Fortinet Patent Applications

COMPUTERIZED SYSTEM AND METHOD FOR DEPLOYMENT OF MANAGEMENT TUNNELS

Published: July 13, 2017
Publication Number: 20170201488
Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, the use of PKI-authenticated serial numbers within network devices manufactured by a particular manufacturer enables one-step provisioning of one or more managed devices. A managed device is provisioned with the serial number of a management device manufactured by the particular manufacturer. When the managed device is installed within a network, the…

EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM

Published: July 6, 2017
Publication Number: 20170193231
Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a processor maintains a page directory and a page table within a system memory for use in connection with translating virtual addresses to physical addresses. Content scanning of a content object is offloaded to a hardware accelerator coupled to the processor by storing content scanning parameters, including the content object and a type of the content object, to…

SYSTEM AND METHOD FOR SECURING VIRTUALIZED NETWORKS

Published: July 6, 2017
Publication Number: 20170195207
Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A test network access device is selected…

FLEXIBLE PIPELINE ARCHITECTURE FOR MULTI-TABLE FLOW PROCESSING

Published: July 6, 2017
Publication Number: 20170195253
Methods and systems for implementing scalable SDN devices with a flexible data path pipeline that has multiple flow tables and uses a hybrid memory approach are provided. According to one embodiment, an SDN switch stores each flow table within the memory device best suited to the type of rules the flow table contains. A flow table for use in determining how to process a packet received by the SDN switch is received by the SDN switch. The flow table…

APPLICATION BASED CONDITIONAL FORWARDING AND LOAD BALANCING IN A SOFTWARE DEFINED NETWORKING (SDN) ARCHITECTURE

Published: July 6, 2017
Publication Number: 20170195254
Systems and methods for an SDN switch that provides application-based conditional forwarding and session-aware load balancing are provided. According to one embodiment, a packet is received at an input port of a Software Defined Networking (SDN) switch. The packet is forwarded by the SDN switch to a first flow processing unit (FPU) of multiple FPUs of the SDN switch. The first FPU determines whether the packet is to be tracked. If so, the received packet is transmitted to a second…

PACKET ROUTING USING A SOFTWARE-DEFINED NETWORKING (SDN) SWITCH

Published: July 6, 2017
Publication Number: 20170195255
Systems and methods for an SDN switch that facilitates forwarding/differential routing decision determination are provided. A packet is received at an input port of the SDN switch. The switch includes a first and second set of flow processing units (FPUs). The packet is forwarded to a first FPU of the first set. Based on a flow table associated with the first FPU, it is determined whether the packet is to be forwarded to a network device or an output port. The packet is received from the…

CARDINALITY BASED PACKET PROCESSING IN SOFTWARE-DEFINED NETWORKING (SDN) SWITCHES

Published: July 6, 2017
Publication Number: 20170195257
Systems and methods for scalable SDN devices having ports/network interfaces mapped to cardinal flow processing (CFP) units are provided. According to one embodiment, an incoming packet is received, at a software-defined networking (SDN) switch. An ingress port on which the incoming packet was received is determined. A cardinal direction to which the ingress port is mapped is determined. Based on the determined cardinal direction, the SDN switch identifies a cardinal flow processing…

TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK

Published: July 6, 2017
Publication Number: 20170195289
Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second…

SEQUENTIALLY SERVING NETWORK SECURITY DEVICES USING A SOFTWARE DEFINED NETWORKING (SDN) SWITCH

Published: July 6, 2017
Publication Number: 20170195292
Systems and methods for an SDN switch that provides service group chaining for sequentially serving multiple network security devices are provided. According to one embodiment, a packet received by the switch is processed by a first FPU based on a first set of rules and conditionally forwarded to a first security device. The first security device performs security processing on the packet, the outcome of which is dropping it, forwarding it to an egress port, or forwarding it to a second FPU. When forwarded to the second FPU, the packet…

DETECTING MALICIOUS RESOURCES IN A NETWORK BASED UPON ACTIVE CLIENT REPUTATION MONITORING

Published: July 6, 2017
Publication Number: 20170195351
Systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network are provided. According to one embodiment, a method of client reputation monitoring is provided. A monitoring unit executing on a network security device operable to protect a private network observes activities relating to multiple monitored devices within the private network. For each of the observed activities, a score is assigned by the monitoring unit…
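The scoring step the abstract describes, as an added example that is not part of the patent or of any Fortinet product: a monitoring unit reads constructed key=value observation lines, assigns each activity a score, sums the scores per monitored device within a time window, and flags devices over a threshold. The activity names, their weights, the log format and the threshold are all hypothetical values chosen for the illustration.

```python
"""Added example: per-device reputation scoring over observed activities.

The event types, their weights and the key=value log format are hypothetical;
the log lines below are constructed for the example."""
from collections import defaultdict

# Hypothetical activity scores: higher means more indicative of a compromised client.
ACTIVITY_SCORE = {
    "botnet_c2_attempt": 10,
    "malware_download": 8,
    "ips_signature_hit": 5,
    "blocked_url_category": 3,
    "dns_dga_lookup": 2,
    "allowed": 0,
}

# Constructed observations: timestamp, monitored device, observed activity.
SAMPLE_LOG = """\
ts=100 dev=10.0.0.5 activity=allowed
ts=101 dev=10.0.0.7 activity=dns_dga_lookup
ts=102 dev=10.0.0.7 activity=dns_dga_lookup
ts=103 dev=10.0.0.5 activity=blocked_url_category
ts=104 dev=10.0.0.7 activity=botnet_c2_attempt
ts=105 dev=10.0.0.9 activity=ips_signature_hit
ts=106 dev=10.0.0.7 activity=malware_download
ts=107 dev=10.0.0.9 activity=allowed
ts=900 dev=10.0.0.5 activity=ips_signature_hit
"""


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; the timestamp becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = int(fields["ts"])
    return fields


def score_devices(log_text: str, window_start: int, window_end: int) -> dict:
    """Sum activity scores per device for observations inside [window_start, window_end].

    Returns {device: {"score": int, "activities": [...]}} so an analyst can see
    which observations drove the score, not only the number."""
    totals = defaultdict(lambda: {"score": 0, "activities": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if not (window_start <= ev["ts"] <= window_end):
            continue  # outside the reputation window: neither scored nor listed
        s = ACTIVITY_SCORE.get(ev["activity"], 0)  # unknown activity types score 0
        entry = totals[ev["dev"]]
        entry["score"] += s
        if s > 0:
            entry["activities"].append(ev["activity"])
    return dict(totals)


def flag_devices(scores: dict, threshold: int) -> list:
    """Devices whose accumulated score reaches the threshold, highest score first."""
    flagged = [(dev, d["score"]) for dev, d in scores.items() if d["score"] >= threshold]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    scores = score_devices(SAMPLE_LOG, 100, 200)
    for dev, score in flag_devices(scores, threshold=10):
        print(dev, score, scores[dev]["activities"])
```

The window bound matters in practice: a single blocked URL weeks ago should not keep a host flagged, so scores are accumulated only over observations inside the window rather than for the device's whole history.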

LOGGING ATTACK CONTEXT DATA

Published: July 6, 2017
Publication Number: 20170195355
Methods and systems for improved attack context data logging are provided. According to one embodiment, prior to a logging event being triggered (i) it is determined by a network security device whether a received packet is potentially associated with a threat or undesired activity by analyzing the packet; (ii) when the determination is negative, the packet is stored within a circular buffer; and (iii) when the determination is affirmative, (a) the logging event is triggered, (b)…
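Steps (i) to (iii) of the abstract, as an added example that is not the patent's or Fortinet's code: packets judged benign go into a fixed-depth circular buffer, and a packet judged to be a threat triggers a logging event that carries the buffered packets that preceded it. The threat test is a hypothetical set of byte indicators standing in for a real IPS signature set, the `Packet` and `LogEvent` types are assumptions, and the traffic is constructed.

```python
"""Added example: circular pre-trigger buffer for attack context logging."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    seq: int
    src: str
    dst: str
    payload: bytes


# Hypothetical indicators standing in for a real IPS signature set.
INDICATORS = (b"../../", b"' OR 1=1", b"/etc/passwd")


def is_threat(pkt: Packet) -> bool:
    """Step (i): the analysis that decides whether a packet triggers logging."""
    return any(ind in pkt.payload for ind in INDICATORS)


@dataclass
class LogEvent:
    trigger: Packet
    context: List[Packet]  # packets that preceded the trigger, oldest first


class ContextLogger:
    def __init__(self, depth: int):
        # deque(maxlen=depth) drops the oldest entry on overflow, i.e. a circular buffer.
        self.ring: deque = deque(maxlen=depth)
        self.events: List[LogEvent] = []

    def observe(self, pkt: Packet) -> Optional[LogEvent]:
        if not is_threat(pkt):
            self.ring.append(pkt)  # step (ii): benign, retained as possible context
            return None
        # step (iii): trigger the logging event with the buffered context attached;
        # the triggering packet itself is recorded in the event, not in the ring.
        event = LogEvent(trigger=pkt, context=list(self.ring))
        self.events.append(event)
        return event


def run_sample(depth: int = 3) -> List[LogEvent]:
    """Constructed traffic: five ordinary requests, then a traversal attempt."""
    payloads = [b"GET /index.html", b"GET /style.css", b"GET /app.js",
                b"POST /login", b"GET /logo.png", b"GET /../../etc/passwd"]
    logger = ContextLogger(depth)
    for i, p in enumerate(payloads, start=1):
        logger.observe(Packet(i, "198.51.100.7", "192.0.2.10", p))
    return logger.events


if __name__ == "__main__":
    for ev in run_sample():
        print("trigger", ev.trigger.seq, "context", [p.seq for p in ev.context])
```

With a depth of three, the event for the sixth packet carries packets 3, 4 and 5; packets 1 and 2 were overwritten, which is the memory bound the circular buffer buys: context is retained for every packet without keeping a full capture.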

PATTERN MATCHING FOR DATA LEAK PREVENTION

Published: June 29, 2017
Publication Number: 20170185799
Systems and methods for preprocessing data to facilitate DLP pattern matching are provided. An input string is received by a Data Leak Prevention (DLP) system. The input string is converted by the DLP system into a fixed string pattern. The conversion is performed based on multiple class definitions, including a digit class, a letter class and a symbol class. A determination is then made by the DLP system regarding whether the input string contains potential sensitive data to which a…
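The preprocessing the abstract describes, as an added example that is not the patent's or Fortinet's code: each character of the input is mapped to a digit, letter or symbol class, producing a fixed string pattern of the same length, and sensitive-data templates expressed in the same class alphabet are found by plain substring search instead of a regular expression over the raw text. The two templates, the digit-boundary rule and the Luhn check applied to card candidates are assumptions added for the illustration, and the input string is constructed.

```python
"""Added example: class-based preprocessing of an input string for DLP matching."""
from dataclasses import dataclass
from typing import Dict, List

DIGIT, LETTER, SYMBOL = "D", "L", "S"


def classify(ch: str) -> str:
    """The three class definitions: anything neither digit nor letter is a symbol."""
    if ch.isdigit():
        return DIGIT
    if ch.isalpha():
        return LETTER
    return SYMBOL


def to_class_pattern(text: str) -> str:
    """Fixed string pattern: one class letter per input character, same length as the input."""
    return "".join(classify(c) for c in text)


# Hypothetical templates, written as sample values and converted with the same function.
TEMPLATES: Dict[str, str] = {
    "us_ssn": to_class_pattern("123-45-6789"),          # DDDSDDSDDDD
    "card16": to_class_pattern("4111 1111 1111 1111"),  # DDDDSDDDDSDDDDSDDDD
}


@dataclass
class Hit:
    kind: str
    start: int
    end: int
    text: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a second-stage check so a class match alone does not trigger the policy."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_candidates(text: str) -> List[Hit]:
    """Substring search over the class pattern; offsets map 1:1 back to the raw text."""
    pattern = to_class_pattern(text)
    hits = []
    for kind, tmpl in TEMPLATES.items():
        pos = pattern.find(tmpl)
        while pos != -1:
            end = pos + len(tmpl)
            # Reject matches embedded in a longer digit run (e.g. an 11-digit reference number).
            before_ok = pos == 0 or pattern[pos - 1] != DIGIT
            after_ok = end == len(pattern) or pattern[end] != DIGIT
            if before_ok and after_ok:
                hits.append(Hit(kind, pos, end, text[pos:end]))
            pos = pattern.find(tmpl, pos + 1)
    return sorted(hits, key=lambda h: h.start)


def scan(text: str) -> List[Hit]:
    """Candidates that also pass the per-type validation (here: Luhn for card numbers)."""
    confirmed = []
    for h in find_candidates(text):
        if h.kind == "card16" and not luhn_ok("".join(c for c in h.text if c.isdigit())):
            continue
        confirmed.append(h)
    return confirmed


# Constructed input: one SSN-shaped value, a Luhn-valid and a Luhn-invalid card, one longer number.
SAMPLE = "SSN 123-45-6789, card 4111 1111 1111 1111, typo 4111 1111 1111 1112, ref 555-12-34567."

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h.kind, h.start, h.end, h.text)
```

The class pattern is what makes the search cheap: every template becomes a fixed string over a three-letter alphabet, so the matcher never has to interpret character ranges or quantifiers, and the boundary and checksum steps catch the false positives that a class-only match would otherwise raise.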

FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES

Published: June 29, 2017
Publication Number: 20170187683
Systems and methods for filtering unsafe content by a network security device are provided. According to one embodiment, a network security device captures network traffic and extracts a media file from the network traffic. The network security device then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security device performs one or more actions on the media file based on a…

DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

Published: June 29, 2017
Publication Number: 20170187684
Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a file having associated therewith a certificate chain is received. A type and structure of the file are identified. A location of the certificate chain is determined based on the identified type and structure. A signature of the file is formed by extracting a targeted subset of…

RATING OF SIGNATURE PATTERNS FOR PATTERN MATCHING

Published: June 29, 2017
Publication Number: 20170187735
Systems and methods for rating of signature patterns are provided. According to one embodiment, a frequency of occurrence is determined by a network security system of each of multiple patterns within a pattern database containing a set of candidate patterns from which a set of patterns or sub-patterns thereof will be selected for inclusion within a pre-match list. For each pattern, the network security system determines whether the length of the pattern exceeds a pre-defined length; and,…
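The frequency and length steps of the abstract, as an added example that is not the patent's or Fortinet's code. It counts, for each fixed-length sub-pattern, how many database patterns contain it, then builds a pre-match list. The selection rule applied after the length test is an assumption, since the abstract is truncated there: a pattern longer than the pre-defined length is represented by its rarest sub-pattern so the pre-filter fires seldom, and a pattern at or below that length is added whole. The pattern database and the length of 4 are constructed for the illustration.

```python
"""Added example: rating candidate signature patterns for a pre-match list."""
from collections import Counter
from typing import Dict, Iterable, Set


def ngrams(pattern: str, n: int) -> Set[str]:
    """Fixed-length sub-patterns of a pattern (empty when the pattern is shorter than n)."""
    return {pattern[i:i + n] for i in range(len(pattern) - n + 1)}


def ngram_frequency(db: Iterable[str], n: int) -> Counter:
    """Frequency of occurrence: in how many database patterns each sub-pattern appears."""
    freq: Counter = Counter()
    for p in db:
        freq.update(ngrams(p, n))  # a set, so each pattern counts once per sub-pattern
    return freq


def build_prematch(db: Iterable[str], min_len: int) -> Dict[str, str]:
    """Map each full pattern to the entry that represents it in the pre-match list.

    Assumed rule: a pattern longer than min_len is represented by its rarest
    min_len-gram (ties broken lexicographically for determinism); a pattern of
    min_len or shorter is added whole, since no shorter anchor exists for it."""
    db = list(db)
    freq = ngram_frequency(db, min_len)
    prematch: Dict[str, str] = {}
    for p in db:
        if len(p) <= min_len:
            prematch[p] = p
        else:
            prematch[p] = min(ngrams(p, min_len), key=lambda g: (freq[g], g))
    return prematch


def prematch_hits(text: str, prematch: Dict[str, str]) -> Set[str]:
    """Full patterns whose pre-match entry occurs in text (the cheap first stage)."""
    return {full for full, anchor in prematch.items() if anchor in text}


# Constructed candidate database; "/etc" and "etc/" are shared, so they rate badly as anchors.
SAMPLE_DB = ["/etc/passwd", "/etc/shadow", "cmd.exe /c", "../../", "eval(", "id"]

if __name__ == "__main__":
    table = build_prematch(SAMPLE_DB, min_len=4)
    for full, anchor in table.items():
        print(repr(full), "->", repr(anchor))
    print(prematch_hits("GET /../../etc/shadow", table))
```

The rating is what keeps the full matcher idle on ordinary traffic: anchoring both `/etc/passwd` and `/etc/shadow` on `/etc` would send every request mentioning that directory to the expensive stage, whereas a sub-pattern unique to one signature selects only the candidates that can actually match.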

SECURITY CONFIGURATION FILE CONVERSION WITH SECURITY POLICY OPTIMIZATION

Published: June 29, 2017
Publication Number: 20170187750
Systems and methods for converting a configuration file from a first language into a second language with policy optimization and auditing are provided. According to one embodiment, a network appliance configuration converter parses network security policies of an input configuration file of a first network appliance to intermediate representations. The network security policies of the input configuration file are in a first language and the intermediate representations are general data…

NETWORK INTERFACE CARD RATE LIMITING

Published: June 22, 2017
Publication Number: 20170180315
Systems and methods for limiting the rate of packet transmission from a NIC to a host CPU are provided. According to one embodiment, data packets are received from a network by the NIC. The NIC is coupled to a host central processing unit (CPU) of a network security device through a bus. A status of the host CPU is monitored by the NIC. A rate limiting mode indicator is set by the NIC based on the status. When the rate limiting mode indicator indicates rate limiting is inactive, then the…

SYSTEM AND METHOD FOR SECURING VIRTUALIZED NETWORKS

Published: June 22, 2017
Publication Number: 20170180323
Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A security policy for the dynamic…

TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION

Published: June 22, 2017
Publication Number: 20170180415
Methods and systems for two-stage attribution of an application layer DDoS attack are provided. In the first-stage table only a hash index is maintained, whereas the second-stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains multiple rows when there is a hash collision in the first table. The second table is aged out and reported periodically with details of the large strings.
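The two tables as an added example that is not the patent's or Fortinet's code: the first stage is a fixed array of slots indexed by a hash of the attribute, each slot holding a linked list of rows that carry only the hash value and a count, so a collision never loses a count and no string is stored; the second stage stores the actual attribute string only once a row's count crosses a threshold, and is reported and aged periodically. The hash function, slot count, threshold, ageing window and the request URIs are all assumptions made for the illustration.

```python
"""Added example: two-stage hash tables for application-layer DDoS attribution."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def attr_hash(s: str) -> int:
    """Deterministic 64-bit digest of the attribute; only this, never s, lives in stage 1."""
    return int.from_bytes(hashlib.blake2b(s.encode(), digest_size=8).digest(), "big")


@dataclass
class Row:
    full_hash: int
    count: int = 0
    next: Optional["Row"] = None  # linked list of rows that collided in the same slot


class TwoStageAttributor:
    def __init__(self, slots: int = 1024, threshold: int = 50, age_seconds: float = 60.0):
        self.slots: List[Optional[Row]] = [None] * slots  # stage 1: hash index only
        self.threshold = threshold
        self.age_seconds = age_seconds
        self.strings: Dict[str, list] = {}                # stage 2: attr -> [count, last_seen]

    def _row_for(self, h: int) -> Row:
        """Find or append the row for hash h in its slot's chain."""
        idx = h % len(self.slots)
        row = self.slots[idx]
        if row is None:
            row = self.slots[idx] = Row(h)
            return row
        while True:
            if row.full_hash == h:
                return row
            if row.next is None:
                row.next = Row(h)
                return row.next
            row = row.next

    def observe(self, attr: str, now: float) -> None:
        row = self._row_for(attr_hash(attr))
        row.count += 1
        if row.count >= self.threshold:
            # Only heavy hitters pay the cost of storing the (possibly long) string.
            entry = self.strings.setdefault(attr, [0, now])
            entry[0] = row.count
            entry[1] = now

    def report(self, now: float) -> List[Tuple[str, int]]:
        """Snapshot of stage 2, largest count first; entries idle past the window are then evicted."""
        snapshot = sorted(((s, int(c)) for s, (c, _) in self.strings.items()), key=lambda x: -x[1])
        stale = [s for s, (_, seen) in self.strings.items() if now - seen > self.age_seconds]
        for s in stale:
            del self.strings[s]
        return snapshot

    def chain_length(self, attr: str) -> int:
        """Rows sharing the slot of attr (1 means attr did not collide with anything)."""
        n, row = 0, self.slots[attr_hash(attr) % len(self.slots)]
        while row is not None:
            n, row = n + 1, row.next
        return n


if __name__ == "__main__":
    a = TwoStageAttributor(slots=1, threshold=50)  # one slot forces every attribute to collide
    for t in range(60):
        a.observe("/login?user=admin", now=float(t))
    for t in range(10):
        a.observe("/search?q=x", now=float(t))
    print(a.chain_length("/login?user=admin"), a.report(now=20.0))
```

Forcing a single slot in the demonstration shows the collision handling: both URIs land in one chain, yet each keeps its own row and count, and only the one that crosses the threshold ever has its string copied into the second table.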

POLICY-BASED CONFIGURATION OF INTERNET PROTOCOL SECURITY FOR A VIRTUAL PRIVATE NETWORK

Published: June 22, 2017
Publication Number: 20170180428
A method for performing policy-based configuration of IPSec for a VPN is provided. According to one embodiment, a request for a VPN connection to be established between a network device and a peer network device is received by the network device from the peer network device. Responsive to receipt of the request, the VPN connection is established by the network device in accordance with a policy associated with the request without requiring manual entry of VPN settings by a network…