwlPort.PortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',PortRemoteIPMask='32',PortRangeBegin=0,PortRangeEnd=0,PortProtocol=0"
Access ReadWrite
Single parameter PortActionIn PortActionOut PortRemoteIP
PortRemoteIPMask PortLocalIP PortRangeBegin
PortRangeEnd PortLocalIPMask
PortName PortProtocol
174 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 175 Monday, September 19, 2005 6:01 PM
TCP/UDP Port Outbound Action
Remote IP Address
Remote IP Subnet Mask
Parameter PortActionOut
Description Specifies outbound action for the network connection.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Single: PortActionOut
Access ReadWrite
Data type Selection
User selection Deny Allow
Parameter PortRemoteIP
Description IP address of the remote machine or subnet.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Single: PortRemoteIP
Access ReadWrite
Table key This parameter is a key to the table
Data type IP Address
Parameter PortRemoteIPMask
Description Specifies the IP address mask of the remote machine or subnet.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Single: PortRemoteIPMask
Access ReadWrite
Table key This parameter is a key to the table
Data type IP Mask Length
N V I D I A C o r p o r a t i o n 175
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 176 Monday, September 19, 2005 6:01 PM
Port Name
Beginning Port Number
Ending Port Number
Parameter PortName
Description Specifies thename associated with the TCP or UDP port range.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Single: PortName
Access ReadWrite
Data type String
Maximum Length 100
Parameter PortRangeBegin
Description Specifies the first UDP or TCP port in the range.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Single: PortRangeBegin
Access ReadWrite
Table key This parameter is a key to the table
Data type Number ( 32 bit )
Maximum Value 65535
Parameter PortRangeEnd
Description Specifies the last UDP or TCP port in the range.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Single: PortRangeEnd
Access ReadWrite
Table key This parameter is a key to the table
Data type Number ( 32 bit )
Maximum Value 65535
176 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 177 Monday, September 19, 2005 6:01 PM
Port Protocol
Table: TCP Options Rule
Parameter PortProtocol
Description Specifies whether the port protocol is UDP, TCP, or both.
Hierarchy Namespace: NS_Firewall Table: NV_FwlPort
Single: PortProtocol
Access ReadWrite
Table key This parameter is a key to the table
Data type Selection
User selection UDP TCP
Table parameter NV_FwlTCPOption
Description Specifies the table to configure the TCP options rule. TCP options are added to the standard 20-byte TCP header to provide additional features that typically can only be used if they are negotiated at the beginning of a TCP connection.
Comment For a given TCP option that does not match any rule in the table, the default setting in FwlTCPOptionDefault will be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlTCPOption
Usage examples: nCLI AddRow "NV_FwlTCPOption" "TCPOptionNumber=0,TCPOptionName=End of Option List (RFC 793),TCPOptionAction=Allow" _______________________________________________________ nCLI EditRow "NV_FwlTCPOption.TCPOptionNumber=0" "TCPOptionName=No Operation (RFC 793),TCPOptionAction=Allow" _______________________________________________________ nCLI DelRow "NV_FwlTCPOption.TCPOptionNumber=0"
Access ReadWrite
Single parameters TCPOptionNumber TCPOptionName TCPOptionAction
N V I D I A C o r p o r a t i o n 177
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 178 Monday, September 19, 2005 6:01 PM
TCP Option Number
TCP Option Name I
TCP Option Action
Parameter TCPOptionNumber
Description Represents the TCP option number. TCP options are added to the standard 20-byte TCP header to provide additional features that typically can only be used if they are negotiated at the beginning of a TCP connection.
Hierarchy Namespace: NS_Firewall Table: NV_FwlTCPOption
Single: TCPOptionNumber
Access ReadWrite
Table key This parameter is a key to the table
Data type Number (32 bit)
Maximum Value 255 Minimum Value: 0
P aram eter T C P O p tion N am e
D es crip tion S p ecif ies a n am e asso cia ted w ith a TC P o p tio n n um b er.
H ie rarch y S in g le : TC P O p tio n N am e N am es p ace : N S _ F irew all T ab le: N V _ F w lTC P O p tio n
S in g le : TC P O p tio n N am e
A ccess R ead W rite
D ata typ e S trin g
M ax im u m L eng th 60
Parameter TCPOptionAction
Description Specifies the action for network traffic containing a given TCP option number.
