Service rule console for creating, viewing and updating template based service rules

US 10,148,696 B2
Filed: 12/18/2015
Issued: 12/04/2018
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium storing a program for managing service rules in a datacenter, the program comprising sets of instructions for:

providing, for display on a display screen, a service rule management user interface (UI) comprising a service rule section for displaying service rules for processing by service nodes in the datacenter;

receiving a request to add service rules for data messages associated with network nodes that are deployed in the datacenter based on a deployment template;

in response to the request, adding a sub-section to the service rule section to display service rules associated with the deployment template in the displayed service rule management UI; and

to the sub-section, adding a service rule comprising a set of rule identifiers and a service parameter associated with a service to be performed on data messages that have attribute sets that match the rule identifier set.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

Citations

21 Claims

1. A non-transitory machine readable medium storing a program for managing service rules in a datacenter, the program comprising sets of instructions for:
- providing, for display on a display screen, a service rule management user interface (UI) comprising a service rule section for displaying service rules for processing by service nodes in the datacenter;
  
  receiving a request to add service rules for data messages associated with network nodes that are deployed in the datacenter based on a deployment template;
  
  in response to the request, adding a sub-section to the service rule section to display service rules associated with the deployment template in the displayed service rule management UI; and
  
  to the sub-section, adding a service rule comprising a set of rule identifiers and a service parameter associated with a service to be performed on data messages that have attribute sets that match the rule identifier set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory machine readable medium of claim 1, wherein the only service rules the sub-section can display are service rules that are associated with the deployment template.
  - 3. The non-transitory machine readable medium of claim 1, wherein the request is a first request, the service rule section provides a list of service rules including template-based service rules in the sub-section and non-template based service rules, and the rules in the sub-section appear inline with non-template based rules displayed in the service rule section, the program further comprising sets of instructions for:
    - receiving a second request to move the template-based rules in the sub-section higher or lower in the list of service rules; and
      
      in response to the second request, moving all the template-based rules in the sub-section higher or lower as one contiguous unit, without allowing any of the previously higher or lower non-template based rules to be interjected between the template-based service rules in the sub-section.
  - 4. The non-transitory machine readable medium of claim 1, whereinthe service rule section provides a list of service rules including template-based service rules in the sub-section and non-template based service rules,the rules in the sub-section appear inline with non-template based rules displayed in the service rule section, andthe order of the rules in the list of service rules is indicative of the priority of the rules, with rules that appear higher in the list having higher priorities than rules that appear lower in the list.
  - 5. The non-transitory machine readable medium of claim 4, wherein the request is a first request, the program further comprising sets of instructions for:
    - receiving a second request to move the template-based rules in the sub-section higher or lower in the list of service rules; and
      
      in response to the second request, moving all the template-based rules in the sub-section higher or lower as one contiguous unit, in order to increase or decrease the priorities of the template-based rules in the rule list.
  - 6. The non-transitory machine readable medium of claim 1, wherein the request is a first request, the deployment template is a first deployment template, and the sub-section is a first sub-section, the program further comprising sets of instructions for:
    - receiving a second request to add service rules for data messages associated with network nodes that are deployed in the datacenter based on a second deployment template;
      
      in response to the second request, adding a second sub-section to the service rule section to display service rules associated with the second deployment template; and
      
      to the second sub-section, adding a service rule comprising a set of rule identifiers and a service parameter associated with a service to be performed on data messages that have attribute sets that match the rule identifier set.
  - 7. The non-transitory machine readable medium of claim 6, whereinthe service rule section provides a list of service rules including non-template-based service rules and template based service rules,the template-based service rules in the first and second sub-sections appear inline with non-template based rules displayed in the service rule section, andthe order of the rules in the list of service rules is indicative of the priority of the rules, with rules that appear higher in the list having higher priorities than rules that appear lower in the list.
  - 8. The non-transitory machine readable medium of claim 1, wherein the set of rule identifiers includes a template identifier that identifies the deployment template.
  - 9. The non-transitory machine readable medium of claim 1, wherein the set of rule identifiers includes source and destination identifiers that identify source and destination nodes of a data message, wherein at least one of the source identifier and the destination identifier is defined by reference to a group identifier that identifies a group storage structure that stores attributes of network nodes in the datacenter.
  - 10. The non-transitory machine readable medium of claim 9, wherein the group storage structure is dynamically modified to add and remove network node attributes as network nodes are added and removed from the network.
  - 11. The non-transitory machine readable medium of claim 10, wherein the group storage structure includes references to template identifiers for the network node attributes that it stores so that when a data message'"'"'s attribute set matches a network node'"'"'s attribute set, the template identifier for the data message is obtained from the matching network node attributes.
  - 12. The non-transitory machine readable medium of claim 10, wherein the group storage structure includes references to template instance storage structures for the network node attributes that it stores, so that when a data message'"'"'s attribute set matches a network node'"'"'s attribute set the template identifier for the data messages is obtained from the template instance storage structure referenced by the matching network node attributes.
  - 13. The non-transitory machine readable medium of claim of 1, wherein the request is a first request, the program further comprising sets of instructions for:
    - receiving a second request to move the template-based rules of the service rule sub-section; and
      
