LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION

US 20120210416A1
Filed: 01/23/2012
Published: 08/16/2012
Est. Priority Date: 02/16/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining, by a session-aware switching device, a session table, the session table including a plurality of session entries each of which represent a previously established traffic session by the session-aware switching device from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of a plurality of firewall security devices associated with the session-aware switching device;

receiving, at a first port of a plurality of ports of the session-aware switching device, a first data packet of a first traffic session from a client device directed to a target device;

determining, by the session-aware switching device, whether there exists among the plurality of session entries a matching session entry corresponding to the data packet by checking the session table; and

responsive to a negative determination;

using a load balancing function to select a firewall security device from among the plurality of firewall security devices to associate with the first traffic session and a second traffic session from the target device to the client device;

causing the data packet to be processed by the selected firewall security device; and

after processing of the data packet by the selected firewall security device and responsive to receipt of the data packet at a second port of the plurality of ports of the session-aware switching device, installing a first session entry within the session table for the second traffic session with the target device identified as the particular source device and with the client device identified as the particular destination device and including information within the session entry that associates the selected firewall security device with the second traffic session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for balancing load among firewall security devices are provided. According to one embodiment, a switch maintains a session table the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular firewall security device (FSD). Responsive to receiving a packet of a first traffic session on a first port, a determination is made whether there exists a matching session entry. Responsive to a negative determination, a load balancing function is performed to select an FSD with which to associate the first traffic session and a corresponding reverse second traffic session. After processing of the packet by the selected FSD and receipt of the packet at a second port, a session entry is installed within the session table for the second traffic session and which associates the selected FSD with the second traffic session.

173 Citations

21 Claims

1. A method comprising:
- maintaining, by a session-aware switching device, a session table, the session table including a plurality of session entries each of which represent a previously established traffic session by the session-aware switching device from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of a plurality of firewall security devices associated with the session-aware switching device;
  
  receiving, at a first port of a plurality of ports of the session-aware switching device, a first data packet of a first traffic session from a client device directed to a target device;
  
  determining, by the session-aware switching device, whether there exists among the plurality of session entries a matching session entry corresponding to the data packet by checking the session table; and
  
  responsive to a negative determination;
  
  using a load balancing function to select a firewall security device from among the plurality of firewall security devices to associate with the first traffic session and a second traffic session from the target device to the client device;
  
  causing the data packet to be processed by the selected firewall security device; and
  
  after processing of the data packet by the selected firewall security device and responsive to receipt of the data packet at a second port of the plurality of ports of the session-aware switching device, installing a first session entry within the session table for the second traffic session with the target device identified as the particular source device and with the client device identified as the particular destination device and including information within the session entry that associates the selected firewall security device with the second traffic session.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - receiving a reply data packet from the target device directed to the client device, at the second port of the session-aware switching device, the reply data packet representing a reply to the data packet;
      
      responsive to receipt of the reply data packet;
      
      identifying, by the session-aware switching device, the first session entry as a matching session entry corresponding to the reply data packet;
      
      causing the reply data packet to be processed by the selected firewall security device by virtue of the information within the first session entry that associates the selected firewall security device with the second traffic session; and
      
      after processing of the reply data packet by the selected firewall security device and responsive to receipt of the reply data packet at the first port, installing a second session entry within the session table for the first traffic session with the client device identified as the particular source device and with the target device identified as the particular destination device and including information within the second session entry that associates the selected firewall security device with the first traffic session.
  - 3. The method of claim 2, wherein the plurality of session entries contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source port number, a destination port number and a Virtual Local Area Network identifier (VLAN ID).
  - 4. The method of claim 3, wherein the source port number and the destination port number comprise a Transmission Control Protocol (TCP) port number, a User Datagram Protocol (UDP) port number or a layer 4 port number.
  - 5. The method of claim 3, wherein the plurality of firewall security devices are categorized into one or more service groups by associating each of the plurality of firewall security devices with a VLAN ID.
  - 6. The method of claim 5, further comprising, based on a result of the load balancing function, assigning a Virtual Local Area Network (VLAN) tag to the data packet corresponding to the VLAN ID with which the selected firewall security device is associated.

7. A computer-readable, non-transitory storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a session-aware switching device, cause the one or more processors to perform a method for load balancing among a plurality of firewall security devices associated with the session-aware switching device, the method comprising:
- receiving, at a first port of a plurality of ports of the session-aware switching device, a first data packet of a first traffic session from a client device directed to a target device;
  
  determining, by the session-aware switching device, whether there exists within a session table maintained by the session-aware switching device a matching session entry corresponding to the data packet by checking the session table, wherein the session table includes a plurality of session entries each of which represent a previously established traffic session by the session-aware switching device from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of the plurality of firewall security devices;
  
  responsive to a negative determination;
  
  causing the data packet to be processed by a selected firewall security device, wherein the selected firewall security device is determined based upon a load balancing function that associates the first traffic session and a second traffic session from the target device to the client device with the selected firewall security device; and
  