Hierarchy Namespace: NS_Firewall Table: NV_FwlTCPOption
Single: TCPOptionAction
Access ReadW rite
Data type Selection
User selection Deny Allow
178 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 179 Monday, September 19, 2005 6:01 PM
Table: ICMP Rules
Remote IP Address
Table parameter NV_Fw lICM P
Description Specifies the table to configure ICMP message rules. ICM P communicates error, diagnostic and control messages. Examples of ICM P messages include echo (i.e., ping) and 'destination unreachable'.
Comment For an ICMP message that does not match any rule in the table, the default setting in FwlICM PDefault will be used.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICM P
Usage examples: nCLI AddRow "NV_FwlICMP" "ICMPRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,ICMPRemoteIPMask=32,ICMPType=0,ICMPCode=0,ICMPName=Echo reply (RFC792),ICMPVersion=ICMPv4,ICMPActionIn=Allow,ICMPActionOut=Allow" _______________________________________________________ nCLI EditRow "NV_FwlICMP.ICMPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',ICMPRemoteIPMask='32',ICMPType=0,ICMPCode=0,ICMPVersion=4" "ICMPName=Not assigned,ICMPActionIn=Deny,ICMPActionOut=Deny _______________________________________________________ nCLI DelRow "NV_FwlICMP.ICMPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',ICMPRemoteIPMask='32',ICMPType=0,ICMPCode=0,ICMPVersion=4"
Access ReadWrite
Single Parameters ICMPRemoteIP ICMPRemoteIPM ask ICMPLocalIP
ICMPLocalIPM ask ICMPType ICMPCode
ICMPName ICMPVersion
ICMPActionIn ICMPActionOut
Parameter ICMPRemoteIP
Description Specifies the IP address of the remote machine or subnet.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMPRemoteIP
Access ReadWrite
Table key This parameter is a key to the table
Data type IP Address
N V I D I A C o r p o r a t i o n 179
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 180 Monday, September 19, 2005 6:01 PM
Remote IP Subnet Mask
ICMP Type
ICMP Code
Parameter ICMPRemoteIPMask
Description Specifies the IP address mask of the remote machine or subnet.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMPRemoteIPMask
Access ReadWrite
Table key This parameter is a key to the table
Data type IP Mask Length
Parameter ICM PType
Description Specifies the ICMP type
Hierarch y Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMP Type
Access ReadW rite
Table key Th is param eter is a key to the table
Data type Number (32 bit)
M aximum value 255 M inimum Value: 0
Parameter ICM PCode
Description Specifies the ICMP code.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMPCode
Access ReadW rite
Table key This parameter is a key to the table
Data type Number ( 32 bit )
M aximum value 255 M inimum Value: 0
180 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 181 Monday, September 19, 2005 6:01 PM
ICMP Name
ICMP Version
ICMP Inbound Action
Parameter ICMPName
Description Specifies a name for the ICMP type/code pair.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMPName
Access ReadWrite
Data type String
Maximum Length 120
Parameter ICMPVersion
Description Specifies whether the rule is for ICMPv4 or ICMPv6.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMPVersion
Access ReadWrite
Table key This parameter is a key to the table
Data type Selection
User selection ICMPv4 ICMPv6
Parameter ICMPActionIn
Description Specifies the action for inbound network traffic.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMPActionIn
Access ReadWrite
Data type Selection
User selection Deny Allow
N V I D I A C o r p o r a t i o n 181
A p p e n d i x B A c t i v e A r m o r F i r e w a l l P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 182 Monday, September 19, 2005 6:01 PM
ICMP Outbound Action
Parameter ICMPActionOut
Description Specifies the action for outbound network traffic.
Hierarchy Namespace: NS_Firewall Table: NV_FwlICMP
Single: ICMPActionOut
Access ReadWrite
Data type Selection
User selection Deny Allow
182 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 183 Monday, September 19, 2005 6:01 PM
A P P E N D I X
ACTIVEARMOR SECURE NETWORKENGINE (SNE) PARAMETERS REFERENCENote: For references to all the individual parameters, categorized by group, see
the entries listed for this appendix—C. NVIDIA ActiveArmor Parameters Reference—in the “Table of Contents” on page iii.
