Fortinet Patent Applications

DIRECTING CLIENTS BASED ON COMMUNICATION FORMAT

Granted: October 19, 2017
Application Number: 20170302622
Methods and systems for redirecting client requests are provided. According to one embodiment, a system includes a processor and a memory coupled to the processor and configured to provide the processor with instructions. A request is received from a client capable of communicating via multiple supported communication formats. The request is capable of being serviced by multiple servers each of which are configured to communicate via a different communication format. A server is selected…

SCALABLE INLINE BEHAVIORAL DDOS ATTACK MITIGATION

Granted: October 19, 2017
Application Number: 20170302698
Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack…

COMPUTERIZED SYSTEM AND METHOD FOR ADVANCED NETWORK CONTENT PROCESSING

Granted: October 19, 2017
Application Number: 20170302705
A computerized system and method for processing network content in accordance with at least one content processing rule is provided. According to one embodiment, the network content is received at a first interface. A transmission protocol according to which the received network content is formatted is identified and used to intercept at least a portion of the received network content. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected…

NETWORK APPLIANCE HEALTH MONITOR

Granted: October 5, 2017
Application Number: 20170288955
Systems and methods for monitoring failures of network devices and identifying potential sources of the failures by a device health monitor are provided. A device monitor receives a usage log of a network device over a network connection and analyzes an abnormal usage of the network device from the usage log. The device health monitor further retrieves environment information of the network device and analyzes a defect of the environment information of the network device by associating…

SANDBOXING PROTECTION FOR ENDPOINTS

Granted: October 5, 2017
Application Number: 20170289179
Methods and systems for integrating a sandboxing service and distributed threat intelligence within an endpoint security application are provided. According to one embodiment, The method includes file system or operating system activity relating to a file accessible to an endpoint system is monitored by an endpoint security application running on the endpoint system. The endpoint security application determines whether the file has been previously analyzed for a threat status. When a…

FILTERING OF METADATA SIGNATURES

Granted: October 5, 2017
Application Number: 20170289180
Systems and methods for high performance IDS/IPS with efficient metadata filtering are provided. According to one embodiment, a signature database of an IDS/IPS is configured with multiple metadata signatures. A pre-match engine identifies a candidate packet of network traffic received by the IDS/IPS for full-feature match processing by: (i) categorizing the metadata signatures based on characteristics thereof; and (ii) processing and filtering a first set of the metadata signatures that…

AUTOMATED CREATION AND USE OF VPN CONFIGURATION PROFILES

Granted: September 28, 2017
Application Number: 20170279769
Systems and methods for automatically obtaining virtual private network (VPN) connection profile data from a barcode are provided. According to one embodiment, a client security application obtains a barcode, wherein the client security application is installed on a client machine and is used for managing the security of the client machine. The client security application identifies a configuration profile of a virtual private network (VPN) that is encoded by the barcode and creates the…

SECURE, AUTOMATIC SECOND FACTOR USER AUTHENTICATION USING PUSH SERVICES

Granted: September 28, 2017
Application Number: 20170279795
A network-based multi-factor authentication approach is provided. A request to access a protected network resource and user credentials are received from a client by an application server hosting the resource. Attributes associated with the request are obtained. After determining the credentials are valid, the access attributes are provided to an authentication server. A first OTP is generated by the authentication server. The client is caused to seek confirmation from the user regarding…

NETWORK SECURITY MANAGEMENT VIA SOCIAL MEDIA NETWORK

Granted: September 21, 2017
Application Number: 20170272468
Systems and methods for managing users' local security policies based on social media network information are provided. According to one embodiment, a network security appliance of a private network receives authentication request from a client machine and provides a social login interface of a social media network to the client machine. After a user of the client machine is authenticated by the social media network through a personal social media network account of the user, the network…

SYSTEM AND METHOD FOR DYNAMIC MANAGEMENT OF NETWORK DEVICE DATA

Granted: September 14, 2017
Application Number: 20170264509
A method and apparatus of a device that dynamically changes how management data is managed in response to events detected in a network system is described. In an exemplary embodiment, the device detects an event occurring in the network system. The device further determines if the event triggers a system change in how the management data is reported on one or more of the managed nodes. If the event notification does trigger the system change, for each of the one or more of the managed…

