Cluster Architecture and Configuration for Network Security Devices

US 20100169446A1
Filed: 12/21/2009
Published: 07/01/2010
Est. Priority Date: 12/19/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium comprising instructions configured to cause a computing device to perform a method for adding a computing device to a cluster, the method comprising:

discovering the computing device on a communication network;

transmitting a device-specific configuration to the computing device comprising cluster configuration data and a role assignment;

verifying that the computing device has implemented the device-specific configuration; and

including the computing device in a secure cluster communications channel when implementation of the device-specific configuration by the computing device is verified.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.

Citations

31 Claims

1. A computer-readable storage medium comprising instructions configured to cause a computing device to perform a method for adding a computing device to a cluster, the method comprising:
- discovering the computing device on a communication network;
  
  transmitting a device-specific configuration to the computing device comprising cluster configuration data and a role assignment;
  
  verifying that the computing device has implemented the device-specific configuration; and
  
  including the computing device in a secure cluster communications channel when implementation of the device-specific configuration by the computing device is verified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer-readable storage medium of claim 1, wherein the computing device is discovered responsive to a request to transmit a discovery message on the communication network.
  - 3. The computer-readable storage medium of claim 1, the method further comprising determining whether the computing device is eligible to join the cluster.
  - 4. The computer-readable storage medium of claim 3, wherein the eligibility of the computing device to join the cluster is based upon device-identifying information received from the computing device.
  - 5. The computer-readable storage medium of claim 4, wherein the device-identifying information comprises an indicator of a version of the computing device.
  - 6. The computer-readable storage medium of claim 4, wherein the device-identifying information comprises an indicator of a hardware configuration of the computing device.
  - 7. The computer-readable storage medium of claim 4, wherein the device-identifying information comprises a license of the computing device.
  - 8. The computer-readable storage medium of claim 1, wherein the cluster role assignment is based upon a license of the cluster.
  - 9. The computer-readable storage medium of claim 1, wherein the cluster role assignment is based upon a license of the computing device.
  - 10. The computer-readable storage medium of claim 9, wherein when the computing device does not have a license, the computing device is assigned a standby role in the cluster, and wherein when in the standby role, the computing device is not assigned to handle cluster network traffic flows.
  - 11. The computer-readable storage medium of claim 10, the method further comprising assigning the computing device an active role in the cluster in response to another computing device in the cluster being removed therefrom, wherein when in the active role, the computing device is assigned to handle one or more cluster network traffic flows.
  - 12. The computer-readable storage medium of claim 9, wherein when the computing device has a license, the computing device is assigned an active role in the cluster, and wherein when in the active role, the computing device is assigned to handle one or more cluster network traffic flows.
  - 13. The computer-readable storage medium of claim 1, the method further comprising determining licensed capabilities of the cluster using a license of the computing device.
  - 14. The computer-readable storage medium of claim 13, wherein the licensed capabilities of the cluster are determined by combining licenses of two or more cluster computing devices.
  - 15. The computer-readable storage medium of claim 12, wherein the licensed capabilities of the cluster are determined by performing a least common capabilities combination on licenses of two or more cluster computing devices.
  - 16. The computer-readable storage medium of claim 1, the method further comprising:
    - selecting a first one of a plurality of computing devices in the cluster to act as a cluster master; and
      
      selecting a second one of the plurality of computing devices in the cluster to act as a backup master,wherein the cluster master is configured to assign processing tasks to computing devices in the cluster, and wherein the backup master is configured to synchronize run-time synchronization data with the cluster master.

17. A system comprising:
- a cluster comprising a plurality of computing devices;
  
  a cluster network interface, communicatively coupling the plurality of computing devices in the cluster; and
  
  a cluster management module implemented on one of the cluster computing devices, the cluster management module configured to, upon discovering a new computing device, determine a role of the new computing device in the cluster, transmit a device-specific configuration to the new computing device comprising a cluster configuration and the determined role, and to join the new computing device to a secure cluster communications channel when implementation of the device-specific configuration by the new computing device is verified.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The system of claim 17, wherein the cluster management module is configured to discover the new computing device responsive to a discover command.
  - 19. The system of claim 17, wherein the device-identifying information is one of a device serial number, a device hardware version identifier, a device software version identifier, and a device firmware version identifier.
  - 20. The system of claim 17, wherein the cluster management module is configured to determine the role of the new computing device in the cluster based upon a license of the new computing device.
  - 21. The system of claim 17, wherein the role of the new computing device in the cluster is standby when the new computing device does not have a license, and wherein the role of the new computing device in the cluster is active when the new computing device has a license.
  - 22. The system of claim 18, wherein the cluster management module is configured to update a cluster configuration data structure to indicate that the new computing device is joined to the cluster and to synchronize the updated cluster configuration data structure to the plurality of computing devices in the cluster.
  - 23. The system of claim 17, wherein the cluster management module is configured to actively discover the new computing device by transmitting one or more discovery messages on the cluster network interface.
  - 24. The system of claim 17, wherein the cluster management module is configured to passively discover the new computing device by monitoring network traffic on the cluster network interface.
  - 25. The system of claim 17, wherein the cluster management module is configured to determine whether the new computing device is eligible to join the cluster based upon one of a device identifier, a software version identifier, a hardware version identifier, and a firmware identifier of the new computing device.

26. A method for adding a computing device to a cluster comprising a plurality of computing devices, each of the computing devices comprising a processor, memory, and communications interface communicatively coupled to a cluster network, the method comprising:
- discovering a new computing device on the cluster network;
  
  receiving device-identifying information pertaining to the new computing device via the cluster network;
  
  generating a device-specific configuration for the new computing device using the device-identifying information;
  
  transmitting the device-specific configuration to the new computing device via the cluster network; and
  
  verifying implementation of the device-specific configuration by the new computing device; and
  
  establishing a shared key with the new computing device for secure cluster communications when implementation of the device-specific configuration is verified.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The method of claim 26, further comprising determining whether the computing device is eligible to join the cluster using the device-identifying information.
  - 28. The method of claim 26, wherein the device-identifying information comprises a hardware version indicator and a software version indicator, and wherein the computing device is eligible to join the cluster when the hardware version and the software version of the computing device are compatible with the plurality of computing devices in the cluster.
  - 29. The method claim 26, wherein the device-identifying information comprises a license of the computing device, and wherein the computing device is eligible to join the cluster when the license allows for clustered operations.
  - 30. The method of claim 29, wherein the device-specific configuration assigns a cluster role to the computing device, and wherein the cluster role is determined by the license of the computing device.
  - 31. The method of claim 29, further comprising determining licensed capabilities of the cluster by combining licenses of two or more of the plurality of cluster computing devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Huang, James, Linden, Thomas, Hsu, Jeff, Lee, Ming-Jeng

Granted Patent

US 8,316,113 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

G06F 11/181   Eliminating the failing red...

G06F 11/182   based on mutual exchange of...

G06F 11/2028   eliminating a faulty proces...

G06F 11/203   using migration

G06F 11/2035   without idle spare hardware

G06F 15/177   Initialisation or configura...

H04L 41/0659   by isolating or reconfiguri...

H04L 41/0869   Validating the configuratio...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 43/0817   by checking functioning

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0218   Distributed architectures, ...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/20   for managing network securi...

H04L 67/1095   Replication or mirroring of...

H04L 67/142   Managing session states for...

Cluster Architecture and Configuration for Network Security Devices

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Cluster Architecture and Configuration for Network Security Devices

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links