Group: Feature ControlsThese are the overall controls for high-level ActiveArmor functions. They determine which connections are handled by ActiveArmor. ActiveArmor Secure Network Engine (SNE)
ActiveArmor SNE
Parameter HOT
Description Enables or disables all ActiveArmor functionality.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTControls
Single: HOT
Usage example nCLI Set "HOT" "Enabled"
Access ReadWrite
Factory default value Enabled
Data type Selection
N V I D I A C o r p o r a t i o n 183
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 184 Monday, September 19, 2005 6:01 PM
Group: Offload Default
Offload Default
Group: ActiveArmor Factory Default
Factory Default
User Selection Disabled
User Selection Enabled
Parameter HOTAppDefault
Description Configure the default offload behavior of any connections not listed in the ActiveArmor application table or the port table.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTAppDefault
Single: HOTAppDefault
Usage example nCLI Set "HOTAppDefault" "Offloadable"
Access ReadWrite
Factory default value Offloadable
Data type Selection
User Selection NotOffloadable
User Selection Offloadable
Parameter HOTDefault
Description Restores the ActiveArmor factory default settings
External Comment Restore factory default feature is not available through WMI Script.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOT_FactoryDefault
Single: HOTDefault
Usage example nCLI Set "HOTDefault" "NoRestore"
Access ReadWrite
184 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 185 Monday, September 19, 2005 6:01 PM
Table: Offloadable IP Address and Port Ranges
Offloadable IP Address and Port Ranges
Factory default value NoRestore
Data type Selection
User Selection NoRestore
User Selection Restore
Table Parameter NV_HOTPort
Description Defines the offload behavior of specific IP addresses and ports.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Usage example nCLI AddRow "NV_HOTPort" "HOTPortLo-calIP=0000:0000:0000:0000:0000:FFFF:0000:0000,HOTPortLo-calIPMask=32,HOTPortRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,HOTPortRemoteIPMask=32,HOTPortRangeBegin=0,HOT-PortRangeEnd=0,HOTPortOffloadPriority=Default,HOTPortOff-loadIn=NotOffloadable,HOTPortOffloadOut=NotOffloadable" nCLI DelRow "NV_HOTPort.HOTPortLo-calIP='0000:0000:0000:0000:0000:FFFF:0000:0000',HOTPortLo-calIPMask='32',HOTPortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',HOTPortRemoteIPMask='32',HOTPortRangeBe-gin=0,HOTPortRangeEnd=0"
Access ReadWrite
Single Parameter HOTPortLocalIP (See “Local IP Address” on page 186.)
Single Parameter HOTPortLocalIPMask (See “Local IP Subnet Mask” on page 186.)
Single Parameter HOTPortRemoteIP (See “Remote IP Address” on page 186.)
Single Parameter HOTPortRemoteIPMask (See “Remote IP Subnet Mask” on page 187.)
Single Parameter HOTPortRangeBegin (See “Beginning Port Number” on page 187.)
Single Parameter HOTPortRangeEnd (See “Ending Port Number” on page 188.)
Single Parameter HOTPortOffloadIn (See “Offload Setting for Inbound Connection” on page 188.)
Single Parameter HOTPortOffloadOut (See “Offload Setting for Outbound Connection” on page 189.)
