Fortinet Patent Grants

Logging attack context data

Granted: June 20, 2017
Patent Number: 9686309
Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received from an administrator of a network security device. The configuration information includes information indicative of a quantity of packets to be captured for post attack analysis. Responsive to receipt of the configuration information, a size of a circular buffer is configured based thereon. Multiple packets directed to a network protected by the…
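
The buffering scheme in this abstract (an administrator-set number of packets kept in a circular buffer, dumped when an attack is flagged) can be shown in a few dozen lines. The following is an added example written for this page, not Fortinet's code or anything from the patent; the packet shape, the configuration keys `pre_capture`/`post_capture`, and the SYN-count trigger are all assumptions.

```python
"""Ring-buffer capture of attack context, as sketched by the abstract.

Added example, not Fortinet's code. The packet shape, the administrator
configuration keys and the SYN-count trigger are assumptions."""
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple

# Constructed packet shape: (timestamp, src, dst, tcp_flags)
Packet = Tuple[float, str, str, str]


class AttackContextLogger:
    """Keeps the last `pre_capture` packets in a circular buffer so that,
    when a packet trips the attack detector, the traffic that led up to it
    plus the next `post_capture` packets are logged for post-attack analysis.
    Once the buffer is full the oldest packet is overwritten, so memory use
    is bounded by the administrator's setting rather than by traffic volume."""

    def __init__(self, config: Dict[str, int]) -> None:
        # Configuration received from the administrator (assumed keys).
        self.pre_capture = config["pre_capture"]
        self.post_capture = config["post_capture"]
        # deque(maxlen=n) is the circular buffer: appending to a full
        # deque silently evicts the oldest element.
        self.ring: Deque[Packet] = deque(maxlen=self.pre_capture)
        self.logged: List[List[Packet]] = []   # one context dump per attack
        self._open: List[Packet] = []          # dump still collecting post-attack packets
        self._remaining_post = 0

    def observe(self, pkt: Packet, is_attack: bool) -> None:
        if self._remaining_post > 0:
            # A dump is open: packets after the trigger go straight into it.
            self._open.append(pkt)
            self._remaining_post -= 1
            if self._remaining_post == 0:
                self.logged.append(self._open)
                self._open = []
            return
        if is_attack:
            # Snapshot the pre-attack context and the triggering packet itself.
            self._open = list(self.ring) + [pkt]
            self.ring.clear()
            self._remaining_post = self.post_capture
            if self._remaining_post == 0:
                self.logged.append(self._open)
                self._open = []
            return
        self.ring.append(pkt)


def syn_flood_trigger(threshold: int) -> Callable[[Packet], bool]:
    """Hypothetical detector: fires once when a source has sent `threshold`
    SYN-only packets. Any detector returning a bool per packet would do."""
    syn_counts: Dict[str, int] = {}

    def is_attack(pkt: Packet) -> bool:
        _, src, _, flags = pkt
        if flags != "S":
            return False
        syn_counts[src] = syn_counts.get(src, 0) + 1
        return syn_counts[src] == threshold

    return is_attack


def run_demo() -> List[List[Packet]]:
    """Feed constructed traffic through the logger and return the dumps."""
    logger = AttackContextLogger({"pre_capture": 3, "post_capture": 2})
    detect = syn_flood_trigger(threshold=4)
    traffic: List[Packet] = [
        (1.0, "10.0.0.5", "10.0.1.10", "PA"),
        (1.1, "10.0.0.6", "10.0.1.10", "PA"),
        (1.2, "10.0.0.5", "10.0.1.10", "A"),
        (1.3, "10.0.0.7", "10.0.1.10", "PA"),
        (2.0, "198.51.100.9", "10.0.1.10", "S"),
        (2.0, "198.51.100.9", "10.0.1.10", "S"),
        (2.0, "198.51.100.9", "10.0.1.10", "S"),
        (2.0, "198.51.100.9", "10.0.1.10", "S"),   # fourth SYN trips the trigger
        (2.1, "198.51.100.9", "10.0.1.10", "S"),
        (2.1, "10.0.0.5", "10.0.1.10", "PA"),
        (2.2, "10.0.0.6", "10.0.1.10", "PA"),
    ]
    for pkt in traffic:
        logger.observe(pkt, detect(pkt))
    return logger.logged


if __name__ == "__main__":
    for i, dump in enumerate(run_demo()):
        print(f"attack {i}: {len(dump)} packets, first at t={dump[0][0]}")
```

With `pre_capture` of 3 the benign packets at t=1.0 to 1.3 have already been evicted by the time the fourth SYN fires, so the dump holds the three earlier SYNs, the trigger, and two post-attack packets: exactly the window an analyst wants, and nothing the buffer size did not budget for.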

Virus co-processor instructions and methods for using such

Granted: June 13, 2017
Patent Number: 9679138
Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a system includes a co-processor (CP), a first memory, a general purpose processor (GPP) and a second memory. The first memory is associated with the CP and coupled to the CP. The first memory includes a first signature compiled for execution on the CP. The GPP is coupled to the CP. The second memory is associated with the GPP and coupled to the CP and to the GPP.…

Securing internet of things (IOT) RF (radio frequency) location tags using source addresses to locate stations on a Wi-Fi network

Granted: June 13, 2017
Patent Number: 9679171
RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked-up utilizing the pseudo source address, and a specific location for the RF tag is looked-up utilizing the source…

Facilitating content accessibility via different communication formats

Granted: June 13, 2017
Patent Number: 9680791
Facilitating content accessibility via different communication formats is disclosed. In some embodiments, in response to receiving a content request from an IPv6 enabled client, the requested content is provided to the IPv6 enabled client in IPv6 format, wherein the requested content is originally obtained in IPv4 format from an IPv4 enabled server and translated into IPv6 format.

Socket application program interface (API) for efficient data transactions

Granted: June 13, 2017
Patent Number: 9680918
Methods and systems for efficient data transactions between applications running on devices associated with the same host. According to one embodiment, a host system includes an HTTP proxy and an SSL/TLS proxy operatively coupled with each other. The SSL/TLS proxy may be configured to perform SSL negotiation with a client and the HTTP proxy may be configured to communicate with a web server in clear text. Data can be transferred directly between the proxies through a pair of connected…

Deauthenticating and disassociating unauthorized access points with spoofed management frames

Granted: June 13, 2017
Patent Number: 9681299
A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response…

Computerized system and method for deployment of management tunnels

Granted: June 6, 2017
Patent Number: 9673987
Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, the use of PKI-authenticated serial numbers within network devices manufactured by a particular manufacturer enables one-step provisioning of one or more managed devices. A managed device is provisioned with the serial number of a management device manufactured by the particular manufacturer. When the managed device is installed within a network, the…

Centralized management of access points

Granted: June 6, 2017
Patent Number: 9674037
Systems and methods are provided for centralized access, control, and management of APs. According to one embodiment, multiple APs of a private IP network are decoupled from potentially transient IP addresses by assigning a unique identifier to each of the multiple APs by an AC. An AC GUI is presented by the AC to an administrator through which (i) commands are provided by the administrator and (ii) the administrator is provided with access to a first AP of the multiple APs responsive to…

Secure system for allowing the execution of authorized computer program code

Granted: May 30, 2017
Patent Number: 9665708
Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel-level driver within a kernel of an operating system of a computer system intercepts activity in connection with a file system associated with the computer system or the operating system relating to a code module. A determination is made by the kernel-level driver regarding whether to allow the intercepted activity to proceed by performing a real-time authentication process…

Tunnel interface for securing traffic over a network

Granted: May 30, 2017
Patent Number: 9667604
Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second…

Detecting malicious resources in a network based upon active client reputation monitoring

Granted: May 30, 2017
Patent Number: 9667647
Systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network are provided. According to one embodiment, a method of client reputation monitoring is provided. A monitoring unit executing on a network security device operable to protect a private network observes activities relating to multiple monitored devices within the private network. For each of the observed activities, a score is assigned by the monitoring unit…
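
As an added illustration of the per-activity scoring this abstract describes (written for this page, not taken from Fortinet or the patent), the block below parses constructed log lines, assigns a score to each observed activity, aggregates per client, and flags clients over a threshold. The key=value log format, the activity weights in `ACTIVITY_SCORES`, the `SUSPICIOUS_PORTS` set, the threshold, and the rule that resources contacted by flagged clients are reported as suspects are all assumptions.

```python
"""Client reputation scoring over device activity, as an added example of
the monitoring described in the abstract (not Fortinet's code). The log
format, the per-activity scores, the suspicious-port list and the
threshold are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log lines in a hypothetical key=value format emitted by the
# monitoring unit for devices on the protected network.
SAMPLE_LOG = """\
ts=1 src=10.0.0.11 event=dns qname=update.example.com
ts=2 src=10.0.0.11 event=http host=cdn.example.com
ts=3 src=10.0.0.23 event=dns qname=a7f3k1.badtld.invalid
ts=4 src=10.0.0.23 event=ips sig=Backdoor.Beacon
ts=5 src=10.0.0.23 event=conn dst=203.0.113.5 dport=4444
ts=6 src=10.0.0.11 event=conn dst=198.51.100.20 dport=443
ts=7 src=10.0.0.42 event=av verdict=infected
ts=8 src=10.0.0.42 event=conn dst=203.0.113.5 dport=4444
"""

# Score assigned to each observed activity type (assumed weights):
# routine activity costs little, a signature hit costs a lot.
ACTIVITY_SCORES = {"dns": 1, "http": 1, "conn": 2, "ips": 20, "av": 30}
SUSPICIOUS_PORTS = {4444, 1337}   # assumed: ports commonly used by remote shells
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))


def score_activity(fields: Dict[str, str]) -> int:
    """Score one observed activity; connections to suspicious ports cost extra."""
    score = ACTIVITY_SCORES.get(fields.get("event", ""), 0)
    if fields.get("event") == "conn" and int(fields.get("dport", "0")) in SUSPICIOUS_PORTS:
        score += 10
    return score


def client_reputation(log_text: str, threshold: int = 25) -> Tuple[Dict[str, int], List[str], Set[str]]:
    """Aggregate activity scores per client. Clients at or above the
    threshold are flagged, and the destinations those flagged clients
    connected to are reported as suspected malicious resources
    (assumed inference rule)."""
    scores: Dict[str, int] = defaultdict(int)
    contacted: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "src" not in f:
            continue
        scores[f["src"]] += score_activity(f)
        if f.get("event") == "conn":
            contacted[f["src"]].add(f["dst"])
    flagged = sorted(h for h, s in scores.items() if s >= threshold)
    suspects: Set[str] = set()
    for h in flagged:
        suspects |= contacted[h]
    return dict(scores), flagged, suspects


if __name__ == "__main__":
    scores, flagged, suspects = client_reputation(SAMPLE_LOG)
    print(scores, flagged, suspects)
```

Note that 10.0.0.11 also makes an outbound connection but stays well under the threshold, so its destination is not reported; the score accumulates across activity types rather than firing on any single event.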

Filtering hidden data embedded in media files

Granted: May 23, 2017
Patent Number: 9660958
Systems and methods for filtering unsafe content at a network security appliance are provided. According to one embodiment, a network security appliance captures network traffic and extracts a media file from the network traffic. The network security appliance then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security appliance performs one or more actions on the media file…
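
One concrete form of "hidden data item embedded in a media file in machine-readable form" is a payload appended after the point where the image container legitimately ends, which viewers ignore but a dropper can read back. The block below is an added example for this page (not Fortinet's code): it walks JPEG marker segments and PNG chunks to find the true end of the image, reports any trailer, identifies a few well-known signatures at its start, and offers stripping the trailer as the action. The sample images are constructed minimal skeletons, and the signature table, the single-scan JPEG assumption and the action are assumptions.

```python
"""Detect data hidden after the end of a JPEG or PNG container.

Added example, not Fortinet's code. Builds minimal constructed images,
parses them to the real end-of-image, and reports or strips any trailer."""
import zlib
from typing import List, Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Signatures worth naming if they start the trailer (assumed short list).
TRAILER_SIGNATURES = {b"PK\x03\x04": "zip archive", b"MZ": "PE executable", b"\x7fELF": "ELF executable"}


def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past EOI, walking segments rather than searching for the
    first FF D9, because an EXIF thumbnail inside APP1 carries its own EOI.
    Assumes a single scan: inside entropy-coded data FF is always stuffed as
    FF 00 or a restart marker, so the first FF D9 after SOS is the real end."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            eoi = data.find(JPEG_EOI, pos + 2)
            return None if eoi < 0 else eoi + 2
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
    return None


def png_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk (length, type, data, CRC per chunk)."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def container_end(data: bytes) -> Optional[int]:
    if data.startswith(JPEG_SOI):
        return jpeg_end(data)
    if data.startswith(PNG_SIG):
        return png_end(data)
    return None


def find_hidden_data(data: bytes) -> List[str]:
    """Findings for one extracted media file; empty list means clean."""
    if not (data.startswith(JPEG_SOI) or data.startswith(PNG_SIG)):
        return ["unrecognised container"]
    end = container_end(data)
    if end is None:
        return ["truncated or malformed container"]
    trailer = data[end:]
    findings: List[str] = []
    if trailer:
        findings.append(f"{len(trailer)} trailing bytes after end of image")
        for sig, name in TRAILER_SIGNATURES.items():
            if trailer.startswith(sig):
                findings.append(f"trailer is a {name}")
    return findings


def strip_trailer(data: bytes) -> bytes:
    """The 'action': forward the image with the hidden trailer removed."""
    end = container_end(data)
    return data if end is None else data[:end]


def build_jpeg(payload: bytes = b"") -> bytes:
    """Constructed skeleton: SOI, APP0, SOS, a little entropy data with a
    stuffed FF 00, EOI, then the optional appended payload."""
    app0 = b"\xff\xe0" + (2 + 4).to_bytes(2, "big") + b"JFIF"
    sos = b"\xff\xda" + (2 + 2).to_bytes(2, "big") + b"\x01\x00"
    body = b"\x12\x34\xff\x00\x56"
    return JPEG_SOI + app0 + sos + body + JPEG_EOI + payload


def build_png(payload: bytes = b"") -> bytes:
    """Constructed skeleton with valid chunk CRCs and an appended payload."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body).to_bytes(4, "big")
        return len(body).to_bytes(4, "big") + ctype + body + crc
    return PNG_SIG + chunk(b"IHDR", b"\0" * 13) + chunk(b"IDAT", b"\x78\x9c") + chunk(b"IEND", b"") + payload


if __name__ == "__main__":
    print(find_hidden_data(build_jpeg(b"PK\x03\x04" + b"secret")))
    print(find_hidden_data(build_png()))
```

Appending a zip to a JPEG is the classic "polyglot" trick precisely because `file`, browsers and most viewers stop at EOI; parsing to the container's end rather than trusting the file length is what makes the trailer visible. Data hidden inside legitimate segments (EXIF comments, PNG tEXt chunks, LSB steganography) needs per-segment inspection that this example does not attempt.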

Network interface card rate limiting

Granted: May 16, 2017
Patent Number: 9652417
Systems and methods for limiting the rate of packet transmission from a NIC to a host CPU are provided. According to one embodiment, data packets are received from a network by the NIC. The NIC is coupled to a host central processing unit (CPU) of a network appliance through a bus system. A status of the host CPU is monitored by the NIC. A rate limiting mode indicator is set by the NIC based on the status. When the rate limiting mode indicator indicates rate limiting is inactive, then…

Policy-based configuration of internet protocol security for a virtual private network

Granted: May 9, 2017
Patent Number: 9647988
A method for performing policy-based configuration of Internet Protocol Security (IPSec) for a Virtual Private Network (VPN) is provided. According to one embodiment, a network device displays a policy page via a user interface of the network device through which a policy, including multiple VPN settings for establishing the VPN connection, is viewed and configured, the VPN settings including a type of IPSec tunnel to be established between the network device and a peer network device.…

Systems and methods for detecting undesirable network traffic content

Granted: April 25, 2017
Patent Number: 9634989
A method of detecting a content desired to be detected includes receiving electronic data at a first host, determining a checksum value using the received electronic data, sending the checksum value to a processing station, the processing station being a second host that is different from the first host, and receiving a result from the processing station, the result indicating whether the electronic data is associated with a content desired to be detected. A method of detecting a content…

Detecting and preventing flooding attacks in a network environment

Granted: April 25, 2017
Patent Number: 9635051
A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes…
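
Two of the checks this abstract names are easy to make concrete: deciding whether a packet is the retransmission of one the device already dropped (a real TCP stack retransmits an unanswered SYN; most flooding tools never do), and looking for a prescribed pattern across a header field of consecutive packets. The block below is an added example for this page, not Fortinet's code or the patent's method: the header layout, the choice of source port as the watched field, the "constant or increment by one" pattern rule and the window length are assumptions.

```python
"""Two flood checks sketched by the abstract, as an added example (not
Fortinet's code): dropping the first SYN of an unknown flow and accepting
only its retransmission, and spotting a prescribed pattern across a
header field of consecutive packets. Header layout, the watched field
and the pattern rule are assumptions."""
from collections import deque
from typing import Deque, List, NamedTuple, Set, Tuple


class Header(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    seq: int     # TCP sequence number; identical on a genuine retransmission
    flags: str


# What makes a retransmission "the same packet": endpoints plus sequence number.
DropKey = Tuple[str, str, int, int, int]


def first_fields_form_pattern(headers: List[Header]) -> bool:
    """Prescribed pattern (assumption): the watched field (source port) is
    constant or increments by exactly one from packet to packet. Independent
    clients pick ephemeral ports that do not line up like this; a tool that
    forges headers in a loop does."""
    values = [h.sport for h in headers]
    if len(values) < 2:
        return False
    diffs = {later - earlier for earlier, later in zip(values, values[1:])}
    return diffs == {0} or diffs == {1}


class FloodDetector:
    def __init__(self, pattern_len: int = 4) -> None:
        self.dropped: Set[DropKey] = set()
        self.recent: Deque[Header] = deque(maxlen=pattern_len)

    @staticmethod
    def key(h: Header) -> DropKey:
        return (h.src, h.dst, h.sport, h.dport, h.seq)

    def process(self, h: Header) -> str:
        """Return "accept", "drop" or "flood" for one packet.

        A SYN the device has not seen is dropped and remembered. A real TCP
        stack retransmits the identical SYN after its RTO and is then
        accepted; a flooding tool that never retransmits gets nothing
        through. Separately, if the last `pattern_len` headers line up in
        the prescribed pattern, the traffic is declared a flood."""
        self.recent.append(h)
        if len(self.recent) == self.recent.maxlen and first_fields_form_pattern(list(self.recent)):
            return "flood"
        if h.flags == "S":
            k = self.key(h)
            if k in self.dropped:
                self.dropped.discard(k)     # retransmission of a previously dropped packet
                return "accept"
            self.dropped.add(k)
            return "drop"
        return "accept"


def run_demo() -> List[str]:
    """Constructed traffic: one genuine client, then a forged SYN burst."""
    det = FloodDetector(pattern_len=4)
    legit = Header("10.0.0.5", "192.0.2.10", 40000, 443, 1000, "S")
    traffic = [
        legit,
        legit,  # the same SYN retransmitted after the RTO
        Header("203.0.113.7", "192.0.2.10", 5000, 443, 1, "S"),
        Header("203.0.113.7", "192.0.2.10", 5001, 443, 2, "S"),
        Header("203.0.113.7", "192.0.2.10", 5002, 443, 3, "S"),
        Header("203.0.113.7", "192.0.2.10", 5003, 443, 4, "S"),
    ]
    return [det.process(h) for h in traffic]


if __name__ == "__main__":
    print(run_demo())
```

The cost of the first check is one RTO of added latency on every new connection, which is why devices typically enable it only once a SYN-rate threshold is crossed; the `dropped` set also needs expiry in a real implementation so that a sustained flood cannot grow it without bound.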

Optimizing multimedia streaming in WLANS (wireless local access networks)

Granted: April 25, 2017
Patent Number: 9635085
An SDN controller to provision network resources at a data plane to keep progressive downloads of multimedia files proportional to encoding rates is disclosed. Packets from a new or unknown flow being downloaded at a default rate are forwarded from an access point, or other device, to an SDN controller for analysis. If a progressive download of a multimedia file (e.g., a video file) in progress is detected, an encoding rate of frames for the multimedia file is determined. A target…

Directed station roaming in cloud managed Wi-Fi network

Granted: April 25, 2017
Patent Number: 9635597
Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input from the cloud-based…

Intelligent bridging of Wi-Fi flows in a software-defined network (SDN)

Granted: April 18, 2017
Patent Number: 9628292
Wi-Fi flows are intelligently bridged in a software-defined network (SDN) controller of a wireless communication network that centrally coordinates data plane behavior. A default mode tunnels packets received at an access point to the SDN controller for layer 2 routing decisions. A bridging policy concerning bridging of specific types of traffic flows for the wireless communication network is received at the SDN. Data plane traffic flow for each of a plurality of access points…

Emulating virtual port control of airtime fairness using per station enhanced distributed channel access (EDCA) parameters

Granted: April 11, 2017
Patent Number: 9622263
A technique for emulating virtual port control of airtime fairness for wireless stations using per station Enhanced Distributed Channel Access (EDCA) parameters. Specific parameters are received for each of a plurality of stations connected to the access point. An EDCA field of a beacon that stores a general EDCA parameter is set to an empty state. The beacon is broadcast to a plurality of stations on the wireless communication network and within range of an access point. The beacon…