From 38533f4e85cdaee4b6264c3d9182dafd8756d0f9 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 30 Dec 2025 15:42:52 -0500 Subject: [PATCH 1/5] Add NetBT WARP setting --- .../configure-warp/warp-settings/index.mdx | 72 ++++++++++++++++++- .../deployment/mdm-deployment/parameters.mdx | 11 +++ 2 files changed, 81 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx index 6438739fd51420..10551fb4b4e81f 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx @@ -454,14 +454,14 @@ Assume you want to push software updates from a cloud based [distribution point] Physical Address. . . . . . . . . : DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes - IPv6 Address. . . . . . . . . . . : 2606:4700:110:8f79:145:f180:fc4:8106(Preferred) + IPv6 Address. . . . . . . . . . . : 2001:db8:110:8f79:145:f180:fc4:8106(Preferred) Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred) IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.255 Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : 127.0.2.2 127.0.2.3 - NetBIOS over Tcpip. . . . . . . . : Enabled + NetBIOS over Tcpip. . . . . . . . : Disabled ``` @@ -476,3 +476,71 @@ Assume you want to push software updates from a cloud based [distribution point] b. Assign this boundary to one or more boundary groups. When the device is remote, the WARP interface description changes to `(SCCM) Cloudflare WARP Interface Tunnel` and the SCCM server will determine that the device belongs to the VPN boundary group. The device can now download updates from the distribution point assigned to this boundary group. When a network change occurs and WARP detects a managed network, it will revert the interface description to `Cloudflare WARP Interface Tunnel` and the boundary condition will no longer be satisfied. The device will match your local IP range and be considered as on-prem. + +### NetBIOS over TCPIP + +
+ +| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | +| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | +| | All plans | + +| System | Availability | Minimum WARP version | +| -------- | ------------ | -------------------- | +| Windows | ✅ | 2025.5.735.1 | +| macOS | ❌ | | +| Linux | ❌ | | +| iOS | ❌ | | +| Android | ❌ | | +| ChromeOS | ❌ | | + +
+ +NetBIOS over TCPIP (NetBT) is a legacy protocol used for name resolution on Windows. NetBT has been deprecated for decades, but Windows has not removed it. Cloudflare WARP disables NetBT on the tunnel interface by default for security reasons and to align with modern best practices. This setting allows you to override the default behavior and enable NetBT over the WARP tunnel. + +#### When to enable NetBT + +You should turn on **NetBIOS over TCPIP** only if devices need to access internal resources over NetBT. Example scenarios include: + +- **Legacy name resolution**: You rely on NetBIOS names (such as `\\SERVER01`) rather than Fully Qualified Domain Names (such as `\\server01.corp.internal`) to access resources. +- **SMBv1**: You are accessing very old file shares or printers that do not support modern SMB (v2/v3) and require NetBT for discovery. +- **Legacy applications**: You use specialized internal software that hard-codes NetBIOS for node-to-node communication. + +Otherwise, the recommendation is to always disable **NetBIOS over TCPIP**. You can choose a different setting for [remote devices](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) vs [on-prem devices](/cloudflare-one/team-and-resources/devices/warp/configure-warp/managed-networks/#4-configure-device-profile). + +#### Verify NetBT settings + +To check if **NetBIOS over TCPIP** is enabled on the WARP tunnel interface, run the following command: + + ```cmd +warp-cli settings | findstr "NetBT" + ``` + +```cmd output +(network policy) NetBT: true +``` + +You can also verify network interface details for the `CloudflareWARP` adapter: + +```cmd +ipconfig /all +``` + +```cmd output {16} +Windows IP Configuration +... +Unknown adapter CloudflareWARP: + Connection-specific DNS Suffix . : + Description . . . . . . . . . . . : Cloudflare WARP Interface Tunnel + Physical Address. . . . . . . . . : + DHCP Enabled. . . . . . . . . . . : No + Autoconfiguration Enabled . . . . : Yes + IPv6 Address. . . . . . . . . . . : 2001:db8:110:8f79:145:f180:fc4:8106(Preferred) + Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred) + IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred) + Subnet Mask . . . . . . . . . . . : 255.255.255.255 + Default Gateway . . . . . . . . . : + DNS Servers . . . . . . . . . . . : 127.0.2.2 + 127.0.2.3 + NetBIOS over Tcpip. . . . . . . . : Enabled +``` diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx index b117491632feed..cfefc61ac83c56 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx @@ -99,6 +99,17 @@ Identifies a Zero Trust organization in the WARP GUI when WARP is deployed with **Value:** Organization nickname shown to users in the WARP GUI (for example, `Test environment`). +### `enable_netbt` + +NetBIOS over TCPIP (NetBT) is a legacy feature in Windows primarily used for name resolution in some [rare scenarios](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#when-to-enable-netbt). Cloudflare WARP disables NetBT on the tunnel interface by default for security reasons. If your organization still relies on legacy applications that require NetBT, you can override the default behavior and enable NetBT. + +**Value Type:** `boolean` + +**Value:** + +- `false` — (default) Disables NetBT on the WARP tunnel interface. +- `true` — Enables NetBT on the WARP tunnel interface. + ### `enable_pmtud` [Path MTU Discovery (PMTUD)](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/path-mtu-discovery/) allows WARP to discover