Timing management in a large firewall cluster

US 8,955,097 B2
Filed: 12/13/2011
Issued: 02/10/2015
Est. Priority Date: 12/13/2011
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that when executed cause one or more processing units to:

initialize a firewall cluster comprising three or more firewall processing nodes, each node comprising a hardware network device operable to selectively permit or block traffic flowing between the firewall cluster and an external network;

receive a report from each node of the firewall cluster that the node is ineligible to be a primary node;

receive a report from one or more nodes of the firewall cluster that the node is eligible to be a primary node after a predetermined time period;

prevent formation of a split cluster by designating one of the eligible nodes as a primary node; and

notify the remaining nodes of the firewall cluster about the designated primary node.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node'"'"'s membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node status comprising reporting primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out.

Citations

25 Claims

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that when executed cause one or more processing units to:
- initialize a firewall cluster comprising three or more firewall processing nodes, each node comprising a hardware network device operable to selectively permit or block traffic flowing between the firewall cluster and an external network;
  
  receive a report from each node of the firewall cluster that the node is ineligible to be a primary node;
  
  receive a report from one or more nodes of the firewall cluster that the node is eligible to be a primary node after a predetermined time period;
  
  prevent formation of a split cluster by designating one of the eligible nodes as a primary node; and
  
  notify the remaining nodes of the firewall cluster about the designated primary node.
- View Dependent Claims (2, 3)
- - 2. The computer readable medium of claim 1 further comprising instructions that when executed cause the one or more processing units to:
    - execute, by one or more nodes of the firewall cluster, a firewall application.
  - 3. The computer readable medium of claim 1 further comprising instructions that when executed cause the one or more processing units to:
    - execute, by one or more nodes of the firewall cluster, an intrusion protection application.

4. A firewall system, comprising:
- three or more firewall processing nodes interconnected by a network, each processing node comprising a hardware network device operable to execute rules to selectively filter traffic between the firewall processing nodes and an external network; and
  
  a hardware controller operable to execute instructions that when executed cause the hardware controller to;
  
  receive a report from each node of the firewall processing nodes that the node is ineligible for designation as a primary node;
  
  receive a report from each node of the firewall processing nodes that the node is eligible for primary node designation before expiration of a predetermined time period;
  
  prevent formation of a split firewall cluster by assigning one of the eligible nodes as a primary node before expiration of the predetermined time period;
  
  receive a report from each remaining node of the firewall processing nodes that the node is eligible for primary node designation upon expiration of the predetermined time period; and
  
  notify the remaining nodes of the firewall processing nodes about the assigned primary node to form a firewall cluster.
- View Dependent Claims (5, 6, 7)
- - 5. The firewall system of claim 4, wherein the rules to selectively filter traffic between the firewall processing nodes and an external network are executed by a plurality of nodes of the firewall processing nodes.
  - 6. The firewall system of claim 4, wherein the hardware controller is further operable to execute instructions that when executed cause the hardware controller to:
    - select one or more nodes of the firewall processing nodes; and
      
      execute a firewall application on the selected nodes.
  - 7. The firewall system of claim 4, wherein the hardware controller is further operable to execute instructions that when executed cause the hardware controller to:
    - select one or more nodes of the firewall processing nodes; and
      
      execute an intrusion protection application on the selected nodes.

8. A distributed firewall cluster comprising:
- three or more firewall processing nodes interconnected by a network and connected to an external network, each firewall processing node comprising;
  
  a network device operable to selectively filter traffic between the firewall processing node and the external network and to send primary node eligibility information; and
  
  a hardware controller operable to monitor available firewall processing nodes, the hardware controller adapted to execute instructions that when executed cause the hardware controller to;
  
  initialize a firewall cluster, the firewall cluster comprising three or more firewall processing nodes;
  
  receive an ineligibility notification from each firewall processing node that the node is ineligible for designation as a primary node;
  
  receive an eligibility notification from a plurality of firewall processing nodes that the node is eligible for primary node designation, the eligibility notification received after a predetermined time period;
  
  prevent formation of a split firewall cluster by designating an eligible node as a primary node; and
  
  notify the remaining nodes of the firewall processing nodes about the designation of the primary node to form the firewall cluster.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The distributed firewall cluster of claim 8, wherein the hardware controller is adapted to execute instructions that when executed cause the hardware controller to:
    - selectively filter traffic between the external network and a plurality of firewall processing nodes comprising the firewall cluster.
  - 10. The distributed firewall cluster of claim 9, wherein the instructions to selectively filter traffic between the cluster and the external network are stored on a plurality of nodes.
  - 11. The distributed firewall cluster of claim 8 further comprising:
    - The hardware controller operable to execute instructions that when executed cause the hardware controller to;
      
      select one or more nodes of the firewall cluster; and
      
      execute a firewall application on the selected nodes.
  - 12. The distributed firewall cluster of claim 8 further comprising:
    - The hardware controller operable to execute instructions that when executed cause the hardware controller to;
      
      select one or more nodes of the firewall cluster; and
      
      execute an intrusion protection application on the selected nodes.

