METHODS AND SYSTEMS FOR MULTI-TENANT CONTROLLER BASED MAPPING OF DEVICE IDENTITY TO NETWORK LEVEL IDENTITY

US 20160080212A1
Filed: 09/16/2015
Published: 03/17/2016
Est. Priority Date: 09/16/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

executing at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service;

mapping active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE;

instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE;

receiving from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers;

transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP;

executing an algorithm to determine which element will contact specific AD instances to minimize lightweight directory access protocol (LDAP) traffic volume occurring on the WAN and to ensure AD instances can still be reached in case of failure of any one network element;

monitoring in Active Directory servers changes in at least one identity of a network user by using the LDAP ROLE on the network elements; and

updating a policy, based at least in part on the mapping of user identity in AD domains, at a multi-tenant controller, wherein the tracking of changing identity information is implemented as a horizontally scalable service the Identity Definitions Manager Service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes executing at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service, mapping active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE, instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE, receiving from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers and transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP.

34 Citations

View as Search Results

20 Claims

1. A method comprising:
- executing at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service;
  
  mapping active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE;
  
  instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE;
  
  receiving from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers;
  
  transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP;
  
  executing an algorithm to determine which element will contact specific AD instances to minimize lightweight directory access protocol (LDAP) traffic volume occurring on the WAN and to ensure AD instances can still be reached in case of failure of any one network element;
  
  monitoring in Active Directory servers changes in at least one identity of a network user by using the LDAP ROLE on the network elements; and
  
  updating a policy, based at least in part on the mapping of user identity in AD domains, at a multi-tenant controller, wherein the tracking of changing identity information is implemented as a horizontally scalable service the Identity Definitions Manager Service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further employing a multi-tenant controller based mapping of a user or device identity to a network level identity.
  - 3. The method of claim 1 further comprising performing application analysis on a per session basis.
  - 4. The method of claim 1 further comprising routing traffic based, at least in part, on a dynamic and automated QoS definition.
  - 5. The method of claim 4 further comprising employing on the traffic modeling and analytics selected from the group consisting of Pareto and Weibull.
  - 6. The method of claim 1 further comprising employing QoS standardized controls selected from the group consisting of shaping, policing, random early discard, tail drop, low latency queues, fair queues, anomaly queues and buffers.
  - 7. The method of claim 1 further comprising utilizing a network identity type.
  - 9. The centrally controllable multi-tenant controller of claim 1 further configured to employ a multi-tenant controller based mapping of a user or device identity to a network level identity.
  - 10. The centrally controllable multi-tenant controller of claim 1 further configured to perform application analysis on a per session basis.
  - 11. The centrally controllable multi-tenant controller of claim 1 further configured to route traffic based, at least in part, on a dynamic and automated QoS definition.
  - 12. The centrally controllable multi-tenant controller of claim 4 further configured to employ on the traffic modeling and analytics selected from the group consisting of Pareto and Weibull.
  - 13. The centrally controllable multi-tenant controller of claim 1 further configured to employ QoS standardized controls selected from the group consisting of shaping, policing, random early discard, tail drop, low latency queues, fair queues, anomaly queues and buffers.
  - 14. The centrally controllable multi-tenant controller of claim 1 further configured to utilize a network identity type.

8. A centrally controllable multi-tenant controller for controlling a plurality of assets across a plurality of distributed computing environments wherein the controller is configured to:
- execute at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service;
  
  map active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE;
  
  instruct a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE;
  
  receive from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers;
  
  transmit the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP;
  
  execute an algorithm to determine which element will contact specific AD instances to minimize lightweight directory access protocol (LDAP) traffic volume occurring on the WAN and to ensure AD instances can still be reached in case of failure of any one network element;
  
  receive from the LDAP ROLE of network element changes in Active Directory servers in at least one identity (user or group) of a network; and
  
  update a policy, based at least in part on the mapping of user identity in AD domains, at a multi-tenant controller, wherein the tracking of changing identity information is implemented as a horizontally scalable service the Identity Definitions Manager Service.