N V I D I A C o r p o r a t i o n 185
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 186 Monday, September 19, 2005 6:01 PM
Local IP Address
Local IP Subnet Mask
Remote IP Address
Parameter HOTPortLocalIP
Description Specifies the local or source IP address.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row:Single: HOTPortLocalIP
Access ReadWrite
Factory default value 0000:0000:0000:0000:0000:FFFF:0000:0000
Table key This parameter is a key to the table
Data type IP Address
Parameter HOTPortLocalIPMask
Description Specifies the local or source IP subnet mask
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row:Single: HOTPortLocalIPMask
Access ReadWrite
Factory default value 32
Table key This parameter is a key to the table
Data type IP Mask Length
Parameter HOTPortRemoteIP
Description IP address of the remote machine or subnet.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row: Single: HOTPortRemoteIP
186 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 187 Monday, September 19, 2005 6:01 PM
Remote IP Subnet Mask
Beginning Port Number
Access ReadWrite
Factory default value 0000:0000:0000:0000:0000:FFFF:0000:0000
Table key This parameter is a key to the table
Data type IP Address
Parameter HOTPortRemoteIPMask
Description IP address mask of the remote machine or subnet.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row: Single: HOTPortRemoteIPMask
Access ReadWrite
Factory default value 32
Table key This parameter is a key to the table
Data type IP Mask Length
Parameter HOTPortRangeBegin
Description First UDP or TCP port in the range.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row: Single: HOTPortRangeBegin
Access ReadWrite
Factory default value 0
Table key This parameter is a key to the table
Data type Number ( 32 bit )
Maximum Value 65535
N V I D I A C o r p o r a t i o n 187
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 188 Monday, September 19, 2005 6:01 PM
Ending Port Number
Offload Setting for Inbound Connection
Parameter HOTPortRangeEnd
Description Last UDP or TCP port in the range.
External Comment Ending port number value should be equal or greater than starting port number.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row: Single: HOTPortRangeEnd
Access ReadWrite
Factory default value 0
Table key This parameter is a key to the table
Data type Number ( 32 bit )
Maximum Value 65535
Parameter HOTPortOffloadIn
Description Specifies if the inbound connection within this port number range will be handled by ActiveArmor.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row: Single: HOTPortOffloadIn
Access ReadWrite
Factory default value NotOffloadable
Data type Selection
User Selection NotOffloadable
User Selection Offloadable
188 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 189 Monday, September 19, 2005 6:01 PM
Offload Setting for Outbound Connection
Table: Application Offload Control
Application Offload Control Table
Parameter HOTPortOffloadOut
Description Specifies if the outbound connection within this port number range will be handled by ActiveArmor.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTPort
Row: Single: HOTPortOffloadOut
Access ReadWrite
Factory default value NotOffloadable
Data type Selection
User Selection NotOffloadable
User Selection Offloadable
Table Parameter NV_HOTApp
Description Defines the offload behavior of specified applications.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTApp
Usage example nCLI AddRow "NV_HOTApp" "HOTAppIPAd-dress=0000:0000:0000:0000:0000:FFFF:0000:0000,HOTAppIP-Mask=32,HOTAppFileName=example.exe,HOTAppPath=c:,HOTAppOffloadPriority=Default,HOTAppOffloadIn=NotOffloadable,HOTAp-pOffloadOut=NotOffloadable" nCLI DelRow "NV_HOTApp.HOTAp-pIPAddress='0000:0000:0000:0000:0000:FFFF:0000:0000',HOTAppIPMask='32',HOTAppFileName='example.exe',HOTAppPath='c:'"
Access ReadWrite
Single Parameter HOTAppIPAddress (See “IP Address” on page 190.)
Single Parameter HOTAppIPMask (See “IP Subnet Mask” on page 190.)
Single Parameter HOTAppFileName (See “Application Filename” on page 191.)
N V I D I A C o r p o r a t i o n 189
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 190 Monday, September 19, 2005 6:01 PM
IP Address
IP Subnet Mask
Single Parameter HOTAppPath (See “Application Path” on page 191.)
Single Parameter HOTAppOffloadIn (See “Offload Enable/Disable for Inbound Connection” on page 192.)
Single Parameter HOTAppOffloadOut (See “Offload Enable/Disable for Outbound Connection” on page 192.)