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Granted: September 14, 2017
Application Number: 20170264638
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for mitigating DDoS attacks. A DDoS attack mitigation appliance of multiple mitigation appliances controlled by a DDoS attack mitigation central controller receives DDoS attack mitigation policies through a network connecting the controller and the mitigation appliance. A DDoS attack is mitigated by the mitigation appliance based on the received…

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Granted: September 14, 2017
Application Number: 20170264646
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation…

HIGH-AVAILABILITY CLUSTER ARCHITECTURE AND PROTOCOL

Granted: September 7, 2017
Application Number: 20170255532
Methods and systems are provided for an improved cluster-based network architecture. According to one embodiment, an active connection is established between a first interface of a network device and an enabled interface of a first cluster unit of a high availability (HA) cluster. The HA cluster is configured to provide connectivity between network devices of an internal and external network. A backup connection is established between a second interface of the network device and a…

VIRTUALIZATION IN A MULTI-HOST ENVIRONMENT

Granted: September 7, 2017
Application Number: 20170255549
Methods and systems for implementing improved partitioning and virtualization in a multi-host environment are provided. According to one embodiment, multiple devices, including CPUs and peripherals, coupled with a system via an interconnect matrix/bus are associated with a shared memory logically partitioned into multiple domains. A first domain is associated with a first set of the devices and a second domain is associated with a second set of the devices. A single shared virtual map…

FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES

Granted: September 7, 2017
Application Number: 20170257347
Systems and methods for filtering unsafe content by a network security device are provided. According to one embodiment, a network security device captures network traffic and extracts a media file from the network traffic. The network security device then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security device performs one or more actions on the media file based on a…

SYSTEM AND METHOD FOR INTEGRATED HEADER, STATE, RATE AND CONTENT ANOMALY PREVENTION FOR SESSION INITIATION PROTOCOL

Granted: September 7, 2017
Application Number: 20170257348
Methods and systems for an integrated solution to the rate based denial of service attacks targeting the Session Initiation Protocol are provided. According to one embodiment, header, state, rate and content anomalies are prevented and network policy enforcement is provided for session initiation protocol (SIP). A hardware-based apparatus helps identify SIP rate-thresholds through continuous and adaptive learning. The apparatus can determine SIP header and SIP state anomalies and drop…

MANAGING TRANSMISSION AND STORAGE OF SENSITIVE DATA

Granted: September 7, 2017
Application Number: 20170257422
Systems and methods for injecting sensitive data into outgoing traffic on behalf of a user of a private network are provided. According to one embodiment, a network security appliance maintains a database of sensitive data. Secure submission of sensitive data of a user is facilitated by the security appliance in connection with interactions between a client and a server by: (i) intercepting outgoing traffic from the client to the server; (ii) determining whether the outgoing traffic…

METADATA INFORMATION BASED FILE PROCESSING

Granted: August 31, 2017
Application Number: 20170251001
Methods and systems for network level file processing based on metadata information retrieved from a file are provided. According to one embodiment, a file is received by a network security appliance. Metadata information is extracted from the file. The extracted metadata information is processed based on one or more defined rules. An action is taken on one or more of the file or a sender of the file based on an outcome of the processing.

SOCKET APPLICATION PROGRAM INTERFACE (API) FOR EFFICIENT DATA TRANSACTIONS

Granted: August 31, 2017
Application Number: 20170251052
Methods and systems for efficient data transactions between applications running on devices associated with the same host. According to one embodiment, a host system includes an HTTP proxy and an SSL/TLS proxy operatively coupled with each other. The SSL/TLS proxy may be configured to perform SSL negotiation with a client and the HTTP proxy may be configured to communicate with a web server in clear text. Data can be transferred directly between the proxies through a pair of connected…

CENTRALIZED MANAGEMENT OF ACCESS POINTS

Granted: August 17, 2017
Application Number: 20170237617
Systems and methods are provided for centralized access, control, and management of APs. According to one embodiment, multiple APs of a private IP network are decoupled from potentially transient IP addresses by assigning a unique identifier to each of the multiple APs by an AC. An AC GUI is presented by the AC to an administrator through which (i) commands are provided by the administrator and (ii) the administrator is provided with access to a first AP of the multiple APs responsive to…