TIMING MANAGEMENT IN A LARGE FIREWALL CLUSTER

US 20150188884A1
Filed: 02/10/2015
Published: 07/02/2015
Est. Priority Date: 12/13/2011
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that when executed cause one or more processing units to:

initialize a firewall cluster comprising a plurality of nodes, each node operable to selectively permit or block traffic flowing between the firewall cluster and an external network;

receive a report from a first node of the firewall cluster that the first node is ineligible to be a primary node;

receive a report from a second node of the firewall cluster that the second node is eligible to be a primary node;

designate the second node as a primary node; and

notify the remaining nodes of the firewall cluster that the second node is the primary node for the firewall cluster.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node'"'"'s membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node status comprising reporting primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out.

Citations

20 Claims

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that when executed cause one or more processing units to:
- initialize a firewall cluster comprising a plurality of nodes, each node operable to selectively permit or block traffic flowing between the firewall cluster and an external network;
  
  receive a report from a first node of the firewall cluster that the first node is ineligible to be a primary node;
  
  receive a report from a second node of the firewall cluster that the second node is eligible to be a primary node;
  
  designate the second node as a primary node; and
  
  notify the remaining nodes of the firewall cluster that the second node is the primary node for the firewall cluster.
- View Dependent Claims (2, 3)
- - 2. The computer readable medium of claim 1 further comprising instructions that when executed cause the one or more processing units to:
    - execute, by one or more nodes of the firewall cluster, a firewall application.
  - 3. The computer readable medium of claim 1 further comprising instructions that when executed cause the one or more processing units to:
    - execute, by one or more nodes of the firewall cluster, an intrusion protection application.

4. A firewall system, comprising:
- a plurality of firewall processing nodes interconnected by a network, each processing node comprising a hardware network device operable to execute rules to selectively filter traffic between the firewall processing nodes and an external network; and
  
  a controller operable to execute instructions that when executed cause the controller to;
  
  receive a report from a first node of the plurality of firewall processing nodes that the first node is ineligible for designation as a primary node;
  
  receive a report from a second node of the plurality of firewall processing nodes that the second node is eligible for designation as a primary node;
  
  designate the second node as a primary node; and
  
  notify the remaining nodes of the plurality of firewall processing nodes that the second node is the primary node for the firewall system.
- View Dependent Claims (5, 6, 7)
- - 5. The firewall system of claim 4, wherein the rules to selectively filter traffic between the firewall processing nodes and an external network are executed by a plurality of nodes of the firewall processing nodes.
  - 6. The firewall system of claim 4, wherein the controller is further operable to execute instructions that when executed cause the controller to:
    - select one or more nodes of the firewall processing nodes; and
      
      execute a firewall application on the selected nodes.
  - 7. The firewall system of claim 4, wherein the controller is further operable to execute instructions that when executed cause the controller to:
    - select one or more nodes of the firewall processing nodes; and
      
      execute an intrusion protection application on the selected nodes.

8. A system comprising:
- a plurality of nodes interconnected by a network, each node comprising a computer system adapted to share processing of at least one of a firewall application and an intrusion protection application; and
  
  a hardware controller operable to monitor nodes available to the system, the controller adapted to execute instructions that when executed cause the controller to;
  
  initialize a firewall cluster, the firewall cluster comprising one or more nodes that comprise members of a previous firewall cluster and a new node;
  
  assign the new node as a primary node;
  
  receive a report from the assigned primary node that the assigned primary node is ineligible to be a primary node to prevent formation of a split firewall cluster;
  
  receive a report from a second node that is a member of the previous firewall cluster that the node that was a member of the previous firewall cluster is eligible to be a primary node;
  
  designate the second node as the primary node;
  
  designate the assigned primary node as a secondary node; and
  
  designate any remaining nodes that are members of the previous firewall cluster as secondary nodes and notify all secondary nodes about the primary node to form the firewall cluster.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8 further comprising:
    - a node adapted to execute instructions that when executed cause the node to;
      
      determine its membership in the previous firewall cluster;
      
      determine its eligibility to be a primary node based on its membership to the previous firewall cluster; and
      
      send a report to the hardware controller that indicates whether the node is eligible or ineligible to be a primary node.
  - 10. The system of claim 9 further comprising:
    - wherein if the node determines that it is not a member of the previous firewall cluster, the node sends a report to the hardware controller that indicates the node is ineligible to be a primary node.
  - 11. The system of claim 9 further comprising:
    - wherein if the node determines that it is a member of the previous firewall cluster, the node sends a report to the hardware controller that indicates the node is eligible to be a primary node.
  - 12. The system of claim 8 further comprising:
    - the hardware controller adapted to execute instructions that when executed cause the hardware controller to;
      
      selectively filter traffic between the firewall cluster and a second network.
  - 13. The system of claim 12, wherein the instructions to selectively filter traffic between the firewall cluster and the second network are stored on a plurality of nodes of the firewall cluster.
  - 14. The system of claim 8, wherein the hardware controller comprises one or more control nodes, the control nodes operable to execute instructions that when executed cause the control nodes to:
    - select one or more nodes of the firewall cluster; and
      
      execute a firewall application on the selected one or more nodes.
  - 15. The system of claim 8, wherein the hardware controller comprises one or more control nodes, the control nodes operable to execute instructions that when executed cause the control nodes to:
    - select one or more nodes of the firewall cluster; and
      
      execute an intrusion protection application on the selected one or more nodes.

16. A method comprising:
- monitoring, by a hardware control node, one or more nodes that comprise members of a previous firewall cluster and a new node, each node comprising a computer system adapted to share processing of at least a firewall application;
  
  assigning, by the control node, the new node as a primary node;
  
  receiving a report from the assigned primary node that the assigned primary node is ineligible to be a primary node;
  
  receiving a report from a second node comprising a member of the previous firewall cluster that the second node is eligible to be a primary node;
  
  designating the second node as the primary node;
  
  designating the assigned primary node as a secondary node; and
  
  designating any remaining nodes of the previous firewall cluster as secondary nodes and notifying all secondary nodes about the primary node to form a new firewall cluster.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the report from the assigned primary node that the assigned primary node is ineligible to be a primary node prevents formation of a split firewall cluster.
  - 18. The method of claim 16 further comprising:
    - determining, by one or more nodes, its membership to the previous firewall cluster;
      
      determining, by one or more nodes, its eligibility to be a primary node based on its membership to the previous firewall cluster; and
      
      sending, by one or more nodes, a report to the control node that indicates whether the node is eligible or ineligible to be a primary node.
  - 19. The method of claim 18 further comprising:
    - sending, by one or more nodes, a report to the hardware control node that indicates the sending node is ineligible to be a primary node responsive to determining that the one or more nodes is not a member of the previous firewall cluster.
  - 20. The method of claim 18 further comprising:
    - sending, by one or more nodes, a report to the control node that indicates the sending node is eligible to be a primary node responsive to determining that the one or more nodes is a member of the previous firewall cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bright, David Andrew, Silbersack, Michael James, Bucher, Aaron Christopher

Granted Patent

US 10,721,209 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/30   Decision processes by auton...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 67/10   in which an application is ...

TIMING MANAGEMENT IN A LARGE FIREWALL CLUSTER

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TIMING MANAGEMENT IN A LARGE FIREWALL CLUSTER

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links