Firewall rule management

US 10,608,993 B2
Filed: 10/05/2017
Issued: 03/31/2020
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A datacenter comprising:

a plurality of host computing devices for executing a plurality of data compute nodes;

a first set of controllers for provisioning the data compute nodes;

a plurality of different firewall devices; and

a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices, wherein the management console (i) displays a plurality of firewall rules enforced by the plurality of firewall devices and (ii) after receiving a set of filtering criteria, displays a subset of the plurality of firewall rules that satisfy the set of filtering criteria.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.

65 Citations

View as Search Results

16 Claims

1. A datacenter comprising:
- a plurality of host computing devices for executing a plurality of data compute nodes;
  
  a first set of controllers for provisioning the data compute nodes;
  
  a plurality of different firewall devices; and
  
  a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices, wherein the management console (i) displays a plurality of firewall rules enforced by the plurality of firewall devices and (ii) after receiving a set of filtering criteria, displays a subset of the plurality of firewall rules that satisfy the set of filtering criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The datacenter of claim 1, wherein the management console is further for defining firewall rules.
  - 3. The datacenter of claim 2, wherein the management console is further for distributing the firewall rules to the firewall devices.
  - 4. The datacenter of claim 1, wherein each set of controller comprises one or more controllers.
  - 5. The datacenter of claim 1 further comprisinga plurality of forwarding elements;
    - anda third set of controllers for configuring the forwarding elements.
  - 6. The datacenter of claim 5, wherein the second and third set of controllers are the same set of controllers.
  - 7. The datacenter of claim 1, wherein the firewall devices comprise different types of firewall devices.

8. A datacenter comprising:
- a plurality of host computing devices for executing a plurality of data compute nodes;
  
  a first set of controllers for provisioning the data compute nodes;
  
  a plurality of different firewall devices comprising firewall engines executing on host computing devices, network perimeter firewall devices, and firewall appliances; and
  
  a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices.
- View Dependent Claims (9, 10)
- - 9. The datacenter of claim 8, whereinat least one network perimeter firewall device is a standalone device that executes a firewall engine without executing any compute end node, andat least one firewall appliance is an application firewall gateway.
  - 10. The datacenter of claim 9, wherein the application firewall gateway performs deep packet inspection and enforces firewall rules that are defined in terms of L7 data message header values.

11. A datacenter comprising:
- a plurality of host computing devices for executing a plurality of data compute nodes;
  
  a first set of controllers for provisioning the data compute nodes;
  
  a plurality of different firewall devices comprising firewall devices from different vendors; and
  
  a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices.

12. A datacenter comprising:
- a plurality of host computing devices for executing a plurality of data compute nodes;
  
  a first set of controllers for provisioning the data compute nodes;
  
  a plurality of different firewall devices; and
  
  a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices, wherein the management console serves as a single interface for receiving, modifying, filtering, and debugging firewall rules for the plurality of different firewall devices in the data center.

13. A datacenter comprising:
- a plurality of host computing devices for executing a plurality of data compute nodes;
  
  a first set of controllers for provisioning the data compute nodes;
  
  a plurality of different firewall devices; and
  
  a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices, wherein the management console comprises a first section for displaying firewall rules that are defined by reference to L3 parameters, and a second section for displaying firewall rules by reference to L2 parameters.

14. A datacenter comprising:
- a plurality of host computing devices for executing a plurality of data compute nodes;
  
  a first set of controllers for provisioning the data compute nodes;
  
  a plurality of different firewall devices; and
  
  a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices, wherein the firewall management console comprises a first section for displaying firewall rules that are defined for re-directing data messages to one or more third party appliances that perform one or more security services in the datacenter, and a second section for displaying firewall rules that are enforced by other firewall devices in the datacenter.

15. A datacenter comprising:
- a plurality of host computing devices for executing a plurality of data compute nodes;
  
  a first set of controllers for provisioning the data compute nodes;
  
  a plurality of different firewall devices; and
  
  a second of set of controllers for providing a management console to search and modify firewall rules for the different firewall devices, wherein each firewall rule includes a tuple for defining a set of firewall devices for enforcing the firewall rule.
- View Dependent Claims (16)
- - 16. The datacenter of claim 15, wherein at least each of a plurality of tuples for each of a plurality of firewall rules defines the set of firewall devices by reference to a high level group construct, which has to be resolved into one or more lower level constructs that define the firewall devices for enforcing the firewall rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Bansal, Kaushal, Masurekar, Uday, Maskalik, Serge, Shah, Shadab, Srinivasan, Aravind, Agarwal, Minjal
Primary Examiner(s)
McNally, Michael S

Application Number

US15/726,237
Publication Number

US 20180048623A1
Time in Patent Office

908 Days
Field of Search

726 11
US Class Current
CPC Class Codes

G06F 9/455   Emulation; Interpretation; ...

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

Firewall rule management

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall rule management

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links