Parameter HOTAppIPAddress
Description Defines the remote IP address or subnet.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTApp
Row: Single: HOTAppIPAddress
Access ReadWrite
Factory default value 0000:0000:0000:0000:0000:FFFF:0000:0000
Table key This parameter is a key to the table
Data type IP Address
Parameter HOTAppIPMask
Description Remote IP subnet mask applied to the remote IP address.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTApp
Row: Single: HOTAppIPMask
Access ReadWrite
Factory default value 32
Table key This parameter is a key to the table
Data type IP Mask Length
190 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 191 Monday, September 19, 2005 6:01 PM
Application Filename
Application Path
Parameter HOTAppFileName
Description The name of the application (up to 255 characters). The name is used by ActiveArmor to identify an application that will be handled by ActiveArmor.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTApp
Row: Single: HOTAppFileName
Access ReadWrite
Factory default value example.exe
Table key This parameter is a key to the table
Data type String
Maximum Length 255
Parameter HOTAppPath
Description Directory where the application file resides.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTApp
Row: Single: HOTAppPath
Access ReadWrite
Factory default value c:
Table key This parameter is a key to the table
Data type String
Maximum Length 255
N V I D I A C o r p o r a t i o n 191
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 192 Monday, September 19, 2005 6:01 PM
Offload Enable/Disable for Inbound Connection
Offload Enable/Disable for Outbound Connection
Group: ActiveArmor StatisticsThese are global statistics pertaining to ActiveArmor that are designed to aid performance monitoring and tuning. The statistics are derived from all connections maintained by ActiveArmor.
Parameter HOTAppOffloadIn
Description Specifies if this application's inbound connection will be handled by ActiveArmor.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTApp
Row: Single: HOTAppOffloadIn
Access ReadWrite
Factory default value NotOffloadable
Data type Selection
User Selection NotOffloadable
User Selection Offloadable
Parameter HOTAppOffloadOut
Description Specifies if this application's outbound connection will be handled by ActiveArmor.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTApp
Row: Single: HOTAppOffloadOut
Access ReadWrite
Factory default value NotOffloadable
Data type Selection
User Selection NotOffloadable
User Selection Offloadable
192 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 193 Monday, September 19, 2005 6:01 PM
Received TCP Payload Bytes
Transmitted TCP Payload Bytes
Received TCP Segments
Parameter HotStatTotalRxBytes
Description The total number of data bytes that have been received.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatTotalRxBytes
Usage example nCLI Get "HotStatTotalRxBytes"
Access Read
Data type Number ( 64 bit )
Parameter HotStatTotalTxBytes
Description The total number of data bytes that have been transmitted.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatTotalTxBytes
Usage example nCLI Get "HotStatTotalTxBytes"
Access Read
Data type Number ( 64 bit )
Parameter HotStatTotalRxSegments
Description The total number of TCP segments that have been received.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatTotalRxSegments
Usage example nCLI Get "HotStatTotalRxSegments"
Access Read
Data type Number ( 64 bit )
N V I D I A C o r p o r a t i o n 193
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 194 Monday, September 19, 2005 6:01 PM
Transmitted TCP Segments
Retransmitted TCP Segments
Total ICMP “Destination Unreachable” Packets Received
Parameter HotStatTotalTxSegments
Description The total number of TCP segments that have been transmitted.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatTotalTxSegments
Usage example nCLI Get "HotStatTotalTxSegments"
Access Read
Data type Number ( 64 bit )
Parameter HotStatTotalReTxSegments
Description The total number of TCP segments that have been retransmitted.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatTotalReTxSegments
Usage example nCLI Get "HotStatTotalReTxSegments"
Access Read
Data type Number ( 64 bit )
Parameter HotStatICMPDestUnreachable
Description The total number of ICMP “Destination Unreachable” packets that were received.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatICMPDestUnreachable
Usage example nCLI Get "HotStatICMPDestUnreachable"
Access Read
Data type Number ( 64 bit )
194 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 195 Monday, September 19, 2005 6:01 PM
IP Fragments Received
IP Packets Received with Options
TCP Segments Received with Valid Reset Flag Set
Parameter HotStatIPv4FragmentsRx
Description The total number of IP fragments, which were re-assembled into TCP segments.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatIPv4FragmentsRx
Usage example nCLI Get "HotStatIPv4FragmentsRx"
Access Read
Data type Number ( 64 bit )
Parameter HotStatIPv4OptionsRx
Description The total number of IP packets received with any IP options.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatIPv4OptionsRx
Usage example nCLI Get "HotStatIPv4OptionsRx"
Access Read
Data type Number ( 64 bit )
Parameter HotStatValidResetsRx
Description The total number of valid TCP segments with the RST flag set that were received.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatValidResetsRx
Usage example nCLI Get "HotStatValidResetsRx"
N V I D I A C o r p o r a t i o n 195
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 196 Monday, September 19, 2005 6:01 PM
TCP Segments Transmitted with the Reset Flag Set
Auto-ACKs Transmitted
Table: Connection Table Information
Connection Table Information
Access Read
Data type Number ( 64 bit )
Parameter HotStatValidResetsTx
Description The total number of TCP segments with the RST flag set that were transmitted.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatValidResetsTx
Usage example nCLI Get "HotStatValidResetsTx"
Access Read
Data type Number ( 64 bit )
Parameter HotStatAutoAckTx
Description The total number of TCP acknowledgements that have been generated by the ActiveArmor SNE (Secure Networking Engine) hardware.