15. A method comprising:
- executing at a controller a horizontally scalable service IP to Site Mapping (ISM) Service;
  
  instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise;
  
  receiving from the plurality of network elements information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers;
  
  transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using WMI;
  
  executing an algorithm to determine which element will contact specific AD instances in order to contain WMI communication over LAN and minimize WMI communication over WAN;
  
  monitoring, using the WMI role on the network elements, the AD servers security login events comprising an IP address, a user AD ID and a user name;
  
  converting the login events to IP-to-user events and transmitting these to the ISM service in the controller;
  
  using the ISM service to map these IP-to-user events to the right spoke site;
  
  sending the events with enriched information comprising one or more group IDs for the user to the element in the spoke site; and
  
  using the enriched IP to user event at the spoke site to enforce policy based on user and group IDs and to enrich flow and application statistics with user and group information.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 further employing a multi-tenant controller based mapping of a user or device identity to a network level identity.
  - 17. The method of claim 15 further comprising performing application analysis on a per session basis.
  - 18. The method of claim 15 further comprising routing traffic based, at least in part, on a dynamic and automated QoS definition.
  - 19. The method of claim 18 further comprising employing on the traffic modeling and analytics selected from the group consisting of Pareto and Weibull.
  - 20. The method of claim 19 further comprising employing QoS standardized controls selected from the group consisting of shaping, policing, random early discard, tail drop, low latency queues, fair queues, anomaly queues and buffers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Cloudgenix, Inc. (Palo Alto Networks Incorporated)
Inventors
Yadav, Navneet, Ramasamy, Arivu, Ramachandran, Kumar, Anand, Venkataraman

Granted Patent

US 9,742,626 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 16/955   using information identifie...

G06F 17/18   for evaluating statistical ...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0668   by dynamic selection of rec...

H04L 41/12   Discovery or management of ...

H04L 41/122   of virtualised topologies, ...

H04L 41/14   Network analysis or design

H04L 41/34   Signalling channels for net...

H04L 41/40   using virtualisation of net...

H04L 43/04   Processing captured monitor...

H04L 43/062   related to network traffic

H04L 43/065   related to network devices

H04L 43/0811   by checking connectivity

H04L 43/0817   by checking functioning

H04L 43/0864   Round trip delays

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/10   Active monitoring, e.g. hea...

H04L 45/02   Topology update or discovery

H04L 45/125 : based on throughput or band...

H04L 45/22 : Alternate routing

H04L 45/28 : using route fault recovery

H04L 45/302 : Route determination based o...

H04L 45/306 : Route determination based o...

H04L 45/38 : Flow based routing

H04L 47/125 : by balancing the load, e.g....

H04L 47/22 : Traffic shaping

H04L 47/24 : Traffic characterised by sp...

H04L 47/32 : by discarding or delaying d...

H04L 47/781 : Centralised allocation of r...

H04L 47/825 : Involving tunnels, e.g. MPLS

H04L 61/2503 : Translation of Internet pro...

H04L 61/4511 : using domain name system [DNS]

H04L 61/4523 : using lightweight directory...

H04L 63/061 : for key exchange, e.g. in p...

H04L 67/141 : Setup of application sessio...

H04L 67/52 : specially adapted for the l...

H04L 67/63 : Routing a service request d...

H04L 69/40 : for recovering from a failu...

H04W 84/04 : Large scale networks; Deep ...

View All

METHODS AND SYSTEMS FOR MULTI-TENANT CONTROLLER BASED MAPPING OF DEVICE IDENTITY TO NETWORK LEVEL IDENTITY

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

METHODS AND SYSTEMS FOR MULTI-TENANT CONTROLLER BASED MAPPING OF DEVICE IDENTITY TO NETWORK LEVEL IDENTITY

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others