Fortinet Patent Applications

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Granted: March 2, 2017
Application Number: 20170061141
Methods and systems for secure cloud storage are provided. According to one embodiment, a gateway maintains multiple cryptographic keys. A file that is to be stored across multiple third-party cloud storage services is received by the gateway from a user of an enterprise network. The file is partitioned into chunks. A directory is created within a cloud storage service having a name attribute based on an encrypted version of a name of the file. For each chunk: (i) existence of data is…

DETECTION OF FRAUDULENT CERTIFICATE AUTHORITY CERTIFICATES

Granted: March 2, 2017
Application Number: 20170063557
Systems and methods for verifying a certificate authority are provided. According to one embodiment, a network security device intercepts a session between a client and a server, wherein a secure channel is requested to be established between the client and the server in the session. The network security device captures a digital certificate that is being sent from the server to the client, wherein the digital certificate is used for authenticating the server in connection with…

DATA LEAK PROTECTION

Granted: March 2, 2017
Application Number: 20170063790
Methods and systems for Data Leak Prevention (DLP) in an enterprise network are provided. According to one embodiment, a network security device maintains a filter database containing multiple filtering rules. Each filtering rule specifies a watermark hash value, a set of network services for which the filtering rule is active and an action to be taken. Network traffic directed to a destination residing outside of an enterprise network, associated with a particular network service and…

INTERFACE GROUPS FOR RULE-BASED NETWORK SECURITY

Granted: March 2, 2017
Application Number: 20170063796
Systems and methods for designating interfaces of a network security appliance as source/destination interfaces in connection with defining a security rule are provided. According to one embodiment, a security rule configuration interface is displayed through which a network administrator can specify parameters of security rules to be applied to traffic attempting to traverse the network security appliance. Information defining a traffic flow to be controlled by a security rule is…

FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS

Granted: March 2, 2017
Application Number: 20170063803
Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to hosts of a private network against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall also provides application-layer protection on behalf of the hosts and supports Voice over IP (VoIP) services…

METADATA INFORMATION BASED FILE PROCESSING

Granted: March 2, 2017
Application Number: 20170063883
Methods and systems for network level file processing based on metadata information retrieved from a file are provided. According to one embodiment, a file is received by a network security appliance. Metadata information is extracted from the file. The extracted metadata information is processed based on one or more defined rules. An action is taken on one or more of the file or a sender of the file based on an outcome of the processing.

POLARITY RECOGNITION AND SWAPPING FOR DC POWERED DEVICES

Granted: February 23, 2017
Application Number: 20170054290
A system for recognizing and swapping polarity for DC powered devices includes a polarity detection module that is configured to identify the polarity of a DC power input, and further configured to send an output to a controller based on the identified polarity of the DC power input. The system includes a power switch array that is operatively coupled with the controller, wherein the controller, based on the output, can set one or more switches of the power switch array for…

SECURITY INFORMATION AND EVENT MANAGEMENT

Granted: February 16, 2017
Application Number: 20170048195
Systems and methods are described for conducting work flows by an SIEM device to carry out a complex task automatically. According to one embodiment, an SIEM device may create a work flow that includes multiple security tasks that are performed by one or more security devices. When a security event is captured or the work flow is scheduled to be executed, the SIEM device starts the work flow by scheduling the security tasks defined in the work flow. The SIEM device then collects results…

CONTEXT-AWARE PATTERN MATCHING ACCELERATOR

Granted: February 9, 2017
Application Number: 20170041348
Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching…

CACHE MANAGEMENT BASED ON FACTORS RELATING TO REPLACEMENT COST OF DATA

Granted: February 9, 2017
Application Number: 20170041428
Systems and methods are provided for a cache replacement policy that takes into consideration factors relating to the replacement cost of currently cached data and/or the replacement cost of requested data. According to one embodiment, a request for data is received by a network device. A cache management system running on the network device estimates, for each of multiple cache entries of a cache managed by the cache management system, a computational cost of reproducing data cached within each of…

PROVIDING SECURITY IN A COMMUNICATION NETWORK

Granted: February 2, 2017
Application Number: 20170034190
Systems and methods for optimizing system resources by selectively enabling various scanning functions relating to user traffic streams based on the level of trust associated with the destination are provided. According to one embodiment, a network security device within an enterprise network receives an application protocol request directed to an external network that is originated by a client device associated with the enterprise network. It is determined by the network security device…