      in response to the second request, moving the rules in the service rule sub-section as one contiguous unit.

14. A method for managing service rules in a datacenter, the method comprising:
- providing, for display on a display screen, a service rule management user interface (UI) comprising a service rule section for displaying service rules for processing by service nodes in the datacenter;
  
  receiving a request to add service rules for data messages associated with network nodes that are deployed in the datacenter based on a deployment template;
  
  in response to the request, adding a sub-section to the service rule section to display service rules associated with the deployment template in the displayed service rule management UI; and
  
  to the sub-section, adding a service rule comprising a set of rule identifiers and a service parameter associated with a service to be performed on data messages that have attribute sets that match the rule identifier set.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, wherein the only service rules the sub-section can display are service rules that are associated with the deployment template.
  - 16. The method of claim 14, wherein the request is a first request, the service rule section provides a list of service rules including template-based service rules in the sub-section and non-template based service rules, and the rules in the sub-section appear inline with non-template based rules displayed in the service rule section, the method further comprising:
    - receiving a second request to move the template-based rules in the sub-section higher or lower in the list of service rules; and
      
      in response to the second request, moving all the template-based rules in the sub-section higher or lower as one contiguous unit, without allowing any of the previously higher or lower non-template based rules to be interjected between the template-based service rules in the sub-section.
  - 17. The method of claim 14, whereinthe service rule section provides a list of service rules including template-based service rules in the sub-section and non-template based service rules,the rules in the sub-section appear inline with non-template based rules displayed in the service rule section, andthe order of the rules in the list of service rules is indicative of the priority of the rules, with rules that appear higher in the list having higher priorities than rules that appear lower in the list.
  - 18. The method of claim 17, wherein the request is a first request, the method further comprising:
    - receiving a second request to move the template-based rules in the sub-section higher or lower in the list of service rules; and
      
      in response to the second request, moving all the template-based rules in the sub-section higher or lower as one contiguous unit, in order to increase or decrease the priorities of the template-based rules in the rule list.
  - 19. The method of claim 14, wherein the request is a first request, the deployment template is a first deployment template, and the sub-section is a first sub-section, the method further comprising:
    - receiving a second request to add service rules for data messages associated with network nodes that are deployed in the datacenter based on a second deployment template;
      
      in response to the second request, adding a second sub-section to the service rule section to display service rules associated with the second deployment template;
      
      to the second sub-section, adding a service rule comprising a set of rule identifiers and a service parameter associated with a service to be performed on data messages that have attribute sets that match the rule identifier set.
  - 20. The method of claim 19, whereinthe service rule section provides a list of service rules including non-template-based service rules and template based service rules,the template-based service rules in the first and second sub-sections appear inline with non-template based rules displayed in the service rule section, andthe order of the rules in the list of service rules is indicative of the priority of the rules, with rules that appear higher in the list having higher priorities than rules that appear lower in the list.
  - 21. The method of claim 14, wherein the set of rule identifiers includes source and destination identifiers that identify source and destination nodes of a data message, wherein at least one of the source identifier and the destination identifier is defined by reference to a group identifier that identifies a group storage structure that stores attributes of network nodes in the datacenter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Nimmagadda, Srinivas, Jain, Jayant, Sengupta, Anirban, Manuguri, Subrahmanyam, Tiagi, Alok S.
Primary Examiner(s)
Le, Chau

Application Number

US14/975,583
Publication Number

US 20170180423A1
Time in Patent Office

1,082 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

Service rule console for creating, viewing and updating template based service rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Service rule console for creating, viewing and updating template based service rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links