the largest packet size that can be sent over the current network and optimize connection performance. From 9783f446f4ab98e934b70a8347768342be919d83 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Tue, 30 Dec 2025 15:45:11 -0500 Subject: [PATCH 2/5] Update src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx --- .../devices/warp/configure-warp/warp-settings/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx index 10551fb4b4e81f..d8f24dc3bbe2bb 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx @@ -506,7 +506,7 @@ You should turn on **NetBIOS over TCPIP** only if devices need to access interna - **SMBv1**: You are accessing very old file shares or printers that do not support modern SMB (v2/v3) and require NetBT for discovery. - **Legacy applications**: You use specialized internal software that hard-codes NetBIOS for node-to-node communication. -Otherwise, the recommendation is to always disable **NetBIOS over TCPIP**. You can choose a different setting for [remote devices](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) vs [on-prem devices](/cloudflare-one/team-and-resources/devices/warp/configure-warp/managed-networks/#4-configure-device-profile). +Otherwise, the recommendation is to always disable **NetBIOS over TCPIP**. You can choose a different setting for [remote devices](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) versus [on-prem devices](/cloudflare-one/team-and-resources/devices/warp/configure-warp/managed-networks/#4-configure-device-profile). #### Verify NetBT settings From 749224b19ae492001ec6f1125ad41eb7ddfca311 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:31:38 -0500 Subject: [PATCH 3/5] Update src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx Co-authored-by: Tommy Jensen <45110146+tojens-ietf@users.noreply.github.com> --- .../devices/warp/configure-warp/warp-settings/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx index d8f24dc3bbe2bb..0011d233cd47b6 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx @@ -496,7 +496,7 @@ When the device is remote, the WARP interface description changes to `(SCCM) Clo -NetBIOS over TCPIP (NetBT) is a legacy protocol used for name resolution on Windows. NetBT has been deprecated for decades, but Windows has not removed it. Cloudflare WARP disables NetBT on the tunnel interface by default for security reasons and to align with modern best practices. This setting allows you to override the default behavior and enable NetBT over the WARP tunnel. +NetBIOS over TCPIP (NetBT) is a legacy protocol used for name resolution and other features on Windows. NetBT has been deprecated for years, but Windows has not removed it. Cloudflare WARP disables NetBT on the tunnel interface by default for security reasons and to align with modern best practices. This setting allows you to override the default behavior and enable NetBT over the WARP tunnel. #### When to enable NetBT From 021abe48bc4b2f6ba26c0e6c739a08e3d3fe51d6 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:32:12 -0500 Subject: [PATCH 4/5] Update src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx Co-authored-by: Tommy Jensen <45110146+tojens-ietf@users.noreply.github.com> --- .../devices/warp/configure-warp/warp-settings/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx index 0011d233cd47b6..6d105c92ac0c82 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx @@ -502,7 +502,7 @@ NetBIOS over TCPIP (NetBT) is a legacy protocol used for name resolution and oth You should turn on **NetBIOS over TCPIP** only if devices need to access internal resources over NetBT. Example scenarios include: -- **Legacy name resolution**: You rely on NetBIOS names (such as `\\SERVER01`) rather than Fully Qualified Domain Names (such as `\\server01.corp.internal`) to access resources. +- **Legacy name resolution**: You rely on NetBIOS to resolve single-label names (such as `\\SERVER01`) to access resources, rather than relying on mDNS for single-label names or DNS using Fully Qualified Domain Names (such as `\\server01.corp.internal`). - **SMBv1**: You are accessing very old file shares or printers that do not support modern SMB (v2/v3) and require NetBT for discovery. - **Legacy applications**: You use specialized internal software that hard-codes NetBIOS for node-to-node communication. From 0f92f495b839fde3e24a961541f6b935233ab0d5 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:42:18 -0500 Subject: [PATCH 5/5] Update src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx --- .../devices/warp/configure-warp/warp-settings/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx index 6d105c92ac0c82..412eec9d78f504 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/index.mdx @@ -502,7 +502,7 @@ NetBIOS over TCPIP (NetBT) is a legacy protocol used for name resolution and oth You should turn on **NetBIOS over TCPIP** only if devices need to access internal resources over NetBT. Example scenarios include: -- **Legacy name resolution**: You rely on NetBIOS to resolve single-label names (such as `\\SERVER01`) to access resources, rather than relying on mDNS for single-label names or DNS using Fully Qualified Domain Names (such as `\\server01.corp.internal`). +- **Legacy name resolution**: You rely on NetBIOS to resolve single-label names (such as `\\SERVER01`), instead of modern alternatives like mDNS for single-label names or standard DNS for Fully Qualified Domain Names (such as `\\server01.corp.internal`). - **SMBv1**: You are accessing very old file shares or printers that do not support modern SMB (v2/v3) and require NetBT for discovery. - **Legacy applications**: You use specialized internal software that hard-codes NetBIOS for node-to-node communication.