  after processing of the data packet by the selected firewall security device and responsive to receipt of the data packet at a second port of the plurality of ports of the session-aware switching device, causing a first session entry to be installed within the session table for the second traffic session with the target device identified as the particular source device and with the client device identified as the particular destination device and including information within the first session entry that associates the selected firewall security device with the second traffic session.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable storage medium of claim 7, wherein the method further comprises:
    - receiving a reply data packet from the target device directed to the client device, at the second port of the session-aware switching device, the reply data packet representing a reply to the data packet;
      
      responsive to receipt of the reply data packet;
      
      after the first session entry has been identified as a matching session entry corresponding to the reply data packet, causing the reply data packet to be processed by the selected firewall security device by virtue of the information within the first session entry that associates the selected firewall security device with the second traffic session; and
      
      after processing of the reply data packet by the selected firewall security device and responsive to receipt of the reply data packet at the first port, causing a second session entry to be installed within the session table for the first traffic session with the client device identified as the particular source device and with the target device identified as the particular destination device and including information within the second session entry that associates the selected firewall security device with the first traffic session.
  - 9. The computer-readable storage medium of claim 8, wherein the plurality of session entries contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source port number, a destination port number and a Virtual Local Area Network identifier (VLAN ID).
  - 10. The computer-readable storage medium of claim 9, wherein the source port number and the destination port number comprise a Transmission Control Protocol (TCP) port number, a User Datagram Protocol (UDP) port number or a layer 4 port number.
  - 11. The computer-readable storage medium of claim 8, wherein the plurality of firewall security devices are categorized into one or more service groups by associating each of the plurality of firewall security devices with a VLAN ID.
  - 12. The computer-readable storage medium of claim 11, wherein the method further comprises, based on a result of the load balancing function, causing a Virtual Local Area Network (VLAN) tag to be assigned to the data packet corresponding to the VLAN ID with which the selected firewall security device is associated.

13. A switching device comprising:
- a plurality of ports;
  
  a connecting unit coupled to the plurality of ports;
  
  one or more central processing units (CPUs) coupled to the connecting unit;
  
  a load balancing unit coupled to the connecting unit;
  
  a memory unit coupled to the load balancing unit, the memory unit having stored therein a session table, the session table including a plurality of session entries each of which represent a previously established traffic session from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of a plurality of firewall security devices associated with the switching device;
  
  wherein when a first data packet of a first traffic session from a client device directed to a target device is received at a first port of the plurality of ports, a determination is made by the memory unit whether there exists among the plurality of session entries a matching session entry corresponding to the data packet by checking the session table; and
  
  wherein responsive to a negative determination;
  
  the load balancing unit selects a firewall security device from among the plurality of firewall security devices to associate with the first traffic session and a second traffic session from the target device to the client device by performing a load balancing function;
  
  the connecting unit causes the data packet to be processed by the selected firewall security device; and
  
  after processing of the data packet by the selected firewall security device and responsive to receipt of the data packet at a second port of the plurality of ports, the load balancing unit installs a first session entry within the session table for the second traffic session with the target device identified as the particular source device and with the client device identified as the particular destination device and including information within the first session entry that associates the selected firewall security device with the second traffic session.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The switching device of claim 13, wherein:
    - responsive to receiving a reply data packet at the second port from the target device directed to the client device;
      
      the load balancing unit identifies the first session entry as a matching session entry corresponding to the reply data packet;
      
      the connecting unit causes the reply data packet to be processed by the selected firewall security device by virtue of the information within the first session entry that associates the selected firewall security device with the second traffic session; and
      
      after processing of the reply data packet by the selected firewall security device and responsive to receipt of the reply data packet at the first port, the load balancing unit installs a second session entry within the session table for the first traffic session with the client device identified as the particular source device and with the target device identified as the particular destination device and including information within the second session entry that associates the selected firewall security device with the first traffic session.
  - 15. The switching device of claim 14, wherein the plurality of session entries contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source port number, a destination port number and a Virtual Local Area Network identifier (VLAN ID).
  - 16. The switching device of claim 15, wherein the source port number and the destination port number comprise a Transmission Control Protocol (TCP) port number, a User Datagram Protocol (UDP) port number or a layer 4 port number.
  - 17. The switching device of claim 15, wherein the plurality of firewall security devices are categorized into one or more service groups by associating each of the plurality of firewall security devices with a VLAN ID.
  - 18. The switching device of claim 17, wherein based on a result of the load balancing function, the connecting unit assigns a Virtual Local Area Network (VLAN) tag to the data packet corresponding to the VLAN ID with which the selected firewall security device is associated.
  - 19. The switching device of claim 14, wherein the connecting unit comprises a fabric switch.
  - 20. The switching device of claim 19, wherein the load balancing unit comprises one or more field programmable gate arrays.
  - 21. The switching device of claim 20, wherein the memory unit comprises synchronous dynamic random access memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Mihelich, Joe, Pham, Son, Li, Jun

Granted Patent

US 8,776,207 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06F 16/282   Hierarchical databases, e.g...

G06F 16/9017   using directory or table lo...

H04L 45/74   Address processing for routing

H04L 47/125   by balancing the load, e.g....

H04L 47/196   Integration of transport la...

H04L 47/726   Reserving resources in mult...

H04L 49/354   for supporting virtual loca...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

H04L 67/1004   Server selection for load b...

H04L 67/1027   Persistence of sessions dur...

H04L 67/142   Managing session states for...

LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

173 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others