Fortinet Patent Grants

Systems and methods for detecting undesirable network traffic content

Granted: April 25, 2017
Patent Number: 9634989
A method of detecting a content desired to be detected includes receiving electronic data at a first host, determining a checksum value using the received electronic data, sending the checksum value to a processing station, the processing station being a second host that is different from the first host, and receiving a result from the processing station, the result indicating whether the electronic data is associated with a content desired to be detected. A method of detecting a content…

Detecting and preventing flooding attacks in a network environment

Granted: April 25, 2017
Patent Number: 9635051
A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes…

Optimizing multimedia streaming in WLANS (wireless local access networks)

Granted: April 25, 2017
Patent Number: 9635085
An SDN controller to provision network resources at a data plane to keep progressive downloads of multimedia files proportional to encoding rates is disclosed. Packets from a new or unknown flow being downloaded at a default rate are forwarded from an access point, or other device, to an SDN controller for analysis. If a progressive download of a multimedia file (e.g., a video file) in progress is detected, an encoding rate of frames for the multimedia file is determined. A target…

Directed station roaming in cloud managed Wi-Fi network

Granted: April 25, 2017
Patent Number: 9635597
Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input from the cloud-based…

Intelligent bridging of Wi-Fi flows in a software-defined network (SDN)

Granted: April 18, 2017
Patent Number: 9628292
Wi-Fi flows are intelligently bridged in a software-defined network (SDN) controller of a wireless communication network that centrally coordinates data plane behavior. A default mode tunnels packets received at an access point to the SDN controller for layer 2 routing decisions. A bridging policy concerning bridging of specific types of traffic flows for the wireless communication network is received at the SDN. Data plane traffic flow for each of a plurality of access points…

Emulating virtual port control of airtime fairness using per station enhanced distributed channel access (EDCA) parameters

Granted: April 11, 2017
Patent Number: 9622263
A technique for emulating virtual port control of airtime fairness for wireless stations using per station Enhanced Distributed Channel Access (EDCA) parameters. Specific parameters are received for each of a plurality of stations connected to the access point. An EDCA field of a beacon that stores a general EDCA parameter is set to an empty state. The beacon is broadcast to a plurality of stations on the wireless communication network and within range of an access point. The beacon…

Firewall policy management

Granted: March 28, 2017
Patent Number: 9608961
Methods and systems are provided for creation and implementation of firewall policies. According to one embodiment, a firewall maintains a log of observed network traffic flows. An administrator may request the firewall to generate a customized report based on the logged network traffic by extracting information from the log based on specified report parameters. The report includes aggregated network traffic items and one or more corresponding action objects. Responsive to receipt of a…

System and method for securing virtualized networks

Granted: March 28, 2017
Patent Number: 9609021
A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device receives a current network policy of the dynamic virtualized network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. The device further determines a network security policy for the dynamic virtualized network from the…

HTTP proxy

Granted: March 28, 2017
Patent Number: 9609078
Systems and methods are described for translating an HTTP/2 message into an HTTP/1 message by an HTTP proxy that connects HTTP/2 enabled clients with HTTP/1 only servers. According to an embodiment, an HTTP/2-HTTP/1 proxy receives an HTTP/2 request message from an HTTP/2-enabled client and directed to an HTTP/1-only server. The HTTP/2-HTTP/1 proxy translates the HTTP/2 request message into an HTTP/1 request message and sends the HTTP/1 request message to the HTTP/1-only server. The…

Optimizing multimedia streaming in WLANs (wireless local access networks) with a remote SDN (software-defined networking) controller

Granted: March 28, 2017
Patent Number: 9609084
An SDN controller to provision network resources at a data plane to keep progressive downloads of multimedia files proportional to encoding rates is disclosed. Packets from a new or unknown flow being downloaded at a default rate are forwarded from an access point, or other device, to an SDN controller for analysis. If a progressive download of a multimedia file (e.g., a video file) in progress is detected, an encoding rate of frames for the multimedia file is determined. A target…

Identifying nodes in a ring network

Granted: March 21, 2017
Patent Number: 9602303
Methods and systems for determining a token master on a ring network are provided in which possession of an arbitration token permits a blade participating in the ring network to transmit a packet. According to one embodiment, when an event at a blade represents expiration of a timeout period for receipt of the token, a new token is transmitted onto the ring network. When the event represents receipt of the token, then the priority of the originating blade is compared to that of the first…

Inline inspection of security protocols

Granted: March 21, 2017
Patent Number: 9602498
Systems and methods for inline security protocol inspection are provided. According to one embodiment, a security device receives an encrypted raw packet from a first network appliance and buffers the encrypted raw packet in a buffer. An inspection module accesses the encrypted raw packet from the buffer, decrypts it to produce plain text, and scans the plain text.

Security threat detection

Granted: March 21, 2017
Patent Number: 9602527
Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous…

System and method for software defined behavioral DDoS attack mitigation

Granted: March 21, 2017
Patent Number: 9602535
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation…

Policy-based selection of remediation

Granted: March 21, 2017
Patent Number: 9602550
Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information regarding a program-code-based operational state of a host asset is collected by a lightweight sensor (LWS) running on the host asset via a survey tool. The information is transmitted by the LWS to a remote server via an external network. Multiple security policies are enforced by the remote server with respect to the host asset based on the…

Network advertising system

Granted: March 7, 2017
Patent Number: 9589284
Systems and methods for transmitting content to a client via a communication network are provided. According to one embodiment, an insertion server running within a firewall device of a network observes a content request of an application protocol by monitoring or proxying transport communication protocol connections established through the firewall device. The content request is (i) originated by a client device coupled to the network, (ii) directed to a destination device coupled to…

Facilitating content accessibility via different communication formats

Granted: February 28, 2017
Patent Number: 9584473
Methods and systems for facilitating content accessibility via different communication formats are provided. According to one embodiment, a method is provided for directing content requests to an appropriate content delivery network. A content request is received from a client. The content request relates to web page content published by a content publisher in an Internet Protocol version 4 (IPv4) format or an Internet Protocol version 6 (IPv6) format that is obtained by the content…

Examining and controlling IPv6 extension headers

Granted: February 28, 2017
Patent Number: 9584478
Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an…

Presentation of threat history associated with network activity

Granted: February 28, 2017
Patent Number: 9584536
Methods and systems for extracting, processing, displaying, and analyzing events that are associated with one or more threats are provided. According to one embodiment, threat information, including information from one or more of firewall logs and historical threat logs, is maintained in a database. Information regarding threat filtering parameters, including one or more of types of threats to be extracted from the database, parameters of the threats, network-level details of the…

Managing transmission and storage of sensitive data

Granted: February 28, 2017
Patent Number: 9584587
Systems and methods for injecting sensitive data into outgoing traffic that is to be sent to a remote server from a client by a network security appliance logically interposed between the server and the client are provided. According to one embodiment, the method includes intercepting, by a network security appliance, outgoing traffic from the client to the server. The network security appliance identifies a submission command within the outgoing traffic that is used for submitting…