
ForceWare Networking and Firewall Administrator's Guide

Software Version 1.0, Fifth Edition
NVIDIA Corporation, June 2004

NVIDIA ForceWare Networking Administrator's Guide

Published by NVIDIA Corporation 2701 San Tomas Expressway Santa Clara, CA 95050 Copyright 2004 NVIDIA Corporation. All rights reserved. This software may not, in whole or in part, be copied through any means, mechanical, electromechanical, or otherwise, without the express permission of NVIDIA Corporation. Information furnished is believed to be accurate and reliable. However, NVIDIA assumes no responsibility for the consequences of use of such information nor for any infringement of patents or other rights of third parties, which may result from its use. No License is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in the software are subject to change without notice. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation. NVIDIA, the NVIDIA logo, nForce, and ForceWare are registered trademarks or trademarks of NVIDIA Corporation in the United States and/or other countries. Microsoft, Windows, Windows logo and/or other Microsoft products referenced in this guide are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other countries. Other company and product names may be trademarks or registered trademarks of the respective owners with which they are associated.

NVIDIA Corporation


Table of Contents

1. Introduction
  Audience ... 9
  About NVIDIA ForceWare Network Access Manager ... 9
    Command Line Interface (CLI) ... 10
    Web-Based Interface ... 10
      Sample Web Pages ... 11
      Specifying Another Language for Web Page Content ... 12
    WMI Script ... 13
  About Security ... 13
  NVIDIA Firewall ... 14
    Key Features: NVIDIA Firewall ... 14
  System Requirements ... 15
    General Requirements ... 15
    Hardware Requirements ... 16
    Operating Systems ... 16
    Software, Memory, and Disk Space Requirements ... 17
  NVIDIA Firewall and Ethernet Parameters Reference ... 17

2. Installation Guidelines
  Before Using the ForceWare Network Access Manager Installer ... 18
  Installing ForceWare Network Access Manager ... 19
  Installing Network Access Manager in Silent Mode (Optional) ... 20
    Creating the Response File ... 20
    Running Installation in Silent Mode ... 21
  Launching the ForceWare Network Access Manager Web Interface ... 21
    Trusting the Security Certificate (For Remote Users Only) ... 22
      Importing the Certificate: First Method ... 22
      Importing the Certificate: Second Method ... 25
    Localizing the Web Interface ... 26
  Configuration Deployment ... 26
    Before You Begin ... 27

3. NVIDIA Firewall: Basic Concepts
  Types of Firewalls ... 28
  Stateful vs. Stateless ... 29
  Inbound vs. Outbound Packets ... 29
  About the TCP Protocol ... 30
  About the UDP and ICMP Protocols ... 30
    UDP ... 30
    ICMP ... 31
  Stateful Filtering ... 31
  Stateless Filtering ... 33

4. Configuring the NVIDIA Firewall
  NVIDIA Firewall Parameters Reference ... 35
  Using the Basic Configuration Page ... 36
    Security Profile Settings ... 36
  Advanced Configuration ... 38
    Configuring Antihacking Features ... 39
  About Working With Tables ... 40
    Specifying Actions ... 40
    About Table Sorting ... 40
    Table Default Action Settings ... 41
  Using the NVIDIA Firewall Wizards Page ... 42
    Configuration Dependencies ... 43
    Recommendations ... 44
  NVIDIA Firewall Statistics ... 44
  NVIDIA Firewall Logging ... 48

5. Administrative Tasks
  Accessing the Administration Menu ... 50
  Application Access Control Page ... 51
    Default Administrative Access Control Settings ... 52
      Command Line Access ... 52
      WMI Script ... 52
      Local Web Access ... 53
      Remote Web Access ... 53
      Additional Notes ... 53
    Password ... 54
    IP Address and IP Address Mask (optional) ... 54
  Restore Factory Defaults ... 54
  Display Settings ... 55
  Backup/Restore ... 55
    Backup Configuration ... 55
    Restore User Configuration ... 56
  ForceWare Network Access Manager Software Version ... 56

6. Using WMI Script
  Before You Begin ... 57
  Benefits of Using WMI Script ... 58
  Overview ... 58
  Advanced Topics ... 59
    NVIDIA Namespace ... 59
    WMI Provider ... 59
    Synchronization ... 59
  Sample Scripts ... 60

7. Using The Command Line Interface (CLI)
  Conventions Used ... 61
  About Examples Used ... 62
  Parameters ... 62
  Modes of Operation ... 62
    Expert Mode ... 62
    Interactive Mode ... 63
      First Method ... 63
      Second Method ... 63
  Using Single Parameters ... 63
    Set (Expert Mode) ... 63
      Example ... 64
    Set (Interactive Mode) ... 64
      Example ... 64
    Get ... 64
      Example ... 64
    Help ... 65
      Example ... 65
  Using Table Parameters ... 65
    Add Row ... 65
      Example ... 65
    Edit Row ... 66
      Example ... 66
    Delete Row ... 67
      Example ... 67
    Help ... 67
      Example ... 67
    Set Table ... 68
      Examples ... 68
    Get Table ... 69
      Example ... 69
    About Expert Commands ... 69
      Syntax ... 69
      Examples ... 70
    About Other Table Commands ... 70
      Syntax ... 70
  Browsing the Parameter Structure ... 71
    List ... 71
      Example ... 71
    Changing Directory ... 72
      Example 1 ... 72
      Example 2 ... 73
    Current Working Directory ... 74
      Example ... 74
    Context-Sensitive Operations ... 74
      Example ... 74
  Text File Processing ... 75
    Export ... 75
      Syntax ... 76
      Example ... 76
    Import ... 76
      Syntax ... 76
    Selective Export ... 77
      Syntax ... 77
      Example ... 77
    Context Export ... 78
      Example ... 78

A. Ethernet Parameters Reference
  Group: Remote Wakeup ... 79
    Remote Wakeup ... 79
    Remote Wakeup by Magic Packet ... 80
    Remote Wakeup (Pattern Match) ... 80
    Remote Wakeup (Link State Change) ... 81
    Remote Wake Up from Hibernate or Shutdown ... 81
  Group: Protocol Offload ... 82
    Checksum Offload ... 82
    IPv4 Transmit Checksum Offload ... 82
    IPv4 Receive Checksum Offload ... 83
    UDP Transmit Checksum Offload ... 83
    UDP Receive Checksum Offload ... 84
    TCP Transmit Checksum Offload ... 84
    TCP Receive Checksum Offload ... 85
    TCP Large Send Offload ... 85
  Group: Microsoft Operating System VLAN (Virtual LAN) ... 86
    Microsoft Operating System VLAN ... 86
  Group: VLAN (Virtual LAN) ... 87
    VLAN Support ... 87
    VLAN ID ... 87
  Group: Jumbo Frame ... 88
    Jumbo Frame Payload Size ... 88
  Group: Driver Optimization ... 89
    Ethernet Driver Optimization ... 89
  Group: Ethernet Performance ... 90
    Number of Receive Buffers ... 90
    Number of Receive Buffer Descriptors ... 90
    Number of Transmit Buffer Descriptors ... 91
    Maximum Transmit Frames Queued ... 91
    Number of Receive Packets to Process per Interrupt ... 92
    Number of Transmit Packets to Process per Interrupt ... 92
    Interrupt Interval ... 93
  Group: Traffic Prioritization ... 93
    IEEE 802.1p Support ... 93
  Group: Ethernet Speed/Duplex ... 94
    Configurable Ethernet Speed/Duplex Settings ... 94
  Group: Ethernet Information ... 95
    Link Speed ... 95
    Maximum Link Speed ... 95
    Duplex Setting ... 96
    Link Status ... 96
    Promiscuous Mode ... 97
    Permanent Ethernet Address ... 97
  Group: Ethernet Address ... 98
    Current Ethernet Address ... 98
  Group: Network Interface Information ... 98
    Computer (Machine) Name ... 98
    IP Address ... 99
    IP Address Mask ... 99
  Group: Factory Default ... 100
    Factory Default ... 100
  Table: Multicast Address List ... 100
    Multicast Address List ... 100
    Multicast Addresses (Single Parameter) ... 101
  Group: Ethernet Statistics ... 101
    Frames Received with Alignment Error ... 101
    Frames Transmitted After One Collision ... 102
    Frames Transmitted After Two or More Collisions ... 102
    Frames Transmitted After Deferral ... 103
    Frames Exceed Maximum Collision ... 103
    Frames with Overrun Errors ... 104
    Frames with Underrun Errors ... 104
    Frames with Heartbeat Failure ... 105
    Carrier Sense (CRS) Signal Lost ... 105
    Late Collisions ... 106
  Group: General Networking Statistics ... 106
    Successfully Transmitted Frames ... 106
    Successfully Received Frames ... 107
    Transmit Failures ... 107
    Receive Failures ... 107
    No Receive Buffers ... 108
    Direct Frames Received ... 108
    Multicast Frames Received ... 108
    Broadcast Frames Received ... 109
  Group: Alert Standard Format ... 109
    ASF Support ... 109
    ASF Destination IP Address ... 110
    ASF Send Count ... 110
  Group: ASF Information ... 111
    ASF Destination MAC Address ... 111
  Group: System Fails to Boot Alert ... 111
    System Fails to Boot Alert ... 111
  Group: Fan Problem Alert ... 112
    Fan Problem Alert ... 112
  Group: ASF SMBus Error ... 112
    ASF SMBus Error ... 112
  Group: ASF WOL Alert ... 113
    ASF Wake On LAN (WOL) Alert ... 113
  Group: ASF Heartbeat Alert ... 113
    ASF Heartbeat Alert Interval ... 113
  Group: ASF Operating System Hung Alert ... 114
    ASF Operating System Hung Alert ... 114
  Group: ASF Power Button Alert ... 114
    ASF Power Button Alert ... 114
  Group: ASF System Hot Alert ... 115
    ASF System Hot Alert ... 115
  Group: ASF CPU Overheated Alert ... 115
    ASF CPU Overheat Alert ... 115
  Group: ASF CPU Overheated Alert ... 116
    ASF CPU Hot Alert ... 116
  Group: ASF Case Intrusion Alert ... 116
    ASF Case Intrusion Alert ... 116

B. NVIDIA Firewall Parameters Reference
  Group: Configure Firewall Security Level ... 117
    Configure Firewall Security Level ... 117
    About the FwlProfiles Settings ... 118
  Group: Configure Firewall Options ... 120
    Disallow Promiscuous Mode ... 120
    Disallow DHCP Server ... 120
    Block Outbound Spoofed IP Packets ... 121
    Block Spoofed ARP Packets ... 121
    Block UDPv4 with No UDP Checksum ... 122
  Group: EtherType Default Rule ... 122
    EtherType Default Rule ... 122
  Group: IP Address/Mask Default Rule ... 123
    IP Address/Mask Default Action ... 123
  Group: Domain Name Default Rule ... 123
    Domain Name Default Rule ... 123
  Group: IP Option Default Rule ... 124
    Inbound IP Option Default Rule ... 124
    Outbound IP Option Default Rule ... 124
  Group: IP Protocol Default Rule ... 125
    IP Protocol Default Rule ... 125
  Group: Port Number Default Rule ... 125
    Inbound Port Number Default Rule ... 125
    Outbound Port Number Default Rule ... 126
  Group: TCP Options Default Rule ... 126
    TCP Options Default Rule ... 126
  Group: ICMP Messages Default Rule ... 127
    Inbound ICMP Default Rule ... 127
    Outbound ICMP Default Rule ... 127
  Group: Clear Firewall Statistics ... 128
    Clear Firewall Statistics ... 128
  Group: Firewall Statistics ... 128
    Allowed Inbound UDP Datagrams ... 128
    Denied Inbound UDP Datagrams ... 129
    Allowed Outbound UDP Datagrams ... 129
    Denied Outbound UDP Datagrams ... 129
    Denied Inbound UDP Connections ... 130
    Allowed Outbound UDP Connections ... 130
    Denied Outbound UDP Connections ... 130
    Allowed Inbound TCP Segments ... 131
    Denied Inbound TCP Segments ... 131
    Allowed Outbound TCP Segments ... 131
    Denied Outbound TCP Segments ... 132
    Allowed Inbound TCP Connections ... 132
    Denied Inbound TCP Connections ... 132
    Allowed Outbound TCP Connections ... 133
    Denied Outbound TCP Connections ... 133
    Allowed Inbound ICMP Packets ... 133
    Denied Inbound ICMP Packets ... 134
    Allowed Outbound ICMP Packets ... 134
    Denied Outbound ICMP Packets ... 134
    Other Allowed Inbound Packets ... 135
    Other Denied Inbound Packets ... 135
    Other Allowed Outbound Packets ... 135
    Other Denied Outbound Packets ... 136
  Group: Factory Default ... 136
    Factory Default ... 136
  Group: Flush DNS Cache ... 137
    Flush DNS Cache ... 137
  Table: EtherType Rules ... 137
    Ether Type ... 138
    EtherType Name ... 138
    EtherType Action ... 138
  Table: IP Address/Mask Rule ... 139
    Remote IP Address ... 139
    Remote IP Address Mask ... 140
    IP Action ... 140
  Table: Domain Names Rule ... 141
    Domain Name ... 141
    Domain Action ... 142
  Table: IP Option Rules ... 142
    IP Option Number ... 143
    IP Option Name ... 143
    IP Version ... 144
    IP Inbound Action ... 144
    IP Outbound Action ... 144
  Table: IP Protocol Rule ... 145
    IP Protocol ... 145
    IP Protocol Name ... 146
    IP Protocol Action ... 146
  Table: TCP/UDP Port Rule ... 147
    TCP/UDP Port Outbound Action ... 148
    Remote IP Address ... 148
    Remote IP Subnet Mask ... 148
    Port Name ... 149
    Beginning Port Number ... 149
    Ending Port Number ... 149
    Port Protocol ... 150
  Table: TCP Options Rule ... 150
    TCP Option Number ... 151
    TCP Option Name ... 151
    TCP Option Action ... 151
  Table: ICMP Rules ... 152
    Remote IP Address ... 152
    Remote IP Subnet Mask ... 153
    ICMP Type ... 153
    ICMP Code ... 153
    ICMP Name ... 154
    ICMP Version ... 154
    ICMP Inbound Action ... 154
    ICMP Outbound Action ... 155

C. Glossary


List of Tables

Table 1.1 Hardware and Software Features Support ... 16
Table 1.2 Software, Memory, and Disk Space Requirements ... 17
Table 5.1 NVIDIA Firewall Features ... 52


List of Figures

Figure 1.1 ForceWare Network Access Manager Home Page ... 11
Figure 1.2 Ethernet Basic Configuration ... 11
Figure 1.3 Firewall Wizards ... 12
Figure 2.1 Security Alert (For Remote Users Only) ... 22
Figure 2.2 Certification Page (For Remote Users Only) ... 23
Figure 2.3 Certification Page (For Remote Users Only) ... 23
Figure 2.4 Certification Import Wizard (For Remote Users Only) ... 24
Figure 2.5 Certificate Import Wizard Completion Page (For Remote Users Only) ... 24
Figure 2.6 Root Certificate Store (For Remote Users Only) ... 25
Figure 4.1 NVIDIA Firewall Basic Configuration ... 37
Figure 4.2 NVIDIA Firewall Options: Configuring Antihacking Features ... 39
Figure 4.3 Firewall Wizards ... 43
Figure 4.4 Graphical Information for Packets ... 45
Figure 4.5 Bar Graph of Packet Activity ... 46
Figure 4.6 Table (Statistics) of Packet Activity, 1st section ... 47
Figure 4.7 Table (Statistics) of Packet Activity, 2nd section ... 47
Figure 4.8 Firewall Logging Messages ... 49
Figure 4.9 User Log Settings ... 49
Figure 5.1 Application Access Control Settings ... 51


Chapter 1

Introduction

This chapter contains the following major sections:
- Audience on page 9
- About NVIDIA ForceWare Network Access Manager on page 9
- About Security on page 13
- NVIDIA Firewall on page 14

Audience
This guide is intended for the system or network Administrator of an organization as a guide to installing and using the NVIDIA ForceWare Network Access Manager application.

Note: This guide assumes the reader has Administrator access privileges. Exceptions are noted where applicable.

About NVIDIA ForceWare Network Access Manager


Using the ForceWare Network Access Manager application, you can easily configure and control NVIDIA networking hardware and software, gather statistics, and monitor logs. ForceWare Network Access Manager gives you several choices in managing your networking hardware and software:
- Command Line Interface (CLI) on page 10
- Web-Based Interface on page 10
- WMI Script on page 13

Command Line Interface (CLI)


The ForceWare Network Access Manager provides command line access through the nCLI program. The nCLI command can be run in either expert or interactive mode to configure and monitor NVIDIA networking components.

Expert mode is suitable for deployment in an organization by running nCLI from a login script. To use nCLI in expert mode, you need to be familiar with the syntax and characteristics of the configuration parameters. For details and examples of using the nCLI command with the various Ethernet and NVIDIA Firewall parameters, see Ethernet Parameters Reference on page 79 and NVIDIA Firewall Parameters Reference on page 117.

Interactive mode runs in a shell environment and is suitable for Administrators who do not have access to the syntax and characteristics of the nCLI configuration parameters. nCLI provides navigation features to assist these users.

Note: Extensive nCLI usage samples in batch file format are provided in the following subdirectories under the default path of c:\nvidia\NetworkAccessManager, or a path you specify:
- samples\Eth (for Ethernet)
- samples\Firewall (for Firewall)
You can cut and paste the appropriate commands and use them in batch files or on the command line. Also see Using The Command Line Interface (CLI) on page 61.

Web-Based Interface
The ForceWare Network Access Manager Web-based interface (see Sample Web Pages on page 11) offers convenient access through several features:
- Wizards: see Using the NVIDIA Firewall Wizards Page on page 42.
- Profiles
- Status summaries
- Help. Context-sensitive online Help is available on a wide range of features. From any ForceWare Network Access Manager Web page, click the Help tab, as shown in Figure 1.1, to access detailed Help on the parameters you are configuring.
- Tool tips. When your cursor rests on the name of a parameter, its description is displayed in a popup text window, called a tool tip.


Sample Web Pages

Figure 1.1 ForceWare Network Access Manager Home Page

Figure 1.2 Ethernet Basic Configuration

Figure 1.3 Firewall Wizards

Specifying Another Language for Web Page Content


ForceWare Network Access Manager supports viewing of the Web-based interface in the following languages:
- French
- German
- Italian
- Spanish
- Japanese
- Korean
- Simplified Chinese
- Traditional Chinese


For complete details, see Installing ForceWare Network Access Manager on page 19 and Localizing the Web Interface on page 26.

WMI Script
You can use the Microsoft Windows Management Instrumentation (WMI) script language to manage NVIDIA networking hardware and software. Using the WMI script language is recommended only for Administrators who are already familiar with programming in WMI script and who have become familiar with the syntax and characteristics of the configuration parameters. WMI script programming is used by the IT staff of larger corporations to carry out day-to-day maintenance work. Overall benefits of using WMI scripts include:
- Industry standard: WMI can be implemented using languages such as VBScript and JScript.
- Ease of use: common scripts allow access to ForceWare Network Access Manager data.
- Flexibility: if you are a WMI script user, you can utilize the power of the script languages to meet almost any requirement. For example, as an Administrator, you can write a WMI script to scan for Yahoo Messenger on a computer and open the appropriate port if the computer user has sufficient rights.
- Remote use: you can run the WMI script language remotely and use it as a deployment tool in an organization. See Configuration Deployment on page 26.
For further information, see Using WMI Script on page 57.

About Security
Access control is based on the kind of application being run, whether you are an Administrator or a non-Administrator user, and the kind of access needed, i.e., local or remote. The ForceWare Network Access Manager Web-based Application Access Control page (Application Access Control Page on page 51) enables you to configure non-Administrator access to applications, including:
- nCLI (NVIDIA command line interface)
- WMI scripting interface
- Local and remote Web access

Note: For applications that are accessed from the local computer, the application access rights depend on the current access rights for the Windows login session.

Note: A non-Administrator user on a computer cannot access the NVIDIA Firewall parameters or modify the access control parameters.

For further details on security and access control, see Application Access Control Page on page 51.

NVIDIA Firewall
NVIDIA Firewall, the only native firewall in the market, is optimized and integrated into the NVIDIA nForce systems that support ForceWare Network Access Manager. (See Table 1.1 for supported NVIDIA hardware and features.) The NVIDIA Firewall is a high-performance, hardware-optimized firewall offering enhanced reliability and protection at the end-point, i.e., the desktop. It incorporates firewall and antihacking technologies such as antispoofing, antisniffing, anti-ARP cache poisoning, and anti-DHCP server, which are important security controls for corporate network environments. For an explanation of firewall concepts and the NVIDIA Firewall, see Chapter 3, NVIDIA Firewall: Basic Concepts, on page 28.

Key Features: NVIDIA Firewall

- User-friendly Web-based interface, including Wizards, charts, tables, and logging statistics. See Configuring the NVIDIA Firewall on page 35.
- ICSA certified. See the following Web site for details: www.icsalabs.com.
- Antihacking features, listed below, provide important security controls for corporate network environments:
  - Antispoofing
  - Antisniffing
  - Anti-ARP cache poisoning
  - Anti-DHCP (Dynamic Host Configuration Protocol) server process
  Also see Table 1.1, Hardware and Software Features Support, on page 16 and Configuring Antihacking Features on page 39.
- Comprehensive packet filtering; see NVIDIA Firewall: Basic Concepts on page 28.
- Stateful and stateless packet inspection; see NVIDIA Firewall: Basic Concepts on page 28.
- Predefined security profiles (see Configuring the NVIDIA Firewall on page 35) include these key features:
  - User-customizable profiles
  - Internet Protocol version 6 (IPv6) support
  - Settings: Lockdown, High, Medium, Low, Off
- Advanced management features (see Configuring the NVIDIA Firewall on page 35):
  - Remote administration
  - Monitoring
  - Configuration
- NVIDIA command line interface (nCLI) support, only for nForce 250 Professional systems.
- WMI scripting support, only for nForce 250 Professional systems.

System Requirements
General Requirements
- WMI (Windows Management Instrumentation) service.
  Note: The WMI service is not automatically started on Windows 2000. The ForceWare Network Installer needs to change this service to run automatically on Windows startup.
- WMI MOF compiler (MOFCOMP) must be available on your computer.
- NTFS file system. It is recommended that you install the ForceWare Network Access Manager application on an NTFS file system so that sensitive information such as Firewall or access configuration data is protected from being changed by a non-Administrator user.
  Note: For further information on NTFS, refer to Windows online Help.

Note: You are strongly encouraged to apply the latest Service Packs and Security patches from Microsoft. You can refer to Windows online Help for details on using Windows Update; or, from your Windows desktop, you can click Start > Windows Update (or Start > Programs > Windows Update).

Hardware Requirements
Support of ForceWare Network Access Manager features on NVIDIA nForce series personal computer systems is outlined in Table 1.1. Note: Miscellaneous features that are not listed (e.g., checksum off-load, segmentation off-load, etc.) are supported by all four nForce platforms listed in Table 1.1.
Table 1.1 Hardware and Software Features Support

NVIDIA Software Supported (columns): NVIDIA Firewall; ForceWare Network Access Manager Web-based interface; ForceWare Network Access Manager Command line interface (CLI) and WMI Script support; VLAN, IEEE 802.1Q; Alert Standard Format (ASF)

NVIDIA Hardware (Personal Computer)   Firewall   Web-based interface   CLI and WMI   VLAN 802.1Q   ASF
nForce2 Gigabit MCP                   Yes        Yes                   No            No            No
nForce3 250 Gigabit                   Yes        Yes                   No            No            No
nForce3 Ultra                         Yes        Yes                   No            No            No
nForce3 250 Professional              Yes        Yes                   Yes           Yes           Yes

Operating Systems
The ForceWare Network Access Manager application supports the following Microsoft operating systems:
- Windows XP Professional Service Pack 1 or later version
- Windows 2000


Software, Memory, and Disk Space Requirements

Note: All figures in Table 1.2 are estimates based on default settings and a standard operating environment.

Table 1.2 Software, Memory, and Disk Space Requirements

Software                                     Memory   Disk space for English   Disk space for non-English languages
nForce Ethernet driver for Windows XP/2000   1 MB     100 KB                   Approximately 1.5 MB per language
NVIDIA Firewall                              (see below)
ForceWare Network Access Manager             (see below)

Figures given for the NVIDIA Firewall and ForceWare Network Access Manager rows: 4 MB, 5 MB, 200 KB, 25 MB (column assignment unclear).

Note: To run the ForceWare Network Access Manager software, nForce Ethernet must be configured as a bridge device in the BIOS, which is the factory default.

For further information on driver installation, see Installation Guidelines on page 18.

NVIDIA Firewall and Ethernet Parameters Reference


Appendix A: Ethernet Parameters Reference on page 79 and Appendix B: NVIDIA Firewall Parameters Reference on page 117 provide detailed parameters reference and usage information. You can also obtain context-sensitive Help when using parameters by clicking the Help tab from any ForceWare Network Access Manager Web-based page.

Chapter 2: Installation Guidelines
This chapter contains the following main topics:
- Before Using the ForceWare Network Access Manager Installer on page 18
- Installing ForceWare Network Access Manager on page 19
- Installing Network Access Manager in Silent Mode Optional on page 20
- Launching the ForceWare Network Access Manager Web Interface on page 21
- Configuration Deployment on page 26

Before Using the ForceWare Network Access Manager Installer


Before you run the ForceWare Network Access Manager installer program, NetworkAccessManagerSetup.exe, note the following:
- The nForce Ethernet driver must already be installed and operational on your computer.
- You must have Administrator access rights to do the following:
  - Run the Setup installation program.
  - Uninstall and/or modify the ForceWare Network Access Manager software, as needed.

If you are using the ForceWare Network Access Manager Web-based interface, note the following:
- Microsoft Internet Explorer version 5 or later must be running on your computer.
- The ForceWare Network Access Manager Web-based interface uses the NVIDIA registered TCP port 3476. Make sure no other network application uses port 3476.

Installing ForceWare Network Access Manager


The ForceWare Network Access Manager installation program (NetworkAccessManagerSetup.exe) and software are part of the basic nForce driver installation package, which you can usually obtain from the NVIDIA Web site (www.nvidia.com) or a partner OEM.
1 Download the nForce driver installation package.
  Note: There are two basic language editions of the nForce driver installation package: English only and International. If your preferred language is one of the following, make sure you download the International edition: French, German, Italian, Spanish, Japanese, Korean, Simplified Chinese, Traditional Chinese.
2 Open or save the package to a specified directory. The directory root is usually C:\NVIDIA\nForce....
3 If you have saved the package, manually start the setup.exe file; if you chose to open the nForce package in step 2, the setup.exe program automatically starts running.
4 When the prompt appears to install the Network Access Manager and Firewall, proceed as requested, unless you want to run a silent installation, in which case go to Installing Network Access Manager in Silent Mode Optional on page 20.
5 If you are proceeding with the auto-installation of the Network Access Manager software, simply follow the prompts to complete the installation process.

The ForceWare Network Access Manager installation program (<uncompressed directory_name>\Ethernet\NAM\NetworkAccessManagerSetup.exe) uncompresses and saves all the relevant software in a directory you specify. By default, this directory is C:\NVIDIA\NetworkAccessManager.

Installing Network Access Manager in Silent Mode Optional


The ForceWare Network Access Manager software supports the silent installation method, which means no user interaction is needed to install the software. For example, as an Administrator, you may want to create a custom silent installation script for end users to easily install Network Access Manager software. The silent installation process uses a response (.iss) file that contains information similar to what you would enter as responses to dialog boxes when running a normal setup.

Creating the Response File


From the directory where the ForceWare Network Access Manager installation program is located (<uncompressed directory_name>\Ethernet\NAM\NetworkAccessManagerSetup.exe), follow these steps:
1 Enter the following command:

   NetworkAccessManagerSetup.exe /r /f1 c:\nvidia_net.iss

2 Go through the installation dialog boxes as you would in a normal auto-installation explained in the previous section. Note that in this installation process, you will select the options to be used in subsequent silent installations. All choices are recorded in the response file named nvidia_net.iss.
  Note: You can change the path and name of the response file by replacing c:\nvidia_net.iss with a drive letter and file name of your choice.

The ForceWare Network Access Manager installation program runs and uncompresses all the relevant software in a directory you specify. By default, this directory is C:\NVIDIA\NetworkAccessManager.


Running Installation in Silent Mode


From the directory where the ForceWare Network Access Manager installation program is located (<uncompressed directory_name>\Ethernet\NAM\NetworkAccessManagerSetup.exe), enter the following command to run the installation program in silent mode:

   NetworkAccessManagerSetup.exe /s1 /f1 c:\nvidia_net.iss

Launching the ForceWare Network Access Manager Web Interface


Before you launch the ForceWare Network Access Manager Web interface, make sure you have completed running the ForceWare Network Access Manager installer program using the instructions in the previous sections of this chapter.
1 To launch the ForceWare Network Access Manager Web-based interface, you can do one of the following:
  - From your Windows desktop, double-click the ForceWare NVIDIA Web-based Interface icon, or
  - From your Windows taskbar, click Start > Programs > NVIDIA Corporation > Network Access Manager > Web-based Interface.
  Note: If you are using the ForceWare Network Access Manager Web-based interface locally instead of remotely, you do not need to follow the instructions about working with security certificates as explained in the steps that follow.
2 Remote Users: If you are a remote user of the ForceWare Network Access Manager Web-based interface, before you can enter your user name and password, a Security Alert (Figure 2.1) page appears alerting you about the managed computer's security certificate.

The security certificate is generated by the Network Access Manager to enable Secure Sockets Layer (SSL) to secure the communications channel.

Figure 2.1 Security Alert For Remote Users Only

Note: You have to enable your browser to trust this security certificate before you can proceed. To avoid being prompted by the Web browser about the security certificate, you can choose to import the certificate in one of two ways, as explained in Trusting the Security Certificate For Remote Users Only on page 22.

Trusting the Security Certificate For Remote Users Only


Importing the Certificate First Method
1 When you are prompted by the Web browser about the managed computer's security certificate (Figure 2.1), click View Certificate to display the Certificate page (Figure 2.2).
2 On the Certificate page, click Install Certificate to launch the Certificate Import Wizard page (Figure 2.3).
3 Click Next to display the Certification Store page (Figure 2.4).
4 Select Automatically select the certificate store based on the type of certificate (Figure 2.4) and click Next. The completion page of the Certificate Import Wizard appears (Figure 2.5).
5 Click Finish. The Root Certificate Store dialog box appears (Figure 2.6).
6 Click Yes to add the certificate to the Root Store.

Figure 2.2 Certification Page For Remote Users Only
Figure 2.3 Certification Page For Remote Users Only
Figure 2.4 Certification Import Wizard For Remote Users Only
Figure 2.5 Certificate Import Wizard Completion Page For Remote Users Only
Figure 2.6 Root Certificate Store For Remote Users Only

Importing the Certificate Second Method


This method is more secure than the Importing the Certificate First Method on page 22, as you are assured that the certificate comes from the managed computer. Note that on the managed computer, the certificate is stored in <install directory>\Apache Group\Apache2\conf\ssl\server.crt, where <install directory> is the directory where Network Access Manager is installed. The default installation directory is c:\NVIDIA\NetworkAccessManager.
1 Copy the server.crt certificate to the computer that is the remote Web browser.
2 On the remote Web browser, launch Internet Explorer.
3 Go to Tools > Internet Options > Content > Certificates and click Import to launch the Certificate Import Wizard page (Figure 2.4).
4 Click Next to display the Certification Store page (Figure 2.4).
5 Select Automatically select the certificate store based on the type of certificate (Figure 2.4) and click Next. The completion page of the Certificate Import Wizard appears (Figure 2.5).
6 Click Finish to display the Root Certificate Store dialog box (Figure 2.6).
7 Click Yes to add the certificate to the Root Store.
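The second method is safer because you know where server.crt came from; one further check before clicking Yes in the Root Certificate Store dialog is to confirm that the certificate the managed computer actually presents on TCP port 3476 is the same file you copied. The script below is an added example, not part of the guide or the product; it uses only the Python standard library, takes the host name and the path of the copied server.crt as arguments, and its offline self-check uses constructed sample bytes that are not real certificates.

```python
import base64
import hashlib
import ssl
import sys

NAM_PORT = 3476  # TCP port the guide says the Web-based interface listens on


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER bytes inside a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def certificate_matches(copied_pem: str, presented_pem: str) -> bool:
    """True only if the copied server.crt and the certificate seen on the wire agree."""
    return fingerprint(copied_pem) == fingerprint(presented_pem)


def presented_certificate(host: str, port: int = NAM_PORT) -> str:
    """Fetch (as PEM) whatever certificate the managed computer presents on its SSL port."""
    return ssl.get_server_certificate((host, port))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armour; used here only to build the constructed samples."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed samples (not real certificates): the copied file and a look-alike impostor.
COPIED_PEM = make_pem(b"constructed server.crt bytes")
IMPOSTOR_PEM = make_pem(b"constructed bytes of some other certificate")

if __name__ == "__main__":
    # usage: python check_nam_cert.py <host> <path-to-copied-server.crt>
    host, path = sys.argv[1], sys.argv[2]
    with open(path, "r", encoding="ascii") as fh:
        copied = fh.read()
    live = presented_certificate(host)
    print("copied   :", fingerprint(copied))
    print("presented:", fingerprint(live))
    print("MATCH: safe to import" if certificate_matches(copied, live)
          else "MISMATCH: do not add this certificate to the Root store")
```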


Localizing the Web Interface


If you have installed the International edition of the ForceWare Network software as explained in Installing ForceWare Network Access Manager on page 19, then follow these steps available from the Internet Explorer menu to enable one of the non-English languages supported by your ForceWare Network Access Manager Web browser.
1 In Internet Explorer, on the Tools menu, click Internet Options.
2 On the General tab, click Languages.
3 Click Add.
4 Select the language you want to add. The following languages are supported by your ForceWare Network Access Manager Web browser: French, German, Italian, Spanish, Japanese, Korean, Simplified Chinese, Traditional Chinese.
5 Click OK. The language you added appears in the Language: list.
6 If more than one language appears in the list and you want to activate the language you just added, move it to the top of the list.
7 Click OK and click OK again to exit the Internet Options dialog box.
8 Press F5 to refresh your screen.

The Web interface now appears in your chosen language.

Configuration Deployment
Configuration deployment means configuring multiple computers to use the same configuration through an automated procedure. You can use any one of the following configuration methods:
- Run the nCLI command to change parameters during the login script.
- Run nCLI to configure one parameter at a time or use the import command for bulk configuration. Note: Sample command line access scripts can be found in the sample directory, under the default path of c:\nvidia\NetworkAccessManager, or the path you specified. See the Using The Command Line Interface (CLI) on page 61 section for more information.
- Create and run WMI scripts to change parameters when executing the login script.

Before You Begin


WMI script usage samples are provided in the following subdirectories under the default path of c:\nvidia\NetworkAccessManager, or the path you specified:
- samples\Eth
- samples\Firewall

You can cut and paste the appropriate commands and use them in a batch file or on the command line. For further details, see Using WMI Script on page 57. To use WMI scripting, you must be familiar with the syntax and characteristics of configuration parameters. See the Ethernet Parameters Reference on page 79 and NVIDIA Firewall Parameters Reference on page 117 for details. For additional details, refer to the Microsoft documentation on WMI scripting.

Note: Many Ethernet parameters require restarting the network driver for script changes to take effect. When the network driver is restarted, network connections will terminate, which will terminate the login script. To get around the problem, you can utilize the NV_DriverRestartFlag to defer restarting the driver. However, keep in mind that a driver restart is still required for script changes to take effect.


Chapter 3: NVIDIA Firewall: Basic Concepts


This chapter contains the following main topics:
- Types of Firewalls on page 28
- Stateful vs. Stateless on page 29
- Inbound vs. Outbound Packets on page 29
- Stateful Filtering on page 31
- Stateless Filtering on page 33

Types of Firewalls
The NVIDIA Firewall is a type of firewall that is typically referred to as a PC firewall or a desktop firewall. Another classification of firewalls is the gateway firewall. The main difference between the PC firewall and the gateway firewall is that while the gateway firewall monitors network traffic and controls access between two different networks or administrative domains, the PC firewall controls traffic generated or received by a single computer. Therefore, a gateway firewall is usually a dedicated computer, or a part of a network switch or router, with multiple interfaces through which certain traffic is allowed and other traffic is blocked. A PC firewall is usually software that is installed on the personal computer, or a combination of software and hardware that is integrated to the computer. In both types of firewalls, certain traffic is allowed and certain traffic is blocked according to the specific rules configured for the firewall.


Firewalls just discussed can be further classified as one of two types:
- Application layer
- Packet-based

Packet-based firewalls are of two main sub-types:
- Stateful
- Stateless

Note: The NVIDIA Firewall is a packet-based PC firewall with both stateful and stateless features.

Stateful vs. Stateless


Stateful and stateless are adjectives that describe whether a computer or computer program is designed to note and remember one or more preceding events in a given sequence of interactions with a user, another computer or program, a device, or other outside element. Stateful and stateless are derived from the usage of state as a set of conditions at a moment in time. Stateful means the computer or program keeps track of the state of interaction, usually by setting values in a storage field designated for that purpose. Stateless means there is no record of previous interactions and each interaction request has to be handled based entirely on information that comes with it.

Inbound vs. Outbound Packets


Network traffic is neither inherently safe nor inherently dangerous. In addition to the usual attributes of packets that can distinguish them from each other, such as IP addresses and TCP port numbers, one criterion that can be used to help discriminate traffic is the direction in which that traffic is flowing. For traffic arriving from outside the PC, it is reasonable to presume that there is a chance that an attack may be present, whereas traffic originated by the PC is less likely to be dangerous. The firewall rules consider the direction of traffic as an attribute when establishing the traffic that should be allowed (i.e., such traffic is deemed to be safe or to have an acceptable level of risk) versus the traffic that should be denied (i.e., such traffic is deemed to be unsafe). Note: The tolerance for risk will vary among users, so there is no universally accepted definition of dangerous packets. However, the default configuration of the NVIDIA firewall represents industry-accepted best practices, and can be used as the basis for customized configurations that more closely match the end-user's specific requirements.


By defining the direction as part of the specification of a rule, the end-user can separate traffic that he/she considers to be safe enough from traffic considered unsafe. Most protocols exchange traffic bi-directionally; therefore, the direction of such exchanges is defined by the connection-initiation packet. For example, in the case of a TCP packet, the first packet matching a new set of IP addresses and TCP ports for which the TCP SYN flag is set establishes the direction of that subsequent bi-directional flow. Other protocols, such as User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP), may not have the equivalent of the TCP SYN flag. Therefore, for those protocols, the NVIDIA Firewall uses the direction of the first packet matching a given set of IP addresses and, for example, UDP ports, as the direction for the subsequent bi-directional flow.

About the TCP Protocol


Some network protocols, such as TCP, require an explicit connection initialization process. Firewall rules that apply to TCP typically depend partially on the direction of the connection establishment. When referring to protocols that involve establishment of a connection:
- Inbound describes a connection attempt not originated by the local computer.
- Outbound describes a connection attempt that was originated by the local computer.

About the UDP and ICMP Protocols


Unlike TCP, other protocols, such as UDP and ICMP do not have an explicit connection establishment process. A computer can use protocols such as UDP and ICMP to send data packets to any other computer at any time, but the receiving computer, or an intervening firewall, can reject or accept the data on a per-packet basis.

UDP
UDP is frequently used in a connection-like manner, but without the connection establishment process. In other words, UDP-based applications may rely on long-term computer-to-computer sessions. However, the meaning of the direction of the connection in the UDP context is broader than in the TCP context. The direction of a packet is inbound if the initial packet matching this new set of IP and UDP header field values was a received packet.


Similarly, a UDP connection is considered to be outbound if the initial packet matching this new set of IP and UDP header field values was a transmitted packet. Thus, firewall rules that apply to UDP typically also depend on the direction of the first packet of a new connection. UDP packets, like TCP packets, can be matched against a connection table by performing a hash function on certain fields in the packet to determine if there is a match in a table of hash values where there is at least one connection that corresponds to each hash value.

ICMP
ICMP is an example of a protocol with neither a connection establishment process nor any connection-like functionality. Firewall rules relevant to these types of protocols are applied to every packet, and inbound and outbound respectively refer to packets (of one of these protocols) that are received and transmitted across any of the network interfaces that the firewall is protecting.

Stateful Filtering
Stateful filtering (also known as stateful inspection or dynamic packet filtering) provides enhanced security by monitoring network packets over the period of the connection for that particular traffic. Because stateful filtering can dynamically track each connection, compare packets against the connection's expected state, and drop the packets that don't conform to the protocol, it has replaced static filtering as the industry standard firewall solution for networks.

It is also the case that stateful filtering scales much better than stateless filtering because the firewall policy table is only consulted once per connection, instead of once per packet. This means that as the number of rules grows, the stateful firewall will use a lower percentage of CPU, because in a stateless design, each packet will have to be compared against half of the firewall rules, on average, until a matching rule is found that explicitly allows or denies the packet. However, an increase in the size of the firewall policy rule table does not impact the stateful firewall to such a large degree, since the majority of packets are not connection setup packets. A stateful firewall amortizes the CPU cycles that were used to do the firewall policy rule table lookup over the massive per-packet CPU savings due to having only a simple per-packet hash to compute, to determine if the current packet is associated with a previously allowed connection. In contrast, a stateless firewall must examine every packet against the complete firewall policy rule table, or until it finds a matching rule, so in essence, every packet is treated as a connection setup packet, incurring the associated processing penalty. As a result of the differences in processing required for stateful vs. stateless firewall lookups, latency due to stateful firewall operations is very small and nearly constant on a per-packet basis, whereas latency in a stateless firewall depends on the size of the firewall policy rule table, and is of a much larger magnitude.

Once a TCP or UDP connection is established, a stateful firewall ensures that data traffic for that connection can flow in either direction even if the rules governing the firewall limit such traffic to be only associated with remotely generated (i.e., inbound), or locally-originated (i.e., outbound) connections. When a stateful firewall has determined that a connection is being established by decoding each packet, it checks its policy table to find out whether the connection is allowed or denied. In TCP, the connection establishment packet is a specially marked TCP packet that the firewall can detect. A UDP connection is initiated by the first packet matching a set of identifying fields in the IP and UDP headers. If the firewall allows the new connection, the firewall saves a set of five values related to that connection's establishment into its connection-tracking table during the lifetime of that connection. Every inbound and every outbound packet associated with a given connection contains the same five values. This allows the stateful firewall to quickly check whether or not the packet belongs to a connection that was previously granted permission and then deny or allow the packet accordingly.

Note: Only TCP packets that match the connection-tracking table are allowed. UDP packets that do not match the table may represent a new connection and are compared with the firewall rules in order to determine whether or not to add an entry to the connection-tracking table for this new connection.
The five connection identifying values saved into the connection-tracking table are:
- IP Source Address
- IP Destination Address
- IP Protocol
- TCP or UDP Source Port
- TCP or UDP Destination Port


For TCP, in addition to the five items in the list, the firewall tracks the state of the TCP connection (for example, the current stage of the connection establishment process) in order to enforce legal state transitions in the TCP protocol. The firewall also tracks the current TCP sequence and acknowledgement numbers and the most recent TCP window in order to determine whether to drop packets that fall outside the current valid TCP window. This kind of scrutiny prevents potential attackers from sending spurious TCP reset packets to the local computer, in that the firewall prevents these reset packets from reaching the host if the TCP sequence number of the reset packet falls outside the current valid TCP receiving window. Some TCP options can also be used by the stateful firewall in determining whether to allow or deny TCP packets, because certain TCP options can only be used if their use was negotiated during the connection establishment process. If such TCP options were negotiated during the connection establishment phase, then the TCP state will reflect the successfully negotiated TCP options for that connection. The TCP policy table can still override the peers and prevent certain TCP options from being negotiated at all. Note: Other TCP options are not pre-negotiated. Therefore, decisions about whether to allow or deny TCP packets with such options must be based on the stateless (see Stateless Filtering) configuration of the firewall.

Stateless Filtering
The main difference between stateful filtering and stateless filtering is that, contrary to the quick lookup-and-decide process enabled by the connection state tracking table that drives the decision-making process in stateful filtering, all of the stateless filtering rules must be examined in sequence, for each packet, until a rule is found that either explicitly allows or denies that packet.

Note: For protocols such as ICMP and other non-TCP and non-UDP protocols, and for any non-IP protocols, the firewall performs stateless filtering but no stateful tracking or filtering.

In stateless filtering, the firewall can be configured to allow in or deny in certain kinds of traffic (from a specific protocol, with a particular option, etc.) on a given network interface. Similarly, the firewall can be configured to allow out, deny out, allow in and out, or deny in and out on the same traffic. Note that in implies the receive direction and out implies the transmit direction.

On average, the firewall will need to search half of its rules list for any given packet in order to find an applicable rule. Therefore, in general, as the number of rules increases, the firewall consumes more time in determining the outcome of a given packet. On the other hand, the NVIDIA Firewall has been optimized so that looking up certain commonly used parameters (for example, ICMP, TCP, and UDP in the IP protocol table) is much faster and independent of the table size.

The firewall can be configured to perform stateless filtering based on:
- EtherType values
- Specific IPv4 or IPv6 addresses or address prefixes
- Specific domain names contained within DNS name resolution queries or responses
- Specific IP options
- Specific TCP options
- Specific ICMP (Type, Code) pairs
- Other relevant parameters

In all cases, stateless filtering rules are specified in the appropriate firewall table in the ForceWare Network Access Manager Web-based interface. For example, when filtering ICMP traffic, the filtering rule is based on both the first three items (IP Source Address, IP Destination Address, and IP Protocol) as listed in the section on Stateful Filtering on page 31, as well as the particular ICMP (Type, Code) field values in each ICMP packet. In ICMP filtering, the IP Protocol is implicitly required to have a value of 0x01, which is the protocol value for ICMPv4. A similar requirement is placed on ICMPv6, with its own unique identifying number in the IPv6 headers (i.e., 0x3A).

In most situations involving stateless filtering, it is necessary to allow a given protocol to go both in and out on a given interface in order for the associated application to operate normally. However, it may also be the case that certain applications require that one type of traffic be allowed in, while another type is allowed out. One example of the latter case is ping: in order for the application process to complete successfully, the firewall must be configured to allow both an outbound ICMP Echo packet (Type = 0x08, Code = 0x00) and an inbound ICMP Echo Reply packet (Type = 0x00, Code = 0x00). These settings will allow the local PC to ping remote computers but will not necessarily allow remote computers to ping the local computer, because inbound ICMP Echo packets and outbound ICMP Echo Reply packets are not necessarily allowed.

Note: Based on the above values, note that the ICMP (Type, Code) pair values for ICMP Echo and Echo Reply are, in fact, different.
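The stateful and stateless decision paths described in this chapter, as an added illustrative model that is not NVIDIA's code: a connection table keyed on the five values above and consulted for every TCP/UDP packet (return traffic matches with source and destination swapped), the policy table consulted only when a new connection is opened (TCP by a SYN packet, UDP by its first packet), a simplified in-window check on inbound TCP resets, and stateless (direction, Type, Code) matching for ICMP using the ping rules from the text. The addresses, the rule representation and the fixed window size are assumptions; the real product's tables, rule syntax and hashing are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TCP, UDP, ICMP = 6, 17, 1   # IP protocol numbers (ICMPv4 is 0x01, as the text states)
IN, OUT = "in", "out"       # "in" is the receive direction, "out" the transmit direction


@dataclass(frozen=True)
class Packet:
    direction: str          # IN or OUT relative to the protected host
    proto: int
    src: str
    dst: str
    sport: int = 0          # TCP/UDP source port (unused for ICMP)
    dport: int = 0          # TCP/UDP destination port (unused for ICMP)
    syn: bool = False       # TCP SYN flag: the connection-initiation packet
    rst: bool = False       # TCP RST flag
    seq: int = 0            # TCP sequence number
    length: int = 0         # TCP payload length
    icmp_type: int = -1
    icmp_code: int = -1

    def five_tuple(self) -> Tuple[str, str, int, int, int]:
        # The five values the text says are saved into the connection-tracking table.
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_tuple(self) -> Tuple[str, str, int, int, int]:
        # Return traffic of the same connection carries the same five values, swapped.
        return (self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Connection:
    direction: str                       # direction of the packet that opened the connection
    peer_next_seq: Optional[int] = None  # next sequence number expected from the peer (TCP only)
    window: int = 65535                  # simplified fixed receive window (assumption)


class Firewall:
    """The policy table is consulted once per new TCP/UDP connection and once per ICMP
    packet; every other packet is answered by a 5-tuple lookup in the connection table."""

    def __init__(self, allowed_dirs: Dict[int, Set[str]],
                 icmp_rules: Set[Tuple[str, int, int]]) -> None:
        self.allowed_dirs = allowed_dirs   # e.g. {TCP: {OUT}, UDP: {OUT}}: outbound connections only
        self.icmp_rules = icmp_rules       # stateless (direction, Type, Code) triples that are allowed
        self.conntrack: Dict[tuple, Connection] = {}
        self.policy_lookups = 0            # how often the (slow) rule table had to be searched

    def decide(self, pkt: Packet) -> str:
        if pkt.proto == ICMP:
            return self._stateless(pkt)
        if pkt.proto not in (TCP, UDP):
            return "deny"                  # other protocols are outside this model
        conn = self.conntrack.get(pkt.five_tuple()) or self.conntrack.get(pkt.reverse_tuple())
        if conn is not None:
            return self._tracked(pkt, conn)
        # No table entry: only a SYN may open a TCP connection; any first UDP packet is a candidate.
        if pkt.proto == TCP and not pkt.syn:
            return "deny"
        self.policy_lookups += 1           # new connection: ask the policy table
        if pkt.direction in self.allowed_dirs.get(pkt.proto, set()):
            self.conntrack[pkt.five_tuple()] = Connection(pkt.direction)
            return "allow"
        return "deny"

    def _tracked(self, pkt: Packet, conn: Connection) -> str:
        if pkt.proto == TCP and pkt.direction == IN:
            if pkt.rst and conn.peer_next_seq is not None:
                # Spurious-reset defence: a RST whose sequence number falls outside
                # the current valid receive window never reaches the host.
                lo, hi = conn.peer_next_seq, conn.peer_next_seq + conn.window
                if not lo <= pkt.seq < hi:
                    return "deny"
            # Advance the expected sequence number (a SYN consumes one sequence number).
            conn.peer_next_seq = pkt.seq + pkt.length + (1 if pkt.syn else 0)
        return "allow"

    def _stateless(self, pkt: Packet) -> str:
        # ICMP has no connection concept: every packet is matched against the rules.
        self.policy_lookups += 1
        key = (pkt.direction, pkt.icmp_type, pkt.icmp_code)
        return "allow" if key in self.icmp_rules else "deny"


def ping_rules() -> Set[Tuple[str, int, int]]:
    # The text's ping example: allow outbound Echo (8, 0) and inbound Echo Reply (0, 0) only.
    return {(OUT, 0x08, 0x00), (IN, 0x00, 0x00)}


def demo() -> Dict[str, str]:
    # Constructed traffic (RFC 5737 documentation addresses) against outbound-only rules.
    fw = Firewall({TCP: {OUT}, UDP: {OUT}}, ping_rules())
    host, peer = "192.0.2.10", "198.51.100.5"
    return {
        "outbound SYN": fw.decide(Packet(OUT, TCP, host, peer, 40000, 80, syn=True, seq=100)),
        "inbound SYN-ACK": fw.decide(Packet(IN, TCP, peer, host, 80, 40000, syn=True, seq=5000)),
        "unsolicited inbound SYN": fw.decide(Packet(IN, TCP, "203.0.113.7", host, 1234, 445, syn=True)),
    }
```

Note that the model never removes a connection entry; a real stateful firewall also expires entries and tears them down on FIN/RST.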


Chapter 4: Configuring the NVIDIA Firewall


This chapter contains the following main topics:
- NVIDIA Firewall Parameters Reference on page 35
- Using the Basic Configuration Page on page 36
- Advanced Configuration on page 38
- About Working With Tables on page 40
- Using the NVIDIA Firewall Wizards Page on page 42
- Configuration Dependencies on page 43
- NVIDIA Firewall Statistics on page 44
- NVIDIA Firewall Logging on page 48

NVIDIA Firewall Parameters Reference


Appendix B: NVIDIA Firewall Parameters Reference on page 117 is an NVIDIA Firewall Reference guide, categorizing the NVIDIA Firewall parameters by group and table names. When you are using the Firewall parameters from the ForceWare Network Access Manager Web-based interface, you can easily access online Help by clicking the Help tab.


Using the Basic Configuration Page


1 Open the ForceWare Network Access Manager Web-based interface. If you need help, see Launching the ForceWare Network Access Manager Web Interface on page 21.
2 From the Firewall menu, click the Basic Configuration option to open the Firewall Basic Configuration page (Figure 4.1).
3 Click the Security Profiles list to view the profiles, which are predefined sets of table rules.
  Note: You cannot edit these basic pre-defined profiles. To create custom profiles to define the sets of NVIDIA Firewall rules, see Advanced Configuration on page 38 and Using the NVIDIA Firewall Wizards Page on page 42.
4 To enable a specific profile, click the Security profiles list and select the profile you want. See the next section, Security Profile Settings, for an explanation of each setting.
5 Click Apply.
6 To view the actual rules associated with a profile, repeat step 4 above.
7 From the Firewall > Advanced Configuration menu, click the appropriate option to open a table. Using the table, you can determine whether the settings are appropriate at the level of protection you want for your application(s).

Security Profile Settings

Note: You cannot edit the pre-defined profile settings described below. However, you can create custom profiles to define your own sets of NVIDIA Firewall rules, as explained in Advanced Configuration on page 38 and Using the NVIDIA Firewall Wizards Page on page 42. For additional details about security profiles, see Configure Firewall Security Level on page 117 in Appendix B.
Lockdown drops all packets except outbound Alert Standard Format (ASF) packets.
High is an extremely secure setting. However, due to the stringent filtering rules associated with this setting, many applications may not work as expected and some applications may not work at all.
Medium (the default profile setting after installation) is intended to provide a good balance between usability and security, with an emphasis on security.

Figure 4.1 NVIDIA Firewall Basic Configuration

Low is the least secure of the profile settings, but allows most applications to work properly.
Anti-hacking only enables only the anti-hacking features of the NVIDIA Firewall and is useful in a dual-firewall configuration, for example, if you want to use a third-party firewall product along with the anti-hacking features of the NVIDIA Firewall.
Note: The Anti-hacking only setting turns off the NVIDIA Firewall's rule-based filtering, allowing most incoming and outgoing network traffic**. The logging of NVIDIA Firewall messages will proceed as usual, as long as you have enabled one of the log message types in the NVIDIA Firewall Log Settings page.
** If you are using the Anti-hacking only setting with a third-party firewall, then the third-party firewall controls the incoming and outgoing network traffic and will probably deny most of it. However, the NVIDIA Firewall will still continue to log messages pertaining to the Anti-hacking only setting, as long as you have enabled one of the log message types in the NVIDIA Firewall Log Settings page. For additional information, see NVIDIA Firewall Logging on page 48.
Off turns off the NVIDIA Firewall, allowing all incoming and outgoing network traffic.

Advanced Configuration
If you want to create a custom profile, you can use any of the basic Lockdown, High, Medium, Low, Anti-hacking only, or Off profiles discussed in Using the Basic Configuration Page on page 36 as a starting point.
Note: You can define up to three independent custom profiles.
To create or choose a custom profile, follow these steps:
1 Open the ForceWare Network Access Manager Web browser interface. If you need help, see Launching the ForceWare Network Access Manager Web Interface on page 21.
2 From the Firewall menu, click Basic Configuration to open the Firewall Basic Configuration page.
3 Click the Security Profiles list to view the profiles.
4 Select one of the three Custom profiles.
5 Specify a new name for each custom profile you selected in step 4 in the Rename... edit box.
Note: You will probably choose to generate a custom profile based on one of the pre-defined profiles, e.g., Lockdown, High, Low, etc.
6 To edit the associated table rules, select the appropriate option under the Advanced Configuration menu to perform any of the following actions:
To add a rule or purge all rules in a table, use the Add Rule or Purge Table buttons in the corresponding table's page.
To change only the action of an existing rule, follow these steps:
a) Click the drop-down menu in the corresponding table row under the Action column and choose either Allow or Deny (for all tables) or Ignore (for the UDP/TCP Port table only). For further details, see About Working With Tables on page 40.
b) Click Apply.
Note: Multiple actions may be modified before you click Apply, which accepts all the changes at once.
To edit any other parameter of an existing rule, or to delete a rule, click the icon in the corresponding row under the Edit column to open the Rule editing page.
For brief descriptions of each table parameter, click the Help button in the upper-right corner of either the Table page or the Rule editing page. For more detailed descriptions of each table parameter, refer to NVIDIA Firewall Parameters Reference on page 117 in this guide.
The NVIDIA Firewall > Advanced Configuration page also allows you to toggle the more advanced security features of the NVIDIA Firewall. For detailed information on these features, click the Help tab in the upper-right corner of the page.

Configuring Antihacking Features

The antihacking features of the NVIDIA Firewall include antispoofing, antisniffing, anti-ARP cache poisoning, and anti-DHCP server, all of which provide important security controls for corporate network environments. You can configure antihacking features from the NVIDIA Firewall Options page (Figure 4.2).

Figure 4.2 NVIDIA Firewall Options

Follow these steps to access the Firewall Options page:
1 Open the ForceWare Network Access Manager Web-based interface. If you need help, see Launching the ForceWare Network Access Manager Web Interface on page 21.
2 From the NVIDIA Firewall menu, click Advanced Configuration, and then click Options to open the Firewall Options page (Figure 4.2).
3 For detailed information about the options and how to configure them, see Group: Configure Firewall Options on page 120 in Appendix B: NVIDIA Firewall Parameters Reference on page 117.

About Working With Tables


Specifying Actions
For each rule, you can specify the action that the NVIDIA Firewall should perform if a packet or connection matches that rule. In the following three types of tables, where the direction of traffic is important, each rule lets you set the Inbound action and the Outbound action separately:
IP Option table
UDP/TCP Port table
ICMP table

In all other types of tables, the direction is not important. Therefore, each rule lets you set one action for both inbound and outbound. Every rule can either Allow or Deny traffic, while each rule in the UDP/TCP Port table has an additional action called Ignore. The Ignore action is useful when you want a UDP/TCP Port rule to apply in only one direction. For example, setting a rule for HTTP (Web) port 80 to deny inbound and ignore outbound will always block Web connections in the inbound direction, but will let a more generic matching rule or the default action determine the action for outbound Web connections.

About Table Sorting


You can sort any table based on the contents of any column by clicking either the Up or Down arrow adjacent to the column name in the header at the top of each column. When you first view a table, the tables are sorted by default in the following ways:
In the IP Address table, the Domain Name table, and the UDP/TCP Port table, the rules are normally sorted by the Rule Order column, which is both the order in which the rules were added and the order in which they are applied. Executing the rules in the order of their creation allows you to add overlapping rules that provide one action for a more generic range of IP addresses or domain names, while having a different action for a more specific IP address or domain. For example, if you first create an IP Address table rule to allow address 10.1.1.2 and mask 255.255.255.255, and then create a rule to deny address 10.1.1.0 and mask 255.255.255.0, then the IP Address table will allow traffic to 10.1.1.2 but will block other IP addresses beginning with 10.1.1.x. Traffic to 10.1.1.2 will not be blocked by the second rule of this table because the first rule already matches it. You can similarly set up the Domain Name table to block a generic domain suffix (e.g., example.com) but allow specific domain names (e.g., foo.example.com). Because the first matching rule wins, the specific (allow) rule must be created before the generic (deny) rule; in the reverse order the generic rule would match first and the exception would never take effect.
In all other tables, the rules are normally sorted by the most significant column. For example, EtherType rules are sorted by the EtherType value, the ICMP rules are sorted by the ICMP Type and then ICMP Code, etc. An exception to this behavior is that right after adding a rule to any table, the new rule appears at the bottom of the table so that it can be easily verified as having been added. When the table is viewed again (after navigating away to another page within the Web browser), the rules are back to the default sorting method.
Note: While every table has a Rule Order column, only in the IP Address table, the Domain Name table, and the TCP/UDP Port table mentioned above do you need to worry about the Rule Order when adding new rules, because they allow overlapping IP addresses or domain names.

Table Default Action Settings


Each table also has an associated default action, which may be set to Allow or Deny. Depending on the default action, a given individual rule may or may not have any effect. For example, if the TCP default action is to Allow packets associated with outbound connections and to Deny packets associated with inbound connections, then having a rule to allow outbound HTTP (i.e., TCP port 80) connections would be redundant, because that traffic would already have been allowed by the default action. The default action defines the action that will be performed when no other specific rule in that particular table applies to a given type of packet.
In general, if the default action of a table is to Deny, then most rules should be set to Allow specific exceptions. Similarly, if the default action is to Allow, then most rules should be set to Deny specific exceptions.
Note: It is generally agreed that it is safer to discard traffic unless you specifically need to allow it, so a default action of Deny is more secure than a default action of Allow, at the cost of having to add an Allow rule for each kind of traffic you need.
The NVIDIA Firewall compares each packet to the firewall tables in the following order, from the lower-numbered, more fundamental parameters to the higher-numbered, more complex parameters:
a EtherType table
b IP Address table
c IP Option table
d IP Protocol table
e TCP Option table
f UDP/TCP Port table
g ICMP table
h Domain Name table

Note: Packets of a specific protocol, such as TCP, will not be processed by the table of an unrelated protocol, such as ICMP. A packet must be allowed by every table that applies to it; a Deny in an earlier table is final, and the later tables never see the packet.
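The following Python script is an added worked example, not part of this guide or of the NVIDIA software. It models the evaluation order above, the first-match Rule Order of the IP Address table, the Ignore action of the UDP/TCP Port table, and per-table default actions, and it reports which table and rule denied a packet, which is the same information the firewall records in its log entry (see NVIDIA Firewall Logging on page 48). The table names and their order come from this guide; the rule representation, the mapping of packet types to tables, and the sample profile and packets are assumptions made for the example.

```python
import ipaddress

# Evaluation order stated in the guide, from EtherType to Domain Name.
TABLE_ORDER = ["EtherType", "IP Address", "IP Option", "IP Protocol",
               "TCP Option", "UDP/TCP Port", "ICMP", "Domain Name"]


def table_applies(table, pkt):
    """A table only sees packets of a related protocol (assumed mapping)."""
    ipv4 = pkt["ethertype"] == 0x0800
    return {
        "EtherType": True,
        "IP Address": ipv4,
        "IP Option": ipv4 and bool(pkt.get("ip_options")),
        "IP Protocol": ipv4,
        "TCP Option": ipv4 and pkt.get("proto") == 6,
        "UDP/TCP Port": ipv4 and pkt.get("proto") in (6, 17),
        "ICMP": ipv4 and pkt.get("proto") == 1,
        "Domain Name": "domain" in pkt,
    }[table]


def rule(name, match, inbound, outbound=None):
    """Build a rule; tables without a direction use one action for both."""
    return {"name": name, "match": match, "inbound": inbound,
            "outbound": inbound if outbound is None else outbound}


def ip_rule(name, cidr, action):
    net = ipaddress.ip_network(cidr)
    return rule(name, lambda p: ipaddress.ip_address(p["peer"]) in net, action)


def evaluate(profile, pkt):
    """Walk the tables in order. Within a table the first matching rule whose
    action is not Ignore decides; with no such match, the table default decides.
    The first table that denies wins, and that (table, rule) is what the log
    entry names. Returns (action, table, rule_name)."""
    direction = pkt["direction"]
    for table in TABLE_ORDER:
        if not table_applies(table, pkt):
            continue
        rules, default = profile[table]["rules"], profile[table]["default"]
        action, decided_by = None, None
        for r in rules:                                  # Rule Order = creation order
            if r["match"](pkt) and r[direction] != "Ignore":
                action, decided_by = r[direction], r["name"]
                break                                    # later rules never override
        if action is None:
            action, decided_by = default[direction], "default action"
        if action == "Deny":
            return "Deny", table, decided_by
    return "Allow", None, None


def with_reversed_ip_rules(profile):
    """Same profile with the IP Address rules in the opposite Rule Order."""
    flipped = dict(profile)
    flipped["IP Address"] = {"rules": list(reversed(profile["IP Address"]["rules"])),
                             "default": profile["IP Address"]["default"]}
    return flipped


BOTH_ALLOW = {"inbound": "Allow", "outbound": "Allow"}
BOTH_DENY = {"inbound": "Deny", "outbound": "Deny"}

# Constructed sample profile (assumption, not a product profile).
PROFILE = {
    "EtherType": {"rules": [rule("IPv4", lambda p: p["ethertype"] == 0x0800, "Allow")],
                  "default": BOTH_DENY},
    # The overlapping rules from the guide: allow one host, then deny its /24.
    "IP Address": {"rules": [ip_rule("host 10.1.1.2", "10.1.1.2/32", "Allow"),
                             ip_rule("subnet 10.1.1.0/24", "10.1.1.0/24", "Deny")],
                   "default": BOTH_ALLOW},
    "IP Option": {"rules": [], "default": BOTH_DENY},
    # Protocol 1 is denied here, so the ICMP table below is never reached.
    "IP Protocol": {"rules": [rule("TCP (6)", lambda p: p.get("proto") == 6, "Allow"),
                              rule("UDP (17)", lambda p: p.get("proto") == 17, "Allow"),
                              rule("ICMP (1)", lambda p: p.get("proto") == 1, "Deny")],
                    "default": BOTH_DENY},
    "TCP Option": {"rules": [], "default": BOTH_ALLOW},
    # Port 80: deny inbound, Ignore outbound so the default decides outbound.
    "UDP/TCP Port": {"rules": [rule("HTTP", lambda p: p.get("port") == 80, "Deny", "Ignore")],
                     "default": {"inbound": "Deny", "outbound": "Allow"}},
    "ICMP": {"rules": [rule("echo request", lambda p: p.get("icmp_type") == 8, "Allow")],
             "default": BOTH_DENY},
    "Domain Name": {"rules": [], "default": BOTH_ALLOW},
}

# Constructed packets (not captures); "peer" is the remote address.
PACKETS = {
    "out_http_allowed_host": {"direction": "outbound", "ethertype": 0x0800,
                              "peer": "10.1.1.2", "proto": 6, "port": 80},
    "out_http_denied_subnet": {"direction": "outbound", "ethertype": 0x0800,
                               "peer": "10.1.1.7", "proto": 6, "port": 80},
    "in_http": {"direction": "inbound", "ethertype": 0x0800,
                "peer": "192.0.2.5", "proto": 6, "port": 80},
    "out_ping": {"direction": "outbound", "ethertype": 0x0800,
                 "peer": "192.0.2.5", "proto": 1, "icmp_type": 8},
    "out_arp": {"direction": "outbound", "ethertype": 0x0806, "peer": "192.0.2.5"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:24s} -> {evaluate(PROFILE, pkt)}")
```

Running the script shows the points the text makes: the outbound HTTP packet to 10.1.1.2 is allowed because the host rule matches before the subnet rule and the port rule's Ignore defers to the outbound default; the same packet to 10.1.1.7 is denied by the IP Address table; the outbound ping is denied by the IP Protocol table even though the ICMP table would have allowed it, so the log entry names IP Protocol, not ICMP; and reversing the two IP Address rules makes the host exception disappear.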

Using the NVIDIA Firewall Wizards Page


Another way to configure rules in your custom profile is through the Firewall Wizards page (Figure 4.3); from the main menu, click Firewall > Wizards. Using a questionnaire format, the wizards provide a simple, step-by-step method to configure the tables and, for convenience, are separated into different categories of commonly-used applications. You can use the Firewall Wizards page to configure the NVIDIA Firewall to enable specific applications or classes of applications to work. There are wizards for various types of applications including Telnet, FTP, SSH, game servers, and so on. These wizards will open the required network ports that are used by these applications. If the particular application you are using needs other non-specific network ports, you can use the Generic Port wizard to add those ports for the application to work.
Note: Refer to your application documentation for information on the TCP/UDP ports that are used, if applicable.

Figure 4.3 Firewall Wizards

Configuration Dependencies
Under certain configurations, the NVIDIA Firewall might not function as expected even though its behavior is still consistent with the rules that were actually configured. In particular, it is possible to give the firewall conflicting configuration directives without it being obvious that this is the case. This situation can arise because of the many ways in which traffic can be allowed or denied and the overlapping scopes of the various firewall tables. For example, suppose that you had configured the NVIDIA Firewall to allow certain types of ICMPv4 traffic but had also configured it to block all IPv4 packets. If you had forgotten that the latter was the case, you might wonder why the allowed ICMPv4 traffic was not getting through. In this case, you would have to realize that you cannot expect ICMPv4 traffic to flow unless you allow at least IP Protocol number 0x01 (ICMP) in the IP Protocol table and EtherType 0x0800 (IPv4) in the EtherType table, because both of those tables are evaluated before the ICMP table. Other less obvious cases are also possible. For example, if all inbound packets with IP options are blocked, then IGMP Reports will not be received by the stack, since every IGMP Report carries an IP Router Alert option.

Recommendations
Note: There are many ways to configure different parameters, which could cause unintended and troublesome consequences. Therefore, it is best to work step-by-step through a configuration, building up one layer of rules at a time. Once a given configuration is known to be effective, you can amend it slightly and re-verify the old configuration while verifying the new configuration as well. Ultimately, the configuration will converge on a set of rules that meets the stated requirements.
Note: Attempting to set up the final configuration in a single big step can sometimes create interdependencies that prevent things from working as intended and result in difficult troubleshooting.
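The following Python script is an added example, not NVIDIA code, of checking a configuration for the kind of dependency described above before applying it: for every Allow rule it lists the entries in earlier tables that must also allow the packet, and it reports Allow rules that can never take effect because a prerequisite is denied. The prerequisite chains and the sample configuration are assumptions built from the two cases this section describes; the IP protocol numbers (ICMP 1, IGMP 2, TCP 6, UDP 17) and the Router Alert option type (148) are standard IPv4 values, not taken from this guide.

```python
import copy

# Standard IPv4 values (not from the guide).
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_IGMP, PROTO_TCP, PROTO_UDP = 1, 2, 6, 17
ROUTER_ALERT = 148                  # IP option type carried by every IGMP Report


def both(action):
    return {"inbound": action, "outbound": action}


# Constructed configuration for the example (assumption, not a product profile).
# Each table holds explicit rules keyed by the value the table matches on,
# plus the table's default action.
CONFIG = {
    "EtherType": {"rules": {ETHERTYPE_IPV4: both("Allow")}, "default": both("Deny")},
    "IP Option": {"rules": {}, "default": both("Deny")},           # every IP option blocked
    "IP Protocol": {"rules": {PROTO_TCP: both("Allow"), PROTO_IGMP: both("Allow")},
                    "default": both("Deny")},                       # so ICMP (1) is denied
    "UDP/TCP Port": {"rules": {(PROTO_TCP, 80): {"inbound": "Deny", "outbound": "Allow"}},
                     "default": {"inbound": "Deny", "outbound": "Allow"}},
    "ICMP": {"rules": {8: both("Allow")}, "default": both("Deny")},    # echo request
}


def is_allowed(config, table, key, direction):
    entry = config[table]["rules"].get(key, config[table]["default"])
    return entry[direction] == "Allow"


def prerequisites(table, key):
    """Entries in earlier tables that must also allow a packet before `table`
    ever sees it. Every IPv4 table sits behind EtherType 0x0800."""
    if table == "EtherType":
        return []
    chain = [("EtherType", ETHERTYPE_IPV4)]
    if table == "ICMP":
        chain.append(("IP Protocol", PROTO_ICMP))
    elif table == "UDP/TCP Port":
        chain.append(("IP Protocol", key[0]))          # key is (protocol, port)
    elif table == "IP Protocol" and key == PROTO_IGMP:
        chain.append(("IP Option", ROUTER_ALERT))      # IGMP Reports carry Router Alert
    return chain


def shadowed_allows(config):
    """Allow rules that cannot take effect because a prerequisite is denied.
    Each finding is (table, key, direction, prerequisite_table, prerequisite_key)."""
    findings = []
    for table, tdef in config.items():
        for key, actions in tdef["rules"].items():
            for direction, action in actions.items():
                if action != "Allow":
                    continue
                for ptable, pkey in prerequisites(table, key):
                    if not is_allowed(config, ptable, pkey, direction):
                        findings.append((table, key, direction, ptable, pkey))
    return findings


def repair(config):
    """Return a copy with an Allow added for every missing prerequisite. This
    widens the configuration, so review the result: allowing IP option 148 or
    protocol 1 admits more than just the traffic you were trying to enable."""
    fixed = copy.deepcopy(config)
    for _table, _key, direction, ptable, pkey in shadowed_allows(config):
        entry = fixed[ptable]["rules"].setdefault(pkey, dict(fixed[ptable]["default"]))
        entry[direction] = "Allow"
    return fixed


if __name__ == "__main__":
    for table, key, direction, ptable, pkey in shadowed_allows(CONFIG):
        print(f"{table} {key} {direction}: Allow has no effect, {ptable} {pkey} is denied")
    print("after repair:", shadowed_allows(repair(CONFIG)))
```

On the sample configuration the check reports four shadowed rules: the ICMP echo-request Allow in both directions (IP Protocol 1 is denied) and the IGMP Allow in both directions (the Router Alert option is denied). This is the step-by-step verification the recommendations call for, done before the change rather than after a failed test.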

NVIDIA Firewall Statistics


All packets generate statistics when passing through the NVIDIA Firewall, whether they are allowed or denied. Each packet increments one of these packet counts: UDP, TCP, ICMP, or Other, as well as one of the TCP and UDP connection counts if it is a connection-initiating packet.
The NVIDIA Firewall statistics allow you to do the following:
Determine the kind of traffic your computer is exchanging
Determine the amount of traffic being allowed or denied
Verify whether a recently changed firewall rule is operating as intended
For example, suppose that you wanted to add a rule to deny TCP packets to any port between 1002 and 1009. To do so you can use the ForceWare Network Access Manager Web interface and follow these steps:
1 From the NVIDIA Firewall > Information menu, click any of the graph or table choices.
2 For example, to see statistics about the Firewall interface presented in a graphical format, click Graphical to display a page similar to Figure 4.4. For detailed Help on options, click the Help tab.
a To view statistics based on the number of packets, click the Packets tab.
b To view statistics based on the number of connections, click the Connections tab.
c After noting the current TCP statistics, you can add a TCP Port Rule to block the 1002 to 1009 range.
d Then you can send some test packets to verify that such packets were actually blocked.

Figure 4.4 Graphical Information for Packets

In the figure, red arrows represent packets or connections that are stopped by the NVIDIA Firewall. Arrows pointing to the computer icon represent received packets or incoming connections. Arrows originating from the computer icon represent transmitted packets or outgoing connections.
3 In order to send TCP traffic to a particular port, you can open a command prompt window and type:
telnet foo.example.com 1003
where:
foo.example.com is any valid domain name or IP address that will normally let a packet be sent through the NVIDIA Firewall.
1003 is any number between 1002 and 1009 that should be blocked.
The Telnet program will attempt to connect and the expected result (if the rule has been set up properly) is that the Telnet connection attempt should eventually time out, because the packets associated with that connection have been blocked.
4 After performing the above test, you can click the Bar graph or Table option from the Information menu to verify whether the Outbound TCP connections denied count or the Outbound TCP packets denied count has increased by an amount consistent with the tests that were performed. A sample bar graph is shown in Figure 4.5.
Figure 4.5 Bar Graph of Packet Activity

A sample table of Firewall statistics is shown in Figure 4.6 and Figure 4.7.

Figure 4.6 Table (Statistics) of Packet Activity, 1st section

Figure 4.7 Table (Statistics) of Packet Activity, 2nd section
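Telnet tests one port at a time and only shows a timeout. The following Python script is an added example, not part of this guide, that sweeps the whole 1002 to 1009 range and classifies each connect attempt: a timeout is what a silently dropped packet looks like, while a refusal means the packet reached the host (nothing was listening there), so the deny rule is not catching that port. The host name and the helper names are assumptions for the example.

```python
import socket
import sys

BLOCKED_PORTS = range(1002, 1010)      # the rule under test denies 1002 to 1009


def classify(exc):
    """Turn the outcome of a connect attempt into what it says about the
    firewall: 'open' (connected), 'timeout' (no reply at all, which is how a
    silently dropped SYN looks), 'refused' (an RST came back, so the packet
    reached the host and was NOT blocked), or 'error' (name lookup, routing)."""
    if exc is None:
        return "open"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "error"


def probe(host, port, timeout=3.0):
    """One connect attempt, equivalent to 'telnet host port' with a deadline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:          # socket.timeout and the Connection* errors are OSErrors
        return classify(exc)


def sweep(host, ports, timeout=3.0):
    return {port: probe(host, port, timeout) for port in ports}


def verdict(results, blocked=BLOCKED_PORTS):
    """results maps port -> outcome. The deny rule is effective only if every
    port in the blocked range timed out; a 'refused' or 'open' there means that
    port is not being caught (an earlier, more specific rule may allow it)."""
    leaks = sorted(p for p, outcome in results.items()
                   if p in blocked and outcome != "timeout")
    return ("rule effective" if not leaks else "rule not effective"), leaks


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "foo.example.com"
    # Probe one port above the range too, to tell "blocked" from "host down".
    outcome = sweep(target, list(BLOCKED_PORTS) + [1010])
    for port, result in sorted(outcome.items()):
        print(f"{port}: {result}")
    print(*verdict(outcome))
```

A timeout only proves that no reply came back; the host being down or another firewall in the path produces the same result. That is why the script also probes port 1010, just outside the range, which should come back as refused (or open) if the host is reachable, and why step 4 above still matters: the Outbound TCP packets denied counter is what ties the timeouts to the NVIDIA Firewall rule.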


NVIDIA Firewall Logging


In addition to statistics, the NVIDIA Firewall generates log entries depending on the log filter. When a packet is dropped by the firewall, the log message saved by the firewall corresponds to the first table or rule that denied the packet, following the table order described in About Working With Tables on page 40. For example, if the NVIDIA Firewall generates a Blocked IP option message because a TCP packet has a disallowed IP option, the dropped packet might not have passed the TCP rules either, but since it was blocked by the IP Option table first, Blocked IP option is the message saved by the firewall. In the previous section, NVIDIA Firewall Statistics on page 44, the Telnet packet that was generated also causes a Blocked port message for port 1003, unless another table blocks it first, in which case a log message for that table is generated instead. In the latter case, the timestamps in the log messages can be used to correlate the log entries that were created during the test. Other events that generate log entries include changing to a different profile, packets dropped by an advanced NVIDIA Firewall security option, enabling and disabling an NVIDIA network interface, and any other changes to the NVIDIA Firewall configuration.
Note: Log entries are saved in batches, so the most recent entries may take a short time to appear in the ForceWare Network Access Manager Web interface.
Note: Logging all successful packets may degrade network performance.
1 To open the Log Settings page, choose Log Settings from the menu.
2 Make sure the None option is not selected.
3 To view the Log page (Figure 4.8), click Log from the menu.
4 Use the links at the bottom of the page (First, Previous, Next, and Last) to navigate.
5 If you see too many log entries being generated, you can do one of the following:
Click Clear All Logs, or
Choose Log Settings from the menu to open the Log Settings page again, then consider changing the type of log messages to one of the several options provided, as shown in Figure 4.9.

Figure 4.8 Firewall Logging Messages

Figure 4.9 User Log Settings

Chapter 5

ADMINISTRATIVE TASKS

This chapter contains the following topics:
Accessing the Administration Menu on page 50
Application Access Control Page on page 51
Restore Factory Defaults on page 54
Display Settings on page 55
Backup/Restore on page 55
ForceWare Network Access Manager Software Version on page 56

Accessing the Administration Menu

1 Open the ForceWare Network Access Manager Web menu.
2 Click the Administration menu on the left of the window to expand it so that you can see the various menu choices.
3 Click the menu item to display its associated page on the right.


Application Access Control Page


From the Administration menu, click Access Control to display the Application Access Control page (Figure 5.1).
Figure 5.1 Application Access Control Settings

You can use the Application Access Control page to configure the application access permissions. Note the following about these permissions:
Permissions apply only to non-Administrator and remote users.
You must have Administrator rights to configure permissions from the local computer.
An Administrator on a local computer has access to all applications and configuration information, i.e., WMI scripts, the command line, and the Web interfaces, provided they are installed on the computer. The access control settings do not affect the Administrator.
These permissions cannot be viewed, accessed, or configured remotely, even by an Administrator.
Note: Most of the access control in place will work only if the applications are installed on the NTFS file system (FAT has no file permissions with which to enforce the restrictions), so it is recommended that you use NTFS; however, the application will still function if installed on a FAT file system.

Default Administrative Access Control Settings


Figure 5.1 shows the default access settings of the ForceWare Network Access Manager software.
Note: You can also control access by using nCLI parameters such as AccessCLI, AccessWMIScript, etc.

Table 5.1 NVIDIA Firewall Features: Type of Access

Feature                           | nCLI               | WMI Script         | Web Local          | Web Remote
----------------------------------|--------------------|--------------------|--------------------|----------------------------------------------------------
Ethernet                          | Any user           | Any user           | Any user           | Any user with the correct password and IP address/mask pair is granted remote Web access with Administrator rights.
Firewall                          | Administrator only | Administrator only | Administrator only | Any user with the correct password and IP address/mask pair is granted remote Web access with Administrator rights.
Ability to change access settings | Administrator only | Administrator only | Administrator only | NA

Command Line Access


Note: The Access to CLI parameter is displayed only if the nCLI program is installed on the computer.
Default: Allow access
This field lets you specify whether to Allow or Deny command line access to non-Administrator users. If local command line access is denied, non-Administrator users cannot access the Network Access Manager from the command line. Regardless of this setting, users with Administrator privileges can always use the command line interface.

WMI Script
Default: Allow access
This field lets you specify whether to Allow or Deny WMI scripting access to non-Administrator users. If access is denied, no instances of the WMI classes in the NVIDIA namespace will be available through a WMI script or any other third-party WMI application. Administrator users can always access WMI using scripts.

Local Web Access

Default: Local Web access is Allow.
This option allows or denies access to the Web interface from the local computer. If local Web access is denied, non-Administrator users cannot access the Network Access Manager from the Web interface. Regardless of this setting, users with Administrator privileges can always access the Web interface.

Remote Web Access


Default: Remote Web access is Deny.
Note: Communication between the remote Web client and Network Access Manager is protected by SSL. For maximum security, you are encouraged to leave remote Web access disabled.
When connecting to the Web interface from a remote computer, use the following URL:
https://<computer name>:3476
and type admin as the user name, as shown below:
username: admin
password: ______ (the password is blank by default)
Note: The password for this account can be changed, and it should be set before you enable remote Web access: with the default blank password, any host that passes the IP address/mask check (see below) can log in as admin. The password must be less than 255 characters. Valid characters are a through z, A through Z, 0 through 9, and space.

Additional Notes
Remote access to Network Access Manager is most suitable in a home environment. Remote access is granted to the admin account only, and it can be restricted to a single IP address or to a subnet (an IP address/mask pair); see IP Address and IP Address Mask below.

NVIDIA Corporation

53

Chapter 5

Administrative Tasks

Password
Default: No password (the password string is empty). When you enable remote Web access, you can set a password.
Note: The user name for remote access is admin.

IP Address and IP Address Mask (optional)


Default: No IP address or mask An IP address or a subnet (specified as a combination of an IP address and an IP address mask) can be used to restrict remote access to the computer such that access is limited to computers on the indicated IP subnet. Note: To restrict access to only one computer, you can specify an IP address and no IP address mask. Specifying an IP address mask without an IP address is invalid.
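The following Python functions are an added example, not NVIDIA code, that encode the remote-access rules stated above: the password character set and length limit, the IP address/mask restriction (no mask means a single computer, a mask without an address is invalid), and a combined login check. The function names are assumptions; treating a blank configured password as unusable is a hardening choice made in the example, stricter than the product's blank default.

```python
import hmac
import ipaddress

PASSWORD_ALPHABET = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")
PASSWORD_MAX_LEN = 254          # "must be less than 255 characters"
HOST_MASK = "255.255.255.255"   # an address without a mask means exactly one computer


def password_well_formed(password):
    """True if the password fits the stated length and character rules."""
    return len(password) <= PASSWORD_MAX_LEN and set(password) <= PASSWORD_ALPHABET


def restriction_error(address=None, mask=None):
    """Validate the optional IP address / IP address mask pair.
    Returns None when the pair is valid, otherwise a message."""
    if address is None and mask is not None:
        return "an IP address mask without an IP address is invalid"
    if address is not None:
        try:
            ipaddress.ip_network(f"{address}/{mask or HOST_MASK}", strict=False)
        except ValueError as exc:
            return f"bad address/mask: {exc}"
    return None


def client_permitted(client_ip, address=None, mask=None):
    """No address: any client. Address only: that one computer.
    Address and mask: every computer on that subnet."""
    err = restriction_error(address, mask)
    if err:
        raise ValueError(err)
    if address is None:
        return True
    net = ipaddress.ip_network(f"{address}/{mask or HOST_MASK}", strict=False)
    return ipaddress.ip_address(client_ip) in net


def remote_login(enabled, configured_password, client_ip, username, password,
                 address=None, mask=None):
    """Return (granted, reason), checking in the order an administrator expects:
    feature enabled, client address permitted, then credentials. A blank
    configured password is refused (added hardening): with the factory default,
    every permitted host would otherwise log in with Administrator rights."""
    if not enabled:
        return False, "remote Web access is disabled"
    if not client_permitted(client_ip, address, mask):
        return False, "client address is outside the permitted address/mask"
    if not configured_password:
        return False, "no admin password is set; set one before enabling remote access"
    if username != "admin" or not hmac.compare_digest(password, configured_password):
        return False, "bad credentials"        # compare_digest: constant-time comparison
    return True, "granted with Administrator rights"


if __name__ == "__main__":
    print(remote_login(True, "", "192.168.1.7", "admin", "", "192.168.1.0", "255.255.255.0"))
    print(remote_login(True, "secret 42", "192.168.1.7", "admin", "secret 42",
                       "192.168.1.0", "255.255.255.0"))
    print(remote_login(True, "secret 42", "203.0.113.9", "admin", "secret 42", "192.168.1.7"))
```

Note that the address check runs before the password check, so a host outside the permitted subnet learns nothing about whether a password is set, and that an address/mask restriction alone is not a substitute for the password: any host that can present a permitted source address is granted Administrator rights once the password matches.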

Restore Factory Defaults


Note: Only Administrator users can restore factory default values to the firewall.
1 Click Ethernet or Firewall to select one of these options:
Click Ethernet to restore factory default values to all the Ethernet-related parameters.
Click Firewall to restore factory default values to all the Firewall-related parameters.
2 After you select either Ethernet or Firewall, click Start Restore to restore the Ethernet or Firewall factory default values. An alert appears asking you to confirm whether you want to wipe out your current settings and replace them with the default values.
3 To proceed click OK. To cancel the operation, click Cancel.

Display Settings
The Display Settings page allows you to configure the font size for the pages and the refresh rate for the statistics pages.
Statistics refresh rate (Min 1, Max 65535) controls the refresh rate of all the statistics pages in the Web interface.
Range of values: 1 to 65535 seconds
Default: 10 seconds
Font size controls the font size used in the Web interface. The options are:
Default font
Small font

Click Apply for the changes to take effect.

Backup/Restore
The Backup/Restore page allows you to back up your configuration to a file or restore your configuration from a file you specify. Click Backup to open the Backup Configuration page described below, which allows you to back up your configuration to a file. Click Restore to open the Restore User Configuration page described below, which allows you to restore the configuration you have backed up in a file.

Backup Configuration
The Backup Configuration page allows you to export the current configuration into a file. You can select the filename and also provide a brief description to be added to the top of the file. Once the backup is completed, a link to the file is provided. You can right-click the link and save the file to any folder you want.
Note: Only Administrator users can back up the firewall configuration.
Backup filename is the filename of the backup file created.
Note: The default file name is export.txt.
Description. You can enter a short description of the configuration you are backing up. This description is added to the top of the file along with the date and time of the backup.
Configuration. You can choose either the Ethernet or the Firewall component to back up.
Note: If you don't choose one of the components, you will get an empty backup file.
Backup. Click Backup to start backing up the configuration settings for the selected components.

Restore User Configuration

Note: Only Administrator users can restore the firewall configuration.
The Restore User Configuration page lets you restore or import the configuration settings from a backup file, which replaces all of your current configuration with the values in the file.
Configuration File to Upload. Browse the folders on your computer and choose the backup file with the configuration you want to restore.
Note: If you don't specify a file, the last configuration you exported will be restored.
Restore. Click Restore to restore the configuration values contained in the specified file.
Note: A warning will be displayed indicating that the network interface might have to be restarted for these settings to take effect. You might lose the connection to the server but can get back to the page by clicking Refresh once the changes are applied. To proceed click OK; to cancel the operation, click Cancel.
At the end of the restore operation, a log appears indicating any errors in the restore operation. You can return to the previous settings by clicking Restore Backup.

ForceWare Network Access Manager Software Version


From the main ForceWare Network Access Manager menu, click Administration - Software Version to display the Network Access Manager Software Version page. This page displays the version information for all the ForceWare Network Access Manager files you have installed on this computer. Note: The version information is useful when you contact the computer manufacturer for technical support.

Chapter 6

USING WMI SCRIPT

This chapter contains the following topics:
Before You Begin on page 57
Benefits of Using WMI Script on page 58
Overview on page 58
Advanced Topics on page 59
Sample Scripts on page 60

Before You Begin

Using the WMI script language is recommended only for Administrators who are already familiar with programming in WMI script and who have become familiar with the syntax and characteristics of the configuration parameters; see Ethernet Parameters Reference on page A-79 and NVIDIA Firewall Parameters Reference on page B-117.
Note: For further information, you may want to consult the Microsoft documentation on WMI scripting.

Benefits of Using WMI Script


WMI script programming is used by the IT staff of larger corporations to carry out day-to-day maintenance work. The overall benefits of using WMI scripts include:
Industry standard. WMI can be used from languages such as Visual Basic Script and JavaScript.
Ease of use. Common scripts allow access to NVIDIA ForceWare Network Access Manager data.
Flexibility. The WMI script user can use the power of the script languages to meet almost any requirement. For example, as an Administrator, you can write a WMI script to scan for Yahoo Messenger on a computer and open the appropriate port if the computer user has sufficient rights.
Remote use. You can run WMI scripts remotely and use them as a deployment tool in an organization. See Configuration Deployment on page 26.

Overview
WMI technology is Microsoft Windows's implementation of Web-Based Enterprise Management (WBEM), an industry standard for management infrastructure that supports the Common Information Model (CIM), the Managed Object Format (MOF), and a common programming interface. WMI consists of a management infrastructure (the CIM object manager) and WMI custom providers that communicate with each other through a common programming interface using the Component Object Model (COM). The WMI technology also provides support for third-party custom providers. Custom providers can be used to service requests related to managed objects that are environment-specific. Providers typically do the following:
Use the MOF language to define and create classes.
Use the WMI API to access the CIM Object Manager (CIMOM) object repository and respond to CIMOM requests made initially by applications.
The ForceWare Network Access Manager solution supports CIM extension schemas and custom providers. For further details, see the following Web site: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmi/html/wmiscript.asp

Advanced Topics
NVIDIA Namespace
NVIDIA ForceWare Network Access Manager classes are located under root/ NVIDIA namespace in the WMI repository. Note: It is strongly recommended that you do not modify anything in the NVIDIA namespace; for example, do not add or remove classes, or update their qualifiers. Modifying these items can prevent the proper functioning of the ForceWare Network Access Manager software.

WMI Provider
NVIDIA implements an extensible instance provider to manage the NVIDIA-specific objects. It is a COM in-proc server.

Synchronization
NVIDIA management framework ensures that only one Web, nCLI, or WMI script user interface is running at any given time. This feature is implemented to avoid data synchronization problems and improve the user experience. Note: Within the WMI script, you can execute more than one script at any given time. However, doing so can potentially introduce data inconsistency. NVIDIA recommends that you run only one script at a time.


Sample Scripts
WMI script usage samples are provided in the following subdirectories under the default path of c:\nvidia\NetworkAccessManager, or your user-specified path:
samples\Eth
samples\Firewall
For example, Firewall WMI script examples are in: sample\Firewall\PerFireWMIScriptExamples.js
You can cut and paste the appropriate commands and use them in a batch file or on the command line.


CHAPTER 7

USING THE COMMAND LINE INTERFACE (CLI)


This chapter contains the following major sections:
Conventions Used on page 61
About Examples Used on page 62
Parameters on page 62
Modes of Operation on page 62
Using Single Parameters on page 63
Using Table Parameters on page 65
Browsing the Parameter Structure on page 71
Text File Processing on page 75
Glossary on page 78

Conventions Used
Text in code font (this is code font) means it is text that is displayed on your screen. Text in bold code font (bold code font) indicates text you type on your computer.


About Examples Used


Examples are used to show how to use the nCLI command and parameters in Expert mode (not Interactive mode) to configure some of the networking features of the ForceWare Network Access Manager application. You can simplify the examples to suit your needs. Note: Examples are also provided in the samples subdirectory, under the default path of c:\nvidia\NetworkAccessManager, or your user-specified path.

Parameters
The nCLI command accepts the following classes of parameters:
Single parameters contain a single value of some type.
Table parameters contain data grouped in rows. Each row follows a fixed structure. You can only perform row operations on tables.
Group parameters collect related parameters; Group get is useful in that you can view the value of all parameters inside a group with one command.
Namespace parameters are a collection of tables and other parameters. A namespace is a way to group parameters. You can only browse into a namespace. No Set or Get commands are allowed on namespace parameters.

Modes of Operation
You can run nCLI in either Expert Mode or Interactive Mode. nCLI also supports import/export functions and expert commands grouped in batch files. The key difference between expert mode and interactive mode is whether the control is switched back to command prompt when a command has completed.

Expert Mode
In expert mode, the control is switched back to the command prompt after a command has completed executing. From the command prompt, if you type ncli followed by a parameter, you exit to the command prompt after the command has completed.


Interactive Mode
In interactive mode, the control remains in nCLI until you type quit to exit nCLI. You remain in the nCLI shell during interactive operations. You can enter interactive mode in two ways:

First Method
1 From the command prompt, type ncli and press Enter.

The nCLI command prompt (nCLI>) appears to indicate nCLI is ready to accept a command.
2 You can now type commands in the nCLI mode without having to prefix the keyword ncli.

Second Method
Enter an incomplete command from the command prompt. For example:
ncli set ASFSupport
nCLI automatically enters interactive mode. When this command completes, you will exit to the command prompt.

Using Single Parameters


Get and Set are the two most frequently used nCLI operations. Get is used to retrieve the setting of a parameter and can be invoked on single, group, and table parameters. Set is used to change or update the current setting of a parameter. It can be used in expert mode, where the command is completed on one line, or in interactive mode. Single parameter Get and Set operations are discussed with examples in the sections that follow.

Set (Expert Mode)


Using the Set command in expert mode is intended for expert users to set a single parameter on a single computer. Using expert set requires knowing the correct (error-free) format or selection for the parameter and, therefore, requires familiarity with the distinguished name of the single parameter.


Some frequently set parameters, such as ASFSupport enable or ASFSupport disable, are usually set using expert mode. Note: These commands can also be included in script or batch files.

Example
C:\nvidia\NetworkAccessManager\bin>ncli set ASFSupport enable

Set (Interactive Mode)


Using interactive set doesn't require much prior knowledge of the parameter. In the following case, the parameter to be set, ASFSupport, is a selection, so the two choices are shown to help you select a value.

Example
C:\nvidia\NetworkAccessManager\bin>ncli set ASFSupport
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ASFSupport:
1 Disable
2 Enable
choose one (Enable): 1

Get
Example
C:\nvidia\NetworkAccessManager\bin>ncli get ASFSupport
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ASFSupport enable


Help
Example
C:\nvidia\NetworkAccessManager\bin>ncli help ASFSupport
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Enable or disable ASF (Alert Standard Format).
ASF is an industry specification that defines alerting capability in both OS-present and OS-absent environments.

Using Table Parameters


A table is a collection of groups (rows) that share the same fields (columns). Tables are frequently used to store the settings for firewall rules, filters, and statistics. Each row inside the table is uniquely identified by a key. A key is composed of one or more fields of a row. Note: Only expert users need to know the key format and composition. nCLI supports both interactive and expert operations on tables. Interactive mode is recommended for average users. Expert operations on tables are usually executed through batch files. Expert users can also use the export/import method and a text file to set up tables quickly.

Add Row
The following example shows how to add three rows to an empty table (NV_FwlEtherType), edit the table (see Edit Row on page 66), and then delete (see Delete Row on page 67) one row.

Example
C:\nvidia\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EtherType:2048
EtherTypeName:IP
EtherTypeRule
1 Deny
2 Allow
choose one: 2
C:\nvidia\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EtherType:2054
EtherTypeName:ARP
EtherTypeRule
1 Deny
2 Allow
choose one: 2
C:\nvidia\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
EtherType:32923
EtherTypeName:AppleTalk
EtherTypeRule
1 Deny
2 Allow
choose one: 1

Edit Row
Example
C:\nvidia\NetworkAccessManager\bin>ncli editrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
#  EtherType  EtherTypeName  EtherTypeRule
1  2048       IP             Allow
2  2054       ARP            Allow
3  32923      AppleTalk      Deny
Select a row to edit: 3
EtherType(32923)=2056
EtherTypeName(AppleTalk)=Frame Relay ARP / Inverse ARP
EtherTypeRule:
1 Deny
2 Allow
choose one(Deny): 2

Delete Row
Example
C:\nvidia\NetworkAccessManager\bin>ncli delrow NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
#  EtherType  EtherTypeName    EtherTypeRule
1  2048       IP               Allow
2  2054       ARP              Allow
3  2056       Frame Relay A..  Allow
Select a row to delete: 3
Are you sure? (y/n): Y

Help
Example
C:\nvidia\NetworkAccessManager\bin>ncli help NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Firewall rules for different Data Link Layer protocols
Firewall rules for different Data Link Layer protocols (identified by Ethernet type) including IP, IPX, NetBEUI, AppleTalk and other protocols.

Set Table
Invoking the nCLI set command on table parameters guides you through the different operations that can be performed on a table. In the following example, a row is added to the table, then edited, and finally deleted. Note: The Set table command does not require you to know the addRow, delRow, and editRow command names.

Examples
C:\nvidia\NetworkAccessManager\bin>ncli set NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):A
EtherType:32923
EtherTypeName:AppleTalk
EtherTypeRule
1 Deny
2 Allow
choose one: 1
C:\nvidia\NetworkAccessManager\bin>ncli set NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):E
EtherType(32923)=33079
EtherTypeName(AppleTalk)=IPX
EtherTypeRule:
1 Deny
2 Allow
choose one(Deny): 2
C:\nvidia\NetworkAccessManager\bin>ncli set NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
Select an option: AddRow(A), EditRow(E), Purge(P), DeleteRow(D), Quit(Q):D
#  EtherType  EtherTypeName  EtherTypeRule
1  2048       IP             Allow
2  2054       ARP            Allow
3  33079      IPX            Allow
Select a row to delete: 3
Are you sure? (y/n): y

Get Table
Example
C:\nvidia\NetworkAccessManager\bin>ncli get NV_FwlEtherType
NVIDIA ForceWare Network Access Manager Framework Version 01.00
#  EtherType  EtherTypeName  EtherTypeRule
1  2048       IP             Allow
2  2054       ARP            Allow

About Expert Commands


Due to their inherent complexity, expert commands are not as intuitive as interactive commands. The syntax of an expert command is shown below. Examples are also provided in the samples subdirectory, under the default path of c:\nvidia\NetworkAccessManager, or your user-specified path.

Syntax
_______________________________________________________________
ncli addrow <tablename> <column1>=<column1value>,<column2>=<column2value>,..
ncli editrow <tablename>.<key1>=<key1value>,<key2>=<key2value>,.. <column1>=<column1value>,<column2>=<column2value>,..
ncli delrow <tablename>.<key1>=<key1value>,<key2>=<key2value>,..
_______________________________________________________________


Examples
In the examples in this section:
A new row for the IPv6 EtherType is added and initially set to Allow.
The table is then edited with the IPv6 EtherType rule set to Deny.
Finally, the entire row is deleted.
_______________________________________________________________
C:\nvidia\NetworkAccessManager\bin>ncli addrow NV_FwlEtherType EtherType=34525,EtherTypeName=IPv6,EtherTypeRule=Allow
C:\nvidia\NetworkAccessManager\bin>ncli editrow NV_FwlEtherType.EtherType=34525 EtherType=34525,EtherTypeName=IPv6,EtherTypeRule=Deny
C:\nvidia\NetworkAccessManager\bin>ncli delrow NV_FwlEtherType.EtherType=34525

_______________________________________________________________
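Because the expert commands follow a fixed syntax and the table key is the EtherType value, the NV_FwlEtherType firewall table can be managed from a script rather than row by row. The following Python script is an added example, not code from the NVIDIA guide or its samples directory: it parses the table layout that ncli get NV_FwlEtherType prints (as shown in this chapter), compares it with a desired rule list, and emits only the addrow, editrow and delrow lines needed to bring the table into line; the sample table output and the desired rules are constructed for the example.

```python
"""Reconcile a desired NV_FwlEtherType rule set against the table nCLI reports.

Added example, not part of the NVIDIA guide. The expert-mode command syntax
(addrow / editrow / delrow) and the get-table layout follow the chapter text.
"""
import re

TABLE = "NV_FwlEtherType"
KEY = "EtherType"  # the key column used in the guide's editrow/delrow examples

# Constructed sample: the layout `ncli get NV_FwlEtherType` prints.
SAMPLE_GET_OUTPUT = """\
NVIDIA ForceWare Network Access Manager Framework Version 01.00
#  EtherType  EtherTypeName  EtherTypeRule
1  2048       IP             Allow
2  2054       ARP            Allow
3  32923      AppleTalk      Allow
"""

# Constructed desired state: IP and ARP allowed, AppleTalk and IPv6 denied.
DESIRED_RULES = {
    2048: ("IP", "Allow"),
    2054: ("ARP", "Allow"),
    32923: ("AppleTalk", "Deny"),
    34525: ("IPv6", "Deny"),
}

# row number, EtherType, name (may contain spaces), rule
ROW_RE = re.compile(r"^\s*\d+\s+(\d+)\s+(.+?)\s+(Allow|Deny)\s*$")


def parse_get_table(text):
    """Return {EtherType: (name, rule)} from the text nCLI prints for the table.

    The version banner and the '#' header line do not match ROW_RE and are
    skipped. Names the display truncates ("Frame Relay A..") are kept as shown,
    so a row with a long name may get a harmless, idempotent editrow.
    """
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1))] = (m.group(2).strip(), m.group(3))
    return rows


def validate_rule(ethertype, name, rule):
    """Reject values the table cannot hold before they reach a batch file."""
    if not 0 <= ethertype <= 0xFFFF:
        raise ValueError(f"EtherType {ethertype} is not a 16-bit value")
    if rule not in ("Allow", "Deny"):
        raise ValueError(f"EtherTypeRule must be Allow or Deny, got {rule!r}")
    if not name or "," in name or "=" in name:
        # ',' and '=' are the separators of the expert command syntax
        raise ValueError(f"EtherTypeName {name!r} is empty or contains , or =")


def build_commands(current, desired):
    """Emit the expert-mode commands that turn `current` into `desired`."""
    cmds = []
    for et, (name, rule) in sorted(desired.items()):
        validate_rule(et, name, rule)
        cols = f"EtherType={et},EtherTypeName={name},EtherTypeRule={rule}"
        if et not in current:
            cmds.append(f"ncli addrow {TABLE} {cols}")
        elif current[et] != (name, rule):
            cmds.append(f"ncli editrow {TABLE}.{KEY}={et} {cols}")
    # rows present on the host but absent from the desired list are removed
    for et in sorted(set(current) - set(desired)):
        cmds.append(f"ncli delrow {TABLE}.{KEY}={et}")
    return cmds


def reconcile(get_output=SAMPLE_GET_OUTPUT, desired=DESIRED_RULES):
    """Parse the captured get-table output and return the commands to run."""
    return build_commands(parse_get_table(get_output), desired)


if __name__ == "__main__":
    # Paste the output into a batch file run from c:\nvidia\NetworkAccessManager\bin
    print("\n".join(reconcile()))
```

Run ncli get NV_FwlEtherType first, feed its output to reconcile(), and review the emitted lines before placing them in a batch file.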

About Other Table Commands


Note: The purge command is used to delete all the rows in the table; i.e., the entire table. Please use this command cautiously.

Syntax
_______________________________________________________________ purge <tablename>
______________________________________________________________

Note: If the table has read-only access, the purge action will fail.


Browsing the Parameter Structure


The ForceWare networking parameters are organized in a tree structure, which you can explore. The browsing capability of nCLI is a powerful tool for non-expert use, as you do not have to know a parameter's distinguished name before using a command on it.

List
The ls or dir command lists the children of the current parameter, as shown in the next example.

Example
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>ls
NS_Eth
NS_NvConfig
NS_Firewall
NS_UserLog
NS_Security
ncli>ls ns_eth
NS_EthStat
NS_EthConfig
NS_ASF
NV_DriverRestartCmd
NV_DriverRestartFlag
ncli>


Changing Directory
The cd command lets you browse through the parameter tree structure.

Example 1
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>ls
NS_Eth
NS_NvConfig
NS_Firewall
NS_UserLog
NS_Security
ncli>cd NS_Eth
ncli>ls
NS_EthStat
NS_EthConfig
NS_ASF
NV_DriverRestartCmd
NV_DriverRestartFlag
ncli>cd ns_ethstat
ncli>ls
NV_NetworkGenStat
NV_EthStat
ncli>
_______________________________________________________________


Example 2
Note: Invoking the cd command by itself will bring you to the root level, as shown in the following example.
_______________________________________________________________
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ns_eth
ncli>cd ns_ethstat
ncli>cd
ncli>
_______________________________________________________________
Each ForceWare Network Access Manager parameter has a unique name, which can be used within ncli> to access each individual parameter. Therefore, you do not need the complete path to get to a single parameter. The example below shows how this can help you quickly access a parameter.
_______________________________________________________________
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ASFSupport
ncli>pwd
<root>/NS_Eth/NS_ASF/NV_ASF/ASFSupport
ncli>


Current Working Directory


The pwd command is used to display the path to the current parameter.

Example
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ns_ethstat
ncli>pwd
<root>/NS_Eth/NS_EthStat
ncli>cd
ncli>pwd
<root>
ncli>
_______________________________________________________________

Context-Sensitive Operations
ls, cd, and pwd commands allow you to browse through the parameters. When you have entered a current parameter, all the operations you invoke will be in the context of that parameter.

Example
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd NV_FwlEtherType
ncli>get
#  EtherType  EtherTypeName  EtherTypeRule
1  2048       IP             Allow
2  2054       ARP            Allow
ncli>help
Firewall rules for different Data Link Layer protocols
Firewall rules for different Data Link Layer protocols (identified by Ethernet type) including IP, IPX, NetBEUI, AppleTalk and other protocols.
ncli>addrow
EtherType:2056
EtherTypeName:FrameRelay ARP/Inverse IP
EtherTypeRule
1 Deny
2 Allow
choose one: 2
ncli>get
#  EtherType  EtherTypeName    EtherTypeRule
1  2048       IP               Allow
2  2054       ARP              Allow
3  2056       FrameRelay AR..  Allow

ncli> _______________________________________________________________

Text File Processing


Text file processing is intended for expert users to quickly update complex parameters and perform large configurations. On the nCLI command line, for example, interactive settings can only be performed on tables one at a time. Text file processing offers an alternative to Get and Set: parameter values are read and written in a flat text format.

Export
Export files follow a standard format that makes them compatible with Web-based management. That is, export files from nCLI can be imported using the Web-based management, and export files from Web-based management can be imported using nCLI.


Syntax
_______________________________________________________________
export /f <filename> <parameter_name>
_______________________________________________________________
Note: Either one or both of /f <filename> and <parameter_name> may be omitted. If /f <filename> is omitted, the output of the export will be stored in frontend\backup\cliexport.txt under the directory where the ForceWare Network Access Manager software is installed. If <parameter_name> is omitted, only the current parameter and its children will be exported. An example is shown below.

Example
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>export
.........................Finished
ncli>

Import
Before new parameter settings are imported, the old parameter settings are backed up, so that a problem during import cannot leave the system in an unknown state. If necessary, the backup file can be used to restore the system to the previous state. Note: If nCLI encounters problems while importing parameters, it stops processing and instructs you to restore the previous state. Use restore to return to the previous state.

Syntax
_______________________________________________________________
import /f <filename>
_______________________________________________________________

If /f <filename> is omitted, the default file frontend\backup\cliexport.txt under the directory where the ForceWare Network Access Manager software is installed will be read and imported.

Example
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>import
Reading text and importing ..........
Backing up to clibackup.txt in case of failure ..........
Finished Import.
ncli>

Selective Export
Selective export allows you to export only the parameter branch specified.

Syntax
_______________________________________________________________
export /f <file name> <parameter_name>
_______________________________________________________________

Example
To export only the ns_xxxx namespace, the following command can be used:
_______________________________________________________________
ncli export /f c:\xxxx_export.txt ns_xxxx
NVIDIA ForceWare Network Access Manager Framework Version 01.00
..Finished
_______________________________________________________________


Context Export
nCLI lets you browse into a parameter branch and export it. As a result of the below commands, only the NS_Eth branch is exported.

Example
C:\nvidia\NetworkAccessManager\bin>ncli
NVIDIA ForceWare Network Access Manager Framework Version 01.00
ncli>cd ns_eth
ncli>export
ncli>

Glossary
See Glossary on page 156.


APPENDIX A

ETHERNET PARAMETERS REFERENCE


Note: For references to all the individual parameters, categorized by group, see the entries listed for this appendix A. Ethernet Parameters: Reference in the Table of Contents on page iii.

Group: Remote Wakeup


Remote Wakeup
Parameter: WakeUp
Description: Enables or disables Ethernet remote wake up capability. When enabled, the user can remotely turn on the power of systems across the network. For example, a network administrator can use Remote Wake Up to perform after-hours maintenance from a remote location without requiring a technician to be physically present.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_EthWakeUp / Single: WakeUp
Usage example: nCLI Set "WakeUp" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable or Enable


Remote Wakeup by Magic Packet


Parameter: WakeUpMagic
Description: Enables or disables the magic packet wake-up feature. When this feature is enabled, networked computers that are in a low power state receive the magic packet to wake up.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_EthWakeUp / Single: WakeUpMagic
Usage example: nCLI Set "WakeUpMagic" "Enable"
Access: ReadWrite
Restart network: Network restart is required.
Data type: Selection
User selection: Disable, Enable

Remote Wakeup (Pattern Match)


Parameter: WakeUpPattern
Description: Enables or disables the pattern match remote wakeup feature. When this feature is enabled, networked computers that are in a low power state receive a packet that contains a pattern specified by the operating system's network protocol to wake up.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_EthWakeUp / Single: WakeUpPattern
Usage example: nCLI Set "WakeUpPattern" "Enable"
Access: ReadWrite
Restart network: Network restart is required.
Data type: Selection
User selection: Disable, Enable


Remote Wakeup (Link State Change)


Parameter: WakeUpLink
Description: Enables or disables the WakeUpLink feature. A change in the link state refers to the connection or disconnection of the Ethernet network cable. When a networked computer is in a low power state, a change in the link state wakes up the computer.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_EthWakeUp / Single: WakeUpLink
Usage example: nCLI Set "WakeUpLink" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable

Remote Wake Up from Hibernate or Shutdown


Parameter: WakeUpS4S5
Description: Enables or disables the Remote Wake Up from Hibernate or Shutdown feature. Hibernate means that all devices in a networked computer are turned off. This state is saved to the computer's hard disk and is then used for a fast startup. Shutdown means that the operating system will shut down and the BIOS will be re-initialized during wake up.
Comment: If WakeUp is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_EthWakeUp / Single: WakeUpS4S5
Usage example: nCLI Set "WakeUpS4S5" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable


Group: Protocol Offload


Checksum Offload
Parameter: EthOffloadChkSum
Description: Enables or disables the Ethernet checksum offload feature. Offloads increase the system performance by offloading CPU-intensive TCP/IP tasks to hardware.
Comment: This feature is not supported by WMI scripting.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadChkSum
Usage example: nCLI Set "EthOffloadChkSum" "Enable"
Access: ReadWrite
Network restart: Required
Data type: Selection
User selection: Disable, Enable

IPv4 Transmit Checksum Offload


Parameter: EthOffloadIPv4TxChkSum
Description: Enables or disables the IPv4 Transmit Checksum Offload feature. When this feature is enabled, the operating system passes the task of calculating IP (Internet Protocol) checksums for transmitted packets to the Ethernet hardware.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadIPv4TxChkSum
Usage example: nCLI Set "EthOffloadIPv4TxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable


IPv4 Receive Checksum Offload


Parameter: EthOffloadIPv4RxChkSum
Description: Enables or disables the IPv4 Receive Checksum Offload feature. When this feature is enabled, the operating system passes the task of calculating IP checksums for received packets to the Ethernet hardware.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadIPv4RxChkSum
Usage example: nCLI Set "EthOffloadIPv4RxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

UDP Transmit Checksum Offload


Parameter: EthOffloadUDPTxChkSum
Description: Enables or disables the UDP (User Datagram Protocol) Transmit Checksum Offload feature. When this feature is enabled, the operating system can use the Ethernet hardware to calculate UDP checksums for transmitted packets.
Comment: Not supported through WMI script. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadUDPTxChkSum
Usage example: nCLI Set "EthOffloadUDPTxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Enable, Disable


UDP Receive Checksum Offload


Parameter: EthOffloadUDPRxChkSum
Description: Enables or disables the UDP Receive Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate UDP checksums for received packets.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadUDPRxChkSum
Usage example: nCLI Set "EthOffloadUDPRxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

TCP Transmit Checksum Offload


Parameter: EthOffloadTCPTxChkSum
Description: Enables or disables the TCP Transmit Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate TCP checksums for transmitted packets.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadTCPTxChkSum
Usage example: nCLI Set "EthOffloadTCPTxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable


TCP Receive Checksum Offload


Parameter: EthOffloadTCPRxChkSum
Description: Enables or disables the TCP Receive Checksum Offload feature. When the feature is enabled, the operating system can use the Ethernet hardware to calculate TCP checksums for received packets.
Comment: This parameter is not supported by WMI scripting. If EthOffloadChkSum is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadTCPRxChkSum
Usage example: nCLI Set "EthOffloadTCPRxChkSum" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

TCP Large Send Offload


Parameter: EthOffloadTxLargeSend
Description: Enables or disables the TCP Large Send Offload feature. When the feature is enabled, the operating system can utilize the Ethernet hardware capabilities to segment large TCP packets into smaller packets. Note: This feature applies to packet transmissions only.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_Offload / Single: EthOffloadTxLargeSend
Usage example: nCLI Set "EthOffloadTxLargeSend" "Enable"
Access: ReadWrite
Network restart: Required.
Data type: Selection
User selection: Disable, Enable


Group: Microsoft Operating System VLAN (Virtual LAN)


Microsoft Operating System VLAN
Parameter: EthMSVLAN
Description: Specifies the Virtual LAN (VLAN) ID returned by the Microsoft operating system. The VLAN ID is an identifier used by a networked computer to determine its associated VLAN. VLAN allows a set of networked computers to function as if they were not connected to the same wire even though they may be physically connected to the same segments of a Local Area Network (LAN).
Comment: The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID settings. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_MSVLAN / Single: EthMSVLAN
Usage example: nCLI Get "EthMSVLAN"
Access: Read
Data type: Number (32 bit)
Maximum value: 4095
Minimum value: 0


Group: VLAN (Virtual LAN)


VLAN Support
Parameter: EthVLAN
Description: Enables or disables VLAN support. VLAN allows a network of computers to function as if they are not connected to the same wire even though they may be physically located on different segments of a LAN.
Comment: The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID values. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_MSVLAN_Setting / Single: EthVLAN
Usage example: nCLI Set "EthVLAN" "Disable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

VLAN ID
Parameter: EthVLANID
Description: The VLAN ID is an identifier used by a computer to determine its associated VLAN. A value of 0 (zero) means VLAN is disabled. VLAN allows a set of networked computers to function as if they were not connected to the same wire even though they may be physically connected to the same segments of a LAN.
Comment: The Microsoft VLAN ID overrides the NVIDIA EthVLAN and EthVLANID values. When the Microsoft VLAN ID is 0 (zero), the NVIDIA EthVLAN and EthVLANID are used.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_MSVLAN_Setting / Single: EthVLANID
Usage example: nCLI Set "EthVLANID" "0"
Access: ReadWrite
Data type: Number (32 bit)
Maximum value: 4095
Minimum value: 0


Group: Jumbo Frame


Jumbo Frame Payload Size
Parameter: EthJumboSize
Description: Specifies the Ethernet jumbo frame payload size. Jumbo frame supports larger Ethernet packet sizes to reduce server overhead and increase throughput. A payload size of 1,500 means Jumbo Frame is disabled.
Comment: Jumbo frame is supported only when the connection speed is 1000 Mbps.
Hierarchy: Namespace: NS_Eth / Namespace: NS_EthConfig / Group: NV_Eth_EthJumbo / Single: EthJumboSize
Usage example: nCLI Set "EthJumboSize" "1500"
Access: ReadWrite
Network restart: Required.
Data type: Selection
User selection: 1500, 2500, 4500, 9000


Group: Driver Optimization


Ethernet Driver Optimization
Parameter: EthOptimization
Description: Allows Ethernet driver optimization by adjusting Ethernet driver operating parameters to suit different needs.
Comment: This parameter is not supported through WMI Script. WMI Script users need to configure each parameter individually in the Ethernet Performance class.
Hierarchy: Namespace: NS_Eth / Namespace: NS_Eth_Optimization / Group: NV_EthOptimization / Single: EthOptimization
Usage example: nCLI Set "EthOptimization" "CPU Utilization"
Access: ReadWrite
Data type: Selection
User selection:
CPU Utilization is a setting that optimizes to lower the amount of time the CPU spends processing network traffic. Note: This is the recommended and default setting.
Throughput is a setting that maximizes the amount of network traffic sent and received.
Multimedia is a setting that reduces the time spent per network interrupt to allow time-critical media devices to be serviced.


Group: Ethernet Performance


Number of Receive Buffers
Parameter: EthNoOfRxBuff
Description: Specifies the number of receive buffers allocated by the NVIDIA Ethernet driver. Receive buffers are memory blocks used to store packets received from the network.
Comment: For optimal performance, the number of receive buffers needs to be at least TWICE the number of receive descriptors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_Eth_Config > Group: NV_Eth_Performance > Single: EthNoOfRxBuff
Usage example: nCLI Set "EthNoOfRxBuff" "512"
Access: ReadWrite
Network restart: Required
Data type: User selection
Selection: 2, 4, 8, 16, 32, 64, 128, 256, 512

Number of Receive Buffer Descriptors


Parameter: EthNoOfRxDesc
Description: Number of receive buffer descriptors available to the Ethernet hardware. This value determines the number of receive buffers that may be queued for the hardware.
Comment: For optimal performance, the number of receive buffers needs to be set to at least twice the number of receive descriptors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_Eth_Config > Group: NV_Eth_Performance > Single: EthNoOfRxDesc
Usage example: nCLI Set "EthNoOfRxDesc" "64"
Access: ReadWrite
Network restart: Required
Data type: User selection
Selection: 2, 4, 8, 16, 32, 64, 128, 256


Number of Transmit Buffer Descriptors


Parameter: EthNoOfTxDesc
Description: Specifies the number of transmit buffer descriptors available to the Ethernet hardware. This value determines the number of transmit buffers that may be queued for the hardware.
Hierarchy: Namespace: NS_Eth > Namespace: NS_Eth_Config > Group: NV_Eth_Performance > Single: EthNoOfTxDesc
Usage example: nCLI Set "EthNoOfTxDesc" "256"
Access: ReadWrite
Network restart: Required (for the setting to take effect)
Data type: User selection
Selection: 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024

Maximum Transmit Frames Queued


Parameter: EthMaxTxPktQueue
Description: Specifies the maximum number of frames which may be queued by the Ethernet driver.
Hierarchy: Namespace: NS_Eth > Namespace: NS_Eth_Config > Group: NV_Eth_Performance > Single: EthMaxTxPktQueue
Usage example: nCLI Set "EthMaxTxPktQueue" "1024"
Access: ReadWrite
Network restart: Required
Data type: User selection
Selection: 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024


Number of Receive Packets to Process per Interrupt


Parameter: EthNoOfRxPktToProcessEachTime
Description: Specifies the number of receive packets to process per interrupt.
Hierarchy: Namespace: NS_Eth > Namespace: NS_Eth_Config > Group: NV_Eth_Performance > Single: EthNoOfRxPktToProcessEachTime
Usage example: nCLI Set "EthNoOfRxPktToProcessEachTime" "1280"
Access: ReadWrite
Network restart: Required
Data type: User selection
Selection: 10, 20, 40, 80, 160, 320, 640, 1280

Number of Transmit Packets to Process per Interrupt

Parameter: EthNoOfTxPktToProcessEachTime
Description: Specifies the number of transmit packets to process per interrupt.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_Eth_Performance > Single: EthNoOfTxPktToProcessEachTime
Usage example: nCLI Set "EthNoOfTxPktToProcessEachTime" "1280"
Access: ReadWrite
Network restart: Required
Data type: User selection
Selection: 5, 10, 20, 40, 80, 160, 320, 640, 1280


Interrupt Interval
Parameter: EthPollingInterval
Description: Specifies the time (in milliseconds) between hardware interrupts in the hardware polling mode.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_Eth_Performance > Single: EthPollingInterval
Usage example: nCLI Set "EthPollingInterval" "425"
Access: ReadWrite
Network restart: Required
Data type: User selection
Selection: 0, 425
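The Ethernet Performance entries above, together with the Jumbo Frame entry, carry two consistency rules (receive buffers at least twice the receive descriptors; a jumbo payload only on a 1000 Mbps link) and fixed selection lists. The following added validator, not part of ForceWare or its nCLI tool, checks a proposed set of values against those lists and rules before rendering the nCLI Set commands; the parameter names and selections are taken from the reference, the function names are the example's own.

```python
"""Validator for the NVIDIA Ethernet driver settings documented in this appendix.
Hypothetical helper (not part of the ForceWare tool set): it checks a proposed
set of values against the selection lists and the two constraints the reference
states, then renders the matching nCLI Set commands.
"""
from __future__ import annotations

# Allowed selections, copied from the parameter reference entries.
SELECTIONS: dict[str, tuple[int, ...]] = {
    "EthJumboSize": (1500, 2500, 4500, 9000),
    "EthNoOfRxBuff": (2, 4, 8, 16, 32, 64, 128, 256, 512),
    "EthNoOfRxDesc": (2, 4, 8, 16, 32, 64, 128, 256),
    "EthNoOfTxDesc": (2, 4, 8, 16, 32, 64, 128, 256, 512, 1024),
    "EthMaxTxPktQueue": (2, 4, 8, 16, 32, 64, 128, 256, 512, 1024),
    "EthNoOfRxPktToProcessEachTime": (10, 20, 40, 80, 160, 320, 640, 1280),
    "EthNoOfTxPktToProcessEachTime": (5, 10, 20, 40, 80, 160, 320, 640, 1280),
    "EthPollingInterval": (0, 425),
}


def validate_eth_settings(settings: dict[str, int], link_speed_mbps: int) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: list[str] = []
    for name, value in settings.items():
        if name not in SELECTIONS:
            problems.append(f"{name}: not a parameter this validator knows")
            continue
        if value not in SELECTIONS[name]:
            problems.append(f"{name}: {value} is not in the selection list {SELECTIONS[name]}")

    # A payload of 1500 means jumbo frames are off; anything larger is only
    # supported when the connection speed is 1000 Mbps.
    jumbo = settings.get("EthJumboSize", 1500)
    if jumbo != 1500 and link_speed_mbps != 1000:
        problems.append(
            f"EthJumboSize: {jumbo} requires a 1000 Mbps link, but the link is {link_speed_mbps} Mbps"
        )

    # Receive buffers must be at least twice the number of receive descriptors.
    rx_buff = settings.get("EthNoOfRxBuff")
    rx_desc = settings.get("EthNoOfRxDesc")
    if rx_buff is not None and rx_desc is not None and rx_buff < 2 * rx_desc:
        problems.append(
            f"EthNoOfRxBuff: {rx_buff} is less than twice EthNoOfRxDesc ({rx_desc})"
        )
    return problems


def render_ncli(settings: dict[str, int]) -> list[str]:
    """Render the settings as nCLI Set commands in the form the reference uses.

    Every parameter in SELECTIONS requires a network restart to take effect,
    so the caller should plan for that after applying the commands.
    """
    return [f'nCLI Set "{name}" "{value}"' for name, value in settings.items()]


if __name__ == "__main__":
    # Constructed sample: a tuning set for a gigabit link.
    proposed = {"EthNoOfRxBuff": 512, "EthNoOfRxDesc": 64, "EthJumboSize": 9000}
    for issue in validate_eth_settings(proposed, link_speed_mbps=1000) or ["no problems found"]:
        print(issue)
    print("\n".join(render_ncli(proposed)))
```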

Group: Traffic Prioritization


IEEE 802.1p Support
Parameter: Eth8021p
Description: Enables or disables Ethernet IEEE 802.1p support. IEEE 802.1p allows frames to be grouped into priority classes.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_Eth_8021p > Single: Eth8021p
Usage example: nCLI Set "Eth8021p" "Disable"
Access: ReadWrite
Network restart: Required
Data type: User selection
Selection: Disable, Enable


Group: Ethernet Speed/Duplex


Configurable Ethernet Speed/Duplex Settings
Parameter: EthSpeed
Description: Specifies the configurable Ethernet speed/duplex settings.
Comment: For systems equipped with a Gigabit Ethernet PHY (physical layer transceiver), the Autonegotiate for 1000 Mbps selection is available. Otherwise, only the 100/10 Mbps selections are available.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_Eth_Speed > Single: EthSpeed
Usage example: nCLI Set "EthSpeed" "Full Autonegotiation"
Access: ReadWrite
Network restart: Required (for changes to take effect)
Data type: User selection
Selection: Full Autonegotiation; Autonegotiate for 1000 mbps Full Duplex; Autonegotiate for 100 mbps Full Duplex; Autonegotiate for 100 mbps Half Duplex; Autonegotiate for 10 mbps Full Duplex; Autonegotiate for 10 mbps Half Duplex; Force 100 mbps Full Duplex; Force 100 mbps Half Duplex; Force 10 mbps Full Duplex; Force 10 mbps Half Duplex


Group: Ethernet Information


Link Speed
Parameter: EthLinkSpeed
Description: Specifies the current speed (in Mbps) of the Ethernet device.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_EthInfo > Single: EthLinkSpeed
Usage example: nCLI Get "EthLinkSpeed"
Access: Read
Data type: Number (32 bit)
Maximum value: 10000
Minimum value: 0

Maximum Link Speed


Parameter: EthLinkMaxSpeed
Description: Specifies the maximum speed (in Mbps) at which the Ethernet interface can operate.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_EthInfo > Single: EthLinkMaxSpeed
Usage example: nCLI Get "EthLinkMaxSpeed"
Access: Read
Data type: Number (32 bit)
Maximum value: 10000
Minimum value: 0


Duplex Setting
Parameter: EthDuplex
Description: Specifies the current Ethernet interface duplex setting. Full duplex means that the Ethernet interface on both ends of a link can receive and transmit data simultaneously over the cable. Half duplex means that either the transmit or the receive operation can occur at a given time.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_EthInfo > Single: EthDuplex
Usage example: nCLI Get "EthDuplex"
Access: Read
Data type: User selection
Selection: Half Duplex, Full Duplex

Link Status
Parameter: EthConnectStatus
Description: Displays the current Ethernet link status. When the Ethernet link is disconnected, the remote configuration tool will not function.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_EthInfo > Single: EthConnectStatus
Usage example: nCLI Get "EthConnectStatus"
Access: Read
Data type: User selection
Selection: Connected, Disconnected


Promiscuous Mode
Parameter: EthPromiscuous
Description: When this parameter is enabled, all packets (including frames addressed to other stations) that arrive at this Ethernet interface are received.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_EthInfo > Single: EthPromiscuous
Usage example: nCLI Get "EthPromiscuous"
Access: Read
Data type: User selection
Selection: Disable, Enable

Permanent Ethernet Address


Parameter: EthAddressPermanent
Description: Specifies the fixed Ethernet address encoded in the hardware.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_EthInfo > Single: EthAddressPermanent
Usage example: nCLI Get "EthAddressPermanent"
Access: Read
Data type: MAC Address


Group: Ethernet Address


Current Ethernet Address
Parameter: EthAddressCurrent
Description: Specifies the Ethernet address currently being used. The Ethernet interface then uses the Current Ethernet Address in place of the Permanent Ethernet Address.
Comment: The format of the Ethernet address should be XX:XX:XX:XX:XX:XX.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_Eth_Address > Single: EthAddressCurrent
Usage example: nCLI Set "EthAddressCurrent" "0C:12:34:56:78:9A"
Access: ReadWrite
Network restart: Required
Data type: MAC Address

Group: Network Interface information


Computer (Machine) Name
Parameter: MachineName
Description: Specifies the unique name that is used to identify a computer on the network domain. The computer (machine) name is specified through the operating system and must be unique within a network domain.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_InterfaceInfo > Single: MachineName
Usage example: nCLI Get "MachineName"
Access: Read
Data type: String
Maximum length: 64


IP Address
Parameter: IPAddress
Description: Specifies the IP address of the current Ethernet interface.
Comment: If an interface has multiple IP addresses and masks, only the first set returned by the operating system is shown.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_InterfaceInfo > Single: IPAddress
Usage example: nCLI Get "IPAddress"
Access: Read
Data type: String
Maximum length: 64

IP Address Mask
Parameter: IPAddressMask
Description: Specifies the IP address mask of the current Ethernet interface.
Comment: If an interface has multiple IP addresses and masks, only the first set returned by the operating system is shown.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_InterfaceInfo > Single: IPAddressMask
Usage example: nCLI Get "IPAddressMask"
Access: Read
Data type: String
Maximum length: 64


Group: Factory Default


Factory Default
Parameter: EthDefault
Description: Restores the Ethernet factory default settings.
Comment: The restore factory default feature is not available through WMI scripting.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Group: NV_Eth_FactoryDefault > Single: EthDefault
Usage example: nCLI Set "EthDefault" "Restore"
Access: ReadWrite
Data type: User selection
Selection: NoRestore, Restore

Table: Multicast Address List


Multicast Address List
Table parameter: NV_Eth_MulticastAddress
Description: Specifies a list of multicast addresses from which the Ethernet interface will receive frames. An Ethernet multicast packet is a packet addressed to a group of recipients.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Table: NV_Eth_MulticastAddress
Usage example: nCLI Get "NV_Eth_MulticastAddress"
Access: Read
Single parameter: EthMulticast (see the next table for details on the EthMulticast parameter)


Multicast Addresses (Single Parameter)


Parameter: EthMulticast
Description: An Ethernet multicast packet is a packet addressed to a group of recipients.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthConfig > Table: NV_Eth_MulticastAddress > Single: EthMulticast
Access: Read
Table key: This parameter is a key to the table.
Data type: MAC Address

Group: Ethernet Statistics


Frames Received with Alignment Error
Parameter: EthReceiveErrorAlign
Description: Specifies the number of received frames with alignment errors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthReceiveErrorAlign
Usage example: nCLI Get "EthReceiveErrorAlign"
Access: Read
Data type: Number (64 bit)


Frames Transmitted After One Collision


Parameter: EthTransmitOneCollision
Description: Specifies the number of frames that were successfully transmitted after encountering one collision.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitOneCollision
Usage example: nCLI Get "EthTransmitOneCollision"
Access: Read
Data type: Number (64 bit)

Frames Transmitted After Two or More Collisions


Parameter: EthTransmitMoreCollision
Description: Specifies the number of frames that were successfully transmitted after encountering two or more collisions.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitMoreCollision
Usage example: nCLI Get "EthTransmitMoreCollision"
Access: Read
Data type: Number (64 bit)


Frames Transmitted After Deferral


Parameter: EthTransmitDeferred
Description: Specifies the number of frames that were successfully transmitted after the Ethernet hardware deferred transmission at least once.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitDeferred
Usage example: nCLI Get "EthTransmitDeferred"
Access: Read
Data type: Number (64 bit)

Frames Exceeding Maximum Collisions

Parameter: EthTransmitMaxCollision
Description: Specifies the number of frames not transmitted because of excessive collisions.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitMaxCollision
Usage example: nCLI Get "EthTransmitMaxCollision"
Access: Read
Data type: Number (64 bit)


Frames with Overrun Errors


Parameter: EthReceiveOverrun
Description: Specifies the number of frames not received because of overrun errors. An overrun error occurs when the Ethernet hardware receives more data than it can process.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthReceiveOverrun
Usage example: nCLI Get "EthReceiveOverrun"
Access: Read
Data type: Number (64 bit)

Frames with Underrun Errors


Parameter: EthTransmitUnderrun
Description: Specifies the number of frames not transmitted because of underrun errors. An underrun error occurs when the Ethernet hardware cannot transmit frames because the data is not available within the expected time.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitUnderrun
Usage example: nCLI Get "EthTransmitUnderrun"
Access: Read
Data type: Number (64 bit)


Frames with Heartbeat Failure


Parameter: EthTransmitHeartbeatFail
Description: Specifies the number of frames transmitted without detection of the collision-detect heartbeat.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitHeartbeatFail
Usage example: nCLI Get "EthTransmitHeartbeatFail"
Access: Read
Data type: Number (64 bit)

Carrier Sense (CRS) Signal Lost


Parameter: EthTransmitTimesCRSLost
Description: Specifies the number of times the CRS signal has been lost during packet transmission.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitTimesCRSLost
Usage example: nCLI Get "EthTransmitTimesCRSLost"
Access: Read
Data type: Number (64 bit)


Late Collisions
Parameter: EthTransmitLateCollisions
Description: The number of collisions detected after the normal detection period.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_EthStat > Single: EthTransmitLateCollisions
Usage example: nCLI Get "EthTransmitLateCollisions"
Access: Read
Data type: Number (64 bit)

Group: General Networking Statistics


Successfully Transmitted Frames
Parameter: TransmitOK
Description: Specifies the number of frames transmitted without errors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: TransmitOK
Usage example: nCLI Get "TransmitOK"
Access: Read
Data type: Number (64 bit)


Successfully Received Frames


Parameter: ReceiveOK
Description: Specifies the number of frames that the network card has received without errors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: ReceiveOK
Usage example: nCLI Get "ReceiveOK"
Access: Read
Data type: Number (64 bit)

Transmit Failures
Parameter: TransmitError
Description: Specifies the number of frames that failed to transmit.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: TransmitError
Usage example: nCLI Get "TransmitError"
Access: Read
Data type: Number (64 bit)

Receive Failures
Parameter: ReceiveError
Description: Specifies the number of frames that were received but not passed to the operating system because of errors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: ReceiveError
Usage example: nCLI Get "ReceiveError"
Access: Read
Data type: Number (64 bit)


No Receive Buffers
Parameter: ReceiveNoBuffer
Description: The number of frames that are dropped because of a lack of space for receive buffers.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: ReceiveNoBuffer
Usage example: nCLI Get "ReceiveNoBuffer"
Access: Read
Data type: Number (64 bit)

Direct Frames Received


Parameter: ReceiveFramesDirect
Description: The number of packets received without errors and addressed to the local Ethernet address.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: ReceiveFramesDirect
Usage example: nCLI Get "ReceiveFramesDirect"
Access: Read
Data type: Number (64 bit)

Multicast Frames Received


Parameter: ReceiveFramesMulticast
Description: Specifies the number of multicast frames received without errors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: ReceiveFramesMulticast
Usage example: nCLI Get "ReceiveFramesMulticast"
Access: Read
Data type: Number (64 bit)


Broadcast Frames Received


Parameter: ReceiveFramesBroadcast
Description: Specifies the number of broadcast frames received without errors.
Hierarchy: Namespace: NS_Eth > Namespace: NS_EthStat > Group: NV_NetworkGenStat > Single: ReceiveFramesBroadcast
Usage example: nCLI Get "ReceiveFramesBroadcast"
Access: Read
Data type: Number (64 bit)

Group: Alert Standard Format


ASF Support
Parameter: ASFSupport
Description: Enables or disables the ASF (Alert Standard Format) feature. ASF is an industry specification that defines alerting capability in both operating-system-present and operating-system-absent environments.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASF > Single: ASFSupport
Usage example: nCLI Set "ASFSupport" "Disable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable


ASF Destination IP Address


Parameter: ASFDestIPAddr
Description: Specifies the IP address of the managing station computer that is receiving the ASF alert frames. For ASF to be functional, the destination IP address must be specified. Only an IPv4 (not IPv6) address is supported.
Comment: Note: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASF > Single: ASFDestIPAddr
Usage example: nCLI Set "ASFDestIPAddr" ""
Access: ReadWrite
Data type: String
Maximum length: 15

ASF Send Count


Parameter: ASFSendCount
Description: Specifies the number of times an ASF alert will be sent out for a given event. If the value is more than one, the alert is sent at an interval of approximately 1 second. This is a global setting applied across all events.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASF > Single: ASFSendCount
Usage example: nCLI Set "ASFSendCount" "1"
Access: ReadWrite
Data type: User selection
Selection: 0, 1, 2, 3


Group: ASF Information


ASF Destination MAC Address
Parameter: ASFDestMACAddr
Description: Displays the MAC address of the managing station computer that is receiving the ASF alert frames.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventInfo > Single: ASFDestMACAddr
Usage example: nCLI Get "ASFDestMACAddr"
Access: Read
Data type: MAC Address

Group: System Fails to Boot Alert


System Fails to Boot Alert
Parameter: ASFEventBootFailure
Description: This ASF alert is triggered when the operating system fails to start up.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventBootFailure > Single: ASFEventBootFailure
Usage example: nCLI Set "ASFEventBootFailure" "Disable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable


Group: Fan Problem Alert


Fan Problem Alert
Parameter: ASFEventFanProblem
Description: This alert is triggered if the CPU fan is running at a low speed or has stopped, which can cause the CPU or system temperature to increase.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventFanProblem > Single: ASFEventFanProblem
Usage example: nCLI Set "ASFEventFanProblem" "Disable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable

Group: ASF SMBus Error


ASF SMBus Error
Parameter: ASFEventSMBusError
Description: This alert packet is sent when there is an SMBus (System Management Bus) error. The SMBus is a two-wire interface through which the system can communicate with simple power-related chips.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventSMBusError > Single: ASFEventSMBusError
Usage example: nCLI Set "ASFEventSMBusError" "Disable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable


Group: ASF WOL Alert


ASF Wake On LAN (WOL) Alert

Parameter: ASFEventWOL
Description: This alert is triggered when the system is woken through the Wake On LAN feature.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventWOL > Single: ASFEventWOL
Usage example: nCLI Set "ASFEventWOL" "Disable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable

Group: ASF Heartbeat Alert


ASF Heartbeat Alert Interval
Parameter: ASFHeartbeatInterval
Description: Sets the interval (in seconds) between ASF heartbeat alerts.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventHeartbeatInterval > Single: ASFEventHeartbeatInterval
Usage example: nCLI Set "ASFHeartbeatInterval" "10 seconds"
Access: ReadWrite
Data type: User selection
Selection: 10 seconds, 20 seconds, 30 seconds, 45 seconds, 1 minute, 2 minutes, 3 minutes, 5 minutes, 7.5 minutes, 10 minutes


Group: ASF Operating System Hung Alert


ASF Operating System Hung Alert
Parameter: ASFEventOSHung
Description: This alert is triggered when the operating system is hung and the driver software or the operating system is not servicing the interrupts generated by the network interfaces.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventOSHung > Single: ASFEventOSHung
Usage example: nCLI Set "ASFEventOSHung" "Enable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable

Group: ASF Power Button Alert


ASF Power Button Alert
Parameter: ASFEventPowerButton
Description: Enables or disables the power button alert. This alert is triggered each time the user presses the power button to shut down or turn on the computer.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventPowerButton > Single: ASFEventPowerButton
Usage example: nCLI Set "ASFEventPowerButton" "Enable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable


Group: ASF System Hot Alert


ASF System Hot Alert
Parameter: ASFEventSystemHot
Description: This alert is triggered when the temperature in the computer has exceeded a threshold limit.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventSystemHot > Single: ASFEventSystemHot
Usage example: nCLI Set "ASFEventSystemHot" "Enable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable

Group: ASF CPU Overheated Alert


ASF CPU Overheat Alert
Parameter: ASFEventCPUOverheated
Description: This alert is triggered when the temperature of the CPU exceeds a threshold.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventCPUOverheated > Single: ASFEventCPUOverheated
Usage example: nCLI Set "ASFEventCPUOverheated" "Enable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable


Group: ASF CPU Overheated Alert


ASF CPU Hot Alert
Parameter: ASFEventCPUHot
Description: This alert is triggered when the fan in the CPU is not functioning or the CPU temperature is increasing.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventCPUHot > Single: ASFEventCPUHot
Usage example: nCLI Set "ASFEventCPUHot" "Enable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable

Group: ASF Case Intrusion Alert


ASF Case Intrusion Alert
Parameter: ASFEventCaseIntrusion
Description: This alert is triggered when the computer's case is opened.
Comment: If ASFSupport is set to Disable, this parameter value is ignored.
Hierarchy: Namespace: NS_Eth > Namespace: NS_ASF > Group: NV_ASFEventCaseIntrusion > Single: ASFEventCaseIntrusion
Usage example: nCLI Set "ASFEventCaseIntrusion" "Disable"
Access: ReadWrite
Data type: User selection
Selection: Disable, Enable


Appendix B

NVIDIA Firewall Parameters Reference


Note: For references to all the individual parameters, categorized by group, see the entries listed for this appendix ("B. NVIDIA Firewall Parameters Reference") in the Table of Contents on page iii.

Group: Configure Firewall Security Level


Configure Firewall Security Level
Parameter: FwlProfiles
Description: Selects a default security level or configures a custom security level, which is a set of rules that determines the policy that the firewall follows.
Comment: This parameter is not supported through WMI script. For CLI users who want to customize the firewall settings and not use a pre-defined profile, change the firewall security level to one of the custom levels. Note: For details on the settings, see the next section.
Hierarchy: Namespace: NS_Firewall > Group: NV_FwlProfiles > Single: FwlProfiles
Usage example: nCLI Set "FwlProfiles" "Medium"
Access: ReadWrite
Data type: User selection
Selection: Off, Anti-hacking only, Low, Custom 1, Medium, Custom 2, High, Custom 3, Lockdown


About the FwlProfiles Settings


The FwlProfiles parameter is supported through the WMI scripting language. If you are a CLI user and want to customize the NVIDIA Firewall settings without using a pre-defined profile, change the firewall security level to one of the custom levels described below.

The Lockdown profile setting blocks all incoming and outgoing traffic, except locally generated ASF alerts.

High is an extremely secure setting. However, due to the stringent filtering rules associated with this setting, many applications may not work as expected and some applications may not work at all. This setting has the following features and functionality:

- Allows the least amount of traffic through. Only outbound connections may be established. Inbound connections are not allowed. Inbound traffic is allowed only if it is in response to an outbound packet that was seen previously on a valid connection.
- Encompasses what is commonly known as stealth mode, in which the station cannot be pinged and is not allowed to generate any ICMP error messages, except where necessary for normal operation.
- Allows VPNs, including those based on IPsec (requiring AH, ESP, L2TP, IKE, UDP port 500), as well as those that rely on the Point-to-Point Tunneling Protocol (PPTP), which uses Generic Routing Encapsulation (GRE).
- Restricts network traffic by preventing the use of IP and/or TCP options, which might otherwise be misused, as well as by preventing the spoofing of IP source addresses for both IPv4 and IPv6.

Medium (the default profile setting after installation) is intended to provide a good balance between usability and security, with an emphasis on security. This setting has the following features and functionality:

- It is the factory default profile setting when the NVIDIA Firewall is enabled.
- It does not have the stealth features associated with the High profile setting and therefore allows most (but not all) ICMP error messages to be sent and received.
- Blocks most incoming connections with the default action of Deny. In order to allow file transfers through MSN Messenger and Yahoo! Messenger, incoming connections to port 80 must be allowed.
  Note: MSN Messenger and Yahoo! Messenger will not work with the High setting.


- Allows dynamic ports to be opened up from the inside only. Default in: Deny. Default out: Allow.
- Supports outgoing NetMeeting calls.
- Allows VPNs based on both IPsec and PPTP.
- Restricts network traffic by preventing the use of IP and/or TCP options, which might otherwise be misused, as well as by preventing the spoofing of IP source addresses for both IPv4 and IPv6.

Low is the least secure of the profile settings, but allows most applications to work properly. This setting allows safe incoming connections, denies those that are known to be dangerous, and defaults to allowing TCP or UDP connections for which a rule has not been specified. Additional features and functionality of this setting include the following:

- Allows almost all ICMP traffic, except for sending router-oriented (e.g., router advertisement) or deprecated (e.g., source quench) (Type, Code) pairs.
- Allows bi-directional dynamic ports to be opened. Default in: Allow. Default out: Allow. For example, the Low setting supports the NetMeeting application in either direction.
- Allows VPNs based on both IPsec and PPTP.
- Restricts network traffic by preventing the use of IP and/or TCP options, which might otherwise be misused, as well as by preventing the spoofing of IP source addresses for both IPv4 and IPv6.

The Anti-hacking only profile setting enables only the anti-hacking features of the NVIDIA Firewall and is useful in a dual-firewall configuration, for example, if you want to use a third-party firewall product along with the anti-hacking features of the NVIDIA Firewall.
Note: The Anti-hacking only setting disables the NVIDIA Firewall, allowing most incoming and outgoing network traffic.

Off turns off the NVIDIA Firewall, allowing all incoming and outgoing network traffic.


Appendix B

NVIDIA Firewall Parameters Reference

Group: Configure Firewall Options


Disallow Promiscuous Mode

Parameter: FwlPromiscuous
Description: When this parameter is enabled, the firewall prevents applications from setting the NVIDIA network interface to promiscuous mode. Promiscuous mode is primarily used by packet sniffing software.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlOptions
  Single: FwlPromiscuous
Usage example: nCLI Set "FwlPromiscuous" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Enable, Disable

Disallow DHCP Server

Parameter: FwlDHCPServer
Description: When this option is enabled, the firewall prevents a DHCP (Dynamic Host Configuration Protocol) server process on the computer from using the NVIDIA network interface to communicate using the DHCP protocol. A DHCP server is used to assign IP addresses to client computers.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlOptions
  Single: FwlDHCPServer
Usage example: nCLI Set "FwlDHCPServer" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

Block Outbound Spoofed IP Packets

Parameter: FwlAntiIPSpoofing
Description: When this parameter is enabled, the firewall blocks any application on the NVIDIA network interface from sending network traffic using an IP address different from the one assigned to the interface. Such network packets are called spoofed IP packets, and this feature, also known as anti-IP-spoofing, is intended to prevent the NVIDIA network interface from participating in distributed denial of service attacks.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlOptions
  Single: FwlAntiIPSpoofing
Usage example: nCLI Set "FwlAntiIPSpoofing" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

Block Spoofed ARP Packets

Parameter: FwlAntiARPSpoofing
Description: When this parameter is enabled, the firewall filters out any ARP packets sent by an offending computer (i.e., a computer that pretends to be another computer by altering the local ARP cache). Such network packets are called spoofed ARP packets, and this feature is also known as anti-ARP-spoofing.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlOptions
  Single: FwlAntiARPSpoofing
Usage example: nCLI Set "FwlAntiARPSpoofing" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

Block UDPv4 with No UDP Checksum

Parameter: FwlChecksumUDP
Description: When this parameter is enabled, the firewall drops any UDP datagram that has no UDP checksum if it is inside an IPv4 packet (UDP checksums are optional over IPv4, but mandatory over IPv6).
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlOptions
  Single: FwlChecksumUDP
Usage example: nCLI Set "FwlChecksumUDP" "Enable"
Access: ReadWrite
Data type: Selection
User selection: Disable, Enable

Group: EtherType Default Rule

EtherType Default Rule

Parameter: FwlEtherTypeDefault
Description: This rule is applied when a packet contains an EtherType that does not match any rule in the EtherType rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlEtherTypeDefault
  Single: FwlEtherTypeDefault
Usage example: nCLI Set "FwlEtherTypeDefault" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: IP Address/Mask Default Rule

IP Address/Mask Default Action

Parameter: FwlIPDefault
Description: This action is applied when a packet contains an IP address/mask that does not match any rule in the IP rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlIPDefault
  Single: FwlIPDefault
Usage example: nCLI Set "FwlIPDefault" "Allow"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: Domain Name Default Rule

Domain Name Default Rule

Parameter: FwlDomainDefault
Description: This rule is applied when a DNS packet contains a domain name that does not match any rule in the domain name rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlDomainDefault
  Single: FwlDomainDefault
Usage example: nCLI Set "FwlDomainDefault" "Allow"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: IP Option Default Rule

Inbound IP Option Default Rule

Parameter: FwlIPOptionDefaultIn
Description: This rule is applied when an inbound packet contains an IP option that does not match any rule in the IP option rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlIPOptionDefault
  Single: FwlIPOptionDefaultIn
Usage example: nCLI Set "FwlIPOptionDefaultIn" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Outbound IP Option Default Rule

Parameter: FwlIPOptionDefaultOut
Description: This rule is applied when an outbound packet contains an IP option that does not match any rule in the IP option rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlIPOptionDefault
  Single: FwlIPOptionDefaultOut
Usage example: nCLI Set "FwlIPOptionDefaultOut" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: IP Protocol Default Rule

IP Protocol Default Rule

Parameter: FwlIPProtocolDefault
Description: This rule is applied when a packet contains an IP protocol that does not match any rule in the IP protocol rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlIPProtocolDefault
  Single: FwlIPProtocolDefault
Usage example: nCLI Set "FwlIPProtocolDefault" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: Port Number Default Rule

Inbound Port Number Default Rule

Parameter: FwlPortDefaultIn
Description: This rule is applied when an inbound packet contains a UDP or TCP port that does not match any rule in the Port rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlPortDefault
  Single: FwlPortDefaultIn
Usage example: nCLI Set "FwlPortDefaultIn" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Outbound Port Number Default Rule

Parameter: FwlPortDefaultOut
Description: This rule is applied when an outbound packet contains a UDP or TCP port that does not match any rule in the Port rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlPortDefault
  Single: FwlPortDefaultOut
Usage example: nCLI Set "FwlPortDefaultOut" "Allow"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: TCP Options Default Rule

TCP Options Default Rule

Parameter: FwlTCPOptionDefault
Description: This rule is applied when a packet contains a TCP option that does not match any rule in the TCP option rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlTCPOptionDefault
  Single: FwlTCPOptionDefault
Usage example: nCLI Set "FwlTCPOptionDefault" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: ICMP Messages Default Rule

Inbound ICMP Default Rule

Parameter: FwlICMPDefaultIn
Description: This rule is applied when an inbound packet contains an ICMP type/code pair that does not match any rule in the ICMP rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlICMPDefault
  Single: FwlICMPDefaultIn
Usage example: nCLI Set "FwlICMPDefaultIn" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Outbound ICMP Default Rule

Parameter: FwlICMPDefaultOut
Description: This rule is applied when an outbound packet contains an ICMP type/code pair that does not match any rule in the ICMP rule table.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlICMPDefault
  Single: FwlICMPDefaultOut
Usage example: nCLI Set "FwlICMPDefaultOut" "Deny"
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Group: Clear Firewall Statistics

Clear Firewall Statistics

Parameter: FwlStatClearAll
Description: Clears all firewall statistics.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlStatClear
  Single: FwlStatClearAll
Usage example: nCLI Set "FwlStatClearAll" "Clear"
Access: ReadWrite
Data type: Selection
User selection: Clear

Group: Firewall Statistics

All parameters in this group share the same attributes; only the parameter name and the counter it reports differ:
  Hierarchy:
    Namespace: NS_Firewall
    Group: NV_FwlStat
    Single: <parameter name>
  Usage example: nCLI Get "<parameter name>"
  Access: Read
  Data type: Number (64 bit)

Allowed Inbound UDP Datagrams
  Parameter: FwlStatUDPInPktsAllowed
  Description: Number of inbound UDP datagrams allowed by the firewall.

Denied Inbound UDP Datagrams
  Parameter: FwlStatUDPInPktsDenied
  Description: Number of inbound UDP datagrams denied by the firewall.

Allowed Outbound UDP Datagrams
  Parameter: FwlStatUDPOutPktsAllowed
  Description: Number of outbound UDP datagrams allowed by the firewall.

Denied Outbound UDP Datagrams
  Parameter: FwlStatUDPOutPktsDenied
  Description: Number of outbound UDP datagrams denied by the firewall.

Denied Inbound UDP Connections
  Parameter: FwlStatUDPInConnectionsDenied
  Description: Number of inbound UDP connections denied by the firewall.

Allowed Outbound UDP Connections
  Parameter: FwlStatUDPOutConnectionsAllowed
  Description: Number of outbound UDP connections allowed by the firewall.

Denied Outbound UDP Connections
  Parameter: FwlStatUDPOutConnectionsDenied
  Description: Number of outbound UDP connections denied by the firewall.

Allowed Inbound TCP Segments
  Parameter: FwlStatTCPInPktsAllowed
  Description: Number of inbound TCP segments allowed by the firewall.

Denied Inbound TCP Segments
  Parameter: FwlStatTCPInPktsDenied
  Description: Number of inbound TCP segments denied by the firewall.

Allowed Outbound TCP Segments
  Parameter: FwlStatTCPOutPktsAllowed
  Description: Number of outbound TCP segments allowed by the firewall.

Denied Outbound TCP Segments
  Parameter: FwlStatTCPOutPktsDenied
  Description: Number of outbound TCP segments denied by the firewall.

Allowed Inbound TCP Connections
  Parameter: FwlStatTCPInConnectionsAllowed
  Description: Number of inbound TCP connections allowed by the firewall.

Denied Inbound TCP Connections
  Parameter: FwlStatTCPInConnectionsDenied
  Description: Number of inbound TCP connections denied by the firewall.

Allowed Outbound TCP Connections
  Parameter: FwlStatTCPOutConnectionsAllowed
  Description: Number of outbound TCP connections allowed by the firewall.

Denied Outbound TCP Connections
  Parameter: FwlStatTCPOutConnectionsDenied
  Description: Number of outbound TCP connections denied by the firewall.

Allowed Inbound ICMP Packets
  Parameter: FwlStatICMPInPktsAllowed
  Description: Number of inbound ICMP packets allowed by the firewall.

Denied Inbound ICMP Packets
  Parameter: FwlStatICMPInPktsDenied
  Description: Number of inbound ICMP packets denied by the firewall.

Allowed Outbound ICMP Packets
  Parameter: FwlStatICMPOutPktsAllowed
  Description: Number of outbound ICMP packets allowed by the firewall.

Denied Outbound ICMP Packets
  Parameter: FwlStatICMPOutPktsDenied
  Description: Number of outbound ICMP packets denied by the firewall.

Other Allowed Inbound Packets
  Parameter: FwlStatOtherInPktsAllowed
  Description: Number of inbound packets allowed by the firewall that are not UDP, TCP, or ICMP.

Other Denied Inbound Packets
  Parameter: FwlStatOtherInPktsDenied
  Description: Number of inbound packets denied by the firewall that are not UDP, TCP, or ICMP.

Other Allowed Outbound Packets
  Parameter: FwlStatOtherOutPktsAllowed
  Description: Number of outbound packets allowed by the firewall that are not UDP, TCP, or ICMP.

Other Denied Outbound Packets
  Parameter: FwlStatOtherOutPktsDenied
  Description: Number of outbound packets denied by the firewall that are not UDP, TCP, or ICMP.

Group: Factory Default

Factory Default

Parameter: FwlDefault
Description: Restores all firewall settings to the factory default.
Comment: This parameter is not supported through WMI scripting.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_Fwl_Default
  Single: FwlDefault
Usage example: nCLI Set "FwlDefault" "NoRestore"
Access: ReadWrite
Data type: Selection
User selection: NoRestore, Restore

Group: Flush DNS Cache

Flush DNS Cache

Parameter: FwlFlushDNS
Description: Flushes the operating system DNS cache.
Comment: The DNS cache needs to be flushed when the Firewall Domain Name configuration is changed.
Hierarchy:
  Namespace: NS_Firewall
  Group: NV_FwlFlushDNS
  Single: FwlFlushDNS
Usage example: nCLI Set "FwlFlushDNS" "Clear"
Access: ReadWrite
Data type: Selection
User selection: Clear

Table: EtherType Rules

Table parameter: NV_FwlEtherType
Description: Specifies the table to configure EtherType firewall rules.
Comment: As part of the Ethernet header, the EtherType is used to identify the type of Ethernet payload. Example payloads include IPv4, AppleTalk, IPX, and NetBEUI. For an EtherType that does not match any rule in the table, the default setting in FwlEtherTypeDefault will be used.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlEtherType
Usage example:
  nCLI AddRow "NV_FwlEtherType" "EtherType=2048,EtherTypeName=Internet Protocol version 4 (IPv4) (RFC 791),EtherTypeAction=Allow"
  nCLI EditRow "NV_FwlEtherType.EtherType=2048" "EtherTypeName=Address Resolution Protocol (ARP) (RFC 826),EtherTypeAction=Allow"
  nCLI DelRow "NV_FwlEtherType.EtherType=2048"
Access: ReadWrite
Single parameters: EtherType, EtherTypeName, EtherTypeAction

EtherType

Parameter: EtherType
Description: The EtherType identifies the type of Ethernet payload. Some examples and their hexadecimal values include IPv4 (0x0800), AppleTalk (0x809B), IPX (0x8137) and NetBEUI (0x8191).
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlEtherType
  Single: EtherType
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: Number (32 bit)
Maximum value: 65535
Minimum value: 1501

EtherType Name

Parameter: EtherTypeName
Description: Name associated with the EtherType.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlEtherType
  Single: EtherTypeName
Access: ReadWrite
Data type: String
Maximum length: 60

EtherType Action

Parameter: EtherTypeAction
Description: Specifies the action for the EtherType.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlEtherType
  Single: EtherTypeAction
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Table: IP Address/Mask Rule

Table parameter: NV_FwlIP
Description: Specifies the table to configure firewall rules based on IP addresses/masks.
Comment: For an IP address/mask pair that does not match any rule in the table, the default setting in FwlIPDefault will be used.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIP
Usage example:
  nCLI AddRow "NV_FwlIP" "IPRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,IPRemoteIPMask=32,IPAction=Allow"
  nCLI DelRow "NV_FwlIP.IPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',IPRemoteIPMask='32'"
Access: ReadWrite
Single parameters: IPRemoteIP, IPRemoteIPMask, IPLocalIP, IPLocalIPMask, IPAction

Remote IP Address

Parameter: IPRemoteIP
Description: IP address of the remote machine or subnet.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIP
  Single: IPRemoteIP
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: IP Address

Remote IP Address Mask

Parameter: IPRemoteIPMask
Description: IP address mask of the remote machine or subnet.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIP
  Single: IPRemoteIPMask
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: IP Mask Length

IP Action

Parameter: IPAction
Description: Specifies the action for network traffic.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIP
  Single: IPAction
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Table: Domain Names Rule

Table parameter: NV_FwlDomain
Description: Specifies the table to configure domain name rules.
Comment: A domain name is a user-friendly name used to identify a Web site; for example, www.nvidia.com. The firewall blocks DNS lookups of domain names. You can bypass this filter by directly entering an IP address (if the IP address is known) instead of a domain name to access a Web site. CLI users need to flush the DNS cache for domain name rules to take effect; to flush the DNS cache, set FwlFlushDNS. For a domain name that does not match any rule in the table, the default setting in FwlDomainDefault will be used.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlDomain
Usage example:
  nCLI AddRow "NV_FwlDomain" "DomainName=www.dummy.com,DomainAction=Deny"
  nCLI EditRow "NV_FwlDomain.DomainName='www.dummy.com'" "DomainAction=Deny"
  nCLI DelRow "NV_FwlDomain.DomainName='www.dummy.com'"
Access: ReadWrite
Single parameters: DomainName, DomainAction, DomainLocalIP, DomainLocalIPMask

Domain Name

Parameter: DomainName
Description: Domain name of the computer or Web site.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlDomain
  Single: DomainName
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: String
Maximum length: 127

Domain Action

Parameter: DomainAction
Description: Specifies the action for network traffic.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlDomain
  Single: DomainAction
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Table: IP Option Rules

Table parameter: NV_FwlIPOption
Description: Specifies the table to configure IP option rules.
Comment: IPv4 options are added to the basic IPv4 header to provide additional features beyond those that are supported by the standard IPv4 packet's header. The standard 20-byte IPv4 header can be expanded to have up to 40 bytes of options. IPv6 options have no fixed size, but are otherwise similar to IPv4 options and provide for many of the same features. For an IP option that does not match any rule in the table, the default setting in FwlIPOptionDefault will be used.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPOption
Usage example:
  nCLI AddRow "NV_FwlIPOption" "IPOptionNumber=0,IPOptionName=End of Option List,IPOptionVersion=IPv4,IPOptionActionIn=Allow,IPOptionActionOut=Allow"
  nCLI EditRow "NV_FwlIPOption.IPOptionNumber=0,IPOptionVersion=4" "IPOptionName=Pad-1 (i.e., one octet of padding),IPOptionActionIn=Allow,IPOptionActionOut=Allow"
  nCLI DelRow "NV_FwlIPOption.IPOptionNumber=0,IPOptionVersion=4"
Access: ReadWrite
Single parameters: IPOptionNumber, IPOptionName, IPOptionVersion, IPOptionActionIn, IPOptionActionOut

IP Option Number

Parameter: IPOptionNumber
Description: IP option number. IPv4 options are added to the basic IPv4 header to provide additional features beyond those that are supported by the standard IPv4 packet's header. The standard 20-byte IPv4 header can be expanded to have up to 40 bytes of options. IPv6 options have no fixed size, but are otherwise similar to IPv4 options and provide for many of the same features.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPOption
  Single: IPOptionNumber
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: Number (32 bit)
Maximum value: 255
Minimum value: 0

IP Option Name

Parameter: IPOptionName
Description: Specifies the name associated with the IP option number.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPOption
  Single: IPOptionName
Access: ReadWrite
Data type: String
Maximum length: 60

IP Version

Parameter: IPOptionVersion
Description: Specifies whether the rule is for IPv4 or IPv6.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPOption
  Single: IPOptionVersion
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: Selection
User selection: IPv4, IPv6

IP Inbound Action

Parameter: IPOptionActionIn
Description: Specifies the action for inbound network traffic.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPOption
  Single: IPOptionActionIn
Access: ReadWrite
Data type: Selection
User selection: Allow, Deny

IP Outbound Action

Parameter: IPOptionActionOut
Description: Specifies the action for outbound network traffic.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPOption
  Single: IPOptionActionOut
Access: ReadWrite
Data type: Selection
User selection: Allow, Deny

Table: IP Protocol Rule

Table parameter: NV_FwlIPProtocol
Description: Specifies the table to configure IP protocol rules.
Comment: The IP protocol identifies the type of IP payload. ICMP, TCP and UDP are examples of common IP payloads. For an IP protocol that does not match any rule in the table, the default setting in FwlIPProtocolDefault will be used.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPProtocol
Usage example:
  nCLI AddRow "NV_FwlIPProtocol" "IPProtocol=1,IPProtocolName=Internet Control Message Protocol for IPv4 (ICMP),IPProtocolAction=Allow"
  nCLI EditRow "NV_FwlIPProtocol.IPProtocol=1" "IPProtocolName=Internet Group Management Protocol for IPv4 (IGMP),IPProtocolAction=Allow"
  nCLI DelRow "NV_FwlIPProtocol.IPProtocol=1"
Access: ReadWrite
Single parameters: IPProtocol, IPProtocolName, IPProtocolAction

IP Protocol

Parameter: IPProtocol
Description: Specifies the IP protocol number. The IP protocol identifies the type of IP payload. Common protocols and their decimal values include ICMP (1), TCP (6), and UDP (17).
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPProtocol
  Single: IPProtocol
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: Number (32 bit)
Maximum value: 255
Minimum value: 0

IP Protocol Name

Parameter: IPProtocolName
Description: Specifies a name for an IP protocol.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPProtocol
  Single: IPProtocolName
Access: ReadWrite
Data type: String
Maximum length: 60

IP Protocol Action

Parameter: IPProtocolAction
Description: Specifies the action for network traffic.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlIPProtocol
  Single: IPProtocolAction
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Table: TCP/UDP Port Rule

Table parameter: NV_FwlPort
Description: Specifies the table to configure TCP or UDP port rules.
Comment: Port numbers are used by TCP or UDP to identify sending and receiving applications. Some common ports include HTTP (80), TELNET (23) and SMTP (25). For a TCP/UDP port that does not match any rule in the table, the default setting in FwlPortDefault will be used.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
Usage examples:
  nCLI AddRow "NV_FwlPort" "PortActionIn=Deny,PortActionOut=Deny,PortRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,PortRemoteIPMask=32,PortName=Reserved,PortRangeBegin=0,PortRangeEnd=0,PortProtocol=Both"
  nCLI EditRow "NV_FwlPort.PortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',PortRemoteIPMask='32',PortRangeBegin=0,PortRangeEnd=0,PortProtocol=0" "PortActionIn=Deny,PortActionOut=Allow,PortName=Time (RFC 868)"
  nCLI DelRow "NV_FwlPort.PortRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',PortRemoteIPMask='32',PortRangeBegin=0,PortRangeEnd=0,PortProtocol=0"
Access: ReadWrite
Single parameters: PortActionIn, PortActionOut, PortRemoteIP, PortRemoteIPMask, PortLocalIP, PortRangeBegin, PortRangeEnd, PortLocalIPMask, PortName, PortProtocol

TCP/UDP Port Outbound Action

Parameter: PortActionOut
Description: Specifies the outbound action for the network connection.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
  Single: PortActionOut
Access: ReadWrite
Data type: Selection
User selection: Deny, Allow

Remote IP Address

Parameter: PortRemoteIP
Description: IP address of the remote machine or subnet.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
  Single: PortRemoteIP
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: IP Address

Remote IP Subnet Mask

Parameter: PortRemoteIPMask
Description: Specifies the IP address mask of the remote machine or subnet.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
  Single: PortRemoteIPMask
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: IP Mask Length

Port Name

Parameter: PortName
Description: Specifies the name associated with the TCP or UDP port range.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
  Single: PortName
Access: ReadWrite
Data type: String
Maximum length: 100

Beginning Port Number

Parameter: PortRangeBegin
Description: Specifies the first UDP or TCP port in the range.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
  Single: PortRangeBegin
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: Number (32 bit)
Maximum value: 65535

Ending Port Number

Parameter: PortRangeEnd
Description: Specifies the last UDP or TCP port in the range.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
  Single: PortRangeEnd
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: Number (32 bit)
Maximum value: 65535

Port Protocol

Parameter: PortProtocol
Description: Specifies whether the port protocol is UDP, TCP, or both.
Hierarchy:
  Namespace: NS_Firewall
  Table: NV_FwlPort
  Single: PortProtocol
Access: ReadWrite
Table key: This parameter is a key to the table
Data type: Selection
User selection: UDP, TCP (the table's usage example also uses the value Both)
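As an added illustration, not code from the guide or from NVIDIA's nCLI tool, the following Python models how NV_FwlPort rows together with the FwlPortDefaultIn and FwlPortDefaultOut fallback decide a connection, parsing the AddRow syntax shown above. First-match-wins ordering, matching on the destination port, and treating PortRemoteIPMask as a prefix length over the 128-bit IPv4-mapped address are assumptions the guide does not state; the rows beyond the guide's own Reserved example are constructed.

```python
"""Model of NVIDIA Firewall TCP/UDP port-rule evaluation (added example).

Parses nCLI AddRow commands for the NV_FwlPort table and evaluates a
connection against the rows, falling back to FwlPortDefaultIn or
FwlPortDefaultOut when no row matches.  Assumptions the guide does not
state: first matching row wins; the port compared is the connection's
destination port; PortRemoteIPMask is a prefix length over the 128-bit
IPv4-mapped form of PortRemoteIP.
"""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    remote_net: ipaddress.IPv6Network  # PortRemoteIP / PortRemoteIPMask
    range_begin: int                   # PortRangeBegin
    range_end: int                     # PortRangeEnd
    protocol: str                      # PortProtocol: UDP, TCP or Both
    action_in: str                     # PortActionIn: Allow or Deny
    action_out: str                    # PortActionOut: Allow or Deny
    name: str = ""                     # PortName (free text)


def to_mapped_v6(text: str) -> ipaddress.IPv6Address:
    """Return the IPv6 form of an address; IPv4 becomes ::ffff:a.b.c.d."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv4Address):
        return ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr


def parse_addrow(line: str) -> PortRule:
    """Parse one command of the form: nCLI AddRow "NV_FwlPort" "Key=Value,..."."""
    tokens = shlex.split(line)
    if len(tokens) != 4 or tokens[:3] != ["nCLI", "AddRow", "NV_FwlPort"]:
        raise ValueError(f"not an NV_FwlPort AddRow command: {line!r}")
    fields = {}
    for item in tokens[3].split(","):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    # Validate against the limits the reference gives for each column.
    for action in (fields["PortActionIn"], fields["PortActionOut"]):
        if action not in ("Allow", "Deny"):
            raise ValueError(f"bad action {action!r}")
    begin, end = int(fields["PortRangeBegin"]), int(fields["PortRangeEnd"])
    if not 0 <= begin <= end <= 65535:
        raise ValueError(f"bad port range {begin}-{end}")
    protocol = fields["PortProtocol"]
    if protocol not in ("UDP", "TCP", "Both"):
        raise ValueError(f"bad PortProtocol {protocol!r}")
    # strict=False clears host bits, so ::FFFF:0:0/32 becomes ::/32, which
    # under the stated assumption matches every IPv4-mapped address.
    remote_net = ipaddress.IPv6Network(
        (int(to_mapped_v6(fields["PortRemoteIP"])),
         int(fields["PortRemoteIPMask"])), strict=False)
    return PortRule(remote_net, begin, end, protocol, fields["PortActionIn"],
                    fields["PortActionOut"], fields.get("PortName", ""))


def load_rules(lines):
    """Parse a sequence of AddRow commands into an ordered rule list."""
    return [parse_addrow(line) for line in lines]


def evaluate(rules, direction, protocol, remote_ip, port, defaults):
    """Decide Allow or Deny for one connection.

    direction is "In" or "Out", protocol is "TCP" or "UDP", port is the
    destination port, and defaults maps "In"/"Out" to the configured
    FwlPortDefaultIn / FwlPortDefaultOut values.
    """
    remote = to_mapped_v6(remote_ip)
    for rule in rules:
        if rule.protocol not in (protocol, "Both"):
            continue
        if not rule.range_begin <= port <= rule.range_end:
            continue
        if remote not in rule.remote_net:
            continue
        return rule.action_in if direction == "In" else rule.action_out
    return defaults[direction]


# Defaults as set by the guide's usage examples: Deny inbound, Allow outbound.
DEFAULTS = {"In": "Deny", "Out": "Allow"}

# Constructed rule set: the first command is the guide's own AddRow example;
# the other two are made up here (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = [
    'nCLI AddRow "NV_FwlPort" "PortActionIn=Deny,PortActionOut=Deny,'
    'PortRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,PortRemoteIPMask=32,'
    'PortName=Reserved,PortRangeBegin=0,PortRangeEnd=0,PortProtocol=Both"',
    'nCLI AddRow "NV_FwlPort" "PortActionIn=Allow,PortActionOut=Allow,'
    'PortRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,PortRemoteIPMask=32,'
    'PortName=HTTP,PortRangeBegin=80,PortRangeEnd=80,PortProtocol=TCP"',
    'nCLI AddRow "NV_FwlPort" "PortActionIn=Deny,PortActionOut=Allow,'
    'PortRemoteIP=203.0.113.5,PortRemoteIPMask=128,'
    'PortName=Time (RFC 868),PortRangeBegin=37,PortRangeEnd=37,PortProtocol=Both"',
]
```

Calling `evaluate(load_rules(SAMPLE_RULES), "In", "TCP", "198.51.100.7", 443, DEFAULTS)` returns "Deny" from the FwlPortDefaultIn fallback, while port 80 returns "Allow" from the second row.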

Table: TCP Options Rule

Table parameter:   NV_FwlTCPOption
Description:       Specifies the table to configure the TCP options rule.
Comment:           TCP options are added to the standard 20-byte TCP header to provide additional features that typically can only be used if they are negotiated at the beginning of a TCP connection. For a given TCP option that does not match any rule in the table, the default setting in FwlTCPOptionDefault will be used.
Hierarchy:         Namespace: NS_Firewall; Table: NV_FwlTCPOption
Usage examples:
    nCLI AddRow "NV_FwlTCPOption" "TCPOptionNumber=0,TCPOptionName=End of Option List (RFC 793),TCPOptionAction=Allow"
    nCLI EditRow "NV_FwlTCPOption.TCPOptionNumber=0" "TCPOptionName=No Operation (RFC 793),TCPOptionAction=Allow"
    nCLI DelRow "NV_FwlTCPOption.TCPOptionNumber=0"
Access:            ReadWrite
Single parameters: TCPOptionNumber, TCPOptionName, TCPOptionAction

TCP Option Number

Parameter:     TCPOptionNumber
Description:   Represents the TCP option number. TCP options are added to the standard 20-byte TCP header to provide additional features that typically can only be used if they are negotiated at the beginning of a TCP connection.
Hierarchy:     Namespace: NS_Firewall; Table: NV_FwlTCPOption; Single: TCPOptionNumber
Access:        ReadWrite
Table key:     This parameter is a key to the table
Data type:     Number (32 bit)
Minimum Value: 0
Maximum Value: 255

TCP Option Name

Parameter:      TCPOptionName
Description:    Specifies a name associated with a TCP option number.
Hierarchy:      Namespace: NS_Firewall; Table: NV_FwlTCPOption; Single: TCPOptionName
Access:         ReadWrite
Data type:      String
Maximum Length: 60

TCP Option Action

Parameter:      TCPOptionAction
Description:    Specifies the action for network traffic containing a given TCP option number.
Hierarchy:      Namespace: NS_Firewall; Table: NV_FwlTCPOption; Single: TCPOptionAction
Access:         ReadWrite
Data type:      Selection
User selection: Deny, Allow
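The following Python is an added worked example, not NVIDIA code and not part of this guide. It models how a rule table with the NV_FwlTCPOption columns is applied to a segment: it walks the variable-length options field of a TCP header, treats End of Option List and No Operation as the two option kinds that carry no length byte, looks each option number up in the table, and falls back to a default action for any option number without a row, as the reference describes for FwlTCPOptionDefault. The rule rows, the default of Deny, the names TCP_OPTION_RULES and TCP_OPTION_DEFAULT, and the policy that one denied or malformed option denies the whole segment are assumptions made for the example; the sample header bytes are constructed.

```python
"""TCP option rule evaluation modelled on the NV_FwlTCPOption table.

Added example, not NVIDIA code. The three column names come from the
reference; the rule rows, the default action (standing in for
FwlTCPOptionDefault) and the "one denied option denies the segment"
policy are assumptions made for this example.
"""
import struct

ALLOW, DENY = "Allow", "Deny"

# TCPOptionNumber -> (TCPOptionName, TCPOptionAction). Constructed sample
# rows; option numbers and names follow the IANA TCP option registry.
TCP_OPTION_RULES = {
    0: ("End of Option List (RFC 793)", ALLOW),
    1: ("No Operation (RFC 793)", ALLOW),
    2: ("Maximum Segment Size (RFC 793)", ALLOW),
    3: ("Window Scale (RFC 1323)", ALLOW),
    4: ("SACK Permitted (RFC 2018)", ALLOW),
    8: ("Timestamps (RFC 1323)", ALLOW),
}
TCP_OPTION_DEFAULT = DENY   # assumed value of FwlTCPOptionDefault


def parse_tcp_options(header: bytes):
    """Yield (kind, data) for every option in a TCP header.

    `header` is the whole TCP header; the data offset (high nibble of
    byte 12, in 32-bit words) says where the options end. Kind 0 (EOL)
    ends the list and kind 1 (NOP) is a single byte; every other option
    has a length byte that counts the kind and length bytes themselves
    (RFC 793). Malformed options raise ValueError so the caller can deny
    instead of guessing.
    """
    if len(header) < 20:
        raise ValueError("short TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset %d" % data_offset)
    opts = header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            yield 0, b""
            return
        if kind == 1:
            yield 1, b""
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d truncated before its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        yield kind, opts[i + 2:i + length]
        i += length


def evaluate_tcp_options(header, rules=TCP_OPTION_RULES, default=TCP_OPTION_DEFAULT):
    """Apply the rule table to one header.

    Returns (verdict, hits); hits lists (kind, name, action) per option seen.
    Any Deny, or a malformed options field, denies the whole segment.
    """
    hits = []
    try:
        for kind, _data in parse_tcp_options(header):
            name, action = rules.get(kind, ("(no rule, FwlTCPOptionDefault)", default))
            hits.append((kind, name, action))
    except ValueError as exc:
        hits.append((None, "malformed options: %s" % exc, DENY))
        return DENY, hits
    verdict = DENY if any(a == DENY for _, _, a in hits) else ALLOW
    return verdict, hits


def build_tcp_header(options: bytes, src_port=40000, dst_port=80) -> bytes:
    """Build a SYN header carrying `options`, padded to 32-bit words with EOL."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4
    if data_offset > 15:
        raise ValueError("options too long for the 4-bit data offset")
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options


# Constructed option bytes of a typical SYN: MSS 1460, NOP, window scale 7,
# SACK permitted, timestamps (kinds 2, 1, 3, 4, 8).
SAMPLE_SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07"
                      + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8)

if __name__ == "__main__":
    for label, opts in [("typical SYN", SAMPLE_SYN_OPTIONS),
                        ("MD5 signature option, kind 19", b"\x13\x12" + b"\x00" * 16),
                        ("length overruns options field", b"\x02\x09\x05\xb4")]:
        verdict, hits = evaluate_tcp_options(build_tcp_header(opts))
        print(label, "->", verdict)
        for kind, name, action in hits:
            print("   ", kind, name, action)
```

Running the block shows the typical SYN allowed, the segment with a kind-19 option denied because no row exists for it and the assumed default is Deny, and the segment whose option length overruns the options field denied without the parser ever reading past the header.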

Table: ICMP Rules

Table parameter:   NV_FwlICMP
Description:       Specifies the table to configure ICMP message rules.
Comment:           ICMP communicates error, diagnostic and control messages. Examples of ICMP messages include echo (i.e., ping) and 'destination unreachable'. For an ICMP message that does not match any rule in the table, the default setting in FwlICMPDefault will be used.
Hierarchy:         Namespace: NS_Firewall; Table: NV_FwlICMP
Usage examples:
    nCLI AddRow "NV_FwlICMP" "ICMPRemoteIP=0000:0000:0000:0000:0000:FFFF:0000:0000,ICMPRemoteIPMask=32,ICMPType=0,ICMPCode=0,ICMPName=Echo reply (RFC792),ICMPVersion=ICMPv4,ICMPActionIn=Allow,ICMPActionOut=Allow"
    nCLI EditRow "NV_FwlICMP.ICMPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',ICMPRemoteIPMask='32',ICMPType=0,ICMPCode=0,ICMPVersion=4" "ICMPName=Not assigned,ICMPActionIn=Deny,ICMPActionOut=Deny"
    nCLI DelRow "NV_FwlICMP.ICMPRemoteIP='0000:0000:0000:0000:0000:FFFF:0000:0000',ICMPRemoteIPMask='32',ICMPType=0,ICMPCode=0,ICMPVersion=4"
Access:            ReadWrite
Single parameters: ICMPRemoteIP, ICMPRemoteIPMask, ICMPLocalIP, ICMPLocalIPMask, ICMPType, ICMPCode, ICMPName, ICMPVersion, ICMPActionIn, ICMPActionOut

Remote IP Address

Parameter:     ICMPRemoteIP
Description:   Specifies the IP address of the remote machine or subnet. In the usage examples above, an IPv4 address is written in IPv4-mapped IPv6 notation (six groups of zeros, then FFFF, then the 32-bit IPv4 address), so 0000:0000:0000:0000:0000:FFFF:0000:0000 denotes 0.0.0.0.
Hierarchy:     Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPRemoteIP
Access:        ReadWrite
Table key:     This parameter is a key to the table
Data type:     IP Address

Remote IP Subnet Mask

Parameter:     ICMPRemoteIPMask
Description:   Specifies the IP address mask of the remote machine or subnet.
Hierarchy:     Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPRemoteIPMask
Access:        ReadWrite
Table key:     This parameter is a key to the table
Data type:     IP Mask Length

ICMP Type

Parameter:     ICMPType
Description:   Specifies the ICMP type.
Hierarchy:     Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPType
Access:        ReadWrite
Table key:     This parameter is a key to the table
Data type:     Number (32 bit)
Minimum Value: 0
Maximum Value: 255

ICMP Code

Parameter:     ICMPCode
Description:   Specifies the ICMP code.
Hierarchy:     Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPCode
Access:        ReadWrite
Table key:     This parameter is a key to the table
Data type:     Number (32 bit)
Minimum Value: 0
Maximum Value: 255

ICMP Name

Parameter:      ICMPName
Description:    Specifies a name for the ICMP type/code pair.
Hierarchy:      Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPName
Access:         ReadWrite
Data type:      String
Maximum Length: 120

ICMP Version

Parameter:      ICMPVersion
Description:    Specifies whether the rule is for ICMPv4 or ICMPv6.
Hierarchy:      Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPVersion
Access:         ReadWrite
Table key:      This parameter is a key to the table
Data type:      Selection
User selection: ICMPv4, ICMPv6

ICMP Inbound Action

Parameter:      ICMPActionIn
Description:    Specifies the action for inbound network traffic.
Hierarchy:      Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPActionIn
Access:         ReadWrite
Data type:      Selection
User selection: Deny, Allow

ICMP Outbound Action

Parameter:      ICMPActionOut
Description:    Specifies the action for outbound network traffic.
Hierarchy:      Namespace: NS_Firewall; Table: NV_FwlICMP; Single: ICMPActionOut
Access:         ReadWrite
Data type:      Selection
User selection: Deny, Allow
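The following Python is an added worked example, not NVIDIA code and not part of this guide. It models a lookup against a table with the NV_FwlICMP columns: each row carries a remote address and mask length, an ICMP type and code, a version, and separate inbound and outbound actions, and a message that matches no row gets the default, as the reference describes for FwlICMPDefault. The column names are the reference's; everything else is an assumption made for the example: that rows are checked in table order and the first full match wins; that ICMPv4 rows spell the address in the IPv4-mapped IPv6 form the nCLI examples use and ICMPRemoteIPMask counts bits of the embedded IPv4 address, while ICMPv6 rows mask the full 128-bit address; that an all-zero remote address matches any host; and the names IcmpRule, match_icmp, to_rule_key, SAMPLE_RULES and SAMPLE_DEFAULT. The sample rule table is constructed and is not a recommended policy.

```python
"""ICMP rule lookup modelled on the NV_FwlICMP table.

Added example, not NVIDIA code. Column names come from the reference;
first-match ordering, the address/mask interpretation, the all-zero
wildcard and the sample rows are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"


@dataclass(frozen=True)
class IcmpRule:
    remote_ip: str     # ICMPRemoteIP, colon-hex as in the nCLI examples
    remote_mask: int   # ICMPRemoteIPMask (prefix length)
    icmp_type: int     # ICMPType, 0..255
    icmp_code: int     # ICMPCode, 0..255
    name: str          # ICMPName
    version: str       # ICMPVersion: "ICMPv4" or "ICMPv6"
    action_in: str     # ICMPActionIn
    action_out: str    # ICMPActionOut

    def network(self):
        """Remote network the row covers, as an ipaddress network object."""
        addr = ipaddress.IPv6Address(self.remote_ip)
        if self.version == "ICMPv4":
            v4 = addr.ipv4_mapped          # None unless the form is ::ffff:a.b.c.d
            if v4 is None:
                raise ValueError("%s: ICMPv4 row needs an IPv4-mapped address" % self.name)
            if int(v4) == 0:               # assumed wildcard: 0.0.0.0 means any host
                return ipaddress.ip_network("0.0.0.0/0")
            return ipaddress.ip_network("%s/%d" % (v4, self.remote_mask), strict=False)
        if int(addr) == 0:                 # assumed wildcard for ICMPv6 rows
            return ipaddress.ip_network("::/0")
        return ipaddress.ip_network("%s/%d" % (addr, self.remote_mask), strict=False)


def to_rule_key(ipv4_dotted: str) -> str:
    """Spell an IPv4 address the way the nCLI examples write ICMPRemoteIP."""
    return ipaddress.IPv6Address("::ffff:" + ipv4_dotted).exploded.upper()


def match_icmp(rules, default, *, version, remote_ip, icmp_type, icmp_code, direction):
    """Return (action, rule name) for one ICMP message.

    direction is "in" (ICMPActionIn applies) or "out" (ICMPActionOut applies).
    `default` stands in for FwlICMPDefault and is used when no row matches.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    addr = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if rule.version != version:
            continue
        if (rule.icmp_type, rule.icmp_code) != (icmp_type, icmp_code):
            continue
        net = rule.network()
        if addr.version != net.version or addr not in net:
            continue
        return (rule.action_in if direction == "in" else rule.action_out), rule.name
    return default, "FwlICMPDefault"


ANY_V4 = "0000:0000:0000:0000:0000:FFFF:0000:0000"   # 0.0.0.0, as in the AddRow example
ANY_V6 = "0000:0000:0000:0000:0000:0000:0000:0000"

# Constructed sample table: answer pings only from one trusted subnet,
# ping out freely, never accept host redirects, accept v6 pings from one prefix.
SAMPLE_RULES = [
    IcmpRule(ANY_V4, 32, 0, 0, "Echo reply (RFC792)", "ICMPv4", ALLOW, ALLOW),
    IcmpRule(to_rule_key("192.0.2.0"), 24, 8, 0, "Echo request from LAN", "ICMPv4", ALLOW, ALLOW),
    IcmpRule(ANY_V4, 32, 8, 0, "Echo request", "ICMPv4", DENY, ALLOW),
    IcmpRule(ANY_V4, 32, 5, 1, "Redirect for host", "ICMPv4", DENY, DENY),
    IcmpRule("2001:0DB8:0000:0000:0000:0000:0000:0000", 32, 128, 0,
             "Echo request v6 from LAN", "ICMPv6", ALLOW, ALLOW),
]
SAMPLE_DEFAULT = DENY   # assumed value of FwlICMPDefault

if __name__ == "__main__":
    messages = [
        dict(version="ICMPv4", remote_ip="192.0.2.7", icmp_type=8, icmp_code=0, direction="in"),
        dict(version="ICMPv4", remote_ip="198.51.100.9", icmp_type=8, icmp_code=0, direction="in"),
        dict(version="ICMPv4", remote_ip="198.51.100.9", icmp_type=8, icmp_code=0, direction="out"),
        dict(version="ICMPv4", remote_ip="203.0.113.1", icmp_type=5, icmp_code=1, direction="in"),
        dict(version="ICMPv4", remote_ip="203.0.113.1", icmp_type=3, icmp_code=3, direction="in"),
        dict(version="ICMPv6", remote_ip="2001:db8::1", icmp_type=128, icmp_code=0, direction="in"),
    ]
    for m in messages:
        print(m, "->", match_icmp(SAMPLE_RULES, SAMPLE_DEFAULT, **m))
```

Because the lookup compares the message's remote address against the row's network, a row's mask length matters only when the address is not the all-zero wildcard; the reference's AddRow example, which pairs 0.0.0.0 with a mask of 32, is read here as "any remote host", which is the example's assumption and not something the guide states.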

Appendix C

Glossary

distinguished name. In reference to the ForceWare Network Access Manager application, a distinguished name is the name that uniquely identifies a parameter. Each parameter has a distinguished name.

group parameter. In reference to the ForceWare Network Access Manager application, a group parameter is a collection of single parameters that belong to a functionality set.

ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host and a gateway to the Internet. ICMP uses IP datagrams, but the messages are processed by the IP software and are not necessarily directly apparent to the application user.

IP (Internet Protocol) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains the sender's Internet address and the receiver's Internet address.

When the sender needs to send a packet to a receiver on a different subnetwork, the packet is sent first to the sender's default gateway, a computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway, which in turn reads the destination address, and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified.
Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order in which they were sent. The Internet Protocol just delivers them. For applications requiring in-order delivery, it is up to a higher-layer protocol to ensure proper sequencing across a packet stream. IP is a connectionless protocol, which means that there is no continuing connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. In the Open Systems Interconnection (OSI) communication model, IP is in layer 3, the Network Layer. The most widely used version of IP today is IPv4. However, IPv6 is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more addressable hosts. IPv6 includes the capabilities of IPv4, and a server that supports IPv6 packets can often also support IPv4 packets.

namespace parameter. In reference to the ForceWare Network Access Manager application, a namespace parameter is the largest container of parameters. A namespace parameter contains multiple group parameters and/or table parameters.

nCLI (NVIDIA command line interface). In ForceWare Network Access Manager, nCLI is a command line interface that can be used to configure and monitor NVIDIA networking components. nCLI can run in either export or interactive mode.

SSL (Secure Sockets Layer) is the industry-standard method for protecting Web communications. Built upon public key encryption technology, SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. When you come across a Web page that is secured, the browser will usually display a closed lock or other symbol to inform you that SSL has been enabled. At this point, the Web site address will also start with https:// instead of the normal http://. The lock indicates only that the connection is encrypted and that the browser accepted the server's certificate; it says nothing about whether the site itself is trustworthy.

Note: NVIDIA ForceWare Network Access Manager uses SSL when the Web-based interface is remotely accessed.
single parameter. In ForceWare Network Access Manager, a single parameter is the smallest parameter unit. It contains a name and value pair.

table parameter. In ForceWare Network Access Manager, a table parameter is a collection of group parameters (rows) that share the same fields (columns). Table parameters are frequently used as place holders for NVIDIA Firewall rules, filters, and statistics. Each row inside the table is uniquely identified by a key. A key is composed of one or more fields of a row.

TCP (Transmission Control Protocol) is a set of rules (protocol) used along with IP to send data in the form of message units between computers over the Internet. While IP takes care of the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called segments) that a message is divided into for efficient routing through the Internet. TCP is known as a connection-oriented protocol, which means that a connection is established and maintained until the messages to be exchanged by the application programs at each end have been exchanged. TCP is responsible for dividing a message into the segments that IP carries as packets and for reassembling them into the complete message at the other end. In the OSI communication model, TCP is in layer 4, the Transport Layer.

UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses IP. UDP is an alternative to TCP and, together with IP, is sometimes referred to as UDP/IP. Like TCP, UDP uses IP to get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not divide a message into segments and reassemble it at the other end, and it does not sequence the datagrams that arrive, so an application program that uses UDP must itself make sure that the entire message has arrived and is in the right order. To save processing time, network applications that have very small data units to exchange (and therefore very little message reassembling to do) may choose UDP instead of TCP. The Trivial File Transfer Protocol (TFTP) uses UDP instead of TCP. UDP provides two services not provided by the IP layer: port numbers to help distinguish different user requests and, optionally, a checksum capability to verify that the data arrived intact (the checksum is optional only over IPv4; over IPv6 it is required). In the Open Systems Interconnection (OSI) communication model, UDP, like TCP, is in layer 4, the Transport Layer.