Hierarchy Namespace: NS_Eth_HOTGroup: NV_HOTStat
Single: HotStatAutoAckTx
Usage example nCLI Get "HotStatAutoAckTx"
Access Read
Data type Number ( 64 bit )
Table Parameter NV_HOTCon
Description This table lists all the connections that are handled by ActiveArmor.
196 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 197 Monday, September 19, 2005 6:01 PM
Connection Lifetime
TCP State
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Usage example nCLI Get "NV_HOTCon"
Access Read
Single Parameter ConLifetime (See “Connection Lifetime” on page 197.)
Single Parameter ConTCPState (See “TCP State” on page 197.)
Single Parameter ConHardware (See “Hardware Offload” on page 198.)
Single Parameter ConLocalIP (See “Local IP Address” on page 198.)
Single Parameter ConLocalTCPPort (See “Local TCP Port” on page 199.)
Single Parameter ConRemoteIP (See “Remote IP Address” on page 199.)
Single Parameter ConRemoteTCPPort (See “Remote TCP Port” on page 199.)
Parameter ConLifetime
Description Time in seconds since the connection was established.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Row: Single: ConLifetime
Access Read
Data type Number ( 32 bit )
Parameter ConTCPState
Description Indicates the TCP State of the connection.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Row: Single: ConTCPState
Access Read
Data type Selection
N V I D I A C o r p o r a t i o n 197
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 198 Monday, September 19, 2005 6:01 PM
Hardware Offload
Local IP Address
User Selection CLOSED
User Selection LISTENING
User Selection SYN_SENT
User Selection SYN_RECEIVED
User Selection ESTABLISHED
User Selection CLOSE_WAIT
User Selection FIN_WAIT1
User Selection FIN_WAIT2
User Selection CLOSING
User Selection LAST_ACK
User Selection TIME_WAIT
Parameter ConHardware
Description Indicates if the connection is currently offloaded to the ActiveArmor hardware.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Row: Single: ConHardware
Access Read
Data type Selection
User Selection Not Offloaded
User Selection Offloaded
Parameter ConLocalIP
Description The IP Address of the local machine for the connection.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Row: Single: ConLocalIP
198 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 199 Monday, September 19, 2005 6:01 PM
Local TCP Port
Remote IP Address
Remote TCP Port
Access Read
Data type IP Address
Parameter ConLocalTCPPort
Description The TCP port used by the local machine for this connection.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Row: Single: ConLocalTCPPort
Access Read
Data type Number ( 16 bit )
Parameter ConRemoteIP
Description The IP address of the remote machine for this connection.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Row: Single: ConRemoteIP
Access Read
Table key This parameter is a key to the table
Data type IP Address
Parameter ConRemoteTCPPort
Description The TCP port used by the remote machine for this connection.
Hierarchy Namespace: NS_Eth_HOTTable: NV_HOTCon
Row: Single: ConRemoteTCPPort
N V I D I A C o r p o r a t i o n 199
A p p e n d i x C A c t i v e A r m o r S e c u r e N e t w o r k E n g i n e ( S N E ) P a r a m e t e r s R e f e r e n c e
nViewGuide.book Page 200 Monday, September 19, 2005 6:01 PM
Access Read
Table key This parameter is a key to the table
Data type Number ( 16 bit )
200 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 201 Monday, September 19, 2005 6:01 PM
A P P E N D I X
GLOSSARY
• ActiveArmor. NVIDIA ActiveArmor is software that controls the NVIDIA ActiveArmor Secure Networking Engine (SNE), which offloads CPU-intensive aspects of firewall and TCP processing (see “Understanding NVIDIA ActiveArmor” on page 66).
