Fortinet Patent Applications

NETWORK INTERFACE CARD RATE LIMITING

Granted: June 22, 2017
Application Number: 20170180315
Systems and methods for limiting the rate of packet transmission from a NIC to a host CPU are provided. According to one embodiment, data packets are received from a network by the NIC. The NIC is coupled to a host central processing unit (CPU) of a network security device through a bus. A status of the host CPU is monitored by the NIC. A rate limiting mode indicator is set by the NIC based on the status. When the rate limiting mode indicator indicates rate limiting is inactive, then the…

SYSTEM AND METHOD FOR SECURING VIRTUALIZED NETWORKS

Granted: June 22, 2017
Application Number: 20170180323
Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A security policy for the dynamic…

TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION

Granted: June 22, 2017
Application Number: 20170180415
Methods and systems for two-stage attribution of an application layer DDoS attack are provided. In a first table only a hash index is maintained, whereas the second-stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains a plurality of rows if there is a hash collision in the first table. The second table is aged out and reported periodically with details of large strings.

POLICY-BASED CONFIGURATION OF INTERNET PROTOCOL SECURITY FOR A VIRTUAL PRIVATE NETWORK

Granted: June 22, 2017
Application Number: 20170180428
A method for performing policy-based configuration of IPSec for a VPN is provided. According to one embodiment, a request for a VPN connection to be established between a network device and a peer network device is received by the network device from the peer network device. Responsive to receipt of the request, the VPN connection is established by the network device in accordance with a policy associated with the request without requiring manual entry of VPN settings by a network…

MOBILE HOTSPOT MANAGED BY ACCESS CONTROLLER

Granted: June 8, 2017
Application Number: 20170163601
Systems and methods are described for a mobile hotspot that can be managed by an access controller. According to an embodiment, a WAN connection is established by a mobile hotspot through a telecommunication data network via a wireless WAN module. When in a first mode, the mobile hotspot: (i) sets up a secure tunnel through the WAN connection with an access controller (AC) that manages access points (APs) of a wireless network of an enterprise; (ii) broadcasts an SSID that is also broadcast by the APs;…

FIREWALL POLICY MANAGEMENT

Granted: June 8, 2017
Application Number: 20170163606
Methods and systems are provided for creation and implementation of firewall policies. According to one embodiment, a firewall maintains a log of observed network traffic flows. An administrator may request the firewall to generate a customized report based on the logged network traffic by extracting information from the log based on specified report parameters. The report includes aggregated network traffic items and one or more corresponding action objects. Responsive to receipt of a…

DIRECT CACHE ACCESS FOR NETWORK INPUT/OUTPUT DEVICES

Granted: June 8, 2017
Application Number: 20170163662
Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network interface controller (NIC) of a network security device for each of multiple I/O device queues. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the NIC. The packet is parsed to identify boundaries of portions of the packet and…

PRESENTATION OF THREAT HISTORY ASSOCIATED WITH NETWORK ACTIVITY

Granted: June 8, 2017
Application Number: 20170163673
Methods and systems for extracting, processing, displaying, and analyzing events that are associated with one or more threats are provided. According to one embodiment, threat information, including information from one or more of firewall logs and historical threat logs, is maintained in a database. Information regarding threat filtering parameters is received. Information regarding threats matching the threat filtering parameters is extracted from the database and is presented in a…

SECURITY THREAT DETECTION

Granted: June 8, 2017
Application Number: 20170163674
Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous…

HTTP PROXY

Granted: June 8, 2017
Application Number: 20170163758
Systems and methods for translating between an older version of HTTP and a newer version of HTTP are provided. According to an embodiment, a first request message, compliant with the newer version and directed to a server that supports the older version but does not support the newer version, is received by the proxy from a client that supports the newer version. A second request message, compliant with the older version, is created by the proxy by translating the first request message.…

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Granted: May 25, 2017
Application Number: 20170149822
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for mitigating DDoS attacks. A DDoS attack mitigation appliance of multiple mitigation appliances controlled by a DDoS attack mitigation central controller receives DDoS attack mitigation policies through a network connecting the controller and the mitigation appliance. A DDoS attack is mitigated by the mitigation appliance based on the received…

ASSOCIATING POSITION INFORMATION COLLECTED BY A MOBILE DEVICE WITH A MANAGED NETWORK APPLIANCE

Granted: May 25, 2017
Application Number: 20170150322
Systems and methods for obtaining and managing network appliance position information are provided. According to one embodiment, a network appliance controller establishes a network connection with a mobile device. The network appliance controller receives via the network connection from the mobile device identification information associated with a network appliance and position information. The network appliance controller associates the identification information with the position…

APPLICATION CONTROL

Granted: May 11, 2017
Application Number: 20170134257
Systems and methods for controlling applications on a network are provided. According to one embodiment, a network security device detects a suspect application protocol used in connection with network traffic exchanged between a source peer and a destination peer. The network security device sends a probing request to the destination peer based on the suspect application protocol. The suspect application protocol is confirmed when a response is received from the destination peer in…

CALCULATING CONSECUTIVE MATCHES USING PARALLEL COMPUTING

Granted: May 4, 2017
Application Number: 20170126713
Methods and systems for determining consecutive matches are provided. According to one embodiment, a class definition and a data stream are received by a network security device. The data stream is partitioned into multiple data blocks each containing N data segments. Each data block is processed in parallel to compute: (i) a value (F) indicating whether every data segment value meets the class definition; (ii) a value (L) indicating a number of consecutive data segment values meeting…

EXAMINING AND CONTROLLING IPv6 EXTENSION HEADERS

Granted: April 20, 2017
Application Number: 20170111319
Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an…

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Granted: April 20, 2017
Application Number: 20170111397
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation…

IDENTIFYING NODES IN A RING NETWORK

Granted: April 13, 2017
Application Number: 20170104638
Methods and systems for determining a token master on a ring network are provided. According to one embodiment, a ring controller of a first blade participating in the ring network receives an indication that an arbitration token originated by an originating blade has been received. The ring controller compares the priorities of the originating blade and the first blade. When the priority of the originating blade is higher, the ring controller transmits the arbitration token to the next…

FACILITATING CONTENT ACCESSIBILITY VIA DIFFERENT COMMUNICATION FORMATS

Granted: April 13, 2017
Application Number: 20170104837
Methods and systems for facilitating content accessibility via different communication formats are provided. According to one embodiment, information indicative of one or more communication formats via which a client device is capable of communication is stored on a client device by (i) sending the client device a web page having embedded therein test content associated with a first protocol stack and/or a second protocol stack; and (ii) based on a response to the test content received…

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Granted: April 6, 2017
Application Number: 20170098096
Methods and systems for vendor independent and secure cloud storage distribution and aggregation are provided. According to one embodiment, an application programming interface (API) is provided by a cloud storage gateway device logically interposed between third-party cloud storage platforms and users of an enterprise. The API facilitates storing of files, issuing of search requests against the files and retrieval of content of the files. A file storage policy is assigned to each user,…

INLINE INSPECTION OF SECURITY PROTOCOLS

Granted: March 30, 2017
Application Number: 20170093796
Systems and methods for inline security protocol inspection are provided. According to one embodiment, a security device receives an encrypted packet from a first network appliance and buffers the encrypted packet in a buffer. An inspection module accesses the encrypted packet from the buffer, decrypts it to produce plain text, and scans the plain text.