13. A system comprising:
- three or more nodes interconnected by a network, each node comprising a computer system adapted to share processing of at least one of a firewall application and an intrusion protection application; and
  
  a hardware controller operable to monitor nodes available to the system, the hardware controller adapted to execute instructions that when executed cause the hardware controller to;
  
  initialize a firewall cluster, the firewall cluster comprising one or more nodes that comprise members of a previous firewall cluster and a new node;
  
  assign the new node as a primary node;
  
  receive a report from the assigned primary node that the assigned primary node is ineligible to be a primary node to prevent formation of a split firewall cluster;
  
  receive a report from each node comprising a member of the previous firewall cluster that the node that was a member of the previous firewall cluster is eligible to be a primary node;
  
  designate one of the eligible nodes as the primary node;
  
  designate the assigned primary node as a secondary node; and
  
  designate any remaining nodes comprising a member of the previous firewall cluster as a secondary node and notify all secondary nodes about the primary node to form the firewall cluster.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13 further comprising:
    - a node adapted to execute instructions that when executed cause the node to;
      
      determine its membership in the previous firewall cluster;
      
      determine its eligibility to be a primary node based on its membership to the previous firewall cluster; and
      
      send a report to the hardware controller that indicates whether the node is eligible or ineligible to be a primary node.
  - 15. The system of claim 14 further comprising:
    - wherein if the node determines that it is not a member of the previous firewall cluster, the node sends a report to the hardware controller that indicates the node is ineligible to be a primary node.
  - 16. The system of claim 14 further comprising:
    - wherein if the node determines that it is a member of the previous firewall cluster, the node sends a report to the hardware controller that indicates the node is eligible to be a primary node.
  - 17. The system of claim 13 further comprising:
    - the hardware controller adapted to execute instructions that when executed cause the hardware controller to;
      
      selectively filter traffic between the firewall cluster and an external network.
  - 18. The system of claim 17, wherein the instructions to selectively filter traffic between the firewall cluster and the external network are stored on a plurality of nodes of the firewall cluster.
  - 19. The system of claim 13, wherein the hardware controller comprises one or more control nodes, the control nodes operable to execute instructions that when executed cause the control nodes to:
    - select one or more nodes of the firewall cluster; and
      
      execute a firewall application on the selected one or more nodes.
  - 20. The system of claim 13, wherein the hardware controller comprises one or more control nodes, the control nodes operable to execute instructions that when executed cause the control nodes to:
    - select one or more nodes of the firewall cluster; and
      
      execute an intrusion protection application on the selected one or more nodes.

21. A method comprising:
- monitoring, by a hardware control node, one or more nodes that comprise members of a previous firewall cluster and a new node, each node comprising a computer system adapted to share processing of at least a firewall application;
  
  assigning, by the control node, the new node as a primary node;
  
  receiving a report from the assigned primary node that the assigned primary node is ineligible to be a primary node;
  
  receiving a report from one or more nodes comprising a member of the previous firewall cluster that the node is eligible to be a primary node;
  
  designating one of the eligible nodes as the primary node;
  
  designating the assigned primary node as a secondary node; and
  
  designating any remaining nodes of the previous firewall cluster as a secondary node and notifying all secondary nodes about the primary node to form a new firewall cluster.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, wherein the report from the assigned primary node that the assigned primary node is ineligible to be a primary node prevents formation of a split firewall cluster.
  - 23. The method of claim 21 further comprising:
    - determining, by one or more nodes, its membership to the previous firewall cluster;
      
      determining, by one or more nodes, its eligibility to be a primary node based on its membership to the previous firewall cluster; and
      
      sending, by one or more nodes, a report to the hardware control node that indicates whether the sending node is eligible or ineligible to be a primary node.
  - 24. The method of claim 23 further comprising:
    - sending, by one or more nodes, a report to the hardware control node that indicates the sending node is ineligible to be a primary node responsive to determining that the one or more nodes is not a member of the previous firewall cluster.
  - 25. The method of claim 23 further comprising:
    - sending, by one or more nodes, a report to the hardware control node that indicates the sending node is eligible to be a primary node responsive to determining that the one or more nodes is a member of the previous firewall cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bright, David Andrew, Silbersack, Michael James, Bucher, Aaron Christopher
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
AMORIN, CARLOS E

Application Number

US13/324,990
Publication Number

US 20130152191A1
Time in Patent Office

1,155 Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/30   Decision processes by auton...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 67/10   in which an application is ...

Timing management in a large firewall cluster

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Timing management in a large firewall cluster

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links