Cluster architecture and configuration for network security devices

US 8,316,113 B2
Filed: 12/21/2009
Issued: 11/20/2012
Est. Priority Date: 12/19/2008
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium comprising instructions configured to cause a computing device to perform a method for adding a computing device to a cluster of computing devices, the method comprising:

discovering the computing device on a communication network;

transmitting a device-specific configuration to the computing device comprising cluster configuration data and a role assignment;

verifying that the computing device has implemented the device-specific configuration in response to transmitting the device-specific configuration;

cryptographically verifying a license of the computing device; and

verifying licensed services provided by the computing devices in the cluster by logically combining licensed services of the verified license of the computing device with licensed services of a license of another computing device in the cluster.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.

42 Citations

View as Search Results

31 Claims

1. A non-transitory computer-readable storage medium comprising instructions configured to cause a computing device to perform a method for adding a computing device to a cluster of computing devices, the method comprising:
- discovering the computing device on a communication network;
  
  transmitting a device-specific configuration to the computing device comprising cluster configuration data and a role assignment;
  
  verifying that the computing device has implemented the device-specific configuration in response to transmitting the device-specific configuration;
  
  cryptographically verifying a license of the computing device; and
  
  verifying licensed services provided by the computing devices in the cluster by logically combining licensed services of the verified license of the computing device with licensed services of a license of another computing device in the cluster.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 29)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the computing device is discovered responsive to a request to transmit a discovery message on the communication network.
  - 3. The non-transitory computer-readable storage medium of claim 1, the method further comprising determining whether the computing device is eligible to join the cluster.
  - 4. The non-transitory computer-readable storage medium of claim 3, wherein the eligibility of the computing device to join the cluster is based upon device-identifying information received from the computing device.
  - 5. The non-transitory computer-readable storage medium of claim 4, wherein the device-identifying information comprises an indicator of a version of the computing device.
  - 6. The non-transitory computer-readable storage medium of claim 4, wherein the device-identifying information comprises an indicator of a hardware configuration of the computing device.
  - 7. The non-transitory computer-readable storage medium of claim 4, wherein the device-identifying information comprises a license of the computing device.
  - 8. The non-transitory computer-readable storage medium of claim 1, wherein the role assignment is based upon a license of the cluster.
  - 9. The non-transitory computer-readable storage medium of claim 1, wherein the role assignment is based upon a license of the computing device.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein when the computing device does not have a license, the computing device is assigned a standby role in the cluster, and wherein when in the standby role, the computing device is not assigned to handle cluster network traffic flows.
  - 11. The non-transitory computer-readable storage medium of claim 10, the method further comprising assigning the computing device an active role in the cluster in response to another computing device in the cluster being removed therefrom, wherein when in the active role, the computing device is assigned to handle one or more cluster network traffic flows.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein when the computing device has a license, the computing device is assigned an active role in the cluster, and wherein when in the active role, the computing device is assigned to handle one or more cluster network traffic flows.
  - 13. The non-transitory computer-readable storage medium of claim 1, the method further comprising determining licensed capabilities of the cluster using a license of the computing device.
  - 14. The non-transitory computer-readable storage medium of claim 1, the method further comprising:
    - selecting a first one of a plurality of computing devices in the cluster to act as a cluster master; and
      
      selecting a second one of the plurality of computing devices in the cluster to act as a backup master,wherein the cluster master is configured to assign processing tasks to computing devices in the cluster, and wherein the backup master is configured to synchronize run-time synchronization data with the cluster master.
  - 29. The non-transitory computer-readable storage medium of claim 1, wherein the licensed services provided by the computing devices in the cluster are determined by one of, identifying least common capabilities between the licenses of the two or more computing devices in the cluster, andidentifying a union of capabilities of the licenses of the two or more computing devices in the cluster.