• distinguished name. In reference to the ForceWare Network Access Manager application, a distinguished name is the name that uniquely identifies a parameter. Each parameter has a distinguished name.
• group parameter. In reference to the ForceWare Network Access Manager application, a group parameter is a collection of single parameters that belong to a functionality set.
• IAM (Intelligent Application Manager). The IAM is part of the ActiveArmor Firewall allows you to create firewall rules based on an application’s name (see “Using the Intelligent Application Manager (IAM)” on page 41).
• ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses IP datagrams, but the messages are processed by the IP software and are not necessarily directly apparent to the application user.
• IP (Internet Protocol) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains the sender's Internet address and the receiver's Internet address.
N V I D I A C o r p o r a t i o n 201
A p p e n d i x D G l o s s a r y
nViewGuide.book Page 202 Monday, September 19, 2005 6:01 PM
When the sender needs to send a packet to a receiver on a different subnetwork, the packet is sent first to a to the sender's “default gateway” computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination address and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order in which they were sent. The Internet Protocol just delivers them. For applications requiring in-order delivery, it's up to a higher-layer protocol to ensure proper sequencing across a packet stream.IP is a connectionless protocol, which means that there is no continuing connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data.In the Open Systems Interconnection (OSI) communication model, IP is in layer 3, the Networking Layer. The most widely used version of IP today is IPv4. However, IPv6 is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more Internet users. IPv6 includes the capabilities of IPv4 and any server that can support IPv6 packets often can also support IPv4 packets.
• namespace parameter. In reference to the ForceWare Network Access Manager application, a namespace parameter is the largest container of parameters. A namespace parameter contains multiple group parameters and/or table parameters.
• nCLI (NVIDIA command line interface). In ForceWare Network Access Manager, nCLI is a command line interface that can be used to configure and monitor NVIDIA networking components. nCLI can run in either export or interactive mode.
• SSL (Secure Sockets Layer) is the industry-standard method for protecting Web communications. Built upon public key encryption technology, SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. When you come across a Web page that is secured, the browser will usually display a “closed lock” or other symbol to inform you that SSL has been enabled. At this point, the Web site address will also start with “<https://>” instead of the normal “<http://>.”
202 N V I D I A C o r p o r a t i o n
N V I D I A F o r c e W a r e N e t w o r k i n g A d m i n i s t r a t o r ’ s G u i d e
nViewGuide.book Page 203 Monday, September 19, 2005 6:01 PM
Note: NVIDIA ForceWare Network Access Manager uses SSL when the Web-based interface is remotely accessed.
• single parameter. In ForceWare Network Access Manager, a single parameter is the smallest parameter unit. It contains a name and value pair.
• table parameter. In ForceWare Network Access Manager, a table parameter is a collection of group parameters (rows) that share the same fields (columns). Table parameters are frequently used as place holders for ActiveArmor Firewall rules, filters, and statistics. Each row inside the table is uniquely identified by a key. A key is composed of one or more of fields of a row.
• TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the IP to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called segments) that a message is divided into for efficient routing through the Internet.
TCP is known as a connection-oriented protocol, which means that a connection is established and maintained until such time as the message or messages to be exchanged by the application programs at each end have been exchanged. TCP is responsible for ensuring that a message is divided into the packets that IP manages and for reassembling the packets back into the complete message at the other end. In the OSI communication model, TCP is in layer 4, the Transport Layer.
• UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the IP. UDP is an alternative to the TCP and, together with the IP, is sometimes referred to as UDP/IP. Like the TCP, the UDP uses the IP to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. This means that the application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order. To save processing time, network applications that have very small data units to exchange (and therefore very little message reassembling to do) may choose UDP instead of TCP. The Trivial File Transfer Protocol (TFTP) uses UDP instead of TCP.
N V I D I A C o r p o r a t i o n 203
A p p e n d i x D G l o s s a r y
nViewGuide.book Page 204 Monday, September 19, 2005 6:01 PM
UDP provides two services not provided by the IP layer. It provides port numbers to help distinguish different user requests, and, optionally, a checksum capability to verify that the data arrived intact In the Open Systems Interconnection (OSI) communication model, UDP, like TCP, is in layer 4, the Transport Layer.
204 N V I D I A C o r p o r a t i o n