DETECTION OF FRAUDULENT DIGITAL CERTIFICATES

Granted: January 26, 2017
Application Number: 20170026184
Systems and methods for verifying a digital certificate are provided. According to one embodiment, a trusted digital certificate of a server is collected by a network security device from a channel. The trusted digital certificate is stored by the network security device within a storage. A digital certificate of the server captured by a certificate inspector is received by the network security device. The network security device verifies whether the captured digital certificate is an…

DETECTION OF FRAUDULENT DIGITAL CERTIFICATES

Granted: January 26, 2017
Application Number: 20170026186
Systems and methods for verifying a digital certificate are provided. According to one embodiment, a network security device intercepts a session between a client and a server, wherein a secure channel is requested to be established between the client and the server in the session. The network security device captures a digital certificate that is being sent from the server to the client, wherein the digital certificate is used for authenticating the server in connection with…

UTM INTEGRATED HYPERVISOR FOR VIRTUAL MACHINES

Granted: December 29, 2016
Application Number: 20160378529
Systems and methods for integrating firewall and Unified Threat Management (UTM) features directly within a hypervisor are provided. According to one embodiment, a system is provided that includes multiple virtual machines (VMs) and an integrated hypervisor that manages the VMs. The integrated hypervisor has integrated therein a unified threat management (UTM) layer. In operation, the integrated hypervisor intercepts network traffic directed to or originated by the VMs and provides…

EMULATOR-BASED MALWARE LEARNING AND DETECTION

Granted: December 29, 2016
Application Number: 20160381042
Methods and systems are described for malware learning and detection. According to one embodiment, an antivirus (AV) engine includes a training mode for internal lab use, for example, and a detection mode for use in commercial deployments. In training mode, an original set of suspicious patterns is generated by scanning malware samples. A set of clean patterns is generated by scanning clean samples. A revised set of suspicious patterns is created by removing the clean patterns from the…

PROTOCOL BASED DETECTION OF SUSPICIOUS NETWORK TRAFFIC

Granted: December 29, 2016
Application Number: 20160381070
Embodiments of the present invention relate to identification of suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on network protocol of such traffic. According to one embodiment, a traffic file is received at a network security device that is protecting a private network. The traffic file contains therein network traffic associated with the private network that has been captured and stored. The received traffic file is processed by the…

FLOW MANAGEMENT IN A LINK AGGREGATION GROUP SYSTEM

Granted: December 22, 2016
Application Number: 20160373294
Systems and methods for an end-to-end bidirectional symmetric data flow mapping in a LAG system are provided. According to one embodiment, a forward flow from a first end of the LAG system is received by a second end. The forward flow is from a first device connected to the first end and directed to a second device connected to the second end. The forward flow is transmitted by the second end to the second device. A corresponding backward flow is received by the second end that is from…

MANAGEMENT OF CERTIFICATE AUTHORITY (CA) CERTIFICATES

Granted: December 22, 2016
Application Number: 20160373434
Systems and methods are provided for automatically installing CA certificates, received by a client security manager from a network security appliance, so that each CA certificate becomes a trusted CA certificate on a client machine. In one embodiment, a client security manager establishes a connection with a network security appliance through a network, wherein the client security manager is configured for managing security of a client at the client side and the network security appliance…

AUTOMATICALLY DEPLOYED WIRELESS NETWORK

Granted: December 22, 2016
Application Number: 20160373942
Systems and methods are described for an automatically deployed wireless network. According to one embodiment, an access point controller (AC) determines the existence of a network anomaly at a position of a wireless network that is managed by the AC. Responsive thereto, the AC causes an unmanned vehicle that carries a movable access point (AP) to carry the movable AP to the position or proximate thereto and causes the movable AP to provide wireless network service to an area…

AUTOMATICALLY DEPLOYED WIRELESS NETWORK

Granted: December 22, 2016
Application Number: 20160373963
Systems and methods for an automatically deployed wireless network are provided. According to one embodiment, an access point controller (AC) determines the existence of a network anomaly at a position of a wireless network that is managed by the AC. Responsive thereto, the AC causes an unmanned vehicle that carries a movable access point (AP) to carry the movable AP to the position or proximate thereto and causes the movable AP to provide wireless network service to an area encompassing…