15. A system comprising:
- a cluster comprising a plurality of computing devices;
  
  a cluster network interface, communicatively coupling the plurality of computing devices in the cluster; and
  
  a cluster management module implemented on one of the cluster computing devices, the cluster management module configured to, upon discovering a new computing device, determine a role of the new computing device in the cluster, transmit a device-specific configuration to the new computing device comprising a cluster configuration and the determined role,cryptographically verify a license of the new computing device, and to verify licensed services provided by the computing devices in the cluster by logically combining licensed services of the verified license of the new computing device with licensed services of another computing device in the cluster.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 30)
- - 16. The system of claim 15, wherein the cluster management module is configured to discover the new computing device responsive to a discover command.
  - 17. The system of claim 15, wherein the cluster management module is configured to receive device-identifying information from the new computing device, and wherein the device-identifying information is one of a device serial number, a device hardware version identifier, a device software version identifier, a license, and a device firmware version identifier.
  - 18. The system of claim 15, wherein the cluster management module is configured to determine the role of the new computing device in the cluster based upon a license of the new computing device.
  - 19. The system of claim 15, wherein the role of the new computing device in the cluster is standby when the new computing device does not have a license, and wherein the role of the new computing device in the cluster is active when the new computing device has a license.
  - 20. The system of claim 16, wherein the cluster management module is configured to update a cluster configuration data structure to indicate that the new computing device is joined to the cluster and to synchronize the updated cluster configuration data structure to the plurality of computing devices in the cluster.
  - 21. The system of claim 15, wherein the cluster management module is configured to actively discover the new computing device by transmitting one or more discovery messages on the cluster network interface.
  - 22. The system of claim 15, wherein the cluster management module is configured to passively discover the new computing device by monitoring network traffic on the cluster network interface.
  - 23. The system of claim 15, wherein the cluster management module is configured to determine whether the new computing device is eligible to join the cluster based upon one of a device identifier, a software version identifier, a hardware version identifier, and a firmware identifier of the new computing device.
  - 30. The system of claim 15, wherein the cluster management module is configured to determine the licensed services provided by the computing devices in the cluster by one of,identifying least common capabilities between the licenses of the two or more computing devices in the cluster, andidentifying a union of capabilities of the licenses of the two or more computing devices in the cluster.

24. A method for adding a computing device to a cluster comprising a plurality of computing devices, each of the computing devices comprising a processor, memory, and communications interface communicatively coupled to a cluster network, the method comprising:
- discovering a new computing device on the cluster network;
  
  receiving device-identifying information pertaining to the new computing device via the cluster network;
  
  generating a device-specific configuration for the new computing device using the device-identifying information;
  
  transmitting the device-specific configuration to the new computing device via the cluster network;
  
  verifying implementation of the device-specific configuration by the new computing device;
  
  cryptographically verifying a license of the new computing device; and
  
  verifying licensed services provided by the computing devices in the cluster by logically combining licensed services of the verified license of the new computing device with licensed services of a license of another computing device in the cluster.
- View Dependent Claims (25, 26, 27, 28, 31)
- - 25. The method of claim 24, further comprising determining whether the computing device is eligible to join the cluster using the device-identifying information.
  - 26. The method of claim 24, wherein the device-identifying information comprises a hardware version indicator and a software version indicator, and wherein the computing device is eligible to join the cluster when the hardware version and the software version of the computing device are compatible with the plurality of computing devices in the cluster.
  - 27. The method claim 24, wherein the device-identifying information comprises a license of the computing device, and wherein the computing device is eligible to join the cluster when the license allows for clustered operations.
  - 28. The method of claim 27, wherein the device-specific configuration assigns a cluster role to the computing device, and wherein the cluster role is determined by the license of the computing device.
  - 31. The method of claim 24, wherein the licensed services provided by the computing devices in the cluster are determined by one of, identifying least common capabilities between the licenses of the two or more computing devices in the cluster, andidentifying a union of capabilities of the licenses of the two or more computing devices in the cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Linden, Thomas, Huang, James, Hsu, Jeff, Lee, Ming-Jeng
Primary Examiner(s)
ZHANG, SHIRLEY X

Application Number

US12/643,378
Publication Number

US 20100169446A1
Time in Patent Office

1,065 Days
Field of Search

709220-226
US Class Current

709/220
CPC Class Codes

G06F 11/181   Eliminating the failing red...

G06F 11/182   based on mutual exchange of...

G06F 11/2028   eliminating a faulty proces...

G06F 11/203   using migration

G06F 11/2035   without idle spare hardware

G06F 15/177   Initialisation or configura...

H04L 41/0659   by isolating or reconfiguri...

H04L 41/0869   Validating the configuratio...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 43/0817   by checking functioning

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0218   Distributed architectures, ...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/20   for managing network securi...

H04L 67/1095   Replication or mirroring of...

H04L 67/142   Managing session states for...

Cluster architecture and configuration for network security devices

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Cluster architecture and configuration for network security devices

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others