Fortinet Patent Grants

System and method for software defined behavioral DDoS attack mitigation

Granted: August 22, 2017
Patent Number: 9742800
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for mitigating DDoS attacks. A DDoS attack mitigation appliance of multiple mitigation appliances controlled by a DDoS attack mitigation central controller receives DDoS attack mitigation policies through a network connecting the controller and the mitigation appliance. A DDoS attack is mitigated by the mitigation appliance based on the received…

Configuring initial settings of a network security device via a hand-held computing device

Granted: August 22, 2017
Patent Number: 9742872
Process, equipment, and computer program product code for configuring a network security device using a hand-held computing device are provided. Default initial settings for a network security device are received by a mobile application running on a hand-held computing device. The default initial settings represent settings that allow the network security device to be remotely managed via a network to which the network security device is coupled. The default initial settings are…

Automatic channel selection in wireless local area network (WLAN) controller based deployments using color graphs

Granted: August 22, 2017
Patent Number: 9743418
Wi-Fi channels are automatically selected in a WLAN controller based deployment. Scan results received from each of the plurality of access points comprise a list of neighboring access points from the plurality of access points relative to each access point. Responsive to the number of the plurality of access points exceeding the number of non-interfering channels, each of the plurality of access points is assigned to a non-interfering channel with sharing of at least one of the…

Calculating consecutive matches using parallel computing

Granted: August 8, 2017
Patent Number: 9727307
Methods and systems for determining consecutive matches are provided. According to one embodiment, a class definition and a data stream are received by a network security device. The data stream is partitioned into multiple data blocks each containing N data segments. Each data block is processed in parallel to compute: (i) a value (F) indicating whether every data segment value meets the class definition; (ii) a value (L) indicating a number of consecutive data segment values meeting…

Virtualization in a multi-host environment

Granted: August 8, 2017
Patent Number: 9727451
Methods and systems for implementing improved partitioning and virtualization in a multi-host environment are provided. According to one embodiment, multiple devices, including CPUs and peripherals, coupled with a system via an interconnect matrix/bus are associated with a shared memory logically partitioned into multiple domains. A first domain is associated with a first set of the devices and a second domain is associated with a second set of the devices. A single shared virtual map…

System and method for dynamic management of network device data

Granted: August 8, 2017
Patent Number: 9729409
A method and apparatus of a device that dynamically changes how management data is managed in response to events detected in a network system is described. In an exemplary embodiment, the device detects an event occurring in the network system. The device further determines if the event triggers a system change in how the management data is reported on one or more of the managed nodes. If the event notification does trigger the system change, for each of the one or more of the managed…

Policy-based content filtering

Granted: August 8, 2017
Patent Number: 9729508
Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with…

System and method for integrated header, state, rate and content anomaly prevention for session initiation protocol

Granted: August 8, 2017
Patent Number: 9729509
Methods and systems for an integrated solution to the rate based denial of service attacks targeting the Session Initiation Protocol are provided. According to one embodiment, header, state, rate and content anomalies are prevented and network policy enforcement is provided for session initiation protocol (SIP). A hardware-based apparatus helps identify SIP rate-thresholds through continuous and adaptive learning. The apparatus can determine SIP header and SIP state anomalies and drop…

Filtering hidden data embedded in media files

Granted: August 8, 2017
Patent Number: 9729511
Systems and methods for filtering unsafe content by a network security device are provided. According to one embodiment, a network security device captures network traffic and extracts a media file from the network traffic. The network security device then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security device performs one or more actions on the media file based on a…

System and method for software defined behavioral DDoS attack mitigation

Granted: August 8, 2017
Patent Number: 9729584
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation…

Managing transfer of data in a data network

Granted: August 8, 2017
Patent Number: 9729655
A method and apparatus for managing a transfer of data in a data network identifies data associated with a communication session between a first node and a second node in the data network. Further processing of the communication session occurs when a portion of the communication session meets a criterion and the communication session is permitted to continue when the portion of the communication session does not meet the criterion.

Aggregated beacons for per station control of multiple stations across multiple access points in a wireless communication network

Granted: August 8, 2017
Patent Number: 9730125
A technique for providing per station control of multiple stations in a wireless network across multiple access points. A look-up table that assigns a station connected to the access point and at least one communication parameter to each of a plurality of persistent, uniquely-assigned BSSIDs (Basic Service Set Identifiers) is stored. An access point responds to messages addressed to one of the plurality of persistent, uniquely-assigned BSSIDs and ignores messages addressed to other BSSIDs.…

Method and system for dedicating processors for desired tasks

Granted: August 1, 2017
Patent Number: 9720739
Methods for improving the performance of multitasking processors are provided. For example, a subset of M processors within a system with N processors is dedicated for a desired task. The M (where M>0) of the N processors are dedicated to a task, thus leaving N−M (N minus M) processors for running the normal operating system (OS). The processors dedicated to the task may have their interrupt mechanism disabled to avoid interrupt handler switching overhead. Therefore, these processors run in an…

Systems and methods for content type classification

Granted: July 25, 2017
Patent Number: 9716644
Various embodiments illustrated and described herein include systems, methods and software for content type classification. Some such embodiments include determining a potential state of classification for packets associated with a session based at least in part on a packet associated with the session that is a packet other than the first packet of the session.

Systems and methods for content type classification

Granted: July 25, 2017
Patent Number: 9716645
Various embodiments illustrated and described herein include systems, methods and software for content type classification. Some such embodiments include determining a potential state of classification for packets associated with a session based at least in part on a packet associated with the session that is a packet other than the first packet of the session.

Integrated security switch

Granted: July 25, 2017
Patent Number: 9716690
An integrated security switch and related method for managing connectivity and security among networks. The integrated security switch includes a security function connectable with a first network and at least one switching function connectable with a second network. A common management interface driven by both command line interface and graphic user interface protocols manages the switching function via a management path dedicated between the security function and the switching…

Direct cache access for network input/output devices

Granted: July 18, 2017
Patent Number: 9712544
Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network interface controller (NIC) of a network security device for each of multiple I/O device queues. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the NIC. The packet is parsed to identify boundaries of portions of the packet and…

Repurposing protocol messages to facilitate handoff

Granted: July 18, 2017
Patent Number: 9713045
A control element identifies the possibility that a station will transfer to a destination AP, and prepares that destination for a handoff. The control element repurposes messages from the station which indicate a possible near-term handoff, to prepare access points to receive that handoff. The control element treats a neighbor list request as a trigger to select which APs to identify, to restrict the neighbor list to selected APs, and to prepare each selected AP for a handoff. In…

Extension of Wi-Fi services multicast to a subnet across a Wi-Fi network using software-defined networking (SDN) to centrally control data plane behavior

Granted: July 11, 2017
Patent Number: 9705694
Wi-Fi services multicast to a subnet in a software-defined network (SDN) are extended. An SDN controller centrally monitors a data plane of a Wi-Fi network. Advertisements for services within a first subnet by an advertising station are forwarded to the SDN controller. Parameters of the service of the advertising station are extracted for storage by performing deep packet inspection on the one or more packets. Queries for services within a second subnet by a querying station are also…

Directing clients based on communication format

Granted: July 4, 2017
Patent Number: 9699138
Methods and systems for redirecting client requests are provided. According to one embodiment, a system includes a processor and a memory coupled to the processor and configured to provide the processor with instructions. A request is received from a client capable of communicating via multiple supported communication formats. The request is capable of being serviced by multiple servers, each of which is configured to communicate via a different communication format. A server is selected…