Fortinet Patent Applications

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Granted: May 25, 2017
Application Number: 20170149822
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for mitigating DDoS attacks. A DDoS attack mitigation appliance of multiple mitigation appliances controlled by a DDoS attack mitigation central controller receives DDoS attack mitigation policies through a network connecting the controller and the mitigation appliance. A DDoS attack is mitigated by the mitigation appliance based on the received…

ASSOCIATING POSITION INFORMATION COLLECTED BY A MOBILE DEVICE WITH AMANAGED NETWORK APPLIANCE

Granted: May 25, 2017
Application Number: 20170150322
Systems and methods for obtaining and managing network appliance position information are provided. According to one embodiment, a network appliance controller establishes a network connection with a mobile device. The network appliance controller receives via the network connection from the mobile device identification information associated with a network appliance and position information. The network appliance controller associates the identification information with the position…

APPLICATION CONTROL

Granted: May 11, 2017
Application Number: 20170134257
Systems and methods for controlling applications on a network are provided. According to one embodiment, a network security device detects a suspect application protocol used in connection with network traffic exchanged between a source peer and a destination peer. The network security device sends a probing request to the destination peer based on the suspect application protocol. The suspect application protocol is confirmed when a response is received from the destination peer in…

CALCULATING CONSECUTIVE MATCHES USING PARALLEL COMPUTING

Granted: May 4, 2017
Application Number: 20170126713
Methods and systems for determining consecutive matches are provided. According to one embodiment, a class definition and a data stream are received by a network security device. The data stream is partitioned into multiple data blocks each containing N data segments. Each data block is processed in parallel to compute: (i) a value (F) indicating whether every data segment value meets the class definition; (ii) a value (L) indicating a number of consecutive data segment values meeting…

EXAMINING AND CONTROLLING IPv6 EXTENSION HEADERS

Granted: April 20, 2017
Application Number: 20170111319
Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an…

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Granted: April 20, 2017
Application Number: 20170111397
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation…

IDENTIFYING NODES IN A RING NETWORK

Granted: April 13, 2017
Application Number: 20170104638
Methods and systems for determining a token master on a ring network are provided. According to one embodiment, a ring controller of a first blade participating in the ring network receives an indication that an arbitration token originated by an originating blade has been received. The ring controller compares the priorities of the originating blade and the first blade. When the priority of the originating blade is higher, the ring controller transmits the arbitration token to the next…

FACILITATING CONTENT ACCESSIBILITY VIA DIFFERENT COMMUNICATION FORMATS

Granted: April 13, 2017
Application Number: 20170104837
Methods and systems for facilitating content accessibility via different communication formats are provided. According to one embodiment, information indicative of one or more communication formats via which a client device is capable of communication is stored on a client device by (i) sending the client device a web page having embedded therein test content associated with a first protocol stack and/or a second protocol stack; and (ii) based on a response to the test content received…

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Granted: April 6, 2017
Application Number: 20170098096
Methods and systems for vendor independent and secure cloud storage distribution and aggregation are provided. According to one embodiment, an application programming interface (API) is provided by a cloud storage gateway device logically interposed between third-party cloud storage platforms and users of an enterprise. The API facilitates storing of files, issuing of search requests against the files and retrieval of content of the files. A file storage policy is assigned to each user,…

INLINE INSPECTION OF SECURITY PROTOCOLS

Granted: March 30, 2017
Application Number: 20170093796
Systems and methods for inline security protocol inspection are provided. According to one embodiment, a security device receives an encrypted packet from a first network appliance and buffers the encrypted packet in a buffer. An inspection module accesses the encrypted packet from the buffer, decrypts the encrypted packet to produce plain text and scans the plain text by the inspection module.

TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK

Granted: March 30, 2017
Application Number: 20170093808
Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second…

CENTRALIZED MANAGEMENT AND ENFORCEMENT OF ONLINE BEHAVIORAL TRACKING POLICIES

Granted: March 30, 2017
Application Number: 20170093917
Systems and methods for manipulating online behavioral tracking policies are provided. According to one embodiment, a hypertext transfer protocol (HTTP) response transmitted from a web server to a client is captured by a network security device. A status of the client is determined by the network security device. An online behavioral tracking policy associated with the client is identified by the network security device based on the determined status. The identified online behavioral…

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Granted: March 2, 2017
Application Number: 20170061141
Methods and systems for secure cloud storage are provided. According to one embodiment, a gateway maintains multiple cryptographic keys. A file that is to be stored across multiple third-party cloud storage services is received by the gateway from a user of an enterprise network. The file is partitioned into chunks. A directory is created within a cloud storage service having a name attribute based on an encrypted version of a name of the file. For each chunk: (i) existence of data is…

DETECTION OF FRAUDULENT CERTIFICATE AUTHORITY CERTIFICATES

Granted: March 2, 2017
Application Number: 20170063557
Systems and methods for verifying a certificate authority are provided. According to one embodiment, a network security device intercepts a session between a client and a server, wherein a secure channel is requested to be established between the client and the server in the session. The network security device captures a digital certificate that is being sent from the server to the client, wherein the digital certificate is used for authenticating the server in connection with…

DATA LEAK PROTECTION

Granted: March 2, 2017
Application Number: 20170063790
Methods and systems for Data Leak Prevention (DLP) in an enterprise network are provided. According to one embodiment, a network security device maintains a filter database containing multiple filtering rules. Each filtering rule specifies a watermark hash value, a set of network services for which the filtering rule is active and an action to be taken. Network traffic directed to a destination residing outside of an enterprise network, associated with a particular network service and…

INTERFACE GROUPS FOR RULE-BASED NETWORK SECURITY

Granted: March 2, 2017
Application Number: 20170063796
Systems and methods for designating interfaces of a network security appliance as source/destination interfaces in connection with defining a security rule are provided. According to one embodiment, a security rule configuration interface is displayed through which a network administrator can specify parameters of security rules to be applied to traffic attempting to traverse the network security appliance. Information defining a traffic flow to be controlled by a security rule is…

FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS

Granted: March 2, 2017
Application Number: 20170063803
Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to hosts of a private network against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall also provides application-layer protection on behalf of the hosts and supports Voice over IP (VoIP) services…

METADATA INFORMATION BASED FILE PROCESSING

Granted: March 2, 2017
Application Number: 20170063883
Methods and systems for network level file processing based on metadata information retrieved from a file are provided. According to one embodiment, a file is received by a network security appliance. Metadata information is extracted from the file. The extracted metadata information is processed based on one or more defined rules. An action is taken on one or more of the file or a sender of the file based on an outcome of the processing.

POLARITY RECOGNITION AND SWAPPING FOR DC POWERED DEVICES

Granted: February 23, 2017
Application Number: 20170054290
A system for recognizing and swapping polarity for DC powered devices that includes a polarity detection module that is configured to identify polarity of DC power input, and further configured to send an output to a controller based on identification of polarity of the DC power input. The system includes a power switch array that is operatively coupled with the controller, and wherein the controller, based on the output, can set one or more switches of the power switch array for…

SECURITY INFORMATION AND EVENT MANAGEMENT

Granted: February 16, 2017
Application Number: 20170048195
Systems and methods are described for conducting work flows by an SIEM device to carry out a complex task automatically. According to one embodiment, an SIEM device may create a work flow that includes multiple security tasks that are performed by one or more security devices. When a security event is captured or the work flow is scheduled to be executed, the SIEM device starts the work flow by scheduling the security tasks defined in the work flow. The SIEM device then collects results…